Logging: server pipelining offer but no uptake
[exim.git] / src / src / exim.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8
9/* The main function: entry point, initialization, and high-level control.
10Also a few functions that don't naturally fit elsewhere. */
11
12
13#include "exim.h"
14
98913c8e 15#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
16# include <gnu/libc-version.h>
17#endif
18
f797c123
JH
19#ifdef USE_GNUTLS
20# include <gnutls/gnutls.h>
21# if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22# define DISABLE_OCSP
23# endif
24#endif
25
6545de78
PP
26extern void init_lookup_list(void);
27
059ec3d9
PH
28
29
30/*************************************************
31* Function interface to store functions *
32*************************************************/
33
34/* We need some real functions to pass to the PCRE regular expression library
35for store allocation via Exim's store manager. The normal calls are actually
36macros that pass over location information to make tracing easier. These
37functions just interface to the standard macro calls. A good compiler will
38optimize out the tail recursion and so not make them too expensive. There
39are two sets of functions; one for use when we want to retain the compiled
40regular expression for a long time; the other for short-term use. */
41
42static void *
43function_store_get(size_t size)
44{
45return store_get((int)size);
46}
47
48static void
49function_dummy_free(void *block) { block = block; }
50
51static void *
52function_store_malloc(size_t size)
53{
54return store_malloc((int)size);
55}
56
57static void
58function_store_free(void *block)
59{
60store_free(block);
61}
62
63
64
65
66/*************************************************
98a90c36
PP
67* Enums for cmdline interface *
68*************************************************/
69
70enum commandline_info { CMDINFO_NONE=0,
36a3ae5f 71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
98a90c36
PP
72
73
74
75
76/*************************************************
059ec3d9
PH
77* Compile regular expression and panic on fail *
78*************************************************/
79
80/* This function is called when failure to compile a regular expression leads
81to a panic exit. In other cases, pcre_compile() is called directly. In many
82cases where this function is used, the results of the compilation are to be
83placed in long-lived store, so we temporarily reset the store management
84functions that PCRE uses if the use_malloc flag is set.
85
86Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91Returns: pointer to the compiled pattern
92*/
93
94const pcre *
476be7e2 95regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
059ec3d9
PH
96{
97int offset;
98int options = PCRE_COPT;
99const pcre *yield;
100const uschar *error;
101if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106if (caseless) options |= PCRE_CASELESS;
476be7e2 107yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
059ec3d9
PH
108pcre_malloc = function_store_get;
109pcre_free = function_dummy_free;
110if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113return yield;
114}
115
116
117
118
119/*************************************************
120* Execute regular expression and set strings *
121*************************************************/
122
123/* This function runs a regular expression match, and sets up the pointers to
124the matched substrings.
125
126Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134Returns: TRUE or FALSE
135*/
136
137BOOL
1dc92d5a 138regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
059ec3d9
PH
139{
140int ovector[3*(EXPAND_MAXN+1)];
1dc92d5a
JH
141uschar * s = string_copy(subject); /* de-constifying */
142int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
059ec3d9
PH
143 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
144BOOL yield = n >= 0;
145if (n == 0) n = EXPAND_MAXN + 1;
146if (yield)
147 {
148 int nn;
149 expand_nmax = (setup < 0)? 0 : setup + 1;
150 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
151 {
1dc92d5a 152 expand_nstring[expand_nmax] = s + ovector[nn];
059ec3d9
PH
153 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
154 }
155 expand_nmax--;
156 }
157return yield;
158}
159
160
161
162
163/*************************************************
921b12ca
TF
164* Set up processing details *
165*************************************************/
166
167/* Save a text string for dumping when SIGUSR1 is received.
168Do checks for overruns.
169
170Arguments: format and arguments, as for printf()
171Returns: nothing
172*/
173
174void
175set_process_info(const char *format, ...)
176{
92b0827a 177int len = sprintf(CS process_info, "%5d ", (int)getpid());
921b12ca 178va_list ap;
921b12ca
TF
179va_start(ap, format);
180if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
181 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
182len = Ustrlen(process_info);
183process_info[len+0] = '\n';
184process_info[len+1] = '\0';
185process_info_len = len + 1;
186DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
187va_end(ap);
188}
189
830832c9
HSHR
190/***********************************************
191* Handler for SIGTERM *
192***********************************************/
921b12ca 193
830832c9
HSHR
194static void
195term_handler(int sig)
196{
197 exit(1);
198}
921b12ca
TF
199
200
201/*************************************************
059ec3d9
PH
202* Handler for SIGUSR1 *
203*************************************************/
204
205/* SIGUSR1 causes any exim process to write to the process log details of
206what it is currently doing. It will only be used if the OS is capable of
207setting up a handler that causes automatic restarting of any system call
208that is in progress at the time.
209
921b12ca
TF
210This function takes care to be signal-safe.
211
059ec3d9
PH
212Argument: the signal number (SIGUSR1)
213Returns: nothing
214*/
215
216static void
217usr1_handler(int sig)
218{
921b12ca
TF
219int fd;
220
221os_restarting_signal(sig, usr1_handler);
222
cab0c277 223if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
921b12ca
TF
224 {
225 /* If we are already running as the Exim user, try to create it in the
226 current process (assuming spool_directory exists). Otherwise, if we are
227 root, do the creation in an exim:exim subprocess. */
228
229 int euid = geteuid();
230 if (euid == exim_uid)
231 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
232 else if (euid == root_uid)
233 fd = log_create_as_exim(process_log_path);
234 }
235
236/* If we are neither exim nor root, or if we failed to create the log file,
237give up. There is not much useful we can do with errors, since we don't want
238to disrupt whatever is going on outside the signal handler. */
239
240if (fd < 0) return;
241
2f21487f 242(void)write(fd, process_info, process_info_len);
921b12ca 243(void)close(fd);
059ec3d9
PH
244}
245
246
247
248/*************************************************
249* Timeout handler *
250*************************************************/
251
252/* This handler is enabled most of the time that Exim is running. The handler
253doesn't actually get used unless alarm() has been called to set a timer, to
254place a time limit on a system call of some kind. When the handler is run, it
255re-enables itself.
256
257There are some other SIGALRM handlers that are used in special cases when more
258than just a flag setting is required; for example, when reading a message's
259input. These are normally set up in the code module that uses them, and the
260SIGALRM handler is reset to this one afterwards.
261
262Argument: the signal value (SIGALRM)
263Returns: nothing
264*/
265
266void
267sigalrm_handler(int sig)
268{
269sig = sig; /* Keep picky compilers happy */
270sigalrm_seen = TRUE;
271os_non_restarting_signal(SIGALRM, sigalrm_handler);
272}
273
274
275
276/*************************************************
277* Sleep for a fractional time interval *
278*************************************************/
279
280/* This function is called by millisleep() and exim_wait_tick() to wait for a
281period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
282tedious. We do not expect setitimer() ever to fail, but if it does, the process
283will wait for ever, so we panic in this instance. (There was a case of this
284when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 285That's when I added the check. :-)
059ec3d9 286
0f8ba377
JH
287We assume it to be not worth sleeping for under 100us; this value will
288require revisiting as hardware advances. This avoids the issue of
289a zero-valued timer setting meaning "never fire".
290
059ec3d9
PH
291Argument: an itimerval structure containing the interval
292Returns: nothing
293*/
294
295static void
296milliwait(struct itimerval *itval)
297{
298sigset_t sigmask;
299sigset_t old_sigmask;
0f8ba377
JH
300
301if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
302 return;
059ec3d9
PH
303(void)sigemptyset(&sigmask); /* Empty mask */
304(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
305(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 306if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
307 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
308 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
309(void)sigfillset(&sigmask); /* All signals */
310(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
311(void)sigsuspend(&sigmask); /* Until SIGALRM */
312(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
313}
314
315
316
317
318/*************************************************
319* Millisecond sleep function *
320*************************************************/
321
322/* The basic sleep() function has a granularity of 1 second, which is too rough
323in some cases - for example, when using an increasing delay to slow down
324spammers.
325
326Argument: number of millseconds
327Returns: nothing
328*/
329
330void
331millisleep(int msec)
332{
333struct itimerval itval;
334itval.it_interval.tv_sec = 0;
335itval.it_interval.tv_usec = 0;
336itval.it_value.tv_sec = msec/1000;
337itval.it_value.tv_usec = (msec % 1000) * 1000;
338milliwait(&itval);
339}
340
341
342
343/*************************************************
344* Compare microsecond times *
345*************************************************/
346
347/*
348Arguments:
349 tv1 the first time
350 tv2 the second time
351
352Returns: -1, 0, or +1
353*/
354
32dfdf8b 355static int
059ec3d9
PH
356exim_tvcmp(struct timeval *t1, struct timeval *t2)
357{
358if (t1->tv_sec > t2->tv_sec) return +1;
359if (t1->tv_sec < t2->tv_sec) return -1;
360if (t1->tv_usec > t2->tv_usec) return +1;
361if (t1->tv_usec < t2->tv_usec) return -1;
362return 0;
363}
364
365
366
367
368/*************************************************
369* Clock tick wait function *
370*************************************************/
371
372/* Exim uses a time + a pid to generate a unique identifier in two places: its
373message IDs, and in file names for maildir deliveries. Because some OS now
374re-use pids within the same second, sub-second times are now being used.
4c04137d 375However, for absolute certainty, we must ensure the clock has ticked before
059ec3d9
PH
376allowing the relevant process to complete. At the time of implementation of
377this code (February 2003), the speed of processors is such that the clock will
378invariably have ticked already by the time a process has done its job. This
379function prepares for the time when things are faster - and it also copes with
380clocks that go backwards.
381
382Arguments:
383 then_tv A timeval which was used to create uniqueness; its usec field
384 has been rounded down to the value of the resolution.
385 We want to be sure the current time is greater than this.
386 resolution The resolution that was used to divide the microseconds
387 (1 for maildir, larger for message ids)
388
389Returns: nothing
390*/
391
392void
393exim_wait_tick(struct timeval *then_tv, int resolution)
394{
395struct timeval now_tv;
396long int now_true_usec;
397
398(void)gettimeofday(&now_tv, NULL);
399now_true_usec = now_tv.tv_usec;
400now_tv.tv_usec = (now_true_usec/resolution) * resolution;
401
402if (exim_tvcmp(&now_tv, then_tv) <= 0)
403 {
404 struct itimerval itval;
405 itval.it_interval.tv_sec = 0;
406 itval.it_interval.tv_usec = 0;
407 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
408 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
409
410 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
411 negative value for the microseconds is possible only in the case when "now"
412 is more than a second less than "then". That means that itval.it_value.tv_sec
413 is greater than zero. The following correction is therefore safe. */
414
415 if (itval.it_value.tv_usec < 0)
416 {
417 itval.it_value.tv_usec += 1000000;
418 itval.it_value.tv_sec -= 1;
419 }
420
421 DEBUG(D_transport|D_receive)
422 {
423 if (!running_in_test_harness)
424 {
d0291a0a 425 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
7437665e
JH
426 then_tv->tv_sec, (long) then_tv->tv_usec,
427 now_tv.tv_sec, (long) now_tv.tv_usec);
d0291a0a
JH
428 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
429 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
059ec3d9
PH
430 }
431 }
432
433 milliwait(&itval);
434 }
435}
436
437
438
439
440/*************************************************
2632889e
PH
441* Call fopen() with umask 777 and adjust mode *
442*************************************************/
443
444/* Exim runs with umask(0) so that files created with open() have the mode that
445is specified in the open() call. However, there are some files, typically in
446the spool directory, that are created with fopen(). They end up world-writeable
447if no precautions are taken. Although the spool directory is not accessible to
448the world, this is an untidiness. So this is a wrapper function for fopen()
449that sorts out the mode of the created file.
450
451Arguments:
452 filename the file name
453 options the fopen() options
454 mode the required mode
455
456Returns: the fopened FILE or NULL
457*/
458
459FILE *
1ba28e2b 460modefopen(const uschar *filename, const char *options, mode_t mode)
2632889e 461{
67d175de
PH
462mode_t saved_umask = umask(0777);
463FILE *f = Ufopen(filename, options);
464(void)umask(saved_umask);
2632889e
PH
465if (f != NULL) (void)fchmod(fileno(f), mode);
466return f;
467}
468
469
470
471
472/*************************************************
059ec3d9
PH
473* Ensure stdin, stdout, and stderr exist *
474*************************************************/
475
476/* Some operating systems grumble if an exec() happens without a standard
477input, output, and error (fds 0, 1, 2) being defined. The worry is that some
478file will be opened and will use these fd values, and then some other bit of
479code will assume, for example, that it can write error messages to stderr.
480This function ensures that fds 0, 1, and 2 are open if they do not already
481exist, by connecting them to /dev/null.
482
483This function is also used to ensure that std{in,out,err} exist at all times,
484so that if any library that Exim calls tries to use them, it doesn't crash.
485
486Arguments: None
487Returns: Nothing
488*/
489
490void
491exim_nullstd(void)
492{
493int i;
494int devnull = -1;
495struct stat statbuf;
496for (i = 0; i <= 2; i++)
497 {
498 if (fstat(i, &statbuf) < 0 && errno == EBADF)
499 {
500 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
501 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
502 string_open_failed(errno, "/dev/null"));
1fe64dcc 503 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
504 }
505 }
1fe64dcc 506if (devnull > 2) (void)close(devnull);
059ec3d9
PH
507}
508
509
510
511
512/*************************************************
513* Close unwanted file descriptors for delivery *
514*************************************************/
515
516/* This function is called from a new process that has been forked to deliver
517an incoming message, either directly, or using exec.
518
519We want any smtp input streams to be closed in this new process. However, it
520has been observed that using fclose() here causes trouble. When reading in -bS
521input, duplicate copies of messages have been seen. The files will be sharing a
522file pointer with the parent process, and it seems that fclose() (at least on
523some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
524least sometimes. Hence we go for closing the underlying file descriptors.
525
526If TLS is active, we want to shut down the TLS library, but without molesting
527the parent's SSL connection.
528
529For delivery of a non-SMTP message, we want to close stdin and stdout (and
530stderr unless debugging) because the calling process might have set them up as
531pipes and be waiting for them to close before it waits for the submission
532process to terminate. If they aren't closed, they hold up the calling process
533until the initial delivery process finishes, which is not what we want.
534
535Exception: We do want it for synchronous delivery!
536
537And notwithstanding all the above, if D_resolver is set, implying resolver
538debugging, leave stdout open, because that's where the resolver writes its
539debugging output.
540
541When we close stderr (which implies we've also closed stdout), we also get rid
542of any controlling terminal.
543
544Arguments: None
545Returns: Nothing
546*/
547
548static void
549close_unwanted(void)
550{
551if (smtp_input)
552 {
74f1a423
JH
553#ifdef SUPPORT_TLS
554 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
555#endif
1fe64dcc
PH
556 (void)close(fileno(smtp_in));
557 (void)close(fileno(smtp_out));
059ec3d9
PH
558 smtp_in = NULL;
559 }
560else
561 {
1fe64dcc
PH
562 (void)close(0); /* stdin */
563 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
564 if (debug_selector == 0) /* stderr */
059ec3d9
PH
565 {
566 if (!synchronous_delivery)
567 {
1fe64dcc 568 (void)close(2);
059ec3d9
PH
569 log_stderr = NULL;
570 }
571 (void)setsid();
572 }
573 }
574}
575
576
577
578
579/*************************************************
580* Set uid and gid *
581*************************************************/
582
583/* This function sets a new uid and gid permanently, optionally calling
584initgroups() to set auxiliary groups. There are some special cases when running
585Exim in unprivileged modes. In these situations the effective uid will not be
586root; if we already have the right effective uid/gid, and don't need to
587initialize any groups, leave things as they are.
