Harmonised TLS library version reporting.
[exim.git] / src / src / exim.c
CommitLineData
73a46702 1/* $Cambridge: exim/src/src/exim.c,v 1.71 2010/06/07 00:12:42 pdp Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
0a49a7a4 7/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10
11/* The main function: entry point, initialization, and high-level control.
12Also a few functions that don't naturally fit elsewhere. */
13
14
15#include "exim.h"
16
6545de78
PP
17extern void init_lookup_list(void);
18
059ec3d9
PH
19
20
21/*************************************************
22* Function interface to store functions *
23*************************************************/
24
25/* We need some real functions to pass to the PCRE regular expression library
26for store allocation via Exim's store manager. The normal calls are actually
27macros that pass over location information to make tracing easier. These
28functions just interface to the standard macro calls. A good compiler will
29optimize out the tail recursion and so not make them too expensive. There
30are two sets of functions; one for use when we want to retain the compiled
31regular expression for a long time; the other for short-term use. */
32
33static void *
34function_store_get(size_t size)
35{
36return store_get((int)size);
37}
38
39static void
40function_dummy_free(void *block) { block = block; }
41
42static void *
43function_store_malloc(size_t size)
44{
45return store_malloc((int)size);
46}
47
48static void
49function_store_free(void *block)
50{
51store_free(block);
52}
53
54
55
56
57/*************************************************
58* Compile regular expression and panic on fail *
59*************************************************/
60
61/* This function is called when failure to compile a regular expression leads
62to a panic exit. In other cases, pcre_compile() is called directly. In many
63cases where this function is used, the results of the compilation are to be
64placed in long-lived store, so we temporarily reset the store management
65functions that PCRE uses if the use_malloc flag is set.
66
67Argument:
68 pattern the pattern to compile
69 caseless TRUE if caseless matching is required
70 use_malloc TRUE if compile into malloc store
71
72Returns: pointer to the compiled pattern
73*/
74
75const pcre *
76regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
77{
78int offset;
79int options = PCRE_COPT;
80const pcre *yield;
81const uschar *error;
82if (use_malloc)
83 {
84 pcre_malloc = function_store_malloc;
85 pcre_free = function_store_free;
86 }
87if (caseless) options |= PCRE_CASELESS;
88yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
89pcre_malloc = function_store_get;
90pcre_free = function_dummy_free;
91if (yield == NULL)
92 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
93 "%s at offset %d while compiling %s", error, offset, pattern);
94return yield;
95}
96
97
98
99
100/*************************************************
101* Execute regular expression and set strings *
102*************************************************/
103
104/* This function runs a regular expression match, and sets up the pointers to
105the matched substrings.
106
107Arguments:
108 re the compiled expression
109 subject the subject string
110 options additional PCRE options
111 setup if < 0 do full setup
112 if >= 0 setup from setup+1 onwards,
113 excluding the full matched string
114
115Returns: TRUE or FALSE
116*/
117
118BOOL
119regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
120{
121int ovector[3*(EXPAND_MAXN+1)];
122int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
123 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
124BOOL yield = n >= 0;
125if (n == 0) n = EXPAND_MAXN + 1;
126if (yield)
127 {
128 int nn;
129 expand_nmax = (setup < 0)? 0 : setup + 1;
130 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
131 {
132 expand_nstring[expand_nmax] = subject + ovector[nn];
133 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
134 }
135 expand_nmax--;
136 }
137return yield;
138}
139
140
141
142
143/*************************************************
144* Handler for SIGUSR1 *
145*************************************************/
146
147/* SIGUSR1 causes any exim process to write to the process log details of
148what it is currently doing. It will only be used if the OS is capable of
149setting up a handler that causes automatic restarting of any system call
150that is in progress at the time.
151
152Argument: the signal number (SIGUSR1)
153Returns: nothing
154*/
155
156static void
157usr1_handler(int sig)
158{
159sig = sig; /* Keep picky compilers happy */
160log_write(0, LOG_PROCESS, "%s", process_info);
161log_close_all();
162os_restarting_signal(SIGUSR1, usr1_handler);
163}
164
165
166
167/*************************************************
168* Timeout handler *
169*************************************************/
170
171/* This handler is enabled most of the time that Exim is running. The handler
172doesn't actually get used unless alarm() has been called to set a timer, to
173place a time limit on a system call of some kind. When the handler is run, it
174re-enables itself.
175
176There are some other SIGALRM handlers that are used in special cases when more
177than just a flag setting is required; for example, when reading a message's
178input. These are normally set up in the code module that uses them, and the
179SIGALRM handler is reset to this one afterwards.
180
181Argument: the signal value (SIGALRM)
182Returns: nothing
183*/
184
185void
186sigalrm_handler(int sig)
187{
188sig = sig; /* Keep picky compilers happy */
189sigalrm_seen = TRUE;
190os_non_restarting_signal(SIGALRM, sigalrm_handler);
191}
192
193
194
195/*************************************************
196* Sleep for a fractional time interval *
197*************************************************/
198
199/* This function is called by millisleep() and exim_wait_tick() to wait for a
200period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
201tedious. We do not expect setitimer() ever to fail, but if it does, the process
202will wait for ever, so we panic in this instance. (There was a case of this
203when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 204That's when I added the check. :-)
059ec3d9
PH
205
206Argument: an itimerval structure containing the interval
207Returns: nothing
208*/
209
210static void
211milliwait(struct itimerval *itval)
212{
213sigset_t sigmask;
214sigset_t old_sigmask;
215(void)sigemptyset(&sigmask); /* Empty mask */
216(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
217(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 218if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
219 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
220 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
221(void)sigfillset(&sigmask); /* All signals */
222(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
223(void)sigsuspend(&sigmask); /* Until SIGALRM */
224(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
225}
226
227
228
229
230/*************************************************
231* Millisecond sleep function *
232*************************************************/
233
234/* The basic sleep() function has a granularity of 1 second, which is too rough
235in some cases - for example, when using an increasing delay to slow down
236spammers.
237
238Argument: number of millseconds
239Returns: nothing
240*/
241
242void
243millisleep(int msec)
244{
245struct itimerval itval;
246itval.it_interval.tv_sec = 0;
247itval.it_interval.tv_usec = 0;
248itval.it_value.tv_sec = msec/1000;
249itval.it_value.tv_usec = (msec % 1000) * 1000;
250milliwait(&itval);
251}
252
253
254
255/*************************************************
256* Compare microsecond times *
257*************************************************/
258
259/*
260Arguments:
261 tv1 the first time
262 tv2 the second time
263
264Returns: -1, 0, or +1
265*/
266
267int
268exim_tvcmp(struct timeval *t1, struct timeval *t2)
269{
270if (t1->tv_sec > t2->tv_sec) return +1;
271if (t1->tv_sec < t2->tv_sec) return -1;
272if (t1->tv_usec > t2->tv_usec) return +1;
273if (t1->tv_usec < t2->tv_usec) return -1;
274return 0;
275}
276
277
278
279
280/*************************************************
281* Clock tick wait function *
282*************************************************/
283
284/* Exim uses a time + a pid to generate a unique identifier in two places: its
285message IDs, and in file names for maildir deliveries. Because some OS now
286re-use pids within the same second, sub-second times are now being used.
287However, for absolute certaintly, we must ensure the clock has ticked before
288allowing the relevant process to complete. At the time of implementation of
289this code (February 2003), the speed of processors is such that the clock will
290invariably have ticked already by the time a process has done its job. This
291function prepares for the time when things are faster - and it also copes with
292clocks that go backwards.
293
294Arguments:
295 then_tv A timeval which was used to create uniqueness; its usec field
296 has been rounded down to the value of the resolution.
297 We want to be sure the current time is greater than this.
298 resolution The resolution that was used to divide the microseconds
299 (1 for maildir, larger for message ids)
300
301Returns: nothing
302*/
303
304void
305exim_wait_tick(struct timeval *then_tv, int resolution)
306{
307struct timeval now_tv;
308long int now_true_usec;
309
310(void)gettimeofday(&now_tv, NULL);
311now_true_usec = now_tv.tv_usec;
312now_tv.tv_usec = (now_true_usec/resolution) * resolution;
313
314if (exim_tvcmp(&now_tv, then_tv) <= 0)
315 {
316 struct itimerval itval;
317 itval.it_interval.tv_sec = 0;
318 itval.it_interval.tv_usec = 0;
319 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
320 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
321
322 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
323 negative value for the microseconds is possible only in the case when "now"
324 is more than a second less than "then". That means that itval.it_value.tv_sec
325 is greater than zero. The following correction is therefore safe. */
326
327 if (itval.it_value.tv_usec < 0)
328 {
329 itval.it_value.tv_usec += 1000000;
330 itval.it_value.tv_sec -= 1;
331 }
332
333 DEBUG(D_transport|D_receive)
334 {
335 if (!running_in_test_harness)
336 {
337 debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
338 then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
339 debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
340 itval.it_value.tv_usec);
341 }
342 }
343
344 milliwait(&itval);
345 }
346}
347
348
349
350
351/*************************************************
352* Set up processing details *
353*************************************************/
354
355/* Save a text string for dumping when SIGUSR1 is received.
356Do checks for overruns.
357
358Arguments: format and arguments, as for printf()
359Returns: nothing
360*/
361
362void
1ba28e2b 363set_process_info(const char *format, ...)
059ec3d9
PH
364{
365int len;
366va_list ap;
367sprintf(CS process_info, "%5d ", (int)getpid());
368len = Ustrlen(process_info);
369va_start(ap, format);
370if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap))
371 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
372DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info);
373va_end(ap);
374}
375
376
377
378
379
380/*************************************************
2632889e
PH
381* Call fopen() with umask 777 and adjust mode *
382*************************************************/
383
384/* Exim runs with umask(0) so that files created with open() have the mode that
385is specified in the open() call. However, there are some files, typically in
386the spool directory, that are created with fopen(). They end up world-writeable
387if no precautions are taken. Although the spool directory is not accessible to
388the world, this is an untidiness. So this is a wrapper function for fopen()
389that sorts out the mode of the created file.
390
391Arguments:
392 filename the file name
393 options the fopen() options
394 mode the required mode
395
396Returns: the fopened FILE or NULL
397*/
398
399FILE *
1ba28e2b 400modefopen(const uschar *filename, const char *options, mode_t mode)
2632889e 401{
67d175de
PH
402mode_t saved_umask = umask(0777);
403FILE *f = Ufopen(filename, options);
404(void)umask(saved_umask);
2632889e
PH
405if (f != NULL) (void)fchmod(fileno(f), mode);
406return f;
407}
408
409
410
411
412/*************************************************
059ec3d9
PH
413* Ensure stdin, stdout, and stderr exist *
414*************************************************/
415
416/* Some operating systems grumble if an exec() happens without a standard
417input, output, and error (fds 0, 1, 2) being defined. The worry is that some
418file will be opened and will use these fd values, and then some other bit of
419code will assume, for example, that it can write error messages to stderr.
420This function ensures that fds 0, 1, and 2 are open if they do not already
421exist, by connecting them to /dev/null.
422
423This function is also used to ensure that std{in,out,err} exist at all times,
424so that if any library that Exim calls tries to use them, it doesn't crash.
425
426Arguments: None
427Returns: Nothing
428*/
429
430void
431exim_nullstd(void)
432{
433int i;
434int devnull = -1;
435struct stat statbuf;
436for (i = 0; i <= 2; i++)
437 {
438 if (fstat(i, &statbuf) < 0 && errno == EBADF)
439 {
440 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
441 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
442 string_open_failed(errno, "/dev/null"));
1fe64dcc 443 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
444 }
445 }
1fe64dcc 446if (devnull > 2) (void)close(devnull);
059ec3d9
PH
447}
448
449
450
451
452/*************************************************
453* Close unwanted file descriptors for delivery *
454*************************************************/
455
456/* This function is called from a new process that has been forked to deliver
457an incoming message, either directly, or using exec.
458
459We want any smtp input streams to be closed in this new process. However, it
460has been observed that using fclose() here causes trouble. When reading in -bS
461input, duplicate copies of messages have been seen. The files will be sharing a
462file pointer with the parent process, and it seems that fclose() (at least on
463some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
464least sometimes. Hence we go for closing the underlying file descriptors.
465
466If TLS is active, we want to shut down the TLS library, but without molesting
467the parent's SSL connection.
468
469For delivery of a non-SMTP message, we want to close stdin and stdout (and
470stderr unless debugging) because the calling process might have set them up as
471pipes and be waiting for them to close before it waits for the submission
472process to terminate. If they aren't closed, they hold up the calling process
473until the initial delivery process finishes, which is not what we want.
474
475Exception: We do want it for synchronous delivery!
476
477And notwithstanding all the above, if D_resolver is set, implying resolver
478debugging, leave stdout open, because that's where the resolver writes its
479debugging output.
480
481When we close stderr (which implies we've also closed stdout), we also get rid
482of any controlling terminal.
483
484Arguments: None
485Returns: Nothing
486*/
487
488static void
489close_unwanted(void)
490{
491if (smtp_input)
492 {
493 #ifdef SUPPORT_TLS
494 tls_close(FALSE); /* Shut down the TLS library */
495 #endif
1fe64dcc
PH
496 (void)close(fileno(smtp_in));
497 (void)close(fileno(smtp_out));
059ec3d9
PH
498 smtp_in = NULL;
499 }
500else
501 {
1fe64dcc
PH
502 (void)close(0); /* stdin */
503 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
504 if (debug_selector == 0) /* stderr */
059ec3d9
PH
505 {
506 if (!synchronous_delivery)
507 {
1fe64dcc 508 (void)close(2);
059ec3d9
PH
509 log_stderr = NULL;
510 }
511 (void)setsid();
512 }
513 }
514}
515
516
517
518
519/*************************************************
520* Set uid and gid *
521*************************************************/
522
523/* This function sets a new uid and gid permanently, optionally calling
524initgroups() to set auxiliary groups. There are some special cases when running
525Exim in unprivileged modes. In these situations the effective uid will not be
526root; if we already have the right effective uid/gid, and don't need to
527initialize any groups, leave things as they are.
528
529Arguments:
530 uid the uid
531 gid the gid
532 igflag TRUE if initgroups() wanted
533 msg text to use in debugging output and failure log
534
535Returns: nothing; bombs out on failure
536*/
537
538void
539exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
540{
541uid_t euid = geteuid();
542gid_t egid = getegid();
543
544if (euid == root_uid || euid != uid || egid != gid || igflag)
545 {
546 /* At least one OS returns +1 for initgroups failure, so just check for
547 non-zero. */
548
549 if (igflag)
550 {
551 struct passwd *pw = getpwuid(uid);
552 if (pw != NULL)
553 {
554 if (initgroups(pw->pw_name, gid) != 0)
555 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
556 (long int)uid, strerror(errno));
557 }
558 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
559 "no passwd entry for uid=%ld", (long int)uid);
560 }
561
562 if (setgid(gid) < 0 || setuid(uid) < 0)
563 {
564 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
565 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
566 }
567 }
568
569/* Debugging output included uid/gid and all groups */
570
571DEBUG(D_uid)
572 {
cd59ab18 573 int group_count, save_errno;
059ec3d9
PH
574 gid_t group_list[NGROUPS_MAX];
575 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
576 (long int)geteuid(), (long int)getegid(), (long int)getpid());
577 group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18 578 save_errno = errno;
059ec3d9
PH
579 debug_printf(" auxiliary group list:");
580 if (group_count > 0)
581 {
582 int i;
583 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
584 }
cd59ab18
PP
585 else if (group_count < 0)
586 debug_printf(" <error: %s>", strerror(save_errno));
059ec3d9
PH
587 else debug_printf(" <none>");
588 debug_printf("\n");
589 }
590}
591
592
593
594
595/*************************************************
596* Exit point *
597*************************************************/
598
599/* Exim exits via this function so that it always clears up any open
600databases.
