Recast more internal string routines to use growable-strings
[exim.git] / src / src / exim.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8
9/* The main function: entry point, initialization, and high-level control.
10Also a few functions that don't naturally fit elsewhere. */
11
12
13#include "exim.h"
14
98913c8e 15#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
16# include <gnu/libc-version.h>
17#endif
18
f797c123
JH
19#ifdef USE_GNUTLS
20# include <gnutls/gnutls.h>
21# if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22# define DISABLE_OCSP
23# endif
24#endif
25
6545de78
PP
26extern void init_lookup_list(void);
27
059ec3d9
PH
28
29
30/*************************************************
31* Function interface to store functions *
32*************************************************/
33
34/* We need some real functions to pass to the PCRE regular expression library
35for store allocation via Exim's store manager. The normal calls are actually
36macros that pass over location information to make tracing easier. These
37functions just interface to the standard macro calls. A good compiler will
38optimize out the tail recursion and so not make them too expensive. There
39are two sets of functions; one for use when we want to retain the compiled
40regular expression for a long time; the other for short-term use. */
41
42static void *
43function_store_get(size_t size)
44{
45return store_get((int)size);
46}
47
48static void
49function_dummy_free(void *block) { block = block; }
50
51static void *
52function_store_malloc(size_t size)
53{
54return store_malloc((int)size);
55}
56
57static void
58function_store_free(void *block)
59{
60store_free(block);
61}
62
63
64
65
66/*************************************************
98a90c36
PP
67* Enums for cmdline interface *
68*************************************************/
69
70enum commandline_info { CMDINFO_NONE=0,
36a3ae5f 71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
98a90c36
PP
72
73
74
75
76/*************************************************
059ec3d9
PH
77* Compile regular expression and panic on fail *
78*************************************************/
79
80/* This function is called when failure to compile a regular expression leads
81to a panic exit. In other cases, pcre_compile() is called directly. In many
82cases where this function is used, the results of the compilation are to be
83placed in long-lived store, so we temporarily reset the store management
84functions that PCRE uses if the use_malloc flag is set.
85
86Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91Returns: pointer to the compiled pattern
92*/
93
94const pcre *
476be7e2 95regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
059ec3d9
PH
96{
97int offset;
98int options = PCRE_COPT;
99const pcre *yield;
100const uschar *error;
101if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106if (caseless) options |= PCRE_CASELESS;
476be7e2 107yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
059ec3d9
PH
108pcre_malloc = function_store_get;
109pcre_free = function_dummy_free;
110if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113return yield;
114}
115
116
117
118
119/*************************************************
120* Execute regular expression and set strings *
121*************************************************/
122
123/* This function runs a regular expression match, and sets up the pointers to
124the matched substrings.
125
126Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134Returns: TRUE or FALSE
135*/
136
137BOOL
1dc92d5a 138regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
059ec3d9
PH
139{
140int ovector[3*(EXPAND_MAXN+1)];
1dc92d5a
JH
141uschar * s = string_copy(subject); /* de-constifying */
142int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
ee8b8090 143 PCRE_EOPT | options, ovector, nelem(ovector));
059ec3d9
PH
144BOOL yield = n >= 0;
145if (n == 0) n = EXPAND_MAXN + 1;
146if (yield)
147 {
148 int nn;
ee8b8090
JH
149 expand_nmax = setup < 0 ? 0 : setup + 1;
150 for (nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
059ec3d9 151 {
1dc92d5a 152 expand_nstring[expand_nmax] = s + ovector[nn];
059ec3d9
PH
153 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
154 }
155 expand_nmax--;
156 }
157return yield;
158}
159
160
161
162
163/*************************************************
921b12ca
TF
164* Set up processing details *
165*************************************************/
166
167/* Save a text string for dumping when SIGUSR1 is received.
168Do checks for overruns.
169
170Arguments: format and arguments, as for printf()
171Returns: nothing
172*/
173
174void
175set_process_info(const char *format, ...)
176{
d12746bc
JH
177gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
178gstring * g;
179int len;
921b12ca 180va_list ap;
d12746bc
JH
181
182g = string_fmt_append(&gs, "%5d ", (int)getpid());
183len = g->ptr;
921b12ca 184va_start(ap, format);
d12746bc
JH
185if (!string_vformat(g, FALSE, format, ap))
186 {
187 gs.ptr = len;
188 g = string_cat(&gs, US"**** string overflowed buffer ****");
189 }
190g = string_catn(g, US"\n", 1);
191string_from_gstring(g);
192process_info_len = g->ptr;
921b12ca
TF
193DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
194va_end(ap);
195}
196
830832c9
HSHR
197/***********************************************
198* Handler for SIGTERM *
199***********************************************/
921b12ca 200
830832c9
HSHR
201static void
202term_handler(int sig)
203{
204 exit(1);
205}
921b12ca
TF
206
207
208/*************************************************
059ec3d9
PH
209* Handler for SIGUSR1 *
210*************************************************/
211
212/* SIGUSR1 causes any exim process to write to the process log details of
213what it is currently doing. It will only be used if the OS is capable of
214setting up a handler that causes automatic restarting of any system call
215that is in progress at the time.
216
921b12ca
TF
217This function takes care to be signal-safe.
218
059ec3d9
PH
219Argument: the signal number (SIGUSR1)
220Returns: nothing
221*/
222
223static void
224usr1_handler(int sig)
225{
921b12ca
TF
226int fd;
227
228os_restarting_signal(sig, usr1_handler);
229
cab0c277 230if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
921b12ca
TF
231 {
232 /* If we are already running as the Exim user, try to create it in the
233 current process (assuming spool_directory exists). Otherwise, if we are
234 root, do the creation in an exim:exim subprocess. */
235
236 int euid = geteuid();
237 if (euid == exim_uid)
238 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
239 else if (euid == root_uid)
240 fd = log_create_as_exim(process_log_path);
241 }
242
243/* If we are neither exim nor root, or if we failed to create the log file,
244give up. There is not much useful we can do with errors, since we don't want
245to disrupt whatever is going on outside the signal handler. */
246
247if (fd < 0) return;
248
2f21487f 249(void)write(fd, process_info, process_info_len);
921b12ca 250(void)close(fd);
059ec3d9
PH
251}
252
253
254
255/*************************************************
256* Timeout handler *
257*************************************************/
258
259/* This handler is enabled most of the time that Exim is running. The handler
260doesn't actually get used unless alarm() has been called to set a timer, to
261place a time limit on a system call of some kind. When the handler is run, it
262re-enables itself.
263
264There are some other SIGALRM handlers that are used in special cases when more
265than just a flag setting is required; for example, when reading a message's
266input. These are normally set up in the code module that uses them, and the
267SIGALRM handler is reset to this one afterwards.
268
269Argument: the signal value (SIGALRM)
270Returns: nothing
271*/
272
273void
274sigalrm_handler(int sig)
275{
276sig = sig; /* Keep picky compilers happy */
277sigalrm_seen = TRUE;
278os_non_restarting_signal(SIGALRM, sigalrm_handler);
279}
280
281
282
283/*************************************************
284* Sleep for a fractional time interval *
285*************************************************/
286
287/* This function is called by millisleep() and exim_wait_tick() to wait for a
288period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
289tedious. We do not expect setitimer() ever to fail, but if it does, the process
290will wait for ever, so we panic in this instance. (There was a case of this
291when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 292That's when I added the check. :-)
059ec3d9 293
0f8ba377
JH
294We assume it to be not worth sleeping for under 100us; this value will
295require revisiting as hardware advances. This avoids the issue of
296a zero-valued timer setting meaning "never fire".
297
059ec3d9
PH
298Argument: an itimerval structure containing the interval
299Returns: nothing
300*/
301
302static void
303milliwait(struct itimerval *itval)
304{
305sigset_t sigmask;
306sigset_t old_sigmask;
0f8ba377
JH
307
308if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
309 return;
059ec3d9
PH
310(void)sigemptyset(&sigmask); /* Empty mask */
311(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
312(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 313if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
314 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
315 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
316(void)sigfillset(&sigmask); /* All signals */
317(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
318(void)sigsuspend(&sigmask); /* Until SIGALRM */
319(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
320}
321
322
323
324
325/*************************************************
326* Millisecond sleep function *
327*************************************************/
328
329/* The basic sleep() function has a granularity of 1 second, which is too rough
330in some cases - for example, when using an increasing delay to slow down
331spammers.
332
333Argument: number of millseconds
334Returns: nothing
335*/
336
337void
338millisleep(int msec)
339{
340struct itimerval itval;
341itval.it_interval.tv_sec = 0;
342itval.it_interval.tv_usec = 0;
343itval.it_value.tv_sec = msec/1000;
344itval.it_value.tv_usec = (msec % 1000) * 1000;
345milliwait(&itval);
346}
347
348
349
350/*************************************************
351* Compare microsecond times *
352*************************************************/
353
354/*
355Arguments:
356 tv1 the first time
357 tv2 the second time
358
359Returns: -1, 0, or +1
360*/
361
32dfdf8b 362static int
059ec3d9
PH
363exim_tvcmp(struct timeval *t1, struct timeval *t2)
364{
365if (t1->tv_sec > t2->tv_sec) return +1;
366if (t1->tv_sec < t2->tv_sec) return -1;
367if (t1->tv_usec > t2->tv_usec) return +1;
368if (t1->tv_usec < t2->tv_usec) return -1;
369return 0;
370}
371
372
373
374
375/*************************************************
376* Clock tick wait function *
377*************************************************/
378
379/* Exim uses a time + a pid to generate a unique identifier in two places: its
380message IDs, and in file names for maildir deliveries. Because some OS now
381re-use pids within the same second, sub-second times are now being used.
4c04137d 382However, for absolute certainty, we must ensure the clock has ticked before
059ec3d9
PH
383allowing the relevant process to complete. At the time of implementation of
384this code (February 2003), the speed of processors is such that the clock will
385invariably have ticked already by the time a process has done its job. This
386function prepares for the time when things are faster - and it also copes with
387clocks that go backwards.
388
389Arguments:
390 then_tv A timeval which was used to create uniqueness; its usec field
391 has been rounded down to the value of the resolution.
392 We want to be sure the current time is greater than this.
393 resolution The resolution that was used to divide the microseconds
394 (1 for maildir, larger for message ids)
395
396Returns: nothing
397*/
398
399void
400exim_wait_tick(struct timeval *then_tv, int resolution)
401{
402struct timeval now_tv;
403long int now_true_usec;
404
405(void)gettimeofday(&now_tv, NULL);
406now_true_usec = now_tv.tv_usec;
407now_tv.tv_usec = (now_true_usec/resolution) * resolution;
408
409if (exim_tvcmp(&now_tv, then_tv) <= 0)
410 {
411 struct itimerval itval;
412 itval.it_interval.tv_sec = 0;
413 itval.it_interval.tv_usec = 0;
414 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
415 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
416
417 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
418 negative value for the microseconds is possible only in the case when "now"
419 is more than a second less than "then". That means that itval.it_value.tv_sec
420 is greater than zero. The following correction is therefore safe. */
421
422 if (itval.it_value.tv_usec < 0)
423 {
424 itval.it_value.tv_usec += 1000000;
425 itval.it_value.tv_sec -= 1;
426 }
427
428 DEBUG(D_transport|D_receive)
429 {
8768d548 430 if (!f.running_in_test_harness)
059ec3d9 431 {
d0291a0a 432 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
7437665e
JH
433 then_tv->tv_sec, (long) then_tv->tv_usec,
434 now_tv.tv_sec, (long) now_tv.tv_usec);
d0291a0a
JH
435 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
436 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
059ec3d9
PH
437 }
438 }
439
440 milliwait(&itval);
441 }
442}
443
444
445
446
447/*************************************************
2632889e
PH
448* Call fopen() with umask 777 and adjust mode *
449*************************************************/
450
451/* Exim runs with umask(0) so that files created with open() have the mode that
452is specified in the open() call. However, there are some files, typically in
453the spool directory, that are created with fopen(). They end up world-writeable
454if no precautions are taken. Although the spool directory is not accessible to
455the world, this is an untidiness. So this is a wrapper function for fopen()
456that sorts out the mode of the created file.
457
458Arguments:
459 filename the file name
460 options the fopen() options
461 mode the required mode
462
463Returns: the fopened FILE or NULL
464*/
465
466FILE *
1ba28e2b 467modefopen(const uschar *filename, const char *options, mode_t mode)
2632889e 468{
67d175de
PH
469mode_t saved_umask = umask(0777);
470FILE *f = Ufopen(filename, options);
471(void)umask(saved_umask);
2632889e
PH
472if (f != NULL) (void)fchmod(fileno(f), mode);
473return f;
474}
475
476
477
478
479/*************************************************
059ec3d9
PH
480* Ensure stdin, stdout, and stderr exist *
481*************************************************/
482
483/* Some operating systems grumble if an exec() happens without a standard
484input, output, and error (fds 0, 1, 2) being defined. The worry is that some
485file will be opened and will use these fd values, and then some other bit of
486code will assume, for example, that it can write error messages to stderr.
487This function ensures that fds 0, 1, and 2 are open if they do not already
488exist, by connecting them to /dev/null.
489
490This function is also used to ensure that std{in,out,err} exist at all times,
491so that if any library that Exim calls tries to use them, it doesn't crash.
492
493Arguments: None
494Returns: Nothing
495*/
496
497void
498exim_nullstd(void)
499{
500int i;
501int devnull = -1;
502struct stat statbuf;
503for (i = 0; i <= 2; i++)
504 {
505 if (fstat(i, &statbuf) < 0 && errno == EBADF)
506 {
507 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
508 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
509 string_open_failed(errno, "/dev/null"));
1fe64dcc 510 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
511 }
512 }
1fe64dcc 513if (devnull > 2) (void)close(devnull);
059ec3d9
PH
514}
515
516
517
518
519/*************************************************
520* Close unwanted file descriptors for delivery *
521*************************************************/
522
523/* This function is called from a new process that has been forked to deliver
524an incoming message, either directly, or using exec.
525
526We want any smtp input streams to be closed in this new process. However, it
527has been observed that using fclose() here causes trouble. When reading in -bS
528input, duplicate copies of messages have been seen. The files will be sharing a
529file pointer with the parent process, and it seems that fclose() (at least on
530some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
531least sometimes. Hence we go for closing the underlying file descriptors.
532
533If TLS is active, we want to shut down the TLS library, but without molesting
534the parent's SSL connection.
535
536For delivery of a non-SMTP message, we want to close stdin and stdout (and
537stderr unless debugging) because the calling process might have set them up as
538pipes and be waiting for them to close before it waits for the submission
539process to terminate. If they aren't closed, they hold up the calling process
540until the initial delivery process finishes, which is not what we want.
541
542Exception: We do want it for synchronous delivery!
543
544And notwithstanding all the above, if D_resolver is set, implying resolver
545debugging, leave stdout open, because that's where the resolver writes its
546debugging output.
547
548When we close stderr (which implies we've also closed stdout), we also get rid
549of any controlling terminal.
