Document the change to system_filter_user's default.
[exim.git] / src / src / exim.c
CommitLineData
73a46702 1/* $Cambridge: exim/src/src/exim.c,v 1.71 2010/06/07 00:12:42 pdp Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
0a49a7a4 7/* Copyright (c) University of Cambridge 1995 - 2009 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10
11/* The main function: entry point, initialization, and high-level control.
12Also a few functions that don't naturally fit elsewhere. */
13
14
15#include "exim.h"
16
17
18
19/*************************************************
20* Function interface to store functions *
21*************************************************/
22
23/* We need some real functions to pass to the PCRE regular expression library
24for store allocation via Exim's store manager. The normal calls are actually
25macros that pass over location information to make tracing easier. These
26functions just interface to the standard macro calls. A good compiler will
27optimize out the tail recursion and so not make them too expensive. There
28are two sets of functions; one for use when we want to retain the compiled
29regular expression for a long time; the other for short-term use. */
30
31static void *
32function_store_get(size_t size)
33{
34return store_get((int)size);
35}
36
37static void
38function_dummy_free(void *block) { block = block; }
39
40static void *
41function_store_malloc(size_t size)
42{
43return store_malloc((int)size);
44}
45
46static void
47function_store_free(void *block)
48{
49store_free(block);
50}
51
52
53
54
55/*************************************************
56* Compile regular expression and panic on fail *
57*************************************************/
58
59/* This function is called when failure to compile a regular expression leads
60to a panic exit. In other cases, pcre_compile() is called directly. In many
61cases where this function is used, the results of the compilation are to be
62placed in long-lived store, so we temporarily reset the store management
63functions that PCRE uses if the use_malloc flag is set.
64
65Argument:
66 pattern the pattern to compile
67 caseless TRUE if caseless matching is required
68 use_malloc TRUE if compile into malloc store
69
70Returns: pointer to the compiled pattern
71*/
72
73const pcre *
74regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
75{
76int offset;
77int options = PCRE_COPT;
78const pcre *yield;
79const uschar *error;
80if (use_malloc)
81 {
82 pcre_malloc = function_store_malloc;
83 pcre_free = function_store_free;
84 }
85if (caseless) options |= PCRE_CASELESS;
86yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
87pcre_malloc = function_store_get;
88pcre_free = function_dummy_free;
89if (yield == NULL)
90 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
91 "%s at offset %d while compiling %s", error, offset, pattern);
92return yield;
93}
94
95
96
97
98/*************************************************
99* Execute regular expression and set strings *
100*************************************************/
101
102/* This function runs a regular expression match, and sets up the pointers to
103the matched substrings.
104
105Arguments:
106 re the compiled expression
107 subject the subject string
108 options additional PCRE options
109 setup if < 0 do full setup
110 if >= 0 setup from setup+1 onwards,
111 excluding the full matched string
112
113Returns: TRUE or FALSE
114*/
115
116BOOL
117regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
118{
119int ovector[3*(EXPAND_MAXN+1)];
120int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
121 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
122BOOL yield = n >= 0;
123if (n == 0) n = EXPAND_MAXN + 1;
124if (yield)
125 {
126 int nn;
127 expand_nmax = (setup < 0)? 0 : setup + 1;
128 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
129 {
130 expand_nstring[expand_nmax] = subject + ovector[nn];
131 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
132 }
133 expand_nmax--;
134 }
135return yield;
136}
137
138
139
140
141/*************************************************
142* Handler for SIGUSR1 *
143*************************************************/
144
145/* SIGUSR1 causes any exim process to write to the process log details of
146what it is currently doing. It will only be used if the OS is capable of
147setting up a handler that causes automatic restarting of any system call
148that is in progress at the time.
149
150Argument: the signal number (SIGUSR1)
151Returns: nothing
152*/
153
154static void
155usr1_handler(int sig)
156{
157sig = sig; /* Keep picky compilers happy */
158log_write(0, LOG_PROCESS, "%s", process_info);
159log_close_all();
160os_restarting_signal(SIGUSR1, usr1_handler);
161}
162
163
164
165/*************************************************
166* Timeout handler *
167*************************************************/
168
169/* This handler is enabled most of the time that Exim is running. The handler
170doesn't actually get used unless alarm() has been called to set a timer, to
171place a time limit on a system call of some kind. When the handler is run, it
172re-enables itself.
173
174There are some other SIGALRM handlers that are used in special cases when more
175than just a flag setting is required; for example, when reading a message's
176input. These are normally set up in the code module that uses them, and the
177SIGALRM handler is reset to this one afterwards.
178
179Argument: the signal value (SIGALRM)
180Returns: nothing
181*/
182
183void
184sigalrm_handler(int sig)
185{
186sig = sig; /* Keep picky compilers happy */
187sigalrm_seen = TRUE;
188os_non_restarting_signal(SIGALRM, sigalrm_handler);
189}
190
191
192
193/*************************************************
194* Sleep for a fractional time interval *
195*************************************************/
196
197/* This function is called by millisleep() and exim_wait_tick() to wait for a
198period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
199tedious. We do not expect setitimer() ever to fail, but if it does, the process
200will wait for ever, so we panic in this instance. (There was a case of this
201when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 202That's when I added the check. :-)
059ec3d9
PH
203
204Argument: an itimerval structure containing the interval
205Returns: nothing
206*/
207
208static void
209milliwait(struct itimerval *itval)
210{
211sigset_t sigmask;
212sigset_t old_sigmask;
213(void)sigemptyset(&sigmask); /* Empty mask */
214(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
215(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 216if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
217 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
218 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
219(void)sigfillset(&sigmask); /* All signals */
220(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
221(void)sigsuspend(&sigmask); /* Until SIGALRM */
222(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
223}
224
225
226
227
228/*************************************************
229* Millisecond sleep function *
230*************************************************/
231
232/* The basic sleep() function has a granularity of 1 second, which is too rough
233in some cases - for example, when using an increasing delay to slow down
234spammers.
235
236Argument: number of millseconds
237Returns: nothing
238*/
239
240void
241millisleep(int msec)
242{
243struct itimerval itval;
244itval.it_interval.tv_sec = 0;
245itval.it_interval.tv_usec = 0;
246itval.it_value.tv_sec = msec/1000;
247itval.it_value.tv_usec = (msec % 1000) * 1000;
248milliwait(&itval);
249}
250
251
252
253/*************************************************
254* Compare microsecond times *
255*************************************************/
256
257/*
258Arguments:
259 tv1 the first time
260 tv2 the second time
261
262Returns: -1, 0, or +1
263*/
264
265int
266exim_tvcmp(struct timeval *t1, struct timeval *t2)
267{
268if (t1->tv_sec > t2->tv_sec) return +1;
269if (t1->tv_sec < t2->tv_sec) return -1;
270if (t1->tv_usec > t2->tv_usec) return +1;
271if (t1->tv_usec < t2->tv_usec) return -1;
272return 0;
273}
274
275
276
277
278/*************************************************
279* Clock tick wait function *
280*************************************************/
281
282/* Exim uses a time + a pid to generate a unique identifier in two places: its
283message IDs, and in file names for maildir deliveries. Because some OS now
284re-use pids within the same second, sub-second times are now being used.
285However, for absolute certaintly, we must ensure the clock has ticked before
286allowing the relevant process to complete. At the time of implementation of
287this code (February 2003), the speed of processors is such that the clock will
288invariably have ticked already by the time a process has done its job. This
289function prepares for the time when things are faster - and it also copes with
290clocks that go backwards.
291
292Arguments:
293 then_tv A timeval which was used to create uniqueness; its usec field
294 has been rounded down to the value of the resolution.
295 We want to be sure the current time is greater than this.
296 resolution The resolution that was used to divide the microseconds
297 (1 for maildir, larger for message ids)
298
299Returns: nothing
300*/
301
302void
303exim_wait_tick(struct timeval *then_tv, int resolution)
304{
305struct timeval now_tv;
306long int now_true_usec;
307
308(void)gettimeofday(&now_tv, NULL);
309now_true_usec = now_tv.tv_usec;
310now_tv.tv_usec = (now_true_usec/resolution) * resolution;
311
312if (exim_tvcmp(&now_tv, then_tv) <= 0)
313 {
314 struct itimerval itval;
315 itval.it_interval.tv_sec = 0;
316 itval.it_interval.tv_usec = 0;
317 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
318 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
319
320 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
321 negative value for the microseconds is possible only in the case when "now"
322 is more than a second less than "then". That means that itval.it_value.tv_sec
323 is greater than zero. The following correction is therefore safe. */
324
325 if (itval.it_value.tv_usec < 0)
326 {
327 itval.it_value.tv_usec += 1000000;
328 itval.it_value.tv_sec -= 1;
329 }
330
331 DEBUG(D_transport|D_receive)
332 {
333 if (!running_in_test_harness)
334 {
335 debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
336 then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
337 debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
338 itval.it_value.tv_usec);
339 }
340 }
341
342 milliwait(&itval);
343 }
344}
345
346
347
348
349/*************************************************
350* Set up processing details *
351*************************************************/
352
353/* Save a text string for dumping when SIGUSR1 is received.
354Do checks for overruns.
355
356Arguments: format and arguments, as for printf()
357Returns: nothing
358*/
359
360void
361set_process_info(char *format, ...)
362{
363int len;
364va_list ap;
365sprintf(CS process_info, "%5d ", (int)getpid());
366len = Ustrlen(process_info);
367va_start(ap, format);
368if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap))
369 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
370DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info);
371va_end(ap);
372}
373
374
375
376
377
378/*************************************************
2632889e
PH
379* Call fopen() with umask 777 and adjust mode *
380*************************************************/
381
382/* Exim runs with umask(0) so that files created with open() have the mode that
383is specified in the open() call. However, there are some files, typically in
384the spool directory, that are created with fopen(). They end up world-writeable
385if no precautions are taken. Although the spool directory is not accessible to
386the world, this is an untidiness. So this is a wrapper function for fopen()
387that sorts out the mode of the created file.
388
389Arguments:
390 filename the file name
391 options the fopen() options
392 mode the required mode
393
394Returns: the fopened FILE or NULL
395*/
396
397FILE *
398modefopen(uschar *filename, char *options, mode_t mode)
399{
67d175de
PH
400mode_t saved_umask = umask(0777);
401FILE *f = Ufopen(filename, options);
402(void)umask(saved_umask);
2632889e
PH
403if (f != NULL) (void)fchmod(fileno(f), mode);
404return f;
405}
406
407
408
409
410/*************************************************
059ec3d9
PH
411* Ensure stdin, stdout, and stderr exist *
412*************************************************/
413
414/* Some operating systems grumble if an exec() happens without a standard
415input, output, and error (fds 0, 1, 2) being defined. The worry is that some
416file will be opened and will use these fd values, and then some other bit of
417code will assume, for example, that it can write error messages to stderr.
418This function ensures that fds 0, 1, and 2 are open if they do not already
419exist, by connecting them to /dev/null.
420
421This function is also used to ensure that std{in,out,err} exist at all times,
422so that if any library that Exim calls tries to use them, it doesn't crash.
423
424Arguments: None
425Returns: Nothing
426*/
427
428void
429exim_nullstd(void)
430{
431int i;
432int devnull = -1;
433struct stat statbuf;
434for (i = 0; i <= 2; i++)
435 {
436 if (fstat(i, &statbuf) < 0 && errno == EBADF)
437 {
438 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
439 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
440 string_open_failed(errno, "/dev/null"));
1fe64dcc 441 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
442 }
443 }
1fe64dcc 444if (devnull > 2) (void)close(devnull);
059ec3d9
PH
445}
446
447
448
449
450/*************************************************
451* Close unwanted file descriptors for delivery *
452*************************************************/
453
454/* This function is called from a new process that has been forked to deliver
455an incoming message, either directly, or using exec.