601
602Arguments:
603 rc return code
604
605Returns: does not return
606*/
607
608void
609exim_exit(int rc)
610{
611search_tidyup();
612DEBUG(D_any)
613 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
614 ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
615exit(rc);
616}
617
618
619
620
621/*************************************************
622* Extract port from host address *
623*************************************************/
624
625/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
626It also checks the syntax of the address, and terminates it before the
627port data when a port is extracted.
059ec3d9
PH
628
629Argument:
630 address the address, with possible port on the end
631
632Returns: the port, or zero if there isn't one
633 bombs out on a syntax error
634*/
635
636static int
637check_port(uschar *address)
638{
7cd1141b 639int port = host_address_extract_port(address);
8e669ac1 640if (string_is_ip_address(address, NULL) == 0)
059ec3d9
PH
641 {
642 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
643 exit(EXIT_FAILURE);
644 }
645return port;
646}
647
648
649
650/*************************************************
651* Test/verify an address *
652*************************************************/
653
654/* This function is called by the -bv and -bt code. It extracts a working
655address from a full RFC 822 address. This isn't really necessary per se, but it
656has the effect of collapsing source routes.
657
658Arguments:
659 s the address string
660 flags flag bits for verify_address()
661 exit_value to be set for failures
662
a5a28604 663Returns: nothing
059ec3d9
PH
664*/
665
666static void
667test_address(uschar *s, int flags, int *exit_value)
668{
669int start, end, domain;
670uschar *parse_error = NULL;
671uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
672 FALSE);
673if (address == NULL)
674 {
675 fprintf(stdout, "syntax error: %s\n", parse_error);
676 *exit_value = 2;
677 }
678else
679 {
680 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 681 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
682 if (rc == FAIL) *exit_value = 2;
683 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
684 }
685}
686
687
688
689/*************************************************
059ec3d9
PH
690* Show supported features *
691*************************************************/
692
4b2241d2
PP
693/* This function is called for -bV/--version and for -d to output the optional
694features of the current Exim binary.
059ec3d9
PH
695
696Arguments: a FILE for printing
697Returns: nothing
698*/
699
700static void
701show_whats_supported(FILE *f)
702{
703#ifdef DB_VERSION_STRING
704fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
705#elif defined(BTREEVERSION) && defined(HASHVERSION)
706 #ifdef USE_DB
707 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
708 #else
709 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
710 #endif
711#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
712fprintf(f, "Probably ndbm\n");
713#elif defined(USE_TDB)
714fprintf(f, "Using tdb\n");
715#else
716 #ifdef USE_GDBM
717 fprintf(f, "Probably GDBM (native mode)\n");
718 #else
719 fprintf(f, "Probably GDBM (compatibility mode)\n");
720 #endif
721#endif
722
723fprintf(f, "Support for:");
9cec981f
PH
724#ifdef SUPPORT_CRYPTEQ
725 fprintf(f, " crypteq");
726#endif
059ec3d9
PH
727#if HAVE_ICONV
728 fprintf(f, " iconv()");
729#endif
730#if HAVE_IPV6
731 fprintf(f, " IPv6");
732#endif
79378e0f
PH
733#ifdef HAVE_SETCLASSRESOURCES
734 fprintf(f, " use_setclassresources");
929ba01c 735#endif
059ec3d9
PH
736#ifdef SUPPORT_PAM
737 fprintf(f, " PAM");
738#endif
739#ifdef EXIM_PERL
740 fprintf(f, " Perl");
741#endif
1a46a8c5
PH
742#ifdef EXPAND_DLFUNC
743 fprintf(f, " Expand_dlfunc");
744#endif
059ec3d9
PH
745#ifdef USE_TCP_WRAPPERS
746 fprintf(f, " TCPwrappers");
747#endif
748#ifdef SUPPORT_TLS
749 #ifdef USE_GNUTLS
750 fprintf(f, " GnuTLS");
751 #else
752 fprintf(f, " OpenSSL");
753 #endif
754#endif
b2f5a032
PH
755#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
756 fprintf(f, " translate_ip_address");
757#endif
f174f16e
PH
758#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
759 fprintf(f, " move_frozen_messages");
760#endif
8523533c
TK
761#ifdef WITH_CONTENT_SCAN
762 fprintf(f, " Content_Scanning");
763#endif
80a47a2c
TK
764#ifndef DISABLE_DKIM
765 fprintf(f, " DKIM");
766#endif
8523533c
TK
767#ifdef WITH_OLD_DEMIME
768 fprintf(f, " Old_Demime");
769#endif
770#ifdef EXPERIMENTAL_SPF
771 fprintf(f, " Experimental_SPF");
772#endif
773#ifdef EXPERIMENTAL_SRS
774 fprintf(f, " Experimental_SRS");
775#endif
776#ifdef EXPERIMENTAL_BRIGHTMAIL
777 fprintf(f, " Experimental_Brightmail");
778#endif
6a8f9482
TK
779#ifdef EXPERIMENTAL_DCC
780 fprintf(f, " Experimental_DCC");
781#endif
059ec3d9
PH
782fprintf(f, "\n");
783
e6d225ae
DW
784fprintf(f, "Lookups (built-in):");
785#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
059ec3d9
PH
786 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
787#endif
e6d225ae 788#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
059ec3d9
PH
789 fprintf(f, " cdb");
790#endif
e6d225ae 791#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
059ec3d9
PH
792 fprintf(f, " dbm dbmnz");
793#endif
e6d225ae 794#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
059ec3d9
PH
795 fprintf(f, " dnsdb");
796#endif
e6d225ae 797#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
059ec3d9
PH
798 fprintf(f, " dsearch");
799#endif
e6d225ae 800#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
059ec3d9
PH
801 fprintf(f, " ibase");
802#endif
e6d225ae 803#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
059ec3d9
PH
804 fprintf(f, " ldap ldapdn ldapm");
805#endif
e6d225ae 806#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
059ec3d9
PH
807 fprintf(f, " mysql");
808#endif
e6d225ae 809#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
059ec3d9
PH
810 fprintf(f, " nis nis0");
811#endif
e6d225ae 812#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
059ec3d9
PH
813 fprintf(f, " nisplus");
814#endif
e6d225ae 815#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
059ec3d9
PH
816 fprintf(f, " oracle");
817#endif
e6d225ae 818#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
059ec3d9
PH
819 fprintf(f, " passwd");
820#endif
e6d225ae 821#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
059ec3d9
PH
822 fprintf(f, " pgsql");
823#endif
e6d225ae 824#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
13b685f9
PH
825 fprintf(f, " sqlite");
826#endif
e6d225ae 827#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
059ec3d9
PH
828 fprintf(f, " testdb");
829#endif
e6d225ae 830#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
059ec3d9
PH
831 fprintf(f, " whoson");
832#endif
833fprintf(f, "\n");
834
835fprintf(f, "Authenticators:");
836#ifdef AUTH_CRAM_MD5
837 fprintf(f, " cram_md5");
838#endif
839#ifdef AUTH_CYRUS_SASL
840 fprintf(f, " cyrus_sasl");
841#endif
14aa5a05
PH
842#ifdef AUTH_DOVECOT
843 fprintf(f, " dovecot");
844#endif
059ec3d9
PH
845#ifdef AUTH_PLAINTEXT
846 fprintf(f, " plaintext");
847#endif
848#ifdef AUTH_SPA
849 fprintf(f, " spa");
850#endif
851fprintf(f, "\n");
852
853fprintf(f, "Routers:");
854#ifdef ROUTER_ACCEPT
855 fprintf(f, " accept");
856#endif
857#ifdef ROUTER_DNSLOOKUP
858 fprintf(f, " dnslookup");
859#endif
860#ifdef ROUTER_IPLITERAL
861 fprintf(f, " ipliteral");
862#endif
863#ifdef ROUTER_IPLOOKUP
864 fprintf(f, " iplookup");
865#endif
866#ifdef ROUTER_MANUALROUTE
867 fprintf(f, " manualroute");
868#endif
869#ifdef ROUTER_QUERYPROGRAM
870 fprintf(f, " queryprogram");
871#endif
872#ifdef ROUTER_REDIRECT
873 fprintf(f, " redirect");
874#endif
875fprintf(f, "\n");
876
877fprintf(f, "Transports:");
878#ifdef TRANSPORT_APPENDFILE
879 fprintf(f, " appendfile");
880 #ifdef SUPPORT_MAILDIR
881 fprintf(f, "/maildir");
882 #endif
883 #ifdef SUPPORT_MAILSTORE
884 fprintf(f, "/mailstore");
885 #endif
886 #ifdef SUPPORT_MBX
887 fprintf(f, "/mbx");
888 #endif
889#endif
890#ifdef TRANSPORT_AUTOREPLY
891 fprintf(f, " autoreply");
892#endif
893#ifdef TRANSPORT_LMTP
894 fprintf(f, " lmtp");
895#endif
896#ifdef TRANSPORT_PIPE
897 fprintf(f, " pipe");
898#endif
899#ifdef TRANSPORT_SMTP
900 fprintf(f, " smtp");
901#endif
902fprintf(f, "\n");
903
904if (fixed_never_users[0] > 0)
905 {
906 int i;
907 fprintf(f, "Fixed never_users: ");
908 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
909 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
910 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
911 }
21c28500 912
73a46702 913fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725 914
6545de78
PP
915/* Everything else is details which are only worth reporting when debugging.
916Perhaps the tls_version_report should move into this too. */
917DEBUG(D_any) do {
918
919 int i;
920
b3c261f7
PP
921/* clang defines __GNUC__ (at least, for me) so test for it first */
922#if defined(__clang__)
923 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
924#elif defined(__GNUC__)
925 fprintf(f, "Compiler: GCC [%s]\n",
926# ifdef __VERSION__
927 __VERSION__
928# else
929 "? unknown version ?"
930# endif
931 );
932#else
933 fprintf(f, "Compiler: <unknown>\n");
934#endif
935
754a0503
PP
936#ifdef SUPPORT_TLS
937 tls_version_report(f);
938#endif
939
6545de78
PP
940#ifdef AUTH_CYRUS_SASL
941 auth_cyrus_sasl_version_report(f);
942#endif
943
944 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
945 " Runtime: %s\n",
946 PCRE_MAJOR, PCRE_MINOR,
947 /* PRE_PRERELEASE is either defined and empty or a string.
aa097c4c
NM
948 * unless its an ancient version of PCRE in which case it
949 * is not defined */
950#ifdef PCRE_PRERELEASE
6545de78 951 PCRE_PRERELEASE "",
aa097c4c
NM
952#else
953 "",
954#endif
6545de78
PP
955 pcre_version());
956
957 init_lookup_list();
958 for (i = 0; i < lookup_list_count; i++)
959 {
960 if (lookup_list[i]->version_report)
961 lookup_list[i]->version_report(f);
962 }
963
b70d2586
PP
964#ifdef WHITELIST_D_MACROS
965 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
966#else
967 fprintf(f, "WHITELIST_D_MACROS unset\n");
968#endif
969#ifdef TRUSTED_CONFIG_LIST
970 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
971#else
972 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
973#endif
974
6545de78 975} while (0);
059ec3d9
PH
976}
977
978
979
980
981/*************************************************
982* Quote a local part *
983*************************************************/
984
985/* This function is used when a sender address or a From: or Sender: header
986line is being created from the caller's login, or from an authenticated_id. It
987applies appropriate quoting rules for a local part.
988
989Argument: the local part
990Returns: the local part, quoted if necessary
991*/
992
993uschar *
994local_part_quote(uschar *lpart)
995{
996BOOL needs_quote = FALSE;
997int size, ptr;
998uschar *yield;
999uschar *t;
1000
1001for (t = lpart; !needs_quote && *t != 0; t++)
1002 {
1003 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1004 (*t != '.' || t == lpart || t[1] == 0);
1005 }
1006
1007if (!needs_quote) return lpart;
1008
1009size = ptr = 0;
1010yield = string_cat(NULL, &size, &ptr, US"\"", 1);
1011
1012for (;;)
1013 {
1014 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1015 if (nq == NULL)
1016 {
1017 yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
1018 break;
1019 }
1020 yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
1021 yield = string_cat(yield, &size, &ptr, US"\\", 1);
1022 yield = string_cat(yield, &size, &ptr, nq, 1);
1023 lpart = nq + 1;
1024 }
1025
1026yield = string_cat(yield, &size, &ptr, US"\"", 1);
1027yield[ptr] = 0;
1028return yield;
1029}
1030
1031
1032
1033#ifdef USE_READLINE
1034/*************************************************
1035* Load readline() functions *
1036*************************************************/
1037
1038/* This function is called from testing executions that read data from stdin,
1039but only when running as the calling user. Currently, only -be does this. The
1040function loads the readline() function library and passes back the functions.
1041On some systems, it needs the curses library, so load that too, but try without
1042it if loading fails. All this functionality has to be requested at build time.
1043
1044Arguments:
1045 fn_readline_ptr pointer to where to put the readline pointer
1046 fn_addhist_ptr pointer to where to put the addhistory function
1047
1048Returns: the dlopen handle or NULL on failure
1049*/
1050
1051static void *
1ba28e2b
PP
1052set_readline(char * (**fn_readline_ptr)(const char *),
1053 void (**fn_addhist_ptr)(const char *))
059ec3d9
PH
1054{
1055void *dlhandle;
1056void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY);
1057
1058dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW);
1059if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1060
1061if (dlhandle != NULL)
1062 {
1ba28e2b
PP
1063 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1064 * char * readline (const char *prompt);
1065 * void add_history (const char *string);
1066 */
1067 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1068 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
059ec3d9
PH
1069 }
1070else
1071 {
1072 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1073 }
1074
1075return dlhandle;
1076}
1077#endif
1078
1079
1080
1081/*************************************************
1082* Get a line from stdin for testing things *
1083*************************************************/
1084
1085/* This function is called when running tests that can take a number of lines
1086of input (for example, -be and -bt). It handles continuations and trailing
1087spaces. And prompting and a blank line output on eof. If readline() is in use,
1088the arguments are non-NULL and provide the relevant functions.
1089
1090Arguments:
1091 fn_readline readline function or NULL
1092 fn_addhist addhist function or NULL
1093
1094Returns: pointer to dynamic memory, or NULL at end of file
1095*/
1096
1097static uschar *
1ba28e2b 1098get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
059ec3d9
PH
1099{
1100int i;
1101int size = 0;
1102int ptr = 0;
1103uschar *yield = NULL;
1104
328895cc 1105if (fn_readline == NULL) { printf("> "); fflush(stdout); }
059ec3d9
PH
1106
1107for (i = 0;; i++)
1108 {
1109 uschar buffer[1024];
1110 uschar *p, *ss;
1111
1112 #ifdef USE_READLINE
1113 char *readline_line = NULL;
1114 if (fn_readline != NULL)
1115 {
1116 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1117 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1118 p = US readline_line;
1119 }
1120 else
1121 #endif
1122
1123 /* readline() not in use */
1124
1125 {
1126 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1127 p = buffer;
1128 }
1129
1130 /* Handle the line */
1131
1132 ss = p + (int)Ustrlen(p);
1133 while (ss > p && isspace(ss[-1])) ss--;
1134
1135 if (i > 0)
1136 {
1137 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1138 }
1139
1140 yield = string_cat(yield, &size, &ptr, p, ss - p);
1141
1142 #ifdef USE_READLINE
1143 if (fn_readline != NULL) free(readline_line);
1144 #endif
1145
1146 if (ss == p || yield[ptr-1] != '\\')
1147 {
1148 yield[ptr] = 0;
1149 break;
1150 }
1151 yield[--ptr] = 0;
1152 }
1153
1154if (yield == NULL) printf("\n");
1155return yield;
1156}
1157
1158
1159
1160/*************************************************
81ea09ca
NM
1161* Output usage information for the program *
1162*************************************************/
1163
1164/* This function is called when there are no recipients
1165 or a specific --help argument was added.