550
551Arguments: None
552Returns: Nothing
553*/
554
555static void
556close_unwanted(void)
557{
558if (smtp_input)
559 {
74f1a423
JH
560#ifdef SUPPORT_TLS
561 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
562#endif
1fe64dcc
PH
563 (void)close(fileno(smtp_in));
564 (void)close(fileno(smtp_out));
059ec3d9
PH
565 smtp_in = NULL;
566 }
567else
568 {
1fe64dcc
PH
569 (void)close(0); /* stdin */
570 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
571 if (debug_selector == 0) /* stderr */
059ec3d9 572 {
8768d548 573 if (!f.synchronous_delivery)
059ec3d9 574 {
1fe64dcc 575 (void)close(2);
059ec3d9
PH
576 log_stderr = NULL;
577 }
578 (void)setsid();
579 }
580 }
581}
582
583
584
585
586/*************************************************
587* Set uid and gid *
588*************************************************/
589
590/* This function sets a new uid and gid permanently, optionally calling
591initgroups() to set auxiliary groups. There are some special cases when running
592Exim in unprivileged modes. In these situations the effective uid will not be
593root; if we already have the right effective uid/gid, and don't need to
594initialize any groups, leave things as they are.
595
596Arguments:
597 uid the uid
598 gid the gid
599 igflag TRUE if initgroups() wanted
600 msg text to use in debugging output and failure log
601
602Returns: nothing; bombs out on failure
603*/
604
605void
606exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
607{
608uid_t euid = geteuid();
609gid_t egid = getegid();
610
611if (euid == root_uid || euid != uid || egid != gid || igflag)
612 {
613 /* At least one OS returns +1 for initgroups failure, so just check for
614 non-zero. */
615
616 if (igflag)
617 {
618 struct passwd *pw = getpwuid(uid);
9af3c549
JH
619 if (!pw)
620 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
621 "no passwd entry for uid=%ld", (long int)uid);
622
623 if (initgroups(pw->pw_name, gid) != 0)
624 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
625 (long int)uid, strerror(errno));
059ec3d9
PH
626 }
627
628 if (setgid(gid) < 0 || setuid(uid) < 0)
059ec3d9
PH
629 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
630 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
059ec3d9
PH
631 }
632
633/* Debugging output included uid/gid and all groups */
634
635DEBUG(D_uid)
636 {
cd59ab18 637 int group_count, save_errno;
157d73b5 638 gid_t group_list[EXIM_GROUPLIST_SIZE];
059ec3d9
PH
639 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
640 (long int)geteuid(), (long int)getegid(), (long int)getpid());
157d73b5 641 group_count = getgroups(nelem(group_list), group_list);
cd59ab18 642 save_errno = errno;
059ec3d9
PH
643 debug_printf(" auxiliary group list:");
644 if (group_count > 0)
645 {
646 int i;
647 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
648 }
cd59ab18
PP
649 else if (group_count < 0)
650 debug_printf(" <error: %s>", strerror(save_errno));
059ec3d9
PH
651 else debug_printf(" <none>");
652 debug_printf("\n");
653 }
654}
655
656
657
658
659/*************************************************
660* Exit point *
661*************************************************/
662
663/* Exim exits via this function so that it always clears up any open
664databases.
665
666Arguments:
667 rc return code
668
669Returns: does not return
670*/
671
672void
9bfb7e1b 673exim_exit(int rc, const uschar * process)
059ec3d9
PH
674{
675search_tidyup();
676DEBUG(D_any)
9bfb7e1b
JH
677 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
678 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
679 process ? "(" : "", process, process ? ") " : "", rc);
059ec3d9
PH
680exit(rc);
681}
682
683
684
9af3c549
JH
685/* Print error string, then die */
686static void
687exim_fail(const char * fmt, ...)
688{
689va_list ap;
690va_start(ap, fmt);
691vfprintf(stderr, fmt, ap);
692exit(EXIT_FAILURE);
693}
694
695
059ec3d9
PH
696
697/*************************************************
698* Extract port from host address *
699*************************************************/
700
701/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
702It also checks the syntax of the address, and terminates it before the
703port data when a port is extracted.
059ec3d9
PH
704
705Argument:
706 address the address, with possible port on the end
707
708Returns: the port, or zero if there isn't one
709 bombs out on a syntax error
710*/
711
712static int
713check_port(uschar *address)
714{
7cd1141b 715int port = host_address_extract_port(address);
8e669ac1 716if (string_is_ip_address(address, NULL) == 0)
9af3c549 717 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
059ec3d9
PH
718return port;
719}
720
721
722
723/*************************************************
724* Test/verify an address *
725*************************************************/
726
727/* This function is called by the -bv and -bt code. It extracts a working
728address from a full RFC 822 address. This isn't really necessary per se, but it
729has the effect of collapsing source routes.
730
731Arguments:
732 s the address string
733 flags flag bits for verify_address()
734 exit_value to be set for failures
735
a5a28604 736Returns: nothing
059ec3d9
PH
737*/
738
739static void
740test_address(uschar *s, int flags, int *exit_value)
741{
742int start, end, domain;
743uschar *parse_error = NULL;
744uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
745 FALSE);
746if (address == NULL)
747 {
748 fprintf(stdout, "syntax error: %s\n", parse_error);
749 *exit_value = 2;
750 }
751else
752 {
753 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 754 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
755 if (rc == FAIL) *exit_value = 2;
756 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
757 }
758}
759
760
761
762/*************************************************
059ec3d9
PH
763* Show supported features *
764*************************************************/
765
059ec3d9 766static void
96508de1 767show_db_version(FILE * f)
059ec3d9
PH
768{
769#ifdef DB_VERSION_STRING
96508de1
JH
770DEBUG(D_any)
771 {
772 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
773 fprintf(f, " Runtime: %s\n",
774 db_version(NULL, NULL, NULL));
775 }
776else
777 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
778
059ec3d9
PH
779#elif defined(BTREEVERSION) && defined(HASHVERSION)
780 #ifdef USE_DB
781 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
782 #else
783 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
784 #endif
96508de1 785
059ec3d9
PH
786#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
787fprintf(f, "Probably ndbm\n");
788#elif defined(USE_TDB)
789fprintf(f, "Using tdb\n");
790#else
791 #ifdef USE_GDBM
792 fprintf(f, "Probably GDBM (native mode)\n");
793 #else
794 fprintf(f, "Probably GDBM (compatibility mode)\n");
795 #endif
796#endif
96508de1
JH
797}
798
799
800/* This function is called for -bV/--version and for -d to output the optional
801features of the current Exim binary.
802
803Arguments: a FILE for printing
804Returns: nothing
805*/
806
807static void
8768d548 808show_whats_supported(FILE * fp)
96508de1
JH
809{
810auth_info * authi;
811
8768d548 812DEBUG(D_any) {} else show_db_version(fp);
059ec3d9 813
8768d548 814fprintf(fp, "Support for:");
9cec981f 815#ifdef SUPPORT_CRYPTEQ
8768d548 816 fprintf(fp, " crypteq");
9cec981f 817#endif
059ec3d9 818#if HAVE_ICONV
8768d548 819 fprintf(fp, " iconv()");
059ec3d9
PH
820#endif
821#if HAVE_IPV6
8768d548 822 fprintf(fp, " IPv6");
059ec3d9 823#endif
79378e0f 824#ifdef HAVE_SETCLASSRESOURCES
8768d548 825 fprintf(fp, " use_setclassresources");
929ba01c 826#endif
059ec3d9 827#ifdef SUPPORT_PAM
8768d548 828 fprintf(fp, " PAM");
059ec3d9
PH
829#endif
830#ifdef EXIM_PERL
8768d548 831 fprintf(fp, " Perl");
059ec3d9 832#endif
1a46a8c5 833#ifdef EXPAND_DLFUNC
8768d548 834 fprintf(fp, " Expand_dlfunc");
1a46a8c5 835#endif
059ec3d9 836#ifdef USE_TCP_WRAPPERS
8768d548 837 fprintf(fp, " TCPwrappers");
059ec3d9
PH
838#endif
839#ifdef SUPPORT_TLS
c11d665d 840# ifdef USE_GNUTLS
8768d548 841 fprintf(fp, " GnuTLS");
c11d665d 842# else
8768d548 843 fprintf(fp, " OpenSSL");
c11d665d 844# endif
059ec3d9 845#endif
b2f5a032 846#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
8768d548 847 fprintf(fp, " translate_ip_address");
b2f5a032 848#endif
f174f16e 849#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
8768d548 850 fprintf(fp, " move_frozen_messages");
f174f16e 851#endif
8523533c 852#ifdef WITH_CONTENT_SCAN
8768d548 853 fprintf(fp, " Content_Scanning");
8523533c 854#endif
c0635b6d 855#ifdef SUPPORT_DANE
8768d548 856 fprintf(fp, " DANE");
c0635b6d 857#endif
74f150bf 858#ifndef DISABLE_DKIM
8768d548 859 fprintf(fp, " DKIM");
74f150bf 860#endif
ef1bbb27 861#ifndef DISABLE_DNSSEC
8768d548 862 fprintf(fp, " DNSSEC");
ef1bbb27 863#endif
0cbf2b82 864#ifndef DISABLE_EVENT
8768d548 865 fprintf(fp, " Event");
0cbf2b82 866#endif
8c5d388a 867#ifdef SUPPORT_I18N
8768d548 868 fprintf(fp, " I18N");
8c5d388a 869#endif
74f150bf 870#ifndef DISABLE_OCSP
8768d548 871 fprintf(fp, " OCSP");
74f150bf 872#endif
4d832da1 873#ifndef DISABLE_PRDR
8768d548 874 fprintf(fp, " PRDR");
4d832da1 875#endif
cee5f132 876#ifdef SUPPORT_PROXY
8768d548 877 fprintf(fp, " PROXY");
cee5f132 878#endif
f0989ec0 879#ifdef SUPPORT_SOCKS
8768d548 880 fprintf(fp, " SOCKS");
f2de3a33 881#endif
7952eef9 882#ifdef SUPPORT_SPF
8768d548 883 fprintf(fp, " SPF");
7952eef9 884#endif
1a2dfad5 885#ifdef TCP_FASTOPEN
10ac8d7f 886 deliver_init();
8768d548 887 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
1a2dfad5 888#endif
5bde3efa 889#ifdef EXPERIMENTAL_LMDB
8768d548 890 fprintf(fp, " Experimental_LMDB");
5bde3efa 891#endif
3369a853 892#ifdef EXPERIMENTAL_QUEUEFILE
8768d548 893 fprintf(fp, " Experimental_QUEUEFILE");
3369a853 894#endif
8523533c 895#ifdef EXPERIMENTAL_SRS
8768d548 896 fprintf(fp, " Experimental_SRS");
8523533c 897#endif
617d3932 898#ifdef EXPERIMENTAL_ARC
8768d548 899 fprintf(fp, " Experimental_ARC");
617d3932 900#endif
8523533c 901#ifdef EXPERIMENTAL_BRIGHTMAIL
8768d548 902 fprintf(fp, " Experimental_Brightmail");
8523533c 903#endif
6a8f9482 904#ifdef EXPERIMENTAL_DCC
8768d548 905 fprintf(fp, " Experimental_DCC");
6a8f9482 906#endif
4840604e 907#ifdef EXPERIMENTAL_DMARC
8768d548 908 fprintf(fp, " Experimental_DMARC");
4840604e 909#endif
895fbaf2 910#ifdef EXPERIMENTAL_DSN_INFO
8768d548 911 fprintf(fp, " Experimental_DSN_info");
895fbaf2 912#endif
8ac90765 913#ifdef EXPERIMENTAL_REQUIRETLS
8768d548 914 fprintf(fp, " Experimental_REQUIRETLS");
8ac90765 915#endif
ee8b8090
JH
916#ifdef EXPERIMENTAL_PIPE_CONNECT
917 fprintf(fp, " Experimental_PIPE_CONNECT");
918#endif
8768d548 919fprintf(fp, "\n");
059ec3d9 920
8768d548 921fprintf(fp, "Lookups (built-in):");
e6d225ae 922#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
8768d548 923 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
059ec3d9 924#endif
e6d225ae 925#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
8768d548 926 fprintf(fp, " cdb");
059ec3d9 927#endif
e6d225ae 928#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
8768d548 929 fprintf(fp, " dbm dbmjz dbmnz");
059ec3d9 930#endif
e6d225ae 931#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
8768d548 932 fprintf(fp, " dnsdb");
059ec3d9 933#endif
e6d225ae 934#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
8768d548 935 fprintf(fp, " dsearch");
059ec3d9 936#endif
e6d225ae 937#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
8768d548 938 fprintf(fp, " ibase");
059ec3d9 939#endif
e6d225ae 940#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
8768d548 941 fprintf(fp, " ldap ldapdn ldapm");
059ec3d9 942#endif
5bde3efa 943#ifdef EXPERIMENTAL_LMDB
8768d548 944 fprintf(fp, " lmdb");
5bde3efa 945#endif
e6d225ae 946#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
8768d548 947 fprintf(fp, " mysql");
059ec3d9 948#endif
e6d225ae 949#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
8768d548 950 fprintf(fp, " nis nis0");
059ec3d9 951#endif
e6d225ae 952#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
8768d548 953 fprintf(fp, " nisplus");
059ec3d9 954#endif
e6d225ae 955#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
8768d548 956 fprintf(fp, " oracle");
059ec3d9 957#endif
e6d225ae 958#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
8768d548 959 fprintf(fp, " passwd");
059ec3d9 960#endif
e6d225ae 961#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
8768d548 962 fprintf(fp, " pgsql");
059ec3d9 963#endif
de78e2d5 964#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
8768d548 965 fprintf(fp, " redis");
de78e2d5 966#endif
e6d225ae 967#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
8768d548 968 fprintf(fp, " sqlite");
13b685f9 969#endif
e6d225ae 970#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
8768d548 971 fprintf(fp, " testdb");
059ec3d9 972#endif
e6d225ae 973#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
8768d548 974 fprintf(fp, " whoson");
059ec3d9 975#endif
8768d548 976fprintf(fp, "\n");
059ec3d9 977
8768d548
JH
978auth_show_supported(fp);
979route_show_supported(fp);
980transport_show_supported(fp);
059ec3d9 981
c11d665d 982#ifdef WITH_CONTENT_SCAN
8768d548 983malware_show_supported(fp);
c11d665d
JH
984#endif
985
059ec3d9
PH
986if (fixed_never_users[0] > 0)
987 {
988 int i;
8768d548 989 fprintf(fp, "Fixed never_users: ");
059ec3d9 990 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
8768d548
JH
991 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
992 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
059ec3d9 993 }
21c28500 994
8768d548 995fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
19bfe9e7 996
8768d548 997fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725 998
6545de78
PP
999/* Everything else is details which are only worth reporting when debugging.
1000Perhaps the tls_version_report should move into this too. */
1001DEBUG(D_any) do {
1002
1003 int i;
1004
b3c261f7
PP
1005/* clang defines __GNUC__ (at least, for me) so test for it first */
1006#if defined(__clang__)
8768d548 1007 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
b3c261f7 1008#elif defined(__GNUC__)
8768d548 1009 fprintf(fp, "Compiler: GCC [%s]\n",
b3c261f7
PP
1010# ifdef __VERSION__
1011 __VERSION__
1012# else
1013 "? unknown version ?"