588
589Arguments:
590 uid the uid
591 gid the gid
592 igflag TRUE if initgroups() wanted
593 msg text to use in debugging output and failure log
594
595Returns: nothing; bombs out on failure
596*/
597
598void
599exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
600{
601uid_t euid = geteuid();
602gid_t egid = getegid();
603
604if (euid == root_uid || euid != uid || egid != gid || igflag)
605 {
606 /* At least one OS returns +1 for initgroups failure, so just check for
607 non-zero. */
608
609 if (igflag)
610 {
611 struct passwd *pw = getpwuid(uid);
612 if (pw != NULL)
613 {
614 if (initgroups(pw->pw_name, gid) != 0)
615 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
616 (long int)uid, strerror(errno));
617 }
618 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
619 "no passwd entry for uid=%ld", (long int)uid);
620 }
621
622 if (setgid(gid) < 0 || setuid(uid) < 0)
623 {
624 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
625 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
626 }
627 }
628
629/* Debugging output included uid/gid and all groups */
630
631DEBUG(D_uid)
632 {
cd59ab18 633 int group_count, save_errno;
059ec3d9
PH
634 gid_t group_list[NGROUPS_MAX];
635 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
636 (long int)geteuid(), (long int)getegid(), (long int)getpid());
637 group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18 638 save_errno = errno;
059ec3d9
PH
639 debug_printf(" auxiliary group list:");
640 if (group_count > 0)
641 {
642 int i;
643 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
644 }
cd59ab18
PP
645 else if (group_count < 0)
646 debug_printf(" <error: %s>", strerror(save_errno));
059ec3d9
PH
647 else debug_printf(" <none>");
648 debug_printf("\n");
649 }
650}
651
652
653
654
655/*************************************************
656* Exit point *
657*************************************************/
658
659/* Exim exits via this function so that it always clears up any open
660databases.
661
662Arguments:
663 rc return code
664
665Returns: does not return
666*/
667
668void
9bfb7e1b 669exim_exit(int rc, const uschar * process)
059ec3d9
PH
670{
671search_tidyup();
672DEBUG(D_any)
9bfb7e1b
JH
673 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
674 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
675 process ? "(" : "", process, process ? ") " : "", rc);
059ec3d9
PH
676exit(rc);
677}
678
679
680
681
682/*************************************************
683* Extract port from host address *
684*************************************************/
685
686/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
687It also checks the syntax of the address, and terminates it before the
688port data when a port is extracted.
059ec3d9
PH
689
690Argument:
691 address the address, with possible port on the end
692
693Returns: the port, or zero if there isn't one
694 bombs out on a syntax error
695*/
696
697static int
698check_port(uschar *address)
699{
7cd1141b 700int port = host_address_extract_port(address);
8e669ac1 701if (string_is_ip_address(address, NULL) == 0)
059ec3d9
PH
702 {
703 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
704 exit(EXIT_FAILURE);
705 }
706return port;
707}
708
709
710
711/*************************************************
712* Test/verify an address *
713*************************************************/
714
715/* This function is called by the -bv and -bt code. It extracts a working
716address from a full RFC 822 address. This isn't really necessary per se, but it
717has the effect of collapsing source routes.
718
719Arguments:
720 s the address string
721 flags flag bits for verify_address()
722 exit_value to be set for failures
723
a5a28604 724Returns: nothing
059ec3d9
PH
725*/
726
727static void
728test_address(uschar *s, int flags, int *exit_value)
729{
730int start, end, domain;
731uschar *parse_error = NULL;
732uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
733 FALSE);
734if (address == NULL)
735 {
736 fprintf(stdout, "syntax error: %s\n", parse_error);
737 *exit_value = 2;
738 }
739else
740 {
741 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 742 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
743 if (rc == FAIL) *exit_value = 2;
744 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
745 }
746}
747
748
749
750/*************************************************
059ec3d9
PH
751* Show supported features *
752*************************************************/
753
059ec3d9 754static void
96508de1 755show_db_version(FILE * f)
059ec3d9
PH
756{
757#ifdef DB_VERSION_STRING
96508de1
JH
758DEBUG(D_any)
759 {
760 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
761 fprintf(f, " Runtime: %s\n",
762 db_version(NULL, NULL, NULL));
763 }
764else
765 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
766
059ec3d9
PH
767#elif defined(BTREEVERSION) && defined(HASHVERSION)
768 #ifdef USE_DB
769 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
770 #else
771 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
772 #endif
96508de1 773
059ec3d9
PH
774#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
775fprintf(f, "Probably ndbm\n");
776#elif defined(USE_TDB)
777fprintf(f, "Using tdb\n");
778#else
779 #ifdef USE_GDBM
780 fprintf(f, "Probably GDBM (native mode)\n");
781 #else
782 fprintf(f, "Probably GDBM (compatibility mode)\n");
783 #endif
784#endif
96508de1
JH
785}
786
787
788/* This function is called for -bV/--version and for -d to output the optional
789features of the current Exim binary.
790
791Arguments: a FILE for printing
792Returns: nothing
793*/
794
795static void
796show_whats_supported(FILE * f)
797{
798auth_info * authi;
799
800DEBUG(D_any) {} else show_db_version(f);
059ec3d9
PH
801
802fprintf(f, "Support for:");
9cec981f
PH
803#ifdef SUPPORT_CRYPTEQ
804 fprintf(f, " crypteq");
805#endif
059ec3d9
PH
806#if HAVE_ICONV
807 fprintf(f, " iconv()");
808#endif
809#if HAVE_IPV6
810 fprintf(f, " IPv6");
811#endif
79378e0f
PH
812#ifdef HAVE_SETCLASSRESOURCES
813 fprintf(f, " use_setclassresources");
929ba01c 814#endif
059ec3d9
PH
815#ifdef SUPPORT_PAM
816 fprintf(f, " PAM");
817#endif
818#ifdef EXIM_PERL
819 fprintf(f, " Perl");
820#endif
1a46a8c5
PH
821#ifdef EXPAND_DLFUNC
822 fprintf(f, " Expand_dlfunc");
823#endif
059ec3d9
PH
824#ifdef USE_TCP_WRAPPERS
825 fprintf(f, " TCPwrappers");
826#endif
827#ifdef SUPPORT_TLS
c11d665d 828# ifdef USE_GNUTLS
059ec3d9 829 fprintf(f, " GnuTLS");
c11d665d 830# else
059ec3d9 831 fprintf(f, " OpenSSL");
c11d665d 832# endif
059ec3d9 833#endif
b2f5a032
PH
834#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
835 fprintf(f, " translate_ip_address");
836#endif
f174f16e
PH
837#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
838 fprintf(f, " move_frozen_messages");
839#endif
8523533c
TK
840#ifdef WITH_CONTENT_SCAN
841 fprintf(f, " Content_Scanning");
842#endif
c0635b6d
JH
843#ifdef SUPPORT_DANE
844 fprintf(f, " DANE");
845#endif
74f150bf
JH
846#ifndef DISABLE_DKIM
847 fprintf(f, " DKIM");
848#endif
ef1bbb27
HSHR
849#ifndef DISABLE_DNSSEC
850 fprintf(f, " DNSSEC");
851#endif
0cbf2b82
JH
852#ifndef DISABLE_EVENT
853 fprintf(f, " Event");
854#endif
8c5d388a
JH
855#ifdef SUPPORT_I18N
856 fprintf(f, " I18N");
857#endif
74f150bf
JH
858#ifndef DISABLE_OCSP
859 fprintf(f, " OCSP");
860#endif
4d832da1
TL
861#ifndef DISABLE_PRDR
862 fprintf(f, " PRDR");
863#endif
cee5f132
JH
864#ifdef SUPPORT_PROXY
865 fprintf(f, " PROXY");
866#endif
f0989ec0 867#ifdef SUPPORT_SOCKS
74f150bf 868 fprintf(f, " SOCKS");
f2de3a33 869#endif
7952eef9
JH
870#ifdef SUPPORT_SPF
871 fprintf(f, " SPF");
872#endif
1a2dfad5 873#ifdef TCP_FASTOPEN
10ac8d7f
JH
874 deliver_init();
875 if (tcp_fastopen_ok) fprintf(f, " TCP_Fast_Open");
1a2dfad5 876#endif
5bde3efa
ACK
877#ifdef EXPERIMENTAL_LMDB
878 fprintf(f, " Experimental_LMDB");
879#endif
3369a853
ACK
880#ifdef EXPERIMENTAL_QUEUEFILE
881 fprintf(f, " Experimental_QUEUEFILE");
882#endif
8523533c
TK
883#ifdef EXPERIMENTAL_SRS
884 fprintf(f, " Experimental_SRS");
885#endif
617d3932
JH
886#ifdef EXPERIMENTAL_ARC
887 fprintf(f, " Experimental_ARC");
888#endif
8523533c
TK
889#ifdef EXPERIMENTAL_BRIGHTMAIL
890 fprintf(f, " Experimental_Brightmail");
891#endif
6a8f9482
TK
892#ifdef EXPERIMENTAL_DCC
893 fprintf(f, " Experimental_DCC");
894#endif
4840604e
TL
895#ifdef EXPERIMENTAL_DMARC
896 fprintf(f, " Experimental_DMARC");
897#endif
895fbaf2
JH
898#ifdef EXPERIMENTAL_DSN_INFO
899 fprintf(f, " Experimental_DSN_info");
900#endif
8ac90765
JH
901#ifdef EXPERIMENTAL_REQUIRETLS
902 fprintf(f, " Experimental_REQUIRETLS");
903#endif
059ec3d9
PH
904fprintf(f, "\n");
905
e6d225ae
DW
906fprintf(f, "Lookups (built-in):");
907#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
059ec3d9
PH
908 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
909#endif
e6d225ae 910#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
059ec3d9
PH
911 fprintf(f, " cdb");
912#endif
e6d225ae 913#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
4a6a987a 914 fprintf(f, " dbm dbmjz dbmnz");
059ec3d9 915#endif
e6d225ae 916#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
059ec3d9
PH
917 fprintf(f, " dnsdb");
918#endif
e6d225ae 919#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
059ec3d9
PH
920 fprintf(f, " dsearch");
921#endif
e6d225ae 922#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
059ec3d9
PH
923 fprintf(f, " ibase");
924#endif
e6d225ae 925#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
059ec3d9
PH
926 fprintf(f, " ldap ldapdn ldapm");
927#endif
5bde3efa
ACK
928#ifdef EXPERIMENTAL_LMDB
929 fprintf(f, " lmdb");
930#endif
e6d225ae 931#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
059ec3d9
PH
932 fprintf(f, " mysql");
933#endif
e6d225ae 934#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
059ec3d9
PH
935 fprintf(f, " nis nis0");
936#endif
e6d225ae 937#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
059ec3d9
PH
938 fprintf(f, " nisplus");
939#endif
e6d225ae 940#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
059ec3d9
PH
941 fprintf(f, " oracle");
942#endif
e6d225ae 943#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
059ec3d9
PH
944 fprintf(f, " passwd");
945#endif
e6d225ae 946#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
059ec3d9
PH
947 fprintf(f, " pgsql");
948#endif
de78e2d5
JH
949#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
950 fprintf(f, " redis");
951#endif
e6d225ae 952#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
13b685f9
PH
953 fprintf(f, " sqlite");
954#endif
e6d225ae 955#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
059ec3d9
PH
956 fprintf(f, " testdb");
957#endif
e6d225ae 958#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
059ec3d9
PH
959 fprintf(f, " whoson");
960#endif
961fprintf(f, "\n");
962
adf73d37
JH
963auth_show_supported(f);
964route_show_supported(f);
965transport_show_supported(f);
059ec3d9 966
c11d665d
JH
967#ifdef WITH_CONTENT_SCAN
968malware_show_supported(f);
969#endif
970
059ec3d9
PH
971if (fixed_never_users[0] > 0)
972 {
973 int i;
974 fprintf(f, "Fixed never_users: ");
975 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
976 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
977 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
978 }
21c28500 979
19bfe9e7
HSHR
980fprintf(f, "Configure owner: %d:%d\n", config_uid, config_gid);
981
73a46702 982fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725 983
6545de78
PP
984/* Everything else is details which are only worth reporting when debugging.
985Perhaps the tls_version_report should move into this too. */
986DEBUG(D_any) do {
987
988 int i;
989
b3c261f7
PP
990/* clang defines __GNUC__ (at least, for me) so test for it first */
991#if defined(__clang__)
992 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
993#elif defined(__GNUC__)
994 fprintf(f, "Compiler: GCC [%s]\n",
995# ifdef __VERSION__
996 __VERSION__
997# else
998 "? unknown version ?"
999# endif
1000 );
1001#else
1002 fprintf(f, "Compiler: <unknown>\n");
1003#endif
1004
98913c8e 1005#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
1006 fprintf(f, "Library version: Glibc: Compile: %d.%d\n",
1007 __GLIBC__, __GLIBC_MINOR__);
1008 if (__GLIBC_PREREQ(2, 1))
1009 fprintf(f, " Runtime: %s\n",
1010 gnu_get_libc_version());
1011#endif
1012
96508de1
JH
1013show_db_version(f);
1014
754a0503
PP
1015#ifdef SUPPORT_TLS
1016 tls_version_report(f);
1017#endif
8c5d388a 1018#ifdef SUPPORT_I18N
b04be5e7
JH
1019 utf8_version_report(f);
1020#endif
754a0503 1021
fc362fc5
JH
1022 for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
1023 if (authi->version_report)
44bbabb5 1024 (*authi->version_report)(f);
6545de78 1025
decd95cb 1026 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
6475bd82
PP
1027 characters; unless it's an ancient version of PCRE in which case it
1028 is not defined. */
1029#ifndef PCRE_PRERELEASE
01f3091a 1030# define PCRE_PRERELEASE
6475bd82
PP
1031#endif
1032#define QUOTE(X) #X
1033#define EXPAND_AND_QUOTE(X) QUOTE(X)
6545de78
PP
1034 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
1035 " Runtime: %s\n",
1036 PCRE_MAJOR, PCRE_MINOR,
6475bd82 1037 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
6545de78 1038 pcre_version());
6475bd82
PP
1039#undef QUOTE
1040#undef EXPAND_AND_QUOTE
6545de78
PP
1041
1042 init_lookup_list();
1043 for (i = 0; i < lookup_list_count; i++)
6545de78
PP
1044 if (lookup_list[i]->version_report)
1045 lookup_list[i]->version_report(f);
6545de78 1046
b70d2586
PP
1047#ifdef WHITELIST_D_MACROS
1048 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1049#else
1050 fprintf(f, "WHITELIST_D_MACROS unset\n");
1051#endif
1052#ifdef TRUSTED_CONFIG_LIST
1053 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1054#else
1055 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
1056#endif
1057
6545de78 1058} while (0);
059ec3d9
PH
1059}
1060
1061
98a90c36
PP
1062/*************************************************
1063* Show auxiliary information about Exim *
1064*************************************************/
1065
1066static void
1067show_exim_information(enum commandline_info request, FILE *stream)
1068{
1069const uschar **pp;
1070
1071switch(request)
1072 {
1073 case CMDINFO_NONE:
1074 fprintf(stream, "Oops, something went wrong.\n");
1075 return;
1076 case CMDINFO_HELP:
1077 fprintf(stream,
1078"The -bI: flag takes a string indicating which information to provide.\n"
1079"If the string is not recognised, you'll get this help (on stderr).\n"
1080"\n"
1081" exim -bI:help this information\n"
030caf2a
JS
1082" exim -bI:dscp list of known dscp value keywords\n"
1083" exim -bI:sieve list of supported sieve extensions\n"
98a90c36
PP
1084);
1085 return;
1086 case CMDINFO_SIEVE:
1087 for (pp = exim_sieve_extension_list; *pp; ++pp)
1088 fprintf(stream, "%s\n", *pp);
1089 return;
36a3ae5f
PP
1090 case CMDINFO_DSCP:
1091 dscp_list_to_stream(stream);
1092 return;
98a90c36
PP
1093 }
1094}
059ec3d9
PH
1095
1096
1097/*************************************************
1098* Quote a local part *
1099*************************************************/
1100
1101/* This function is used when a sender address or a From: or Sender: header
1102line is being created from the caller's login, or from an authenticated_id. It
1103applies appropriate quoting rules for a local part.