456
457We want any smtp input streams to be closed in this new process. However, it
458has been observed that using fclose() here causes trouble. When reading in -bS
459input, duplicate copies of messages have been seen. The files will be sharing a
460file pointer with the parent process, and it seems that fclose() (at least on
461some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
462least sometimes. Hence we go for closing the underlying file descriptors.
463
464If TLS is active, we want to shut down the TLS library, but without molesting
465the parent's SSL connection.
466
467For delivery of a non-SMTP message, we want to close stdin and stdout (and
468stderr unless debugging) because the calling process might have set them up as
469pipes and be waiting for them to close before it waits for the submission
470process to terminate. If they aren't closed, they hold up the calling process
471until the initial delivery process finishes, which is not what we want.
472
473Exception: We do want it for synchronous delivery!
474
475And notwithstanding all the above, if D_resolver is set, implying resolver
476debugging, leave stdout open, because that's where the resolver writes its
477debugging output.
478
479When we close stderr (which implies we've also closed stdout), we also get rid
480of any controlling terminal.
481
482Arguments: None
483Returns: Nothing
484*/
485
486static void
487close_unwanted(void)
488{
489if (smtp_input)
490 {
491 #ifdef SUPPORT_TLS
492 tls_close(FALSE); /* Shut down the TLS library */
493 #endif
1fe64dcc
PH
494 (void)close(fileno(smtp_in));
495 (void)close(fileno(smtp_out));
059ec3d9
PH
496 smtp_in = NULL;
497 }
498else
499 {
1fe64dcc
PH
500 (void)close(0); /* stdin */
501 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
502 if (debug_selector == 0) /* stderr */
059ec3d9
PH
503 {
504 if (!synchronous_delivery)
505 {
1fe64dcc 506 (void)close(2);
059ec3d9
PH
507 log_stderr = NULL;
508 }
509 (void)setsid();
510 }
511 }
512}
513
514
515
516
517/*************************************************
518* Set uid and gid *
519*************************************************/
520
521/* This function sets a new uid and gid permanently, optionally calling
522initgroups() to set auxiliary groups. There are some special cases when running
523Exim in unprivileged modes. In these situations the effective uid will not be
524root; if we already have the right effective uid/gid, and don't need to
525initialize any groups, leave things as they are.
526
527Arguments:
528 uid the uid
529 gid the gid
530 igflag TRUE if initgroups() wanted
531 msg text to use in debugging output and failure log
532
533Returns: nothing; bombs out on failure
534*/
535
536void
537exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
538{
539uid_t euid = geteuid();
540gid_t egid = getegid();
541
542if (euid == root_uid || euid != uid || egid != gid || igflag)
543 {
544 /* At least one OS returns +1 for initgroups failure, so just check for
545 non-zero. */
546
547 if (igflag)
548 {
549 struct passwd *pw = getpwuid(uid);
550 if (pw != NULL)
551 {
552 if (initgroups(pw->pw_name, gid) != 0)
553 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
554 (long int)uid, strerror(errno));
555 }
556 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
557 "no passwd entry for uid=%ld", (long int)uid);
558 }
559
560 if (setgid(gid) < 0 || setuid(uid) < 0)
561 {
562 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
563 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
564 }
565 }
566
567/* Debugging output included uid/gid and all groups */
568
569DEBUG(D_uid)
570 {
571 int group_count;
572 gid_t group_list[NGROUPS_MAX];
573 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
574 (long int)geteuid(), (long int)getegid(), (long int)getpid());
575 group_count = getgroups(NGROUPS_MAX, group_list);
576 debug_printf(" auxiliary group list:");
577 if (group_count > 0)
578 {
579 int i;
580 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
581 }
582 else debug_printf(" <none>");
583 debug_printf("\n");
584 }
585}
586
587
588
589
590/*************************************************
591* Exit point *
592*************************************************/
593
594/* Exim exits via this function so that it always clears up any open
595databases.
596
597Arguments:
598 rc return code
599
600Returns: does not return
601*/
602
603void
604exim_exit(int rc)
605{
606search_tidyup();
607DEBUG(D_any)
608 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
609 ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
610exit(rc);
611}
612
613
614
615
616/*************************************************
617* Extract port from host address *
618*************************************************/
619
620/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
621It also checks the syntax of the address, and terminates it before the
622port data when a port is extracted.
059ec3d9
PH
623
624Argument:
625 address the address, with possible port on the end
626
627Returns: the port, or zero if there isn't one
628 bombs out on a syntax error
629*/
630
631static int
632check_port(uschar *address)
633{
7cd1141b 634int port = host_address_extract_port(address);
8e669ac1 635if (string_is_ip_address(address, NULL) == 0)
059ec3d9
PH
636 {
637 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
638 exit(EXIT_FAILURE);
639 }
640return port;
641}
642
643
644
645/*************************************************
646* Test/verify an address *
647*************************************************/
648
649/* This function is called by the -bv and -bt code. It extracts a working
650address from a full RFC 822 address. This isn't really necessary per se, but it
651has the effect of collapsing source routes.
652
653Arguments:
654 s the address string
655 flags flag bits for verify_address()
656 exit_value to be set for failures
657
a5a28604 658Returns: nothing
059ec3d9
PH
659*/
660
661static void
662test_address(uschar *s, int flags, int *exit_value)
663{
664int start, end, domain;
665uschar *parse_error = NULL;
666uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
667 FALSE);
668if (address == NULL)
669 {
670 fprintf(stdout, "syntax error: %s\n", parse_error);
671 *exit_value = 2;
672 }
673else
674 {
675 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 676 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
677 if (rc == FAIL) *exit_value = 2;
678 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
679 }
680}
681
682
683
684/*************************************************
059ec3d9
PH
685* Show supported features *
686*************************************************/
687
4b2241d2
PP
688/* This function is called for -bV/--version and for -d to output the optional
689features of the current Exim binary.
059ec3d9
PH
690
691Arguments: a FILE for printing
692Returns: nothing
693*/
694
695static void
696show_whats_supported(FILE *f)
697{
698#ifdef DB_VERSION_STRING
699fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
700#elif defined(BTREEVERSION) && defined(HASHVERSION)
701 #ifdef USE_DB
702 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
703 #else
704 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
705 #endif
706#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
707fprintf(f, "Probably ndbm\n");
708#elif defined(USE_TDB)
709fprintf(f, "Using tdb\n");
710#else
711 #ifdef USE_GDBM
712 fprintf(f, "Probably GDBM (native mode)\n");
713 #else
714 fprintf(f, "Probably GDBM (compatibility mode)\n");
715 #endif
716#endif
717
718fprintf(f, "Support for:");
9cec981f
PH
719#ifdef SUPPORT_CRYPTEQ
720 fprintf(f, " crypteq");
721#endif
059ec3d9
PH
722#if HAVE_ICONV
723 fprintf(f, " iconv()");
724#endif
725#if HAVE_IPV6
726 fprintf(f, " IPv6");
727#endif
79378e0f
PH
728#ifdef HAVE_SETCLASSRESOURCES
729 fprintf(f, " use_setclassresources");
929ba01c 730#endif
059ec3d9
PH
731#ifdef SUPPORT_PAM
732 fprintf(f, " PAM");
733#endif
734#ifdef EXIM_PERL
735 fprintf(f, " Perl");
736#endif
1a46a8c5
PH
737#ifdef EXPAND_DLFUNC
738 fprintf(f, " Expand_dlfunc");
739#endif
059ec3d9
PH
740#ifdef USE_TCP_WRAPPERS
741 fprintf(f, " TCPwrappers");
742#endif
743#ifdef SUPPORT_TLS
744 #ifdef USE_GNUTLS
745 fprintf(f, " GnuTLS");
746 #else
747 fprintf(f, " OpenSSL");
748 #endif
749#endif
b2f5a032
PH
750#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
751 fprintf(f, " translate_ip_address");
752#endif
f174f16e
PH
753#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
754 fprintf(f, " move_frozen_messages");
755#endif
8523533c
TK
756#ifdef WITH_CONTENT_SCAN
757 fprintf(f, " Content_Scanning");
758#endif
80a47a2c
TK
759#ifndef DISABLE_DKIM
760 fprintf(f, " DKIM");
761#endif
8523533c
TK
762#ifdef WITH_OLD_DEMIME
763 fprintf(f, " Old_Demime");
764#endif
765#ifdef EXPERIMENTAL_SPF
766 fprintf(f, " Experimental_SPF");
767#endif
768#ifdef EXPERIMENTAL_SRS
769 fprintf(f, " Experimental_SRS");
770#endif
771#ifdef EXPERIMENTAL_BRIGHTMAIL
772 fprintf(f, " Experimental_Brightmail");
773#endif
6a8f9482
TK
774#ifdef EXPERIMENTAL_DCC
775 fprintf(f, " Experimental_DCC");
776#endif
059ec3d9
PH
777fprintf(f, "\n");
778
779fprintf(f, "Lookups:");
780#ifdef LOOKUP_LSEARCH
781 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
782#endif
783#ifdef LOOKUP_CDB
784 fprintf(f, " cdb");
785#endif
786#ifdef LOOKUP_DBM
787 fprintf(f, " dbm dbmnz");
788#endif
789#ifdef LOOKUP_DNSDB
790 fprintf(f, " dnsdb");
791#endif
792#ifdef LOOKUP_DSEARCH
793 fprintf(f, " dsearch");
794#endif
795#ifdef LOOKUP_IBASE
796 fprintf(f, " ibase");
797#endif
798#ifdef LOOKUP_LDAP
799 fprintf(f, " ldap ldapdn ldapm");
800#endif
801#ifdef LOOKUP_MYSQL
802 fprintf(f, " mysql");
803#endif
804#ifdef LOOKUP_NIS
805 fprintf(f, " nis nis0");
806#endif
807#ifdef LOOKUP_NISPLUS
808 fprintf(f, " nisplus");
809#endif
810#ifdef LOOKUP_ORACLE
811 fprintf(f, " oracle");
812#endif
813#ifdef LOOKUP_PASSWD
814 fprintf(f, " passwd");
815#endif
816#ifdef LOOKUP_PGSQL
817 fprintf(f, " pgsql");
818#endif
13b685f9
PH
819#ifdef LOOKUP_SQLITE
820 fprintf(f, " sqlite");
821#endif
059ec3d9
PH
822#ifdef LOOKUP_TESTDB
823 fprintf(f, " testdb");
824#endif
825#ifdef LOOKUP_WHOSON
826 fprintf(f, " whoson");
827#endif
828fprintf(f, "\n");
829
830fprintf(f, "Authenticators:");
831#ifdef AUTH_CRAM_MD5
832 fprintf(f, " cram_md5");
833#endif
834#ifdef AUTH_CYRUS_SASL
835 fprintf(f, " cyrus_sasl");
836#endif
14aa5a05
PH
837#ifdef AUTH_DOVECOT
838 fprintf(f, " dovecot");
839#endif
059ec3d9
PH
840#ifdef AUTH_PLAINTEXT
841 fprintf(f, " plaintext");
842#endif
843#ifdef AUTH_SPA
844 fprintf(f, " spa");
845#endif
846fprintf(f, "\n");
847
848fprintf(f, "Routers:");
849#ifdef ROUTER_ACCEPT
850 fprintf(f, " accept");
851#endif
852#ifdef ROUTER_DNSLOOKUP
853 fprintf(f, " dnslookup");
854#endif
855#ifdef ROUTER_IPLITERAL
856 fprintf(f, " ipliteral");
857#endif
858#ifdef ROUTER_IPLOOKUP
859 fprintf(f, " iplookup");
860#endif
861#ifdef ROUTER_MANUALROUTE
862 fprintf(f, " manualroute");
863#endif
864#ifdef ROUTER_QUERYPROGRAM
865 fprintf(f, " queryprogram");
866#endif
867#ifdef ROUTER_REDIRECT
868 fprintf(f, " redirect");
869#endif
870fprintf(f, "\n");
871
872fprintf(f, "Transports:");
873#ifdef TRANSPORT_APPENDFILE
874 fprintf(f, " appendfile");
875 #ifdef SUPPORT_MAILDIR
876 fprintf(f, "/maildir");
877 #endif
878 #ifdef SUPPORT_MAILSTORE
879 fprintf(f, "/mailstore");
880 #endif
881 #ifdef SUPPORT_MBX
882 fprintf(f, "/mbx");
883 #endif
884#endif
885#ifdef TRANSPORT_AUTOREPLY
886 fprintf(f, " autoreply");
887#endif
888#ifdef TRANSPORT_LMTP
889 fprintf(f, " lmtp");
890#endif
891#ifdef TRANSPORT_PIPE
892 fprintf(f, " pipe");
893#endif
894#ifdef TRANSPORT_SMTP
895 fprintf(f, " smtp");
896#endif
897fprintf(f, "\n");
898
899if (fixed_never_users[0] > 0)
900 {
901 int i;
902 fprintf(f, "Fixed never_users: ");
903 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
904 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
905 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
906 }
21c28500 907
73a46702 908fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725
NM
909
910/* This runtime check is to help diagnose library linkage mismatches which
911result in segfaults and the like; as such, it's left until the end,
912just in case. There will still be a "Configuration file is" line still to
913come. */
914#ifdef SUPPORT_TLS
915tls_version_report(f);
916#endif
059ec3d9
PH
917}
918
919
920
921
922/*************************************************
923* Quote a local part *
924*************************************************/
925
926/* This function is used when a sender address or a From: or Sender: header
927line is being created from the caller's login, or from an authenticated_id. It
928applies appropriate quoting rules for a local part.