1166
1167Arguments:
1168 progname information on what name we were called by
1169
1170Returns: DOES NOT RETURN
1171*/
1172
1173static void
1174exim_usage(uschar *progname)
1175{
1176
1177/* Handle specific program invocation varients */
1178if (Ustrcmp(progname, US"-mailq") == 0)
1179 {
1180 fprintf(stderr,
e765a0f1 1181 "mailq - list the contents of the mail queue\n\n"
81ea09ca
NM
1182 "For a list of options, see the Exim documentation.\n");
1183 exit(EXIT_FAILURE);
1184 }
1185
1186/* Generic usage - we output this whatever happens */
1187fprintf(stderr,
1188 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1189 "not directly from a shell command line. Options and/or arguments control\n"
1190 "what it does when called. For a list of options, see the Exim documentation.\n");
1191
1192exit(EXIT_FAILURE);
1193}
1194
1195
1196
1197/*************************************************
a7cbbf50
PP
1198* Validate that the macros given are okay *
1199*************************************************/
1200
1201/* Typically, Exim will drop privileges if macros are supplied. In some
1202cases, we want to not do so.
1203
1204Arguments: none (macros is a global)
1205Returns: true if trusted, false otherwise
1206*/
1207
1208static BOOL
1209macros_trusted(void)
1210{
1211#ifdef WHITELIST_D_MACROS
1212macro_item *m;
1213uschar *whitelisted, *end, *p, **whites, **w;
1214int white_count, i, n;
1215size_t len;
1216BOOL prev_char_item, found;
1217#endif
1218
1219if (macros == NULL)
1220 return TRUE;
1221#ifndef WHITELIST_D_MACROS
1222return FALSE;
1223#else
1224
66581d1e
PP
1225/* We only trust -D overrides for some invoking users:
1226root, the exim run-time user, the optional config owner user.
1227I don't know why config-owner would be needed, but since they can own the
1228config files anyway, there's no security risk to letting them override -D. */
1229if ( ! ((real_uid == root_uid)
1230 || (real_uid == exim_uid)
1231#ifdef CONFIGURE_OWNER
1232 || (real_uid == config_uid)
1233#endif
1234 ))
1235 {
1236 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1237 return FALSE;
1238 }
1239
a7cbbf50
PP
1240/* Get a list of macros which are whitelisted */
1241whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1242prev_char_item = FALSE;
1243white_count = 0;
1244for (p = whitelisted; *p != '\0'; ++p)
1245 {
1246 if (*p == ':' || isspace(*p))
1247 {
1248 *p = '\0';
1249 if (prev_char_item)
1250 ++white_count;
1251 prev_char_item = FALSE;
1252 continue;
1253 }
1254 if (!prev_char_item)
1255 prev_char_item = TRUE;
1256 }
1257end = p;
1258if (prev_char_item)
1259 ++white_count;
1260if (!white_count)
1261 return FALSE;
1262whites = store_malloc(sizeof(uschar *) * (white_count+1));
1263for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1264 {
1265 if (*p != '\0')
1266 {
1267 whites[i++] = p;
1268 if (i == white_count)
1269 break;
1270 while (*p != '\0' && p < end)
1271 ++p;
1272 }
1273 }
1274whites[i] = NULL;
1275
1276/* The list of macros should be very short. Accept the N*M complexity. */
1277for (m = macros; m != NULL; m = m->next)
1278 {
1279 found = FALSE;
1280 for (w = whites; *w; ++w)
1281 if (Ustrcmp(*w, m->name) == 0)
1282 {
1283 found = TRUE;
1284 break;
1285 }
1286 if (!found)
1287 return FALSE;
1288 if (m->replacement == NULL)
1289 continue;
1290 len = Ustrlen(m->replacement);
1291 if (len == 0)
1292 continue;
1293 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1294 0, PCRE_EOPT, NULL, 0);
1295 if (n < 0)
1296 {
1297 if (n != PCRE_ERROR_NOMATCH)
1298 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1299 return FALSE;
1300 }
1301 }
ebd9bd7d 1302DEBUG(D_any) debug_printf("macros_trusted overriden to true by whitelisting\n");
a7cbbf50
PP
1303return TRUE;
1304#endif
1305}
1306
1307
1308/*************************************************
059ec3d9
PH
1309* Entry point and high-level code *
1310*************************************************/
1311
1312/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1313the appropriate action. All the necessary functions are present in the one
1314binary. I originally thought one should split it up, but it turns out that so
1315much of the apparatus is needed in each chunk that one might as well just have
1316it all available all the time, which then makes the coding easier as well.
1317
1318Arguments:
1319 argc count of entries in argv
1320 argv argument strings, with argv[0] being the program name
1321
1322Returns: EXIT_SUCCESS if terminated successfully
1323 EXIT_FAILURE otherwise, except when a message has been sent
1324 to the sender, and -oee was given
1325*/
1326
1327int
1328main(int argc, char **cargv)
1329{
1330uschar **argv = USS cargv;
1331int arg_receive_timeout = -1;
1332int arg_smtp_receive_timeout = -1;
1333int arg_error_handling = error_handling;
f05da2e8
PH
1334int filter_sfd = -1;
1335int filter_ufd = -1;
059ec3d9 1336int group_count;
1670ef10 1337int i, rv;
059ec3d9
PH
1338int list_queue_option = 0;
1339int msg_action = 0;
1340int msg_action_arg = -1;
1341int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1342int queue_only_reason = 0;
1343#ifdef EXIM_PERL
1344int perl_start_option = 0;
1345#endif
1346int recipients_arg = argc;
1347int sender_address_domain = 0;
1348int test_retry_arg = -1;
1349int test_rewrite_arg = -1;
1350BOOL arg_queue_only = FALSE;
1351BOOL bi_option = FALSE;
1352BOOL checking = FALSE;
1353BOOL count_queue = FALSE;
1354BOOL expansion_test = FALSE;
1355BOOL extract_recipients = FALSE;
1356BOOL forced_delivery = FALSE;
1357BOOL f_end_dot = FALSE;
1358BOOL deliver_give_up = FALSE;
1359BOOL list_queue = FALSE;
1360BOOL list_options = FALSE;
1361BOOL local_queue_only;
1362BOOL more = TRUE;
1363BOOL one_msg_action = FALSE;
1364BOOL queue_only_set = FALSE;
1365BOOL receiving_message = TRUE;
33d73e3b 1366BOOL sender_ident_set = FALSE;
8669f003 1367BOOL session_local_queue_only;
059ec3d9
PH
1368BOOL unprivileged;
1369BOOL removed_privilege = FALSE;
81ea09ca 1370BOOL usage_wanted = FALSE;
059ec3d9
PH
1371BOOL verify_address_mode = FALSE;
1372BOOL verify_as_sender = FALSE;
1373BOOL version_printed = FALSE;
1374uschar *alias_arg = NULL;
1375uschar *called_as = US"";
1376uschar *start_queue_run_id = NULL;
1377uschar *stop_queue_run_id = NULL;
328895cc 1378uschar *expansion_test_message = NULL;
059ec3d9
PH
1379uschar *ftest_domain = NULL;
1380uschar *ftest_localpart = NULL;
1381uschar *ftest_prefix = NULL;
1382uschar *ftest_suffix = NULL;
8544e77a 1383uschar *malware_test_file = NULL;
059ec3d9
PH
1384uschar *real_sender_address;
1385uschar *originator_home = US"/";
059ec3d9
PH
1386void *reset_point;
1387
1388struct passwd *pw;
1389struct stat statbuf;
1390pid_t passed_qr_pid = (pid_t)0;
1391int passed_qr_pipe = -1;
1392gid_t group_list[NGROUPS_MAX];
1393
1394/* Possible options for -R and -S */
1395
1396static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1397
1398/* Need to define this in case we need to change the environment in order
1399to get rid of a bogus time zone. We have to make it char rather than uschar
1400because some OS define it in /usr/include/unistd.h. */
1401
1402extern char **environ;
1403
35edf2ff 1404/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1405defined by ref:name at build time, we must now find the actual uid/gid values.
1406This is a feature to make the lives of binary distributors easier. */
1407
1408#ifdef EXIM_USERNAME
1409if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1410 {
10385c15
PP
1411 if (exim_uid == 0)
1412 {
1413 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1414 EXIM_USERNAME);
1415 exit(EXIT_FAILURE);
1416 }
059ec3d9
PH
1417 exim_gid = pw->pw_gid;
1418 }
1419else
1420 {
1421 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1422 EXIM_USERNAME);
1423 exit(EXIT_FAILURE);
1424 }
1425#endif
1426
1427#ifdef EXIM_GROUPNAME
1428if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1429 {
1430 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1431 EXIM_GROUPNAME);
1432 exit(EXIT_FAILURE);
1433 }
1434#endif
1435
1436#ifdef CONFIGURE_OWNERNAME
1437if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1438 {
1439 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1440 CONFIGURE_OWNERNAME);
1441 exit(EXIT_FAILURE);
1442 }
1443#endif
1444
79d4bc3d
PP
1445/* We default the system_filter_user to be the Exim run-time user, as a
1446sane non-root value. */
1447system_filter_uid = exim_uid;
1448
35edf2ff
PH
1449#ifdef CONFIGURE_GROUPNAME
1450if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1451 {
1452 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1453 CONFIGURE_GROUPNAME);
1454 exit(EXIT_FAILURE);
1455 }
1456#endif
1457
059ec3d9
PH
1458/* In the Cygwin environment, some initialization needs doing. It is fudged
1459in by means of this macro. */
1460
1461#ifdef OS_INIT
1462OS_INIT
1463#endif
1464
1465/* Check a field which is patched when we are running Exim within its
1466testing harness; do a fast initial check, and then the whole thing. */
1467
1468running_in_test_harness =
1469 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1470
1471/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1472at the start of a program; however, it seems that some environments do not
1473follow this. A "strange" locale can affect the formatting of timestamps, so we
1474make quite sure. */
1475
1476setlocale(LC_ALL, "C");
1477
1478/* Set up the default handler for timing using alarm(). */
1479
1480os_non_restarting_signal(SIGALRM, sigalrm_handler);
1481
1482/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1483because store_malloc writes a log entry on failure. */
1484
1485log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1486if (log_buffer == NULL)
1487 {
1488 fprintf(stderr, "exim: failed to get store for log buffer\n");
1489 exit(EXIT_FAILURE);
1490 }
1491
1492/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1493NULL when the daemon is run and the file is closed. We have to use this
1494indirection, because some systems don't allow writing to the variable "stderr".
1495*/
1496
1497if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1498
1499/* Arrange for the PCRE regex library to use our store functions. Note that
1500the normal calls are actually macros that add additional arguments for
1501debugging purposes so we have to assign specially constructed functions here.