1104
1105Argument: the local part
1106Returns: the local part, quoted if necessary
1107*/
1108
1109uschar *
1110local_part_quote(uschar *lpart)
1111{
1112BOOL needs_quote = FALSE;
acec9514 1113gstring * g;
059ec3d9
PH
1114uschar *t;
1115
1116for (t = lpart; !needs_quote && *t != 0; t++)
1117 {
1118 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1119 (*t != '.' || t == lpart || t[1] == 0);
1120 }
1121
1122if (!needs_quote) return lpart;
1123
acec9514 1124g = string_catn(NULL, US"\"", 1);
059ec3d9
PH
1125
1126for (;;)
1127 {
1128 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1129 if (nq == NULL)
1130 {
acec9514 1131 g = string_cat(g, lpart);
059ec3d9
PH
1132 break;
1133 }
acec9514
JH
1134 g = string_catn(g, lpart, nq - lpart);
1135 g = string_catn(g, US"\\", 1);
1136 g = string_catn(g, nq, 1);
059ec3d9
PH
1137 lpart = nq + 1;
1138 }
1139
acec9514
JH
1140g = string_catn(g, US"\"", 1);
1141return string_from_gstring(g);
059ec3d9
PH
1142}
1143
1144
1145
1146#ifdef USE_READLINE
1147/*************************************************
1148* Load readline() functions *
1149*************************************************/
1150
1151/* This function is called from testing executions that read data from stdin,
1152but only when running as the calling user. Currently, only -be does this. The
1153function loads the readline() function library and passes back the functions.
1154On some systems, it needs the curses library, so load that too, but try without
1155it if loading fails. All this functionality has to be requested at build time.
1156
1157Arguments:
1158 fn_readline_ptr pointer to where to put the readline pointer
1159 fn_addhist_ptr pointer to where to put the addhistory function
1160
1161Returns: the dlopen handle or NULL on failure
1162*/
1163
1164static void *
1ba28e2b
PP
1165set_readline(char * (**fn_readline_ptr)(const char *),
1166 void (**fn_addhist_ptr)(const char *))
059ec3d9
PH
1167{
1168void *dlhandle;
e12f8c32 1169void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
059ec3d9 1170
e12f8c32 1171dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
059ec3d9
PH
1172if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1173
1174if (dlhandle != NULL)
1175 {
1ba28e2b
PP
1176 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1177 * char * readline (const char *prompt);
1178 * void add_history (const char *string);
1179 */
1180 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1181 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
059ec3d9
PH
1182 }
1183else
1184 {
1185 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1186 }
1187
1188return dlhandle;
1189}
1190#endif
1191
1192
1193
1194/*************************************************
1195* Get a line from stdin for testing things *
1196*************************************************/
1197
1198/* This function is called when running tests that can take a number of lines
1199of input (for example, -be and -bt). It handles continuations and trailing
1200spaces. And prompting and a blank line output on eof. If readline() is in use,
1201the arguments are non-NULL and provide the relevant functions.
1202
1203Arguments:
1204 fn_readline readline function or NULL
1205 fn_addhist addhist function or NULL
1206
1207Returns: pointer to dynamic memory, or NULL at end of file
1208*/
1209
1210static uschar *
1ba28e2b 1211get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
059ec3d9
PH
1212{
1213int i;
acec9514 1214gstring * g = NULL;
059ec3d9 1215
acec9514 1216if (!fn_readline) { printf("> "); fflush(stdout); }
059ec3d9
PH
1217
1218for (i = 0;; i++)
1219 {
1220 uschar buffer[1024];
1221 uschar *p, *ss;
1222
1223 #ifdef USE_READLINE
1224 char *readline_line = NULL;
1225 if (fn_readline != NULL)
1226 {
1227 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1228 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1229 p = US readline_line;
1230 }
1231 else
1232 #endif
1233
1234 /* readline() not in use */
1235
1236 {
1237 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1238 p = buffer;
1239 }
1240
1241 /* Handle the line */
1242
1243 ss = p + (int)Ustrlen(p);
1244 while (ss > p && isspace(ss[-1])) ss--;
1245
1246 if (i > 0)
1247 {
1248 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1249 }
1250
acec9514 1251 g = string_catn(g, p, ss - p);
059ec3d9
PH
1252
1253 #ifdef USE_READLINE
acec9514 1254 if (fn_readline) free(readline_line);
059ec3d9
PH
1255 #endif
1256
acec9514
JH
1257 /* g can only be NULL if ss==p */
1258 if (ss == p || g->s[g->ptr-1] != '\\')
059ec3d9 1259 break;
acec9514
JH
1260
1261 --g->ptr;
1262 (void) string_from_gstring(g);
059ec3d9
PH
1263 }
1264
acec9514
JH
1265if (!g) printf("\n");
1266return string_from_gstring(g);
059ec3d9
PH
1267}
1268
1269
1270
1271/*************************************************
81ea09ca
NM
1272* Output usage information for the program *
1273*************************************************/
1274
1275/* This function is called when there are no recipients
1276 or a specific --help argument was added.
1277
1278Arguments:
1279 progname information on what name we were called by
1280
1281Returns: DOES NOT RETURN
1282*/
1283
1284static void
1285exim_usage(uschar *progname)
1286{
1287
4c04137d 1288/* Handle specific program invocation variants */
81ea09ca
NM
1289if (Ustrcmp(progname, US"-mailq") == 0)
1290 {
1291 fprintf(stderr,
e765a0f1 1292 "mailq - list the contents of the mail queue\n\n"
81ea09ca
NM
1293 "For a list of options, see the Exim documentation.\n");
1294 exit(EXIT_FAILURE);
1295 }
1296
1297/* Generic usage - we output this whatever happens */
1298fprintf(stderr,
1299 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1300 "not directly from a shell command line. Options and/or arguments control\n"
1301 "what it does when called. For a list of options, see the Exim documentation.\n");
1302
1303exit(EXIT_FAILURE);
1304}
1305
1306
1307
1308/*************************************************
a7cbbf50
PP
1309* Validate that the macros given are okay *
1310*************************************************/
1311
1312/* Typically, Exim will drop privileges if macros are supplied. In some
1313cases, we want to not do so.
1314
a4034eb8 1315Arguments: opt_D_used - true if the commandline had a "-D" option
a7cbbf50
PP
1316Returns: true if trusted, false otherwise
1317*/
1318
1319static BOOL
a4034eb8 1320macros_trusted(BOOL opt_D_used)
a7cbbf50
PP
1321{
1322#ifdef WHITELIST_D_MACROS
1323macro_item *m;
1a7c9a48 1324uschar *whitelisted, *end, *p, **whites, **w;
a7cbbf50
PP
1325int white_count, i, n;
1326size_t len;
1327BOOL prev_char_item, found;
1328#endif
1329
a4034eb8 1330if (!opt_D_used)
a7cbbf50
PP
1331 return TRUE;
1332#ifndef WHITELIST_D_MACROS
1333return FALSE;
1334#else
1335
66581d1e
PP
1336/* We only trust -D overrides for some invoking users:
1337root, the exim run-time user, the optional config owner user.
1338I don't know why config-owner would be needed, but since they can own the
1339config files anyway, there's no security risk to letting them override -D. */
1340if ( ! ((real_uid == root_uid)
1341 || (real_uid == exim_uid)
1342#ifdef CONFIGURE_OWNER
1343 || (real_uid == config_uid)
1344#endif
1345 ))
1346 {
1347 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1348 return FALSE;
1349 }
1350
a7cbbf50
PP
1351/* Get a list of macros which are whitelisted */
1352whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1353prev_char_item = FALSE;
1354white_count = 0;
1355for (p = whitelisted; *p != '\0'; ++p)
1356 {
1357 if (*p == ':' || isspace(*p))
1358 {
1359 *p = '\0';
1360 if (prev_char_item)
1361 ++white_count;
1362 prev_char_item = FALSE;
1363 continue;
1364 }
1365 if (!prev_char_item)
1366 prev_char_item = TRUE;
1367 }
1368end = p;
1369if (prev_char_item)
1370 ++white_count;
1371if (!white_count)
1372 return FALSE;
1373whites = store_malloc(sizeof(uschar *) * (white_count+1));
1374for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1375 {
1376 if (*p != '\0')
1377 {
1378 whites[i++] = p;
1379 if (i == white_count)
1380 break;
1381 while (*p != '\0' && p < end)
1382 ++p;
1383 }
1384 }
1385whites[i] = NULL;
1386
1a7c9a48
JH
1387/* The list of commandline macros should be very short.
1388Accept the N*M complexity. */
85e03244 1389for (m = macros_user; m; m = m->next) if (m->command_line)
1a7c9a48
JH
1390 {
1391 found = FALSE;
1392 for (w = whites; *w; ++w)
1393 if (Ustrcmp(*w, m->name) == 0)
1394 {
1395 found = TRUE;
1396 break;
1397 }
1398 if (!found)
1399 return FALSE;
1400 if (!m->replacement)
1401 continue;
1402 if ((len = m->replen) == 0)
1403 continue;
1404 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1405 0, PCRE_EOPT, NULL, 0);
1406 if (n < 0)
1407 {
1408 if (n != PCRE_ERROR_NOMATCH)
1409 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1410 return FALSE;
1411 }
1412 }
43236f35 1413DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
a7cbbf50
PP
1414return TRUE;
1415#endif
1416}
1417
1418
1419/*************************************************
9650d98a
JH
1420* Expansion testing *
1421*************************************************/
1422
1423/* Expand and print one item, doing macro-processing.
1424
1425Arguments:
1426 item line for expansion
1427*/
1428
1429static void
1430expansion_test_line(uschar * line)
1431{
1432int len;
1433BOOL dummy_macexp;
1434
1435Ustrncpy(big_buffer, line, big_buffer_size);
1436big_buffer[big_buffer_size-1] = '\0';
1437len = Ustrlen(big_buffer);
1438
1439(void) macros_expand(0, &len, &dummy_macexp);
1440
1441if (isupper(big_buffer[0]))
1442 {
1443 if (macro_read_assignment(big_buffer))
1a7c9a48 1444 printf("Defined macro '%s'\n", mlast->name);
9650d98a
JH
1445 }
1446else
1447 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1448 else printf("Failed: %s\n", expand_string_message);
1449}
1450
1451
1452/*************************************************
059ec3d9
PH
1453* Entry point and high-level code *
1454*************************************************/
1455
1456/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1457the appropriate action. All the necessary functions are present in the one
1458binary. I originally thought one should split it up, but it turns out that so
1459much of the apparatus is needed in each chunk that one might as well just have
1460it all available all the time, which then makes the coding easier as well.
1461
1462Arguments:
1463 argc count of entries in argv
1464 argv argument strings, with argv[0] being the program name
1465
1466Returns: EXIT_SUCCESS if terminated successfully
1467 EXIT_FAILURE otherwise, except when a message has been sent
1468 to the sender, and -oee was given
1469*/
1470
1471int
1472main(int argc, char **cargv)
1473{
1474uschar **argv = USS cargv;
1475int arg_receive_timeout = -1;
1476int arg_smtp_receive_timeout = -1;
1477int arg_error_handling = error_handling;
f05da2e8
PH
1478int filter_sfd = -1;
1479int filter_ufd = -1;
059ec3d9 1480int group_count;
1670ef10 1481int i, rv;
059ec3d9
PH
1482int list_queue_option = 0;
1483int msg_action = 0;
1484int msg_action_arg = -1;
1485int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1486int queue_only_reason = 0;
1487#ifdef EXIM_PERL
1488int perl_start_option = 0;
1489#endif
1490int recipients_arg = argc;
1491int sender_address_domain = 0;
1492int test_retry_arg = -1;
1493int test_rewrite_arg = -1;
1494BOOL arg_queue_only = FALSE;
1495BOOL bi_option = FALSE;
1496BOOL checking = FALSE;
1497BOOL count_queue = FALSE;
1498BOOL expansion_test = FALSE;
1499BOOL extract_recipients = FALSE;
f4ee74ac 1500BOOL flag_G = FALSE;
12f69989 1501BOOL flag_n = FALSE;
059ec3d9
PH
1502BOOL forced_delivery = FALSE;
1503BOOL f_end_dot = FALSE;
1504BOOL deliver_give_up = FALSE;
1505BOOL list_queue = FALSE;
1506BOOL list_options = FALSE;
bf3c2c6b 1507BOOL list_config = FALSE;
059ec3d9
PH
1508BOOL local_queue_only;
1509BOOL more = TRUE;
1510BOOL one_msg_action = FALSE;
4ab69ec7 1511BOOL opt_D_used = FALSE;
059ec3d9
PH
1512BOOL queue_only_set = FALSE;
1513BOOL receiving_message = TRUE;
33d73e3b 1514BOOL sender_ident_set = FALSE;
8669f003 1515BOOL session_local_queue_only;
059ec3d9
PH
1516BOOL unprivileged;
1517BOOL removed_privilege = FALSE;
81ea09ca 1518BOOL usage_wanted = FALSE;
059ec3d9
PH
1519BOOL verify_address_mode = FALSE;
1520BOOL verify_as_sender = FALSE;
1521BOOL version_printed = FALSE;
1522uschar *alias_arg = NULL;
1523uschar *called_as = US"";
a3fb9793 1524uschar *cmdline_syslog_name = NULL;
059ec3d9
PH
1525uschar *start_queue_run_id = NULL;
1526uschar *stop_queue_run_id = NULL;
328895cc 1527uschar *expansion_test_message = NULL;
059ec3d9
PH
1528uschar *ftest_domain = NULL;
1529uschar *ftest_localpart = NULL;
1530uschar *ftest_prefix = NULL;
1531uschar *ftest_suffix = NULL;
0ad2e0fc 1532uschar *log_oneline = NULL;
8544e77a 1533uschar *malware_test_file = NULL;
059ec3d9
PH
1534uschar *real_sender_address;
1535uschar *originator_home = US"/";
a3fb9793 1536size_t sz;
059ec3d9
PH
1537void *reset_point;
1538
1539struct passwd *pw;
1540struct stat statbuf;
1541pid_t passed_qr_pid = (pid_t)0;
1542int passed_qr_pipe = -1;
1543gid_t group_list[NGROUPS_MAX];
1544
98a90c36
PP
1545/* For the -bI: flag */
1546enum commandline_info info_flag = CMDINFO_NONE;
1547BOOL info_stdout = FALSE;
1548
059ec3d9
PH
1549/* Possible options for -R and -S */
1550
1551static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1552
1553/* Need to define this in case we need to change the environment in order
1554to get rid of a bogus time zone. We have to make it char rather than uschar
1555because some OS define it in /usr/include/unistd.h. */
1556
1557extern char **environ;
1558
35edf2ff 1559/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1560defined by ref:name at build time, we must now find the actual uid/gid values.