929
930Argument: the local part
931Returns: the local part, quoted if necessary
932*/
933
934uschar *
935local_part_quote(uschar *lpart)
936{
937BOOL needs_quote = FALSE;
938int size, ptr;
939uschar *yield;
940uschar *t;
941
942for (t = lpart; !needs_quote && *t != 0; t++)
943 {
944 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
945 (*t != '.' || t == lpart || t[1] == 0);
946 }
947
948if (!needs_quote) return lpart;
949
950size = ptr = 0;
951yield = string_cat(NULL, &size, &ptr, US"\"", 1);
952
953for (;;)
954 {
955 uschar *nq = US Ustrpbrk(lpart, "\\\"");
956 if (nq == NULL)
957 {
958 yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
959 break;
960 }
961 yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
962 yield = string_cat(yield, &size, &ptr, US"\\", 1);
963 yield = string_cat(yield, &size, &ptr, nq, 1);
964 lpart = nq + 1;
965 }
966
967yield = string_cat(yield, &size, &ptr, US"\"", 1);
968yield[ptr] = 0;
969return yield;
970}
971
972
973
974#ifdef USE_READLINE
975/*************************************************
976* Load readline() functions *
977*************************************************/
978
979/* This function is called from testing executions that read data from stdin,
980but only when running as the calling user. Currently, only -be does this. The
981function loads the readline() function library and passes back the functions.
982On some systems, it needs the curses library, so load that too, but try without
983it if loading fails. All this functionality has to be requested at build time.
984
985Arguments:
986 fn_readline_ptr pointer to where to put the readline pointer
987 fn_addhist_ptr pointer to where to put the addhistory function
988
989Returns: the dlopen handle or NULL on failure
990*/
991
992static void *
993set_readline(char * (**fn_readline_ptr)(char *),
994 char * (**fn_addhist_ptr)(char *))
995{
996void *dlhandle;
997void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY);
998
999dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW);
1000if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1001
1002if (dlhandle != NULL)
1003 {
1004 *fn_readline_ptr = (char *(*)(char*))dlsym(dlhandle, "readline");
1005 *fn_addhist_ptr = (char *(*)(char*))dlsym(dlhandle, "add_history");
1006 }
1007else
1008 {
1009 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1010 }
1011
1012return dlhandle;
1013}
1014#endif
1015
1016
1017
1018/*************************************************
1019* Get a line from stdin for testing things *
1020*************************************************/
1021
1022/* This function is called when running tests that can take a number of lines
1023of input (for example, -be and -bt). It handles continuations and trailing
1024spaces. And prompting and a blank line output on eof. If readline() is in use,
1025the arguments are non-NULL and provide the relevant functions.
1026
1027Arguments:
1028 fn_readline readline function or NULL
1029 fn_addhist addhist function or NULL
1030
1031Returns: pointer to dynamic memory, or NULL at end of file
1032*/
1033
1034static uschar *
1035get_stdinput(char *(*fn_readline)(char *), char *(*fn_addhist)(char *))
1036{
1037int i;
1038int size = 0;
1039int ptr = 0;
1040uschar *yield = NULL;
1041
328895cc 1042if (fn_readline == NULL) { printf("> "); fflush(stdout); }
059ec3d9
PH
1043
1044for (i = 0;; i++)
1045 {
1046 uschar buffer[1024];
1047 uschar *p, *ss;
1048
1049 #ifdef USE_READLINE
1050 char *readline_line = NULL;
1051 if (fn_readline != NULL)
1052 {
1053 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1054 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1055 p = US readline_line;
1056 }
1057 else
1058 #endif
1059
1060 /* readline() not in use */
1061
1062 {
1063 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1064 p = buffer;
1065 }
1066
1067 /* Handle the line */
1068
1069 ss = p + (int)Ustrlen(p);
1070 while (ss > p && isspace(ss[-1])) ss--;
1071
1072 if (i > 0)
1073 {
1074 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1075 }
1076
1077 yield = string_cat(yield, &size, &ptr, p, ss - p);
1078
1079 #ifdef USE_READLINE
1080 if (fn_readline != NULL) free(readline_line);
1081 #endif
1082
1083 if (ss == p || yield[ptr-1] != '\\')
1084 {
1085 yield[ptr] = 0;
1086 break;
1087 }
1088 yield[--ptr] = 0;
1089 }
1090
1091if (yield == NULL) printf("\n");
1092return yield;
1093}
1094
1095
1096
1097/*************************************************
81ea09ca
NM
1098* Output usage information for the program *
1099*************************************************/
1100
1101/* This function is called when there are no recipients
1102 or a specific --help argument was added.
1103
1104Arguments:
1105 progname information on what name we were called by
1106
1107Returns: DOES NOT RETURN
1108*/
1109
1110static void
1111exim_usage(uschar *progname)
1112{
1113
1114/* Handle specific program invocation varients */
1115if (Ustrcmp(progname, US"-mailq") == 0)
1116 {
1117 fprintf(stderr,
e765a0f1 1118 "mailq - list the contents of the mail queue\n\n"
81ea09ca
NM
1119 "For a list of options, see the Exim documentation.\n");
1120 exit(EXIT_FAILURE);
1121 }
1122
1123/* Generic usage - we output this whatever happens */
1124fprintf(stderr,
1125 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1126 "not directly from a shell command line. Options and/or arguments control\n"
1127 "what it does when called. For a list of options, see the Exim documentation.\n");
1128
1129exit(EXIT_FAILURE);
1130}
1131
1132
1133
1134/*************************************************
059ec3d9
PH
1135* Entry point and high-level code *
1136*************************************************/
1137
1138/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1139the appropriate action. All the necessary functions are present in the one
1140binary. I originally thought one should split it up, but it turns out that so
1141much of the apparatus is needed in each chunk that one might as well just have
1142it all available all the time, which then makes the coding easier as well.
1143
1144Arguments:
1145 argc count of entries in argv
1146 argv argument strings, with argv[0] being the program name
1147
1148Returns: EXIT_SUCCESS if terminated successfully
1149 EXIT_FAILURE otherwise, except when a message has been sent
1150 to the sender, and -oee was given
1151*/
1152
1153int
1154main(int argc, char **cargv)
1155{
1156uschar **argv = USS cargv;
1157int arg_receive_timeout = -1;
1158int arg_smtp_receive_timeout = -1;
1159int arg_error_handling = error_handling;
f05da2e8
PH
1160int filter_sfd = -1;
1161int filter_ufd = -1;
059ec3d9
PH
1162int group_count;
1163int i;
1164int list_queue_option = 0;
1165int msg_action = 0;
1166int msg_action_arg = -1;
1167int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1168int queue_only_reason = 0;
1169#ifdef EXIM_PERL
1170int perl_start_option = 0;
1171#endif
1172int recipients_arg = argc;
1173int sender_address_domain = 0;
1174int test_retry_arg = -1;
1175int test_rewrite_arg = -1;
1176BOOL arg_queue_only = FALSE;
1177BOOL bi_option = FALSE;
1178BOOL checking = FALSE;
1179BOOL count_queue = FALSE;
1180BOOL expansion_test = FALSE;
1181BOOL extract_recipients = FALSE;
1182BOOL forced_delivery = FALSE;
1183BOOL f_end_dot = FALSE;
1184BOOL deliver_give_up = FALSE;
1185BOOL list_queue = FALSE;
1186BOOL list_options = FALSE;
1187BOOL local_queue_only;
1188BOOL more = TRUE;
1189BOOL one_msg_action = FALSE;
1190BOOL queue_only_set = FALSE;
1191BOOL receiving_message = TRUE;
33d73e3b 1192BOOL sender_ident_set = FALSE;
8669f003 1193BOOL session_local_queue_only;
059ec3d9
PH
1194BOOL unprivileged;
1195BOOL removed_privilege = FALSE;
81ea09ca 1196BOOL usage_wanted = FALSE;
059ec3d9
PH
1197BOOL verify_address_mode = FALSE;
1198BOOL verify_as_sender = FALSE;
1199BOOL version_printed = FALSE;
1200uschar *alias_arg = NULL;
1201uschar *called_as = US"";
1202uschar *start_queue_run_id = NULL;
1203uschar *stop_queue_run_id = NULL;
328895cc 1204uschar *expansion_test_message = NULL;
059ec3d9
PH
1205uschar *ftest_domain = NULL;
1206uschar *ftest_localpart = NULL;
1207uschar *ftest_prefix = NULL;
1208uschar *ftest_suffix = NULL;
8544e77a 1209uschar *malware_test_file = NULL;
059ec3d9
PH
1210uschar *real_sender_address;
1211uschar *originator_home = US"/";
059ec3d9
PH
1212void *reset_point;
1213
1214struct passwd *pw;
1215struct stat statbuf;
1216pid_t passed_qr_pid = (pid_t)0;
1217int passed_qr_pipe = -1;
1218gid_t group_list[NGROUPS_MAX];
1219
1220/* Possible options for -R and -S */
1221
1222static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1223
1224/* Need to define this in case we need to change the environment in order
1225to get rid of a bogus time zone. We have to make it char rather than uschar
1226because some OS define it in /usr/include/unistd.h. */
1227
1228extern char **environ;
1229
35edf2ff 1230/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1231defined by ref:name at build time, we must now find the actual uid/gid values.
