tidying
[exim.git] / src / src / exim.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8
9/* The main function: entry point, initialization, and high-level control.
10Also a few functions that don't naturally fit elsewhere. */
11
12
13#include "exim.h"
14
98913c8e 15#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
16# include <gnu/libc-version.h>
17#endif
18
f797c123
JH
19#ifdef USE_GNUTLS
20# include <gnutls/gnutls.h>
21# if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22# define DISABLE_OCSP
23# endif
24#endif
25
6545de78
PP
26extern void init_lookup_list(void);
27
059ec3d9
PH
28
29
30/*************************************************
31* Function interface to store functions *
32*************************************************/
33
34/* We need some real functions to pass to the PCRE regular expression library
35for store allocation via Exim's store manager. The normal calls are actually
36macros that pass over location information to make tracing easier. These
37functions just interface to the standard macro calls. A good compiler will
38optimize out the tail recursion and so not make them too expensive. There
39are two sets of functions; one for use when we want to retain the compiled
40regular expression for a long time; the other for short-term use. */
41
42static void *
43function_store_get(size_t size)
44{
45return store_get((int)size);
46}
47
48static void
49function_dummy_free(void *block) { block = block; }
50
51static void *
52function_store_malloc(size_t size)
53{
54return store_malloc((int)size);
55}
56
57static void
58function_store_free(void *block)
59{
60store_free(block);
61}
62
63
64
65
66/*************************************************
98a90c36
PP
67* Enums for cmdline interface *
68*************************************************/
69
70enum commandline_info { CMDINFO_NONE=0,
36a3ae5f 71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
98a90c36
PP
72
73
74
75
76/*************************************************
059ec3d9
PH
77* Compile regular expression and panic on fail *
78*************************************************/
79
80/* This function is called when failure to compile a regular expression leads
81to a panic exit. In other cases, pcre_compile() is called directly. In many
82cases where this function is used, the results of the compilation are to be
83placed in long-lived store, so we temporarily reset the store management
84functions that PCRE uses if the use_malloc flag is set.
85
86Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91Returns: pointer to the compiled pattern
92*/
93
94const pcre *
476be7e2 95regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
059ec3d9
PH
96{
97int offset;
98int options = PCRE_COPT;
99const pcre *yield;
100const uschar *error;
101if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106if (caseless) options |= PCRE_CASELESS;
476be7e2 107yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
059ec3d9
PH
108pcre_malloc = function_store_get;
109pcre_free = function_dummy_free;
110if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113return yield;
114}
115
116
117
118
119/*************************************************
120* Execute regular expression and set strings *
121*************************************************/
122
123/* This function runs a regular expression match, and sets up the pointers to
124the matched substrings.
125
126Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134Returns: TRUE or FALSE
135*/
136
137BOOL
1dc92d5a 138regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
059ec3d9
PH
139{
140int ovector[3*(EXPAND_MAXN+1)];
1dc92d5a
JH
141uschar * s = string_copy(subject); /* de-constifying */
142int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
059ec3d9
PH
143 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
144BOOL yield = n >= 0;
145if (n == 0) n = EXPAND_MAXN + 1;
146if (yield)
147 {
148 int nn;
149 expand_nmax = (setup < 0)? 0 : setup + 1;
150 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
151 {
1dc92d5a 152 expand_nstring[expand_nmax] = s + ovector[nn];
059ec3d9
PH
153 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
154 }
155 expand_nmax--;
156 }
157return yield;
158}
159
160
161
162
163/*************************************************
921b12ca
TF
164* Set up processing details *
165*************************************************/
166
167/* Save a text string for dumping when SIGUSR1 is received.
168Do checks for overruns.
169
170Arguments: format and arguments, as for printf()
171Returns: nothing
172*/
173
174void
175set_process_info(const char *format, ...)
176{
92b0827a 177int len = sprintf(CS process_info, "%5d ", (int)getpid());
921b12ca 178va_list ap;
921b12ca
TF
179va_start(ap, format);
180if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
181 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
182len = Ustrlen(process_info);
183process_info[len+0] = '\n';
184process_info[len+1] = '\0';
185process_info_len = len + 1;
186DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
187va_end(ap);
188}
189
190
191
192
193/*************************************************
059ec3d9
PH
194* Handler for SIGUSR1 *
195*************************************************/
196
197/* SIGUSR1 causes any exim process to write to the process log details of
198what it is currently doing. It will only be used if the OS is capable of
199setting up a handler that causes automatic restarting of any system call
200that is in progress at the time.
201
921b12ca
TF
202This function takes care to be signal-safe.
203
059ec3d9
PH
204Argument: the signal number (SIGUSR1)
205Returns: nothing
206*/
207
208static void
209usr1_handler(int sig)
210{
921b12ca
TF
211int fd;
212
213os_restarting_signal(sig, usr1_handler);
214
cab0c277 215if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
921b12ca
TF
216 {
217 /* If we are already running as the Exim user, try to create it in the
218 current process (assuming spool_directory exists). Otherwise, if we are
219 root, do the creation in an exim:exim subprocess. */
220
221 int euid = geteuid();
222 if (euid == exim_uid)
223 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
224 else if (euid == root_uid)
225 fd = log_create_as_exim(process_log_path);
226 }
227
228/* If we are neither exim nor root, or if we failed to create the log file,
229give up. There is not much useful we can do with errors, since we don't want
230to disrupt whatever is going on outside the signal handler. */
231
232if (fd < 0) return;
233
2f21487f 234(void)write(fd, process_info, process_info_len);
921b12ca 235(void)close(fd);
059ec3d9
PH
236}
237
238
239
240/*************************************************
241* Timeout handler *
242*************************************************/
243
244/* This handler is enabled most of the time that Exim is running. The handler
245doesn't actually get used unless alarm() has been called to set a timer, to
246place a time limit on a system call of some kind. When the handler is run, it
247re-enables itself.
248
249There are some other SIGALRM handlers that are used in special cases when more
250than just a flag setting is required; for example, when reading a message's
251input. These are normally set up in the code module that uses them, and the
252SIGALRM handler is reset to this one afterwards.
253
254Argument: the signal value (SIGALRM)
255Returns: nothing
256*/
257
258void
259sigalrm_handler(int sig)
260{
261sig = sig; /* Keep picky compilers happy */
262sigalrm_seen = TRUE;
263os_non_restarting_signal(SIGALRM, sigalrm_handler);
264}
265
266
267
268/*************************************************
269* Sleep for a fractional time interval *
270*************************************************/
271
272/* This function is called by millisleep() and exim_wait_tick() to wait for a
273period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
274tedious. We do not expect setitimer() ever to fail, but if it does, the process
275will wait for ever, so we panic in this instance. (There was a case of this
276when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 277That's when I added the check. :-)
059ec3d9 278
0f8ba377
JH
279We assume it to be not worth sleeping for under 100us; this value will
280require revisiting as hardware advances. This avoids the issue of
281a zero-valued timer setting meaning "never fire".
282
059ec3d9
PH
283Argument: an itimerval structure containing the interval
284Returns: nothing
285*/
286
287static void
288milliwait(struct itimerval *itval)
289{
290sigset_t sigmask;
291sigset_t old_sigmask;
0f8ba377
JH
292
293if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
294 return;
059ec3d9
PH
295(void)sigemptyset(&sigmask); /* Empty mask */
296(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
297(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 298if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
299 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
300 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
301(void)sigfillset(&sigmask); /* All signals */
302(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
303(void)sigsuspend(&sigmask); /* Until SIGALRM */
304(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
305}
306
307
308
309
310/*************************************************
311* Millisecond sleep function *
312*************************************************/
313
314/* The basic sleep() function has a granularity of 1 second, which is too rough
315in some cases - for example, when using an increasing delay to slow down
316spammers.
317
318Argument: number of millseconds
319Returns: nothing
320*/
321
322void
323millisleep(int msec)
324{
325struct itimerval itval;
326itval.it_interval.tv_sec = 0;
327itval.it_interval.tv_usec = 0;
328itval.it_value.tv_sec = msec/1000;
329itval.it_value.tv_usec = (msec % 1000) * 1000;
330milliwait(&itval);
331}
332
333
334
335/*************************************************
336* Compare microsecond times *
337*************************************************/
338
339/*
340Arguments:
341 tv1 the first time
342 tv2 the second time
343
344Returns: -1, 0, or +1
345*/
346
32dfdf8b 347static int
059ec3d9
PH
348exim_tvcmp(struct timeval *t1, struct timeval *t2)
349{
350if (t1->tv_sec > t2->tv_sec) return +1;
351if (t1->tv_sec < t2->tv_sec) return -1;
352if (t1->tv_usec > t2->tv_usec) return +1;
353if (t1->tv_usec < t2->tv_usec) return -1;
354return 0;
355}
356
357
358
359
360/*************************************************
361* Clock tick wait function *
362*************************************************/
363
364/* Exim uses a time + a pid to generate a unique identifier in two places: its
365message IDs, and in file names for maildir deliveries. Because some OS now
366re-use pids within the same second, sub-second times are now being used.
4c04137d 367However, for absolute certainty, we must ensure the clock has ticked before
059ec3d9
PH
368allowing the relevant process to complete. At the time of implementation of
369this code (February 2003), the speed of processors is such that the clock will
370invariably have ticked already by the time a process has done its job. This
371function prepares for the time when things are faster - and it also copes with
372clocks that go backwards.
373
374Arguments:
375 then_tv A timeval which was used to create uniqueness; its usec field
376 has been rounded down to the value of the resolution.
377 We want to be sure the current time is greater than this.
378 resolution The resolution that was used to divide the microseconds
379 (1 for maildir, larger for message ids)
380
381Returns: nothing
382*/
383
384void
385exim_wait_tick(struct timeval *then_tv, int resolution)
386{
387struct timeval now_tv;
388long int now_true_usec;
389
390(void)gettimeofday(&now_tv, NULL);
391now_true_usec = now_tv.tv_usec;
392now_tv.tv_usec = (now_true_usec/resolution) * resolution;
393
394if (exim_tvcmp(&now_tv, then_tv) <= 0)
395 {
396 struct itimerval itval;
397 itval.it_interval.tv_sec = 0;
398 itval.it_interval.tv_usec = 0;
399 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
400 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
401
402 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
403 negative value for the microseconds is possible only in the case when "now"
404 is more than a second less than "then". That means that itval.it_value.tv_sec
405 is greater than zero. The following correction is therefore safe. */
406
407 if (itval.it_value.tv_usec < 0)
408 {
409 itval.it_value.tv_usec += 1000000;
410 itval.it_value.tv_sec -= 1;
411 }
412
413 DEBUG(D_transport|D_receive)
414 {
415 if (!running_in_test_harness)
416 {
d0291a0a 417 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
7437665e
JH
418 then_tv->tv_sec, (long) then_tv->tv_usec,
419 now_tv.tv_sec, (long) now_tv.tv_usec);
d0291a0a
JH
420 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
421 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
059ec3d9
PH
422 }
423 }
424
425 milliwait(&itval);
426 }
427}
428
429
430
431
432/*************************************************
2632889e
PH
433* Call fopen() with umask 777 and adjust mode *
434*************************************************/
435
436/* Exim runs with umask(0) so that files created with open() have the mode that
437is specified in the open() call. However, there are some files, typically in
438the spool directory, that are created with fopen(). They end up world-writeable
439if no precautions are taken. Although the spool directory is not accessible to
440the world, this is an untidiness. So this is a wrapper function for fopen()
441that sorts out the mode of the created file.
442
443Arguments:
444 filename the file name
445 options the fopen() options
446 mode the required mode
447
448Returns: the fopened FILE or NULL
449*/
450
451FILE *
1ba28e2b 452modefopen(const uschar *filename, const char *options, mode_t mode)
2632889e 453{
67d175de
PH
454mode_t saved_umask = umask(0777);
455FILE *f = Ufopen(filename, options);
456(void)umask(saved_umask);
2632889e
PH
457if (f != NULL) (void)fchmod(fileno(f), mode);
458return f;
459}
460
461
462
463
464/*************************************************
059ec3d9
PH
465* Ensure stdin, stdout, and stderr exist *
466*************************************************/
467
468/* Some operating systems grumble if an exec() happens without a standard
469input, output, and error (fds 0, 1, 2) being defined. The worry is that some
470file will be opened and will use these fd values, and then some other bit of
471code will assume, for example, that it can write error messages to stderr.
472This function ensures that fds 0, 1, and 2 are open if they do not already
473exist, by connecting them to /dev/null.
474
475This function is also used to ensure that std{in,out,err} exist at all times,
476so that if any library that Exim calls tries to use them, it doesn't crash.
477
478Arguments: None
479Returns: Nothing
480*/
481
482void
483exim_nullstd(void)
484{
485int i;
486int devnull = -1;
487struct stat statbuf;
488for (i = 0; i <= 2; i++)
489 {
490 if (fstat(i, &statbuf) < 0 && errno == EBADF)
491 {
492 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
493 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
494 string_open_failed(errno, "/dev/null"));
1fe64dcc 495 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
496 }
497 }
1fe64dcc 498if (devnull > 2) (void)close(devnull);
059ec3d9
PH
499}
500
501
502
503
504/*************************************************
505* Close unwanted file descriptors for delivery *
506*************************************************/
507
508/* This function is called from a new process that has been forked to deliver
509an incoming message, either directly, or using exec.
510
511We want any smtp input streams to be closed in this new process. However, it
512has been observed that using fclose() here causes trouble. When reading in -bS
513input, duplicate copies of messages have been seen. The files will be sharing a
514file pointer with the parent process, and it seems that fclose() (at least on
515some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
516least sometimes. Hence we go for closing the underlying file descriptors.
517
518If TLS is active, we want to shut down the TLS library, but without molesting
519the parent's SSL connection.
520
521For delivery of a non-SMTP message, we want to close stdin and stdout (and
522stderr unless debugging) because the calling process might have set them up as
523pipes and be waiting for them to close before it waits for the submission
524process to terminate. If they aren't closed, they hold up the calling process
525until the initial delivery process finishes, which is not what we want.
526
527Exception: We do want it for synchronous delivery!
528
529And notwithstanding all the above, if D_resolver is set, implying resolver
530debugging, leave stdout open, because that's where the resolver writes its
531debugging output.
532
533When we close stderr (which implies we've also closed stdout), we also get rid
534of any controlling terminal.
535
536Arguments: None
537Returns: Nothing
538*/
539
540static void
541close_unwanted(void)
542{
543if (smtp_input)
544 {
545 #ifdef SUPPORT_TLS
a400eccf 546 tls_close(TRUE, FALSE); /* Shut down the TLS library */
059ec3d9 547 #endif
1fe64dcc
PH
548 (void)close(fileno(smtp_in));
549 (void)close(fileno(smtp_out));
059ec3d9
PH
550 smtp_in = NULL;
551 }
552else
553 {
1fe64dcc
PH
554 (void)close(0); /* stdin */
555 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
556 if (debug_selector == 0) /* stderr */
059ec3d9
PH
557 {
558 if (!synchronous_delivery)
559 {
1fe64dcc 560 (void)close(2);
059ec3d9
PH
561 log_stderr = NULL;
562 }
563 (void)setsid();
564 }
565 }
566}
567
568
569
570
571/*************************************************
572* Set uid and gid *
573*************************************************/
574
575/* This function sets a new uid and gid permanently, optionally calling
576initgroups() to set auxiliary groups. There are some special cases when running
577Exim in unprivileged modes. In these situations the effective uid will not be
578root; if we already have the right effective uid/gid, and don't need to
579initialize any groups, leave things as they are.