1014# endif
1015 );
1016#else
8768d548 1017 fprintf(fp, "Compiler: <unknown>\n");
b3c261f7
PP
1018#endif
1019
98913c8e 1020#if defined(__GLIBC__) && !defined(__UCLIBC__)
8768d548 1021 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
01f3091a
JH
1022 __GLIBC__, __GLIBC_MINOR__);
1023 if (__GLIBC_PREREQ(2, 1))
8768d548 1024 fprintf(fp, " Runtime: %s\n",
01f3091a
JH
1025 gnu_get_libc_version());
1026#endif
1027
8768d548 1028show_db_version(fp);
96508de1 1029
754a0503 1030#ifdef SUPPORT_TLS
8768d548 1031 tls_version_report(fp);
754a0503 1032#endif
8c5d388a 1033#ifdef SUPPORT_I18N
8768d548 1034 utf8_version_report(fp);
b04be5e7 1035#endif
754a0503 1036
fc362fc5
JH
1037 for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
1038 if (authi->version_report)
8768d548 1039 (*authi->version_report)(fp);
6545de78 1040
decd95cb 1041 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
6475bd82
PP
1042 characters; unless it's an ancient version of PCRE in which case it
1043 is not defined. */
1044#ifndef PCRE_PRERELEASE
01f3091a 1045# define PCRE_PRERELEASE
6475bd82
PP
1046#endif
1047#define QUOTE(X) #X
1048#define EXPAND_AND_QUOTE(X) QUOTE(X)
8768d548 1049 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
6545de78
PP
1050 " Runtime: %s\n",
1051 PCRE_MAJOR, PCRE_MINOR,
6475bd82 1052 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
6545de78 1053 pcre_version());
6475bd82
PP
1054#undef QUOTE
1055#undef EXPAND_AND_QUOTE
6545de78
PP
1056
1057 init_lookup_list();
1058 for (i = 0; i < lookup_list_count; i++)
6545de78 1059 if (lookup_list[i]->version_report)
8768d548 1060 lookup_list[i]->version_report(fp);
6545de78 1061
b70d2586 1062#ifdef WHITELIST_D_MACROS
8768d548 1063 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
b70d2586 1064#else
8768d548 1065 fprintf(fp, "WHITELIST_D_MACROS unset\n");
b70d2586
PP
1066#endif
1067#ifdef TRUSTED_CONFIG_LIST
8768d548 1068 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
b70d2586 1069#else
8768d548 1070 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
b70d2586
PP
1071#endif
1072
6545de78 1073} while (0);
059ec3d9
PH
1074}
1075
1076
98a90c36
PP
1077/*************************************************
1078* Show auxiliary information about Exim *
1079*************************************************/
1080
1081static void
1082show_exim_information(enum commandline_info request, FILE *stream)
1083{
1084const uschar **pp;
1085
1086switch(request)
1087 {
1088 case CMDINFO_NONE:
1089 fprintf(stream, "Oops, something went wrong.\n");
1090 return;
1091 case CMDINFO_HELP:
1092 fprintf(stream,
1093"The -bI: flag takes a string indicating which information to provide.\n"
1094"If the string is not recognised, you'll get this help (on stderr).\n"
1095"\n"
1096" exim -bI:help this information\n"
030caf2a
JS
1097" exim -bI:dscp list of known dscp value keywords\n"
1098" exim -bI:sieve list of supported sieve extensions\n"
98a90c36
PP
1099);
1100 return;
1101 case CMDINFO_SIEVE:
1102 for (pp = exim_sieve_extension_list; *pp; ++pp)
1103 fprintf(stream, "%s\n", *pp);
1104 return;
36a3ae5f
PP
1105 case CMDINFO_DSCP:
1106 dscp_list_to_stream(stream);
1107 return;
98a90c36
PP
1108 }
1109}
059ec3d9
PH
1110
1111
1112/*************************************************
1113* Quote a local part *
1114*************************************************/
1115
1116/* This function is used when a sender address or a From: or Sender: header
1117line is being created from the caller's login, or from an authenticated_id. It
1118applies appropriate quoting rules for a local part.
1119
1120Argument: the local part
1121Returns: the local part, quoted if necessary
1122*/
1123
1124uschar *
1125local_part_quote(uschar *lpart)
1126{
1127BOOL needs_quote = FALSE;
acec9514 1128gstring * g;
059ec3d9
PH
1129uschar *t;
1130
1131for (t = lpart; !needs_quote && *t != 0; t++)
1132 {
1133 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1134 (*t != '.' || t == lpart || t[1] == 0);
1135 }
1136
1137if (!needs_quote) return lpart;
1138
acec9514 1139g = string_catn(NULL, US"\"", 1);
059ec3d9
PH
1140
1141for (;;)
1142 {
1143 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1144 if (nq == NULL)
1145 {
acec9514 1146 g = string_cat(g, lpart);
059ec3d9
PH
1147 break;
1148 }
acec9514
JH
1149 g = string_catn(g, lpart, nq - lpart);
1150 g = string_catn(g, US"\\", 1);
1151 g = string_catn(g, nq, 1);
059ec3d9
PH
1152 lpart = nq + 1;
1153 }
1154
acec9514
JH
1155g = string_catn(g, US"\"", 1);
1156return string_from_gstring(g);
059ec3d9
PH
1157}
1158
1159
1160
1161#ifdef USE_READLINE
1162/*************************************************
1163* Load readline() functions *
1164*************************************************/
1165
1166/* This function is called from testing executions that read data from stdin,
1167but only when running as the calling user. Currently, only -be does this. The
1168function loads the readline() function library and passes back the functions.
1169On some systems, it needs the curses library, so load that too, but try without
1170it if loading fails. All this functionality has to be requested at build time.
1171
1172Arguments:
1173 fn_readline_ptr pointer to where to put the readline pointer
1174 fn_addhist_ptr pointer to where to put the addhistory function
1175
1176Returns: the dlopen handle or NULL on failure
1177*/
1178
1179static void *
1ba28e2b
PP
1180set_readline(char * (**fn_readline_ptr)(const char *),
1181 void (**fn_addhist_ptr)(const char *))
059ec3d9
PH
1182{
1183void *dlhandle;
e12f8c32 1184void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
059ec3d9 1185
e12f8c32 1186dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
059ec3d9
PH
1187if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1188
1189if (dlhandle != NULL)
1190 {
1ba28e2b
PP
1191 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1192 * char * readline (const char *prompt);
1193 * void add_history (const char *string);
1194 */
1195 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1196 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
059ec3d9
PH
1197 }
1198else
1199 {
1200 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1201 }
1202
1203return dlhandle;
1204}
1205#endif
1206
1207
1208
1209/*************************************************
1210* Get a line from stdin for testing things *
1211*************************************************/
1212
1213/* This function is called when running tests that can take a number of lines
1214of input (for example, -be and -bt). It handles continuations and trailing
1215spaces. And prompting and a blank line output on eof. If readline() is in use,
1216the arguments are non-NULL and provide the relevant functions.
1217
1218Arguments:
1219 fn_readline readline function or NULL
1220 fn_addhist addhist function or NULL
1221
1222Returns: pointer to dynamic memory, or NULL at end of file
1223*/
1224
1225static uschar *
1ba28e2b 1226get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
059ec3d9
PH
1227{
1228int i;
acec9514 1229gstring * g = NULL;
059ec3d9 1230
acec9514 1231if (!fn_readline) { printf("> "); fflush(stdout); }
059ec3d9
PH
1232
1233for (i = 0;; i++)
1234 {
1235 uschar buffer[1024];
1236 uschar *p, *ss;
1237
1238 #ifdef USE_READLINE
1239 char *readline_line = NULL;
1240 if (fn_readline != NULL)
1241 {
1242 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1243 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1244 p = US readline_line;
1245 }
1246 else
1247 #endif
1248
1249 /* readline() not in use */
1250
1251 {
1252 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1253 p = buffer;
1254 }
1255
1256 /* Handle the line */
1257
1258 ss = p + (int)Ustrlen(p);
1259 while (ss > p && isspace(ss[-1])) ss--;
1260
1261 if (i > 0)
1262 {
1263 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1264 }
1265
acec9514 1266 g = string_catn(g, p, ss - p);
059ec3d9
PH
1267
1268 #ifdef USE_READLINE
acec9514 1269 if (fn_readline) free(readline_line);
059ec3d9
PH
1270 #endif
1271
acec9514
JH
1272 /* g can only be NULL if ss==p */
1273 if (ss == p || g->s[g->ptr-1] != '\\')
059ec3d9 1274 break;
acec9514
JH
1275
1276 --g->ptr;
1277 (void) string_from_gstring(g);
059ec3d9
PH
1278 }
1279
acec9514
JH
1280if (!g) printf("\n");
1281return string_from_gstring(g);
059ec3d9
PH
1282}
1283
1284
1285
1286/*************************************************
81ea09ca
NM
1287* Output usage information for the program *
1288*************************************************/
1289
1290/* This function is called when there are no recipients
1291 or a specific --help argument was added.
1292
1293Arguments:
1294 progname information on what name we were called by
1295
1296Returns: DOES NOT RETURN
1297*/
1298
1299static void
1300exim_usage(uschar *progname)
1301{
1302
4c04137d 1303/* Handle specific program invocation variants */
81ea09ca 1304if (Ustrcmp(progname, US"-mailq") == 0)
9af3c549 1305 exim_fail(
e765a0f1 1306 "mailq - list the contents of the mail queue\n\n"
81ea09ca 1307 "For a list of options, see the Exim documentation.\n");
81ea09ca
NM
1308
1309/* Generic usage - we output this whatever happens */
9af3c549 1310exim_fail(
81ea09ca
NM
1311 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1312 "not directly from a shell command line. Options and/or arguments control\n"
1313 "what it does when called. For a list of options, see the Exim documentation.\n");
81ea09ca
NM
1314}
1315
1316
1317
1318/*************************************************
a7cbbf50
PP
1319* Validate that the macros given are okay *
1320*************************************************/
1321
1322/* Typically, Exim will drop privileges if macros are supplied. In some
1323cases, we want to not do so.
1324
a4034eb8 1325Arguments: opt_D_used - true if the commandline had a "-D" option
a7cbbf50
PP
1326Returns: true if trusted, false otherwise
1327*/
1328
1329static BOOL
a4034eb8 1330macros_trusted(BOOL opt_D_used)
a7cbbf50
PP
1331{
1332#ifdef WHITELIST_D_MACROS
1333macro_item *m;
1a7c9a48 1334uschar *whitelisted, *end, *p, **whites, **w;
a7cbbf50
PP
1335int white_count, i, n;
1336size_t len;
1337BOOL prev_char_item, found;
1338#endif
1339
a4034eb8 1340if (!opt_D_used)
a7cbbf50
PP
1341 return TRUE;
1342#ifndef WHITELIST_D_MACROS
1343return FALSE;
1344#else
1345
66581d1e
PP
1346/* We only trust -D overrides for some invoking users:
1347root, the exim run-time user, the optional config owner user.
1348I don't know why config-owner would be needed, but since they can own the
1349config files anyway, there's no security risk to letting them override -D. */
1350if ( ! ((real_uid == root_uid)
1351 || (real_uid == exim_uid)
1352#ifdef CONFIGURE_OWNER
1353 || (real_uid == config_uid)
1354#endif
1355 ))
1356 {
1357 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1358 return FALSE;
1359 }
1360
a7cbbf50
PP
1361/* Get a list of macros which are whitelisted */
1362whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1363prev_char_item = FALSE;
1364white_count = 0;
1365for (p = whitelisted; *p != '\0'; ++p)
1366 {
1367 if (*p == ':' || isspace(*p))
1368 {
1369 *p = '\0';
1370 if (prev_char_item)
1371 ++white_count;
1372 prev_char_item = FALSE;
1373 continue;
1374 }
1375 if (!prev_char_item)
1376 prev_char_item = TRUE;
1377 }
1378end = p;
1379if (prev_char_item)
1380 ++white_count;
1381if (!white_count)
1382 return FALSE;
1383whites = store_malloc(sizeof(uschar *) * (white_count+1));
1384for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1385 {
1386 if (*p != '\0')
1387 {
1388 whites[i++] = p;
1389 if (i == white_count)
1390 break;
1391 while (*p != '\0' && p < end)
1392 ++p;
1393 }
1394 }
1395whites[i] = NULL;
1396
1a7c9a48
JH
1397/* The list of commandline macros should be very short.
1398Accept the N*M complexity. */
85e03244 1399for (m = macros_user; m; m = m->next) if (m->command_line)
1a7c9a48
JH
1400 {
1401 found = FALSE;
1402 for (w = whites; *w; ++w)
1403 if (Ustrcmp(*w, m->name) == 0)
1404 {
1405 found = TRUE;
1406 break;
1407 }
1408 if (!found)
1409 return FALSE;
1410 if (!m->replacement)
1411 continue;
1412 if ((len = m->replen) == 0)
1413 continue;
1414 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1415 0, PCRE_EOPT, NULL, 0);
1416 if (n < 0)
1417 {
1418 if (n != PCRE_ERROR_NOMATCH)
1419 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1420 return FALSE;
1421 }
1422 }
43236f35 1423DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
a7cbbf50
PP
1424return TRUE;
1425#endif
1426}
1427
1428
1429/*************************************************
9650d98a
JH
1430* Expansion testing *
1431*************************************************/
1432
1433/* Expand and print one item, doing macro-processing.
1434
1435Arguments:
1436 item line for expansion
1437*/
1438
1439static void
1440expansion_test_line(uschar * line)
1441{
1442int len;
1443BOOL dummy_macexp;
1444
1445Ustrncpy(big_buffer, line, big_buffer_size);
1446big_buffer[big_buffer_size-1] = '\0';
1447len = Ustrlen(big_buffer);
1448
1449(void) macros_expand(0, &len, &dummy_macexp);
1450
1451if (isupper(big_buffer[0]))
1452 {
1453 if (macro_read_assignment(big_buffer))
1a7c9a48 1454 printf("Defined macro '%s'\n", mlast->name);
9650d98a
JH
1455 }
1456else
1457 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1458 else printf("Failed: %s\n", expand_string_message);
1459}
1460
1461
9af3c549 1462
9650d98a 1463/*************************************************
059ec3d9
PH
1464* Entry point and high-level code *
1465*************************************************/
1466
1467/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1468the appropriate action. All the necessary functions are present in the one
1469binary. I originally thought one should split it up, but it turns out that so
1470much of the apparatus is needed in each chunk that one might as well just have
1471it all available all the time, which then makes the coding easier as well.