1232This is a feature to make the lives of binary distributors easier. */
1233
1234#ifdef EXIM_USERNAME
1235if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1236 {
10385c15
PP
1237 if (exim_uid == 0)
1238 {
1239 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1240 EXIM_USERNAME);
1241 exit(EXIT_FAILURE);
1242 }
059ec3d9
PH
1243 exim_gid = pw->pw_gid;
1244 }
1245else
1246 {
1247 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1248 EXIM_USERNAME);
1249 exit(EXIT_FAILURE);
1250 }
1251#endif
1252
1253#ifdef EXIM_GROUPNAME
1254if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1255 {
1256 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1257 EXIM_GROUPNAME);
1258 exit(EXIT_FAILURE);
1259 }
1260#endif
1261
1262#ifdef CONFIGURE_OWNERNAME
1263if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1264 {
1265 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1266 CONFIGURE_OWNERNAME);
1267 exit(EXIT_FAILURE);
1268 }
1269#endif
1270
79d4bc3d
PP
1271/* We default the system_filter_user to be the Exim run-time user, as a
1272sane non-root value. */
1273system_filter_uid = exim_uid;
1274
35edf2ff
PH
1275#ifdef CONFIGURE_GROUPNAME
1276if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1277 {
1278 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1279 CONFIGURE_GROUPNAME);
1280 exit(EXIT_FAILURE);
1281 }
1282#endif
1283
059ec3d9
PH
1284/* In the Cygwin environment, some initialization needs doing. It is fudged
1285in by means of this macro. */
1286
1287#ifdef OS_INIT
1288OS_INIT
1289#endif
1290
1291/* Check a field which is patched when we are running Exim within its
1292testing harness; do a fast initial check, and then the whole thing. */
1293
1294running_in_test_harness =
1295 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1296
1297/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1298at the start of a program; however, it seems that some environments do not
1299follow this. A "strange" locale can affect the formatting of timestamps, so we
1300make quite sure. */
1301
1302setlocale(LC_ALL, "C");
1303
1304/* Set up the default handler for timing using alarm(). */
1305
1306os_non_restarting_signal(SIGALRM, sigalrm_handler);
1307
1308/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1309because store_malloc writes a log entry on failure. */
1310
1311log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1312if (log_buffer == NULL)
1313 {
1314 fprintf(stderr, "exim: failed to get store for log buffer\n");
1315 exit(EXIT_FAILURE);
1316 }
1317
1318/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1319NULL when the daemon is run and the file is closed. We have to use this
1320indirection, because some systems don't allow writing to the variable "stderr".
1321*/
1322
1323if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1324
1325/* Arrange for the PCRE regex library to use our store functions. Note that
1326the normal calls are actually macros that add additional arguments for
1327debugging purposes so we have to assign specially constructed functions here.
1328The default is to use store in the stacking pool, but this is overridden in the
1329regex_must_compile() function. */
1330
1331pcre_malloc = function_store_get;
1332pcre_free = function_dummy_free;
1333
1334/* Ensure there is a big buffer for temporary use in several places. It is put
1335in malloc store so that it can be freed for enlargement if necessary. */
1336
1337big_buffer = store_malloc(big_buffer_size);
1338
1339/* Set up the handler for the data request signal, and set the initial
1340descriptive text. */
1341
1342set_process_info("initializing");
1343os_restarting_signal(SIGUSR1, usr1_handler);
1344
1345/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1346in the daemon code. For the rest of Exim's uses, we ignore it. */
1347
1348signal(SIGHUP, SIG_IGN);
1349
1350/* We don't want to die on pipe errors as the code is written to handle
1351the write error instead. */
1352
1353signal(SIGPIPE, SIG_IGN);
1354
1355/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1356set to SIG_IGN. This causes subprocesses that complete before the parent
1357process waits for them not to hang around, so when Exim calls wait(), nothing
1358is there. The wait() code has been made robust against this, but let's ensure
1359that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1360ending status. We use sigaction rather than plain signal() on those OS where
1361SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1362problem on AIX with this.) */
1363
1364#ifdef SA_NOCLDWAIT
1365 {
1366 struct sigaction act;
1367 act.sa_handler = SIG_DFL;
1368 sigemptyset(&(act.sa_mask));
1369 act.sa_flags = 0;
1370 sigaction(SIGCHLD, &act, NULL);
1371 }
1372#else
1373signal(SIGCHLD, SIG_DFL);
1374#endif
1375
1376/* Save the arguments for use if we re-exec exim as a daemon after receiving
1377SIGHUP. */
1378
1379sighup_argv = argv;
1380
1381/* Set up the version number. Set up the leading 'E' for the external form of
1382message ids, set the pointer to the internal form, and initialize it to
1383indicate no message being processed. */
1384
1385version_init();
1386message_id_option[0] = '-';
1387message_id_external = message_id_option + 1;
1388message_id_external[0] = 'E';
1389message_id = message_id_external + 1;
1390message_id[0] = 0;
1391
67d175de 1392/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1393created with the modes that it specifies. NOTE: Files created with fopen() have
1394a problem, which was not recognized till rather late (February 2006). With this
1395umask, such files will be world writeable. (They are all content scanning files
1396in the spool directory, which isn't world-accessible, so this is not a
1397disaster, but it's untidy.) I don't want to change this overall setting,
1398however, because it will interact badly with the open() calls. Instead, there's
1399now a function called modefopen() that fiddles with the umask while calling
1400fopen(). */
059ec3d9 1401
67d175de 1402(void)umask(0);
059ec3d9
PH
1403
1404/* Precompile the regular expression for matching a message id. Keep this in
1405step with the code that generates ids in the accept.c module. We need to do
1406this here, because the -M options check their arguments for syntactic validity
1407using mac_ismsgid, which uses this. */
1408
1409regex_ismsgid =
1410 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1411
a5bd321b 1412/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1413code, possibly extended, at the start of an error message. Note that the
1414terminating whitespace character is included. */
a5bd321b
PH
1415
1416regex_smtp_code =
1417 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1418 FALSE, TRUE);
1419
059ec3d9
PH
1420/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1421this seems to be a generally accepted convention, since one finds symbolic
1422links called "mailq" in standard OS configurations. */
1423
1424if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1425 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1426 {
1427 list_queue = TRUE;
1428 receiving_message = FALSE;
1429 called_as = US"-mailq";
1430 }
1431
1432/* If the program is called as "rmail" treat it as equivalent to
1433"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1434i.e. preventing a single dot on a line from terminating the message, and
1435returning with zero return code, even in cases of error (provided an error
1436message has been sent). */
1437
1438if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1439 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1440 {
1441 dot_ends = FALSE;
1442 called_as = US"-rmail";
1443 errors_sender_rc = EXIT_SUCCESS;
1444 }
1445
1446/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1447this is a smail convention. */
1448
1449if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1450 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1451 {
1452 smtp_input = smtp_batched_input = TRUE;
1453 called_as = US"-rsmtp";
1454 }
1455
1456/* If the program is called as "runq" treat it as equivalent to "exim -q";
1457this is a smail convention. */
1458
1459if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1460 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1461 {
1462 queue_interval = 0;
1463 receiving_message = FALSE;
1464 called_as = US"-runq";
1465 }
1466
1467/* If the program is called as "newaliases" treat it as equivalent to
1468"exim -bi"; this is a sendmail convention. */
1469
1470if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1471 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1472 {
1473 bi_option = TRUE;
1474 receiving_message = FALSE;
1475 called_as = US"-newaliases";
1476 }
1477
1478/* Save the original effective uid for a couple of uses later. It should
1479normally be root, but in some esoteric environments it may not be. */
1480
1481original_euid = geteuid();
1482
1483/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1484to be the same as the real ones. This makes a difference only if Exim is setuid
1485(or setgid) to something other than root, which could be the case in some
1486special configurations. */
1487
1488real_uid = getuid();
1489real_gid = getgid();
1490
1491if (real_uid == root_uid)
1492 {
1493 setgid(real_gid);
1494 setuid(real_uid);
1495 }
1496
1497/* If neither the original real uid nor the original euid was root, Exim is
1498running in an unprivileged state. */
1499
1500unprivileged = (real_uid != root_uid && original_euid != root_uid);
1501
059ec3d9
PH
1502/* Scan the program's arguments. Some can be dealt with right away; others are
1503simply recorded for checking and handling afterwards. Do a high-level switch
1504on the second character (the one after '-'), to save some effort. */
1505
1506for (i = 1; i < argc; i++)
1507 {
1508 BOOL badarg = FALSE;
1509 uschar *arg = argv[i];
1510 uschar *argrest;
1511 int switchchar;
1512
1513 /* An argument not starting with '-' is the start of a recipients list;
1514 break out of the options-scanning loop. */
1515
1516 if (arg[0] != '-')
1517 {
1518 recipients_arg = i;
1519 break;
1520 }
1521
1522 /* An option consistion of -- terminates the options */
1523
1524 if (Ustrcmp(arg, "--") == 0)
1525 {
1526 recipients_arg = i + 1;
1527 break;
1528 }
1529
1530 /* Handle flagged options */
1531
1532 switchchar = arg[1];
1533 argrest = arg+2;
1534
1535 /* Make all -ex options synonymous with -oex arguments, since that
1536 is assumed by various callers. Also make -qR options synonymous with -R
1537 options, as that seems to be required as well. Allow for -qqR too, and
1538 the same for -S options. */
1539
1540 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1541 Ustrncmp(arg+1, "qR", 2) == 0 ||
1542 Ustrncmp(arg+1, "qS", 2) == 0)
1543 {
1544 switchchar = arg[2];
1545 argrest++;
1546 }
1547 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1548 {
1549 switchchar = arg[3];
1550 argrest += 2;
1551 queue_2stage = TRUE;
1552 }
1553
1554 /* Make -r synonymous with -f, since it is a documented alias */
1555
1556 else if (arg[1] == 'r') switchchar = 'f';
1557
1558 /* Make -ov synonymous with -v */
1559
1560 else if (Ustrcmp(arg, "-ov") == 0)
1561 {
1562 switchchar = 'v';
1563 argrest++;
1564 }
1565
4b2241d2
PP
1566 /* deal with --option_aliases */
1567 else if (switchchar == '-')
1568 {
1569 if (Ustrcmp(argrest, "help") == 0)
1570 {
1571 usage_wanted = TRUE;
1572 break;
1573 }
1574 else if (Ustrcmp(argrest, "version") == 0)
1575 {
1576 switchchar = 'b';
73a46702 1577 argrest = US"V";
4b2241d2
PP
1578 }
1579 }
1580
059ec3d9
PH
1581 /* High-level switch on active initial letter */
1582
1583 switch(switchchar)
1584 {
1585 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1586 so has no need of it. */
1587
1588 case 'B':
1589 if (*argrest == 0) i++; /* Skip over the type */
1590 break;
1591
1592
1593 case 'b':
1594 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1595
1596 /* -bd: Run in daemon mode, awaiting SMTP connections.
1597 -bdf: Ditto, but in the foreground.