580
581Arguments:
582 uid the uid
583 gid the gid
584 igflag TRUE if initgroups() wanted
585 msg text to use in debugging output and failure log
586
587Returns: nothing; bombs out on failure
588*/
589
590void
591exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
592{
593uid_t euid = geteuid();
594gid_t egid = getegid();
595
596if (euid == root_uid || euid != uid || egid != gid || igflag)
597 {
598 /* At least one OS returns +1 for initgroups failure, so just check for
599 non-zero. */
600
601 if (igflag)
602 {
603 struct passwd *pw = getpwuid(uid);
604 if (pw != NULL)
605 {
606 if (initgroups(pw->pw_name, gid) != 0)
607 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
608 (long int)uid, strerror(errno));
609 }
610 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
611 "no passwd entry for uid=%ld", (long int)uid);
612 }
613
614 if (setgid(gid) < 0 || setuid(uid) < 0)
615 {
616 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
617 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
618 }
619 }
620
621/* Debugging output included uid/gid and all groups */
622
623DEBUG(D_uid)
624 {
cd59ab18 625 int group_count, save_errno;
059ec3d9
PH
626 gid_t group_list[NGROUPS_MAX];
627 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
628 (long int)geteuid(), (long int)getegid(), (long int)getpid());
629 group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18 630 save_errno = errno;
059ec3d9
PH
631 debug_printf(" auxiliary group list:");
632 if (group_count > 0)
633 {
634 int i;
635 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
636 }
cd59ab18
PP
637 else if (group_count < 0)
638 debug_printf(" <error: %s>", strerror(save_errno));
059ec3d9
PH
639 else debug_printf(" <none>");
640 debug_printf("\n");
641 }
642}
643
644
645
646
647/*************************************************
648* Exit point *
649*************************************************/
650
651/* Exim exits via this function so that it always clears up any open
652databases.
653
654Arguments:
655 rc return code
656
657Returns: does not return
658*/
659
660void
661exim_exit(int rc)
662{
663search_tidyup();
664DEBUG(D_any)
665 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
666 ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
667exit(rc);
668}
669
670
671
672
673/*************************************************
674* Extract port from host address *
675*************************************************/
676
677/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
678It also checks the syntax of the address, and terminates it before the
679port data when a port is extracted.
059ec3d9
PH
680
681Argument:
682 address the address, with possible port on the end
683
684Returns: the port, or zero if there isn't one
685 bombs out on a syntax error
686*/
687
688static int
689check_port(uschar *address)
690{
7cd1141b 691int port = host_address_extract_port(address);
8e669ac1 692if (string_is_ip_address(address, NULL) == 0)
059ec3d9
PH
693 {
694 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
695 exit(EXIT_FAILURE);
696 }
697return port;
698}
699
700
701
702/*************************************************
703* Test/verify an address *
704*************************************************/
705
706/* This function is called by the -bv and -bt code. It extracts a working
707address from a full RFC 822 address. This isn't really necessary per se, but it
708has the effect of collapsing source routes.
709
710Arguments:
711 s the address string
712 flags flag bits for verify_address()
713 exit_value to be set for failures
714
a5a28604 715Returns: nothing
059ec3d9
PH
716*/
717
718static void
719test_address(uschar *s, int flags, int *exit_value)
720{
721int start, end, domain;
722uschar *parse_error = NULL;
723uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
724 FALSE);
725if (address == NULL)
726 {
727 fprintf(stdout, "syntax error: %s\n", parse_error);
728 *exit_value = 2;
729 }
730else
731 {
732 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 733 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
734 if (rc == FAIL) *exit_value = 2;
735 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
736 }
737}
738
739
740
741/*************************************************
059ec3d9
PH
742* Show supported features *
743*************************************************/
744
4b2241d2
PP
745/* This function is called for -bV/--version and for -d to output the optional
746features of the current Exim binary.
059ec3d9
PH
747
748Arguments: a FILE for printing
749Returns: nothing
750*/
751
752static void
753show_whats_supported(FILE *f)
754{
44bbabb5
PP
755 auth_info *authi;
756
059ec3d9
PH
757#ifdef DB_VERSION_STRING
758fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
759#elif defined(BTREEVERSION) && defined(HASHVERSION)
760 #ifdef USE_DB
761 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
762 #else
763 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
764 #endif
765#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
766fprintf(f, "Probably ndbm\n");
767#elif defined(USE_TDB)
768fprintf(f, "Using tdb\n");
769#else
770 #ifdef USE_GDBM
771 fprintf(f, "Probably GDBM (native mode)\n");
772 #else
773 fprintf(f, "Probably GDBM (compatibility mode)\n");
774 #endif
775#endif
776
777fprintf(f, "Support for:");
9cec981f
PH
778#ifdef SUPPORT_CRYPTEQ
779 fprintf(f, " crypteq");
780#endif
059ec3d9
PH
781#if HAVE_ICONV
782 fprintf(f, " iconv()");
783#endif
784#if HAVE_IPV6
785 fprintf(f, " IPv6");
786#endif
79378e0f
PH
787#ifdef HAVE_SETCLASSRESOURCES
788 fprintf(f, " use_setclassresources");
929ba01c 789#endif
059ec3d9
PH
790#ifdef SUPPORT_PAM
791 fprintf(f, " PAM");
792#endif
793#ifdef EXIM_PERL
794 fprintf(f, " Perl");
795#endif
1a46a8c5
PH
796#ifdef EXPAND_DLFUNC
797 fprintf(f, " Expand_dlfunc");
798#endif
059ec3d9
PH
799#ifdef USE_TCP_WRAPPERS
800 fprintf(f, " TCPwrappers");
801#endif
802#ifdef SUPPORT_TLS
803 #ifdef USE_GNUTLS
804 fprintf(f, " GnuTLS");
805 #else
806 fprintf(f, " OpenSSL");
807 #endif
808#endif
b2f5a032
PH
809#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
810 fprintf(f, " translate_ip_address");
811#endif
f174f16e
PH
812#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
813 fprintf(f, " move_frozen_messages");
814#endif
8523533c
TK
815#ifdef WITH_CONTENT_SCAN
816 fprintf(f, " Content_Scanning");
817#endif
74f150bf
JH
818#ifndef DISABLE_DKIM
819 fprintf(f, " DKIM");
820#endif
ef1bbb27
HSHR
821#ifndef DISABLE_DNSSEC
822 fprintf(f, " DNSSEC");
823#endif
0cbf2b82
JH
824#ifndef DISABLE_EVENT
825 fprintf(f, " Event");
826#endif
8c5d388a
JH
827#ifdef SUPPORT_I18N
828 fprintf(f, " I18N");
829#endif
74f150bf
JH
830#ifndef DISABLE_OCSP
831 fprintf(f, " OCSP");
832#endif
4d832da1
TL
833#ifndef DISABLE_PRDR
834 fprintf(f, " PRDR");
835#endif
cee5f132
JH
836#ifdef SUPPORT_PROXY
837 fprintf(f, " PROXY");
838#endif
f0989ec0 839#ifdef SUPPORT_SOCKS
74f150bf 840 fprintf(f, " SOCKS");
f2de3a33 841#endif
1a2dfad5
JH
842#ifdef TCP_FASTOPEN
843 fprintf(f, " TCP_Fast_Open");
844#endif
5bde3efa
ACK
845#ifdef EXPERIMENTAL_LMDB
846 fprintf(f, " Experimental_LMDB");
847#endif
3369a853
ACK
848#ifdef EXPERIMENTAL_QUEUEFILE
849 fprintf(f, " Experimental_QUEUEFILE");
850#endif
8523533c
TK
851#ifdef EXPERIMENTAL_SPF
852 fprintf(f, " Experimental_SPF");
853#endif
854#ifdef EXPERIMENTAL_SRS
855 fprintf(f, " Experimental_SRS");
856#endif
857#ifdef EXPERIMENTAL_BRIGHTMAIL
858 fprintf(f, " Experimental_Brightmail");
859#endif
043b1248
JH
860#ifdef EXPERIMENTAL_DANE
861 fprintf(f, " Experimental_DANE");
862#endif
6a8f9482
TK
863#ifdef EXPERIMENTAL_DCC
864 fprintf(f, " Experimental_DCC");
865#endif
4840604e
TL
866#ifdef EXPERIMENTAL_DMARC
867 fprintf(f, " Experimental_DMARC");
868#endif
895fbaf2
JH
869#ifdef EXPERIMENTAL_DSN_INFO
870 fprintf(f, " Experimental_DSN_info");
871#endif
059ec3d9
PH
872fprintf(f, "\n");
873
e6d225ae
DW
874fprintf(f, "Lookups (built-in):");
875#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
059ec3d9
PH
876 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
877#endif
e6d225ae 878#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
059ec3d9
PH
879 fprintf(f, " cdb");
880#endif
e6d225ae 881#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
4a6a987a 882 fprintf(f, " dbm dbmjz dbmnz");
059ec3d9 883#endif
e6d225ae 884#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
059ec3d9
PH
885 fprintf(f, " dnsdb");
886#endif
e6d225ae 887#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
059ec3d9
PH
888 fprintf(f, " dsearch");
889#endif
e6d225ae 890#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
059ec3d9
PH
891 fprintf(f, " ibase");
892#endif
e6d225ae 893#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
059ec3d9
PH
894 fprintf(f, " ldap ldapdn ldapm");
895#endif
5bde3efa
ACK
896#ifdef EXPERIMENTAL_LMDB
897 fprintf(f, " lmdb");
898#endif
e6d225ae 899#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
059ec3d9
PH
900 fprintf(f, " mysql");
901#endif
e6d225ae 902#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
059ec3d9
PH
903 fprintf(f, " nis nis0");
904#endif
e6d225ae 905#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
059ec3d9
PH
906 fprintf(f, " nisplus");
907#endif
e6d225ae 908#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
059ec3d9
PH
909 fprintf(f, " oracle");
910#endif
e6d225ae 911#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
059ec3d9
PH
912 fprintf(f, " passwd");
913#endif
e6d225ae 914#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
059ec3d9
PH
915 fprintf(f, " pgsql");
916#endif
de78e2d5
JH
917#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
918 fprintf(f, " redis");
919#endif
e6d225ae 920#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
13b685f9
PH
921 fprintf(f, " sqlite");
922#endif
e6d225ae 923#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
059ec3d9
PH
924 fprintf(f, " testdb");
925#endif
e6d225ae 926#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
059ec3d9
PH
927 fprintf(f, " whoson");
928#endif
929fprintf(f, "\n");
930
931fprintf(f, "Authenticators:");
932#ifdef AUTH_CRAM_MD5
933 fprintf(f, " cram_md5");
934#endif
935#ifdef AUTH_CYRUS_SASL
936 fprintf(f, " cyrus_sasl");
937#endif
14aa5a05
PH
938#ifdef AUTH_DOVECOT
939 fprintf(f, " dovecot");
940#endif
44bbabb5
PP
941#ifdef AUTH_GSASL
942 fprintf(f, " gsasl");
943#endif
dde3daac
PP
944#ifdef AUTH_HEIMDAL_GSSAPI
945 fprintf(f, " heimdal_gssapi");
946#endif
059ec3d9
PH
947#ifdef AUTH_PLAINTEXT
948 fprintf(f, " plaintext");
949#endif
950#ifdef AUTH_SPA
951 fprintf(f, " spa");
952#endif
b3ef41c9
JH
953#ifdef AUTH_TLS
954 fprintf(f, " tls");
955#endif
059ec3d9
PH
956fprintf(f, "\n");
957
958fprintf(f, "Routers:");
959#ifdef ROUTER_ACCEPT
960 fprintf(f, " accept");
961#endif
962#ifdef ROUTER_DNSLOOKUP
963 fprintf(f, " dnslookup");
964#endif
965#ifdef ROUTER_IPLITERAL
966 fprintf(f, " ipliteral");
967#endif
968#ifdef ROUTER_IPLOOKUP
969 fprintf(f, " iplookup");
970#endif
971#ifdef ROUTER_MANUALROUTE
972 fprintf(f, " manualroute");
973#endif
974#ifdef ROUTER_QUERYPROGRAM
975 fprintf(f, " queryprogram");
976#endif
977#ifdef ROUTER_REDIRECT
978 fprintf(f, " redirect");
979#endif
980fprintf(f, "\n");
981
982fprintf(f, "Transports:");
983#ifdef TRANSPORT_APPENDFILE
984 fprintf(f, " appendfile");
985 #ifdef SUPPORT_MAILDIR
986 fprintf(f, "/maildir");
987 #endif
988 #ifdef SUPPORT_MAILSTORE
989 fprintf(f, "/mailstore");
990 #endif
991 #ifdef SUPPORT_MBX
992 fprintf(f, "/mbx");
993 #endif
994#endif
995#ifdef TRANSPORT_AUTOREPLY
996 fprintf(f, " autoreply");
997#endif
998#ifdef TRANSPORT_LMTP
999 fprintf(f, " lmtp");
1000#endif
1001#ifdef TRANSPORT_PIPE
1002 fprintf(f, " pipe");
1003#endif
3369a853
ACK
1004#ifdef EXPERIMENTAL_QUEUEFILE
1005 fprintf(f, " queuefile");
1006#endif
059ec3d9
PH
1007#ifdef TRANSPORT_SMTP
1008 fprintf(f, " smtp");
1009#endif
1010fprintf(f, "\n");
1011
1012if (fixed_never_users[0] > 0)
1013 {
1014 int i;
1015 fprintf(f, "Fixed never_users: ");
1016 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
1017 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
1018 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
1019 }
21c28500 1020
19bfe9e7
HSHR
1021fprintf(f, "Configure owner: %d:%d\n", config_uid, config_gid);
1022
73a46702 1023fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725 1024
6545de78
PP
1025/* Everything else is details which are only worth reporting when debugging.
1026Perhaps the tls_version_report should move into this too. */
1027DEBUG(D_any) do {
1028
1029 int i;
1030
b3c261f7
PP
1031/* clang defines __GNUC__ (at least, for me) so test for it first */
1032#if defined(__clang__)
1033 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
1034#elif defined(__GNUC__)
1035 fprintf(f, "Compiler: GCC [%s]\n",
1036# ifdef __VERSION__
1037 __VERSION__
1038# else
1039 "? unknown version ?"