1472
1473Arguments:
1474 argc count of entries in argv
1475 argv argument strings, with argv[0] being the program name
1476
1477Returns: EXIT_SUCCESS if terminated successfully
1478 EXIT_FAILURE otherwise, except when a message has been sent
1479 to the sender, and -oee was given
1480*/
1481
1482int
1483main(int argc, char **cargv)
1484{
1485uschar **argv = USS cargv;
1486int arg_receive_timeout = -1;
1487int arg_smtp_receive_timeout = -1;
1488int arg_error_handling = error_handling;
f05da2e8
PH
1489int filter_sfd = -1;
1490int filter_ufd = -1;
059ec3d9 1491int group_count;
1670ef10 1492int i, rv;
059ec3d9
PH
1493int list_queue_option = 0;
1494int msg_action = 0;
1495int msg_action_arg = -1;
1496int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1497int queue_only_reason = 0;
1498#ifdef EXIM_PERL
1499int perl_start_option = 0;
1500#endif
1501int recipients_arg = argc;
1502int sender_address_domain = 0;
1503int test_retry_arg = -1;
1504int test_rewrite_arg = -1;
3b7ac02c 1505gid_t original_egid;
059ec3d9
PH
1506BOOL arg_queue_only = FALSE;
1507BOOL bi_option = FALSE;
1508BOOL checking = FALSE;
1509BOOL count_queue = FALSE;
1510BOOL expansion_test = FALSE;
1511BOOL extract_recipients = FALSE;
f4ee74ac 1512BOOL flag_G = FALSE;
12f69989 1513BOOL flag_n = FALSE;
059ec3d9
PH
1514BOOL forced_delivery = FALSE;
1515BOOL f_end_dot = FALSE;
1516BOOL deliver_give_up = FALSE;
1517BOOL list_queue = FALSE;
1518BOOL list_options = FALSE;
bf3c2c6b 1519BOOL list_config = FALSE;
059ec3d9
PH
1520BOOL local_queue_only;
1521BOOL more = TRUE;
1522BOOL one_msg_action = FALSE;
4ab69ec7 1523BOOL opt_D_used = FALSE;
059ec3d9
PH
1524BOOL queue_only_set = FALSE;
1525BOOL receiving_message = TRUE;
33d73e3b 1526BOOL sender_ident_set = FALSE;
8669f003 1527BOOL session_local_queue_only;
059ec3d9
PH
1528BOOL unprivileged;
1529BOOL removed_privilege = FALSE;
81ea09ca 1530BOOL usage_wanted = FALSE;
059ec3d9
PH
1531BOOL verify_address_mode = FALSE;
1532BOOL verify_as_sender = FALSE;
1533BOOL version_printed = FALSE;
1534uschar *alias_arg = NULL;
1535uschar *called_as = US"";
a3fb9793 1536uschar *cmdline_syslog_name = NULL;
059ec3d9
PH
1537uschar *start_queue_run_id = NULL;
1538uschar *stop_queue_run_id = NULL;
328895cc 1539uschar *expansion_test_message = NULL;
059ec3d9
PH
1540uschar *ftest_domain = NULL;
1541uschar *ftest_localpart = NULL;
1542uschar *ftest_prefix = NULL;
1543uschar *ftest_suffix = NULL;
0ad2e0fc 1544uschar *log_oneline = NULL;
8544e77a 1545uschar *malware_test_file = NULL;
059ec3d9
PH
1546uschar *real_sender_address;
1547uschar *originator_home = US"/";
a3fb9793 1548size_t sz;
059ec3d9
PH
1549void *reset_point;
1550
1551struct passwd *pw;
1552struct stat statbuf;
1553pid_t passed_qr_pid = (pid_t)0;
1554int passed_qr_pipe = -1;
157d73b5 1555gid_t group_list[EXIM_GROUPLIST_SIZE];
059ec3d9 1556
98a90c36
PP
1557/* For the -bI: flag */
1558enum commandline_info info_flag = CMDINFO_NONE;
1559BOOL info_stdout = FALSE;
1560
059ec3d9
PH
1561/* Possible options for -R and -S */
1562
1563static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1564
1565/* Need to define this in case we need to change the environment in order
1566to get rid of a bogus time zone. We have to make it char rather than uschar
1567because some OS define it in /usr/include/unistd.h. */
1568
1569extern char **environ;
1570
35edf2ff 1571/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1572defined by ref:name at build time, we must now find the actual uid/gid values.
1573This is a feature to make the lives of binary distributors easier. */
1574
1575#ifdef EXIM_USERNAME
1576if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1577 {
10385c15 1578 if (exim_uid == 0)
9af3c549
JH
1579 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1580
084c1d8c
PP
1581 /* If ref:name uses a number as the name, route_finduser() returns
1582 TRUE with exim_uid set and pw coerced to NULL. */
1583 if (pw)
1584 exim_gid = pw->pw_gid;
1585#ifndef EXIM_GROUPNAME
1586 else
9af3c549 1587 exim_fail(
084c1d8c
PP
1588 "exim: ref:name should specify a usercode, not a group.\n"
1589 "exim: can't let you get away with it unless you also specify a group.\n");
084c1d8c 1590#endif
059ec3d9
PH
1591 }
1592else
9af3c549 1593 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
059ec3d9
PH
1594#endif
1595
1596#ifdef EXIM_GROUPNAME
1597if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
9af3c549 1598 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
059ec3d9
PH
1599#endif
1600
1601#ifdef CONFIGURE_OWNERNAME
1602if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
9af3c549 1603 exim_fail("exim: failed to find uid for user name \"%s\"\n",
059ec3d9 1604 CONFIGURE_OWNERNAME);
059ec3d9
PH
1605#endif
1606
79d4bc3d
PP
1607/* We default the system_filter_user to be the Exim run-time user, as a
1608sane non-root value. */
1609system_filter_uid = exim_uid;
1610
35edf2ff
PH
1611#ifdef CONFIGURE_GROUPNAME
1612if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
9af3c549 1613 exim_fail("exim: failed to find gid for group name \"%s\"\n",
35edf2ff 1614 CONFIGURE_GROUPNAME);
35edf2ff
PH
1615#endif
1616
92e6a3d9
JH
1617/* In the Cygwin environment, some initialization used to need doing.
1618It was fudged in by means of this macro; now no longer but we'll leave
1619it in case of others. */
059ec3d9
PH
1620
1621#ifdef OS_INIT
1622OS_INIT
1623#endif
1624
1625/* Check a field which is patched when we are running Exim within its
1626testing harness; do a fast initial check, and then the whole thing. */
1627
8768d548 1628f.running_in_test_harness =
059ec3d9 1629 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
8768d548 1630if (f.running_in_test_harness)
65a32f85 1631 debug_store = TRUE;
059ec3d9
PH
1632
1633/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1634at the start of a program; however, it seems that some environments do not
1635follow this. A "strange" locale can affect the formatting of timestamps, so we
1636make quite sure. */
1637
1638setlocale(LC_ALL, "C");
1639
1640/* Set up the default handler for timing using alarm(). */
1641
1642os_non_restarting_signal(SIGALRM, sigalrm_handler);
1643
1644/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1645because store_malloc writes a log entry on failure. */
1646
40c90bca 1647if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
9af3c549 1648 exim_fail("exim: failed to get store for log buffer\n");
059ec3d9 1649
6c6d6e48
TF
1650/* Initialize the default log options. */
1651
1652bits_set(log_selector, log_selector_size, log_default);
1653
059ec3d9
PH
1654/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1655NULL when the daemon is run and the file is closed. We have to use this
1656indirection, because some systems don't allow writing to the variable "stderr".
1657*/
1658
1659if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1660
1661/* Arrange for the PCRE regex library to use our store functions. Note that
1662the normal calls are actually macros that add additional arguments for
1663debugging purposes so we have to assign specially constructed functions here.
1664The default is to use store in the stacking pool, but this is overridden in the
1665regex_must_compile() function. */
1666
1667pcre_malloc = function_store_get;
1668pcre_free = function_dummy_free;
1669
1670/* Ensure there is a big buffer for temporary use in several places. It is put
1671in malloc store so that it can be freed for enlargement if necessary. */
1672
1673big_buffer = store_malloc(big_buffer_size);
1674
1675/* Set up the handler for the data request signal, and set the initial
1676descriptive text. */
1677
1678set_process_info("initializing");
1679os_restarting_signal(SIGUSR1, usr1_handler);
1680
830832c9
HSHR
1681/* If running in a dockerized environment, the TERM signal is only
1682delegated to the PID 1 if we request it by setting an signal handler */
1683if (getpid() == 1) signal(SIGTERM, term_handler);
1684
059ec3d9
PH
1685/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1686in the daemon code. For the rest of Exim's uses, we ignore it. */
1687
1688signal(SIGHUP, SIG_IGN);
1689
1690/* We don't want to die on pipe errors as the code is written to handle
1691the write error instead. */
1692
1693signal(SIGPIPE, SIG_IGN);
1694
1695/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1696set to SIG_IGN. This causes subprocesses that complete before the parent
1697process waits for them not to hang around, so when Exim calls wait(), nothing
1698is there. The wait() code has been made robust against this, but let's ensure
1699that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1700ending status. We use sigaction rather than plain signal() on those OS where
1701SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1702problem on AIX with this.) */
1703
1704#ifdef SA_NOCLDWAIT
1705 {
1706 struct sigaction act;
1707 act.sa_handler = SIG_DFL;
1708 sigemptyset(&(act.sa_mask));
1709 act.sa_flags = 0;
1710 sigaction(SIGCHLD, &act, NULL);
1711 }
1712#else
1713signal(SIGCHLD, SIG_DFL);
1714#endif
1715
1716/* Save the arguments for use if we re-exec exim as a daemon after receiving
1717SIGHUP. */
1718
1719sighup_argv = argv;
1720
1721/* Set up the version number. Set up the leading 'E' for the external form of
1722message ids, set the pointer to the internal form, and initialize it to
1723indicate no message being processed. */
1724
1725version_init();
1726message_id_option[0] = '-';
1727message_id_external = message_id_option + 1;
1728message_id_external[0] = 'E';
1729message_id = message_id_external + 1;
1730message_id[0] = 0;
1731
67d175de 1732/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1733created with the modes that it specifies. NOTE: Files created with fopen() have
1734a problem, which was not recognized till rather late (February 2006). With this
1735umask, such files will be world writeable. (They are all content scanning files
1736in the spool directory, which isn't world-accessible, so this is not a
1737disaster, but it's untidy.) I don't want to change this overall setting,
1738however, because it will interact badly with the open() calls. Instead, there's
1739now a function called modefopen() that fiddles with the umask while calling
1740fopen(). */
059ec3d9 1741
67d175de 1742(void)umask(0);
059ec3d9
PH
1743
1744/* Precompile the regular expression for matching a message id. Keep this in
1745step with the code that generates ids in the accept.c module. We need to do
1746this here, because the -M options check their arguments for syntactic validity
1747using mac_ismsgid, which uses this. */
1748
1749regex_ismsgid =
1750 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1751
a5bd321b 1752/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1753code, possibly extended, at the start of an error message. Note that the
1754terminating whitespace character is included. */
a5bd321b
PH
1755
1756regex_smtp_code =
1757 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1758 FALSE, TRUE);
1759
a7cbbf50
PP
1760#ifdef WHITELIST_D_MACROS
1761/* Precompile the regular expression used to filter the content of macros
1762given to -D for permissibility. */
1763
1764regex_whitelisted_macro =
1765 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1766#endif
1767
f38917cc
JH
1768for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1769
059ec3d9
PH
1770/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1771this seems to be a generally accepted convention, since one finds symbolic
1772links called "mailq" in standard OS configurations. */
1773
1774if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1775 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1776 {
1777 list_queue = TRUE;
1778 receiving_message = FALSE;
1779 called_as = US"-mailq";
1780 }
1781
1782/* If the program is called as "rmail" treat it as equivalent to
1783"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1784i.e. preventing a single dot on a line from terminating the message, and
1785returning with zero return code, even in cases of error (provided an error
1786message has been sent). */
1787
1788if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1789 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1790 {
8768d548 1791 f.dot_ends = FALSE;
059ec3d9
PH
1792 called_as = US"-rmail";
1793 errors_sender_rc = EXIT_SUCCESS;
1794 }
1795
1796/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1797this is a smail convention. */
1798
1799if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1800 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1801 {
1802 smtp_input = smtp_batched_input = TRUE;
1803 called_as = US"-rsmtp";
1804 }
1805
1806/* If the program is called as "runq" treat it as equivalent to "exim -q";
1807this is a smail convention. */
1808
1809if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1810 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1811 {
1812 queue_interval = 0;
1813 receiving_message = FALSE;
1814 called_as = US"-runq";
1815 }
1816
1817/* If the program is called as "newaliases" treat it as equivalent to
1818"exim -bi"; this is a sendmail convention. */
1819
1820if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1821 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1822 {
1823 bi_option = TRUE;
1824 receiving_message = FALSE;
1825 called_as = US"-newaliases";
1826 }
1827
1828/* Save the original effective uid for a couple of uses later. It should
1829normally be root, but in some esoteric environments it may not be. */
1830
1831original_euid = geteuid();
3b7ac02c 1832original_egid = getegid();
059ec3d9
PH
1833
1834/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1835to be the same as the real ones. This makes a difference only if Exim is setuid
1836(or setgid) to something other than root, which could be the case in some
1837special configurations. */
1838
1839real_uid = getuid();
1840real_gid = getgid();
1841
1842if (real_uid == root_uid)
1843 {
9af3c549
JH
1844 if ((rv = setgid(real_gid)))
1845 exim_fail("exim: setgid(%ld) failed: %s\n",
1670ef10 1846 (long int)real_gid, strerror(errno));
9af3c549
JH
1847 if ((rv = setuid(real_uid)))
1848 exim_fail("exim: setuid(%ld) failed: %s\n",
1670ef10 1849 (long int)real_uid, strerror(errno));
059ec3d9
PH
1850 }
1851
1852/* If neither the original real uid nor the original euid was root, Exim is
1853running in an unprivileged state. */
1854
1855unprivileged = (real_uid != root_uid && original_euid != root_uid);
1856
059ec3d9
PH
1857/* Scan the program's arguments. Some can be dealt with right away; others are
1858simply recorded for checking and handling afterwards. Do a high-level switch
1859on the second character (the one after '-'), to save some effort. */
1860
1861for (i = 1; i < argc; i++)
1862 {
1863 BOOL badarg = FALSE;
1864 uschar *arg = argv[i];
1865 uschar *argrest;
1866 int switchchar;
1867
1868 /* An argument not starting with '-' is the start of a recipients list;
1869 break out of the options-scanning loop. */
1870
1871 if (arg[0] != '-')
1872 {
1873 recipients_arg = i;
1874 break;
1875 }
1876
4c04137d 1877 /* An option consisting of -- terminates the options */
059ec3d9
PH
1878
1879 if (Ustrcmp(arg, "--") == 0)
1880 {
1881 recipients_arg = i + 1;
1882 break;
1883 }
1884
1885 /* Handle flagged options */
1886
1887 switchchar = arg[1];
1888 argrest = arg+2;
1889
1890 /* Make all -ex options synonymous with -oex arguments, since that
1891 is assumed by various callers. Also make -qR options synonymous with -R
1892 options, as that seems to be required as well. Allow for -qqR too, and
1893 the same for -S options. */
1894
1895 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1896 Ustrncmp(arg+1, "qR", 2) == 0 ||
1897 Ustrncmp(arg+1, "qS", 2) == 0)
1898 {
1899 switchchar = arg[2];
1900 argrest++;
1901 }
1902 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1903 {
1904 switchchar = arg[3];
1905 argrest += 2;
8768d548 1906 f.queue_2stage = TRUE;
059ec3d9
PH
1907 }
1908
1909 /* Make -r synonymous with -f, since it is a documented alias */
1910
1911 else if (arg[1] == 'r') switchchar = 'f';
1912
1913 /* Make -ov synonymous with -v */
1914
1915 else if (Ustrcmp(arg, "-ov") == 0)
1916 {
1917 switchchar = 'v';
1918 argrest++;
1919 }
1920
4b2241d2
PP
1921 /* deal with --option_aliases */
1922 else if (switchchar == '-')
1923 {
1924 if (Ustrcmp(argrest, "help") == 0)
1925 {
1926 usage_wanted = TRUE;
1927 break;
1928 }
1929 else if (Ustrcmp(argrest, "version") == 0)
1930 {
1931 switchchar = 'b';
73a46702 1932 argrest = US"V";
4b2241d2
PP
1933 }
1934 }
1935
059ec3d9
PH
1936 /* High-level switch on active initial letter */
1937
1938 switch(switchchar)
1939 {
a3fb9793
PP
1940
1941 /* sendmail uses -Ac and -Am to control which .cf file is used;
1942 we ignore them. */
1943 case 'A':
1944 if (*argrest == '\0') { badarg = TRUE; break; }
1945 else
1946 {
1947 BOOL ignore = FALSE;
1948 switch (*argrest)
1949 {
1950 case 'c':
1951 case 'm':
1952 if (*(argrest + 1) == '\0')
1953 ignore = TRUE;
1954 break;
1955 }
1956 if (!ignore) { badarg = TRUE; break; }
1957 }
1958 break;
1959
059ec3d9
PH
1960 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1961 so has no need of it. */
1962
1963 case 'B':
1964 if (*argrest == 0) i++; /* Skip over the type */
1965 break;
1966
1967
1968 case 'b':
1969 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1970
1971 /* -bd: Run in daemon mode, awaiting SMTP connections.