1598 */
1599
1600 if (*argrest == 'd')
1601 {
1602 daemon_listen = TRUE;
1603 if (*(++argrest) == 'f') background_daemon = FALSE;
1604 else if (*argrest != 0) { badarg = TRUE; break; }
1605 }
1606
328895cc
PH
1607 /* -be: Run in expansion test mode
1608 -bem: Ditto, but read a message from a file first
1609 */
059ec3d9
PH
1610
1611 else if (*argrest == 'e')
328895cc 1612 {
059ec3d9 1613 expansion_test = checking = TRUE;
328895cc
PH
1614 if (argrest[1] == 'm')
1615 {
1616 if (++i >= argc) { badarg = TRUE; break; }
1617 expansion_test_message = argv[i];
1618 argrest++;
1619 }
1620 if (argrest[1] != 0) { badarg = TRUE; break; }
1621 }
059ec3d9 1622
f05da2e8
PH
1623 /* -bF: Run system filter test */
1624
1625 else if (*argrest == 'F')
1626 {
1627 filter_test |= FTEST_SYSTEM;
1628 if (*(++argrest) != 0) { badarg = TRUE; break; }
1629 if (++i < argc) filter_test_sfile = argv[i]; else
1630 {
1631 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1632 exit(EXIT_FAILURE);
1633 }
1634 }
1635
1636 /* -bf: Run user filter test
059ec3d9
PH
1637 -bfd: Set domain for filter testing
1638 -bfl: Set local part for filter testing
1639 -bfp: Set prefix for filter testing
1640 -bfs: Set suffix for filter testing
1641 */
1642
f05da2e8 1643 else if (*argrest == 'f')
059ec3d9 1644 {
f05da2e8 1645 if (*(++argrest) == 0)
059ec3d9 1646 {
f05da2e8
PH
1647 filter_test |= FTEST_USER;
1648 if (++i < argc) filter_test_ufile = argv[i]; else
059ec3d9
PH
1649 {
1650 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1651 exit(EXIT_FAILURE);
1652 }
1653 }
1654 else
1655 {
1656 if (++i >= argc)
1657 {
1658 fprintf(stderr, "exim: string expected after %s\n", arg);
1659 exit(EXIT_FAILURE);
1660 }
1661 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1662 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1663 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1664 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1665 else { badarg = TRUE; break; }
1666 }
1667 }
1668
1669 /* -bh: Host checking - an IP address must follow. */
1670
1671 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1672 {
1673 if (++i >= argc) { badarg = TRUE; break; }
1674 sender_host_address = argv[i];
1675 host_checking = checking = log_testing_mode = TRUE;
1676 host_checking_callout = argrest[1] == 'c';
1677 }
1678
1679 /* -bi: This option is used by sendmail to initialize *the* alias file,
1680 though it has the -oA option to specify a different file. Exim has no
1681 concept of *the* alias file, but since Sun's YP make script calls
1682 sendmail this way, some support must be provided. */
1683
1684 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1685
1686 /* -bm: Accept and deliver message - the default option. Reinstate
1687 receiving_message, which got turned off for all -b options. */
1688
1689 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
1690
8544e77a
PP
1691 /* -bmalware: test the filename given for malware */
1692
1693 else if (Ustrcmp(argrest, "malware") == 0)
1694 {
1695 if (++i >= argc) { badarg = TRUE; break; }
1696 malware_test_file = argv[i];
1697 }
1698
059ec3d9
PH
1699 /* -bnq: For locally originating messages, do not qualify unqualified
1700 addresses. In the envelope, this causes errors; in header lines they
1701 just get left. */
1702
1703 else if (Ustrcmp(argrest, "nq") == 0)
1704 {
1705 allow_unqualified_sender = FALSE;
1706 allow_unqualified_recipient = FALSE;
1707 }
1708
1709 /* -bpxx: List the contents of the mail queue, in various forms. If
1710 the option is -bpc, just a queue count is needed. Otherwise, if the
1711 first letter after p is r, then order is random. */
1712
1713 else if (*argrest == 'p')
1714 {
1715 if (*(++argrest) == 'c')
1716 {
1717 count_queue = TRUE;
1718 if (*(++argrest) != 0) badarg = TRUE;
1719 break;
1720 }
1721
1722 if (*argrest == 'r')
1723 {
1724 list_queue_option = 8;
1725 argrest++;
1726 }
1727 else list_queue_option = 0;
1728
1729 list_queue = TRUE;
1730
1731 /* -bp: List the contents of the mail queue, top-level only */
1732
1733 if (*argrest == 0) {}
1734
1735 /* -bpu: List the contents of the mail queue, top-level undelivered */
1736
1737 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
1738
1739 /* -bpa: List the contents of the mail queue, including all delivered */
1740
1741 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
1742
1743 /* Unknown after -bp[r] */
1744
1745 else
1746 {
1747 badarg = TRUE;
1748 break;
1749 }
1750 }
1751
1752
1753 /* -bP: List the configuration variables given as the address list.
1754 Force -v, so configuration errors get displayed. */
1755
1756 else if (Ustrcmp(argrest, "P") == 0)
1757 {
1758 list_options = TRUE;
1759 debug_selector |= D_v;
1760 debug_file = stderr;
1761 }
1762
1763 /* -brt: Test retry configuration lookup */
1764
1765 else if (Ustrcmp(argrest, "rt") == 0)
1766 {
1767 test_retry_arg = i + 1;
1768 goto END_ARG;
1769 }
1770
1771 /* -brw: Test rewrite configuration */
1772
1773 else if (Ustrcmp(argrest, "rw") == 0)
1774 {
1775 test_rewrite_arg = i + 1;
1776 goto END_ARG;
1777 }
1778
1779 /* -bS: Read SMTP commands on standard input, but produce no replies -
1780 all errors are reported by sending messages. */
1781
1782 else if (Ustrcmp(argrest, "S") == 0)
1783 smtp_input = smtp_batched_input = receiving_message = TRUE;
1784
1785 /* -bs: Read SMTP commands on standard input and produce SMTP replies
1786 on standard output. */
1787
1788 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
1789
1790 /* -bt: address testing mode */
1791
1792 else if (Ustrcmp(argrest, "t") == 0)
1793 address_test_mode = checking = log_testing_mode = TRUE;
1794
1795 /* -bv: verify addresses */
1796
1797 else if (Ustrcmp(argrest, "v") == 0)
1798 verify_address_mode = checking = log_testing_mode = TRUE;
1799
1800 /* -bvs: verify sender addresses */
1801
1802 else if (Ustrcmp(argrest, "vs") == 0)
1803 {
1804 verify_address_mode = checking = log_testing_mode = TRUE;
1805 verify_as_sender = TRUE;
1806 }
1807
1808 /* -bV: Print version string and support details */
1809
1810 else if (Ustrcmp(argrest, "V") == 0)
1811 {
1812 printf("Exim version %s #%s built %s\n", version_string,
1813 version_cnumber, version_date);
1814 printf("%s\n", CS version_copyright);
1815 version_printed = TRUE;
1816 show_whats_supported(stdout);
1817 }
1818
1819 else badarg = TRUE;
1820 break;
1821
1822
1823 /* -C: change configuration file list; ignore if it isn't really
1824 a change! Enforce a prefix check if required. */
1825
1826 case 'C':
1827 if (*argrest == 0)
1828 {
1829 if(++i < argc) argrest = argv[i]; else
1830 { badarg = TRUE; break; }
1831 }
1832 if (Ustrcmp(config_main_filelist, argrest) != 0)
1833 {
1834 #ifdef ALT_CONFIG_PREFIX
1835 int sep = 0;
1836 int len = Ustrlen(ALT_CONFIG_PREFIX);
1837 uschar *list = argrest;
1838 uschar *filename;
1839 while((filename = string_nextinlist(&list, &sep, big_buffer,
1840 big_buffer_size)) != NULL)
1841 {
1842 if ((Ustrlen(filename) < len ||
1843 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
1844 Ustrstr(filename, "/../") != NULL) &&
1845 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
1846 {
1847 fprintf(stderr, "-C Permission denied\n");
1848 exit(EXIT_FAILURE);
1849 }
1850 }
1851 #endif
261dc43e
DW
1852 if (real_uid != root_uid)
1853 {
1854 #ifdef TRUSTED_CONFIG_PREFIX_LIST
1855
1856 if (Ustrstr(argrest, "/../"))
1857 trusted_config = FALSE;
1858 else
1859 {
1860 FILE *trust_list = Ufopen(TRUSTED_CONFIG_PREFIX_LIST, "rb");
1861 if (trust_list)
1862 {
1863 struct stat statbuf;
1864
1865 if (fstat(fileno(trust_list), &statbuf) != 0 ||
1866 (statbuf.st_uid != root_uid /* owner not root */
1867 #ifdef CONFIGURE_OWNER
1868 && statbuf.st_uid != config_uid /* owner not the special one */
1869 #endif
1870 ) || /* or */
1871 (statbuf.st_gid != root_gid /* group not root */
1872 #ifdef CONFIGURE_GROUP
1873 && statbuf.st_gid != config_gid /* group not the special one */
1874 #endif
1875 && (statbuf.st_mode & 020) != 0 /* group writeable */
1876 ) || /* or */
1877 (statbuf.st_mode & 2) != 0) /* world writeable */
1878 {
1879 trusted_config = FALSE;
1880 fclose(trust_list);
1881 }
1882 else
1883 {
1884 /* Well, the trust list at least is up to scratch... */
1885 void *reset_point = store_get(0);
1886 uschar *trusted_prefixes[32];
1887 int nr_prefixes = 0;
1888 int i = 0;
1889
1890 while (Ufgets(big_buffer, big_buffer_size, trust_list))
1891 {
1892 uschar *start = big_buffer, *nl;
1893 while (*start && isspace(*start))
1894 start++;
1e83d68b 1895 if (*start != '/')
261dc43e
DW
1896 continue;
1897 nl = Ustrchr(start, '\n');
1898 if (nl)
1899 *nl = 0;
1900 trusted_prefixes[nr_prefixes++] = string_copy(start);
1901 if (nr_prefixes == 32)
1902 break;
1903 }
1904 fclose(trust_list);
1905
1906 if (nr_prefixes)
1907 {
1908 int sep = 0;
1909 uschar *list = argrest;
1910 uschar *filename;
1911 while (trusted_config && (filename = string_nextinlist(&list,
1912 &sep, big_buffer, big_buffer_size)) != NULL)
1913 {
1914 for (i=0; i < nr_prefixes; i++)
1915 {
1916 int len = Ustrlen(trusted_prefixes[i]);
1917 if (Ustrlen(filename) >= len &&
1918 Ustrncmp(filename, trusted_prefixes[i], len) == 0)
1919 break;
1920 }
1921 if (i == nr_prefixes)
1922 {
1923 trusted_config = FALSE;
1924 break;
1925 }
1926 }
1e83d68b 1927 store_reset(reset_point);
261dc43e
DW
1928 }
1929 else
1930 {
1931 /* No valid prefixes found in trust_list file. */
1932 trusted_config = FALSE;
1933 }
1934 }
1935 }
1936 else
1937 {
1938 /* Could not open trust_list file. */
1939 trusted_config = FALSE;
1940 }
1941 }
1942 #else
1943 /* Not root; don't trust config */
1944 trusted_config = FALSE;
1945 #endif
1946 }
059ec3d9
PH
1947
1948 config_main_filelist = argrest;
1949 config_changed = TRUE;
1950 }
1951 break;
1952
1953
1954 /* -D: set up a macro definition */
1955
1956 case 'D':
1957 #ifdef DISABLE_D_OPTION
1958 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
1959 exit(EXIT_FAILURE);
1960 #else
1961 {
1962 int ptr = 0;
1963 macro_item *mlast = NULL;
1964 macro_item *m;
1965 uschar name[24];
1966 uschar *s = argrest;
1967
1968 while (isspace(*s)) s++;
1969
1970 if (*s < 'A' || *s > 'Z')
1971 {
1972 fprintf(stderr, "exim: macro name set by -D must start with "
1973 "an upper case letter\n");
1974 exit(EXIT_FAILURE);
1975 }
1976
1977 while (isalnum(*s) || *s == '_')
1978 {
1979 if (ptr < sizeof(name)-1) name[ptr++] = *s;
1980 s++;
1981 }
1982 name[ptr] = 0;
1983 if (ptr == 0) { badarg = TRUE; break; }
1984 while (isspace(*s)) s++;
1985 if (*s != 0)
1986 {
1987 if (*s++ != '=') { badarg = TRUE; break; }
1988 while (isspace(*s)) s++;
1989 }
1990
1991 for (m = macros; m != NULL; m = m->next)
1992 {
1993 if (Ustrcmp(m->name, name) == 0)
1994 {
1995 fprintf(stderr, "exim: duplicated -D in command line\n");
1996 exit(EXIT_FAILURE);
1997 }
1998 mlast = m;
1999 }
2000
2001 m = store_get(sizeof(macro_item) + Ustrlen(name));
2002 m->next = NULL;
2003 m->command_line = TRUE;
2004 if (mlast == NULL) macros = m; else mlast->next = m;
2005 Ustrcpy(m->name, name);
2006 m->replacement = string_copy(s);
2007
2008 if (clmacro_count >= MAX_CLMACROS)
2009 {
2010 fprintf(stderr, "exim: too many -D options on command line\n");
2011 exit(EXIT_FAILURE);
2012 }
2013 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2014 m->replacement);
2015 }
2016 #endif
2017 break;
2018
2019 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2020 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2021 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2022
2023 case 'd':
2024 if (Ustrcmp(argrest, "ropcr") == 0)
2025 {
2026 /* drop_cr = TRUE; */
2027 }
2028
2029 /* Use an intermediate variable so that we don't set debugging while
2030 decoding the debugging bits. */
2031
2032 else
2033 {
2034 unsigned int selector = D_default;
2035 debug_selector = 0;
2036 debug_file = NULL;
3d235903
PH
2037 if (*argrest == 'd')
2038 {
2039 debug_daemon = TRUE;
2040 argrest++;
2041 }
059ec3d9 2042 if (*argrest != 0)
1fe64dcc 2043 decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
ed7f7860 2044 debug_options_count, US"debug", 0);
059ec3d9
PH
2045 debug_selector = selector;
2046 }
2047 break;
2048
2049
2050 /* -E: This is a local error message. This option is not intended for
2051 external use at all, but is not restricted to trusted callers because it
2052 does no harm (just suppresses certain error messages) and if Exim is run
2053 not setuid root it won't always be trusted when it generates error
2054 messages using this option. If there is a message id following -E, point
2055 message_reference at it, for logging. */
2056
2057 case 'E':
2058 local_error_message = TRUE;
2059 if (mac_ismsgid(argrest)) message_reference = argrest;
2060 break;
2061
2062
2063 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2064 option, so it looks as if historically the -oex options are also callable
2065 without the leading -o. So we have to accept them. Before the switch,
2066 anything starting -oe has been converted to -e. Exim does not support all
2067 of the sendmail error options. */
2068
2069 case 'e':
2070 if (Ustrcmp(argrest, "e") == 0)
2071 {
2072 arg_error_handling = ERRORS_SENDER;
2073 errors_sender_rc = EXIT_SUCCESS;
2074 }
2075 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2076 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2077 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2078 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2079 else badarg = TRUE;
2080 break;
2081
2082
2083 /* -F: Set sender's full name, used instead of the gecos entry from
2084 the password file. Since users can usually alter their gecos entries,
2085 there's no security involved in using this instead. The data can follow
2086 the -F or be in the next argument. */
2087
2088 case 'F':
2089 if (*argrest == 0)
2090 {
2091 if(++i < argc) argrest = argv[i]; else
2092 { badarg = TRUE; break; }
2093 }
2094 originator_name = argrest;
2fe1a124 2095 sender_name_forced = TRUE;
059ec3d9
PH
2096 break;
2097
2098
2099 /* -f: Set sender's address - this value is only actually used if Exim is
2100 run by a trusted user, or if untrusted_set_sender is set and matches the
2101 address, except that the null address can always be set by any user. The
2102 test for this happens later, when the value given here is ignored when not
2103 permitted. For an untrusted user, the actual sender is still put in Sender:
2104 if it doesn't match the From: header (unless no_local_from_check is set).