1040# endif
1041 );
1042#else
1043 fprintf(f, "Compiler: <unknown>\n");
1044#endif
1045
98913c8e 1046#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
1047 fprintf(f, "Library version: Glibc: Compile: %d.%d\n",
1048 __GLIBC__, __GLIBC_MINOR__);
1049 if (__GLIBC_PREREQ(2, 1))
1050 fprintf(f, " Runtime: %s\n",
1051 gnu_get_libc_version());
1052#endif
1053
754a0503
PP
1054#ifdef SUPPORT_TLS
1055 tls_version_report(f);
1056#endif
8c5d388a 1057#ifdef SUPPORT_I18N
b04be5e7
JH
1058 utf8_version_report(f);
1059#endif
754a0503 1060
fc362fc5
JH
1061 for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
1062 if (authi->version_report)
44bbabb5 1063 (*authi->version_report)(f);
6545de78 1064
decd95cb 1065 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
6475bd82
PP
1066 characters; unless it's an ancient version of PCRE in which case it
1067 is not defined. */
1068#ifndef PCRE_PRERELEASE
01f3091a 1069# define PCRE_PRERELEASE
6475bd82
PP
1070#endif
1071#define QUOTE(X) #X
1072#define EXPAND_AND_QUOTE(X) QUOTE(X)
6545de78
PP
1073 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
1074 " Runtime: %s\n",
1075 PCRE_MAJOR, PCRE_MINOR,
6475bd82 1076 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
6545de78 1077 pcre_version());
6475bd82
PP
1078#undef QUOTE
1079#undef EXPAND_AND_QUOTE
6545de78
PP
1080
1081 init_lookup_list();
1082 for (i = 0; i < lookup_list_count; i++)
6545de78
PP
1083 if (lookup_list[i]->version_report)
1084 lookup_list[i]->version_report(f);
6545de78 1085
b70d2586
PP
1086#ifdef WHITELIST_D_MACROS
1087 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1088#else
1089 fprintf(f, "WHITELIST_D_MACROS unset\n");
1090#endif
1091#ifdef TRUSTED_CONFIG_LIST
1092 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1093#else
1094 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
1095#endif
1096
6545de78 1097} while (0);
059ec3d9
PH
1098}
1099
1100
98a90c36
PP
1101/*************************************************
1102* Show auxiliary information about Exim *
1103*************************************************/
1104
1105static void
1106show_exim_information(enum commandline_info request, FILE *stream)
1107{
1108const uschar **pp;
1109
1110switch(request)
1111 {
1112 case CMDINFO_NONE:
1113 fprintf(stream, "Oops, something went wrong.\n");
1114 return;
1115 case CMDINFO_HELP:
1116 fprintf(stream,
1117"The -bI: flag takes a string indicating which information to provide.\n"
1118"If the string is not recognised, you'll get this help (on stderr).\n"
1119"\n"
1120" exim -bI:help this information\n"
36a3ae5f 1121" exim -bI:dscp dscp value keywords known\n"
98a90c36
PP
1122" exim -bI:sieve list of supported sieve extensions, one per line.\n"
1123);
1124 return;
1125 case CMDINFO_SIEVE:
1126 for (pp = exim_sieve_extension_list; *pp; ++pp)
1127 fprintf(stream, "%s\n", *pp);
1128 return;
36a3ae5f
PP
1129 case CMDINFO_DSCP:
1130 dscp_list_to_stream(stream);
1131 return;
98a90c36
PP
1132 }
1133}
059ec3d9
PH
1134
1135
1136/*************************************************
1137* Quote a local part *
1138*************************************************/
1139
1140/* This function is used when a sender address or a From: or Sender: header
1141line is being created from the caller's login, or from an authenticated_id. It
1142applies appropriate quoting rules for a local part.
1143
1144Argument: the local part
1145Returns: the local part, quoted if necessary
1146*/
1147
1148uschar *
1149local_part_quote(uschar *lpart)
1150{
1151BOOL needs_quote = FALSE;
1152int size, ptr;
1153uschar *yield;
1154uschar *t;
1155
1156for (t = lpart; !needs_quote && *t != 0; t++)
1157 {
1158 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1159 (*t != '.' || t == lpart || t[1] == 0);
1160 }
1161
1162if (!needs_quote) return lpart;
1163
1164size = ptr = 0;
c2f669a4 1165yield = string_catn(NULL, &size, &ptr, US"\"", 1);
059ec3d9
PH
1166
1167for (;;)
1168 {
1169 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1170 if (nq == NULL)
1171 {
c2f669a4 1172 yield = string_cat(yield, &size, &ptr, lpart);
059ec3d9
PH
1173 break;
1174 }
c2f669a4
JH
1175 yield = string_catn(yield, &size, &ptr, lpart, nq - lpart);
1176 yield = string_catn(yield, &size, &ptr, US"\\", 1);
1177 yield = string_catn(yield, &size, &ptr, nq, 1);
059ec3d9
PH
1178 lpart = nq + 1;
1179 }
1180
c2f669a4 1181yield = string_catn(yield, &size, &ptr, US"\"", 1);
059ec3d9
PH
1182yield[ptr] = 0;
1183return yield;
1184}
1185
1186
1187
1188#ifdef USE_READLINE
1189/*************************************************
1190* Load readline() functions *
1191*************************************************/
1192
1193/* This function is called from testing executions that read data from stdin,
1194but only when running as the calling user. Currently, only -be does this. The
1195function loads the readline() function library and passes back the functions.
1196On some systems, it needs the curses library, so load that too, but try without
1197it if loading fails. All this functionality has to be requested at build time.
1198
1199Arguments:
1200 fn_readline_ptr pointer to where to put the readline pointer
1201 fn_addhist_ptr pointer to where to put the addhistory function
1202
1203Returns: the dlopen handle or NULL on failure
1204*/
1205
1206static void *
1ba28e2b
PP
1207set_readline(char * (**fn_readline_ptr)(const char *),
1208 void (**fn_addhist_ptr)(const char *))
059ec3d9
PH
1209{
1210void *dlhandle;
e12f8c32 1211void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
059ec3d9 1212
e12f8c32 1213dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
059ec3d9
PH
1214if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1215
1216if (dlhandle != NULL)
1217 {
1ba28e2b
PP
1218 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1219 * char * readline (const char *prompt);
1220 * void add_history (const char *string);
1221 */
1222 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1223 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
059ec3d9
PH
1224 }
1225else
1226 {
1227 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1228 }
1229
1230return dlhandle;
1231}
1232#endif
1233
1234
1235
1236/*************************************************
1237* Get a line from stdin for testing things *
1238*************************************************/
1239
1240/* This function is called when running tests that can take a number of lines
1241of input (for example, -be and -bt). It handles continuations and trailing
1242spaces. And prompting and a blank line output on eof. If readline() is in use,
1243the arguments are non-NULL and provide the relevant functions.
1244
1245Arguments:
1246 fn_readline readline function or NULL
1247 fn_addhist addhist function or NULL
1248
1249Returns: pointer to dynamic memory, or NULL at end of file
1250*/
1251
1252static uschar *
1ba28e2b 1253get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
059ec3d9
PH
1254{
1255int i;
1256int size = 0;
1257int ptr = 0;
1258uschar *yield = NULL;
1259
328895cc 1260if (fn_readline == NULL) { printf("> "); fflush(stdout); }
059ec3d9
PH
1261
1262for (i = 0;; i++)
1263 {
1264 uschar buffer[1024];
1265 uschar *p, *ss;
1266
1267 #ifdef USE_READLINE
1268 char *readline_line = NULL;
1269 if (fn_readline != NULL)
1270 {
1271 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1272 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1273 p = US readline_line;
1274 }
1275 else
1276 #endif
1277
1278 /* readline() not in use */
1279
1280 {
1281 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1282 p = buffer;
1283 }
1284
1285 /* Handle the line */
1286
1287 ss = p + (int)Ustrlen(p);
1288 while (ss > p && isspace(ss[-1])) ss--;
1289
1290 if (i > 0)
1291 {
1292 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1293 }
1294
c2f669a4 1295 yield = string_catn(yield, &size, &ptr, p, ss - p);
059ec3d9
PH
1296
1297 #ifdef USE_READLINE
1298 if (fn_readline != NULL) free(readline_line);
1299 #endif
1300
5f5be492 1301 /* yield can only be NULL if ss==p */
059ec3d9
PH
1302 if (ss == p || yield[ptr-1] != '\\')
1303 {
5f5be492 1304 if (yield) yield[ptr] = 0;
059ec3d9
PH
1305 break;
1306 }
1307 yield[--ptr] = 0;
1308 }
1309
1310if (yield == NULL) printf("\n");
1311return yield;
1312}
1313
1314
1315
1316/*************************************************
81ea09ca
NM
1317* Output usage information for the program *
1318*************************************************/
1319
1320/* This function is called when there are no recipients
1321 or a specific --help argument was added.
1322
1323Arguments:
1324 progname information on what name we were called by
1325
1326Returns: DOES NOT RETURN
1327*/
1328
1329static void
1330exim_usage(uschar *progname)
1331{
1332
4c04137d 1333/* Handle specific program invocation variants */
81ea09ca
NM
1334if (Ustrcmp(progname, US"-mailq") == 0)
1335 {
1336 fprintf(stderr,
e765a0f1 1337 "mailq - list the contents of the mail queue\n\n"
81ea09ca
NM
1338 "For a list of options, see the Exim documentation.\n");
1339 exit(EXIT_FAILURE);
1340 }
1341
1342/* Generic usage - we output this whatever happens */
1343fprintf(stderr,
1344 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1345 "not directly from a shell command line. Options and/or arguments control\n"
1346 "what it does when called. For a list of options, see the Exim documentation.\n");
1347
1348exit(EXIT_FAILURE);
1349}
1350
1351
1352
1353/*************************************************
a7cbbf50
PP
1354* Validate that the macros given are okay *
1355*************************************************/
1356
1357/* Typically, Exim will drop privileges if macros are supplied. In some
1358cases, we want to not do so.
1359
a4034eb8 1360Arguments: opt_D_used - true if the commandline had a "-D" option
a7cbbf50
PP
1361Returns: true if trusted, false otherwise
1362*/
1363
1364static BOOL
a4034eb8 1365macros_trusted(BOOL opt_D_used)
a7cbbf50
PP
1366{
1367#ifdef WHITELIST_D_MACROS
1368macro_item *m;
1369uschar *whitelisted, *end, *p, **whites, **w;
1370int white_count, i, n;
1371size_t len;
1372BOOL prev_char_item, found;
1373#endif
1374
a4034eb8 1375if (!opt_D_used)
a7cbbf50
PP
1376 return TRUE;
1377#ifndef WHITELIST_D_MACROS
1378return FALSE;
1379#else
1380
66581d1e
PP
1381/* We only trust -D overrides for some invoking users:
1382root, the exim run-time user, the optional config owner user.
1383I don't know why config-owner would be needed, but since they can own the
1384config files anyway, there's no security risk to letting them override -D. */
1385if ( ! ((real_uid == root_uid)
1386 || (real_uid == exim_uid)
1387#ifdef CONFIGURE_OWNER
1388 || (real_uid == config_uid)
1389#endif
1390 ))
1391 {
1392 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1393 return FALSE;
1394 }
1395
a7cbbf50
PP
1396/* Get a list of macros which are whitelisted */
1397whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1398prev_char_item = FALSE;
1399white_count = 0;
1400for (p = whitelisted; *p != '\0'; ++p)
1401 {
1402 if (*p == ':' || isspace(*p))
1403 {
1404 *p = '\0';
1405 if (prev_char_item)
1406 ++white_count;
1407 prev_char_item = FALSE;
1408 continue;
1409 }
1410 if (!prev_char_item)
1411 prev_char_item = TRUE;
1412 }
1413end = p;
1414if (prev_char_item)
1415 ++white_count;
1416if (!white_count)
1417 return FALSE;
1418whites = store_malloc(sizeof(uschar *) * (white_count+1));
1419for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1420 {
1421 if (*p != '\0')
1422 {
1423 whites[i++] = p;
1424 if (i == white_count)
1425 break;
1426 while (*p != '\0' && p < end)
1427 ++p;
1428 }
1429 }
1430whites[i] = NULL;
1431
c193398d
JH
1432/* The list of commandline macros should be very short.
1433Accept the N*M complexity. */
1434for (m = macros; m; m = m->next) if (m->command_line)
a7cbbf50
PP
1435 {
1436 found = FALSE;
1437 for (w = whites; *w; ++w)
1438 if (Ustrcmp(*w, m->name) == 0)
1439 {
1440 found = TRUE;
1441 break;
1442 }
1443 if (!found)
1444 return FALSE;
b8f899cf 1445 if (!m->replacement)
a7cbbf50 1446 continue;
b8f899cf 1447 if ((len = m->replen) == 0)
a7cbbf50
PP
1448 continue;
1449 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1450 0, PCRE_EOPT, NULL, 0);
1451 if (n < 0)
1452 {
1453 if (n != PCRE_ERROR_NOMATCH)
1454 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1455 return FALSE;
1456 }
1457 }
43236f35 1458DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
a7cbbf50
PP
1459return TRUE;
1460#endif
1461}
1462
1463
1464/*************************************************
059ec3d9
PH
1465* Entry point and high-level code *
1466*************************************************/
1467
1468/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1469the appropriate action. All the necessary functions are present in the one
1470binary. I originally thought one should split it up, but it turns out that so
1471much of the apparatus is needed in each chunk that one might as well just have
1472it all available all the time, which then makes the coding easier as well.
1473
1474Arguments:
1475 argc count of entries in argv
1476 argv argument strings, with argv[0] being the program name
1477
1478Returns: EXIT_SUCCESS if terminated successfully
1479 EXIT_FAILURE otherwise, except when a message has been sent
1480 to the sender, and -oee was given
1481*/
1482
1483int
1484main(int argc, char **cargv)
1485{
1486uschar **argv = USS cargv;
1487int arg_receive_timeout = -1;
1488int arg_smtp_receive_timeout = -1;
1489int arg_error_handling = error_handling;
f05da2e8
PH
1490int filter_sfd = -1;
1491int filter_ufd = -1;
059ec3d9 1492int group_count;
1670ef10 1493int i, rv;
059ec3d9
PH
1494int list_queue_option = 0;
1495int msg_action = 0;
1496int msg_action_arg = -1;
1497int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1498int queue_only_reason = 0;
1499#ifdef EXIM_PERL
1500int perl_start_option = 0;
1501#endif
1502int recipients_arg = argc;
1503int sender_address_domain = 0;
1504int test_retry_arg = -1;
1505int test_rewrite_arg = -1;
1506BOOL arg_queue_only = FALSE;
1507BOOL bi_option = FALSE;
1508BOOL checking = FALSE;
1509BOOL count_queue = FALSE;
1510BOOL expansion_test = FALSE;
1511BOOL extract_recipients = FALSE;
f4ee74ac 1512BOOL flag_G = FALSE;
12f69989 1513BOOL flag_n = FALSE;
059ec3d9
PH
1514BOOL forced_delivery = FALSE;
1515BOOL f_end_dot = FALSE;
1516BOOL deliver_give_up = FALSE;
1517BOOL list_queue = FALSE;
1518BOOL list_options = FALSE;
bf3c2c6b 1519BOOL list_config = FALSE;
059ec3d9
PH
1520BOOL local_queue_only;
1521BOOL more = TRUE;
1522BOOL one_msg_action = FALSE;
4ab69ec7 1523BOOL opt_D_used = FALSE;
059ec3d9
PH
1524BOOL queue_only_set = FALSE;
1525BOOL receiving_message = TRUE;
33d73e3b 1526BOOL sender_ident_set = FALSE;
8669f003 1527BOOL session_local_queue_only;
059ec3d9
PH
1528BOOL unprivileged;
1529BOOL removed_privilege = FALSE;
81ea09ca 1530BOOL usage_wanted = FALSE;
059ec3d9
PH
1531BOOL verify_address_mode = FALSE;
1532BOOL verify_as_sender = FALSE;
1533BOOL version_printed = FALSE;
1534uschar *alias_arg = NULL;
1535uschar *called_as = US"";
a3fb9793 1536uschar *cmdline_syslog_name = NULL;
059ec3d9
PH
1537uschar *start_queue_run_id = NULL;
1538uschar *stop_queue_run_id = NULL;
328895cc 1539uschar *expansion_test_message = NULL;
059ec3d9
PH
1540uschar *ftest_domain = NULL;
1541uschar *ftest_localpart = NULL;
1542uschar *ftest_prefix = NULL;
1543uschar *ftest_suffix = NULL;
0ad2e0fc 1544uschar *log_oneline = NULL;
8544e77a 1545uschar *malware_test_file = NULL;
059ec3d9
PH
1546uschar *real_sender_address;
1547uschar *originator_home = US"/";
a3fb9793 1548size_t sz;
059ec3d9
PH
1549void *reset_point;
1550
1551struct passwd *pw;
1552struct stat statbuf;
1553pid_t passed_qr_pid = (pid_t)0;
1554int passed_qr_pipe = -1;
1555gid_t group_list[NGROUPS_MAX];
1556
98a90c36
PP
1557/* For the -bI: flag */
1558enum commandline_info info_flag = CMDINFO_NONE;
1559BOOL info_stdout = FALSE;
1560
059ec3d9
PH
1561/* Possible options for -R and -S */
1562
1563static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1564
1565/* Need to define this in case we need to change the environment in order
1566to get rid of a bogus time zone. We have to make it char rather than uschar
1567because some OS define it in /usr/include/unistd.h. */
1568
1569extern char **environ;
1570
35edf2ff 1571/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1572defined by ref:name at build time, we must now find the actual uid/gid values.