1972 -bdf: Ditto, but in the foreground.
1973 */
1974
1975 if (*argrest == 'd')
1976 {
8768d548
JH
1977 f.daemon_listen = TRUE;
1978 if (*(++argrest) == 'f') f.background_daemon = FALSE;
059ec3d9
PH
1979 else if (*argrest != 0) { badarg = TRUE; break; }
1980 }
1981
328895cc
PH
1982 /* -be: Run in expansion test mode
1983 -bem: Ditto, but read a message from a file first
1984 */
059ec3d9
PH
1985
1986 else if (*argrest == 'e')
328895cc 1987 {
059ec3d9 1988 expansion_test = checking = TRUE;
328895cc
PH
1989 if (argrest[1] == 'm')
1990 {
1991 if (++i >= argc) { badarg = TRUE; break; }
1992 expansion_test_message = argv[i];
1993 argrest++;
1994 }
1995 if (argrest[1] != 0) { badarg = TRUE; break; }
1996 }
059ec3d9 1997
f05da2e8
PH
1998 /* -bF: Run system filter test */
1999
2000 else if (*argrest == 'F')
2001 {
34e86e20 2002 filter_test |= checking = FTEST_SYSTEM;
f05da2e8
PH
2003 if (*(++argrest) != 0) { badarg = TRUE; break; }
2004 if (++i < argc) filter_test_sfile = argv[i]; else
9af3c549 2005 exim_fail("exim: file name expected after %s\n", argv[i-1]);
f05da2e8
PH
2006 }
2007
2008 /* -bf: Run user filter test
059ec3d9
PH
2009 -bfd: Set domain for filter testing
2010 -bfl: Set local part for filter testing
2011 -bfp: Set prefix for filter testing
2012 -bfs: Set suffix for filter testing
2013 */
2014
f05da2e8 2015 else if (*argrest == 'f')
059ec3d9 2016 {
f05da2e8 2017 if (*(++argrest) == 0)
059ec3d9 2018 {
34e86e20 2019 filter_test |= checking = FTEST_USER;
f05da2e8 2020 if (++i < argc) filter_test_ufile = argv[i]; else
9af3c549 2021 exim_fail("exim: file name expected after %s\n", argv[i-1]);
059ec3d9
PH
2022 }
2023 else
2024 {
2025 if (++i >= argc)
9af3c549 2026 exim_fail("exim: string expected after %s\n", arg);
059ec3d9
PH
2027 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2028 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2029 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2030 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2031 else { badarg = TRUE; break; }
2032 }
2033 }
2034
2035 /* -bh: Host checking - an IP address must follow. */
2036
2037 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2038 {
2039 if (++i >= argc) { badarg = TRUE; break; }
2040 sender_host_address = argv[i];
8768d548
JH
2041 host_checking = checking = f.log_testing_mode = TRUE;
2042 f.host_checking_callout = argrest[1] == 'c';
1a6230a3 2043 message_logs = FALSE;
059ec3d9
PH
2044 }
2045
2046 /* -bi: This option is used by sendmail to initialize *the* alias file,
2047 though it has the -oA option to specify a different file. Exim has no
2048 concept of *the* alias file, but since Sun's YP make script calls
2049 sendmail this way, some support must be provided. */
2050
2051 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2052
98a90c36
PP
2053 /* -bI: provide information, of the type to follow after a colon.
2054 This is an Exim flag. */
2055
2056 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2057 {
2058 uschar *p = &argrest[2];
2059 info_flag = CMDINFO_HELP;
2060 if (Ustrlen(p))
2061 {
2062 if (strcmpic(p, CUS"sieve") == 0)
2063 {
2064 info_flag = CMDINFO_SIEVE;
2065 info_stdout = TRUE;
2066 }
36a3ae5f
PP
2067 else if (strcmpic(p, CUS"dscp") == 0)
2068 {
2069 info_flag = CMDINFO_DSCP;
2070 info_stdout = TRUE;
2071 }
98a90c36
PP
2072 else if (strcmpic(p, CUS"help") == 0)
2073 {
2074 info_stdout = TRUE;
2075 }
2076 }
2077 }
2078
059ec3d9
PH
2079 /* -bm: Accept and deliver message - the default option. Reinstate
2080 receiving_message, which got turned off for all -b options. */
2081
2082 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2083
8544e77a
PP
2084 /* -bmalware: test the filename given for malware */
2085
2086 else if (Ustrcmp(argrest, "malware") == 0)
2087 {
2088 if (++i >= argc) { badarg = TRUE; break; }
34e86e20 2089 checking = TRUE;
8544e77a
PP
2090 malware_test_file = argv[i];
2091 }
2092
059ec3d9
PH
2093 /* -bnq: For locally originating messages, do not qualify unqualified
2094 addresses. In the envelope, this causes errors; in header lines they
2095 just get left. */
2096
2097 else if (Ustrcmp(argrest, "nq") == 0)
2098 {
8768d548
JH
2099 f.allow_unqualified_sender = FALSE;
2100 f.allow_unqualified_recipient = FALSE;
059ec3d9
PH
2101 }
2102
2103 /* -bpxx: List the contents of the mail queue, in various forms. If
2104 the option is -bpc, just a queue count is needed. Otherwise, if the
2105 first letter after p is r, then order is random. */
2106
2107 else if (*argrest == 'p')
2108 {
2109 if (*(++argrest) == 'c')
2110 {
2111 count_queue = TRUE;
2112 if (*(++argrest) != 0) badarg = TRUE;
2113 break;
2114 }
2115
2116 if (*argrest == 'r')
2117 {
2118 list_queue_option = 8;
2119 argrest++;
2120 }
2121 else list_queue_option = 0;
2122
2123 list_queue = TRUE;
2124
2125 /* -bp: List the contents of the mail queue, top-level only */
2126
2127 if (*argrest == 0) {}
2128
2129 /* -bpu: List the contents of the mail queue, top-level undelivered */
2130
2131 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2132
2133 /* -bpa: List the contents of the mail queue, including all delivered */
2134
2135 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2136
2137 /* Unknown after -bp[r] */
2138
2139 else
2140 {
2141 badarg = TRUE;
2142 break;
2143 }
2144 }
2145
2146
2147 /* -bP: List the configuration variables given as the address list.
2148 Force -v, so configuration errors get displayed. */
2149
2150 else if (Ustrcmp(argrest, "P") == 0)
2151 {
bf3c2c6b
HSHR
2152 /* -bP config: we need to setup here, because later,
2153 * when list_options is checked, the config is read already */
2154 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2155 {
2156 list_config = TRUE;
2157 readconf_save_config(version_string);
2158 }
2159 else
2160 {
2161 list_options = TRUE;
2162 debug_selector |= D_v;
2163 debug_file = stderr;
2164 }
059ec3d9
PH
2165 }
2166
2167 /* -brt: Test retry configuration lookup */
2168
2169 else if (Ustrcmp(argrest, "rt") == 0)
2170 {
34e86e20 2171 checking = TRUE;
059ec3d9
PH
2172 test_retry_arg = i + 1;
2173 goto END_ARG;
2174 }
2175
2176 /* -brw: Test rewrite configuration */
2177
2178 else if (Ustrcmp(argrest, "rw") == 0)
2179 {
34e86e20 2180 checking = TRUE;
059ec3d9
PH
2181 test_rewrite_arg = i + 1;
2182 goto END_ARG;
2183 }
2184
2185 /* -bS: Read SMTP commands on standard input, but produce no replies -
2186 all errors are reported by sending messages. */
2187
2188 else if (Ustrcmp(argrest, "S") == 0)
2189 smtp_input = smtp_batched_input = receiving_message = TRUE;
2190
2191 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2192 on standard output. */
2193
2194 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2195
2196 /* -bt: address testing mode */
2197
2198 else if (Ustrcmp(argrest, "t") == 0)
8768d548 2199 f.address_test_mode = checking = f.log_testing_mode = TRUE;
059ec3d9
PH
2200
2201 /* -bv: verify addresses */
2202
2203 else if (Ustrcmp(argrest, "v") == 0)
8768d548 2204 verify_address_mode = checking = f.log_testing_mode = TRUE;
059ec3d9
PH
2205
2206 /* -bvs: verify sender addresses */
2207
2208 else if (Ustrcmp(argrest, "vs") == 0)
2209 {
8768d548 2210 verify_address_mode = checking = f.log_testing_mode = TRUE;
059ec3d9
PH
2211 verify_as_sender = TRUE;
2212 }
2213
2214 /* -bV: Print version string and support details */
2215
2216 else if (Ustrcmp(argrest, "V") == 0)
2217 {
2218 printf("Exim version %s #%s built %s\n", version_string,
2219 version_cnumber, version_date);
2220 printf("%s\n", CS version_copyright);
2221 version_printed = TRUE;
2222 show_whats_supported(stdout);
8768d548 2223 f.log_testing_mode = TRUE;
059ec3d9
PH
2224 }
2225
9ee44efb
PP
2226 /* -bw: inetd wait mode, accept a listening socket as stdin */
2227
2228 else if (*argrest == 'w')
2229 {
8768d548
JH
2230 f.inetd_wait_mode = TRUE;
2231 f.background_daemon = FALSE;
2232 f.daemon_listen = TRUE;
9ee44efb 2233 if (*(++argrest) != '\0')
9af3c549
JH
2234 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2235 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
9ee44efb
PP
2236 }
2237
059ec3d9
PH
2238 else badarg = TRUE;
2239 break;
2240
2241
2242 /* -C: change configuration file list; ignore if it isn't really
2243 a change! Enforce a prefix check if required. */
2244
2245 case 'C':
2246 if (*argrest == 0)
2247 {
2248 if(++i < argc) argrest = argv[i]; else
2249 { badarg = TRUE; break; }
2250 }
2251 if (Ustrcmp(config_main_filelist, argrest) != 0)
2252 {
2253 #ifdef ALT_CONFIG_PREFIX
2254 int sep = 0;
2255 int len = Ustrlen(ALT_CONFIG_PREFIX);
863bd541 2256 const uschar *list = argrest;
059ec3d9
PH
2257 uschar *filename;
2258 while((filename = string_nextinlist(&list, &sep, big_buffer,
2259 big_buffer_size)) != NULL)
2260 {
2261 if ((Ustrlen(filename) < len ||
2262 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2263 Ustrstr(filename, "/../") != NULL) &&
2264 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
9af3c549 2265 exim_fail("-C Permission denied\n");
059ec3d9
PH
2266 }
2267 #endif
261dc43e
DW
2268 if (real_uid != root_uid)
2269 {
90b6341f 2270 #ifdef TRUSTED_CONFIG_LIST
261dc43e 2271
90b6341f
DW
2272 if (real_uid != exim_uid
2273 #ifdef CONFIGURE_OWNER
2274 && real_uid != config_uid
2275 #endif
2276 )
8768d548 2277 f.trusted_config = FALSE;
261dc43e
DW
2278 else
2279 {
90b6341f 2280 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
261dc43e
DW
2281 if (trust_list)
2282 {
2283 struct stat statbuf;
2284
2285 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2286 (statbuf.st_uid != root_uid /* owner not root */
2287 #ifdef CONFIGURE_OWNER
2288 && statbuf.st_uid != config_uid /* owner not the special one */
2289 #endif
2290 ) || /* or */
2291 (statbuf.st_gid != root_gid /* group not root */
2292 #ifdef CONFIGURE_GROUP
2293 && statbuf.st_gid != config_gid /* group not the special one */
2294 #endif
2295 && (statbuf.st_mode & 020) != 0 /* group writeable */
2296 ) || /* or */
2297 (statbuf.st_mode & 2) != 0) /* world writeable */
2298 {
8768d548 2299 f.trusted_config = FALSE;
261dc43e
DW
2300 fclose(trust_list);
2301 }
2302 else
2303 {
2304 /* Well, the trust list at least is up to scratch... */
2305 void *reset_point = store_get(0);
90b6341f
DW
2306 uschar *trusted_configs[32];
2307 int nr_configs = 0;
261dc43e
DW
2308 int i = 0;
2309
2310 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2311 {
2312 uschar *start = big_buffer, *nl;
2313 while (*start && isspace(*start))
2314 start++;
1e83d68b 2315 if (*start != '/')
261dc43e
DW
2316 continue;
2317 nl = Ustrchr(start, '\n');
2318 if (nl)
2319 *nl = 0;
90b6341f
DW
2320 trusted_configs[nr_configs++] = string_copy(start);
2321 if (nr_configs == 32)
261dc43e
DW
2322 break;
2323 }
2324 fclose(trust_list);
2325
90b6341f 2326 if (nr_configs)
261dc43e
DW
2327 {
2328 int sep = 0;
55414b25 2329 const uschar *list = argrest;
261dc43e 2330 uschar *filename;
8768d548 2331 while (f.trusted_config && (filename = string_nextinlist(&list,
261dc43e
DW
2332 &sep, big_buffer, big_buffer_size)) != NULL)
2333 {
90b6341f 2334 for (i=0; i < nr_configs; i++)
261dc43e 2335 {
90b6341f 2336 if (Ustrcmp(filename, trusted_configs[i]) == 0)
261dc43e
DW
2337 break;
2338 }
90b6341f 2339 if (i == nr_configs)
261dc43e 2340 {
8768d548 2341 f.trusted_config = FALSE;
261dc43e
DW
2342 break;
2343 }
2344 }
1e83d68b 2345 store_reset(reset_point);
261dc43e
DW
2346 }
2347 else
2348 {
2349 /* No valid prefixes found in trust_list file. */
8768d548 2350 f.trusted_config = FALSE;
261dc43e
DW
2351 }
2352 }
2353 }
2354 else
2355 {
2356 /* Could not open trust_list file. */
8768d548 2357 f.trusted_config = FALSE;
261dc43e
DW
2358 }
2359 }
2360 #else
2361 /* Not root; don't trust config */
8768d548 2362 f.trusted_config = FALSE;
261dc43e
DW
2363 #endif
2364 }
059ec3d9
PH
2365
2366 config_main_filelist = argrest;
8768d548 2367 f.config_changed = TRUE;
059ec3d9
PH
2368 }
2369 break;
2370
2371
2372 /* -D: set up a macro definition */
2373
2374 case 'D':
9af3c549
JH
2375#ifdef DISABLE_D_OPTION
2376 exim_fail("exim: -D is not available in this Exim binary\n");
2377#else
059ec3d9
PH
2378 {
2379 int ptr = 0;
059ec3d9
PH
2380 macro_item *m;
2381 uschar name[24];
2382 uschar *s = argrest;
2383
4ab69ec7 2384 opt_D_used = TRUE;
059ec3d9
PH
2385 while (isspace(*s)) s++;
2386
2387 if (*s < 'A' || *s > 'Z')
9af3c549 2388 exim_fail("exim: macro name set by -D must start with "
059ec3d9 2389 "an upper case letter\n");
059ec3d9
PH
2390
2391 while (isalnum(*s) || *s == '_')
2392 {
2393 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2394 s++;
2395 }
2396 name[ptr] = 0;
2397 if (ptr == 0) { badarg = TRUE; break; }
2398 while (isspace(*s)) s++;
2399 if (*s != 0)
2400 {
2401 if (*s++ != '=') { badarg = TRUE; break; }
2402 while (isspace(*s)) s++;
2403 }
2404
85e03244 2405 for (m = macros_user; m; m = m->next)