1502The default is to use store in the stacking pool, but this is overridden in the
1503regex_must_compile() function. */
1504
1505pcre_malloc = function_store_get;
1506pcre_free = function_dummy_free;
1507
1508/* Ensure there is a big buffer for temporary use in several places. It is put
1509in malloc store so that it can be freed for enlargement if necessary. */
1510
1511big_buffer = store_malloc(big_buffer_size);
1512
1513/* Set up the handler for the data request signal, and set the initial
1514descriptive text. */
1515
1516set_process_info("initializing");
1517os_restarting_signal(SIGUSR1, usr1_handler);
1518
1519/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1520in the daemon code. For the rest of Exim's uses, we ignore it. */
1521
1522signal(SIGHUP, SIG_IGN);
1523
1524/* We don't want to die on pipe errors as the code is written to handle
1525the write error instead. */
1526
1527signal(SIGPIPE, SIG_IGN);
1528
1529/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1530set to SIG_IGN. This causes subprocesses that complete before the parent
1531process waits for them not to hang around, so when Exim calls wait(), nothing
1532is there. The wait() code has been made robust against this, but let's ensure
1533that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1534ending status. We use sigaction rather than plain signal() on those OS where
1535SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1536problem on AIX with this.) */
1537
1538#ifdef SA_NOCLDWAIT
1539 {
1540 struct sigaction act;
1541 act.sa_handler = SIG_DFL;
1542 sigemptyset(&(act.sa_mask));
1543 act.sa_flags = 0;
1544 sigaction(SIGCHLD, &act, NULL);
1545 }
1546#else
1547signal(SIGCHLD, SIG_DFL);
1548#endif
1549
1550/* Save the arguments for use if we re-exec exim as a daemon after receiving
1551SIGHUP. */
1552
1553sighup_argv = argv;
1554
1555/* Set up the version number. Set up the leading 'E' for the external form of
1556message ids, set the pointer to the internal form, and initialize it to
1557indicate no message being processed. */
1558
1559version_init();
1560message_id_option[0] = '-';
1561message_id_external = message_id_option + 1;
1562message_id_external[0] = 'E';
1563message_id = message_id_external + 1;
1564message_id[0] = 0;
1565
67d175de 1566/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1567created with the modes that it specifies. NOTE: Files created with fopen() have
1568a problem, which was not recognized till rather late (February 2006). With this
1569umask, such files will be world writeable. (They are all content scanning files
1570in the spool directory, which isn't world-accessible, so this is not a
1571disaster, but it's untidy.) I don't want to change this overall setting,
1572however, because it will interact badly with the open() calls. Instead, there's
1573now a function called modefopen() that fiddles with the umask while calling
1574fopen(). */
059ec3d9 1575
67d175de 1576(void)umask(0);
059ec3d9
PH
1577
1578/* Precompile the regular expression for matching a message id. Keep this in
1579step with the code that generates ids in the accept.c module. We need to do
1580this here, because the -M options check their arguments for syntactic validity
1581using mac_ismsgid, which uses this. */
1582
1583regex_ismsgid =
1584 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1585
a5bd321b 1586/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1587code, possibly extended, at the start of an error message. Note that the
1588terminating whitespace character is included. */
a5bd321b
PH
1589
1590regex_smtp_code =
1591 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1592 FALSE, TRUE);
1593
a7cbbf50
PP
1594#ifdef WHITELIST_D_MACROS
1595/* Precompile the regular expression used to filter the content of macros
1596given to -D for permissibility. */
1597
1598regex_whitelisted_macro =
1599 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1600#endif
1601
1602
059ec3d9
PH
1603/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1604this seems to be a generally accepted convention, since one finds symbolic
1605links called "mailq" in standard OS configurations. */
1606
1607if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1608 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1609 {
1610 list_queue = TRUE;
1611 receiving_message = FALSE;
1612 called_as = US"-mailq";
1613 }
1614
1615/* If the program is called as "rmail" treat it as equivalent to
1616"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1617i.e. preventing a single dot on a line from terminating the message, and
1618returning with zero return code, even in cases of error (provided an error
1619message has been sent). */
1620
1621if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1622 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1623 {
1624 dot_ends = FALSE;
1625 called_as = US"-rmail";
1626 errors_sender_rc = EXIT_SUCCESS;
1627 }
1628
1629/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1630this is a smail convention. */
1631
1632if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1633 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1634 {
1635 smtp_input = smtp_batched_input = TRUE;
1636 called_as = US"-rsmtp";
1637 }
1638
1639/* If the program is called as "runq" treat it as equivalent to "exim -q";
1640this is a smail convention. */
1641
1642if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1643 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1644 {
1645 queue_interval = 0;
1646 receiving_message = FALSE;
1647 called_as = US"-runq";
1648 }
1649
1650/* If the program is called as "newaliases" treat it as equivalent to
1651"exim -bi"; this is a sendmail convention. */
1652
1653if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1654 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1655 {
1656 bi_option = TRUE;
1657 receiving_message = FALSE;
1658 called_as = US"-newaliases";
1659 }
1660
1661/* Save the original effective uid for a couple of uses later. It should
1662normally be root, but in some esoteric environments it may not be. */
1663
1664original_euid = geteuid();
1665
1666/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1667to be the same as the real ones. This makes a difference only if Exim is setuid
1668(or setgid) to something other than root, which could be the case in some
1669special configurations. */
1670
1671real_uid = getuid();
1672real_gid = getgid();
1673
1674if (real_uid == root_uid)
1675 {
1670ef10
PP
1676 rv = setgid(real_gid);
1677 if (rv)
1678 {
1679 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1680 (long int)real_gid, strerror(errno));
1681 exit(EXIT_FAILURE);
1682 }
1683 rv = setuid(real_uid);
1684 if (rv)
1685 {
1686 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1687 (long int)real_uid, strerror(errno));
1688 exit(EXIT_FAILURE);
1689 }
059ec3d9
PH
1690 }
1691
1692/* If neither the original real uid nor the original euid was root, Exim is
1693running in an unprivileged state. */
1694
1695unprivileged = (real_uid != root_uid && original_euid != root_uid);
1696
059ec3d9
PH
1697/* Scan the program's arguments. Some can be dealt with right away; others are
1698simply recorded for checking and handling afterwards. Do a high-level switch
1699on the second character (the one after '-'), to save some effort. */
1700
1701for (i = 1; i < argc; i++)
1702 {
1703 BOOL badarg = FALSE;
1704 uschar *arg = argv[i];
1705 uschar *argrest;
1706 int switchchar;
1707
1708 /* An argument not starting with '-' is the start of a recipients list;
1709 break out of the options-scanning loop. */
1710
1711 if (arg[0] != '-')
1712 {
1713 recipients_arg = i;
1714 break;
1715 }
1716
1717 /* An option consistion of -- terminates the options */
1718
1719 if (Ustrcmp(arg, "--") == 0)
1720 {
1721 recipients_arg = i + 1;
1722 break;
1723 }
1724
1725 /* Handle flagged options */
1726
1727 switchchar = arg[1];
1728 argrest = arg+2;
1729
1730 /* Make all -ex options synonymous with -oex arguments, since that
1731 is assumed by various callers. Also make -qR options synonymous with -R
1732 options, as that seems to be required as well. Allow for -qqR too, and
1733 the same for -S options. */
1734
1735 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1736 Ustrncmp(arg+1, "qR", 2) == 0 ||
1737 Ustrncmp(arg+1, "qS", 2) == 0)
1738 {
1739 switchchar = arg[2];
1740 argrest++;
1741 }
1742 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1743 {
1744 switchchar = arg[3];
1745 argrest += 2;
1746 queue_2stage = TRUE;
1747 }
1748
1749 /* Make -r synonymous with -f, since it is a documented alias */
1750
1751 else if (arg[1] == 'r') switchchar = 'f';
1752
1753 /* Make -ov synonymous with -v */
1754
1755 else if (Ustrcmp(arg, "-ov") == 0)
1756 {
1757 switchchar = 'v';
1758 argrest++;
1759 }
1760
4b2241d2
PP
1761 /* deal with --option_aliases */
1762 else if (switchchar == '-')
1763 {
1764 if (Ustrcmp(argrest, "help") == 0)
1765 {
1766 usage_wanted = TRUE;
1767 break;
1768 }
1769 else if (Ustrcmp(argrest, "version") == 0)
1770 {
1771 switchchar = 'b';
73a46702 1772 argrest = US"V";
4b2241d2
PP
1773 }
1774 }
1775
059ec3d9
PH
1776 /* High-level switch on active initial letter */
1777
1778 switch(switchchar)
1779 {
1780 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1781 so has no need of it. */
1782
1783 case 'B':
1784 if (*argrest == 0) i++; /* Skip over the type */
1785 break;
1786
1787
1788 case 'b':
1789 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1790
1791 /* -bd: Run in daemon mode, awaiting SMTP connections.
1792 -bdf: Ditto, but in the foreground.
1793 */
1794
1795 if (*argrest == 'd')
1796 {
1797 daemon_listen = TRUE;
1798 if (*(++argrest) == 'f') background_daemon = FALSE;
1799 else if (*argrest != 0) { badarg = TRUE; break; }
1800 }
1801
328895cc
PH
1802 /* -be: Run in expansion test mode
1803 -bem: Ditto, but read a message from a file first
1804 */
059ec3d9
PH
1805
1806 else if (*argrest == 'e')
328895cc 1807 {
059ec3d9 1808 expansion_test = checking = TRUE;
328895cc
PH
1809 if (argrest[1] == 'm')
1810 {
1811 if (++i >= argc) { badarg = TRUE; break; }
1812 expansion_test_message = argv[i];
1813 argrest++;
1814 }
1815 if (argrest[1] != 0) { badarg = TRUE; break; }
1816 }
059ec3d9 1817
f05da2e8
PH
1818 /* -bF: Run system filter test */
1819
1820 else if (*argrest == 'F')
1821 {
1822 filter_test |= FTEST_SYSTEM;
1823 if (*(++argrest) != 0) { badarg = TRUE; break; }
1824 if (++i < argc) filter_test_sfile = argv[i]; else
1825 {
1826 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1827 exit(EXIT_FAILURE);
1828 }
1829 }
1830
1831 /* -bf: Run user filter test
059ec3d9
PH
1832 -bfd: Set domain for filter testing
1833 -bfl: Set local part for filter testing
1834 -bfp: Set prefix for filter testing
1835 -bfs: Set suffix for filter testing
1836 */
1837
f05da2e8 1838 else if (*argrest == 'f')
059ec3d9 1839 {
f05da2e8 1840 if (*(++argrest) == 0)
059ec3d9 1841 {
f05da2e8
PH
1842 filter_test |= FTEST_USER;
1843 if (++i < argc) filter_test_ufile = argv[i]; else
059ec3d9
PH
1844 {
1845 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1846 exit(EXIT_FAILURE);
1847 }
1848 }
1849 else
1850 {
1851 if (++i >= argc)
1852 {
1853 fprintf(stderr, "exim: string expected after %s\n", arg);
1854 exit(EXIT_FAILURE);
1855 }
1856 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1857 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1858 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1859 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1860 else { badarg = TRUE; break; }
1861 }
1862 }
1863
1864 /* -bh: Host checking - an IP address must follow. */
1865
1866 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1867 {
1868 if (++i >= argc) { badarg = TRUE; break; }
1869 sender_host_address = argv[i];
1870 host_checking = checking = log_testing_mode = TRUE;
1871 host_checking_callout = argrest[1] == 'c';
1872 }
1873
1874 /* -bi: This option is used by sendmail to initialize *the* alias file,
1875 though it has the -oA option to specify a different file. Exim has no
1876 concept of *the* alias file, but since Sun's YP make script calls
1877 sendmail this way, some support must be provided. */
1878
1879 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1880
1881 /* -bm: Accept and deliver message - the default option. Reinstate
1882 receiving_message, which got turned off for all -b options. */
1883
1884 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
1885
8544e77a
PP
1886 /* -bmalware: test the filename given for malware */
1887
1888 else if (Ustrcmp(argrest, "malware") == 0)
1889 {
1890 if (++i >= argc) { badarg = TRUE; break; }
1891 malware_test_file = argv[i];
1892 }
1893
059ec3d9
PH
1894 /* -bnq: For locally originating messages, do not qualify unqualified
1895 addresses. In the envelope, this causes errors; in header lines they
1896 just get left. */
1897
1898 else if (Ustrcmp(argrest, "nq") == 0)
1899 {
1900 allow_unqualified_sender = FALSE;
1901 allow_unqualified_recipient = FALSE;
1902 }
1903
1904 /* -bpxx: List the contents of the mail queue, in various forms. If
1905 the option is -bpc, just a queue count is needed. Otherwise, if the
1906 first letter after p is r, then order is random. */
1907
1908 else if (*argrest == 'p')
1909 {
1910 if (*(++argrest) == 'c')
1911 {
1912 count_queue = TRUE;
1913 if (*(++argrest) != 0) badarg = TRUE;
1914 break;
1915 }
1916
1917 if (*argrest == 'r')
1918 {
1919 list_queue_option = 8;
1920 argrest++;
1921 }
1922 else list_queue_option = 0;
1923
1924 list_queue = TRUE;
1925
1926 /* -bp: List the contents of the mail queue, top-level only */
1927
1928 if (*argrest == 0) {}
1929
1930 /* -bpu: List the contents of the mail queue, top-level undelivered */
1931
1932 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
1933
1934 /* -bpa: List the contents of the mail queue, including all delivered */
1935
1936 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
1937
1938 /* Unknown after -bp[r] */
1939
1940 else
1941 {
1942 badarg = TRUE;
1943 break;
1944 }
1945 }
1946
1947
1948 /* -bP: List the configuration variables given as the address list.
1949 Force -v, so configuration errors get displayed. */
1950
1951 else if (Ustrcmp(argrest, "P") == 0)
1952 {
1953 list_options = TRUE;
1954 debug_selector |= D_v;
1955 debug_file = stderr;
1956 }
1957
1958 /* -brt: Test retry configuration lookup */
1959
1960 else if (Ustrcmp(argrest, "rt") == 0)
1961 {
1962 test_retry_arg = i + 1;
1963 goto END_ARG;
1964 }
1965
1966 /* -brw: Test rewrite configuration */
1967
1968 else if (Ustrcmp(argrest, "rw") == 0)
1969 {
1970 test_rewrite_arg = i + 1;
1971 goto END_ARG;
1972 }
1973
1974 /* -bS: Read SMTP commands on standard input, but produce no replies -
1975 all errors are reported by sending messages. */
1976
1977 else if (Ustrcmp(argrest, "S") == 0)
1978 smtp_input = smtp_batched_input = receiving_message = TRUE;
1979
1980 /* -bs: Read SMTP commands on standard input and produce SMTP replies
1981 on standard output. */
1982
1983 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
1984
1985 /* -bt: address testing mode */
1986
1987 else if (Ustrcmp(argrest, "t") == 0)
1988 address_test_mode = checking = log_testing_mode = TRUE;
1989
1990 /* -bv: verify addresses */
1991
1992 else if (Ustrcmp(argrest, "v") == 0)