1573This is a feature to make the lives of binary distributors easier. */
1574
1575#ifdef EXIM_USERNAME
1576if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1577 {
10385c15
PP
1578 if (exim_uid == 0)
1579 {
1580 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1581 EXIM_USERNAME);
1582 exit(EXIT_FAILURE);
1583 }
084c1d8c
PP
1584 /* If ref:name uses a number as the name, route_finduser() returns
1585 TRUE with exim_uid set and pw coerced to NULL. */
1586 if (pw)
1587 exim_gid = pw->pw_gid;
1588#ifndef EXIM_GROUPNAME
1589 else
1590 {
1591 fprintf(stderr,
1592 "exim: ref:name should specify a usercode, not a group.\n"
1593 "exim: can't let you get away with it unless you also specify a group.\n");
1594 exit(EXIT_FAILURE);
1595 }
1596#endif
059ec3d9
PH
1597 }
1598else
1599 {
1600 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1601 EXIM_USERNAME);
1602 exit(EXIT_FAILURE);
1603 }
1604#endif
1605
1606#ifdef EXIM_GROUPNAME
1607if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1608 {
1609 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1610 EXIM_GROUPNAME);
1611 exit(EXIT_FAILURE);
1612 }
1613#endif
1614
1615#ifdef CONFIGURE_OWNERNAME
1616if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1617 {
1618 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1619 CONFIGURE_OWNERNAME);
1620 exit(EXIT_FAILURE);
1621 }
1622#endif
1623
79d4bc3d
PP
1624/* We default the system_filter_user to be the Exim run-time user, as a
1625sane non-root value. */
1626system_filter_uid = exim_uid;
1627
35edf2ff
PH
1628#ifdef CONFIGURE_GROUPNAME
1629if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1630 {
1631 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1632 CONFIGURE_GROUPNAME);
1633 exit(EXIT_FAILURE);
1634 }
1635#endif
1636
92e6a3d9
JH
1637/* In the Cygwin environment, some initialization used to need doing.
1638It was fudged in by means of this macro; now no longer but we'll leave
1639it in case of others. */
059ec3d9
PH
1640
1641#ifdef OS_INIT
1642OS_INIT
1643#endif
1644
1645/* Check a field which is patched when we are running Exim within its
1646testing harness; do a fast initial check, and then the whole thing. */
1647
1648running_in_test_harness =
1649 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1650
1651/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1652at the start of a program; however, it seems that some environments do not
1653follow this. A "strange" locale can affect the formatting of timestamps, so we
1654make quite sure. */
1655
1656setlocale(LC_ALL, "C");
1657
1658/* Set up the default handler for timing using alarm(). */
1659
1660os_non_restarting_signal(SIGALRM, sigalrm_handler);
1661
1662/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1663because store_malloc writes a log entry on failure. */
1664
40c90bca 1665if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
059ec3d9
PH
1666 {
1667 fprintf(stderr, "exim: failed to get store for log buffer\n");
1668 exit(EXIT_FAILURE);
1669 }
1670
6c6d6e48
TF
1671/* Initialize the default log options. */
1672
1673bits_set(log_selector, log_selector_size, log_default);
1674
059ec3d9
PH
1675/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1676NULL when the daemon is run and the file is closed. We have to use this
1677indirection, because some systems don't allow writing to the variable "stderr".
1678*/
1679
1680if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1681
1682/* Arrange for the PCRE regex library to use our store functions. Note that
1683the normal calls are actually macros that add additional arguments for
1684debugging purposes so we have to assign specially constructed functions here.
1685The default is to use store in the stacking pool, but this is overridden in the
1686regex_must_compile() function. */
1687
1688pcre_malloc = function_store_get;
1689pcre_free = function_dummy_free;
1690
1691/* Ensure there is a big buffer for temporary use in several places. It is put
1692in malloc store so that it can be freed for enlargement if necessary. */
1693
1694big_buffer = store_malloc(big_buffer_size);
1695
1696/* Set up the handler for the data request signal, and set the initial
1697descriptive text. */
1698
1699set_process_info("initializing");
1700os_restarting_signal(SIGUSR1, usr1_handler);
1701
1702/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1703in the daemon code. For the rest of Exim's uses, we ignore it. */
1704
1705signal(SIGHUP, SIG_IGN);
1706
1707/* We don't want to die on pipe errors as the code is written to handle
1708the write error instead. */
1709
1710signal(SIGPIPE, SIG_IGN);
1711
1712/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1713set to SIG_IGN. This causes subprocesses that complete before the parent
1714process waits for them not to hang around, so when Exim calls wait(), nothing
1715is there. The wait() code has been made robust against this, but let's ensure
1716that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1717ending status. We use sigaction rather than plain signal() on those OS where
1718SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1719problem on AIX with this.) */
1720
1721#ifdef SA_NOCLDWAIT
1722 {
1723 struct sigaction act;
1724 act.sa_handler = SIG_DFL;
1725 sigemptyset(&(act.sa_mask));
1726 act.sa_flags = 0;
1727 sigaction(SIGCHLD, &act, NULL);
1728 }
1729#else
1730signal(SIGCHLD, SIG_DFL);
1731#endif
1732
1733/* Save the arguments for use if we re-exec exim as a daemon after receiving
1734SIGHUP. */
1735
1736sighup_argv = argv;
1737
1738/* Set up the version number. Set up the leading 'E' for the external form of
1739message ids, set the pointer to the internal form, and initialize it to
1740indicate no message being processed. */
1741
1742version_init();
1743message_id_option[0] = '-';
1744message_id_external = message_id_option + 1;
1745message_id_external[0] = 'E';
1746message_id = message_id_external + 1;
1747message_id[0] = 0;
1748
67d175de 1749/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1750created with the modes that it specifies. NOTE: Files created with fopen() have
1751a problem, which was not recognized till rather late (February 2006). With this
1752umask, such files will be world writeable. (They are all content scanning files
1753in the spool directory, which isn't world-accessible, so this is not a
1754disaster, but it's untidy.) I don't want to change this overall setting,
1755however, because it will interact badly with the open() calls. Instead, there's
1756now a function called modefopen() that fiddles with the umask while calling
1757fopen(). */
059ec3d9 1758
67d175de 1759(void)umask(0);
059ec3d9
PH
1760
1761/* Precompile the regular expression for matching a message id. Keep this in
1762step with the code that generates ids in the accept.c module. We need to do
1763this here, because the -M options check their arguments for syntactic validity
1764using mac_ismsgid, which uses this. */
1765
1766regex_ismsgid =
1767 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1768
a5bd321b 1769/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1770code, possibly extended, at the start of an error message. Note that the
1771terminating whitespace character is included. */
a5bd321b
PH
1772
1773regex_smtp_code =
1774 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1775 FALSE, TRUE);
1776
a7cbbf50
PP
1777#ifdef WHITELIST_D_MACROS
1778/* Precompile the regular expression used to filter the content of macros
1779given to -D for permissibility. */
1780
1781regex_whitelisted_macro =
1782 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1783#endif
1784
f38917cc
JH
1785for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1786
059ec3d9
PH
1787/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1788this seems to be a generally accepted convention, since one finds symbolic
1789links called "mailq" in standard OS configurations. */
1790
1791if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1792 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1793 {
1794 list_queue = TRUE;
1795 receiving_message = FALSE;
1796 called_as = US"-mailq";
1797 }
1798
1799/* If the program is called as "rmail" treat it as equivalent to
1800"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1801i.e. preventing a single dot on a line from terminating the message, and
1802returning with zero return code, even in cases of error (provided an error
1803message has been sent). */
1804
1805if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1806 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1807 {
1808 dot_ends = FALSE;
1809 called_as = US"-rmail";
1810 errors_sender_rc = EXIT_SUCCESS;
1811 }
1812
1813/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1814this is a smail convention. */
1815
1816if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1817 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1818 {
1819 smtp_input = smtp_batched_input = TRUE;
1820 called_as = US"-rsmtp";
1821 }
1822
1823/* If the program is called as "runq" treat it as equivalent to "exim -q";
1824this is a smail convention. */
1825
1826if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1827 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1828 {
1829 queue_interval = 0;
1830 receiving_message = FALSE;
1831 called_as = US"-runq";
1832 }
1833
1834/* If the program is called as "newaliases" treat it as equivalent to
1835"exim -bi"; this is a sendmail convention. */
1836
1837if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1838 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1839 {
1840 bi_option = TRUE;
1841 receiving_message = FALSE;
1842 called_as = US"-newaliases";
1843 }
1844
1845/* Save the original effective uid for a couple of uses later. It should
1846normally be root, but in some esoteric environments it may not be. */
1847
1848original_euid = geteuid();
1849
1850/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1851to be the same as the real ones. This makes a difference only if Exim is setuid
1852(or setgid) to something other than root, which could be the case in some
1853special configurations. */
1854
1855real_uid = getuid();
1856real_gid = getgid();
1857
1858if (real_uid == root_uid)
1859 {
1670ef10
PP
1860 rv = setgid(real_gid);
1861 if (rv)
1862 {
1863 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1864 (long int)real_gid, strerror(errno));
1865 exit(EXIT_FAILURE);
1866 }
1867 rv = setuid(real_uid);
1868 if (rv)
1869 {
1870 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1871 (long int)real_uid, strerror(errno));
1872 exit(EXIT_FAILURE);
1873 }
059ec3d9
PH
1874 }
1875
1876/* If neither the original real uid nor the original euid was root, Exim is
1877running in an unprivileged state. */
1878
1879unprivileged = (real_uid != root_uid && original_euid != root_uid);
1880
059ec3d9
PH
1881/* Scan the program's arguments. Some can be dealt with right away; others are
1882simply recorded for checking and handling afterwards. Do a high-level switch
1883on the second character (the one after '-'), to save some effort. */
1884
1885for (i = 1; i < argc; i++)
1886 {
1887 BOOL badarg = FALSE;
1888 uschar *arg = argv[i];
1889 uschar *argrest;
1890 int switchchar;
1891
1892 /* An argument not starting with '-' is the start of a recipients list;
1893 break out of the options-scanning loop. */
1894
1895 if (arg[0] != '-')
1896 {
1897 recipients_arg = i;
1898 break;
1899 }
1900
4c04137d 1901 /* An option consisting of -- terminates the options */
059ec3d9
PH
1902
1903 if (Ustrcmp(arg, "--") == 0)
1904 {
1905 recipients_arg = i + 1;
1906 break;
1907 }
1908
1909 /* Handle flagged options */
1910
1911 switchchar = arg[1];
1912 argrest = arg+2;
1913
1914 /* Make all -ex options synonymous with -oex arguments, since that
1915 is assumed by various callers. Also make -qR options synonymous with -R
1916 options, as that seems to be required as well. Allow for -qqR too, and
1917 the same for -S options. */
1918
1919 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1920 Ustrncmp(arg+1, "qR", 2) == 0 ||
1921 Ustrncmp(arg+1, "qS", 2) == 0)
1922 {
1923 switchchar = arg[2];
1924 argrest++;
1925 }
1926 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1927 {
1928 switchchar = arg[3];
1929 argrest += 2;
1930 queue_2stage = TRUE;
1931 }
1932
1933 /* Make -r synonymous with -f, since it is a documented alias */
1934
1935 else if (arg[1] == 'r') switchchar = 'f';
1936
1937 /* Make -ov synonymous with -v */
1938
1939 else if (Ustrcmp(arg, "-ov") == 0)
1940 {
1941 switchchar = 'v';
1942 argrest++;
1943 }
1944
4b2241d2
PP
1945 /* deal with --option_aliases */
1946 else if (switchchar == '-')
1947 {
1948 if (Ustrcmp(argrest, "help") == 0)
1949 {
1950 usage_wanted = TRUE;
1951 break;
1952 }
1953 else if (Ustrcmp(argrest, "version") == 0)
1954 {
1955 switchchar = 'b';
73a46702 1956 argrest = US"V";
4b2241d2
PP
1957 }
1958 }
1959
059ec3d9
PH
1960 /* High-level switch on active initial letter */
1961
1962 switch(switchchar)
1963 {
a3fb9793
PP
1964
1965 /* sendmail uses -Ac and -Am to control which .cf file is used;
1966 we ignore them. */
1967 case 'A':
1968 if (*argrest == '\0') { badarg = TRUE; break; }
1969 else
1970 {
1971 BOOL ignore = FALSE;
1972 switch (*argrest)
1973 {
1974 case 'c':
1975 case 'm':
1976 if (*(argrest + 1) == '\0')
1977 ignore = TRUE;
1978 break;
1979 }
1980 if (!ignore) { badarg = TRUE; break; }
1981 }
1982 break;
1983
059ec3d9
PH
1984 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1985 so has no need of it. */
1986
1987 case 'B':
1988 if (*argrest == 0) i++; /* Skip over the type */
1989 break;
1990
1991
1992 case 'b':
1993 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1994
1995 /* -bd: Run in daemon mode, awaiting SMTP connections.
1996 -bdf: Ditto, but in the foreground.