1561This is a feature to make the lives of binary distributors easier. */
1562
1563#ifdef EXIM_USERNAME
1564if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1565 {
10385c15
PP
1566 if (exim_uid == 0)
1567 {
1568 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1569 EXIM_USERNAME);
1570 exit(EXIT_FAILURE);
1571 }
084c1d8c
PP
1572 /* If ref:name uses a number as the name, route_finduser() returns
1573 TRUE with exim_uid set and pw coerced to NULL. */
1574 if (pw)
1575 exim_gid = pw->pw_gid;
1576#ifndef EXIM_GROUPNAME
1577 else
1578 {
1579 fprintf(stderr,
1580 "exim: ref:name should specify a usercode, not a group.\n"
1581 "exim: can't let you get away with it unless you also specify a group.\n");
1582 exit(EXIT_FAILURE);
1583 }
1584#endif
059ec3d9
PH
1585 }
1586else
1587 {
1588 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1589 EXIM_USERNAME);
1590 exit(EXIT_FAILURE);
1591 }
1592#endif
1593
1594#ifdef EXIM_GROUPNAME
1595if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1596 {
1597 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1598 EXIM_GROUPNAME);
1599 exit(EXIT_FAILURE);
1600 }
1601#endif
1602
1603#ifdef CONFIGURE_OWNERNAME
1604if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1605 {
1606 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1607 CONFIGURE_OWNERNAME);
1608 exit(EXIT_FAILURE);
1609 }
1610#endif
1611
79d4bc3d
PP
1612/* We default the system_filter_user to be the Exim run-time user, as a
1613sane non-root value. */
1614system_filter_uid = exim_uid;
1615
35edf2ff
PH
1616#ifdef CONFIGURE_GROUPNAME
1617if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1618 {
1619 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1620 CONFIGURE_GROUPNAME);
1621 exit(EXIT_FAILURE);
1622 }
1623#endif
1624
92e6a3d9
JH
1625/* In the Cygwin environment, some initialization used to need doing.
1626It was fudged in by means of this macro; now no longer but we'll leave
1627it in case of others. */
059ec3d9
PH
1628
1629#ifdef OS_INIT
1630OS_INIT
1631#endif
1632
1633/* Check a field which is patched when we are running Exim within its
1634testing harness; do a fast initial check, and then the whole thing. */
1635
1636running_in_test_harness =
1637 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
65a32f85
JH
1638if (running_in_test_harness)
1639 debug_store = TRUE;
059ec3d9
PH
1640
1641/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1642at the start of a program; however, it seems that some environments do not
1643follow this. A "strange" locale can affect the formatting of timestamps, so we
1644make quite sure. */
1645
1646setlocale(LC_ALL, "C");
1647
1648/* Set up the default handler for timing using alarm(). */
1649
1650os_non_restarting_signal(SIGALRM, sigalrm_handler);
1651
1652/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1653because store_malloc writes a log entry on failure. */
1654
40c90bca 1655if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
059ec3d9
PH
1656 {
1657 fprintf(stderr, "exim: failed to get store for log buffer\n");
1658 exit(EXIT_FAILURE);
1659 }
1660
6c6d6e48
TF
1661/* Initialize the default log options. */
1662
1663bits_set(log_selector, log_selector_size, log_default);
1664
059ec3d9
PH
1665/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1666NULL when the daemon is run and the file is closed. We have to use this
1667indirection, because some systems don't allow writing to the variable "stderr".
1668*/
1669
1670if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1671
1672/* Arrange for the PCRE regex library to use our store functions. Note that
1673the normal calls are actually macros that add additional arguments for
1674debugging purposes so we have to assign specially constructed functions here.
1675The default is to use store in the stacking pool, but this is overridden in the
1676regex_must_compile() function. */
1677
1678pcre_malloc = function_store_get;
1679pcre_free = function_dummy_free;
1680
1681/* Ensure there is a big buffer for temporary use in several places. It is put
1682in malloc store so that it can be freed for enlargement if necessary. */
1683
1684big_buffer = store_malloc(big_buffer_size);
1685
1686/* Set up the handler for the data request signal, and set the initial
1687descriptive text. */
1688
1689set_process_info("initializing");
1690os_restarting_signal(SIGUSR1, usr1_handler);
1691
830832c9
HSHR
1692/* If running in a dockerized environment, the TERM signal is only
1693delegated to the PID 1 if we request it by setting an signal handler */
1694if (getpid() == 1) signal(SIGTERM, term_handler);
1695
059ec3d9
PH
1696/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1697in the daemon code. For the rest of Exim's uses, we ignore it. */
1698
1699signal(SIGHUP, SIG_IGN);
1700
1701/* We don't want to die on pipe errors as the code is written to handle
1702the write error instead. */
1703
1704signal(SIGPIPE, SIG_IGN);
1705
1706/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1707set to SIG_IGN. This causes subprocesses that complete before the parent
1708process waits for them not to hang around, so when Exim calls wait(), nothing
1709is there. The wait() code has been made robust against this, but let's ensure
1710that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1711ending status. We use sigaction rather than plain signal() on those OS where
1712SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1713problem on AIX with this.) */
1714
1715#ifdef SA_NOCLDWAIT
1716 {
1717 struct sigaction act;
1718 act.sa_handler = SIG_DFL;
1719 sigemptyset(&(act.sa_mask));
1720 act.sa_flags = 0;
1721 sigaction(SIGCHLD, &act, NULL);
1722 }
1723#else
1724signal(SIGCHLD, SIG_DFL);
1725#endif
1726
1727/* Save the arguments for use if we re-exec exim as a daemon after receiving
1728SIGHUP. */
1729
1730sighup_argv = argv;
1731
1732/* Set up the version number. Set up the leading 'E' for the external form of
1733message ids, set the pointer to the internal form, and initialize it to
1734indicate no message being processed. */
1735
1736version_init();
1737message_id_option[0] = '-';
1738message_id_external = message_id_option + 1;
1739message_id_external[0] = 'E';
1740message_id = message_id_external + 1;
1741message_id[0] = 0;
1742
67d175de 1743/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1744created with the modes that it specifies. NOTE: Files created with fopen() have
1745a problem, which was not recognized till rather late (February 2006). With this
1746umask, such files will be world writeable. (They are all content scanning files
1747in the spool directory, which isn't world-accessible, so this is not a
1748disaster, but it's untidy.) I don't want to change this overall setting,
1749however, because it will interact badly with the open() calls. Instead, there's
1750now a function called modefopen() that fiddles with the umask while calling
1751fopen(). */
059ec3d9 1752
67d175de 1753(void)umask(0);
059ec3d9
PH
1754
1755/* Precompile the regular expression for matching a message id. Keep this in
1756step with the code that generates ids in the accept.c module. We need to do
1757this here, because the -M options check their arguments for syntactic validity
1758using mac_ismsgid, which uses this. */
1759
1760regex_ismsgid =
1761 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1762
a5bd321b 1763/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1764code, possibly extended, at the start of an error message. Note that the
1765terminating whitespace character is included. */
a5bd321b
PH
1766
1767regex_smtp_code =
1768 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1769 FALSE, TRUE);
1770
a7cbbf50
PP
1771#ifdef WHITELIST_D_MACROS
1772/* Precompile the regular expression used to filter the content of macros
1773given to -D for permissibility. */
1774
1775regex_whitelisted_macro =
1776 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1777#endif
1778
f38917cc
JH
1779for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1780
059ec3d9
PH
1781/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1782this seems to be a generally accepted convention, since one finds symbolic
1783links called "mailq" in standard OS configurations. */
1784
1785if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1786 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1787 {
1788 list_queue = TRUE;
1789 receiving_message = FALSE;
1790 called_as = US"-mailq";
1791 }
1792
1793/* If the program is called as "rmail" treat it as equivalent to
1794"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1795i.e. preventing a single dot on a line from terminating the message, and
1796returning with zero return code, even in cases of error (provided an error
1797message has been sent). */
1798
1799if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1800 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1801 {
1802 dot_ends = FALSE;
1803 called_as = US"-rmail";
1804 errors_sender_rc = EXIT_SUCCESS;
1805 }
1806
1807/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1808this is a smail convention. */
1809
1810if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1811 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1812 {
1813 smtp_input = smtp_batched_input = TRUE;
1814 called_as = US"-rsmtp";
1815 }
1816
1817/* If the program is called as "runq" treat it as equivalent to "exim -q";
1818this is a smail convention. */
1819
1820if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1821 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1822 {
1823 queue_interval = 0;
1824 receiving_message = FALSE;
1825 called_as = US"-runq";
1826 }
1827
1828/* If the program is called as "newaliases" treat it as equivalent to
1829"exim -bi"; this is a sendmail convention. */
1830
1831if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1832 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1833 {
1834 bi_option = TRUE;
1835 receiving_message = FALSE;
1836 called_as = US"-newaliases";
1837 }
1838
1839/* Save the original effective uid for a couple of uses later. It should
1840normally be root, but in some esoteric environments it may not be. */
1841
1842original_euid = geteuid();
1843
1844/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1845to be the same as the real ones. This makes a difference only if Exim is setuid
1846(or setgid) to something other than root, which could be the case in some
1847special configurations. */
1848
1849real_uid = getuid();
1850real_gid = getgid();
1851
1852if (real_uid == root_uid)
1853 {
1670ef10
PP
1854 rv = setgid(real_gid);
1855 if (rv)
1856 {
1857 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1858 (long int)real_gid, strerror(errno));
1859 exit(EXIT_FAILURE);
1860 }
1861 rv = setuid(real_uid);
1862 if (rv)
1863 {
1864 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1865 (long int)real_uid, strerror(errno));
1866 exit(EXIT_FAILURE);
1867 }
059ec3d9
PH
1868 }
1869
1870/* If neither the original real uid nor the original euid was root, Exim is
1871running in an unprivileged state. */
1872
1873unprivileged = (real_uid != root_uid && original_euid != root_uid);
1874
059ec3d9
PH
1875/* Scan the program's arguments. Some can be dealt with right away; others are
1876simply recorded for checking and handling afterwards. Do a high-level switch
1877on the second character (the one after '-'), to save some effort. */
1878
1879for (i = 1; i < argc; i++)
1880 {
1881 BOOL badarg = FALSE;
1882 uschar *arg = argv[i];
1883 uschar *argrest;
1884 int switchchar;
1885
1886 /* An argument not starting with '-' is the start of a recipients list;
1887 break out of the options-scanning loop. */
1888
1889 if (arg[0] != '-')
1890 {
1891 recipients_arg = i;
1892 break;
1893 }
1894
4c04137d 1895 /* An option consisting of -- terminates the options */
059ec3d9
PH
1896
1897 if (Ustrcmp(arg, "--") == 0)
1898 {
1899 recipients_arg = i + 1;
1900 break;
1901 }
1902
1903 /* Handle flagged options */
1904
1905 switchchar = arg[1];
1906 argrest = arg+2;
1907
1908 /* Make all -ex options synonymous with -oex arguments, since that
1909 is assumed by various callers. Also make -qR options synonymous with -R
1910 options, as that seems to be required as well. Allow for -qqR too, and
1911 the same for -S options. */
1912
1913 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1914 Ustrncmp(arg+1, "qR", 2) == 0 ||
1915 Ustrncmp(arg+1, "qS", 2) == 0)
1916 {
1917 switchchar = arg[2];
1918 argrest++;
1919 }
1920 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1921 {
1922 switchchar = arg[3];
1923 argrest += 2;
1924 queue_2stage = TRUE;
1925 }
1926
1927 /* Make -r synonymous with -f, since it is a documented alias */
1928
1929 else if (arg[1] == 'r') switchchar = 'f';
1930
1931 /* Make -ov synonymous with -v */
1932
1933 else if (Ustrcmp(arg, "-ov") == 0)
1934 {
1935 switchchar = 'v';
1936 argrest++;
1937 }
1938
4b2241d2
PP
1939 /* deal with --option_aliases */
1940 else if (switchchar == '-')
1941 {
1942 if (Ustrcmp(argrest, "help") == 0)
1943 {
1944 usage_wanted = TRUE;
1945 break;
1946 }
1947 else if (Ustrcmp(argrest, "version") == 0)
1948 {
1949 switchchar = 'b';
73a46702 1950 argrest = US"V";
4b2241d2
PP
1951 }
1952 }
1953
059ec3d9
PH
1954 /* High-level switch on active initial letter */
1955
1956 switch(switchchar)
1957 {
a3fb9793
PP
1958
1959 /* sendmail uses -Ac and -Am to control which .cf file is used;
1960 we ignore them. */
1961 case 'A':
1962 if (*argrest == '\0') { badarg = TRUE; break; }
1963 else
1964 {
1965 BOOL ignore = FALSE;
1966 switch (*argrest)
1967 {
1968 case 'c':
1969 case 'm':
1970 if (*(argrest + 1) == '\0')
1971 ignore = TRUE;
1972 break;
1973 }
1974 if (!ignore) { badarg = TRUE; break; }
1975 }
1976 break;
1977
059ec3d9
PH
1978 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1979 so has no need of it. */
1980
1981 case 'B':
1982 if (*argrest == 0) i++; /* Skip over the type */
1983 break;
1984
1985
1986 case 'b':
1987 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1988
1989 /* -bd: Run in daemon mode, awaiting SMTP connections.
1990 -bdf: Ditto, but in the foreground.