2105 The data can follow the -f or be in the next argument. The -r switch is an
2106 obsolete form of -f but since there appear to be programs out there that
2107 use anything that sendmail has ever supported, better accept it - the
2108 synonymizing is done before the switch above.
2109
2110 At this stage, we must allow domain literal addresses, because we don't
2111 know what the setting of allow_domain_literals is yet. Ditto for trailing
2112 dots and strip_trailing_dot. */
2113
2114 case 'f':
2115 {
2116 int start, end;
2117 uschar *errmess;
2118 if (*argrest == 0)
2119 {
2120 if (i+1 < argc) argrest = argv[++i]; else
2121 { badarg = TRUE; break; }
2122 }
2123 if (*argrest == 0)
2124 {
2125 sender_address = string_sprintf(""); /* Ensure writeable memory */
2126 }
2127 else
2128 {
2129 uschar *temp = argrest + Ustrlen(argrest) - 1;
2130 while (temp >= argrest && isspace(*temp)) temp--;
2131 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2132 allow_domain_literals = TRUE;
2133 strip_trailing_dot = TRUE;
2134 sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2135 &sender_address_domain, TRUE);
2136 allow_domain_literals = FALSE;
2137 strip_trailing_dot = FALSE;
2138 if (sender_address == NULL)
2139 {
2140 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2141 return EXIT_FAILURE;
2142 }
2143 }
2144 sender_address_forced = TRUE;
2145 }
2146 break;
2147
2148 /* This is some Sendmail thing which can be ignored */
2149
2150 case 'G':
2151 break;
2152
2153 /* -h: Set the hop count for an incoming message. Exim does not currently
2154 support this; it always computes it by counting the Received: headers.
2155 To put it in will require a change to the spool header file format. */
2156
2157 case 'h':
2158 if (*argrest == 0)
2159 {
2160 if(++i < argc) argrest = argv[i]; else
2161 { badarg = TRUE; break; }
2162 }
2163 if (!isdigit(*argrest)) badarg = TRUE;
2164 break;
2165
2166
2167 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2168 not to be documented for sendmail but mailx (at least) uses it) */
2169
2170 case 'i':
2171 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2172 break;
2173
2174
2175 case 'M':
2176 receiving_message = FALSE;
2177
2178 /* -MC: continue delivery of another message via an existing open
2179 file descriptor. This option is used for an internal call by the
2180 smtp transport when there is a pending message waiting to go to an
2181 address to which it has got a connection. Five subsequent arguments are
2182 required: transport name, host name, IP address, sequence number, and
2183 message_id. Transports may decline to create new processes if the sequence
2184 number gets too big. The channel is stdin. This (-MC) must be the last
2185 argument. There's a subsequent check that the real-uid is privileged.
2186
2187 If we are running in the test harness. delay for a bit, to let the process
2188 that set this one up complete. This makes for repeatability of the logging,
2189 etc. output. */
2190
2191 if (Ustrcmp(argrest, "C") == 0)
2192 {
41c7c167
PH
2193 union sockaddr_46 interface_sock;
2194 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2195
059ec3d9
PH
2196 if (argc != i + 6)
2197 {
2198 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2199 return EXIT_FAILURE;
2200 }
2201
2202 if (msg_action_arg >= 0)
2203 {
2204 fprintf(stderr, "exim: incompatible arguments\n");
2205 return EXIT_FAILURE;
2206 }
2207
2208 continue_transport = argv[++i];
2209 continue_hostname = argv[++i];
2210 continue_host_address = argv[++i];
2211 continue_sequence = Uatoi(argv[++i]);
2212 msg_action = MSG_DELIVER;
2213 msg_action_arg = ++i;
2214 forced_delivery = TRUE;
2215 queue_run_pid = passed_qr_pid;
2216 queue_run_pipe = passed_qr_pipe;
2217
2218 if (!mac_ismsgid(argv[i]))
2219 {
2220 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2221 argv[i]);
2222 return EXIT_FAILURE;
2223 }
2224
41c7c167
PH
2225 /* Set up $sending_ip_address and $sending_port */
2226
2227 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2228 &size) == 0)
2229 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2230 &sending_port);
2231 else
2232 {
2233 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2234 strerror(errno));
2235 return EXIT_FAILURE;
2236 }
2237
059ec3d9
PH
2238 if (running_in_test_harness) millisleep(500);
2239 break;
2240 }
2241
2242 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2243 precedes -MC (see above). The flag indicates that the host to which
2244 Exim is connected has accepted an AUTH sequence. */
2245
2246 else if (Ustrcmp(argrest, "CA") == 0)
2247 {
2248 smtp_authenticated = TRUE;
2249 break;
2250 }
2251
2252 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2253 it preceded -MC (see above) */
2254
2255 else if (Ustrcmp(argrest, "CP") == 0)
2256 {
2257 smtp_use_pipelining = TRUE;
2258 break;
2259 }
2260
2261 /* -MCQ: pass on the pid of the queue-running process that started
2262 this chain of deliveries and the fd of its synchronizing pipe; this
2263 is useful only when it precedes -MC (see above) */
2264
2265 else if (Ustrcmp(argrest, "CQ") == 0)
2266 {
2267 if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2268 else badarg = TRUE;
2269 if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2270 else badarg = TRUE;
2271 break;
2272 }
2273
2274 /* -MCS: set the smtp_use_size flag; this is useful only when it
2275 precedes -MC (see above) */
2276
2277 else if (Ustrcmp(argrest, "CS") == 0)
2278 {
2279 smtp_use_size = TRUE;
2280 break;
2281 }
2282
2283 /* -MCT: set the tls_offered flag; this is useful only when it
2284 precedes -MC (see above). The flag indicates that the host to which
2285 Exim is connected has offered TLS support. */
2286
2287 #ifdef SUPPORT_TLS
2288 else if (Ustrcmp(argrest, "CT") == 0)
2289 {
2290 tls_offered = TRUE;
2291 break;
2292 }
2293 #endif
2294
2295 /* -M[x]: various operations on the following list of message ids:
2296 -M deliver the messages, ignoring next retry times and thawing
2297 -Mc deliver the messages, checking next retry times, no thawing
2298 -Mf freeze the messages
2299 -Mg give up on the messages
2300 -Mt thaw the messages
2301 -Mrm remove the messages
2302 In the above cases, this must be the last option. There are also the
2303 following options which are followed by a single message id, and which
2304 act on that message. Some of them use the "recipient" addresses as well.