1993 verify_address_mode = checking = log_testing_mode = TRUE;
1994
1995 /* -bvs: verify sender addresses */
1996
1997 else if (Ustrcmp(argrest, "vs") == 0)
1998 {
1999 verify_address_mode = checking = log_testing_mode = TRUE;
2000 verify_as_sender = TRUE;
2001 }
2002
2003 /* -bV: Print version string and support details */
2004
2005 else if (Ustrcmp(argrest, "V") == 0)
2006 {
2007 printf("Exim version %s #%s built %s\n", version_string,
2008 version_cnumber, version_date);
2009 printf("%s\n", CS version_copyright);
2010 version_printed = TRUE;
2011 show_whats_supported(stdout);
2012 }
2013
2014 else badarg = TRUE;
2015 break;
2016
2017
2018 /* -C: change configuration file list; ignore if it isn't really
2019 a change! Enforce a prefix check if required. */
2020
2021 case 'C':
2022 if (*argrest == 0)
2023 {
2024 if(++i < argc) argrest = argv[i]; else
2025 { badarg = TRUE; break; }
2026 }
2027 if (Ustrcmp(config_main_filelist, argrest) != 0)
2028 {
2029 #ifdef ALT_CONFIG_PREFIX
2030 int sep = 0;
2031 int len = Ustrlen(ALT_CONFIG_PREFIX);
2032 uschar *list = argrest;
2033 uschar *filename;
2034 while((filename = string_nextinlist(&list, &sep, big_buffer,
2035 big_buffer_size)) != NULL)
2036 {
2037 if ((Ustrlen(filename) < len ||
2038 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2039 Ustrstr(filename, "/../") != NULL) &&
2040 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2041 {
2042 fprintf(stderr, "-C Permission denied\n");
2043 exit(EXIT_FAILURE);
2044 }
2045 }
2046 #endif
261dc43e
DW
2047 if (real_uid != root_uid)
2048 {
90b6341f 2049 #ifdef TRUSTED_CONFIG_LIST
261dc43e 2050
90b6341f
DW
2051 if (real_uid != exim_uid
2052 #ifdef CONFIGURE_OWNER
2053 && real_uid != config_uid
2054 #endif
2055 )
261dc43e
DW
2056 trusted_config = FALSE;
2057 else
2058 {
90b6341f 2059 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
261dc43e
DW
2060 if (trust_list)
2061 {
2062 struct stat statbuf;
2063
2064 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2065 (statbuf.st_uid != root_uid /* owner not root */
2066 #ifdef CONFIGURE_OWNER
2067 && statbuf.st_uid != config_uid /* owner not the special one */
2068 #endif
2069 ) || /* or */
2070 (statbuf.st_gid != root_gid /* group not root */
2071 #ifdef CONFIGURE_GROUP
2072 && statbuf.st_gid != config_gid /* group not the special one */
2073 #endif
2074 && (statbuf.st_mode & 020) != 0 /* group writeable */
2075 ) || /* or */
2076 (statbuf.st_mode & 2) != 0) /* world writeable */
2077 {
2078 trusted_config = FALSE;
2079 fclose(trust_list);
2080 }
2081 else
2082 {
2083 /* Well, the trust list at least is up to scratch... */
2084 void *reset_point = store_get(0);
90b6341f
DW
2085 uschar *trusted_configs[32];
2086 int nr_configs = 0;
261dc43e
DW
2087 int i = 0;
2088
2089 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2090 {
2091 uschar *start = big_buffer, *nl;
2092 while (*start && isspace(*start))
2093 start++;
1e83d68b 2094 if (*start != '/')
261dc43e
DW
2095 continue;
2096 nl = Ustrchr(start, '\n');
2097 if (nl)
2098 *nl = 0;
90b6341f
DW
2099 trusted_configs[nr_configs++] = string_copy(start);
2100 if (nr_configs == 32)
261dc43e
DW
2101 break;
2102 }
2103 fclose(trust_list);
2104
90b6341f 2105 if (nr_configs)
261dc43e
DW
2106 {
2107 int sep = 0;
2108 uschar *list = argrest;
2109 uschar *filename;
2110 while (trusted_config && (filename = string_nextinlist(&list,
2111 &sep, big_buffer, big_buffer_size)) != NULL)
2112 {
90b6341f 2113 for (i=0; i < nr_configs; i++)
261dc43e 2114 {
90b6341f 2115 if (Ustrcmp(filename, trusted_configs[i]) == 0)
261dc43e
DW
2116 break;
2117 }
90b6341f 2118 if (i == nr_configs)
261dc43e
DW
2119 {
2120 trusted_config = FALSE;
2121 break;
2122 }
2123 }
1e83d68b 2124 store_reset(reset_point);
261dc43e
DW
2125 }
2126 else
2127 {
2128 /* No valid prefixes found in trust_list file. */
2129 trusted_config = FALSE;
2130 }
2131 }
2132 }
2133 else
2134 {
2135 /* Could not open trust_list file. */
2136 trusted_config = FALSE;
2137 }
2138 }
2139 #else
2140 /* Not root; don't trust config */
2141 trusted_config = FALSE;
2142 #endif
2143 }
059ec3d9
PH
2144
2145 config_main_filelist = argrest;
2146 config_changed = TRUE;
2147 }
2148 break;
2149
2150
2151 /* -D: set up a macro definition */
2152
2153 case 'D':
2154 #ifdef DISABLE_D_OPTION
2155 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2156 exit(EXIT_FAILURE);
2157 #else
2158 {
2159 int ptr = 0;
2160 macro_item *mlast = NULL;
2161 macro_item *m;
2162 uschar name[24];
2163 uschar *s = argrest;
2164
2165 while (isspace(*s)) s++;
2166
2167 if (*s < 'A' || *s > 'Z')
2168 {
2169 fprintf(stderr, "exim: macro name set by -D must start with "
2170 "an upper case letter\n");
2171 exit(EXIT_FAILURE);
2172 }
2173
2174 while (isalnum(*s) || *s == '_')
2175 {
2176 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2177 s++;
2178 }
2179 name[ptr] = 0;
2180 if (ptr == 0) { badarg = TRUE; break; }
2181 while (isspace(*s)) s++;
2182 if (*s != 0)
2183 {
2184 if (*s++ != '=') { badarg = TRUE; break; }
2185 while (isspace(*s)) s++;
2186 }
2187
2188 for (m = macros; m != NULL; m = m->next)
2189 {
2190 if (Ustrcmp(m->name, name) == 0)
2191 {
2192 fprintf(stderr, "exim: duplicated -D in command line\n");
2193 exit(EXIT_FAILURE);
2194 }
2195 mlast = m;
2196 }
2197
2198 m = store_get(sizeof(macro_item) + Ustrlen(name));
2199 m->next = NULL;
2200 m->command_line = TRUE;
2201 if (mlast == NULL) macros = m; else mlast->next = m;
2202 Ustrcpy(m->name, name);
2203 m->replacement = string_copy(s);
2204
2205 if (clmacro_count >= MAX_CLMACROS)
2206 {
2207 fprintf(stderr, "exim: too many -D options on command line\n");
2208 exit(EXIT_FAILURE);
2209 }
2210 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2211 m->replacement);
2212 }
2213 #endif
2214 break;
2215
2216 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2217 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2218 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2219
2220 case 'd':
2221 if (Ustrcmp(argrest, "ropcr") == 0)
2222 {
2223 /* drop_cr = TRUE; */
2224 }
2225
2226 /* Use an intermediate variable so that we don't set debugging while
2227 decoding the debugging bits. */
2228
2229 else
2230 {
2231 unsigned int selector = D_default;
2232 debug_selector = 0;
2233 debug_file = NULL;
3d235903
PH
2234 if (*argrest == 'd')
2235 {
2236 debug_daemon = TRUE;
2237 argrest++;
2238 }
059ec3d9 2239 if (*argrest != 0)
1fe64dcc 2240 decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
ed7f7860 2241 debug_options_count, US"debug", 0);
059ec3d9
PH
2242 debug_selector = selector;
2243 }
2244 break;
2245
2246
2247 /* -E: This is a local error message. This option is not intended for
2248 external use at all, but is not restricted to trusted callers because it
2249 does no harm (just suppresses certain error messages) and if Exim is run
2250 not setuid root it won't always be trusted when it generates error
2251 messages using this option. If there is a message id following -E, point
2252 message_reference at it, for logging. */
2253
2254 case 'E':
2255 local_error_message = TRUE;
2256 if (mac_ismsgid(argrest)) message_reference = argrest;
2257 break;
2258
2259
2260 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2261 option, so it looks as if historically the -oex options are also callable
2262 without the leading -o. So we have to accept them. Before the switch,
2263 anything starting -oe has been converted to -e. Exim does not support all
2264 of the sendmail error options. */
2265
2266 case 'e':
2267 if (Ustrcmp(argrest, "e") == 0)
2268 {
2269 arg_error_handling = ERRORS_SENDER;
2270 errors_sender_rc = EXIT_SUCCESS;
2271 }
2272 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2273 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2274 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2275 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2276 else badarg = TRUE;
2277 break;
2278
2279
2280 /* -F: Set sender's full name, used instead of the gecos entry from
2281 the password file. Since users can usually alter their gecos entries,
2282 there's no security involved in using this instead. The data can follow
2283 the -F or be in the next argument. */
2284
2285 case 'F':
2286 if (*argrest == 0)
2287 {
2288 if(++i < argc) argrest = argv[i]; else
2289 { badarg = TRUE; break; }
2290 }
2291 originator_name = argrest;
2fe1a124 2292 sender_name_forced = TRUE;
059ec3d9
PH
2293 break;
2294
2295
2296 /* -f: Set sender's address - this value is only actually used if Exim is
2297 run by a trusted user, or if untrusted_set_sender is set and matches the
2298 address, except that the null address can always be set by any user. The
2299 test for this happens later, when the value given here is ignored when not
2300 permitted. For an untrusted user, the actual sender is still put in Sender:
2301 if it doesn't match the From: header (unless no_local_from_check is set).
2302 The data can follow the -f or be in the next argument. The -r switch is an
2303 obsolete form of -f but since there appear to be programs out there that
2304 use anything that sendmail has ever supported, better accept it - the
2305 synonymizing is done before the switch above.
2306
2307 At this stage, we must allow domain literal addresses, because we don't
2308 know what the setting of allow_domain_literals is yet. Ditto for trailing
2309 dots and strip_trailing_dot. */
2310
2311 case 'f':
2312 {
2313 int start, end;
2314 uschar *errmess;
2315 if (*argrest == 0)
2316 {
2317 if (i+1 < argc) argrest = argv[++i]; else
2318 { badarg = TRUE; break; }
2319 }
2320 if (*argrest == 0)
2321 {
2322 sender_address = string_sprintf(""); /* Ensure writeable memory */
2323 }
2324 else
2325 {
2326 uschar *temp = argrest + Ustrlen(argrest) - 1;
2327 while (temp >= argrest && isspace(*temp)) temp--;
2328 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2329 allow_domain_literals = TRUE;
2330 strip_trailing_dot = TRUE;
2331 sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2332 &sender_address_domain, TRUE);
2333 allow_domain_literals = FALSE;
2334 strip_trailing_dot = FALSE;
2335 if (sender_address == NULL)
2336 {
2337 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2338 return EXIT_FAILURE;
2339 }
2340 }
2341 sender_address_forced = TRUE;
2342 }
2343 break;
2344
2345 /* This is some Sendmail thing which can be ignored */
2346
2347 case 'G':
2348 break;
2349
2350 /* -h: Set the hop count for an incoming message. Exim does not currently
2351 support this; it always computes it by counting the Received: headers.
2352 To put it in will require a change to the spool header file format. */
2353
2354 case 'h':
2355 if (*argrest == 0)
2356 {
2357 if(++i < argc) argrest = argv[i]; else
2358 { badarg = TRUE; break; }
2359 }
2360 if (!isdigit(*argrest)) badarg = TRUE;
2361 break;
2362
2363
2364 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2365 not to be documented for sendmail but mailx (at least) uses it) */
2366
2367 case 'i':
2368 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2369 break;
2370
2371
2372 case 'M':
2373 receiving_message = FALSE;
2374
2375 /* -MC: continue delivery of another message via an existing open
2376 file descriptor. This option is used for an internal call by the
2377 smtp transport when there is a pending message waiting to go to an
2378 address to which it has got a connection. Five subsequent arguments are
2379 required: transport name, host name, IP address, sequence number, and
2380 message_id. Transports may decline to create new processes if the sequence
2381 number gets too big. The channel is stdin. This (-MC) must be the last
2382 argument. There's a subsequent check that the real-uid is privileged.
2383
2384 If we are running in the test harness. delay for a bit, to let the process
2385 that set this one up complete. This makes for repeatability of the logging,
2386 etc. output. */
2387
2388 if (Ustrcmp(argrest, "C") == 0)
2389 {
41c7c167
PH
2390 union sockaddr_46 interface_sock;
2391 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2392
059ec3d9
PH
2393 if (argc != i + 6)
2394 {
2395 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2396 return EXIT_FAILURE;
2397 }
2398
2399 if (msg_action_arg >= 0)
2400 {
2401 fprintf(stderr, "exim: incompatible arguments\n");
2402 return EXIT_FAILURE;
2403 }
2404
2405 continue_transport = argv[++i];
2406 continue_hostname = argv[++i];
2407 continue_host_address = argv[++i];
2408 continue_sequence = Uatoi(argv[++i]);
2409 msg_action = MSG_DELIVER;
2410 msg_action_arg = ++i;
2411 forced_delivery = TRUE;
2412 queue_run_pid = passed_qr_pid;
2413 queue_run_pipe = passed_qr_pipe;
2414
2415 if (!mac_ismsgid(argv[i]))
2416 {
2417 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2418 argv[i]);
2419 return EXIT_FAILURE;
2420 }
2421
41c7c167
PH
2422 /* Set up $sending_ip_address and $sending_port */
2423
2424 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2425 &size) == 0)
2426 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2427 &sending_port);
2428 else
2429 {
2430 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2431 strerror(errno));
2432 return EXIT_FAILURE;
2433 }
2434
059ec3d9
PH
2435 if (running_in_test_harness) millisleep(500);
2436 break;
2437 }
2438
2439 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2440 precedes -MC (see above). The flag indicates that the host to which
2441 Exim is connected has accepted an AUTH sequence. */
2442
2443 else if (Ustrcmp(argrest, "CA") == 0)
2444 {
2445 smtp_authenticated = TRUE;
2446 break;
2447 }
2448
2449 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2450 it preceded -MC (see above) */
2451
2452 else if (Ustrcmp(argrest, "CP") == 0)
2453 {
2454 smtp_use_pipelining = TRUE;
2455 break;
2456 }
2457
2458 /* -MCQ: pass on the pid of the queue-running process that started
2459 this chain of deliveries and the fd of its synchronizing pipe; this
2460 is useful only when it precedes -MC (see above) */
2461
2462 else if (Ustrcmp(argrest, "CQ") == 0)
2463 {
2464 if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2465 else badarg = TRUE;
2466 if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2467 else badarg = TRUE;
2468 break;
2469 }
2470
2471 /* -MCS: set the smtp_use_size flag; this is useful only when it
2472 precedes -MC (see above) */
2473
2474 else if (Ustrcmp(argrest, "CS") == 0)
2475 {
2476 smtp_use_size = TRUE;
2477 break;
2478 }
2479
2480 /* -MCT: set the tls_offered flag; this is useful only when it
2481 precedes -MC (see above). The flag indicates that the host to which
2482 Exim is connected has offered TLS support. */
2483
2484 #ifdef SUPPORT_TLS
2485 else if (Ustrcmp(argrest, "CT") == 0)
2486 {
2487 tls_offered = TRUE;
2488 break;
2489 }
2490 #endif
2491
2492 /* -M[x]: various operations on the following list of message ids:
2493 -M deliver the messages, ignoring next retry times and thawing
2494 -Mc deliver the messages, checking next retry times, no thawing
2495 -Mf freeze the messages
2496 -Mg give up on the messages
2497 -Mt thaw the messages
2498 -Mrm remove the messages
2499 In the above cases, this must be the last option. There are also the
2500 following options which are followed by a single message id, and which
2501 act on that message. Some of them use the "recipient" addresses as well.