1997 */
1998
1999 if (*argrest == 'd')
2000 {
2001 daemon_listen = TRUE;
2002 if (*(++argrest) == 'f') background_daemon = FALSE;
2003 else if (*argrest != 0) { badarg = TRUE; break; }
2004 }
2005
328895cc
PH
2006 /* -be: Run in expansion test mode
2007 -bem: Ditto, but read a message from a file first
2008 */
059ec3d9
PH
2009
2010 else if (*argrest == 'e')
328895cc 2011 {
059ec3d9 2012 expansion_test = checking = TRUE;
328895cc
PH
2013 if (argrest[1] == 'm')
2014 {
2015 if (++i >= argc) { badarg = TRUE; break; }
2016 expansion_test_message = argv[i];
2017 argrest++;
2018 }
2019 if (argrest[1] != 0) { badarg = TRUE; break; }
2020 }
059ec3d9 2021
f05da2e8
PH
2022 /* -bF: Run system filter test */
2023
2024 else if (*argrest == 'F')
2025 {
34e86e20 2026 filter_test |= checking = FTEST_SYSTEM;
f05da2e8
PH
2027 if (*(++argrest) != 0) { badarg = TRUE; break; }
2028 if (++i < argc) filter_test_sfile = argv[i]; else
2029 {
2030 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
2031 exit(EXIT_FAILURE);
2032 }
2033 }
2034
2035 /* -bf: Run user filter test
059ec3d9
PH
2036 -bfd: Set domain for filter testing
2037 -bfl: Set local part for filter testing
2038 -bfp: Set prefix for filter testing
2039 -bfs: Set suffix for filter testing
2040 */
2041
f05da2e8 2042 else if (*argrest == 'f')
059ec3d9 2043 {
f05da2e8 2044 if (*(++argrest) == 0)
059ec3d9 2045 {
34e86e20 2046 filter_test |= checking = FTEST_USER;
f05da2e8 2047 if (++i < argc) filter_test_ufile = argv[i]; else
059ec3d9
PH
2048 {
2049 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
2050 exit(EXIT_FAILURE);
2051 }
2052 }
2053 else
2054 {
2055 if (++i >= argc)
2056 {
2057 fprintf(stderr, "exim: string expected after %s\n", arg);
2058 exit(EXIT_FAILURE);
2059 }
2060 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2061 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2062 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2063 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2064 else { badarg = TRUE; break; }
2065 }
2066 }
2067
2068 /* -bh: Host checking - an IP address must follow. */
2069
2070 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2071 {
2072 if (++i >= argc) { badarg = TRUE; break; }
2073 sender_host_address = argv[i];
2074 host_checking = checking = log_testing_mode = TRUE;
2075 host_checking_callout = argrest[1] == 'c';
1a6230a3 2076 message_logs = FALSE;
059ec3d9
PH
2077 }
2078
2079 /* -bi: This option is used by sendmail to initialize *the* alias file,
2080 though it has the -oA option to specify a different file. Exim has no
2081 concept of *the* alias file, but since Sun's YP make script calls
2082 sendmail this way, some support must be provided. */
2083
2084 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2085
98a90c36
PP
2086 /* -bI: provide information, of the type to follow after a colon.
2087 This is an Exim flag. */
2088
2089 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2090 {
2091 uschar *p = &argrest[2];
2092 info_flag = CMDINFO_HELP;
2093 if (Ustrlen(p))
2094 {
2095 if (strcmpic(p, CUS"sieve") == 0)
2096 {
2097 info_flag = CMDINFO_SIEVE;
2098 info_stdout = TRUE;
2099 }
36a3ae5f
PP
2100 else if (strcmpic(p, CUS"dscp") == 0)
2101 {
2102 info_flag = CMDINFO_DSCP;
2103 info_stdout = TRUE;
2104 }
98a90c36
PP
2105 else if (strcmpic(p, CUS"help") == 0)
2106 {
2107 info_stdout = TRUE;
2108 }
2109 }
2110 }
2111
059ec3d9
PH
2112 /* -bm: Accept and deliver message - the default option. Reinstate
2113 receiving_message, which got turned off for all -b options. */
2114
2115 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2116
8544e77a
PP
2117 /* -bmalware: test the filename given for malware */
2118
2119 else if (Ustrcmp(argrest, "malware") == 0)
2120 {
2121 if (++i >= argc) { badarg = TRUE; break; }
34e86e20 2122 checking = TRUE;
8544e77a
PP
2123 malware_test_file = argv[i];
2124 }
2125
059ec3d9
PH
2126 /* -bnq: For locally originating messages, do not qualify unqualified
2127 addresses. In the envelope, this causes errors; in header lines they
2128 just get left. */
2129
2130 else if (Ustrcmp(argrest, "nq") == 0)
2131 {
2132 allow_unqualified_sender = FALSE;
2133 allow_unqualified_recipient = FALSE;
2134 }
2135
2136 /* -bpxx: List the contents of the mail queue, in various forms. If
2137 the option is -bpc, just a queue count is needed. Otherwise, if the
2138 first letter after p is r, then order is random. */
2139
2140 else if (*argrest == 'p')
2141 {
2142 if (*(++argrest) == 'c')
2143 {
2144 count_queue = TRUE;
2145 if (*(++argrest) != 0) badarg = TRUE;
2146 break;
2147 }
2148
2149 if (*argrest == 'r')
2150 {
2151 list_queue_option = 8;
2152 argrest++;
2153 }
2154 else list_queue_option = 0;
2155
2156 list_queue = TRUE;
2157
2158 /* -bp: List the contents of the mail queue, top-level only */
2159
2160 if (*argrest == 0) {}
2161
2162 /* -bpu: List the contents of the mail queue, top-level undelivered */
2163
2164 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2165
2166 /* -bpa: List the contents of the mail queue, including all delivered */
2167
2168 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2169
2170 /* Unknown after -bp[r] */
2171
2172 else
2173 {
2174 badarg = TRUE;
2175 break;
2176 }
2177 }
2178
2179
2180 /* -bP: List the configuration variables given as the address list.
2181 Force -v, so configuration errors get displayed. */
2182
2183 else if (Ustrcmp(argrest, "P") == 0)
2184 {
bf3c2c6b
HSHR
2185 /* -bP config: we need to setup here, because later,
2186 * when list_options is checked, the config is read already */
2187 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2188 {
2189 list_config = TRUE;
2190 readconf_save_config(version_string);
2191 }
2192 else
2193 {
2194 list_options = TRUE;
2195 debug_selector |= D_v;
2196 debug_file = stderr;
2197 }
059ec3d9
PH
2198 }
2199
2200 /* -brt: Test retry configuration lookup */
2201
2202 else if (Ustrcmp(argrest, "rt") == 0)
2203 {
34e86e20 2204 checking = TRUE;
059ec3d9
PH
2205 test_retry_arg = i + 1;
2206 goto END_ARG;
2207 }
2208
2209 /* -brw: Test rewrite configuration */
2210
2211 else if (Ustrcmp(argrest, "rw") == 0)
2212 {
34e86e20 2213 checking = TRUE;
059ec3d9
PH
2214 test_rewrite_arg = i + 1;
2215 goto END_ARG;
2216 }
2217
2218 /* -bS: Read SMTP commands on standard input, but produce no replies -
2219 all errors are reported by sending messages. */
2220
2221 else if (Ustrcmp(argrest, "S") == 0)
2222 smtp_input = smtp_batched_input = receiving_message = TRUE;
2223
2224 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2225 on standard output. */
2226
2227 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2228
2229 /* -bt: address testing mode */
2230
2231 else if (Ustrcmp(argrest, "t") == 0)
2232 address_test_mode = checking = log_testing_mode = TRUE;
2233
2234 /* -bv: verify addresses */
2235
2236 else if (Ustrcmp(argrest, "v") == 0)
2237 verify_address_mode = checking = log_testing_mode = TRUE;
2238
2239 /* -bvs: verify sender addresses */
2240
2241 else if (Ustrcmp(argrest, "vs") == 0)
2242 {
2243 verify_address_mode = checking = log_testing_mode = TRUE;
2244 verify_as_sender = TRUE;
2245 }
2246
2247 /* -bV: Print version string and support details */
2248
2249 else if (Ustrcmp(argrest, "V") == 0)
2250 {
2251 printf("Exim version %s #%s built %s\n", version_string,
2252 version_cnumber, version_date);
2253 printf("%s\n", CS version_copyright);
2254 version_printed = TRUE;
2255 show_whats_supported(stdout);
b25c9675 2256 log_testing_mode = TRUE;
059ec3d9
PH
2257 }
2258
9ee44efb
PP
2259 /* -bw: inetd wait mode, accept a listening socket as stdin */
2260
2261 else if (*argrest == 'w')
2262 {
2263 inetd_wait_mode = TRUE;
2264 background_daemon = FALSE;
2265 daemon_listen = TRUE;
2266 if (*(++argrest) != '\0')
2267 {
2268 inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE);
2269 if (inetd_wait_timeout <= 0)
2270 {
2271 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2272 exit(EXIT_FAILURE);
2273 }
2274 }
2275 }
2276
059ec3d9
PH
2277 else badarg = TRUE;
2278 break;
2279
2280
2281 /* -C: change configuration file list; ignore if it isn't really
2282 a change! Enforce a prefix check if required. */
2283
2284 case 'C':
2285 if (*argrest == 0)
2286 {
2287 if(++i < argc) argrest = argv[i]; else
2288 { badarg = TRUE; break; }
2289 }
2290 if (Ustrcmp(config_main_filelist, argrest) != 0)
2291 {
2292 #ifdef ALT_CONFIG_PREFIX
2293 int sep = 0;
2294 int len = Ustrlen(ALT_CONFIG_PREFIX);
863bd541 2295 const uschar *list = argrest;
059ec3d9
PH
2296 uschar *filename;
2297 while((filename = string_nextinlist(&list, &sep, big_buffer,
2298 big_buffer_size)) != NULL)
2299 {
2300 if ((Ustrlen(filename) < len ||
2301 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2302 Ustrstr(filename, "/../") != NULL) &&
2303 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2304 {
2305 fprintf(stderr, "-C Permission denied\n");
2306 exit(EXIT_FAILURE);
2307 }
2308 }
2309 #endif
261dc43e
DW
2310 if (real_uid != root_uid)
2311 {
90b6341f 2312 #ifdef TRUSTED_CONFIG_LIST
261dc43e 2313
90b6341f
DW
2314 if (real_uid != exim_uid
2315 #ifdef CONFIGURE_OWNER
2316 && real_uid != config_uid
2317 #endif
2318 )
261dc43e
DW
2319 trusted_config = FALSE;
2320 else
2321 {
90b6341f 2322 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
261dc43e
DW
2323 if (trust_list)
2324 {
2325 struct stat statbuf;
2326
2327 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2328 (statbuf.st_uid != root_uid /* owner not root */
2329 #ifdef CONFIGURE_OWNER
2330 && statbuf.st_uid != config_uid /* owner not the special one */
2331 #endif
2332 ) || /* or */
2333 (statbuf.st_gid != root_gid /* group not root */
2334 #ifdef CONFIGURE_GROUP
2335 && statbuf.st_gid != config_gid /* group not the special one */
2336 #endif
2337 && (statbuf.st_mode & 020) != 0 /* group writeable */
2338 ) || /* or */
2339 (statbuf.st_mode & 2) != 0) /* world writeable */
2340 {
2341 trusted_config = FALSE;
2342 fclose(trust_list);
2343 }
2344 else
2345 {
2346 /* Well, the trust list at least is up to scratch... */
2347 void *reset_point = store_get(0);
90b6341f
DW
2348 uschar *trusted_configs[32];
2349 int nr_configs = 0;
261dc43e
DW
2350 int i = 0;
2351
2352 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2353 {
2354 uschar *start = big_buffer, *nl;
2355 while (*start && isspace(*start))
2356 start++;
1e83d68b 2357 if (*start != '/')
261dc43e
DW
2358 continue;
2359 nl = Ustrchr(start, '\n');
2360 if (nl)
2361 *nl = 0;
90b6341f
DW
2362 trusted_configs[nr_configs++] = string_copy(start);
2363 if (nr_configs == 32)
261dc43e
DW
2364 break;
2365 }
2366 fclose(trust_list);
2367
90b6341f 2368 if (nr_configs)
261dc43e
DW
2369 {
2370 int sep = 0;
55414b25 2371 const uschar *list = argrest;
261dc43e
DW
2372 uschar *filename;
2373 while (trusted_config && (filename = string_nextinlist(&list,
2374 &sep, big_buffer, big_buffer_size)) != NULL)
2375 {
90b6341f 2376 for (i=0; i < nr_configs; i++)
261dc43e 2377 {
90b6341f 2378 if (Ustrcmp(filename, trusted_configs[i]) == 0)
261dc43e
DW
2379 break;
2380 }
90b6341f 2381 if (i == nr_configs)
261dc43e
DW
2382 {
2383 trusted_config = FALSE;
2384 break;
2385 }
2386 }
1e83d68b 2387 store_reset(reset_point);
261dc43e
DW
2388 }
2389 else
2390 {
2391 /* No valid prefixes found in trust_list file. */
2392 trusted_config = FALSE;
2393 }
2394 }
2395 }
2396 else
2397 {
2398 /* Could not open trust_list file. */
2399 trusted_config = FALSE;
2400 }
2401 }
2402 #else
2403 /* Not root; don't trust config */
2404 trusted_config = FALSE;
2405 #endif
2406 }
059ec3d9
PH
2407
2408 config_main_filelist = argrest;
2409 config_changed = TRUE;
2410 }
2411 break;
2412
2413
2414 /* -D: set up a macro definition */
2415
2416 case 'D':
2417 #ifdef DISABLE_D_OPTION
2418 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2419 exit(EXIT_FAILURE);
2420 #else
2421 {
2422 int ptr = 0;
059ec3d9
PH
2423 macro_item *m;
2424 uschar name[24];
2425 uschar *s = argrest;
2426
4ab69ec7 2427 opt_D_used = TRUE;
059ec3d9
PH
2428 while (isspace(*s)) s++;
2429
2430 if (*s < 'A' || *s > 'Z')
2431 {
2432 fprintf(stderr, "exim: macro name set by -D must start with "
2433 "an upper case letter\n");
2434 exit(EXIT_FAILURE);
2435 }
2436
2437 while (isalnum(*s) || *s == '_')
2438 {
2439 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2440 s++;
2441 }
2442 name[ptr] = 0;
2443 if (ptr == 0) { badarg = TRUE; break; }
2444 while (isspace(*s)) s++;
2445 if (*s != 0)
2446 {
2447 if (*s++ != '=') { badarg = TRUE; break; }
2448 while (isspace(*s)) s++;
2449 }
2450
c193398d 2451 for (m = macros; m; m = m->next)
059ec3d9
PH
2452 if (Ustrcmp(m->name, name) == 0)
2453 {
2454 fprintf(stderr, "exim: duplicated -D in command line\n");
2455 exit(EXIT_FAILURE);
2456 }
059ec3d9 2457
d185889f 2458 m = macro_create(string_copy(name), string_copy(s), TRUE);
059ec3d9
PH
2459
2460 if (clmacro_count >= MAX_CLMACROS)
2461 {
2462 fprintf(stderr, "exim: too many -D options on command line\n");
2463 exit(EXIT_FAILURE);
2464 }
2465 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2466 m->replacement);
2467 }
2468 #endif
2469 break;
2470
2471 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2472 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2473 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2474
2475 case 'd':
2476 if (Ustrcmp(argrest, "ropcr") == 0)
2477 {
2478 /* drop_cr = TRUE; */
2479 }
2480
2481 /* Use an intermediate variable so that we don't set debugging while
2482 decoding the debugging bits. */
2483
2484 else
2485 {
2486 unsigned int selector = D_default;
2487 debug_selector = 0;
2488 debug_file = NULL;
3d235903
PH
2489 if (*argrest == 'd')
2490 {
2491 debug_daemon = TRUE;
2492 argrest++;
2493 }
059ec3d9 2494 if (*argrest != 0)
6c6d6e48
TF
2495 decode_bits(&selector, 1, debug_notall, argrest,
2496 debug_options, debug_options_count, US"debug", 0);
059ec3d9
PH
2497 debug_selector = selector;
2498 }
2499 break;
2500
2501
2502 /* -E: This is a local error message. This option is not intended for
2503 external use at all, but is not restricted to trusted callers because it
2504 does no harm (just suppresses certain error messages) and if Exim is run
2505 not setuid root it won't always be trusted when it generates error
2506 messages using this option. If there is a message id following -E, point
2507 message_reference at it, for logging. */
2508
2509 case 'E':
2510 local_error_message = TRUE;
2511 if (mac_ismsgid(argrest)) message_reference = argrest;
2512 break;
2513
2514
2515 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2516 option, so it looks as if historically the -oex options are also callable
2517 without the leading -o. So we have to accept them. Before the switch,
2518 anything starting -oe has been converted to -e. Exim does not support all
2519 of the sendmail error options. */
2520
2521 case 'e':
2522 if (Ustrcmp(argrest, "e") == 0)
2523 {
2524 arg_error_handling = ERRORS_SENDER;
2525 errors_sender_rc = EXIT_SUCCESS;
2526 }
2527 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2528 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2529 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2530 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2531 else badarg = TRUE;
2532 break;
2533
2534
2535 /* -F: Set sender's full name, used instead of the gecos entry from
2536 the password file. Since users can usually alter their gecos entries,
2537 there's no security involved in using this instead. The data can follow
2538 the -F or be in the next argument. */
2539
2540 case 'F':
2541 if (*argrest == 0)
2542 {
2543 if(++i < argc) argrest = argv[i]; else
2544 { badarg = TRUE; break; }
2545 }
2546 originator_name = argrest;
2fe1a124 2547 sender_name_forced = TRUE;
059ec3d9
PH
2548 break;
2549
2550
2551 /* -f: Set sender's address - this value is only actually used if Exim is
2552 run by a trusted user, or if untrusted_set_sender is set and matches the
2553 address, except that the null address can always be set by any user. The
2554 test for this happens later, when the value given here is ignored when not
2555 permitted. For an untrusted user, the actual sender is still put in Sender:
2556 if it doesn't match the From: header (unless no_local_from_check is set).