2305 -Mar add recipient(s)
2306 -Mmad mark all recipients delivered
2307 -Mmd mark recipients(s) delivered
2308 -Mes edit sender
0ef732d9 2309 -Mset load a message for use with -be
059ec3d9 2310 -Mvb show body
a96603a0 2311 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2312 -Mvh show header
2313 -Mvl show log
2314 */
2315
2316 else if (*argrest == 0)
2317 {
2318 msg_action = MSG_DELIVER;
2319 forced_delivery = deliver_force_thaw = TRUE;
2320 }
2321 else if (Ustrcmp(argrest, "ar") == 0)
2322 {
2323 msg_action = MSG_ADD_RECIPIENT;
2324 one_msg_action = TRUE;
2325 }
2326 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2327 else if (Ustrcmp(argrest, "es") == 0)
2328 {
2329 msg_action = MSG_EDIT_SENDER;
2330 one_msg_action = TRUE;
2331 }
2332 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2333 else if (Ustrcmp(argrest, "g") == 0)
2334 {
2335 msg_action = MSG_DELIVER;
2336 deliver_give_up = TRUE;
2337 }
2338 else if (Ustrcmp(argrest, "mad") == 0)
2339 {
2340 msg_action = MSG_MARK_ALL_DELIVERED;
2341 }
2342 else if (Ustrcmp(argrest, "md") == 0)
2343 {
2344 msg_action = MSG_MARK_DELIVERED;
2345 one_msg_action = TRUE;
2346 }
2347 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2348 else if (Ustrcmp(argrest, "set") == 0)
2349 {
2350 msg_action = MSG_LOAD;
2351 one_msg_action = TRUE;
2352 }
059ec3d9
PH
2353 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2354 else if (Ustrcmp(argrest, "vb") == 0)
2355 {
2356 msg_action = MSG_SHOW_BODY;
2357 one_msg_action = TRUE;
2358 }
a96603a0
PH
2359 else if (Ustrcmp(argrest, "vc") == 0)
2360 {
2361 msg_action = MSG_SHOW_COPY;
2362 one_msg_action = TRUE;
2363 }
059ec3d9
PH
2364 else if (Ustrcmp(argrest, "vh") == 0)
2365 {
2366 msg_action = MSG_SHOW_HEADER;
2367 one_msg_action = TRUE;
2368 }
2369 else if (Ustrcmp(argrest, "vl") == 0)
2370 {
2371 msg_action = MSG_SHOW_LOG;
2372 one_msg_action = TRUE;
2373 }
2374 else { badarg = TRUE; break; }
2375
2376 /* All the -Mxx options require at least one message id. */
2377
2378 msg_action_arg = i + 1;
2379 if (msg_action_arg >= argc)
2380 {
2381 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2382 return EXIT_FAILURE;
2383 }
2384
2385 /* Some require only message ids to follow */
2386
2387 if (!one_msg_action)
2388 {
2389 int j;
2390 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2391 {
2392 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2393 argv[j], arg);
2394 return EXIT_FAILURE;
2395 }
2396 goto END_ARG; /* Remaining args are ids */
2397 }
2398
2399 /* Others require only one message id, possibly followed by addresses,
2400 which will be handled as normal arguments. */
2401
2402 else
2403 {
2404 if (!mac_ismsgid(argv[msg_action_arg]))
2405 {
2406 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2407 argv[msg_action_arg], arg);
2408 return EXIT_FAILURE;
2409 }
2410 i++;
2411 }
2412 break;
2413
2414
2415 /* Some programs seem to call the -om option without the leading o;
2416 for sendmail it askes for "me too". Exim always does this. */
2417
2418 case 'm':
2419 if (*argrest != 0) badarg = TRUE;
2420 break;
2421
2422
2423 /* -N: don't do delivery - a debugging option that stops transports doing
2424 their thing. It implies debugging at the D_v level. */
2425
2426 case 'N':
2427 if (*argrest == 0)
2428 {
2429 dont_deliver = TRUE;
2430 debug_selector |= D_v;
2431 debug_file = stderr;
2432 }
2433 else badarg = TRUE;
2434 break;
2435
2436
2437 /* -n: This means "don't alias" in sendmail, apparently. Just ignore
2438 it. */
2439
2440 case 'n':
2441 break;
2442
2443 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2444 option to the specified value. This form uses long names. We need to handle
2445 -O option=value and -Ooption=value. */
2446
2447 case 'O':
2448 if (*argrest == 0)
2449 {
2450 if (++i >= argc)
2451 {
2452 fprintf(stderr, "exim: string expected after -O\n");
2453 exit(EXIT_FAILURE);
2454 }
2455 }
2456 break;
2457
2458 case 'o':
2459
2460 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2461 file" option). */
2462
2463 if (*argrest == 'A')
2464 {
2465 alias_arg = argrest + 1;
2466 if (alias_arg[0] == 0)
2467 {
2468 if (i+1 < argc) alias_arg = argv[++i]; else
2469 {
2470 fprintf(stderr, "exim: string expected after -oA\n");
2471 exit(EXIT_FAILURE);
2472 }
2473 }
2474 }
2475
2476 /* -oB: Set a connection message max value for remote deliveries */
2477
2478 else if (*argrest == 'B')
2479 {
2480 uschar *p = argrest + 1;
2481 if (p[0] == 0)
2482 {
2483 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2484 {
2485 connection_max_messages = 1;
2486 p = NULL;
2487 }
2488 }
2489
2490 if (p != NULL)
2491 {
2492 if (!isdigit(*p))
2493 {
2494 fprintf(stderr, "exim: number expected after -oB\n");
2495 exit(EXIT_FAILURE);
2496 }
2497 connection_max_messages = Uatoi(p);
2498 }
2499 }
2500
2501 /* -odb: background delivery */
2502
2503 else if (Ustrcmp(argrest, "db") == 0)
2504 {
2505 synchronous_delivery = FALSE;
2506 arg_queue_only = FALSE;
2507 queue_only_set = TRUE;
2508 }
2509
2510 /* -odf: foreground delivery (smail-compatible option); same effect as
2511 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2512 */
2513
2514 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2515 {
2516 synchronous_delivery = TRUE;
2517 arg_queue_only = FALSE;
2518 queue_only_set = TRUE;
2519 }
2520
2521 /* -odq: queue only */
2522
2523 else if (Ustrcmp(argrest, "dq") == 0)
2524 {
2525 synchronous_delivery = FALSE;
2526 arg_queue_only = TRUE;
2527 queue_only_set = TRUE;
2528 }
2529
2530 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2531 but no remote delivery */
2532
2533 else if (Ustrcmp(argrest, "dqs") == 0)
2534 {
2535 queue_smtp = TRUE;
2536 arg_queue_only = FALSE;
2537 queue_only_set = TRUE;
2538 }
2539
2540 /* -oex: Sendmail error flags. As these are also accepted without the
2541 leading -o prefix, for compatibility with vacation and other callers,
2542 they are handled with -e above. */
2543
2544 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2545 -oitrue: Another sendmail syntax for the same */
2546
2547 else if (Ustrcmp(argrest, "i") == 0 ||
2548 Ustrcmp(argrest, "itrue") == 0)
2549 dot_ends = FALSE;
2550
2551 /* -oM*: Set various characteristics for an incoming message; actually
2552 acted on for trusted callers only. */
2553
2554 else if (*argrest == 'M')
2555 {
2556 if (i+1 >= argc)
2557 {
2558 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2559 exit(EXIT_FAILURE);
2560 }
2561
2562 /* -oMa: Set sender host address */
2563
2564 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2565
2566 /* -oMaa: Set authenticator name */
2567
2568 else if (Ustrcmp(argrest, "Maa") == 0)
2569 sender_host_authenticated = argv[++i];
2570
2571 /* -oMas: setting authenticated sender */
2572
2573 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2574
2575 /* -oMai: setting authenticated id */
2576
2577 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2578
2579 /* -oMi: Set incoming interface address */
2580
2581 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2582
2583 /* -oMr: Received protocol */
2584
2585 else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2586
2587 /* -oMs: Set sender host name */
2588
2589 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2590
2591 /* -oMt: Set sender ident */
2592
33d73e3b
PH
2593 else if (Ustrcmp(argrest, "Mt") == 0)
2594 {
2595 sender_ident_set = TRUE;
2596 sender_ident = argv[++i];
2597 }
059ec3d9
PH
2598
2599 /* Else a bad argument */
2600
2601 else
2602 {
2603 badarg = TRUE;
2604 break;
2605 }
2606 }
2607
2608 /* -om: Me-too flag for aliases. Exim always does this. Some programs
2609 seem to call this as -m (undocumented), so that is also accepted (see
2610 above). */
2611
2612 else if (Ustrcmp(argrest, "m") == 0) {}
2613
2614 /* -oo: An ancient flag for old-style addresses which still seems to
2615 crop up in some calls (see in SCO). */
2616
2617 else if (Ustrcmp(argrest, "o") == 0) {}
2618
2619 /* -oP <name>: set pid file path for daemon */
2620
2621 else if (Ustrcmp(argrest, "P") == 0)
2622 override_pid_file_path = argv[++i];
2623
2624 /* -or <n>: set timeout for non-SMTP acceptance
2625 -os <n>: set timeout for SMTP acceptance */
2626
2627 else if (*argrest == 'r' || *argrest == 's')
2628 {
2629 int *tp = (*argrest == 'r')?
2630 &arg_receive_timeout : &arg_smtp_receive_timeout;
2631 if (argrest[1] == 0)
2632 {
2633 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2634 }
2635 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2636 if (*tp < 0)
2637 {
2638 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2639 exit(EXIT_FAILURE);
2640 }
2641 }
2642
2643 /* -oX <list>: Override local_interfaces and/or default daemon ports */
2644
2645 else if (Ustrcmp(argrest, "X") == 0)
2646 override_local_interfaces = argv[++i];
2647
2648 /* Unknown -o argument */
2649
2650 else badarg = TRUE;
2651 break;
2652
2653
2654 /* -ps: force Perl startup; -pd force delayed Perl startup */
2655
2656 case 'p':
2657 #ifdef EXIM_PERL
2658 if (*argrest == 's' && argrest[1] == 0)
2659 {
2660 perl_start_option = 1;
2661 break;
2662 }
2663 if (*argrest == 'd' && argrest[1] == 0)
2664 {
2665 perl_start_option = -1;
2666 break;
2667 }
2668 #endif
2669
2670 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
2671 which sets the host protocol and host name */
2672
2673 if (*argrest == 0)
2674 {
2675 if (i+1 < argc) argrest = argv[++i]; else
2676 { badarg = TRUE; break; }
2677 }
2678
2679 if (*argrest != 0)
2680 {
2681 uschar *hn = Ustrchr(argrest, ':');
2682 if (hn == NULL)
2683 {
2684 received_protocol = argrest;
2685 }
2686 else
2687 {
2688 received_protocol = string_copyn(argrest, hn - argrest);
2689 sender_host_name = hn + 1;
2690 }
2691 }
2692 break;
2693
2694
2695 case 'q':
2696 receiving_message = FALSE;
3cc66b45
PH
2697 if (queue_interval >= 0)
2698 {
2699 fprintf(stderr, "exim: -q specified more than once\n");
2700 exit(EXIT_FAILURE);
2701 }
059ec3d9
PH
2702
2703 /* -qq...: Do queue runs in a 2-stage manner */
2704
2705 if (*argrest == 'q')
2706 {
2707 queue_2stage = TRUE;
2708 argrest++;
2709 }
2710
2711 /* -qi...: Do only first (initial) deliveries */
2712
2713 if (*argrest == 'i')
2714 {
2715 queue_run_first_delivery = TRUE;
2716 argrest++;
2717 }
2718
2719 /* -qf...: Run the queue, forcing deliveries
2720 -qff..: Ditto, forcing thawing as well */
2721
2722 if (*argrest == 'f')
2723 {
2724 queue_run_force = TRUE;
2725 if (*(++argrest) == 'f')
2726 {
2727 deliver_force_thaw = TRUE;
2728 argrest++;
2729 }
2730 }
2731
2732 /* -q[f][f]l...: Run the queue only on local deliveries */
2733
2734 if (*argrest == 'l')
2735 {
2736 queue_run_local = TRUE;
2737 argrest++;
2738 }
2739
2740 /* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
2741 optionally starting from a given message id. */
2742
2743 if (*argrest == 0 &&
2744 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
2745 {
2746 queue_interval = 0;
2747 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2748 start_queue_run_id = argv[++i];
2749 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2750 stop_queue_run_id = argv[++i];
2751 }
2752
2753 /* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
2754 optionally local only. */
2755
2756 else
2757 {
2758 if (*argrest != 0)
2759 queue_interval = readconf_readtime(argrest, 0, FALSE);
2760 else
2761 queue_interval = readconf_readtime(argv[++i], 0, FALSE);
2762 if (queue_interval <= 0)
2763 {
2764 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2765 exit(EXIT_FAILURE);
2766 }
2767 }
2768 break;
2769
2770
2771 case 'R': /* Synonymous with -qR... */
2772 receiving_message = FALSE;
2773
2774 /* -Rf: As -R (below) but force all deliveries,
2775 -Rff: Ditto, but also thaw all frozen messages,
2776 -Rr: String is regex
2777 -Rrf: Regex and force
2778 -Rrff: Regex and force and thaw
2779
2780 in all cases provided there are no further characters in this
2781 argument. */
2782
2783 if (*argrest != 0)
2784 {
2785 int i;
2786 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
2787 {
2788 if (Ustrcmp(argrest, rsopts[i]) == 0)
2789 {
2790 if (i != 2) queue_run_force = TRUE;
2791 if (i >= 2) deliver_selectstring_regex = TRUE;
2792 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
2793 argrest += Ustrlen(rsopts[i]);
2794 }
2795 }
2796 }
2797
2798 /* -R: Set string to match in addresses for forced queue run to
2799 pick out particular messages. */
2800
2801 if (*argrest == 0)
2802 {
2803 if (i+1 < argc) deliver_selectstring = argv[++i]; else
2804 {
2805 fprintf(stderr, "exim: string expected after -R\n");
2806 exit(EXIT_FAILURE);
2807 }
2808 }
2809 else deliver_selectstring = argrest;
059ec3d9
PH
2810 break;
2811
2812
2813 /* -r: an obsolete synonym for -f (see above) */
2814
2815
2816 /* -S: Like -R but works on sender. */
2817
2818 case 'S': /* Synonymous with -qS... */
2819 receiving_message = FALSE;
2820
2821 /* -Sf: As -S (below) but force all deliveries,
2822 -Sff: Ditto, but also thaw all frozen messages,
2823 -Sr: String is regex
2824 -Srf: Regex and force
2825 -Srff: Regex and force and thaw
2826
2827 in all cases provided there are no further characters in this
2828 argument. */
2829
2830 if (*argrest != 0)
2831 {
2832 int i;
2833 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
2834 {
2835 if (Ustrcmp(argrest, rsopts[i]) == 0)
2836 {
2837 if (i != 2) queue_run_force = TRUE;
2838 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
2839 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
2840 argrest += Ustrlen(rsopts[i]);
2841 }
2842 }
2843 }
2844
2845 /* -S: Set string to match in addresses for forced queue run to
2846 pick out particular messages. */
2847
2848 if (*argrest == 0)
2849 {
2850 if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
2851 {
2852 fprintf(stderr, "exim: string expected after -S\n");
2853 exit(EXIT_FAILURE);
2854 }
2855 }
2856 else deliver_selectstring_sender = argrest;
059ec3d9
PH
2857 break;
2858
2859 /* -Tqt is an option that is exclusively for use by the testing suite.