1991 */
1992
1993 if (*argrest == 'd')
1994 {
1995 daemon_listen = TRUE;
1996 if (*(++argrest) == 'f') background_daemon = FALSE;
1997 else if (*argrest != 0) { badarg = TRUE; break; }
1998 }
1999
328895cc
PH
2000 /* -be: Run in expansion test mode
2001 -bem: Ditto, but read a message from a file first
2002 */
059ec3d9
PH
2003
2004 else if (*argrest == 'e')
328895cc 2005 {
059ec3d9 2006 expansion_test = checking = TRUE;
328895cc
PH
2007 if (argrest[1] == 'm')
2008 {
2009 if (++i >= argc) { badarg = TRUE; break; }
2010 expansion_test_message = argv[i];
2011 argrest++;
2012 }
2013 if (argrest[1] != 0) { badarg = TRUE; break; }
2014 }
059ec3d9 2015
f05da2e8
PH
2016 /* -bF: Run system filter test */
2017
2018 else if (*argrest == 'F')
2019 {
34e86e20 2020 filter_test |= checking = FTEST_SYSTEM;
f05da2e8
PH
2021 if (*(++argrest) != 0) { badarg = TRUE; break; }
2022 if (++i < argc) filter_test_sfile = argv[i]; else
2023 {
2024 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
2025 exit(EXIT_FAILURE);
2026 }
2027 }
2028
2029 /* -bf: Run user filter test
059ec3d9
PH
2030 -bfd: Set domain for filter testing
2031 -bfl: Set local part for filter testing
2032 -bfp: Set prefix for filter testing
2033 -bfs: Set suffix for filter testing
2034 */
2035
f05da2e8 2036 else if (*argrest == 'f')
059ec3d9 2037 {
f05da2e8 2038 if (*(++argrest) == 0)
059ec3d9 2039 {
34e86e20 2040 filter_test |= checking = FTEST_USER;
f05da2e8 2041 if (++i < argc) filter_test_ufile = argv[i]; else
059ec3d9
PH
2042 {
2043 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
2044 exit(EXIT_FAILURE);
2045 }
2046 }
2047 else
2048 {
2049 if (++i >= argc)
2050 {
2051 fprintf(stderr, "exim: string expected after %s\n", arg);
2052 exit(EXIT_FAILURE);
2053 }
2054 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2055 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2056 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2057 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2058 else { badarg = TRUE; break; }
2059 }
2060 }
2061
2062 /* -bh: Host checking - an IP address must follow. */
2063
2064 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2065 {
2066 if (++i >= argc) { badarg = TRUE; break; }
2067 sender_host_address = argv[i];
2068 host_checking = checking = log_testing_mode = TRUE;
2069 host_checking_callout = argrest[1] == 'c';
1a6230a3 2070 message_logs = FALSE;
059ec3d9
PH
2071 }
2072
2073 /* -bi: This option is used by sendmail to initialize *the* alias file,
2074 though it has the -oA option to specify a different file. Exim has no
2075 concept of *the* alias file, but since Sun's YP make script calls
2076 sendmail this way, some support must be provided. */
2077
2078 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2079
98a90c36
PP
2080 /* -bI: provide information, of the type to follow after a colon.
2081 This is an Exim flag. */
2082
2083 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2084 {
2085 uschar *p = &argrest[2];
2086 info_flag = CMDINFO_HELP;
2087 if (Ustrlen(p))
2088 {
2089 if (strcmpic(p, CUS"sieve") == 0)
2090 {
2091 info_flag = CMDINFO_SIEVE;
2092 info_stdout = TRUE;
2093 }
36a3ae5f
PP
2094 else if (strcmpic(p, CUS"dscp") == 0)
2095 {
2096 info_flag = CMDINFO_DSCP;
2097 info_stdout = TRUE;
2098 }
98a90c36
PP
2099 else if (strcmpic(p, CUS"help") == 0)
2100 {
2101 info_stdout = TRUE;
2102 }
2103 }
2104 }
2105
059ec3d9
PH
2106 /* -bm: Accept and deliver message - the default option. Reinstate
2107 receiving_message, which got turned off for all -b options. */
2108
2109 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2110
8544e77a
PP
2111 /* -bmalware: test the filename given for malware */
2112
2113 else if (Ustrcmp(argrest, "malware") == 0)
2114 {
2115 if (++i >= argc) { badarg = TRUE; break; }
34e86e20 2116 checking = TRUE;
8544e77a
PP
2117 malware_test_file = argv[i];
2118 }
2119
059ec3d9
PH
2120 /* -bnq: For locally originating messages, do not qualify unqualified
2121 addresses. In the envelope, this causes errors; in header lines they
2122 just get left. */
2123
2124 else if (Ustrcmp(argrest, "nq") == 0)
2125 {
2126 allow_unqualified_sender = FALSE;
2127 allow_unqualified_recipient = FALSE;
2128 }
2129
2130 /* -bpxx: List the contents of the mail queue, in various forms. If
2131 the option is -bpc, just a queue count is needed. Otherwise, if the
2132 first letter after p is r, then order is random. */
2133
2134 else if (*argrest == 'p')
2135 {
2136 if (*(++argrest) == 'c')
2137 {
2138 count_queue = TRUE;
2139 if (*(++argrest) != 0) badarg = TRUE;
2140 break;
2141 }
2142
2143 if (*argrest == 'r')
2144 {
2145 list_queue_option = 8;
2146 argrest++;
2147 }
2148 else list_queue_option = 0;
2149
2150 list_queue = TRUE;
2151
2152 /* -bp: List the contents of the mail queue, top-level only */
2153
2154 if (*argrest == 0) {}
2155
2156 /* -bpu: List the contents of the mail queue, top-level undelivered */
2157
2158 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2159
2160 /* -bpa: List the contents of the mail queue, including all delivered */
2161
2162 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2163
2164 /* Unknown after -bp[r] */
2165
2166 else
2167 {
2168 badarg = TRUE;
2169 break;
2170 }
2171 }
2172
2173
2174 /* -bP: List the configuration variables given as the address list.
2175 Force -v, so configuration errors get displayed. */
2176
2177 else if (Ustrcmp(argrest, "P") == 0)
2178 {
bf3c2c6b
HSHR
2179 /* -bP config: we need to setup here, because later,
2180 * when list_options is checked, the config is read already */
2181 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2182 {
2183 list_config = TRUE;
2184 readconf_save_config(version_string);
2185 }
2186 else
2187 {
2188 list_options = TRUE;
2189 debug_selector |= D_v;
2190 debug_file = stderr;
2191 }
059ec3d9
PH
2192 }
2193
2194 /* -brt: Test retry configuration lookup */
2195
2196 else if (Ustrcmp(argrest, "rt") == 0)
2197 {
34e86e20 2198 checking = TRUE;
059ec3d9
PH
2199 test_retry_arg = i + 1;
2200 goto END_ARG;
2201 }
2202
2203 /* -brw: Test rewrite configuration */
2204
2205 else if (Ustrcmp(argrest, "rw") == 0)
2206 {
34e86e20 2207 checking = TRUE;
059ec3d9
PH
2208 test_rewrite_arg = i + 1;
2209 goto END_ARG;
2210 }
2211
2212 /* -bS: Read SMTP commands on standard input, but produce no replies -
2213 all errors are reported by sending messages. */
2214
2215 else if (Ustrcmp(argrest, "S") == 0)
2216 smtp_input = smtp_batched_input = receiving_message = TRUE;
2217
2218 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2219 on standard output. */
2220
2221 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2222
2223 /* -bt: address testing mode */
2224
2225 else if (Ustrcmp(argrest, "t") == 0)
2226 address_test_mode = checking = log_testing_mode = TRUE;
2227
2228 /* -bv: verify addresses */
2229
2230 else if (Ustrcmp(argrest, "v") == 0)
2231 verify_address_mode = checking = log_testing_mode = TRUE;
2232
2233 /* -bvs: verify sender addresses */
2234
2235 else if (Ustrcmp(argrest, "vs") == 0)
2236 {
2237 verify_address_mode = checking = log_testing_mode = TRUE;
2238 verify_as_sender = TRUE;
2239 }
2240
2241 /* -bV: Print version string and support details */
2242
2243 else if (Ustrcmp(argrest, "V") == 0)
2244 {
2245 printf("Exim version %s #%s built %s\n", version_string,
2246 version_cnumber, version_date);
2247 printf("%s\n", CS version_copyright);
2248 version_printed = TRUE;
2249 show_whats_supported(stdout);
b25c9675 2250 log_testing_mode = TRUE;
059ec3d9
PH
2251 }
2252
9ee44efb
PP
2253 /* -bw: inetd wait mode, accept a listening socket as stdin */
2254
2255 else if (*argrest == 'w')
2256 {
2257 inetd_wait_mode = TRUE;
2258 background_daemon = FALSE;
2259 daemon_listen = TRUE;
2260 if (*(++argrest) != '\0')
2261 {
2262 inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE);
2263 if (inetd_wait_timeout <= 0)
2264 {
2265 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2266 exit(EXIT_FAILURE);
2267 }
2268 }
2269 }
2270
059ec3d9
PH
2271 else badarg = TRUE;
2272 break;
2273
2274
2275 /* -C: change configuration file list; ignore if it isn't really
2276 a change! Enforce a prefix check if required. */
2277
2278 case 'C':
2279 if (*argrest == 0)
2280 {
2281 if(++i < argc) argrest = argv[i]; else
2282 { badarg = TRUE; break; }
2283 }
2284 if (Ustrcmp(config_main_filelist, argrest) != 0)
2285 {
2286 #ifdef ALT_CONFIG_PREFIX
2287 int sep = 0;
2288 int len = Ustrlen(ALT_CONFIG_PREFIX);
863bd541 2289 const uschar *list = argrest;
059ec3d9
PH
2290 uschar *filename;
2291 while((filename = string_nextinlist(&list, &sep, big_buffer,
2292 big_buffer_size)) != NULL)
2293 {
2294 if ((Ustrlen(filename) < len ||
2295 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2296 Ustrstr(filename, "/../") != NULL) &&
2297 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2298 {
2299 fprintf(stderr, "-C Permission denied\n");
2300 exit(EXIT_FAILURE);
2301 }
2302 }
2303 #endif
261dc43e
DW
2304 if (real_uid != root_uid)
2305 {
90b6341f 2306 #ifdef TRUSTED_CONFIG_LIST
261dc43e 2307
90b6341f
DW
2308 if (real_uid != exim_uid
2309 #ifdef CONFIGURE_OWNER
2310 && real_uid != config_uid
2311 #endif
2312 )
261dc43e
DW
2313 trusted_config = FALSE;
2314 else
2315 {
90b6341f 2316 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
261dc43e
DW
2317 if (trust_list)
2318 {
2319 struct stat statbuf;
2320
2321 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2322 (statbuf.st_uid != root_uid /* owner not root */
2323 #ifdef CONFIGURE_OWNER
2324 && statbuf.st_uid != config_uid /* owner not the special one */
2325 #endif
2326 ) || /* or */
2327 (statbuf.st_gid != root_gid /* group not root */
2328 #ifdef CONFIGURE_GROUP
2329 && statbuf.st_gid != config_gid /* group not the special one */
2330 #endif
2331 && (statbuf.st_mode & 020) != 0 /* group writeable */
2332 ) || /* or */
2333 (statbuf.st_mode & 2) != 0) /* world writeable */
2334 {
2335 trusted_config = FALSE;
2336 fclose(trust_list);
2337 }
2338 else
2339 {
2340 /* Well, the trust list at least is up to scratch... */
2341 void *reset_point = store_get(0);
90b6341f
DW
2342 uschar *trusted_configs[32];
2343 int nr_configs = 0;
261dc43e
DW
2344 int i = 0;
2345
2346 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2347 {
2348 uschar *start = big_buffer, *nl;
2349 while (*start && isspace(*start))
2350 start++;
1e83d68b 2351 if (*start != '/')
261dc43e
DW
2352 continue;
2353 nl = Ustrchr(start, '\n');
2354 if (nl)
2355 *nl = 0;
90b6341f
DW
2356 trusted_configs[nr_configs++] = string_copy(start);
2357 if (nr_configs == 32)
261dc43e
DW
2358 break;
2359 }
2360 fclose(trust_list);
2361
90b6341f 2362 if (nr_configs)
261dc43e
DW
2363 {
2364 int sep = 0;
55414b25 2365 const uschar *list = argrest;
261dc43e
DW
2366 uschar *filename;
2367 while (trusted_config && (filename = string_nextinlist(&list,
2368 &sep, big_buffer, big_buffer_size)) != NULL)
2369 {
90b6341f 2370 for (i=0; i < nr_configs; i++)
261dc43e 2371 {
90b6341f 2372 if (Ustrcmp(filename, trusted_configs[i]) == 0)
261dc43e
DW
2373 break;
2374 }
90b6341f 2375 if (i == nr_configs)
261dc43e
DW
2376 {
2377 trusted_config = FALSE;
2378 break;
2379 }
2380 }
1e83d68b 2381 store_reset(reset_point);
261dc43e
DW
2382 }
2383 else
2384 {
2385 /* No valid prefixes found in trust_list file. */
2386 trusted_config = FALSE;
2387 }
2388 }
2389 }
2390 else
2391 {
2392 /* Could not open trust_list file. */
2393 trusted_config = FALSE;
2394 }
2395 }
2396 #else
2397 /* Not root; don't trust config */
2398 trusted_config = FALSE;
2399 #endif
2400 }
059ec3d9
PH
2401
2402 config_main_filelist = argrest;
2403 config_changed = TRUE;
2404 }
2405 break;
2406
2407
2408 /* -D: set up a macro definition */
2409
2410 case 'D':
2411 #ifdef DISABLE_D_OPTION
2412 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2413 exit(EXIT_FAILURE);
2414 #else
2415 {
2416 int ptr = 0;
059ec3d9
PH
2417 macro_item *m;
2418 uschar name[24];
2419 uschar *s = argrest;
2420
4ab69ec7 2421 opt_D_used = TRUE;
059ec3d9
PH
2422 while (isspace(*s)) s++;
2423
2424 if (*s < 'A' || *s > 'Z')
2425 {
2426 fprintf(stderr, "exim: macro name set by -D must start with "
2427 "an upper case letter\n");
2428 exit(EXIT_FAILURE);
2429 }
2430
2431 while (isalnum(*s) || *s == '_')
2432 {
2433 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2434 s++;
2435 }
2436 name[ptr] = 0;
2437 if (ptr == 0) { badarg = TRUE; break; }
2438 while (isspace(*s)) s++;
2439 if (*s != 0)
2440 {
2441 if (*s++ != '=') { badarg = TRUE; break; }
2442 while (isspace(*s)) s++;
2443 }
2444
85e03244 2445 for (m = macros_user; m; m = m->next)
1a7c9a48
JH
2446 if (Ustrcmp(m->name, name) == 0)
2447 {
2448 fprintf(stderr, "exim: duplicated -D in command line\n");
2449 exit(EXIT_FAILURE);
2450 }
059ec3d9 2451
85e03244 2452 m = macro_create(name, s, TRUE);
059ec3d9
PH
2453
2454 if (clmacro_count >= MAX_CLMACROS)
2455 {
2456 fprintf(stderr, "exim: too many -D options on command line\n");
2457 exit(EXIT_FAILURE);
2458 }
1a7c9a48
JH
2459 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2460 m->replacement);
059ec3d9
PH
2461 }
2462 #endif
2463 break;
2464
2465 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2466 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2467 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2468
2469 case 'd':
2470 if (Ustrcmp(argrest, "ropcr") == 0)
2471 {
2472 /* drop_cr = TRUE; */
2473 }
2474
2475 /* Use an intermediate variable so that we don't set debugging while
2476 decoding the debugging bits. */
2477
2478 else
2479 {
2480 unsigned int selector = D_default;
2481 debug_selector = 0;
2482 debug_file = NULL;
3d235903
PH
2483 if (*argrest == 'd')
2484 {
2485 debug_daemon = TRUE;
2486 argrest++;
2487 }
059ec3d9 2488 if (*argrest != 0)
6c6d6e48
TF
2489 decode_bits(&selector, 1, debug_notall, argrest,
2490 debug_options, debug_options_count, US"debug", 0);
059ec3d9
PH
2491 debug_selector = selector;
2492 }
2493 break;
2494
2495
2496 /* -E: This is a local error message. This option is not intended for
2497 external use at all, but is not restricted to trusted callers because it
2498 does no harm (just suppresses certain error messages) and if Exim is run
2499 not setuid root it won't always be trusted when it generates error
2500 messages using this option. If there is a message id following -E, point
2501 message_reference at it, for logging. */
2502
2503 case 'E':
2504 local_error_message = TRUE;
2505 if (mac_ismsgid(argrest)) message_reference = argrest;
2506 break;
2507
2508
2509 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2510 option, so it looks as if historically the -oex options are also callable
2511 without the leading -o. So we have to accept them. Before the switch,
2512 anything starting -oe has been converted to -e. Exim does not support all
2513 of the sendmail error options. */
2514
2515 case 'e':
2516 if (Ustrcmp(argrest, "e") == 0)
2517 {
2518 arg_error_handling = ERRORS_SENDER;
2519 errors_sender_rc = EXIT_SUCCESS;
2520 }
2521 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2522 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2523 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2524 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2525 else badarg = TRUE;
2526 break;
2527
2528
2529 /* -F: Set sender's full name, used instead of the gecos entry from
2530 the password file. Since users can usually alter their gecos entries,
2531 there's no security involved in using this instead. The data can follow
2532 the -F or be in the next argument. */
2533
2534 case 'F':
2535 if (*argrest == 0)
2536 {
2537 if(++i < argc) argrest = argv[i]; else
2538 { badarg = TRUE; break; }
2539 }
2540 originator_name = argrest;
2fe1a124 2541 sender_name_forced = TRUE;
059ec3d9
PH
2542 break;
2543
2544
2545 /* -f: Set sender's address - this value is only actually used if Exim is
2546 run by a trusted user, or if untrusted_set_sender is set and matches the
2547 address, except that the null address can always be set by any user. The
2548 test for this happens later, when the value given here is ignored when not
2549 permitted. For an untrusted user, the actual sender is still put in Sender:
2550 if it doesn't match the From: header (unless no_local_from_check is set).