2502 -Mar add recipient(s)
2503 -Mmad mark all recipients delivered
2504 -Mmd mark recipients(s) delivered
2505 -Mes edit sender
0ef732d9 2506 -Mset load a message for use with -be
059ec3d9 2507 -Mvb show body
a96603a0 2508 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2509 -Mvh show header
2510 -Mvl show log
2511 */
2512
2513 else if (*argrest == 0)
2514 {
2515 msg_action = MSG_DELIVER;
2516 forced_delivery = deliver_force_thaw = TRUE;
2517 }
2518 else if (Ustrcmp(argrest, "ar") == 0)
2519 {
2520 msg_action = MSG_ADD_RECIPIENT;
2521 one_msg_action = TRUE;
2522 }
2523 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2524 else if (Ustrcmp(argrest, "es") == 0)
2525 {
2526 msg_action = MSG_EDIT_SENDER;
2527 one_msg_action = TRUE;
2528 }
2529 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2530 else if (Ustrcmp(argrest, "g") == 0)
2531 {
2532 msg_action = MSG_DELIVER;
2533 deliver_give_up = TRUE;
2534 }
2535 else if (Ustrcmp(argrest, "mad") == 0)
2536 {
2537 msg_action = MSG_MARK_ALL_DELIVERED;
2538 }
2539 else if (Ustrcmp(argrest, "md") == 0)
2540 {
2541 msg_action = MSG_MARK_DELIVERED;
2542 one_msg_action = TRUE;
2543 }
2544 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2545 else if (Ustrcmp(argrest, "set") == 0)
2546 {
2547 msg_action = MSG_LOAD;
2548 one_msg_action = TRUE;
2549 }
059ec3d9
PH
2550 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2551 else if (Ustrcmp(argrest, "vb") == 0)
2552 {
2553 msg_action = MSG_SHOW_BODY;
2554 one_msg_action = TRUE;
2555 }
a96603a0
PH
2556 else if (Ustrcmp(argrest, "vc") == 0)
2557 {
2558 msg_action = MSG_SHOW_COPY;
2559 one_msg_action = TRUE;
2560 }
059ec3d9
PH
2561 else if (Ustrcmp(argrest, "vh") == 0)
2562 {
2563 msg_action = MSG_SHOW_HEADER;
2564 one_msg_action = TRUE;
2565 }
2566 else if (Ustrcmp(argrest, "vl") == 0)
2567 {
2568 msg_action = MSG_SHOW_LOG;
2569 one_msg_action = TRUE;
2570 }
2571 else { badarg = TRUE; break; }
2572
2573 /* All the -Mxx options require at least one message id. */
2574
2575 msg_action_arg = i + 1;
2576 if (msg_action_arg >= argc)
2577 {
2578 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2579 return EXIT_FAILURE;
2580 }
2581
2582 /* Some require only message ids to follow */
2583
2584 if (!one_msg_action)
2585 {
2586 int j;
2587 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2588 {
2589 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2590 argv[j], arg);
2591 return EXIT_FAILURE;
2592 }
2593 goto END_ARG; /* Remaining args are ids */
2594 }
2595
2596 /* Others require only one message id, possibly followed by addresses,
2597 which will be handled as normal arguments. */
2598
2599 else
2600 {
2601 if (!mac_ismsgid(argv[msg_action_arg]))
2602 {
2603 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2604 argv[msg_action_arg], arg);
2605 return EXIT_FAILURE;
2606 }
2607 i++;
2608 }
2609 break;
2610
2611
2612 /* Some programs seem to call the -om option without the leading o;
2613 for sendmail it askes for "me too". Exim always does this. */
2614
2615 case 'm':
2616 if (*argrest != 0) badarg = TRUE;
2617 break;
2618
2619
2620 /* -N: don't do delivery - a debugging option that stops transports doing
2621 their thing. It implies debugging at the D_v level. */
2622
2623 case 'N':
2624 if (*argrest == 0)
2625 {
2626 dont_deliver = TRUE;
2627 debug_selector |= D_v;
2628 debug_file = stderr;
2629 }
2630 else badarg = TRUE;
2631 break;
2632
2633
2634 /* -n: This means "don't alias" in sendmail, apparently. Just ignore
2635 it. */
2636
2637 case 'n':
2638 break;
2639
2640 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2641 option to the specified value. This form uses long names. We need to handle
2642 -O option=value and -Ooption=value. */
2643
2644 case 'O':
2645 if (*argrest == 0)
2646 {
2647 if (++i >= argc)
2648 {
2649 fprintf(stderr, "exim: string expected after -O\n");
2650 exit(EXIT_FAILURE);
2651 }
2652 }
2653 break;
2654
2655 case 'o':
2656
2657 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2658 file" option). */
2659
2660 if (*argrest == 'A')
2661 {
2662 alias_arg = argrest + 1;
2663 if (alias_arg[0] == 0)
2664 {
2665 if (i+1 < argc) alias_arg = argv[++i]; else
2666 {
2667 fprintf(stderr, "exim: string expected after -oA\n");
2668 exit(EXIT_FAILURE);
2669 }
2670 }
2671 }
2672
2673 /* -oB: Set a connection message max value for remote deliveries */
2674
2675 else if (*argrest == 'B')
2676 {
2677 uschar *p = argrest + 1;
2678 if (p[0] == 0)
2679 {
2680 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2681 {
2682 connection_max_messages = 1;
2683 p = NULL;
2684 }
2685 }
2686
2687 if (p != NULL)
2688 {
2689 if (!isdigit(*p))
2690 {
2691 fprintf(stderr, "exim: number expected after -oB\n");
2692 exit(EXIT_FAILURE);
2693 }
2694 connection_max_messages = Uatoi(p);
2695 }
2696 }
2697
2698 /* -odb: background delivery */
2699
2700 else if (Ustrcmp(argrest, "db") == 0)
2701 {
2702 synchronous_delivery = FALSE;
2703 arg_queue_only = FALSE;
2704 queue_only_set = TRUE;
2705 }
2706
2707 /* -odf: foreground delivery (smail-compatible option); same effect as
2708 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2709 */
2710
2711 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2712 {
2713 synchronous_delivery = TRUE;
2714 arg_queue_only = FALSE;
2715 queue_only_set = TRUE;
2716 }
2717
2718 /* -odq: queue only */
2719
2720 else if (Ustrcmp(argrest, "dq") == 0)
2721 {
2722 synchronous_delivery = FALSE;
2723 arg_queue_only = TRUE;
2724 queue_only_set = TRUE;
2725 }
2726
2727 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2728 but no remote delivery */
2729
2730 else if (Ustrcmp(argrest, "dqs") == 0)
2731 {
2732 queue_smtp = TRUE;
2733 arg_queue_only = FALSE;
2734 queue_only_set = TRUE;
2735 }
2736
2737 /* -oex: Sendmail error flags. As these are also accepted without the
2738 leading -o prefix, for compatibility with vacation and other callers,
2739 they are handled with -e above. */
2740
2741 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2742 -oitrue: Another sendmail syntax for the same */
2743
2744 else if (Ustrcmp(argrest, "i") == 0 ||
2745 Ustrcmp(argrest, "itrue") == 0)
2746 dot_ends = FALSE;
2747
2748 /* -oM*: Set various characteristics for an incoming message; actually
2749 acted on for trusted callers only. */
2750
2751 else if (*argrest == 'M')
2752 {
2753 if (i+1 >= argc)
2754 {
2755 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2756 exit(EXIT_FAILURE);
2757 }
2758
2759 /* -oMa: Set sender host address */
2760
2761 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2762
2763 /* -oMaa: Set authenticator name */
2764
2765 else if (Ustrcmp(argrest, "Maa") == 0)
2766 sender_host_authenticated = argv[++i];
2767
2768 /* -oMas: setting authenticated sender */
2769
2770 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2771
2772 /* -oMai: setting authenticated id */
2773
2774 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2775
2776 /* -oMi: Set incoming interface address */
2777
2778 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2779
2780 /* -oMr: Received protocol */
2781
2782 else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2783
2784 /* -oMs: Set sender host name */
2785
2786 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2787
2788 /* -oMt: Set sender ident */
2789
33d73e3b
PH
2790 else if (Ustrcmp(argrest, "Mt") == 0)
2791 {
2792 sender_ident_set = TRUE;
2793 sender_ident = argv[++i];
2794 }
059ec3d9
PH
2795
2796 /* Else a bad argument */
2797
2798 else
2799 {
2800 badarg = TRUE;
2801 break;
2802 }
2803 }
2804
2805 /* -om: Me-too flag for aliases. Exim always does this. Some programs
2806 seem to call this as -m (undocumented), so that is also accepted (see
2807 above). */
2808
2809 else if (Ustrcmp(argrest, "m") == 0) {}
2810
2811 /* -oo: An ancient flag for old-style addresses which still seems to
2812 crop up in some calls (see in SCO). */
2813
2814 else if (Ustrcmp(argrest, "o") == 0) {}
2815
2816 /* -oP <name>: set pid file path for daemon */
2817
2818 else if (Ustrcmp(argrest, "P") == 0)
2819 override_pid_file_path = argv[++i];
2820
2821 /* -or <n>: set timeout for non-SMTP acceptance
2822 -os <n>: set timeout for SMTP acceptance */
2823
2824 else if (*argrest == 'r' || *argrest == 's')
2825 {
2826 int *tp = (*argrest == 'r')?
2827 &arg_receive_timeout : &arg_smtp_receive_timeout;
2828 if (argrest[1] == 0)
2829 {
2830 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2831 }
2832 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2833 if (*tp < 0)
2834 {
2835 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2836 exit(EXIT_FAILURE);
2837 }
2838 }
2839
2840 /* -oX <list>: Override local_interfaces and/or default daemon ports */
2841
2842 else if (Ustrcmp(argrest, "X") == 0)
2843 override_local_interfaces = argv[++i];
2844
2845 /* Unknown -o argument */
2846
2847 else badarg = TRUE;
2848 break;
2849
2850
2851 /* -ps: force Perl startup; -pd force delayed Perl startup */
2852
2853 case 'p':
2854 #ifdef EXIM_PERL
2855 if (*argrest == 's' && argrest[1] == 0)
2856 {
2857 perl_start_option = 1;
2858 break;
2859 }
2860 if (*argrest == 'd' && argrest[1] == 0)
2861 {
2862 perl_start_option = -1;
2863 break;
2864 }
2865 #endif
2866
2867 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
2868 which sets the host protocol and host name */
2869
2870 if (*argrest == 0)
2871 {
2872 if (i+1 < argc) argrest = argv[++i]; else
2873 { badarg = TRUE; break; }
2874 }
2875
2876 if (*argrest != 0)
2877 {
2878 uschar *hn = Ustrchr(argrest, ':');
2879 if (hn == NULL)
2880 {
2881 received_protocol = argrest;
2882 }
2883 else
2884 {
2885 received_protocol = string_copyn(argrest, hn - argrest);
2886 sender_host_name = hn + 1;
2887 }
2888 }
2889 break;
2890
2891
2892 case 'q':
2893 receiving_message = FALSE;
3cc66b45
PH
2894 if (queue_interval >= 0)
2895 {
2896 fprintf(stderr, "exim: -q specified more than once\n");
2897 exit(EXIT_FAILURE);
2898 }
059ec3d9
PH
2899
2900 /* -qq...: Do queue runs in a 2-stage manner */
2901
2902 if (*argrest == 'q')
2903 {
2904 queue_2stage = TRUE;
2905 argrest++;
2906 }
2907
2908 /* -qi...: Do only first (initial) deliveries */
2909
2910 if (*argrest == 'i')
2911 {
2912 queue_run_first_delivery = TRUE;
2913 argrest++;
2914 }
2915
2916 /* -qf...: Run the queue, forcing deliveries
2917 -qff..: Ditto, forcing thawing as well */
2918
2919 if (*argrest == 'f')
2920 {
2921 queue_run_force = TRUE;
2922 if (*(++argrest) == 'f')
2923 {
2924 deliver_force_thaw = TRUE;
2925 argrest++;
2926 }
2927 }
2928
2929 /* -q[f][f]l...: Run the queue only on local deliveries */
2930
2931 if (*argrest == 'l')
2932 {
2933 queue_run_local = TRUE;
2934 argrest++;
2935 }
2936
2937 /* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
2938 optionally starting from a given message id. */
2939
2940 if (*argrest == 0 &&
2941 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
2942 {
2943 queue_interval = 0;
2944 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2945 start_queue_run_id = argv[++i];
2946 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2947 stop_queue_run_id = argv[++i];
2948 }
2949
2950 /* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
2951 optionally local only. */
2952
2953 else
2954 {
2955 if (*argrest != 0)
2956 queue_interval = readconf_readtime(argrest, 0, FALSE);
2957 else
2958 queue_interval = readconf_readtime(argv[++i], 0, FALSE);
2959 if (queue_interval <= 0)
2960 {
2961 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2962 exit(EXIT_FAILURE);
2963 }
2964 }
2965 break;
2966
2967
2968 case 'R': /* Synonymous with -qR... */
2969 receiving_message = FALSE;
2970
2971 /* -Rf: As -R (below) but force all deliveries,
2972 -Rff: Ditto, but also thaw all frozen messages,
2973 -Rr: String is regex
2974 -Rrf: Regex and force
2975 -Rrff: Regex and force and thaw
2976
2977 in all cases provided there are no further characters in this
2978 argument. */
2979
2980 if (*argrest != 0)
2981 {
2982 int i;
2983 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
2984 {
2985 if (Ustrcmp(argrest, rsopts[i]) == 0)
2986 {
2987 if (i != 2) queue_run_force = TRUE;
2988 if (i >= 2) deliver_selectstring_regex = TRUE;
2989 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
2990 argrest += Ustrlen(rsopts[i]);
2991 }
2992 }
2993 }
2994
2995 /* -R: Set string to match in addresses for forced queue run to
2996 pick out particular messages. */
2997
2998 if (*argrest == 0)
2999 {
3000 if (i+1 < argc) deliver_selectstring = argv[++i]; else
3001 {
3002 fprintf(stderr, "exim: string expected after -R\n");
3003 exit(EXIT_FAILURE);
3004 }
3005 }
3006 else deliver_selectstring = argrest;
059ec3d9
PH
3007 break;
3008
3009
3010 /* -r: an obsolete synonym for -f (see above) */
3011
3012
3013 /* -S: Like -R but works on sender. */
3014
3015 case 'S': /* Synonymous with -qS... */
3016 receiving_message = FALSE;
3017
3018 /* -Sf: As -S (below) but force all deliveries,
3019 -Sff: Ditto, but also thaw all frozen messages,
3020 -Sr: String is regex
3021 -Srf: Regex and force
3022 -Srff: Regex and force and thaw
3023
3024 in all cases provided there are no further characters in this
3025 argument. */
3026
3027 if (*argrest != 0)
3028 {
3029 int i;
3030 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3031 {
3032 if (Ustrcmp(argrest, rsopts[i]) == 0)
3033 {
3034 if (i != 2) queue_run_force = TRUE;
3035 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3036 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3037 argrest += Ustrlen(rsopts[i]);
3038 }
3039 }
3040 }
3041
3042 /* -S: Set string to match in addresses for forced queue run to
3043 pick out particular messages. */
3044
3045 if (*argrest == 0)
3046 {
3047 if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
3048 {
3049 fprintf(stderr, "exim: string expected after -S\n");
3050 exit(EXIT_FAILURE);
3051 }
3052 }
3053 else deliver_selectstring_sender = argrest;
059ec3d9
PH
3054 break;
3055
3056 /* -Tqt is an option that is exclusively for use by the testing suite.
3057 It is not recognized in other circumstances. It allows for the setting up
3058 of explicit "queue times" so that various warning/retry things can be
3059 tested. Otherwise variability of clock ticks etc. cause problems. */
3060
3061 case 'T':
3062 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3063 fudged_queue_times = argv[++i];
3064 else badarg = TRUE;
3065 break;
3066
3067
3068 /* -t: Set flag to extract recipients from body of message. */
3069
3070 case 't':
3071 if (*argrest == 0) extract_recipients = TRUE;
3072
3073 /* -ti: Set flag to extract recipients from body of message, and also
3074 specify that dot does not end the message. */
3075
3076 else if (Ustrcmp(argrest, "i") == 0)
3077 {
3078 extract_recipients = TRUE;
3079 dot_ends = FALSE;
3080 }
3081
3082 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3083
3084 #ifdef SUPPORT_TLS
3085 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
3086 #endif
3087
3088 else badarg = TRUE;
3089 break;
3090
3091
3092 /* -U: This means "initial user submission" in sendmail, apparently. The
3093 doc claims that in future sendmail may refuse syntactically invalid
3094 messages instead of fixing them. For the moment, we just ignore it. */
3095
3096 case 'U':
3097 break;
3098
3099
3100 /* -v: verify things - this is a very low-level debugging */
3101
3102 case 'v':
3103 if (*argrest == 0)
3104 {
3105 debug_selector |= D_v;
3106 debug_file = stderr;
3107 }
3108 else badarg = TRUE;
3109 break;
3110
3111
3112 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3113
3114 The -x flag tells the sendmail command that mail from a local
3115 mail program has National Language Support (NLS) extended characters
3116 in the body of the mail item. The sendmail command can send mail with
3117 extended NLS characters across networks that normally corrupts these
3118 8-bit characters.