2557 The data can follow the -f or be in the next argument. The -r switch is an
2558 obsolete form of -f but since there appear to be programs out there that
2559 use anything that sendmail has ever supported, better accept it - the
2560 synonymizing is done before the switch above.
2561
2562 At this stage, we must allow domain literal addresses, because we don't
2563 know what the setting of allow_domain_literals is yet. Ditto for trailing
2564 dots and strip_trailing_dot. */
2565
2566 case 'f':
2567 {
250b6871 2568 int dummy_start, dummy_end;
059ec3d9
PH
2569 uschar *errmess;
2570 if (*argrest == 0)
2571 {
2572 if (i+1 < argc) argrest = argv[++i]; else
2573 { badarg = TRUE; break; }
2574 }
2575 if (*argrest == 0)
059ec3d9 2576 sender_address = string_sprintf(""); /* Ensure writeable memory */
059ec3d9
PH
2577 else
2578 {
2579 uschar *temp = argrest + Ustrlen(argrest) - 1;
2580 while (temp >= argrest && isspace(*temp)) temp--;
2581 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2582 allow_domain_literals = TRUE;
2583 strip_trailing_dot = TRUE;
8c5d388a 2584#ifdef SUPPORT_I18N
250b6871
JH
2585 allow_utf8_domains = TRUE;
2586#endif
2587 sender_address = parse_extract_address(argrest, &errmess,
2588 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
8c5d388a 2589#ifdef SUPPORT_I18N
250b6871
JH
2590 message_smtputf8 = string_is_utf8(sender_address);
2591 allow_utf8_domains = FALSE;
2592#endif
059ec3d9
PH
2593 allow_domain_literals = FALSE;
2594 strip_trailing_dot = FALSE;
2595 if (sender_address == NULL)
2596 {
2597 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2598 return EXIT_FAILURE;
2599 }
2600 }
2601 sender_address_forced = TRUE;
2602 }
2603 break;
2604
a3fb9793 2605 /* -G: sendmail invocation to specify that it's a gateway submission and
f4ee74ac
PP
2606 sendmail may complain about problems instead of fixing them.
2607 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2608 not at this time complain about problems. */
059ec3d9
PH
2609
2610 case 'G':
f4ee74ac 2611 flag_G = TRUE;
059ec3d9
PH
2612 break;
2613
2614 /* -h: Set the hop count for an incoming message. Exim does not currently
2615 support this; it always computes it by counting the Received: headers.
2616 To put it in will require a change to the spool header file format. */
2617
2618 case 'h':
2619 if (*argrest == 0)
2620 {
2621 if(++i < argc) argrest = argv[i]; else
2622 { badarg = TRUE; break; }
2623 }
2624 if (!isdigit(*argrest)) badarg = TRUE;
2625 break;
2626
2627
2628 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2629 not to be documented for sendmail but mailx (at least) uses it) */
2630
2631 case 'i':
2632 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2633 break;
2634
2635
a3fb9793
PP
2636 /* -L: set the identifier used for syslog; equivalent to setting
2637 syslog_processname in the config file, but needs to be an admin option. */
2638
2639 case 'L':
2640 if (*argrest == '\0')
2641 {
2642 if(++i < argc) argrest = argv[i]; else
2643 { badarg = TRUE; break; }
2644 }
2645 sz = Ustrlen(argrest);
2646 if (sz > 32)
2647 {
2648 fprintf(stderr, "exim: the -L syslog name is too long: \"%s\"\n", argrest);
2649 return EXIT_FAILURE;
2650 }
2651 if (sz < 1)
2652 {
2653 fprintf(stderr, "exim: the -L syslog name is too short\n");
2654 return EXIT_FAILURE;
2655 }
2656 cmdline_syslog_name = argrest;
2657 break;
2658
059ec3d9
PH
2659 case 'M':
2660 receiving_message = FALSE;
2661
2662 /* -MC: continue delivery of another message via an existing open
2663 file descriptor. This option is used for an internal call by the
2664 smtp transport when there is a pending message waiting to go to an
2665 address to which it has got a connection. Five subsequent arguments are
2666 required: transport name, host name, IP address, sequence number, and
2667 message_id. Transports may decline to create new processes if the sequence
2668 number gets too big. The channel is stdin. This (-MC) must be the last
2669 argument. There's a subsequent check that the real-uid is privileged.
2670
2671 If we are running in the test harness. delay for a bit, to let the process
2672 that set this one up complete. This makes for repeatability of the logging,
2673 etc. output. */
2674
2675 if (Ustrcmp(argrest, "C") == 0)
2676 {
41c7c167
PH
2677 union sockaddr_46 interface_sock;
2678 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2679
059ec3d9
PH
2680 if (argc != i + 6)
2681 {
2682 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2683 return EXIT_FAILURE;
2684 }
2685
2686 if (msg_action_arg >= 0)
2687 {
2688 fprintf(stderr, "exim: incompatible arguments\n");
2689 return EXIT_FAILURE;
2690 }
2691
2692 continue_transport = argv[++i];
2693 continue_hostname = argv[++i];
2694 continue_host_address = argv[++i];
2695 continue_sequence = Uatoi(argv[++i]);
2696 msg_action = MSG_DELIVER;
2697 msg_action_arg = ++i;
2698 forced_delivery = TRUE;
2699 queue_run_pid = passed_qr_pid;
2700 queue_run_pipe = passed_qr_pipe;
2701
2702 if (!mac_ismsgid(argv[i]))
2703 {
2704 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2705 argv[i]);
2706 return EXIT_FAILURE;
2707 }
2708
875512a3
JH
2709 /* Set up $sending_ip_address and $sending_port, unless proxied */
2710
5013d912 2711 if (!continue_proxy_cipher)
875512a3
JH
2712 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2713 &size) == 0)
2714 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2715 &sending_port);
2716 else
2717 {
2718 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2719 strerror(errno));
2720 return EXIT_FAILURE;
2721 }
41c7c167 2722
059ec3d9
PH
2723 if (running_in_test_harness) millisleep(500);
2724 break;
2725 }
2726
2d14f397
JH
2727 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2728 {
875512a3 2729 switch(argrest[1])
2d14f397 2730 {
059ec3d9
PH
2731 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2732 precedes -MC (see above). The flag indicates that the host to which
2733 Exim is connected has accepted an AUTH sequence. */
2734
2d14f397 2735 case 'A': smtp_authenticated = TRUE; break;
059ec3d9 2736
6c1c3d1d
WB
2737 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2738 that exim is connected to supports the esmtp extension DSN */
28b3821f 2739
14de8063 2740 case 'D': smtp_peer_options |= OPTION_DSN; break;
6c1c3d1d 2741
e37f8a84 2742 /* -MCG: set the queue name, to a non-default value */
28b3821f 2743
2d14f397
JH
2744 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2745 else badarg = TRUE;
2746 break;
2747
2748 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2749
14de8063 2750 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
28b3821f 2751
059ec3d9
PH
2752 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2753 it preceded -MC (see above) */
2754
14de8063 2755 case 'P': smtp_peer_options |= OPTION_PIPE; break;
059ec3d9
PH
2756
2757 /* -MCQ: pass on the pid of the queue-running process that started
2758 this chain of deliveries and the fd of its synchronizing pipe; this
2759 is useful only when it precedes -MC (see above) */
2760
2d14f397
JH
2761 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2762 else badarg = TRUE;
2763 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2764 else badarg = TRUE;
2765 break;
059ec3d9
PH
2766
2767 /* -MCS: set the smtp_use_size flag; this is useful only when it
2768 precedes -MC (see above) */
2769
14de8063 2770 case 'S': smtp_peer_options |= OPTION_SIZE; break;
059ec3d9 2771
2d14f397 2772#ifdef SUPPORT_TLS
875512a3
JH
2773 /* -MCt: similar to -MCT below but the connection is still open
2774 via a proxy proces which handles the TLS context and coding.
5013d912
JH
2775 Require three arguments for the proxied local address and port,
2776 and the TLS cipher. */
875512a3 2777
5013d912 2778 case 't': if (++i < argc) sending_ip_address = argv[i];
875512a3
JH
2779 else badarg = TRUE;
2780 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2781 else badarg = TRUE;
5013d912
JH
2782 if (++i < argc) continue_proxy_cipher = argv[i];
2783 else badarg = TRUE;
875512a3
JH
2784 /*FALLTHROUGH*/
2785
059ec3d9
PH
2786 /* -MCT: set the tls_offered flag; this is useful only when it
2787 precedes -MC (see above). The flag indicates that the host to which
2788 Exim is connected has offered TLS support. */
2789
14de8063 2790 case 'T': smtp_peer_options |= OPTION_TLS; break;
2d14f397
JH
2791#endif
2792
2793 default: badarg = TRUE; break;
2794 }
2795 break;
059ec3d9 2796 }
059ec3d9
PH
2797
2798 /* -M[x]: various operations on the following list of message ids:
2799 -M deliver the messages, ignoring next retry times and thawing
2800 -Mc deliver the messages, checking next retry times, no thawing
2801 -Mf freeze the messages
2802 -Mg give up on the messages
2803 -Mt thaw the messages
2804 -Mrm remove the messages
2805 In the above cases, this must be the last option. There are also the
2806 following options which are followed by a single message id, and which
2807 act on that message. Some of them use the "recipient" addresses as well.
2808 -Mar add recipient(s)
2809 -Mmad mark all recipients delivered
2810 -Mmd mark recipients(s) delivered
2811 -Mes edit sender
0ef732d9 2812 -Mset load a message for use with -be
059ec3d9 2813 -Mvb show body
a96603a0 2814 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2815 -Mvh show header
2816 -Mvl show log
2817 */
2818
2819 else if (*argrest == 0)
2820 {
2821 msg_action = MSG_DELIVER;
2822 forced_delivery = deliver_force_thaw = TRUE;
2823 }
2824 else if (Ustrcmp(argrest, "ar") == 0)
2825 {
2826 msg_action = MSG_ADD_RECIPIENT;
2827 one_msg_action = TRUE;
2828 }
2829 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2830 else if (Ustrcmp(argrest, "es") == 0)
2831 {
2832 msg_action = MSG_EDIT_SENDER;
2833 one_msg_action = TRUE;
2834 }
2835 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2836 else if (Ustrcmp(argrest, "g") == 0)
2837 {
2838 msg_action = MSG_DELIVER;
2839 deliver_give_up = TRUE;
2840 }
2841 else if (Ustrcmp(argrest, "mad") == 0)
2842 {
2843 msg_action = MSG_MARK_ALL_DELIVERED;
2844 }
2845 else if (Ustrcmp(argrest, "md") == 0)
2846 {
2847 msg_action = MSG_MARK_DELIVERED;
2848 one_msg_action = TRUE;
2849 }
2850 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2851 else if (Ustrcmp(argrest, "set") == 0)
2852 {
2853 msg_action = MSG_LOAD;
2854 one_msg_action = TRUE;
2855 }
059ec3d9
PH
2856 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2857 else if (Ustrcmp(argrest, "vb") == 0)
2858 {
2859 msg_action = MSG_SHOW_BODY;
2860 one_msg_action = TRUE;
2861 }
a96603a0
PH
2862 else if (Ustrcmp(argrest, "vc") == 0)
2863 {
2864 msg_action = MSG_SHOW_COPY;
2865 one_msg_action = TRUE;
2866 }
059ec3d9
PH
2867 else if (Ustrcmp(argrest, "vh") == 0)
2868 {
2869 msg_action = MSG_SHOW_HEADER;
2870 one_msg_action = TRUE;
2871 }
2872 else if (Ustrcmp(argrest, "vl") == 0)
2873 {
2874 msg_action = MSG_SHOW_LOG;
2875 one_msg_action = TRUE;
2876 }
2877 else { badarg = TRUE; break; }
2878
2879 /* All the -Mxx options require at least one message id. */
2880
2881 msg_action_arg = i + 1;
2882 if (msg_action_arg >= argc)
2883 {
2884 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2885 return EXIT_FAILURE;
2886 }
2887
2888 /* Some require only message ids to follow */
2889
2890 if (!one_msg_action)
2891 {
2892 int j;
2893 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2894 {
2895 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2896 argv[j], arg);
2897 return EXIT_FAILURE;
2898 }
2899 goto END_ARG; /* Remaining args are ids */
2900 }
2901
2902 /* Others require only one message id, possibly followed by addresses,
2903 which will be handled as normal arguments. */
2904
2905 else
2906 {
2907 if (!mac_ismsgid(argv[msg_action_arg]))
2908 {
2909 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2910 argv[msg_action_arg], arg);
2911 return EXIT_FAILURE;
2912 }
2913 i++;
2914 }
2915 break;
2916
2917
2918 /* Some programs seem to call the -om option without the leading o;
2919 for sendmail it askes for "me too". Exim always does this. */
2920
2921 case 'm':
2922 if (*argrest != 0) badarg = TRUE;
2923 break;
2924
2925
2926 /* -N: don't do delivery - a debugging option that stops transports doing
2927 their thing. It implies debugging at the D_v level. */
2928
2929 case 'N':
2930 if (*argrest == 0)
2931 {
2932 dont_deliver = TRUE;
2933 debug_selector |= D_v;
2934 debug_file = stderr;
2935 }
2936 else badarg = TRUE;
2937 break;
2938
2939
12f69989
PP
2940 /* -n: This means "don't alias" in sendmail, apparently.