2551 The data can follow the -f or be in the next argument. The -r switch is an
2552 obsolete form of -f but since there appear to be programs out there that
2553 use anything that sendmail has ever supported, better accept it - the
2554 synonymizing is done before the switch above.
2555
2556 At this stage, we must allow domain literal addresses, because we don't
2557 know what the setting of allow_domain_literals is yet. Ditto for trailing
2558 dots and strip_trailing_dot. */
2559
2560 case 'f':
2561 {
250b6871 2562 int dummy_start, dummy_end;
059ec3d9
PH
2563 uschar *errmess;
2564 if (*argrest == 0)
2565 {
2566 if (i+1 < argc) argrest = argv[++i]; else
2567 { badarg = TRUE; break; }
2568 }
2569 if (*argrest == 0)
059ec3d9 2570 sender_address = string_sprintf(""); /* Ensure writeable memory */
059ec3d9
PH
2571 else
2572 {
2573 uschar *temp = argrest + Ustrlen(argrest) - 1;
2574 while (temp >= argrest && isspace(*temp)) temp--;
2575 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2576 allow_domain_literals = TRUE;
2577 strip_trailing_dot = TRUE;
8c5d388a 2578#ifdef SUPPORT_I18N
250b6871
JH
2579 allow_utf8_domains = TRUE;
2580#endif
2581 sender_address = parse_extract_address(argrest, &errmess,
2582 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
8c5d388a 2583#ifdef SUPPORT_I18N
250b6871
JH
2584 message_smtputf8 = string_is_utf8(sender_address);
2585 allow_utf8_domains = FALSE;
2586#endif
059ec3d9
PH
2587 allow_domain_literals = FALSE;
2588 strip_trailing_dot = FALSE;
2589 if (sender_address == NULL)
2590 {
2591 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2592 return EXIT_FAILURE;
2593 }
2594 }
2595 sender_address_forced = TRUE;
2596 }
2597 break;
2598
a3fb9793 2599 /* -G: sendmail invocation to specify that it's a gateway submission and
f4ee74ac
PP
2600 sendmail may complain about problems instead of fixing them.
2601 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2602 not at this time complain about problems. */
059ec3d9
PH
2603
2604 case 'G':
f4ee74ac 2605 flag_G = TRUE;
059ec3d9
PH
2606 break;
2607
2608 /* -h: Set the hop count for an incoming message. Exim does not currently
2609 support this; it always computes it by counting the Received: headers.
2610 To put it in will require a change to the spool header file format. */
2611
2612 case 'h':
2613 if (*argrest == 0)
2614 {
2615 if(++i < argc) argrest = argv[i]; else
2616 { badarg = TRUE; break; }
2617 }
2618 if (!isdigit(*argrest)) badarg = TRUE;
2619 break;
2620
2621
2622 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2623 not to be documented for sendmail but mailx (at least) uses it) */
2624
2625 case 'i':
2626 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2627 break;
2628
2629
a3fb9793
PP
2630 /* -L: set the identifier used for syslog; equivalent to setting
2631 syslog_processname in the config file, but needs to be an admin option. */
2632
2633 case 'L':
2634 if (*argrest == '\0')
2635 {
2636 if(++i < argc) argrest = argv[i]; else
2637 { badarg = TRUE; break; }
2638 }
2639 sz = Ustrlen(argrest);
2640 if (sz > 32)
2641 {
2642 fprintf(stderr, "exim: the -L syslog name is too long: \"%s\"\n", argrest);
2643 return EXIT_FAILURE;
2644 }
2645 if (sz < 1)
2646 {
2647 fprintf(stderr, "exim: the -L syslog name is too short\n");
2648 return EXIT_FAILURE;
2649 }
2650 cmdline_syslog_name = argrest;
2651 break;
2652
059ec3d9
PH
2653 case 'M':
2654 receiving_message = FALSE;
2655
2656 /* -MC: continue delivery of another message via an existing open
2657 file descriptor. This option is used for an internal call by the
2658 smtp transport when there is a pending message waiting to go to an
2659 address to which it has got a connection. Five subsequent arguments are
2660 required: transport name, host name, IP address, sequence number, and
2661 message_id. Transports may decline to create new processes if the sequence
2662 number gets too big. The channel is stdin. This (-MC) must be the last
2663 argument. There's a subsequent check that the real-uid is privileged.
2664
2665 If we are running in the test harness. delay for a bit, to let the process
2666 that set this one up complete. This makes for repeatability of the logging,
2667 etc. output. */
2668
2669 if (Ustrcmp(argrest, "C") == 0)
2670 {
41c7c167
PH
2671 union sockaddr_46 interface_sock;
2672 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2673
059ec3d9
PH
2674 if (argc != i + 6)
2675 {
2676 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2677 return EXIT_FAILURE;
2678 }
2679
2680 if (msg_action_arg >= 0)
2681 {
2682 fprintf(stderr, "exim: incompatible arguments\n");
2683 return EXIT_FAILURE;
2684 }
2685
2686 continue_transport = argv[++i];
2687 continue_hostname = argv[++i];
2688 continue_host_address = argv[++i];
2689 continue_sequence = Uatoi(argv[++i]);
2690 msg_action = MSG_DELIVER;
2691 msg_action_arg = ++i;
2692 forced_delivery = TRUE;
2693 queue_run_pid = passed_qr_pid;
2694 queue_run_pipe = passed_qr_pipe;
2695
2696 if (!mac_ismsgid(argv[i]))
2697 {
2698 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2699 argv[i]);
2700 return EXIT_FAILURE;
2701 }
2702
875512a3
JH
2703 /* Set up $sending_ip_address and $sending_port, unless proxied */
2704
5013d912 2705 if (!continue_proxy_cipher)
875512a3
JH
2706 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2707 &size) == 0)
2708 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2709 &sending_port);
2710 else
2711 {
2712 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2713 strerror(errno));
2714 return EXIT_FAILURE;
2715 }
41c7c167 2716
059ec3d9
PH
2717 if (running_in_test_harness) millisleep(500);
2718 break;
2719 }
2720
2d14f397
JH
2721 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2722 {
875512a3 2723 switch(argrest[1])
2d14f397 2724 {
059ec3d9
PH
2725 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2726 precedes -MC (see above). The flag indicates that the host to which
2727 Exim is connected has accepted an AUTH sequence. */
2728
2d14f397 2729 case 'A': smtp_authenticated = TRUE; break;
059ec3d9 2730
6c1c3d1d
WB
2731 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2732 that exim is connected to supports the esmtp extension DSN */
28b3821f 2733
14de8063 2734 case 'D': smtp_peer_options |= OPTION_DSN; break;
6c1c3d1d 2735
e37f8a84 2736 /* -MCG: set the queue name, to a non-default value */
28b3821f 2737
2d14f397
JH
2738 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2739 else badarg = TRUE;
2740 break;
2741
2742 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2743
14de8063 2744 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
28b3821f 2745
059ec3d9
PH
2746 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2747 it preceded -MC (see above) */
2748
14de8063 2749 case 'P': smtp_peer_options |= OPTION_PIPE; break;
059ec3d9
PH
2750
2751 /* -MCQ: pass on the pid of the queue-running process that started
2752 this chain of deliveries and the fd of its synchronizing pipe; this
2753 is useful only when it precedes -MC (see above) */
2754
2d14f397
JH
2755 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2756 else badarg = TRUE;
2757 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2758 else badarg = TRUE;
2759 break;
059ec3d9
PH
2760
2761 /* -MCS: set the smtp_use_size flag; this is useful only when it
2762 precedes -MC (see above) */
2763
14de8063 2764 case 'S': smtp_peer_options |= OPTION_SIZE; break;
059ec3d9 2765
2d14f397 2766#ifdef SUPPORT_TLS
875512a3
JH
2767 /* -MCt: similar to -MCT below but the connection is still open
2768 via a proxy proces which handles the TLS context and coding.
5013d912
JH
2769 Require three arguments for the proxied local address and port,
2770 and the TLS cipher. */
875512a3 2771
5013d912 2772 case 't': if (++i < argc) sending_ip_address = argv[i];
875512a3
JH
2773 else badarg = TRUE;
2774 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2775 else badarg = TRUE;
5013d912
JH
2776 if (++i < argc) continue_proxy_cipher = argv[i];
2777 else badarg = TRUE;
875512a3
JH
2778 /*FALLTHROUGH*/
2779
059ec3d9
PH
2780 /* -MCT: set the tls_offered flag; this is useful only when it
2781 precedes -MC (see above). The flag indicates that the host to which
2782 Exim is connected has offered TLS support. */
2783
14de8063 2784 case 'T': smtp_peer_options |= OPTION_TLS; break;
2d14f397
JH
2785#endif
2786
2787 default: badarg = TRUE; break;
2788 }
8ac90765
JH
2789 break;
2790 }
2791
2792#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
2793 /* -MS set REQUIRETLS on (new) message */
2794
2795 else if (*argrest == 'S')
2796 {
2797 tls_requiretls |= REQUIRETLS_MSG;
2798 break;
059ec3d9 2799 }
8ac90765 2800#endif
059ec3d9
PH
2801
2802 /* -M[x]: various operations on the following list of message ids:
2803 -M deliver the messages, ignoring next retry times and thawing
2804 -Mc deliver the messages, checking next retry times, no thawing
2805 -Mf freeze the messages
2806 -Mg give up on the messages
2807 -Mt thaw the messages
2808 -Mrm remove the messages
2809 In the above cases, this must be the last option. There are also the
2810 following options which are followed by a single message id, and which
2811 act on that message. Some of them use the "recipient" addresses as well.
2812 -Mar add recipient(s)
2813 -Mmad mark all recipients delivered
2814 -Mmd mark recipients(s) delivered
2815 -Mes edit sender
0ef732d9 2816 -Mset load a message for use with -be
059ec3d9 2817 -Mvb show body
a96603a0 2818 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2819 -Mvh show header
2820 -Mvl show log
2821 */
2822
2823 else if (*argrest == 0)
2824 {
2825 msg_action = MSG_DELIVER;
2826 forced_delivery = deliver_force_thaw = TRUE;
2827 }
2828 else if (Ustrcmp(argrest, "ar") == 0)
2829 {
2830 msg_action = MSG_ADD_RECIPIENT;
2831 one_msg_action = TRUE;
2832 }
2833 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2834 else if (Ustrcmp(argrest, "es") == 0)
2835 {
2836 msg_action = MSG_EDIT_SENDER;
2837 one_msg_action = TRUE;
2838 }
2839 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2840 else if (Ustrcmp(argrest, "g") == 0)
2841 {
2842 msg_action = MSG_DELIVER;
2843 deliver_give_up = TRUE;
2844 }
2845 else if (Ustrcmp(argrest, "mad") == 0)
2846 {
2847 msg_action = MSG_MARK_ALL_DELIVERED;
2848 }
2849 else if (Ustrcmp(argrest, "md") == 0)
2850 {
2851 msg_action = MSG_MARK_DELIVERED;
2852 one_msg_action = TRUE;
2853 }
2854 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2855 else if (Ustrcmp(argrest, "set") == 0)
2856 {
2857 msg_action = MSG_LOAD;
2858 one_msg_action = TRUE;
2859 }
059ec3d9
PH
2860 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2861 else if (Ustrcmp(argrest, "vb") == 0)
2862 {
2863 msg_action = MSG_SHOW_BODY;
2864 one_msg_action = TRUE;
2865 }
a96603a0
PH
2866 else if (Ustrcmp(argrest, "vc") == 0)
2867 {
2868 msg_action = MSG_SHOW_COPY;
2869 one_msg_action = TRUE;
2870 }
059ec3d9
PH
2871 else if (Ustrcmp(argrest, "vh") == 0)
2872 {
2873 msg_action = MSG_SHOW_HEADER;
2874 one_msg_action = TRUE;
2875 }
2876 else if (Ustrcmp(argrest, "vl") == 0)
2877 {
2878 msg_action = MSG_SHOW_LOG;
2879 one_msg_action = TRUE;
2880 }
2881 else { badarg = TRUE; break; }
2882
2883 /* All the -Mxx options require at least one message id. */
2884
2885 msg_action_arg = i + 1;
2886 if (msg_action_arg >= argc)
2887 {
2888 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2889 return EXIT_FAILURE;
2890 }
2891
2892 /* Some require only message ids to follow */
2893
2894 if (!one_msg_action)
2895 {
2896 int j;
2897 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2898 {
2899 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2900 argv[j], arg);
2901 return EXIT_FAILURE;
2902 }
2903 goto END_ARG; /* Remaining args are ids */
2904 }
2905
2906 /* Others require only one message id, possibly followed by addresses,
2907 which will be handled as normal arguments. */
2908
2909 else
2910 {
2911 if (!mac_ismsgid(argv[msg_action_arg]))
2912 {
2913 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2914 argv[msg_action_arg], arg);
2915 return EXIT_FAILURE;
2916 }
2917 i++;
2918 }
2919 break;
2920
2921
2922 /* Some programs seem to call the -om option without the leading o;
2923 for sendmail it askes for "me too". Exim always does this. */
2924
2925 case 'm':
2926 if (*argrest != 0) badarg = TRUE;
2927 break;
2928
2929
2930 /* -N: don't do delivery - a debugging option that stops transports doing
2931 their thing. It implies debugging at the D_v level. */
2932
2933 case 'N':
2934 if (*argrest == 0)
2935 {
2936 dont_deliver = TRUE;
2937 debug_selector |= D_v;
2938 debug_file = stderr;
2939 }
2940 else badarg = TRUE;
2941 break;
2942
2943
12f69989
PP
2944 /* -n: This means "don't alias" in sendmail, apparently.