3119
3120 As Exim is 8-bit clean, it just ignores this flag. */
3121
3122 case 'x':
3123 if (*argrest != 0) badarg = TRUE;
3124 break;
3125
3126 /* All other initial characters are errors */
3127
3128 default:
3129 badarg = TRUE;
3130 break;
3131 } /* End of high-level switch statement */
3132
3133 /* Failed to recognize the option, or syntax error */
3134
3135 if (badarg)
3136 {
3137 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3138 "option %s\n", arg);
3139 exit(EXIT_FAILURE);
3140 }
3141 }
3142
3143
3cc66b45
PH
3144/* If -R or -S have been specified without -q, assume a single queue run. */
3145
3146if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
3147 queue_interval < 0) queue_interval = 0;
3148
3149
059ec3d9 3150END_ARG:
81ea09ca
NM
3151/* If usage_wanted is set we call the usage function - which never returns */
3152if (usage_wanted) exim_usage(called_as);
3153
3154/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
3155if ((
3156 (smtp_input || extract_recipients || recipients_arg < argc) &&
3157 (daemon_listen || queue_interval >= 0 || bi_option ||
3158 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 3159 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
3160 ) ||
3161 (
3162 msg_action_arg > 0 &&
0ef732d9
PH
3163 (daemon_listen || queue_interval >= 0 || list_options ||
3164 (checking && msg_action != MSG_LOAD) ||
3165 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
3166 ) ||
3167 (
3168 (daemon_listen || queue_interval >= 0) &&
3169 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 3170 bi_option)
059ec3d9
PH
3171 ) ||
3172 (
3173 daemon_listen && queue_interval == 0
3174 ) ||
3175 (
3176 list_options &&
3177 (checking || smtp_input || extract_recipients ||
f05da2e8 3178 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3179 ) ||
3180 (
3181 verify_address_mode &&
3182 (address_test_mode || smtp_input || extract_recipients ||
f05da2e8 3183 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3184 ) ||
3185 (
3186 address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 3187 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3188 ) ||
3189 (
f05da2e8 3190 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
3191 extract_recipients)
3192 ) ||
3193 (
3194 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
3195 ) ||
3196 (
3197 msg_action == MSG_LOAD &&
3198 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3199 )
3200 )
3201 {
3202 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3203 exit(EXIT_FAILURE);
3204 }
3205
3206/* If debugging is set up, set the file and the file descriptor to pass on to
3207child processes. It should, of course, be 2 for stderr. Also, force the daemon
3208to run in the foreground. */
3209
3210if (debug_selector != 0)
3211 {
3212 debug_file = stderr;
3213 debug_fd = fileno(debug_file);
3214 background_daemon = FALSE;
3215 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3216 if (debug_selector != D_v) /* -v only doesn't show this */
3217 {
3218 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3219 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3220 debug_selector);
6545de78
PP
3221 if (!version_printed)
3222 show_whats_supported(stderr);
059ec3d9
PH
3223 }
3224 }
3225
3226/* When started with root privilege, ensure that the limits on the number of
3227open files and the number of processes (where that is accessible) are
3228sufficiently large, or are unset, in case Exim has been called from an
3229environment where the limits are screwed down. Not all OS have the ability to
3230change some of these limits. */
3231
3232if (unprivileged)
3233 {
3234 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3235 }
3236else
3237 {
3238 struct rlimit rlp;
3239
3240 #ifdef RLIMIT_NOFILE
3241 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3242 {
3243 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3244 strerror(errno));
3245 rlp.rlim_cur = rlp.rlim_max = 0;
3246 }
eb2c0248
PH
3247
3248 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3249 be exceeded. It turns out that some older OS have a fixed upper limit of
3250 256. */
eb2c0248 3251
059ec3d9
PH
3252 if (rlp.rlim_cur < 1000)
3253 {
3254 rlp.rlim_cur = rlp.rlim_max = 1000;
3255 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3256 {
a494b1e1
PH
3257 rlp.rlim_cur = rlp.rlim_max = 256;
3258 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3259 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3260 strerror(errno));
eb2c0248 3261 }
059ec3d9
PH
3262 }
3263 #endif
3264
3265 #ifdef RLIMIT_NPROC
3266 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3267 {
3268 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3269 strerror(errno));
3270 rlp.rlim_cur = rlp.rlim_max = 0;
3271 }
3272
3273 #ifdef RLIM_INFINITY
3274 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3275 {
3276 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3277 #else
3278 if (rlp.rlim_cur < 1000)
3279 {
3280 rlp.rlim_cur = rlp.rlim_max = 1000;
3281 #endif
3282 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3283 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3284 strerror(errno));
3285 }
3286 #endif
3287 }
3288
3289/* Exim is normally entered as root (but some special configurations are
3290possible that don't do this). However, it always spins off sub-processes that
3291set their uid and gid as required for local delivery. We don't want to pass on
3292any extra groups that root may belong to, so we want to get rid of them all at
3293this point.
3294
3295We need to obey setgroups() at this stage, before possibly giving up root
3296privilege for a changed configuration file, but later on we might need to
3297check on the additional groups for the admin user privilege - can't do that
3298till after reading the config, which might specify the exim gid. Therefore,
3299save the group list here first. */
3300
3301group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18
PP
3302if (group_count < 0)
3303 {
3304 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3305 exit(EXIT_FAILURE);
3306 }
059ec3d9
PH
3307
3308/* There is a fundamental difference in some BSD systems in the matter of
3309groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3310known not to be different. On the "different" systems there is a single group
3311list, and the first entry in it is the current group. On all other versions of
3312Unix there is a supplementary group list, which is in *addition* to the current
3313group. Consequently, to get rid of all extraneous groups on a "standard" system
3314you pass over 0 groups to setgroups(), while on a "different" system you pass
3315over a single group - the current group, which is always the first group in the
3316list. Calling setgroups() with zero groups on a "different" system results in
3317an error return. The following code should cope with both types of system.
3318
3319However, if this process isn't running as root, setgroups() can't be used
3320since you have to be root to run it, even if throwing away groups. Not being
3321root here happens only in some unusual configurations. We just ignore the
3322error. */
3323
3324if (setgroups(0, NULL) != 0)
3325 {
3326 if (setgroups(1, group_list) != 0 && !unprivileged)
3327 {
3328 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3329 exit(EXIT_FAILURE);
3330 }
3331 }
3332
3333/* If the configuration file name has been altered by an argument on the
3334command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3335not root, or if this is a filter testing run, remove any setuid privilege the
3336program has and run as the underlying user.
059ec3d9 3337
cd25e41d
DW
3338The exim user is locked out of this, which severely restricts the use of -C
3339for some purposes.
059ec3d9
PH
3340
3341Otherwise, set the real ids to the effective values (should be root unless run
3342from inetd, which it can either be root or the exim uid, if one is configured).
3343
3344There is a private mechanism for bypassing some of this, in order to make it
3345possible to test lots of configurations automatically, without having either to
3346recompile each time, or to patch in an actual configuration file name and other
3347values (such as the path name). If running in the test harness, pretend that
3348configuration file changes and macro definitions haven't happened. */
3349
3350if (( /* EITHER */
a7cbbf50
PP
3351 (!trusted_config || /* Config changed, or */
3352 !macros_trusted()) && /* impermissible macros and */
059ec3d9 3353 real_uid != root_uid && /* Not root, and */
059ec3d9
PH
3354 !running_in_test_harness /* Not fudged */
3355 ) || /* OR */
3356 expansion_test /* expansion testing */
3357 || /* OR */
f05da2e8 3358 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3359 {
3360 setgroups(group_count, group_list);
3361 exim_setugid(real_uid, real_gid, FALSE,
3362 US"-C, -D, -be or -bf forces real uid");
3363 removed_privilege = TRUE;
3364
3365 /* In the normal case when Exim is called like this, stderr is available
3366 and should be used for any logging information because attempts to write
3367 to the log will usually fail. To arrange this, we unset really_exim. However,
3368 if no stderr is available there is no point - we might as well have a go
b7487bce 3369 at the log (if it fails, syslog will be written).
059ec3d9 3370
b7487bce
PP
3371 Note that if the invoker is Exim, the logs remain available. Messing with
3372 this causes unlogged successful deliveries. */
3373
3374 if ((log_stderr != NULL) && (real_uid != exim_uid))
3375 really_exim = FALSE;
059ec3d9
PH
3376 }
3377
3378/* Privilege is to be retained for the moment. It may be dropped later,
3379depending on the job that this Exim process has been asked to do. For now, set
3380the real uid to the effective so that subsequent re-execs of Exim are done by a
3381privileged user. */
3382
3383else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3384
f05da2e8 3385/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3386setups and reading the message. */
3387
f05da2e8
PH
3388if ((filter_test & FTEST_SYSTEM) != 0)
3389 {
3390 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3391 if (filter_sfd < 0)
3392 {
3393 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3394 strerror(errno));
3395 return EXIT_FAILURE;
3396 }
3397 }
3398
3399if ((filter_test & FTEST_USER) != 0)
059ec3d9 3400 {
f05da2e8
PH
3401 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3402 if (filter_ufd < 0)
059ec3d9 3403 {
f05da2e8 3404 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9
PH
3405 strerror(errno));
3406 return EXIT_FAILURE;
3407 }
3408 }
3409
3410/* Read the main runtime configuration data; this gives up if there
3411is a failure. It leaves the configuration file open so that the subsequent
3412configuration data for delivery can be read if needed. */
3413
3414readconf_main();
3415
3416/* Handle the decoding of logging options. */
3417
ed7f7860
PP
3418decode_bits(&log_write_selector, &log_extra_selector, 0, 0,
3419 log_selector_string, log_options, log_options_count, US"log", 0);
059ec3d9
PH
3420
3421DEBUG(D_any)
3422 {
3423 debug_printf("configuration file is %s\n", config_main_filename);
3424 debug_printf("log selectors = %08x %08x\n", log_write_selector,
3425 log_extra_selector);
3426 }
3427
3428/* If domain literals are not allowed, check the sender address that was
3429supplied with -f. Ditto for a stripped trailing dot. */
3430
3431if (sender_address != NULL)
3432 {
3433 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3434 {
3435 fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3436 "allowed\n", sender_address);
3437 return EXIT_FAILURE;
3438 }
3439 if (f_end_dot && !strip_trailing_dot)
3440 {
3441 fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3442 "(trailing dot not allowed)\n", sender_address);
3443 return EXIT_FAILURE;
3444 }
3445 }
3446
3447/* Paranoia check of maximum lengths of certain strings. There is a check
3448on the length of the log file path in log.c, which will come into effect
3449if there are any calls to write the log earlier than this. However, if we
3450get this far but the string is very long, it is better to stop now than to
3451carry on and (e.g.) receive a message and then have to collapse. The call to
3452log_write() from here will cause the ultimate panic collapse if the complete
3453file name exceeds the buffer length. */
3454
3455if (Ustrlen(log_file_path) > 200)
3456 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3457 "log_file_path is longer than 200 chars: aborting");
3458
3459if (Ustrlen(pid_file_path) > 200)
3460 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3461 "pid_file_path is longer than 200 chars: aborting");
3462
3463if (Ustrlen(spool_directory) > 200)
3464 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3465 "spool_directory is longer than 200 chars: aborting");
3466
3467/* Length check on the process name given to syslog for its TAG field,
3468which is only permitted to be 32 characters or less. See RFC 3164. */
3469
3470if (Ustrlen(syslog_processname) > 32)
3471 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3472 "syslog_processname is longer than 32 chars: aborting");
3473
3474/* In some operating systems, the environment variable TMPDIR controls where
3475temporary files are created; Exim doesn't use these (apart from when delivering
3476to MBX mailboxes), but called libraries such as DBM libraries may require them.
3477If TMPDIR is found in the environment, reset it to the value defined in the
3478TMPDIR macro, if this macro is defined. */
3479
3480#ifdef TMPDIR
3481 {
3482 uschar **p;
3483 for (p = USS environ; *p != NULL; p++)
3484 {
3485 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3486 Ustrcmp(*p+7, TMPDIR) != 0)
3487 {
3488 uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3489 sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3490 *p = newp;
3491 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3492 }
3493 }
3494 }
3495#endif
3496
3497/* Timezone handling. If timezone_string is "utc", set a flag to cause all
3498timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3499we may need to get rid of a bogus timezone setting. This can arise when Exim is
3500called by a user who has set the TZ variable. This then affects the timestamps
3501in log files and in Received: headers, and any created Date: header lines. The
3502required timezone is settable in the configuration file, so nothing can be done
3503about this earlier - but hopefully nothing will normally be logged earlier than
3504this. We have to make a new environment if TZ is wrong, but don't bother if
3505timestamps_utc is set, because then all times are in UTC anyway. */
3506
3507if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3508 {
3509 timestamps_utc = TRUE;
3510 }
3511else
3512 {
3513 uschar *envtz = US getenv("TZ");
3514 if ((envtz == NULL && timezone_string != NULL) ||
3515 (envtz != NULL &&
3516 (timezone_string == NULL ||
3517 Ustrcmp(timezone_string, envtz) != 0)))
3518 {
3519 uschar **p = USS environ;
3520 uschar **new;
3521 uschar **newp;
3522 int count = 0;
3523 while (*p++ != NULL) count++;
3524 if (envtz == NULL) count++;
3525 newp = new = malloc(sizeof(uschar *) * (count + 1));
3526 for (p = USS environ; *p != NULL; p++)
3527 {
3528 if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3529 *newp++ = *p;
3530 }
3531 if (timezone_string != NULL)
3532 {
3533 *newp = malloc(Ustrlen(timezone_string) + 4);
3534 sprintf(CS *newp++, "TZ=%s", timezone_string);
3535 }
3536 *newp = NULL;
3537 environ = CSS new;
3538 tzset();
3539 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3540 tod_stamp(tod_log));
3541 }
3542 }
3543
3544/* Handle the case when we have removed the setuid privilege because of -C or
cd25e41d 3545-D. This means that the caller of Exim was not root.
059ec3d9 3546
cd25e41d
DW
3547There is a problem if we were running as the Exim user. The sysadmin may
3548expect this case to retain privilege because "the binary was called by the
3549Exim user", but it hasn't, because either the -D option set macros, or the
261dc43e 3550-C option set a non-trusted configuration file. There are two possibilities:
059ec3d9
PH
3551
3552 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3553 to do message deliveries. Thus, the fact that it is running as a
3554 non-privileged user is plausible, and might be wanted in some special
3555 configurations. However, really_exim will have been set false when
3556 privilege was dropped, to stop Exim trying to write to its normal log
3557 files. Therefore, re-enable normal log processing, assuming the sysadmin
3558 has set up the log directory correctly.
3559
3560 (2) If deliver_drop_privilege is not set, the configuration won't work as
3561 apparently intended, and so we log a panic message. In order to retain
261dc43e
DW
3562 root for -C or -D, the caller must either be root or be invoking a
3563 trusted configuration file (when deliver_drop_privilege is false). */
059ec3d9 3564
e2f5dc15 3565if (removed_privilege && (!trusted_config || macros != NULL) &&
059ec3d9
PH
3566 real_uid == exim_uid)
3567 {
059ec3d9
PH
3568 if (deliver_drop_privilege)
3569 really_exim = TRUE; /* let logging work normally */
3570 else
3571 log_write(0, LOG_MAIN|LOG_PANIC,
cd25e41d 3572 "exim user lost privilege for using %s option",
90b6341f 3573 trusted_config? "-D" : "-C");
059ec3d9
PH
3574 }
3575
3576/* Start up Perl interpreter if Perl support is configured and there is a
3577perl_startup option, and the configuration or the command line specifies
3578initializing starting. Note that the global variables are actually called
3579opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3580
3581#ifdef EXIM_PERL
3582if (perl_start_option != 0)
3583 opt_perl_at_start = (perl_start_option > 0);
3584if (opt_perl_at_start && opt_perl_startup != NULL)
3585 {
3586 uschar *errstr;
3587 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3588 errstr = init_perl(opt_perl_startup);
3589 if (errstr != NULL)
3590 {
3591 fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
3592 return EXIT_FAILURE;
3593 }
3594 opt_perl_started = TRUE;
3595 }
3596#endif /* EXIM_PERL */
3597
6545de78
PP
3598/* Initialise lookup_list
3599If debugging, already called above via version reporting.
3600This does mean that debugging causes the list to be initialised while root.
3601This *should* be harmless -- all modules are loaded from a fixed dir and
3602it's code that would, if not a module, be part of Exim already. */
e6d225ae
DW
3603init_lookup_list();
3604
059ec3d9
PH
3605/* Log the arguments of the call if the configuration file said so. This is
3606a debugging feature for finding out what arguments certain MUAs actually use.