2941 For normal invocations, it has no effect.
2942 It may affect some other options. */
059ec3d9
PH
2943
2944 case 'n':
12f69989 2945 flag_n = TRUE;
059ec3d9
PH
2946 break;
2947
2948 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2949 option to the specified value. This form uses long names. We need to handle
2950 -O option=value and -Ooption=value. */
2951
2952 case 'O':
2953 if (*argrest == 0)
2954 {
2955 if (++i >= argc)
2956 {
2957 fprintf(stderr, "exim: string expected after -O\n");
2958 exit(EXIT_FAILURE);
2959 }
2960 }
2961 break;
2962
2963 case 'o':
2964
2965 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2966 file" option). */
2967
2968 if (*argrest == 'A')
2969 {
2970 alias_arg = argrest + 1;
2971 if (alias_arg[0] == 0)
2972 {
2973 if (i+1 < argc) alias_arg = argv[++i]; else
2974 {
2975 fprintf(stderr, "exim: string expected after -oA\n");
2976 exit(EXIT_FAILURE);
2977 }
2978 }
2979 }
2980
2981 /* -oB: Set a connection message max value for remote deliveries */
2982
2983 else if (*argrest == 'B')
2984 {
2985 uschar *p = argrest + 1;
2986 if (p[0] == 0)
2987 {
2988 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2989 {
2990 connection_max_messages = 1;
2991 p = NULL;
2992 }
2993 }
2994
2995 if (p != NULL)
2996 {
2997 if (!isdigit(*p))
2998 {
2999 fprintf(stderr, "exim: number expected after -oB\n");
3000 exit(EXIT_FAILURE);
3001 }
3002 connection_max_messages = Uatoi(p);
3003 }
3004 }
3005
3006 /* -odb: background delivery */
3007
3008 else if (Ustrcmp(argrest, "db") == 0)
3009 {
3010 synchronous_delivery = FALSE;
3011 arg_queue_only = FALSE;
3012 queue_only_set = TRUE;
3013 }
3014
3015 /* -odf: foreground delivery (smail-compatible option); same effect as
3016 -odi: interactive (synchronous) delivery (sendmail-compatible option)
3017 */
3018
3019 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
3020 {
3021 synchronous_delivery = TRUE;
3022 arg_queue_only = FALSE;
3023 queue_only_set = TRUE;
3024 }
3025
3026 /* -odq: queue only */
3027
3028 else if (Ustrcmp(argrest, "dq") == 0)
3029 {
3030 synchronous_delivery = FALSE;
3031 arg_queue_only = TRUE;
3032 queue_only_set = TRUE;
3033 }
3034
3035 /* -odqs: queue SMTP only - do local deliveries and remote routing,
3036 but no remote delivery */
3037
3038 else if (Ustrcmp(argrest, "dqs") == 0)
3039 {
3040 queue_smtp = TRUE;
3041 arg_queue_only = FALSE;
3042 queue_only_set = TRUE;
3043 }
3044
3045 /* -oex: Sendmail error flags. As these are also accepted without the
3046 leading -o prefix, for compatibility with vacation and other callers,
3047 they are handled with -e above. */
3048
3049 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
3050 -oitrue: Another sendmail syntax for the same */
3051
3052 else if (Ustrcmp(argrest, "i") == 0 ||
3053 Ustrcmp(argrest, "itrue") == 0)
3054 dot_ends = FALSE;
3055
3056 /* -oM*: Set various characteristics for an incoming message; actually
3057 acted on for trusted callers only. */
3058
3059 else if (*argrest == 'M')
3060 {
3061 if (i+1 >= argc)
3062 {
3063 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
3064 exit(EXIT_FAILURE);
3065 }
3066
3067 /* -oMa: Set sender host address */
3068
3069 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
3070
3071 /* -oMaa: Set authenticator name */
3072
3073 else if (Ustrcmp(argrest, "Maa") == 0)
3074 sender_host_authenticated = argv[++i];
3075
3076 /* -oMas: setting authenticated sender */
3077
3078 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
3079
3080 /* -oMai: setting authenticated id */
3081
3082 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
3083
3084 /* -oMi: Set incoming interface address */
3085
3086 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
3087
d2af03f4
HS
3088 /* -oMm: Message reference */
3089
3090 else if (Ustrcmp(argrest, "Mm") == 0)
3091 {
3092 if (!mac_ismsgid(argv[i+1]))
3093 {
3094 fprintf(stderr,"-oMm must be a valid message ID\n");
3095 exit(EXIT_FAILURE);
3096 }
3097 if (!trusted_config)
3098 {
3099 fprintf(stderr,"-oMm must be called by a trusted user/config\n");
3100 exit(EXIT_FAILURE);
3101 }
3102 message_reference = argv[++i];
3103 }
3104
059ec3d9
PH
3105 /* -oMr: Received protocol */
3106
65e061b7
HSHR
3107 else if (Ustrcmp(argrest, "Mr") == 0)
3108
3109 if (received_protocol)
3110 {
3111 fprintf(stderr, "received_protocol is set already\n");
3112 exit(EXIT_FAILURE);
3113 }
3114 else received_protocol = argv[++i];
059ec3d9
PH
3115
3116 /* -oMs: Set sender host name */
3117
3118 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3119
3120 /* -oMt: Set sender ident */
3121
33d73e3b
PH
3122 else if (Ustrcmp(argrest, "Mt") == 0)
3123 {
3124 sender_ident_set = TRUE;
3125 sender_ident = argv[++i];
3126 }
059ec3d9
PH
3127
3128 /* Else a bad argument */
3129
3130 else
3131 {
3132 badarg = TRUE;
3133 break;
3134 }
3135 }
3136
3137 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3138 seem to call this as -m (undocumented), so that is also accepted (see
3139 above). */
3140
3141 else if (Ustrcmp(argrest, "m") == 0) {}
3142
3143 /* -oo: An ancient flag for old-style addresses which still seems to
3144 crop up in some calls (see in SCO). */
3145
3146 else if (Ustrcmp(argrest, "o") == 0) {}
3147
3148 /* -oP <name>: set pid file path for daemon */
3149
3150 else if (Ustrcmp(argrest, "P") == 0)
3151 override_pid_file_path = argv[++i];
3152
3153 /* -or <n>: set timeout for non-SMTP acceptance
3154 -os <n>: set timeout for SMTP acceptance */
3155
3156 else if (*argrest == 'r' || *argrest == 's')
3157 {
3158 int *tp = (*argrest == 'r')?
3159 &arg_receive_timeout : &arg_smtp_receive_timeout;
3160 if (argrest[1] == 0)
3161 {
3162 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3163 }
3164 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3165 if (*tp < 0)
3166 {
3167 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3168 exit(EXIT_FAILURE);
3169 }
3170 }
3171
3172 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3173
3174 else if (Ustrcmp(argrest, "X") == 0)
3175 override_local_interfaces = argv[++i];
3176
3177 /* Unknown -o argument */
3178
3179 else badarg = TRUE;
3180 break;
3181
3182
3183 /* -ps: force Perl startup; -pd force delayed Perl startup */
3184
3185 case 'p':
3186 #ifdef EXIM_PERL
3187 if (*argrest == 's' && argrest[1] == 0)
3188 {
3189 perl_start_option = 1;
3190 break;
3191 }
3192 if (*argrest == 'd' && argrest[1] == 0)
3193 {
3194 perl_start_option = -1;
3195 break;
3196 }
3197 #endif
3198
3199 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3200 which sets the host protocol and host name */
3201
3202 if (*argrest == 0)
3203 {
3204 if (i+1 < argc) argrest = argv[++i]; else
3205 { badarg = TRUE; break; }
3206 }
3207
3208 if (*argrest != 0)
3209 {
65e061b7
HSHR
3210 uschar *hn;
3211
3212 if (received_protocol)
3213 {
3214 fprintf(stderr, "received_protocol is set already\n");
3215 exit(EXIT_FAILURE);
3216 }
3217
3218 hn = Ustrchr(argrest, ':');
059ec3d9
PH
3219 if (hn == NULL)
3220 {
3221 received_protocol = argrest;
3222 }
3223 else
3224 {
90341c71
JH
3225 int old_pool = store_pool;
3226 store_pool = POOL_PERM;
059ec3d9 3227 received_protocol = string_copyn(argrest, hn - argrest);
90341c71 3228 store_pool = old_pool;
059ec3d9
PH
3229 sender_host_name = hn + 1;
3230 }
3231 }
3232 break;
3233
3234
3235 case 'q':
3236 receiving_message = FALSE;
3cc66b45
PH
3237 if (queue_interval >= 0)
3238 {
3239 fprintf(stderr, "exim: -q specified more than once\n");
3240 exit(EXIT_FAILURE);
3241 }
059ec3d9
PH
3242
3243 /* -qq...: Do queue runs in a 2-stage manner */
3244
3245 if (*argrest == 'q')
3246 {
3247 queue_2stage = TRUE;
3248 argrest++;
3249 }
3250
3251 /* -qi...: Do only first (initial) deliveries */
3252
3253 if (*argrest == 'i')
3254 {
3255 queue_run_first_delivery = TRUE;
3256 argrest++;
3257 }
3258
3259 /* -qf...: Run the queue, forcing deliveries
3260 -qff..: Ditto, forcing thawing as well */
3261
3262 if (*argrest == 'f')
3263 {
3264 queue_run_force = TRUE;
55e70e76 3265 if (*++argrest == 'f')
059ec3d9
PH
3266 {
3267 deliver_force_thaw = TRUE;
3268 argrest++;
3269 }
3270 }
3271
3272 /* -q[f][f]l...: Run the queue only on local deliveries */
3273
3274 if (*argrest == 'l')
3275 {
3276 queue_run_local = TRUE;
3277 argrest++;
3278 }
3279
55e70e76 3280 /* -q[f][f][l][G<name>]... Work on the named queue */
28b3821f
JH
3281
3282 if (*argrest == 'G')
3283 {
fa665e0b
JH
3284 int i;
3285 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3286 queue_name = string_copyn(argrest, i);
3287 argrest += i;
3288 if (*argrest == '/') argrest++;
28b3821f
JH
3289 }
3290
3291 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3292 only, optionally named, optionally starting from a given message id. */
059ec3d9
PH
3293
3294 if (*argrest == 0 &&
3295 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3296 {
3297 queue_interval = 0;
3298 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3299 start_queue_run_id = argv[++i];
3300 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3301 stop_queue_run_id = argv[++i];
3302 }
3303
fa665e0b
JH
3304 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3305 forced, optionally local only, optionally named. */
059ec3d9 3306
55e70e76
JH
3307 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3308 0, FALSE)) <= 0)
059ec3d9 3309 {
55e70e76
JH
3310 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3311 exit(EXIT_FAILURE);
059ec3d9
PH
3312 }
3313 break;
3314
3315
3316 case 'R': /* Synonymous with -qR... */
3317 receiving_message = FALSE;
3318
3319 /* -Rf: As -R (below) but force all deliveries,
3320 -Rff: Ditto, but also thaw all frozen messages,
3321 -Rr: String is regex
3322 -Rrf: Regex and force
3323 -Rrff: Regex and force and thaw
3324
3325 in all cases provided there are no further characters in this
3326 argument. */
3327
3328 if (*argrest != 0)
3329 {
3330 int i;
55e70e76 3331 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3332 if (Ustrcmp(argrest, rsopts[i]) == 0)
3333 {
3334 if (i != 2) queue_run_force = TRUE;
3335 if (i >= 2) deliver_selectstring_regex = TRUE;
3336 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3337 argrest += Ustrlen(rsopts[i]);
3338 }
059ec3d9
PH
3339 }
3340
3341 /* -R: Set string to match in addresses for forced queue run to
3342 pick out particular messages. */
3343
55e70e76
JH
3344 if (*argrest)
3345 deliver_selectstring = argrest;
3346 else if (i+1 < argc)
3347 deliver_selectstring = argv[++i];
3348 else
059ec3d9 3349 {
55e70e76
JH
3350 fprintf(stderr, "exim: string expected after -R\n");
3351 exit(EXIT_FAILURE);
059ec3d9 3352 }
059ec3d9
PH
3353 break;
3354
3355
3356 /* -r: an obsolete synonym for -f (see above) */
3357
3358
3359 /* -S: Like -R but works on sender. */
3360
3361 case 'S': /* Synonymous with -qS... */
3362 receiving_message = FALSE;
3363
3364 /* -Sf: As -S (below) but force all deliveries,
3365 -Sff: Ditto, but also thaw all frozen messages,
3366 -Sr: String is regex
3367 -Srf: Regex and force
3368 -Srff: Regex and force and thaw
3369
3370 in all cases provided there are no further characters in this
3371 argument. */
3372
55e70e76 3373 if (*argrest)
059ec3d9
PH
3374 {
3375 int i;
55e70e76 3376 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3377 if (Ustrcmp(argrest, rsopts[i]) == 0)
3378 {
3379 if (i != 2) queue_run_force = TRUE;
3380 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3381 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3382 argrest += Ustrlen(rsopts[i]);
3383 }
059ec3d9
PH
3384 }
3385
3386 /* -S: Set string to match in addresses for forced queue run to
3387 pick out particular messages. */
3388
55e70e76
JH
3389 if (*argrest)
3390 deliver_selectstring_sender = argrest;
3391 else if (i+1 < argc)
3392 deliver_selectstring_sender = argv[++i];
3393 else
059ec3d9 3394 {
55e70e76
JH
3395 fprintf(stderr, "exim: string expected after -S\n");
3396 exit(EXIT_FAILURE);
059ec3d9 3397 }
059ec3d9
PH
3398 break;
3399
3400 /* -Tqt is an option that is exclusively for use by the testing suite.
3401 It is not recognized in other circumstances. It allows for the setting up
3402 of explicit "queue times" so that various warning/retry things can be
3403 tested. Otherwise variability of clock ticks etc. cause problems. */
3404
3405 case 'T':
3406 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3407 fudged_queue_times = argv[++i];
3408 else badarg = TRUE;
3409 break;
3410
3411
3412 /* -t: Set flag to extract recipients from body of message. */
3413
3414 case 't':
3415 if (*argrest == 0) extract_recipients = TRUE;
3416
3417 /* -ti: Set flag to extract recipients from body of message, and also
3418 specify that dot does not end the message. */
3419
3420 else if (Ustrcmp(argrest, "i") == 0)
3421 {
3422 extract_recipients = TRUE;
3423 dot_ends = FALSE;
3424 }
3425
3426 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3427
3428 #ifdef SUPPORT_TLS
817d9f57 3429 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
059ec3d9
PH
3430 #endif
3431
3432 else badarg = TRUE;
3433 break;
3434
3435
3436 /* -U: This means "initial user submission" in sendmail, apparently. The
3437 doc claims that in future sendmail may refuse syntactically invalid
3438 messages instead of fixing them. For the moment, we just ignore it. */
3439
3440 case 'U':
3441 break;
3442
3443
3444 /* -v: verify things - this is a very low-level debugging */
3445
3446 case 'v':
3447 if (*argrest == 0)
3448 {
3449 debug_selector |= D_v;
3450 debug_file = stderr;
3451 }
3452 else badarg = TRUE;
3453 break;
3454
3455
3456 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3457
3458 The -x flag tells the sendmail command that mail from a local
3459 mail program has National Language Support (NLS) extended characters
3460 in the body of the mail item. The sendmail command can send mail with
3461 extended NLS characters across networks that normally corrupts these
3462 8-bit characters.