2945 For normal invocations, it has no effect.
2946 It may affect some other options. */
059ec3d9
PH
2947
2948 case 'n':
12f69989 2949 flag_n = TRUE;
059ec3d9
PH
2950 break;
2951
2952 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2953 option to the specified value. This form uses long names. We need to handle
2954 -O option=value and -Ooption=value. */
2955
2956 case 'O':
2957 if (*argrest == 0)
2958 {
2959 if (++i >= argc)
2960 {
2961 fprintf(stderr, "exim: string expected after -O\n");
2962 exit(EXIT_FAILURE);
2963 }
2964 }
2965 break;
2966
2967 case 'o':
2968
2969 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2970 file" option). */
2971
2972 if (*argrest == 'A')
2973 {
2974 alias_arg = argrest + 1;
2975 if (alias_arg[0] == 0)
2976 {
2977 if (i+1 < argc) alias_arg = argv[++i]; else
2978 {
2979 fprintf(stderr, "exim: string expected after -oA\n");
2980 exit(EXIT_FAILURE);
2981 }
2982 }
2983 }
2984
2985 /* -oB: Set a connection message max value for remote deliveries */
2986
2987 else if (*argrest == 'B')
2988 {
2989 uschar *p = argrest + 1;
2990 if (p[0] == 0)
2991 {
2992 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2993 {
2994 connection_max_messages = 1;
2995 p = NULL;
2996 }
2997 }
2998
2999 if (p != NULL)
3000 {
3001 if (!isdigit(*p))
3002 {
3003 fprintf(stderr, "exim: number expected after -oB\n");
3004 exit(EXIT_FAILURE);
3005 }
3006 connection_max_messages = Uatoi(p);
3007 }
3008 }
3009
3010 /* -odb: background delivery */
3011
3012 else if (Ustrcmp(argrest, "db") == 0)
3013 {
3014 synchronous_delivery = FALSE;
3015 arg_queue_only = FALSE;
3016 queue_only_set = TRUE;
3017 }
3018
3019 /* -odf: foreground delivery (smail-compatible option); same effect as
3020 -odi: interactive (synchronous) delivery (sendmail-compatible option)
3021 */
3022
3023 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
3024 {
3025 synchronous_delivery = TRUE;
3026 arg_queue_only = FALSE;
3027 queue_only_set = TRUE;
3028 }
3029
3030 /* -odq: queue only */
3031
3032 else if (Ustrcmp(argrest, "dq") == 0)
3033 {
3034 synchronous_delivery = FALSE;
3035 arg_queue_only = TRUE;
3036 queue_only_set = TRUE;
3037 }
3038
3039 /* -odqs: queue SMTP only - do local deliveries and remote routing,
3040 but no remote delivery */
3041
3042 else if (Ustrcmp(argrest, "dqs") == 0)
3043 {
3044 queue_smtp = TRUE;
3045 arg_queue_only = FALSE;
3046 queue_only_set = TRUE;
3047 }
3048
3049 /* -oex: Sendmail error flags. As these are also accepted without the
3050 leading -o prefix, for compatibility with vacation and other callers,
3051 they are handled with -e above. */
3052
3053 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
3054 -oitrue: Another sendmail syntax for the same */
3055
3056 else if (Ustrcmp(argrest, "i") == 0 ||
3057 Ustrcmp(argrest, "itrue") == 0)
3058 dot_ends = FALSE;
3059
3060 /* -oM*: Set various characteristics for an incoming message; actually
3061 acted on for trusted callers only. */
3062
3063 else if (*argrest == 'M')
3064 {
3065 if (i+1 >= argc)
3066 {
3067 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
3068 exit(EXIT_FAILURE);
3069 }
3070
3071 /* -oMa: Set sender host address */
3072
3073 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
3074
3075 /* -oMaa: Set authenticator name */
3076
3077 else if (Ustrcmp(argrest, "Maa") == 0)
3078 sender_host_authenticated = argv[++i];
3079
3080 /* -oMas: setting authenticated sender */
3081
3082 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
3083
3084 /* -oMai: setting authenticated id */
3085
3086 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
3087
3088 /* -oMi: Set incoming interface address */
3089
3090 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
3091
d2af03f4
HS
3092 /* -oMm: Message reference */
3093
3094 else if (Ustrcmp(argrest, "Mm") == 0)
3095 {
3096 if (!mac_ismsgid(argv[i+1]))
3097 {
3098 fprintf(stderr,"-oMm must be a valid message ID\n");
3099 exit(EXIT_FAILURE);
3100 }
3101 if (!trusted_config)
3102 {
3103 fprintf(stderr,"-oMm must be called by a trusted user/config\n");
3104 exit(EXIT_FAILURE);
3105 }
3106 message_reference = argv[++i];
3107 }
3108
059ec3d9
PH
3109 /* -oMr: Received protocol */
3110
65e061b7
HSHR
3111 else if (Ustrcmp(argrest, "Mr") == 0)
3112
3113 if (received_protocol)
3114 {
3115 fprintf(stderr, "received_protocol is set already\n");
3116 exit(EXIT_FAILURE);
3117 }
3118 else received_protocol = argv[++i];
059ec3d9
PH
3119
3120 /* -oMs: Set sender host name */
3121
3122 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3123
3124 /* -oMt: Set sender ident */
3125
33d73e3b
PH
3126 else if (Ustrcmp(argrest, "Mt") == 0)
3127 {
3128 sender_ident_set = TRUE;
3129 sender_ident = argv[++i];
3130 }
059ec3d9
PH
3131
3132 /* Else a bad argument */
3133
3134 else
3135 {
3136 badarg = TRUE;
3137 break;
3138 }
3139 }
3140
3141 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3142 seem to call this as -m (undocumented), so that is also accepted (see
3143 above). */
3144
3145 else if (Ustrcmp(argrest, "m") == 0) {}
3146
3147 /* -oo: An ancient flag for old-style addresses which still seems to
3148 crop up in some calls (see in SCO). */
3149
3150 else if (Ustrcmp(argrest, "o") == 0) {}
3151
3152 /* -oP <name>: set pid file path for daemon */
3153
3154 else if (Ustrcmp(argrest, "P") == 0)
3155 override_pid_file_path = argv[++i];
3156
3157 /* -or <n>: set timeout for non-SMTP acceptance
3158 -os <n>: set timeout for SMTP acceptance */
3159
3160 else if (*argrest == 'r' || *argrest == 's')
3161 {
3162 int *tp = (*argrest == 'r')?
3163 &arg_receive_timeout : &arg_smtp_receive_timeout;
3164 if (argrest[1] == 0)
3165 {
3166 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3167 }
3168 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3169 if (*tp < 0)
3170 {
3171 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3172 exit(EXIT_FAILURE);
3173 }
3174 }
3175
3176 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3177
3178 else if (Ustrcmp(argrest, "X") == 0)
3179 override_local_interfaces = argv[++i];
3180
3181 /* Unknown -o argument */
3182
3183 else badarg = TRUE;
3184 break;
3185
3186
3187 /* -ps: force Perl startup; -pd force delayed Perl startup */
3188
3189 case 'p':
3190 #ifdef EXIM_PERL
3191 if (*argrest == 's' && argrest[1] == 0)
3192 {
3193 perl_start_option = 1;
3194 break;
3195 }
3196 if (*argrest == 'd' && argrest[1] == 0)
3197 {
3198 perl_start_option = -1;
3199 break;
3200 }
3201 #endif
3202
3203 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3204 which sets the host protocol and host name */
3205
3206 if (*argrest == 0)
5bfe3b35
JH
3207 if (i+1 < argc)
3208 argrest = argv[++i];
3209 else
059ec3d9 3210 { badarg = TRUE; break; }
059ec3d9
PH
3211
3212 if (*argrest != 0)
3213 {
65e061b7
HSHR
3214 uschar *hn;
3215
3216 if (received_protocol)
3217 {
3218 fprintf(stderr, "received_protocol is set already\n");
3219 exit(EXIT_FAILURE);
3220 }
3221
3222 hn = Ustrchr(argrest, ':');
059ec3d9 3223 if (hn == NULL)
059ec3d9 3224 received_protocol = argrest;
059ec3d9
PH
3225 else
3226 {
90341c71
JH
3227 int old_pool = store_pool;
3228 store_pool = POOL_PERM;
059ec3d9 3229 received_protocol = string_copyn(argrest, hn - argrest);
90341c71 3230 store_pool = old_pool;
059ec3d9
PH
3231 sender_host_name = hn + 1;
3232 }
3233 }
3234 break;
3235
3236
3237 case 'q':
3238 receiving_message = FALSE;
3cc66b45
PH
3239 if (queue_interval >= 0)
3240 {
3241 fprintf(stderr, "exim: -q specified more than once\n");
3242 exit(EXIT_FAILURE);
3243 }
059ec3d9
PH
3244
3245 /* -qq...: Do queue runs in a 2-stage manner */
3246
3247 if (*argrest == 'q')
3248 {
3249 queue_2stage = TRUE;
3250 argrest++;
3251 }
3252
3253 /* -qi...: Do only first (initial) deliveries */
3254
3255 if (*argrest == 'i')
3256 {
3257 queue_run_first_delivery = TRUE;
3258 argrest++;
3259 }
3260
3261 /* -qf...: Run the queue, forcing deliveries
3262 -qff..: Ditto, forcing thawing as well */
3263
3264 if (*argrest == 'f')
3265 {
3266 queue_run_force = TRUE;
55e70e76 3267 if (*++argrest == 'f')
059ec3d9
PH
3268 {
3269 deliver_force_thaw = TRUE;
3270 argrest++;
3271 }
3272 }
3273
3274 /* -q[f][f]l...: Run the queue only on local deliveries */
3275
3276 if (*argrest == 'l')
3277 {
3278 queue_run_local = TRUE;
3279 argrest++;
3280 }
3281
55e70e76 3282 /* -q[f][f][l][G<name>]... Work on the named queue */
28b3821f
JH
3283
3284 if (*argrest == 'G')
3285 {
fa665e0b
JH
3286 int i;
3287 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3288 queue_name = string_copyn(argrest, i);
3289 argrest += i;
3290 if (*argrest == '/') argrest++;
28b3821f
JH
3291 }
3292
3293 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3294 only, optionally named, optionally starting from a given message id. */
059ec3d9
PH
3295
3296 if (*argrest == 0 &&
3297 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3298 {
3299 queue_interval = 0;
3300 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3301 start_queue_run_id = argv[++i];
3302 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3303 stop_queue_run_id = argv[++i];
3304 }
3305
fa665e0b
JH
3306 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3307 forced, optionally local only, optionally named. */
059ec3d9 3308
55e70e76
JH
3309 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3310 0, FALSE)) <= 0)
059ec3d9 3311 {
55e70e76
JH
3312 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3313 exit(EXIT_FAILURE);
059ec3d9
PH
3314 }
3315 break;
3316
3317
3318 case 'R': /* Synonymous with -qR... */
3319 receiving_message = FALSE;
3320
3321 /* -Rf: As -R (below) but force all deliveries,
3322 -Rff: Ditto, but also thaw all frozen messages,
3323 -Rr: String is regex
3324 -Rrf: Regex and force
3325 -Rrff: Regex and force and thaw
3326
3327 in all cases provided there are no further characters in this
3328 argument. */
3329
3330 if (*argrest != 0)
3331 {
3332 int i;
55e70e76 3333 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3334 if (Ustrcmp(argrest, rsopts[i]) == 0)
3335 {
3336 if (i != 2) queue_run_force = TRUE;
3337 if (i >= 2) deliver_selectstring_regex = TRUE;
3338 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3339 argrest += Ustrlen(rsopts[i]);
3340 }
059ec3d9
PH
3341 }
3342
3343 /* -R: Set string to match in addresses for forced queue run to
3344 pick out particular messages. */
3345
55e70e76
JH
3346 if (*argrest)
3347 deliver_selectstring = argrest;
3348 else if (i+1 < argc)
3349 deliver_selectstring = argv[++i];
3350 else
059ec3d9 3351 {
55e70e76
JH
3352 fprintf(stderr, "exim: string expected after -R\n");
3353 exit(EXIT_FAILURE);
059ec3d9 3354 }
059ec3d9
PH
3355 break;
3356
3357
3358 /* -r: an obsolete synonym for -f (see above) */
3359
3360
3361 /* -S: Like -R but works on sender. */
3362
3363 case 'S': /* Synonymous with -qS... */
3364 receiving_message = FALSE;
3365
3366 /* -Sf: As -S (below) but force all deliveries,
3367 -Sff: Ditto, but also thaw all frozen messages,
3368 -Sr: String is regex
3369 -Srf: Regex and force
3370 -Srff: Regex and force and thaw
3371
3372 in all cases provided there are no further characters in this
3373 argument. */
3374
55e70e76 3375 if (*argrest)
059ec3d9
PH
3376 {
3377 int i;
55e70e76 3378 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3379 if (Ustrcmp(argrest, rsopts[i]) == 0)
3380 {
3381 if (i != 2) queue_run_force = TRUE;
3382 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3383 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3384 argrest += Ustrlen(rsopts[i]);
3385 }
059ec3d9
PH
3386 }
3387
3388 /* -S: Set string to match in addresses for forced queue run to
3389 pick out particular messages. */
3390
55e70e76
JH
3391 if (*argrest)
3392 deliver_selectstring_sender = argrest;
3393 else if (i+1 < argc)
3394 deliver_selectstring_sender = argv[++i];
3395 else
059ec3d9 3396 {
55e70e76
JH
3397 fprintf(stderr, "exim: string expected after -S\n");
3398 exit(EXIT_FAILURE);
059ec3d9 3399 }
059ec3d9
PH
3400 break;
3401
3402 /* -Tqt is an option that is exclusively for use by the testing suite.