3607Don't attempt it if logging is disabled, or if listing variables or if
3608verifying/testing addresses or expansions. */
3609
31619da6
PH
3610if (((debug_selector & D_any) != 0 || (log_extra_selector & LX_arguments) != 0)
3611 && really_exim && !list_options && !checking)
059ec3d9
PH
3612 {
3613 int i;
3614 uschar *p = big_buffer;
3615 Ustrcpy(p, "cwd=");
3616 (void)getcwd(CS p+4, big_buffer_size - 4);
3617 while (*p) p++;
3618 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3619 while (*p) p++;
3620 for (i = 0; i < argc; i++)
3621 {
3622 int len = Ustrlen(argv[i]);
3623 uschar *printing;
3624 uschar *quote;
3625 if (p + len + 8 >= big_buffer + big_buffer_size)
3626 {
3627 Ustrcpy(p, " ...");
3628 log_write(0, LOG_MAIN, "%s", big_buffer);
3629 Ustrcpy(big_buffer, "...");
3630 p = big_buffer + 3;
3631 }
3632 printing = string_printing(argv[i]);
3633 if (printing[0] == 0) quote = US"\""; else
3634 {
3635 uschar *pp = printing;
3636 quote = US"";
3637 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3638 }
3639 sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3640 (p - big_buffer) - 4), printing, quote);
3641 while (*p) p++;
3642 }
31619da6
PH
3643
3644 if ((log_extra_selector & LX_arguments) != 0)
3645 log_write(0, LOG_MAIN, "%s", big_buffer);
3646 else
3647 debug_printf("%s\n", big_buffer);
059ec3d9
PH
3648 }
3649
3650/* Set the working directory to be the top-level spool directory. We don't rely
3651on this in the code, which always uses fully qualified names, but it's useful
3652for core dumps etc. Don't complain if it fails - the spool directory might not
3653be generally accessible and calls with the -C option (and others) have lost
ba18e66a
PH
3654privilege by now. Before the chdir, we try to ensure that the directory exists.
3655*/
059ec3d9
PH
3656
3657if (Uchdir(spool_directory) != 0)
3658 {
ba18e66a 3659 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
059ec3d9
PH
3660 (void)Uchdir(spool_directory);
3661 }
3662
3663/* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3664alias file. Exim doesn't have such a concept, but this call is screwed into
3665Sun's YP makefiles. Handle this by calling a configured script, as the real
3666user who called Exim. The -oA option can be used to pass an argument to the
3667script. */
3668
3669if (bi_option)
3670 {
1fe64dcc 3671 (void)fclose(config_file);
059ec3d9
PH
3672 if (bi_command != NULL)
3673 {
3674 int i = 0;
3675 uschar *argv[3];
3676 argv[i++] = bi_command;
3677 if (alias_arg != NULL) argv[i++] = alias_arg;
3678 argv[i++] = NULL;
3679
3680 setgroups(group_count, group_list);
3681 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3682
3683 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3684 (argv[1] == NULL)? US"" : argv[1]);
3685
3686 execv(CS argv[0], (char *const *)argv);
3687 fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
3688 exit(EXIT_FAILURE);
3689 }
3690 else
3691 {
3692 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3693 exit(EXIT_SUCCESS);
3694 }
3695 }
3696
3697/* If an action on specific messages is requested, or if a daemon or queue
3698runner is being started, we need to know if Exim was called by an admin user.
3699This is the case if the real user is root or exim, or if the real group is
3700exim, or if one of the supplementary groups is exim or a group listed in
3701admin_groups. We don't fail all message actions immediately if not admin_user,
3702since some actions can be performed by non-admin users. Instead, set admin_user
3703for later interrogation. */
3704
3705if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3706 admin_user = TRUE;
3707else
3708 {
3709 int i, j;
059ec3d9
PH
3710 for (i = 0; i < group_count; i++)
3711 {
3712 if (group_list[i] == exim_gid) admin_user = TRUE;
3713 else if (admin_groups != NULL)
3714 {
3715 for (j = 1; j <= (int)(admin_groups[0]); j++)
3716 if (admin_groups[j] == group_list[i])
3717 { admin_user = TRUE; break; }
3718 }
3719 if (admin_user) break;
3720 }
3721 }
3722
3723/* Another group of privileged users are the trusted users. These are root,
3724exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3725are permitted to specify sender_addresses with -f on the command line, and
3726other message parameters as well. */
3727
3728if (real_uid == root_uid || real_uid == exim_uid)
3729 trusted_caller = TRUE;
3730else
3731 {
3732 int i, j;
3733
3734 if (trusted_users != NULL)
3735 {
3736 for (i = 1; i <= (int)(trusted_users[0]); i++)
3737 if (trusted_users[i] == real_uid)
3738 { trusted_caller = TRUE; break; }
3739 }
3740
3741 if (!trusted_caller && trusted_groups != NULL)
3742 {
3743 for (i = 1; i <= (int)(trusted_groups[0]); i++)
3744 {
3745 if (trusted_groups[i] == real_gid)
3746 trusted_caller = TRUE;
3747 else for (j = 0; j < group_count; j++)
3748 {
3749 if (trusted_groups[i] == group_list[j])
3750 { trusted_caller = TRUE; break; }
3751 }
3752 if (trusted_caller) break;
3753 }
3754 }
3755 }
3756
3757if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
3758if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
3759
3760/* Only an admin user may start the daemon or force a queue run in the default
3761configuration, but the queue run restriction can be relaxed. Only an admin
3762user may request that a message be returned to its sender forthwith. Only an
3763admin user may specify a debug level greater than D_v (because it might show
3764passwords, etc. in lookup queries). Only an admin user may request a queue
8544e77a
PP
3765count. Only an admin user can use the test interface to scan for email
3766(because Exim will be in the spool dir and able to look at mails). */
059ec3d9
PH
3767
3768if (!admin_user)
3769 {
3770 BOOL debugset = (debug_selector & ~D_v) != 0;
8544e77a 3771 if (deliver_give_up || daemon_listen || malware_test_file ||
059ec3d9
PH
3772 (count_queue && queue_list_requires_admin) ||
3773 (list_queue && queue_list_requires_admin) ||
3774 (queue_interval >= 0 && prod_requires_admin) ||
3775 (debugset && !running_in_test_harness))
3776 {
3777 fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
3778 exit(EXIT_FAILURE);
3779 }
3780 }
3781
3782/* If the real user is not root or the exim uid, the argument for passing
3783in an open TCP/IP connection for another message is not permitted, nor is
3784running with the -N option for any delivery action, unless this call to exim is
3785one that supplied an input message, or we are using a patched exim for
3786regression testing. */
3787
3788if (real_uid != root_uid && real_uid != exim_uid &&
3789 (continue_hostname != NULL ||
3790 (dont_deliver &&
3791 (queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
3792 )) && !running_in_test_harness)
3793 {
3794 fprintf(stderr, "exim: Permission denied\n");
3795 return EXIT_FAILURE;
3796 }
3797
3798/* If the caller is not trusted, certain arguments are ignored when running for
f05da2e8
PH
3799real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
3800Note that authority for performing certain actions on messages is tested in the
059ec3d9
PH
3801queue_action() function. */
3802
f05da2e8 3803if (!trusted_caller && !checking && filter_test == FTEST_NONE)
059ec3d9
PH
3804 {
3805 sender_host_name = sender_host_address = interface_address =
3806 sender_ident = received_protocol = NULL;
3807 sender_host_port = interface_port = 0;
3808 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
3809 }
3810
3811/* If a sender host address is set, extract the optional port number off the
3812end of it and check its syntax. Do the same thing for the interface address.
3813Exim exits if the syntax is bad. */
3814
3815else
3816 {
3817 if (sender_host_address != NULL)
3818 sender_host_port = check_port(sender_host_address);
3819 if (interface_address != NULL)
3820 interface_port = check_port(interface_address);
3821 }
3822
3823/* If an SMTP message is being received check to see if the standard input is a
3824TCP/IP socket. If it is, we assume that Exim was called from inetd if the
3825caller is root or the Exim user, or if the port is a privileged one. Otherwise,
3826barf. */
3827
3828if (smtp_input)
3829 {
3830 union sockaddr_46 inetd_sock;
36a3b041 3831 EXIM_SOCKLEN_T size = sizeof(inetd_sock);
059ec3d9
PH
3832 if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
3833 {
3834 int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
3835 if (family == AF_INET || family == AF_INET6)
3836 {
3837 union sockaddr_46 interface_sock;
3838 size = sizeof(interface_sock);
3839
3840 if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
3841 interface_address = host_ntoa(-1, &interface_sock, NULL,
3842 &interface_port);
3843
3844 if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
3845
3846 if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
3847 {
3848 is_inetd = TRUE;
3849 sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
3850 NULL, &sender_host_port);
3851 if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
3852 "inetd is not supported when mua_wrapper is set");
3853 }
3854 else
3855 {
3856 fprintf(stderr,
3857 "exim: Permission denied (unprivileged user, unprivileged port)\n");
3858 return EXIT_FAILURE;
3859 }
3860 }
3861 }
3862 }
3863
3864/* If the load average is going to be needed while receiving a message, get it
3865now for those OS that require the first call to os_getloadavg() to be done as
3866root. There will be further calls later for each message received. */
3867
3868#ifdef LOAD_AVG_NEEDS_ROOT
3869if (receiving_message &&
3870 (queue_only_load >= 0 ||
3871 (is_inetd && smtp_load_reserve >= 0)
3872 ))
3873 {
8669f003 3874 load_average = OS_GETLOADAVG();
059ec3d9
PH
3875 }
3876#endif
3877
3878/* The queue_only configuration option can be overridden by -odx on the command
3879line, except that if queue_only_override is false, queue_only cannot be unset
3880from the command line. */
3881
3882if (queue_only_set && (queue_only_override || arg_queue_only))
3883 queue_only = arg_queue_only;
3884
3885/* The receive_timeout and smtp_receive_timeout options can be overridden by
3886-or and -os. */
3887
3888if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
3889if (arg_smtp_receive_timeout >= 0)
3890 smtp_receive_timeout = arg_smtp_receive_timeout;
3891
3892/* If Exim was started with root privilege, unless we have already removed the
3893root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now
3894except when starting the daemon or doing some kind of delivery or address
3895testing (-bt). These are the only cases when root need to be retained. We run
3896as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is
805e5aab
TF
3897retained only for starting the daemon. We always do the initgroups() in this
3898situation (controlled by the TRUE below), in order to be as close as possible
3899to the state Exim usually runs in. */
059ec3d9
PH
3900
3901if (!unprivileged && /* originally had root AND */
3902 !removed_privilege && /* still got root AND */
3903 !daemon_listen && /* not starting the daemon */
3904 queue_interval <= 0 && /* (either kind of daemon) */
3905 ( /* AND EITHER */
3906 deliver_drop_privilege || /* requested unprivileged */
3907 ( /* OR */
3908 queue_interval < 0 && /* not running the queue */
3909 (msg_action_arg < 0 || /* and */
3910 msg_action != MSG_DELIVER) && /* not delivering and */
3911 (!checking || !address_test_mode) /* not address checking */
3912 )
3913 ))
3914 {
805e5aab 3915 exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
059ec3d9
PH
3916 }
3917
3918/* When we are retaining a privileged uid, we still change to the exim gid. */
3919
1670ef10
PP
3920else
3921 {
3922 int rv;
3923 rv = setgid(exim_gid);
3924 /* Impact of failure is that some stuff might end up with an incorrect group.
3925 We track this for failures from root, since any attempt to change privilege
3926 by root should succeed and failures should be examined. For non-root,
3927 there's no security risk. For me, it's { exim -bV } on a just-built binary,
3928 no need to complain then. */
3929 if (rv == -1)
3930 {
33191679 3931 if (!(unprivileged || removed_privilege))
1670ef10
PP
3932 {
3933 fprintf(stderr,
3934 "exim: changing group failed: %s\n", strerror(errno));
3935 exit(EXIT_FAILURE);
3936 }
3937 else
33191679 3938 DEBUG(D_any) debug_printf("changing group to %ld failed: %s\n",
1670ef10
PP
3939 (long int)exim_gid, strerror(errno));
3940 }
3941 }
059ec3d9 3942
8544e77a
PP
3943/* Handle a request to scan a file for malware */
3944if (malware_test_file)
3945 {
dbc4b90d 3946#ifdef WITH_CONTENT_SCAN
8544e77a
PP
3947 int result;
3948 set_process_info("scanning file for malware");
3949 result = malware_in_file(malware_test_file);
3950 if (result == FAIL)
3951 {
3952 printf("No malware found.\n");
3953 exit(EXIT_SUCCESS);
3954 }
3955 if (result != OK)
3956 {
3957 printf("Malware lookup returned non-okay/fail: %d\n", result);
3958 exit(EXIT_FAILURE);
3959 }
3960 if (malware_name)
3961 printf("Malware found: %s\n", malware_name);
3962 else
3963 printf("Malware scan detected malware of unknown name.\n");
dbc4b90d
PP
3964#else
3965 printf("Malware scanning not enabled at compile time.\n");
3966#endif
8544e77a
PP
3967 exit(EXIT_FAILURE);
3968 }
3969
059ec3d9
PH
3970/* Handle a request to list the delivery queue */
3971
3972if (list_queue)
3973 {
3974 set_process_info("listing the queue");
3975 queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg);
3976 exit(EXIT_SUCCESS);
3977 }
3978
3979/* Handle a request to count the delivery queue */
3980
3981if (count_queue)
3982 {
3983 set_process_info("counting the queue");
3984 queue_count();
3985 exit(EXIT_SUCCESS);
3986 }
3987
0ef732d9
PH
3988/* Handle actions on specific messages, except for the force delivery and
3989message load actions, which are done below. Some actions take a whole list of
3990message ids, which are known to continue up to the end of the arguments. Others
3991take a single message id and then operate on the recipients list. */
059ec3d9 3992
0ef732d9 3993if (msg_action_arg > 0 && msg_action != MSG_DELIVER && msg_action != MSG_LOAD)
059ec3d9
PH
3994 {
3995 int yield = EXIT_SUCCESS;
3996 set_process_info("acting on specified messages");
3997
3998 if (!one_msg_action)
3999 {
4000 for (i = msg_action_arg; i < argc; i++)
4001 if (!queue_action(argv[i], msg_action, NULL, 0, 0))
4002 yield = EXIT_FAILURE;
4003 }
4004
4005 else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc,
4006 recipients_arg)) yield = EXIT_FAILURE;
4007 exit(yield);
4008 }
4009
4010/* All the modes below here require the remaining configuration sections
4011to be read, except that we can skip over the ACL setting when delivering
4012specific messages, or doing a queue run. (For various testing cases we could
4013skip too, but as they are rare, it doesn't really matter.) The argument is TRUE
4014for skipping. */
4015
4016readconf_rest(msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen));
4017
4018/* The configuration data will have been read into POOL_PERM because we won't
4019ever want to reset back past it. Change the current pool to POOL_MAIN. In fact,
4020this is just a bit of pedantic tidiness. It wouldn't really matter if the
4021configuration were read into POOL_MAIN, because we don't do any resets till
4022later on. However, it seems right, and it does ensure that both pools get used.
4023*/
4024
4025store_pool = POOL_MAIN;
4026
4027/* Handle the -brt option. This is for checking out retry configurations.
4028The next three arguments are a domain name or a complete address, and
4029optionally two error numbers. All it does is to call the function that
4030scans the retry configuration data. */
4031
4032if (test_retry_arg >= 0)
4033 {
4034 retry_config *yield;
4035 int basic_errno = 0;
4036 int more_errno = 0;
4037 uschar *s1, *s2;
4038
4039 if (test_retry_arg >= argc)
4040 {
4041 printf("-brt needs a domain or address argument\n");
4042 exim_exit(EXIT_FAILURE);
4043 }
4044 s1 = argv[test_retry_arg++];
4045 s2 = NULL;
4046
4047 /* If the first argument contains no @ and no . it might be a local user
4048 or it might be a single-component name. Treat as a domain. */
4049
4050 if (Ustrchr(s1, '@') == NULL &&am