3463
3464 As Exim is 8-bit clean, it just ignores this flag. */
3465
3466 case 'x':
3467 if (*argrest != 0) badarg = TRUE;
3468 break;
3469
a3fb9793
PP
3470 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3471 logs to that file. We swallow the parameter and otherwise ignore it. */
3472
3473 case 'X':
3474 if (*argrest == '\0')
a3fb9793
PP
3475 if (++i >= argc)
3476 {
3477 fprintf(stderr, "exim: string expected after -X\n");
3478 exit(EXIT_FAILURE);
3479 }
0ad2e0fc
JH
3480 break;
3481
3482 case 'z':
3483 if (*argrest == '\0')
3484 if (++i < argc) log_oneline = argv[i]; else
3485 {
3486 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
3487 exit(EXIT_FAILURE);
3488 }
a3fb9793
PP
3489 break;
3490
059ec3d9
PH
3491 /* All other initial characters are errors */
3492
3493 default:
3494 badarg = TRUE;
3495 break;
3496 } /* End of high-level switch statement */
3497
3498 /* Failed to recognize the option, or syntax error */
3499
3500 if (badarg)
3501 {
3502 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3503 "option %s\n", arg);
3504 exit(EXIT_FAILURE);
3505 }
3506 }
3507
3508
3cc66b45
PH
3509/* If -R or -S have been specified without -q, assume a single queue run. */
3510
55e70e76
JH
3511if ( (deliver_selectstring || deliver_selectstring_sender)
3512 && queue_interval < 0)
3513 queue_interval = 0;
3cc66b45
PH
3514
3515
059ec3d9 3516END_ARG:
81ea09ca
NM
3517/* If usage_wanted is set we call the usage function - which never returns */
3518if (usage_wanted) exim_usage(called_as);
3519
3520/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
3521if ((
3522 (smtp_input || extract_recipients || recipients_arg < argc) &&
3523 (daemon_listen || queue_interval >= 0 || bi_option ||
3524 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 3525 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
3526 ) ||
3527 (
3528 msg_action_arg > 0 &&
44915474 3529 (daemon_listen || queue_interval > 0 || list_options ||
0ef732d9
PH
3530 (checking && msg_action != MSG_LOAD) ||
3531 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
3532 ) ||
3533 (
55e70e76 3534 (daemon_listen || queue_interval > 0) &&
059ec3d9 3535 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 3536 bi_option)
059ec3d9
PH
3537 ) ||
3538 (
3539 daemon_listen && queue_interval == 0
3540 ) ||
3541 (
9ee44efb
PP
3542 inetd_wait_mode && queue_interval >= 0
3543 ) ||
3544 (
059ec3d9
PH
3545 list_options &&
3546 (checking || smtp_input || extract_recipients ||
f05da2e8 3547 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3548 ) ||
3549 (
3550 verify_address_mode &&
3551 (address_test_mode || smtp_input || extract_recipients ||
f05da2e8 3552 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3553 ) ||
3554 (
3555 address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 3556 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3557 ) ||
3558 (
f05da2e8 3559 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
3560 extract_recipients)
3561 ) ||
3562 (
3563 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
3564 ) ||
3565 (
3566 msg_action == MSG_LOAD &&
3567 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3568 )
3569 )
3570 {
3571 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3572 exit(EXIT_FAILURE);
3573 }
3574
3575/* If debugging is set up, set the file and the file descriptor to pass on to
3576child processes. It should, of course, be 2 for stderr. Also, force the daemon
3577to run in the foreground. */
3578
3579if (debug_selector != 0)
3580 {
3581 debug_file = stderr;
3582 debug_fd = fileno(debug_file);
3583 background_daemon = FALSE;
3584 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3585 if (debug_selector != D_v) /* -v only doesn't show this */
3586 {
3587 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3588 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3589 debug_selector);
6545de78
PP
3590 if (!version_printed)
3591 show_whats_supported(stderr);
059ec3d9
PH
3592 }
3593 }
3594
3595/* When started with root privilege, ensure that the limits on the number of
3596open files and the number of processes (where that is accessible) are
3597sufficiently large, or are unset, in case Exim has been called from an
3598environment where the limits are screwed down. Not all OS have the ability to
3599change some of these limits. */
3600
3601if (unprivileged)
3602 {
3603 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3604 }
3605else
3606 {
3607 struct rlimit rlp;
3608
3609 #ifdef RLIMIT_NOFILE
3610 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3611 {
3612 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3613 strerror(errno));
3614 rlp.rlim_cur = rlp.rlim_max = 0;
3615 }
eb2c0248
PH
3616
3617 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3618 be exceeded. It turns out that some older OS have a fixed upper limit of
3619 256. */
eb2c0248 3620
059ec3d9
PH
3621 if (rlp.rlim_cur < 1000)
3622 {
3623 rlp.rlim_cur = rlp.rlim_max = 1000;
3624 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3625 {
a494b1e1
PH
3626 rlp.rlim_cur = rlp.rlim_max = 256;
3627 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3628 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3629 strerror(errno));
eb2c0248 3630 }
059ec3d9
PH
3631 }
3632 #endif
3633
3634 #ifdef RLIMIT_NPROC
3635 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3636 {
3637 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3638 strerror(errno));
3639 rlp.rlim_cur = rlp.rlim_max = 0;
3640 }
3641
3642 #ifdef RLIM_INFINITY
3643 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3644 {
3645 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3646 #else
3647 if (rlp.rlim_cur < 1000)
3648 {
3649 rlp.rlim_cur = rlp.rlim_max = 1000;
3650 #endif
3651 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3652 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3653 strerror(errno));
3654 }
3655 #endif
3656 }
3657
3658/* Exim is normally entered as root (but some special configurations are
3659possible that don't do this). However, it always spins off sub-processes that
3660set their uid and gid as required for local delivery. We don't want to pass on
3661any extra groups that root may belong to, so we want to get rid of them all at
3662this point.
3663
3664We need to obey setgroups() at this stage, before possibly giving up root
3665privilege for a changed configuration file, but later on we might need to
3666check on the additional groups for the admin user privilege - can't do that
3667till after reading the config, which might specify the exim gid. Therefore,
3668save the group list here first. */
3669
3670group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18
PP
3671if (group_count < 0)
3672 {
3673 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3674 exit(EXIT_FAILURE);
3675 }
059ec3d9
PH
3676
3677/* There is a fundamental difference in some BSD systems in the matter of
3678groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3679known not to be different. On the "different" systems there is a single group
3680list, and the first entry in it is the current group. On all other versions of
3681Unix there is a supplementary group list, which is in *addition* to the current
3682group. Consequently, to get rid of all extraneous groups on a "standard" system
3683you pass over 0 groups to setgroups(), while on a "different" system you pass
3684over a single group - the current group, which is always the first group in the
3685list. Calling setgroups() with zero groups on a "different" system results in
3686an error return. The following code should cope with both types of system.
3687
3688However, if this process isn't running as root, setgroups() can't be used
3689since you have to be root to run it, even if throwing away groups. Not being
3690root here happens only in some unusual configurations. We just ignore the
3691error. */
3692
3693if (setgroups(0, NULL) != 0)
3694 {
3695 if (setgroups(1, group_list) != 0 && !unprivileged)
3696 {
3697 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3698 exit(EXIT_FAILURE);
3699 }
3700 }
3701
3702/* If the configuration file name has been altered by an argument on the
3703command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3704not root, or if this is a filter testing run, remove any setuid privilege the
3705program has and run as the underlying user.
059ec3d9 3706
cd25e41d
DW
3707The exim user is locked out of this, which severely restricts the use of -C
3708for some purposes.
059ec3d9
PH
3709
3710Otherwise, set the real ids to the effective values (should be root unless run
3711from inetd, which it can either be root or the exim uid, if one is configured).
3712
3713There is a private mechanism for bypassing some of this, in order to make it
3714possible to test lots of configurations automatically, without having either to
3715recompile each time, or to patch in an actual configuration file name and other
3716values (such as the path name). If running in the test harness, pretend that
3717configuration file changes and macro definitions haven't happened. */
3718
3719if (( /* EITHER */
a7cbbf50 3720 (!trusted_config || /* Config changed, or */
a4034eb8 3721 !macros_trusted(opt_D_used)) && /* impermissible macros and */
059ec3d9 3722 real_uid != root_uid && /* Not root, and */
059ec3d9
PH
3723 !running_in_test_harness /* Not fudged */
3724 ) || /* OR */
3725 expansion_test /* expansion testing */
3726 || /* OR */
f05da2e8 3727 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3728 {
3729 setgroups(group_count, group_list);
3730 exim_setugid(real_uid, real_gid, FALSE,
3731 US"-C, -D, -be or -bf forces real uid");
3732 removed_privilege = TRUE;
3733
3734 /* In the normal case when Exim is called like this, stderr is available
3735 and should be used for any logging information because attempts to write
3736 to the log will usually fail. To arrange this, we unset really_exim. However,
3737 if no stderr is available there is no point - we might as well have a go
b7487bce 3738 at the log (if it fails, syslog will be written).
059ec3d9 3739
b7487bce
PP
3740 Note that if the invoker is Exim, the logs remain available. Messing with
3741 this causes unlogged successful deliveries. */
3742
3743 if ((log_stderr != NULL) && (real_uid != exim_uid))
3744 really_exim = FALSE;
059ec3d9
PH
3745 }
3746
3747/* Privilege is to be retained for the moment. It may be dropped later,
3748depending on the job that this Exim process has been asked to do. For now, set
3749the real uid to the effective so that subsequent re-execs of Exim are done by a
3750privileged user. */
3751
3752else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3753
f05da2e8 3754/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3755setups and reading the message. */
3756
f05da2e8
PH
3757if ((filter_test & FTEST_SYSTEM) != 0)
3758 {
3759 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3760 if (filter_sfd < 0)
3761 {
3762 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3763 strerror(errno));
3764 return EXIT_FAILURE;
3765 }
3766 }
3767
3768if ((filter_test & FTEST_USER) != 0)
059ec3d9 3769 {
f05da2e8
PH
3770 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3771 if (filter_ufd < 0)
059ec3d9 3772 {
f05da2e8 3773 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9
PH
3774 strerror(errno));
3775 return EXIT_FAILURE;
3776 }
3777 }
3778
8829633f
PP
3779/* Initialise lookup_list
3780If debugging, already called above via version reporting.
3781In either case, we initialise the list of available lookups while running
3782as root. All dynamically modules are loaded from a directory which is
3783hard-coded into the binary and is code which, if not a module, would be
3784part of Exim already. Ability to modify the content of the directory
3785is equivalent to the ability to modify a setuid binary!
3786
3787This needs to happen before we read the main configuration. */
3788init_lookup_list();
3789
8c5d388a 3790#ifdef SUPPORT_I18N
9d4319df
JH
3791if (running_in_test_harness) smtputf8_advertise_hosts = NULL;
3792#endif
3793
059ec3d9
PH
3794/* Read the main runtime configuration data; this gives up if there
3795is a failure. It leaves the configuration file open so that the subsequent
3de973a2 3796configuration data for delivery can be read if needed.
059ec3d9 3797
3de973a2
HSHR
3798NOTE: immediatly after opening the configuration file we change the working
3799directory to "/"! Later we change to $spool_directory. We do it there, because
3800during readconf_main() some expansion takes place already. */
bc3c7bb7 3801
3615fa9a 3802/* Store the initial cwd before we change directories */
3ae121c9 3803if ((initial_cwd = os_getcwd(NULL, 0)) == NULL)
fae3a611
HSHR
3804 {
3805 perror("exim: can't get the current working directory");
3806 exit(EXIT_FAILURE);
3807 }
3615fa9a 3808
34e86e20
HSHR
3809/* checking:
3810 -be[m] expansion test -
3811 -b[fF] filter test new
3812 -bh[c] host test -
3813 -bmalware malware_test_file new
3814 -brt retry test new
3815 -brw rewrite test new
3816 -bt address test -
3817 -bv[s] address verify -
3818 list_options:
3819 -bP <option> (except -bP config, which sets list_config)
3820
3821If any of these options is set, we suppress warnings about configuration
3822issues (currently about tls_advertise_hosts and keep_environment not being
3823defined) */
3824
3825readconf_main(checking || list_options);
059ec3d9 3826
32b8ce41
JH
3827if (builtin_macros_create_trigger) DEBUG(D_any)
3828 debug_printf("Builtin macros created (expensive) due to config line '%.*s'\n",
3829 Ustrlen(builtin_macros_create_trigger)-1, builtin_macros_create_trigger);
3830
3de973a2
HSHR
3831/* Now in directory "/" */
3832
bc3c7bb7
HSHR
3833if (cleanup_environment() == FALSE)
3834 log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
3835
3836
a3fb9793
PP
3837/* If an action on specific messages is requested, or if a daemon or queue
3838runner is being started, we need to know if Exim was called by an admin user.
3839This is the case if the real user is root or exim, or if the real group is
3840exim, or if one of the supplementary groups is exim or a group listed in
3841admin_groups. We don't fail all message actions immediately if not admin_user,
3842since some actions can be performed by non-admin users. Instead, set admin_user
3843for later interrogation. */
3844
3845if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3846 admin_user = TRUE;
3847else
3848 {
3849 int i, j;
32b8ce41
JH
3850 for (i = 0; i < group_count && !admin_user; i++)
3851 if (group_list[i] == exim_gid)
3852 admin_user = TRUE;
3853 else if (admin_groups)
3854 for (j = 1; j <= (int)admin_groups[0] && !admin_user; j++)
a3fb9793 3855 if (admin_groups[j] == group_list[i])
32b8ce41 3856 admin_user = TRUE;
a3fb9793
PP
3857 }
3858
3859/* Another group of privileged users are the trusted users. These are root,
3860exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3861are permitted to specify sender_addresses with -f on the command line, and
3862other message parameters as well. */
3863
3864if (real_uid == root_uid || real_uid == exim_uid)
3865 trusted_caller = TRUE;
3866else
3867 {
3868 int i, j;
3869
32b8ce41
JH
3870 if (trusted_users)
3871 for (i = 1; i <= (int)trusted_users[0] && !trusted_caller; i++)
a3fb9793 3872 if (trusted_users[i] == real_uid)
32b8ce41 3873 trusted_caller = TRUE;
a3fb9793 3874
32b8ce41
JH
3875 if (trusted_groups)
3876 for (i = 1; i <= (int)trusted_groups[0] && !trusted_caller; i++)
a3fb9793
PP
3877 if (trusted_groups[i] == real_gid)
3878 trusted_caller = TRUE;
32b8ce41 3879 else for (j = 0; j < group_count && !trusted_caller; j++)
a3fb9793 3880 if (trusted_groups[i] == group_list[j])
32b8ce41 3881 trusted_caller = TRUE;
a3fb9793
PP
3882 }
3883
f33875c3
PP
3884/* At this point, we know if the user is privileged and some command-line
3885options become possibly imperssible, depending upon the configuration file. */
3886
3887if (checking && commandline_checks_require_admin && !admin_user) {
3888 fprintf(stderr, "exim: those command-line flags are set to require admin\n");
3889 exit(EXIT_FAILURE);
3890}
3891