1a7c9a48 2406 if (Ustrcmp(m->name, name) == 0)
9af3c549 2407 exim_fail("exim: duplicated -D in command line\n");
059ec3d9 2408
85e03244 2409 m = macro_create(name, s, TRUE);
059ec3d9
PH
2410
2411 if (clmacro_count >= MAX_CLMACROS)
9af3c549 2412 exim_fail("exim: too many -D options on command line\n");
1a7c9a48
JH
2413 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2414 m->replacement);
059ec3d9
PH
2415 }
2416 #endif
2417 break;
2418
2419 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2420 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2421 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2422
2423 case 'd':
2424 if (Ustrcmp(argrest, "ropcr") == 0)
2425 {
2426 /* drop_cr = TRUE; */
2427 }
2428
2429 /* Use an intermediate variable so that we don't set debugging while
2430 decoding the debugging bits. */
2431
2432 else
2433 {
2434 unsigned int selector = D_default;
2435 debug_selector = 0;
2436 debug_file = NULL;
3d235903
PH
2437 if (*argrest == 'd')
2438 {
8768d548 2439 f.debug_daemon = TRUE;
3d235903
PH
2440 argrest++;
2441 }
059ec3d9 2442 if (*argrest != 0)
6c6d6e48
TF
2443 decode_bits(&selector, 1, debug_notall, argrest,
2444 debug_options, debug_options_count, US"debug", 0);
059ec3d9
PH
2445 debug_selector = selector;
2446 }
2447 break;
2448
2449
2450 /* -E: This is a local error message. This option is not intended for
2451 external use at all, but is not restricted to trusted callers because it
2452 does no harm (just suppresses certain error messages) and if Exim is run
2453 not setuid root it won't always be trusted when it generates error
2454 messages using this option. If there is a message id following -E, point
2455 message_reference at it, for logging. */
2456
2457 case 'E':
8768d548 2458 f.local_error_message = TRUE;
059ec3d9
PH
2459 if (mac_ismsgid(argrest)) message_reference = argrest;
2460 break;
2461
2462
2463 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2464 option, so it looks as if historically the -oex options are also callable
2465 without the leading -o. So we have to accept them. Before the switch,
2466 anything starting -oe has been converted to -e. Exim does not support all
2467 of the sendmail error options. */
2468
2469 case 'e':
2470 if (Ustrcmp(argrest, "e") == 0)
2471 {
2472 arg_error_handling = ERRORS_SENDER;
2473 errors_sender_rc = EXIT_SUCCESS;
2474 }
2475 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2476 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2477 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2478 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2479 else badarg = TRUE;
2480 break;
2481
2482
2483 /* -F: Set sender's full name, used instead of the gecos entry from
2484 the password file. Since users can usually alter their gecos entries,
2485 there's no security involved in using this instead. The data can follow
2486 the -F or be in the next argument. */
2487
2488 case 'F':
2489 if (*argrest == 0)
2490 {
2491 if(++i < argc) argrest = argv[i]; else
2492 { badarg = TRUE; break; }
2493 }
2494 originator_name = argrest;
8768d548 2495 f.sender_name_forced = TRUE;
059ec3d9
PH
2496 break;
2497
2498
2499 /* -f: Set sender's address - this value is only actually used if Exim is
2500 run by a trusted user, or if untrusted_set_sender is set and matches the
2501 address, except that the null address can always be set by any user. The
2502 test for this happens later, when the value given here is ignored when not
2503 permitted. For an untrusted user, the actual sender is still put in Sender:
2504 if it doesn't match the From: header (unless no_local_from_check is set).
2505 The data can follow the -f or be in the next argument. The -r switch is an
2506 obsolete form of -f but since there appear to be programs out there that
2507 use anything that sendmail has ever supported, better accept it - the
2508 synonymizing is done before the switch above.
2509
2510 At this stage, we must allow domain literal addresses, because we don't
2511 know what the setting of allow_domain_literals is yet. Ditto for trailing
2512 dots and strip_trailing_dot. */
2513
2514 case 'f':
2515 {
250b6871 2516 int dummy_start, dummy_end;
059ec3d9
PH
2517 uschar *errmess;
2518 if (*argrest == 0)
2519 {
2520 if (i+1 < argc) argrest = argv[++i]; else
2521 { badarg = TRUE; break; }
2522 }
2523 if (*argrest == 0)
059ec3d9 2524 sender_address = string_sprintf(""); /* Ensure writeable memory */
059ec3d9
PH
2525 else
2526 {
2527 uschar *temp = argrest + Ustrlen(argrest) - 1;
2528 while (temp >= argrest && isspace(*temp)) temp--;
2529 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2530 allow_domain_literals = TRUE;
2531 strip_trailing_dot = TRUE;
8c5d388a 2532#ifdef SUPPORT_I18N
250b6871
JH
2533 allow_utf8_domains = TRUE;
2534#endif
2535 sender_address = parse_extract_address(argrest, &errmess,
2536 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
8c5d388a 2537#ifdef SUPPORT_I18N
250b6871
JH
2538 message_smtputf8 = string_is_utf8(sender_address);
2539 allow_utf8_domains = FALSE;
2540#endif
059ec3d9
PH
2541 allow_domain_literals = FALSE;
2542 strip_trailing_dot = FALSE;
9af3c549
JH
2543 if (!sender_address)
2544 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
059ec3d9 2545 }
8768d548 2546 f.sender_address_forced = TRUE;
059ec3d9
PH
2547 }
2548 break;
2549
a3fb9793 2550 /* -G: sendmail invocation to specify that it's a gateway submission and
f4ee74ac
PP
2551 sendmail may complain about problems instead of fixing them.
2552 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2553 not at this time complain about problems. */
059ec3d9
PH
2554
2555 case 'G':
f4ee74ac 2556 flag_G = TRUE;
059ec3d9
PH
2557 break;
2558
2559 /* -h: Set the hop count for an incoming message. Exim does not currently
2560 support this; it always computes it by counting the Received: headers.
2561 To put it in will require a change to the spool header file format. */
2562
2563 case 'h':
2564 if (*argrest == 0)
2565 {
2566 if(++i < argc) argrest = argv[i]; else
2567 { badarg = TRUE; break; }
2568 }
2569 if (!isdigit(*argrest)) badarg = TRUE;
2570 break;
2571
2572
2573 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2574 not to be documented for sendmail but mailx (at least) uses it) */
2575
2576 case 'i':
8768d548 2577 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
059ec3d9
PH
2578 break;
2579
2580
a3fb9793
PP
2581 /* -L: set the identifier used for syslog; equivalent to setting
2582 syslog_processname in the config file, but needs to be an admin option. */
2583
2584 case 'L':
2585 if (*argrest == '\0')
2586 {
2587 if(++i < argc) argrest = argv[i]; else
2588 { badarg = TRUE; break; }
2589 }
9af3c549
JH
2590 if ((sz = Ustrlen(argrest)) > 32)
2591 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
a3fb9793 2592 if (sz < 1)
9af3c549 2593 exim_fail("exim: the -L syslog name is too short\n");
a3fb9793
PP
2594 cmdline_syslog_name = argrest;
2595 break;
2596
059ec3d9
PH
2597 case 'M':
2598 receiving_message = FALSE;
2599
2600 /* -MC: continue delivery of another message via an existing open
2601 file descriptor. This option is used for an internal call by the
2602 smtp transport when there is a pending message waiting to go to an
2603 address to which it has got a connection. Five subsequent arguments are
2604 required: transport name, host name, IP address, sequence number, and
2605 message_id. Transports may decline to create new processes if the sequence
2606 number gets too big. The channel is stdin. This (-MC) must be the last
2607 argument. There's a subsequent check that the real-uid is privileged.
2608
2609 If we are running in the test harness. delay for a bit, to let the process
2610 that set this one up complete. This makes for repeatability of the logging,
2611 etc. output. */
2612
2613 if (Ustrcmp(argrest, "C") == 0)
2614 {
41c7c167
PH
2615 union sockaddr_46 interface_sock;
2616 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2617
059ec3d9 2618 if (argc != i + 6)
9af3c549 2619 exim_fail("exim: too many or too few arguments after -MC\n");
059ec3d9
PH
2620
2621 if (msg_action_arg >= 0)
9af3c549 2622 exim_fail("exim: incompatible arguments\n");
059ec3d9
PH
2623
2624 continue_transport = argv[++i];
2625 continue_hostname = argv[++i];
2626 continue_host_address = argv[++i];
2627 continue_sequence = Uatoi(argv[++i]);
2628 msg_action = MSG_DELIVER;
2629 msg_action_arg = ++i;
2630 forced_delivery = TRUE;
2631 queue_run_pid = passed_qr_pid;
2632 queue_run_pipe = passed_qr_pipe;
2633
2634 if (!mac_ismsgid(argv[i]))
9af3c549 2635 exim_fail("exim: malformed message id %s after -MC option\n",
059ec3d9 2636 argv[i]);
059ec3d9 2637
875512a3
JH
2638 /* Set up $sending_ip_address and $sending_port, unless proxied */
2639
5013d912 2640 if (!continue_proxy_cipher)
875512a3
JH
2641 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2642 &size) == 0)
2643 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2644 &sending_port);
2645 else
9af3c549 2646 exim_fail("exim: getsockname() failed after -MC option: %s\n",
875512a3 2647 strerror(errno));
41c7c167 2648
8768d548 2649 if (f.running_in_test_harness) millisleep(500);
059ec3d9
PH
2650 break;
2651 }
2652
2d14f397
JH
2653 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2654 {
875512a3 2655 switch(argrest[1])
2d14f397 2656 {
059ec3d9
PH
2657 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2658 precedes -MC (see above). The flag indicates that the host to which
2659 Exim is connected has accepted an AUTH sequence. */
2660
8768d548 2661 case 'A': f.smtp_authenticated = TRUE; break;
059ec3d9 2662
6c1c3d1d
WB
2663 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2664 that exim is connected to supports the esmtp extension DSN */
28b3821f 2665
14de8063 2666 case 'D': smtp_peer_options |= OPTION_DSN; break;
6c1c3d1d 2667
e37f8a84 2668 /* -MCG: set the queue name, to a non-default value */
28b3821f 2669
2d14f397
JH
2670 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2671 else badarg = TRUE;
2672 break;
2673
2674 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2675
14de8063 2676 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
28b3821f 2677
059ec3d9
PH
2678 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2679 it preceded -MC (see above) */
2680
14de8063 2681 case 'P': smtp_peer_options |= OPTION_PIPE; break;
059ec3d9
PH
2682
2683 /* -MCQ: pass on the pid of the queue-running process that started
2684 this chain of deliveries and the fd of its synchronizing pipe; this
2685 is useful only when it precedes -MC (see above) */
2686
2d14f397
JH
2687 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2688 else badarg = TRUE;
2689 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2690 else badarg = TRUE;
2691 break;
059ec3d9
PH
2692
2693 /* -MCS: set the smtp_use_size flag; this is useful only when it
2694 precedes -MC (see above) */
2695
14de8063 2696 case 'S': smtp_peer_options |= OPTION_SIZE; break;
059ec3d9 2697
2d14f397 2698#ifdef SUPPORT_TLS
875512a3
JH
2699 /* -MCt: similar to -MCT below but the connection is still open
2700 via a proxy proces which handles the TLS context and coding.
5013d912
JH
2701 Require three arguments for the proxied local address and port,
2702 and the TLS cipher. */
875512a3 2703
5013d912 2704 case 't': if (++i < argc) sending_ip_address = argv[i];
875512a3
JH
2705 else badarg = TRUE;
2706 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2707 else badarg = TRUE;
5013d912
JH
2708 if (++i < argc) continue_proxy_cipher = argv[i];
2709 else badarg = TRUE;
875512a3
JH
2710 /*FALLTHROUGH*/
2711
059ec3d9
PH
2712 /* -MCT: set the tls_offered flag; this is useful only when it
2713 precedes -MC (see above). The flag indicates that the host to which
2714 Exim is connected has offered TLS support. */
2715
14de8063 2716 case 'T': smtp_peer_options |= OPTION_TLS; break;
2d14f397
JH
2717#endif
2718
2719 default: badarg = TRUE; break;
2720 }
8ac90765
JH
2721 break;
2722 }
2723
2724#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
2725 /* -MS set REQUIRETLS on (new) message */
2726
2727 else if (*argrest == 'S')
2728 {
2729 tls_requiretls |= REQUIRETLS_MSG;
2730 break;
059ec3d9 2731 }
8ac90765 2732#endif
059ec3d9
PH
2733
2734 /* -M[x]: various operations on the following list of message ids:
2735 -M deliver the messages, ignoring next retry times and thawing
2736 -Mc deliver the messages, checking next retry times, no thawing
2737 -Mf freeze the messages
2738 -Mg give up on the messages
2739 -Mt thaw the messages
2740 -Mrm remove the messages
2741 In the above cases, this must be the last option. There are also the
2742 following options which are followed by a single message id, and which
2743 act on that message. Some of them use the "recipient" addresses as well.