3403 It is not recognized in other circumstances. It allows for the setting up
3404 of explicit "queue times" so that various warning/retry things can be
3405 tested. Otherwise variability of clock ticks etc. cause problems. */
3406
3407 case 'T':
3408 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3409 fudged_queue_times = argv[++i];
3410 else badarg = TRUE;
3411 break;
3412
3413
3414 /* -t: Set flag to extract recipients from body of message. */
3415
3416 case 't':
3417 if (*argrest == 0) extract_recipients = TRUE;
3418
3419 /* -ti: Set flag to extract recipients from body of message, and also
3420 specify that dot does not end the message. */
3421
3422 else if (Ustrcmp(argrest, "i") == 0)
3423 {
3424 extract_recipients = TRUE;
3425 dot_ends = FALSE;
3426 }
3427
3428 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3429
3430 #ifdef SUPPORT_TLS
817d9f57 3431 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
059ec3d9
PH
3432 #endif
3433
3434 else badarg = TRUE;
3435 break;
3436
3437
3438 /* -U: This means "initial user submission" in sendmail, apparently. The
3439 doc claims that in future sendmail may refuse syntactically invalid
3440 messages instead of fixing them. For the moment, we just ignore it. */
3441
3442 case 'U':
3443 break;
3444
3445
3446 /* -v: verify things - this is a very low-level debugging */
3447
3448 case 'v':
3449 if (*argrest == 0)
3450 {
3451 debug_selector |= D_v;
3452 debug_file = stderr;
3453 }
3454 else badarg = TRUE;
3455 break;
3456
3457
3458 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3459
3460 The -x flag tells the sendmail command that mail from a local
3461 mail program has National Language Support (NLS) extended characters
3462 in the body of the mail item. The sendmail command can send mail with
3463 extended NLS characters across networks that normally corrupts these
3464 8-bit characters.
3465
3466 As Exim is 8-bit clean, it just ignores this flag. */
3467
3468 case 'x':
3469 if (*argrest != 0) badarg = TRUE;
3470 break;
3471
a3fb9793
PP
3472 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3473 logs to that file. We swallow the parameter and otherwise ignore it. */
3474
3475 case 'X':
3476 if (*argrest == '\0')
a3fb9793
PP
3477 if (++i >= argc)
3478 {
3479 fprintf(stderr, "exim: string expected after -X\n");
3480 exit(EXIT_FAILURE);
3481 }
0ad2e0fc
JH
3482 break;
3483
3484 case 'z':
3485 if (*argrest == '\0')
3486 if (++i < argc) log_oneline = argv[i]; else
3487 {
3488 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
3489 exit(EXIT_FAILURE);
3490 }
a3fb9793
PP
3491 break;
3492
059ec3d9
PH
3493 /* All other initial characters are errors */
3494
3495 default:
3496 badarg = TRUE;
3497 break;
3498 } /* End of high-level switch statement */
3499
3500 /* Failed to recognize the option, or syntax error */
3501
3502 if (badarg)
3503 {
3504 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3505 "option %s\n", arg);
3506 exit(EXIT_FAILURE);
3507 }
3508 }
3509
3510
3cc66b45
PH
3511/* If -R or -S have been specified without -q, assume a single queue run. */
3512
55e70e76
JH
3513if ( (deliver_selectstring || deliver_selectstring_sender)
3514 && queue_interval < 0)
3515 queue_interval = 0;
3cc66b45
PH
3516
3517
059ec3d9 3518END_ARG:
81ea09ca
NM
3519/* If usage_wanted is set we call the usage function - which never returns */
3520if (usage_wanted) exim_usage(called_as);
3521
3522/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
3523if ((
3524 (smtp_input || extract_recipients || recipients_arg < argc) &&
3525 (daemon_listen || queue_interval >= 0 || bi_option ||
3526 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 3527 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
3528 ) ||
3529 (
3530 msg_action_arg > 0 &&
44915474 3531 (daemon_listen || queue_interval > 0 || list_options ||
0ef732d9
PH
3532 (checking && msg_action != MSG_LOAD) ||
3533 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
3534 ) ||
3535 (
55e70e76 3536 (daemon_listen || queue_interval > 0) &&
059ec3d9 3537 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 3538 bi_option)
059ec3d9
PH
3539 ) ||
3540 (
3541 daemon_listen && queue_interval == 0
3542 ) ||
3543 (
9ee44efb
PP
3544 inetd_wait_mode && queue_interval >= 0
3545 ) ||
3546 (
059ec3d9
PH
3547 list_options &&
3548 (checking || smtp_input || extract_recipients ||
f05da2e8 3549 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3550 ) ||
3551 (
3552 verify_address_mode &&
3553 (address_test_mode || smtp_input || extract_recipients ||
f05da2e8 3554 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3555 ) ||
3556 (
3557 address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 3558 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3559 ) ||
3560 (
f05da2e8 3561 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
3562 extract_recipients)
3563 ) ||
3564 (
3565 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
3566 ) ||
3567 (
3568 msg_action == MSG_LOAD &&
3569 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3570 )
3571 )
3572 {
3573 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3574 exit(EXIT_FAILURE);
3575 }
3576
3577/* If debugging is set up, set the file and the file descriptor to pass on to
3578child processes. It should, of course, be 2 for stderr. Also, force the daemon
3579to run in the foreground. */
3580
3581if (debug_selector != 0)
3582 {
3583 debug_file = stderr;
3584 debug_fd = fileno(debug_file);
3585 background_daemon = FALSE;
3586 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3587 if (debug_selector != D_v) /* -v only doesn't show this */
3588 {
3589 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3590 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3591 debug_selector);
6545de78
PP
3592 if (!version_printed)
3593 show_whats_supported(stderr);
059ec3d9
PH
3594 }
3595 }
3596
3597/* When started with root privilege, ensure that the limits on the number of
3598open files and the number of processes (where that is accessible) are
3599sufficiently large, or are unset, in case Exim has been called from an
3600environment where the limits are screwed down. Not all OS have the ability to
3601change some of these limits. */
3602
3603if (unprivileged)
3604 {
3605 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3606 }
3607else
3608 {
3609 struct rlimit rlp;
3610
3611 #ifdef RLIMIT_NOFILE
3612 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3613 {
3614 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3615 strerror(errno));
3616 rlp.rlim_cur = rlp.rlim_max = 0;
3617 }
eb2c0248
PH
3618
3619 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3620 be exceeded. It turns out that some older OS have a fixed upper limit of
3621 256. */
eb2c0248 3622
059ec3d9
PH
3623 if (rlp.rlim_cur < 1000)
3624 {
3625 rlp.rlim_cur = rlp.rlim_max = 1000;
3626 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3627 {
a494b1e1
PH
3628 rlp.rlim_cur = rlp.rlim_max = 256;
3629 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3630 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3631 strerror(errno));
eb2c0248 3632 }
059ec3d9
PH
3633 }
3634 #endif
3635
3636 #ifdef RLIMIT_NPROC
3637 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3638 {
3639 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3640 strerror(errno));
3641 rlp.rlim_cur = rlp.rlim_max = 0;
3642 }
3643
3644 #ifdef RLIM_INFINITY
3645 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3646 {
3647 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3648 #else
3649 if (rlp.rlim_cur < 1000)
3650 {
3651 rlp.rlim_cur = rlp.rlim_max = 1000;
3652 #endif
3653 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3654 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3655 strerror(errno));
3656 }
3657 #endif
3658 }
3659
3660/* Exim is normally entered as root (but some special configurations are
3661possible that don't do this). However, it always spins off sub-processes that
3662set their uid and gid as required for local delivery. We don't want to pass on
3663any extra groups that root may belong to, so we want to get rid of them all at
3664this point.
3665
3666We need to obey setgroups() at this stage, before possibly giving up root
3667privilege for a changed configuration file, but later on we might need to
3668check on the additional groups for the admin user privilege - can't do that
3669till after reading the config, which might specify the exim gid. Therefore,
3670save the group list here first. */
3671
3672group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18
PP
3673if (group_count < 0)
3674 {
3675 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3676 exit(EXIT_FAILURE);
3677 }
059ec3d9
PH
3678
3679/* There is a fundamental difference in some BSD systems in the matter of
3680groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3681known not to be different. On the "different" systems there is a single group
3682list, and the first entry in it is the current group. On all other versions of
3683Unix there is a supplementary group list, which is in *addition* to the current
3684group. Consequently, to get rid of all extraneous groups on a "standard" system
3685you pass over 0 groups to setgroups(), while on a "different" system you pass
3686over a single group - the current group, which is always the first group in the
3687list. Calling setgroups() with zero groups on a "different" system results in
3688an error return. The following code should cope with both types of system.
3689
3690However, if this process isn't running as root, setgroups() can't be used
3691since you have to be root to run it, even if throwing away groups. Not being
3692root here happens only in some unusual configurations. We just ignore the
3693error. */
3694
3695if (setgroups(0, NULL) != 0)
3696 {
3697 if (setgroups(1, group_list) != 0 && !unprivileged)
3698 {
3699 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3700 exit(EXIT_FAILURE);
3701 }
3702 }
3703
3704/* If the configuration file name has been altered by an argument on the
3705command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3706not root, or if this is a filter testing run, remove any setuid privilege the
3707program has and run as the underlying user.
059ec3d9 3708
cd25e41d
DW
3709The exim user is locked out of this, which severely restricts the use of -C
3710for some purposes.
059ec3d9
PH
3711
3712Otherwise, set the real ids to the effective values (should be root unless run
3713from inetd, which it can either be root or the exim uid, if one is configured).
3714
3715There is a private mechanism for bypassing some of this, in order to make it
3716possible to test lots of configurations automatically, without having either to
3717recompile each time, or to patch in an actual configuration file name and other
3718values (such as the path name). If running in the test harness, pretend that
3719configuration file changes and macro definitions haven't happened. */
3720
3721if (( /* EITHER */
a7cbbf50 3722 (!trusted_config || /* Config changed, or */
a4034eb8 3723 !macros_trusted(opt_D_used)) && /* impermissible macros and */
059ec3d9 3724 real_uid != root_uid && /* Not root, and */
059ec3d9
PH
3725 !running_in_test_harness /* Not fudged */
3726 ) || /* OR */
3727 expansion_test /* expansion testing */
3728 || /* OR */
f05da2e8 3729 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3730 {
3731 setgroups(group_count, group_list);
3732 exim_setugid(real_uid, real_gid, FALSE,
3733 US"-C, -D, -be or -bf forces real uid");
3734 removed_privilege = TRUE;
3735
3736 /* In the normal case when Exim is called like this, stderr is available
3737 and should be used for any logging information because attempts to write
3738 to the log will usually fail. To arrange this, we unset really_exim. However,
3739 if no stderr is available there is no point - we might as well have a go
b7487bce 3740 at the log (if it fails, syslog will be written).
059ec3d9 3741
b7487bce
PP
3742 Note that if the invoker is Exim, the logs remain available. Messing with
3743 this causes unlogged successful deliveries. */
3744
3745 if ((log_stderr != NULL) && (real_uid != exim_uid))
3746 really_exim = FALSE;
059ec3d9
PH
3747 }
3748
3749/* Privilege is to be retained for the moment. It may be dropped later,
3750depending on the job that this Exim process has been asked to do. For now, set
3751the real uid to the effective so that subsequent re-execs of Exim are done by a
3752privileged user. */
3753
3754else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3755
f05da2e8 3756/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3757setups and reading the message. */
3758
f05da2e8
PH
3759if ((filter_test & FTEST_SYSTEM) != 0)
3760 {
3761 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3762 if (filter_sfd < 0)
3763 {
3764 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3765 strerror(errno));
3766 return EXIT_FAILURE;
3767 }
3768 }
3769
3770if ((filter_test & FTEST_USER) != 0)
059ec3d9 3771 {
f05da2e8
PH
3772 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3773 if (filter_ufd < 0)
059ec3d9 3774 {
f05da2e8 3775 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9
PH
3776 strerror(errno));
3777 return EXIT_FAILURE;
3778 }
3779 }
3780
8829633f
PP
3781/* Initialise lookup_list
3782If debugging, already called above via version reporting.
3783In either case, we initialise the list of available lookups while running
3784as root. All dynamically modules are loaded from a directory which is
3785hard-coded into the binary and is code which, if not a module, would be
3786part of Exim already. Ability to modify the content of the directory
3787is equivalent to the ability to modify a setuid binary!
3788
3789This needs to happen before we read the main configuration. */
3790init_lookup_list();
3791
8c5d388a 3792#ifdef SUPPORT_I18N
9d4319df
JH
3793if (running_in_test_harness) smtputf8_advertise_hosts = NULL;
3794#endif
3795
059ec3d9
PH
3796/* Read the main runtime configuration data; this gives up if there
3797is a failure. It leaves the configuration file open so that the subsequent
3de973a2 3798configuration data for delivery can be read if needed.
059ec3d9 3799
3de973a2
HSHR
3800NOTE: immediatly after opening the configuration file we change the working
3801directory to "/"! Later we change to $spool_directory. We do it there, because
3802during readconf_main() some expansion takes place already. */
bc3c7bb7 3803
cd328be9
JH
3804/* Store the initial cwd before we change directories. Can be NULL if the
3805dir has already been unlinked. */
3806initial_cwd = os_getcwd(NULL, 0);
3615fa9a 3807
34e86e20
HSHR
3808/* checking:
3809 -be[m] expansion test -
3810 -b[fF] filter test new
3811 -bh[c] host test -
3812 -bmalware malware_test_file new
3813 -brt retry test new
3814 -brw rewrite test new
3815 -bt address test -
3816 -bv[s] address verify -
3817 list_options:
3818 -bP <option> (except -bP config, which sets list_config)
3819
3820If any of these options is set, we suppress warnings about configuration
3821issues (currently about tls_advertise_hosts and keep_environment not being
3822defined) */
3823
3824readconf_main(checking || list_options);
059ec3d9 3825
32b8ce41 3826
3de973a2
HSHR
3827/* Now in directory "/" */
3828
bc3c7bb7
HSHR
3829if (cleanup_environment() == FALSE)
3830 log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
3831
3832
a3fb9793
PP
3833/* If an action on specific messages is requested, or if a daemon or queue
3834runner is being started, we need to know if Exim was called by an admin user.
3835This is the case if the real user is root or exim, or if the real group is
3836exim, or if one of the supplementary groups is exim or a group listed in
3837admin_groups. We don't fail all message actions immediately if not admin_user,
3838since some actions can be performed by non-admin users. Instead, set admin_user
3839for later interrogation. */
3840
3841if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3842 admin_user = TRUE;
3843else
3844 {
3845 int i, j;
32b8ce41
JH
3846 for (i = 0; i < group_count && !admin_user; i++)
3847 if (group_list[i] == exim_gid)
3848 admin_user = TRUE;
3849 else if (admin_groups)
3850 for (j = 1; j <= (int)admin_groups[0] && !admin_user; j++)
a3fb9793 3851 if (admin_groups[j] == group_list[i])
32b8ce41 3852 admin_user = TRUE;
a3fb9793
PP
3853 }
3854
3855/* Another group of privileged users are the trusted users. These are root,
3856exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3857are permitted to specify sender_addresses with -f on the command line, and
3858other message parameters as well. */
3859
3860if (real_uid == root_uid || real_uid == exim_uid)
3861 trusted_caller = TRUE;
3862else
3863 {
3864 int i, j;
3865
32b8ce41
JH
3866 if (trusted_users)
3867 for (i = 1; i <= (int)trusted_users[0] && !trusted_caller; i++)
a3fb9793 3868 if (trusted_users[i] == real_uid)
32b8ce41