2744 -Mar add recipient(s)
2745 -Mmad mark all recipients delivered
2746 -Mmd mark recipients(s) delivered
2747 -Mes edit sender
0ef732d9 2748 -Mset load a message for use with -be
059ec3d9 2749 -Mvb show body
a96603a0 2750 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2751 -Mvh show header
2752 -Mvl show log
2753 */
2754
2755 else if (*argrest == 0)
2756 {
2757 msg_action = MSG_DELIVER;
8768d548 2758 forced_delivery = f.deliver_force_thaw = TRUE;
059ec3d9
PH
2759 }
2760 else if (Ustrcmp(argrest, "ar") == 0)
2761 {
2762 msg_action = MSG_ADD_RECIPIENT;
2763 one_msg_action = TRUE;
2764 }
2765 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2766 else if (Ustrcmp(argrest, "es") == 0)
2767 {
2768 msg_action = MSG_EDIT_SENDER;
2769 one_msg_action = TRUE;
2770 }
2771 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2772 else if (Ustrcmp(argrest, "g") == 0)
2773 {
2774 msg_action = MSG_DELIVER;
2775 deliver_give_up = TRUE;
2776 }
2777 else if (Ustrcmp(argrest, "mad") == 0)
2778 {
2779 msg_action = MSG_MARK_ALL_DELIVERED;
2780 }
2781 else if (Ustrcmp(argrest, "md") == 0)
2782 {
2783 msg_action = MSG_MARK_DELIVERED;
2784 one_msg_action = TRUE;
2785 }
2786 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2787 else if (Ustrcmp(argrest, "set") == 0)
2788 {
2789 msg_action = MSG_LOAD;
2790 one_msg_action = TRUE;
2791 }
059ec3d9
PH
2792 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2793 else if (Ustrcmp(argrest, "vb") == 0)
2794 {
2795 msg_action = MSG_SHOW_BODY;
2796 one_msg_action = TRUE;
2797 }
a96603a0
PH
2798 else if (Ustrcmp(argrest, "vc") == 0)
2799 {
2800 msg_action = MSG_SHOW_COPY;
2801 one_msg_action = TRUE;
2802 }
059ec3d9
PH
2803 else if (Ustrcmp(argrest, "vh") == 0)
2804 {
2805 msg_action = MSG_SHOW_HEADER;
2806 one_msg_action = TRUE;
2807 }
2808 else if (Ustrcmp(argrest, "vl") == 0)
2809 {
2810 msg_action = MSG_SHOW_LOG;
2811 one_msg_action = TRUE;
2812 }
2813 else { badarg = TRUE; break; }
2814
2815 /* All the -Mxx options require at least one message id. */
2816
2817 msg_action_arg = i + 1;
2818 if (msg_action_arg >= argc)
9af3c549 2819 exim_fail("exim: no message ids given after %s option\n", arg);
059ec3d9
PH
2820
2821 /* Some require only message ids to follow */
2822
2823 if (!one_msg_action)
2824 {
2825 int j;
2826 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
9af3c549 2827 exim_fail("exim: malformed message id %s after %s option\n",
059ec3d9 2828 argv[j], arg);
059ec3d9
PH
2829 goto END_ARG; /* Remaining args are ids */
2830 }
2831
2832 /* Others require only one message id, possibly followed by addresses,
2833 which will be handled as normal arguments. */
2834
2835 else
2836 {
2837 if (!mac_ismsgid(argv[msg_action_arg]))
9af3c549 2838 exim_fail("exim: malformed message id %s after %s option\n",
059ec3d9 2839 argv[msg_action_arg], arg);
059ec3d9
PH
2840 i++;
2841 }
2842 break;
2843
2844
2845 /* Some programs seem to call the -om option without the leading o;
2846 for sendmail it askes for "me too". Exim always does this. */
2847
2848 case 'm':
2849 if (*argrest != 0) badarg = TRUE;
2850 break;
2851
2852
2853 /* -N: don't do delivery - a debugging option that stops transports doing
2854 their thing. It implies debugging at the D_v level. */
2855
2856 case 'N':
2857 if (*argrest == 0)
2858 {
8768d548 2859 f.dont_deliver = TRUE;
059ec3d9
PH
2860 debug_selector |= D_v;
2861 debug_file = stderr;
2862 }
2863 else badarg = TRUE;
2864 break;
2865
2866
12f69989
PP
2867 /* -n: This means "don't alias" in sendmail, apparently.
2868 For normal invocations, it has no effect.
2869 It may affect some other options. */
059ec3d9
PH
2870
2871 case 'n':
12f69989 2872 flag_n = TRUE;
059ec3d9
PH
2873 break;
2874
2875 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2876 option to the specified value. This form uses long names. We need to handle
2877 -O option=value and -Ooption=value. */
2878
2879 case 'O':
2880 if (*argrest == 0)
2881 {
2882 if (++i >= argc)
9af3c549 2883 exim_fail("exim: string expected after -O\n");
059ec3d9
PH
2884 }
2885 break;
2886
2887 case 'o':
2888
2889 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2890 file" option). */
2891
2892 if (*argrest == 'A')
2893 {
2894 alias_arg = argrest + 1;
2895 if (alias_arg[0] == 0)
2896 {
2897 if (i+1 < argc) alias_arg = argv[++i]; else
9af3c549 2898 exim_fail("exim: string expected after -oA\n");
059ec3d9
PH
2899 }
2900 }
2901
2902 /* -oB: Set a connection message max value for remote deliveries */
2903
2904 else if (*argrest == 'B')
2905 {
2906 uschar *p = argrest + 1;
2907 if (p[0] == 0)
2908 {
2909 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2910 {
2911 connection_max_messages = 1;
2912 p = NULL;
2913 }
2914 }
2915
2916 if (p != NULL)
2917 {
2918 if (!isdigit(*p))
9af3c549 2919 exim_fail("exim: number expected after -oB\n");
059ec3d9
PH
2920 connection_max_messages = Uatoi(p);
2921 }
2922 }
2923
2924 /* -odb: background delivery */
2925
2926 else if (Ustrcmp(argrest, "db") == 0)
2927 {
8768d548 2928 f.synchronous_delivery = FALSE;
059ec3d9
PH
2929 arg_queue_only = FALSE;
2930 queue_only_set = TRUE;
2931 }
2932
2933 /* -odf: foreground delivery (smail-compatible option); same effect as
2934 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2935 */
2936
2937 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2938 {
8768d548 2939 f.synchronous_delivery = TRUE;
059ec3d9
PH
2940 arg_queue_only = FALSE;
2941 queue_only_set = TRUE;
2942 }
2943
2944 /* -odq: queue only */
2945
2946 else if (Ustrcmp(argrest, "dq") == 0)
2947 {
8768d548 2948 f.synchronous_delivery = FALSE;
059ec3d9
PH
2949 arg_queue_only = TRUE;
2950 queue_only_set = TRUE;
2951 }
2952
2953 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2954 but no remote delivery */
2955
2956 else if (Ustrcmp(argrest, "dqs") == 0)
2957 {
8768d548 2958 f.queue_smtp = TRUE;
059ec3d9
PH
2959 arg_queue_only = FALSE;
2960 queue_only_set = TRUE;
2961 }
2962
2963 /* -oex: Sendmail error flags. As these are also accepted without the
2964 leading -o prefix, for compatibility with vacation and other callers,
2965 they are handled with -e above. */
2966
2967 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2968 -oitrue: Another sendmail syntax for the same */
2969
2970 else if (Ustrcmp(argrest, "i") == 0 ||
2971 Ustrcmp(argrest, "itrue") == 0)
8768d548 2972 f.dot_ends = FALSE;
059ec3d9
PH
2973
2974 /* -oM*: Set various characteristics for an incoming message; actually
2975 acted on for trusted callers only. */
2976
2977 else if (*argrest == 'M')
2978 {
2979 if (i+1 >= argc)
9af3c549 2980 exim_fail("exim: data expected after -o%s\n", argrest);
059ec3d9
PH
2981
2982 /* -oMa: Set sender host address */
2983
2984 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2985
2986 /* -oMaa: Set authenticator name */
2987
2988 else if (Ustrcmp(argrest, "Maa") == 0)
2989 sender_host_authenticated = argv[++i];
2990
2991 /* -oMas: setting authenticated sender */
2992
2993 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2994
2995 /* -oMai: setting authenticated id */
2996
2997 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2998
2999 /* -oMi: Set incoming interface address */
3000
3001 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
3002
d2af03f4
HS
3003 /* -oMm: Message reference */
3004
3005 else if (Ustrcmp(argrest, "Mm") == 0)
3006 {
3007 if (!mac_ismsgid(argv[i+1]))
9af3c549 3008 exim_fail("-oMm must be a valid message ID\n");
8768d548 3009 if (!f.trusted_config)
9af3c549 3010 exim_fail("-oMm must be called by a trusted user/config\n");
d2af03f4
HS
3011 message_reference = argv[++i];
3012 }
3013
059ec3d9
PH
3014 /* -oMr: Received protocol */
3015
65e061b7
HSHR
3016 else if (Ustrcmp(argrest, "Mr") == 0)
3017
3018 if (received_protocol)
9af3c549
JH
3019 exim_fail("received_protocol is set already\n");
3020 else
3021 received_protocol = argv[++i];
059ec3d9
PH
3022
3023 /* -oMs: Set sender host name */
3024
3025 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3026
3027 /* -oMt: Set sender ident */
3028
33d73e3b
PH
3029 else if (Ustrcmp(argrest, "Mt") == 0)
3030 {
3031 sender_ident_set = TRUE;
3032 sender_ident = argv[++i];
3033 }
059ec3d9
PH
3034
3035 /* Else a bad argument */
3036
3037 else
3038 {
3039 badarg = TRUE;
3040 break;
3041 }
3042 }
3043
3044 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3045 seem to call this as -m (undocumented), so that is also accepted (see
3046 above). */
3047
3048 else if (Ustrcmp(argrest, "m") == 0) {}
3049
3050 /* -oo: An ancient flag for old-style addresses which still seems to
3051 crop up in some calls (see in SCO). */
3052
3053 else if (Ustrcmp(argrest, "o") == 0) {}
3054
3055 /* -oP <name>: set pid file path for daemon */
3056
3057 else if (Ustrcmp(argrest, "P") == 0)
3058 override_pid_file_path = argv[++i];
3059
3060 /* -or <n>: set timeout for non-SMTP acceptance
3061 -os <n>: set timeout for SMTP acceptance */
3062
3063 else if (*argrest == 'r' || *argrest == 's')
3064 {
3065 int *tp = (*argrest == 'r')?
3066 &arg_receive_timeout : &arg_smtp_receive_timeout;
3067 if (argrest[1] == 0)
3068 {
3069 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3070 }
3071 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3072 if (*tp < 0)
9af3c549 3073 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
059ec3d9
PH
3074 }
3075
3076 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3077
3078 else if (Ustrcmp(argrest, "X") == 0)
3079 override_local_interfaces = argv[++i];
3080
3081 /* Unknown -o argument */
3082
3083 else badarg = TRUE;
3084 break;
3085
3086
3087 /* -ps: force Perl startup; -pd force delayed Perl startup */
3088
3089 case 'p':
3090 #ifdef EXIM_PERL
3091 if (*argrest == 's' && argrest[1] == 0)
3092 {
3093 perl_start_option = 1;
3094 break;
3095 }
3096 if (*argrest == 'd' && argrest[1] == 0)
3097 {
3098 perl_start_option = -1;
3099 break;
3100 }
3101 #endif
3102
3103 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3104 which sets the host protocol and host name */
3105
3106 if (*argrest == 0)
5bfe3b35
JH
3107 if (i+1 < argc)
3108 argrest = argv[++i];
3109 else
059ec3d9 3110 { badarg = TRUE; break; }
059ec3d9
PH
3111
3112 if (*argrest != 0)
3113 {
65e061b7
HSHR
3114 uschar *hn;
3115
3116 if (received_protocol)
9af3c549 3117 exim_fail("received_protocol is set already\n");
65e061b7
HSHR
3118
3119 hn = Ustrchr(argrest, ':');
059ec3d9 3120 if (hn == NULL)
059ec3d9 3121 received_protocol = argrest;
059ec3d9
PH
3122 else
3123 {
90341c71
JH
3124 int old_pool = store_pool;
3125 store_pool = POOL_PERM;
059ec3d9 3126 received_protocol = string_copyn(argrest, hn - argrest);
90341c71 3127 store_pool = old_pool;
059ec3d9
PH
3128 sender_host_name = hn + 1;
3129 }
3130 }
3131 break;
3132
3133
3134 case 'q':
3135 receiving_message = FALSE;
3cc66b45 3136 if (queue_interval >= 0)
9af3c549 3137 exim_fail("exim: -q specified more than once\n");
059ec3d9
PH
3138
3139 /* -qq...: Do queue runs in a 2-stage manner */
3140
3141 if (*argrest == 'q')
3142 {
8768d548 3143 f.queue_2stage = TRUE;
059ec3d9
PH
3144 argrest++;
3145 }
3146
3147 /* -qi...: Do only first (initial) deliveries */
3148
3149 if (*argrest == 'i')
3150 {
8768d548 3151 f.queue_run_first_delivery = TRUE;
059ec3d9
PH
3152 argrest++;
3153 }
3154
3155 /* -qf...: Run the queue, forcing deliveries
3156 -qff..: Ditto, forcing thawing as well */
3157
3158 if (*argrest == 'f')
3159 {
8768d548 3160 f.queue_run_force = TRUE;
55e70e76 3161 if (*++argrest == 'f')
059ec3d9 3162 {
8768d548 3163 f.deliver_force_thaw = TRUE;
059ec3d9
PH
3164 argrest++;
3165 }
3166 }
3167
3168 /* -q[f][f]l...: Run the queue only on local deliveries */
3169
3170 if (*argrest == 'l')
3171 {
8768d548 3172 f.queue_run_local = TRUE;
059ec3d9
PH
3173 argrest++;
3174 }
3175
55e70e76 3176 /* -q[f][f][l][G<name>]... Work on the named queue */
28b3821f
JH
3177
3178 if (*argrest == 'G')
3179 {
fa665e0b
JH
3180 int i;
3181 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3182 queue_name = string_copyn(argrest, i);
3183 argrest += i;
3184 if (*argrest == '/') argrest++;
28b3821f
JH
3185 }
3186
3187 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3188 only, optionally named, optionally starting from a given message id. */
059ec3d9
PH
3189
3190 if (*argrest == 0 &&
3191 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3192 {
3193 queue_interval = 0;
3194 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3195 start_queue_run_id = argv[++i];
3196 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3197 stop_queue_run_id = argv[++i];
3198 }
3199
fa665e0b
JH
3200 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3201 forced, optionally local only, optionally named. */
059ec3d9 3202
55e70e76
JH
3203 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3204 0, FALSE)) <= 0)
9af3c549 3205 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
059ec3d9
PH
3206 break;
3207
3208
3209 case 'R': /* Synonymous with -qR... */
3210 receiving_message = FALSE;
3211
3212 /* -Rf: As -R (below) but force all deliveries,
3213 -Rff: Ditto, but also thaw all frozen messages,
3214 -Rr: String is regex
3215 -Rrf: Regex and force
3216 -Rrff: Regex and force and thaw
3217
3218 in all cases provided there are no further characters in this
3219 argument. */
3220
3221 if (*argrest != 0)
3222 {
3223 int i;
55e70e76 3224 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3225 if (Ustrcmp(argrest, rsopts[i]) == 0)
3226 {
8768d548
JH
3227 if (i != 2) f.queue_run_force = TRUE;
3228 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3229 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
059ec3d9
PH
3230 argrest += Ustrlen(rsopts[i]);
3231 }
059ec3d9
PH
3232 }
3233
3234 /* -R: Set string to match in addresses for forced queue run to
3235 pick out particular messages. */
3236
55e70e76
JH
3237 if (*argrest)
3238 deliver_selectstring = argrest;
3239 else if (i+1 < argc)
3240 deliver_selectstring = argv[++i];
3241 else
9af3c549 3242 exim_fail("exim: string expected after -R\n");
059ec3d9
PH
3243 break;
3244
3245
3246 /* -r: an obsolete synonym for -f (see above) */
3247
3248
3249 /* -S: Like -R but works on sender. */
3250
3251 case 'S': /* Synonymous with -qS... */
3252 receiving_message = FALSE;
3253
3254 /* -Sf: As -S (below) but force all deliveries,
3255 -Sff: Ditto, but also thaw all frozen messages,
3256 -Sr: String is regex
3257 -Srf: Regex and force
3258 -Srff: Regex and force and thaw
3259
3260 in all cases provided there are no further characters in this
3261 argument. */
3262
55e70e76 3263 if (*argrest)
059ec3d9
PH
3264 {
3265 int i;
55e70e76 3266 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3267 if (Ustrcmp(argrest, rsopts[i]) == 0)
3268 {
8768d548
JH
3269 if (i != 2) f.queue_run_force = TRUE;
3270 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3271 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
059ec3d9
PH
3272 argrest += Ustrlen(rsopts[i]);
3273 }
059ec3d9
PH
3274 }
3275
3276 /* -S: Set string to match in addresses for forced queue run to
3277 pick out particular messages. */
3278
55e70e76
JH
3279 if (*argrest)
3280 deliver_selectstring_sender = argrest;
3281 else if (i+1 < argc)
3282 deliver_selectstring_sender = argv[++i];
3283 else
9af3c549 3284 exim_fail("exim: string expected after -S\n");
059ec3d9
PH
3285 break;
3286
3287 /* -Tqt is an option that is exclusively for use by the testing suite.
3288 It is not recognized in other circumstances. It allows for the setting up
3289 of explicit "queue times" so that various warning/retry things can be
3290 tested. Otherwise variability of clock ticks etc. cause problems. */
3291
3292 case 'T':
8768d548 3293 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
059ec3d9
PH
3294 fudged_queue_times = argv[++i];
3295 else badarg = TRUE;
3296 break;
3297
3298
3299 /* -t: Set flag to extract recipients from body of message. */
3300
3301 case 't':
3302 if (*argrest == 0) extract_recipients = TRUE;
3303
3304 /* -ti: Set flag to extract recipients from body of message, and also
3305 specify that dot does not end the message. */
3306
3307 else if (Ustrcmp(argrest, "i") == 0)
3308 {
3309 extract_recipients = TRUE;
8768d548 3310 f.dot_ends = FALSE;
059ec3d9
PH
3311 }
3312
3313 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3314
3315 #ifdef SUPPORT_TLS
817d9f57 3316 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
059ec3d9
PH
3317 #endif
3318
3319 else badarg = TRUE;
3320 break;
3321
3322
3323 /* -U: This means "initial user submission" in sendmail, apparently. The
3324 doc claims that in future sendmail may refuse syntactically invalid
3325 messages instead of fixing them. For the moment, we just ignore it. */
3326
3327 case 'U':
3328 break;
3329
3330
3331 /* -v: verify things - this is a very low-level debugging */
3332
3333 case 'v':
3334 if (*argrest == 0)
3335 {
3336 debug_selector |= D_v;
3337 debug_file = stderr;
3338 }
3339 else badarg = TRUE;
3340 break;
3341
3342
3343 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3344
3345 The -x flag tells the sendmail command that mail from a local
3346 mail program has National Language Support (NLS) extended characters
3347 in the body of the mail item. The sendmail command can send mail with
3348 extended NLS characters across networks that normally corrupts these
3349 8-bit characters.
3350
3351 As Exim is 8-bit clean, it just ignores this flag. */
3352
3353 case 'x':
3354 if (*argrest != 0) badarg = TRUE;
3355 break;
3356
a3fb9793
PP
3357 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3358 logs to that file. We swallow the parameter and otherwise ignore it. */
3359
3360 case 'X':
3361 if (*argrest == '\0')
a3fb9793 3362 if (++i >= argc)
9af3c549 3363 exim_fail("exim: string expected after -X\n");
0ad2e0fc
JH
3364 break;
3365
3366 case 'z':
3367 if (*argrest == '\0')
9af3c549
JH
3368 if (++i < argc)
3369 log_oneline = argv[i];
3370 else
3371 exim_fail("exim: file name expected after %s\n", argv[i-1]);
a3fb9793
PP
3372 break;
3373
059ec3d9
PH
3374 /* All other initial characters are errors */
3375
3376 default:
3377 badarg = TRUE;
3378 break;
3379 } /* End of high-level switch statement */
3380
3381 /* Failed to recognize the option, or syntax error */
3382
3383 if (badarg)
9af3c549 3384 exim_fail("exim abandoned: unknown, malformed, or incomplete "
059ec3d9 3385 "option %s\n", arg);
059ec3d9
PH
3386 }
3387
3388
3cc66b45
PH
3389/* If -R or -S have been specified without -q, assume a single queue run. */
3390
55e70e76
JH
3391if ( (deliver_selectstring || deliver_selectstring_sender)
3392 && queue_interval < 0)
3393 queue_interval = 0;
3cc66b45
PH
3394
3395
059ec3d9 3396END_ARG:
81ea09ca
NM
3397/* If usage_wanted is set we call the usage function - which never returns */
3398if (usage_wanted) exim_usage(called_as);
3399
3400/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
3401if ((
3402 (smtp_input || extract_recipients || recipients_arg < argc) &&
8768d548 3403 (f.daemon_listen || queue_interval >= 0 || bi_option ||
059ec3d9 3404 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 3405 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
3406 ) ||
3407 (
3408 msg_action_arg > 0 &&
8768d548 3409 (f.daemon_listen || queue_interval > 0 || list_options ||
0ef732d9
PH
3410 (checking && msg_action != MSG_LOAD) ||
3411 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
3412 ) ||
3413 (
8768d548 3414 (f.daemon_listen || queue_interval > 0) &&
059ec3d9 3415 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 3416 bi_option)
059ec3d9
PH
3417 ) ||
3418 (
8768d548 3419 f.daemon_listen && queue_interval == 0
059ec3d9
PH
3420 ) ||
3421 (
8768d548 3422 f.inetd_wait_mode && queue_interval >= 0
9ee44efb
PP
3423 ) ||
3424 (
059ec3d9
PH
3425 list_options &&
3426 (checking || smtp_input || extract_recipients ||
f05da2e8 3427 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3428 ) ||
3429 (
3430 verify_address_mode &&
8768d548 3431 (f.address_test_mode || smtp_input || extract_recipients ||
f05da2e8 3432 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3433 ) ||
3434 (
8768d548 3435 f.address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 3436 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3437 ) ||
3438 (
f05da2e8 3439 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
3440 extract_recipients)
3441 ) ||
3442 (
3443 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
3444 ) ||
3445 (
3446 msg_action == MSG_LOAD &&
3447 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3448 )
3449 )
9af3c549 3450 exim_fail("exim: incompatible command-line options or arguments\n");
059ec3d9
PH
3451
3452/* If debugging is set up, set the file and the file descriptor to pass on to
3453child processes. It should, of course, be 2 for stderr. Also, force the daemon
3454to run in the foreground. */
3455
3456if (debug_selector != 0)
3457 {
3458 debug_file = stderr;
3459 debug_fd = fileno(debug_file);
8768d548
JH
3460 f.background_daemon = FALSE;
3461 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
059ec3d9
PH
3462 if (debug_selector != D_v) /* -v only doesn't show this */
3463 {
3464 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3465 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3466 debug_selector);
6545de78
PP
3467 if (!version_printed)
3468 show_whats_supported(stderr);
059ec3d9
PH
3469 }
3470 }
3471
3472/* When started with root privilege, ensure that the limits on the number of
3473open files and the number of processes (where that is accessible) are
3474sufficiently large, or are unset, in case Exim has been called from an
3475environment where the limits are screwed down. Not all OS have the ability to
3476change some of these limits. */
3477
3478if (unprivileged)
3479 {
3480 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3481 }
3482else
3483 {
3484 struct rlimit rlp;
3485
3486 #ifdef RLIMIT_NOFILE
3487 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3488 {
3489 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3490 strerror(errno));
3491 rlp.rlim_cur = rlp.rlim_max = 0;
3492 }
eb2c0248
PH
3493
3494 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3495 be exceeded. It turns out that some older OS have a fixed upper limit of
3496 256. */
eb2c0248 3497
059ec3d9
PH
3498 if (rlp.rlim_cur < 1000)
3499 {
3500 rlp.rlim_cur = rlp.rlim_max = 1000;
3501 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3502 {
a494b1e1
PH
3503 rlp.rlim_cur = rlp.rlim_max = 256;
3504 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3505 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3506 strerror(errno));
eb2c0248 3507 }
059ec3d9
PH
3508 }
3509 #endif
3510
3511 #ifdef RLIMIT_NPROC
3512 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3513 {
3514 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3515 strerror(errno));
3516 rlp.rlim_cur = rlp.rlim_max = 0;
3517 }
3518
3519 #ifdef RLIM_INFINITY
3520 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3521 {
3522 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3523 #else
3524 if (rlp.rlim_cur < 1000)
3525 {
3526 rlp.rlim_cur = rlp.rlim_max = 1000;
3527 #endif
3528 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3529 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3530 strerror(errno));
3531 }
3532 #endif
3533 }
3534
3535/* Exim is normally entered as root (but some special configurations are
3536possible that don't do this). However, it always spins off sub-processes that
3537set their uid and gid as required for local delivery. We don't want to pass on
3538any extra groups that root may belong to, so we want to get rid of them all at
3539this point.
3540
3541We need to obey setgroups() at this stage, before possibly giving up root
3542privilege for a changed configuration file, but later on we might need to
3543check on the additional groups for the admin user privilege - can't do that
3544till after reading the config, which might specify the exim gid. Therefore,
3545save the group list here first. */
3546
157d73b5 3547if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
9af3c549 3548 exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
059ec3d9
PH
3549
3550/* There is a fundamental difference in some BSD systems in the matter of
3551groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3552known not to be different. On the "different" systems there is a single group
3553list, and the first entry in it is the current group. On all other versions of
3554Unix there is a supplementary group list, which is in *addition* to the current
3555group. Consequently, to get rid of all extraneous groups on a "standard" system
3556you pass over 0 groups to setgroups(), while on a "different" system you pass
3557over a single group - the current group, which is always the first group in the
3558list. Calling setgroups() with zero groups on a "different" system results in
3559an error return. The following code should cope with both types of system.
3560
3b7ac02c
JH
3561 Unfortunately, recent MacOS, which should be a FreeBSD, "helpfully" succeeds
3562 the "setgroups() with zero groups" - and changes the egid.
3563 Thanks to that we had to stash the original_egid above, for use below
3564 in the call to exim_setugid().
3565
059ec3d9
PH
3566However, if this process isn't running as root, setgroups() can't be used
3567since you have to be root to run it, even if throwing away groups. Not being
3568root here happens only in some unusual configurations. We just ignore the
3569error. */
3570
9af3c549
JH
3571if (setgroups(0, NULL) != 0 && setgroups(1, group_list) != 0 && !unprivileged)
3572 exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
059ec3d9
PH
3573
3574/* If the configuration file name has been altered by an argument on the
3575command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3576not root, or if this is a filter testing run, remove any setuid privilege the
3577program has and run as the underlying user.
059ec3d9 3578
cd25e41d
DW
3579The exim user is locked out of this, which severely restricts the use of -C
3580for some purposes.
059ec3d9
PH
3581
3582Otherwise, set the real ids to the effective values (should be root unless run
3583from inetd, which it can either be root or the exim uid, if one is configured).
3584
3585There is a private mechanism for bypassing some of this, in order to make it
3586possible to test lots of configurations automatically, without having either to
3587recompile each time, or to patch in an actual configuration file name and other
3588values (such as the path name). If running in the test harness, pretend that
3589configuration file changes and macro definitions haven't happened. */
3590
3591if (( /* EITHER */
8768d548 3592 (!f.trusted_config || /* Config changed, or */
a4034eb8 3593 !macros_trusted(opt_D_used)) && /* impermissible macros and */
059ec3d9 3594 real_uid != root_uid && /* Not root, and */
8768d548 3595 !f.running_in_test_harness /* Not fudged */
059ec3d9
PH
3596 ) || /* OR */
3597 expansion_test /* expansion testing */
3598 || /* OR */
f05da2e8 3599 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3600 {
3601 setgroups(group_count, group_list);
3602 exim_setugid(real_uid, real_gid, FALSE,
3603 US"-C, -D, -be or -bf forces real uid");
3604 removed_privilege = TRUE;
3605
3606 /* In the normal case when Exim is called like this, stderr is available
3607 and should be used for any logging information because attempts to write
3608 to the log will usually fail. To arrange this, we unset really_exim. However,
3609 if no stderr is available there is no point - we might as well have a go
b7487bce 3610 at the log (if it fails, syslog will be written).
059ec3d9 3611
b7487bce
PP
3612 Note that if the invoker is Exim, the logs remain available. Messing with
3613 this causes unlogged successful deliveries. */
3614
9af3c549 3615 if (log_stderr && real_uid != exim_uid)
8768d548 3616 f.really_exim = FALSE;
059ec3d9
PH
3617 }
3618
3619/* Privilege is to be retained for the moment. It may be dropped later,
3620depending on the job that this Exim process has been asked to do. For now, set
3621the real uid to the effective so that subsequent re-execs of Exim are done by a
3622privileged user. */
3623
9af3c549 3624else
3b7ac02c 3625 exim_setugid(geteuid(), original_egid, FALSE, US"forcing real = effective");
059ec3d9 3626
f05da2e8 3627/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3628setups and reading the message. */
3629
9af3c549
JH
3630if (filter_test & FTEST_SYSTEM)
3631 if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
3632 exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
f05da2e8 3633 strerror(errno));
f05da2e8 3634
9af3c549
JH
3635if (filter_test & FTEST_USER)
3636 if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
3637 exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9 3638 strerror(errno));
059ec3d9 3639
8829633f
PP
3640/* Initialise lookup_list
3641If debugging, already called above via version reporting.
3642In either case, we initialise the list of available lookups while running
3643as root. All dynamically modules are loaded from a directory which is
3644hard-coded into the binary and is code which, if not a module, would be
3645part of Exim already. Ability to modify the content of the directory
3646is equivalent to the ability to modify a setuid binary!