2860 It is not recognized in other circumstances. It allows for the setting up
2861 of explicit "queue times" so that various warning/retry things can be
2862 tested. Otherwise variability of clock ticks etc. cause problems. */
2863
2864 case 'T':
2865 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
2866 fudged_queue_times = argv[++i];
2867 else badarg = TRUE;
2868 break;
2869
2870
2871 /* -t: Set flag to extract recipients from body of message. */
2872
2873 case 't':
2874 if (*argrest == 0) extract_recipients = TRUE;
2875
2876 /* -ti: Set flag to extract recipients from body of message, and also
2877 specify that dot does not end the message. */
2878
2879 else if (Ustrcmp(argrest, "i") == 0)
2880 {
2881 extract_recipients = TRUE;
2882 dot_ends = FALSE;
2883 }
2884
2885 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
2886
2887 #ifdef SUPPORT_TLS
2888 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
2889 #endif
2890
2891 else badarg = TRUE;
2892 break;
2893
2894
2895 /* -U: This means "initial user submission" in sendmail, apparently. The
2896 doc claims that in future sendmail may refuse syntactically invalid
2897 messages instead of fixing them. For the moment, we just ignore it. */
2898
2899 case 'U':
2900 break;
2901
2902
2903 /* -v: verify things - this is a very low-level debugging */
2904
2905 case 'v':
2906 if (*argrest == 0)
2907 {
2908 debug_selector |= D_v;
2909 debug_file = stderr;
2910 }
2911 else badarg = TRUE;
2912 break;
2913
2914
2915 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
2916
2917 The -x flag tells the sendmail command that mail from a local
2918 mail program has National Language Support (NLS) extended characters
2919 in the body of the mail item. The sendmail command can send mail with
2920 extended NLS characters across networks that normally corrupts these
2921 8-bit characters.
2922
2923 As Exim is 8-bit clean, it just ignores this flag. */
2924
2925 case 'x':
2926 if (*argrest != 0) badarg = TRUE;
2927 break;
2928
2929 /* All other initial characters are errors */
2930
2931 default:
2932 badarg = TRUE;
2933 break;
2934 } /* End of high-level switch statement */
2935
2936 /* Failed to recognize the option, or syntax error */
2937
2938 if (badarg)
2939 {
2940 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
2941 "option %s\n", arg);
2942 exit(EXIT_FAILURE);
2943 }
2944 }
2945
2946
3cc66b45
PH
2947/* If -R or -S have been specified without -q, assume a single queue run. */
2948
2949if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
2950 queue_interval < 0) queue_interval = 0;
2951
2952
059ec3d9 2953END_ARG:
81ea09ca
NM
2954/* If usage_wanted is set we call the usage function - which never returns */
2955if (usage_wanted) exim_usage(called_as);
2956
2957/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
2958if ((
2959 (smtp_input || extract_recipients || recipients_arg < argc) &&
2960 (daemon_listen || queue_interval >= 0 || bi_option ||
2961 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 2962 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
2963 ) ||
2964 (
2965 msg_action_arg > 0 &&
0ef732d9
PH
2966 (daemon_listen || queue_interval >= 0 || list_options ||
2967 (checking && msg_action != MSG_LOAD) ||
2968 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
2969 ) ||
2970 (
2971 (daemon_listen || queue_interval >= 0) &&
2972 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 2973 bi_option)
059ec3d9
PH
2974 ) ||
2975 (
2976 daemon_listen && queue_interval == 0
2977 ) ||
2978 (
2979 list_options &&
2980 (checking || smtp_input || extract_recipients ||
f05da2e8 2981 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
2982 ) ||
2983 (
2984 verify_address_mode &&
2985 (address_test_mode || smtp_input || extract_recipients ||
f05da2e8 2986 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
2987 ) ||
2988 (
2989 address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 2990 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
2991 ) ||
2992 (
f05da2e8 2993 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
2994 extract_recipients)
2995 ) ||
2996 (
2997 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
2998 ) ||
2999 (
3000 msg_action == MSG_LOAD &&
3001 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3002 )
3003 )
3004 {
3005 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3006 exit(EXIT_FAILURE);
3007 }
3008
3009/* If debugging is set up, set the file and the file descriptor to pass on to
3010child processes. It should, of course, be 2 for stderr. Also, force the daemon
3011to run in the foreground. */
3012
3013if (debug_selector != 0)
3014 {
3015 debug_file = stderr;
3016 debug_fd = fileno(debug_file);
3017 background_daemon = FALSE;
3018 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3019 if (debug_selector != D_v) /* -v only doesn't show this */
3020 {
3021 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3022 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3023 debug_selector);
3024 show_whats_supported(stderr);
3025 }
3026 }
3027
3028/* When started with root privilege, ensure that the limits on the number of
3029open files and the number of processes (where that is accessible) are
3030sufficiently large, or are unset, in case Exim has been called from an
3031environment where the limits are screwed down. Not all OS have the ability to
3032change some of these limits. */
3033
3034if (unprivileged)
3035 {
3036 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3037 }
3038else
3039 {
3040 struct rlimit rlp;
3041
3042 #ifdef RLIMIT_NOFILE
3043 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3044 {
3045 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3046 strerror(errno));
3047 rlp.rlim_cur = rlp.rlim_max = 0;
3048 }
eb2c0248
PH
3049
3050 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3051 be exceeded. It turns out that some older OS have a fixed upper limit of
3052 256. */
eb2c0248 3053
059ec3d9
PH
3054 if (rlp.rlim_cur < 1000)
3055 {
3056 rlp.rlim_cur = rlp.rlim_max = 1000;
3057 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3058 {
a494b1e1
PH
3059 rlp.rlim_cur = rlp.rlim_max = 256;
3060 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3061 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3062 strerror(errno));
eb2c0248 3063 }
059ec3d9
PH
3064 }
3065 #endif
3066
3067 #ifdef RLIMIT_NPROC
3068 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3069 {
3070 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3071 strerror(errno));
3072 rlp.rlim_cur = rlp.rlim_max = 0;
3073 }
3074
3075 #ifdef RLIM_INFINITY
3076 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3077 {
3078 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3079 #else
3080 if (rlp.rlim_cur < 1000)
3081 {
3082 rlp.rlim_cur = rlp.rlim_max = 1000;
3083 #endif
3084 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3085 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3086 strerror(errno));
3087 }
3088 #endif
3089 }
3090
3091/* Exim is normally entered as root (but some special configurations are
3092possible that don't do this). However, it always spins off sub-processes that
3093set their uid and gid as required for local delivery. We don't want to pass on
3094any extra groups that root may belong to, so we want to get rid of them all at
3095this point.
3096
3097We need to obey setgroups() at this stage, before possibly giving up root
3098privilege for a changed configuration file, but later on we might need to
3099check on the additional groups for the admin user privilege - can't do that
3100till after reading the config, which might specify the exim gid. Therefore,
3101save the group list here first. */
3102
3103group_count = getgroups(NGROUPS_MAX, group_list);
3104
3105/* There is a fundamental difference in some BSD systems in the matter of
3106groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3107known not to be different. On the "different" systems there is a single group
3108list, and the first entry in it is the current group. On all other versions of
3109Unix there is a supplementary group list, which is in *addition* to the current
3110group. Consequently, to get rid of all extraneous groups on a "standard" system
3111you pass over 0 groups to setgroups(), while on a "different" system you pass
3112over a single group - the current group, which is always the first group in the
3113list. Calling setgroups() with zero groups on a "different" system results in
3114an error return. The following code should cope with both types of system.
3115
3116However, if this process isn't running as root, setgroups() can't be used
3117since you have to be root to run it, even if throwing away groups. Not being
3118root here happens only in some unusual configurations. We just ignore the
3119error. */
3120
3121if (setgroups(0, NULL) != 0)
3122 {
3123 if (setgroups(1, group_list) != 0 && !unprivileged)
3124 {
3125 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3126 exit(EXIT_FAILURE);
3127 }
3128 }
3129
3130/* If the configuration file name has been altered by an argument on the
3131command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3132not root, or if this is a filter testing run, remove any setuid privilege the
3133program has and run as the underlying user.
059ec3d9 3134
cd25e41d
DW
3135The exim user is locked out of this, which severely restricts the use of -C
3136for some purposes.
059ec3d9
PH
3137
3138Otherwise, set the real ids to the effective values (should be root unless run
3139from inetd, which it can either be root or the exim uid, if one is configured).
3140
3141There is a private mechanism for bypassing some of this, in order to make it
3142possible to test lots of configurations automatically, without having either to
3143recompile each time, or to patch in an actual configuration file name and other
3144values (such as the path name). If running in the test harness, pretend that
3145configuration file changes and macro definitions haven't happened. */
3146
3147if (( /* EITHER */
e2f5dc15 3148 (!trusted_config || macros != NULL) && /* Config changed, and */
059ec3d9 3149 real_uid != root_uid && /* Not root, and */
059ec3d9
PH
3150 !running_in_test_harness /* Not fudged */
3151 ) || /* OR */
3152 expansion_test /* expansion testing */
3153 || /* OR */
f05da2e8 3154 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3155 {
3156 setgroups(group_count, group_list);
3157 exim_setugid(real_uid, real_gid, FALSE,
3158 US"-C, -D, -be or -bf forces real uid");
3159 removed_privilege = TRUE;
3160
3161 /* In the normal case when Exim is called like this, stderr is available
3162 and should be used for any logging information because attempts to write
3163 to the log will usually fail. To arrange this, we unset really_exim. However,
3164 if no stderr is available there is no point - we might as well have a go
3165 at the log (if it fails, syslog will be written). */
3166
3167 if (log_stderr != NULL) really_exim = FALSE;
3168 }
3169
3170/* Privilege is to be retained for the moment. It may be dropped later,
3171depending on the job that this Exim process has been asked to do. For now, set
3172the real uid to the effective so that subsequent re-execs of Exim are done by a
3173privileged user. */
3174
3175else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3176
f05da2e8 3177/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3178setups and reading the message. */
3179
f05da2e8
PH
3180if ((filter_test & FTEST_SYSTEM) != 0)
3181 {
3182 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3183 if (filter_sfd < 0)
3184 {
3185 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3186 strerror(errno));
3187 return EXIT_FAILURE;
3188 }
3189 }
3190
3191if ((filter_test & FTEST_USER) != 0)
059ec3d9 3192 {
f05da2e8
PH
3193 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3194 if (filter_ufd < 0)
059ec3d9 3195 {
f05da2e8 3196 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9
PH
3197 strerror(errno));
3198 return EXIT_FAILURE;
3199 }
3200 }
3201
3202/* Read the main runtime configuration data; this gives up if there
3203is a failure. It leaves the configuration file open so that the subsequent
3204configuration data for delivery can be read if needed. */
3205
3206readconf_main();
3207
3208/* Handle the decoding of logging options. */
3209
ed7f7860
PP
3210decode_bits(&log_write_selector, &log_extra_selector, 0, 0,
3211 log_selector_string, log_options, log_options_count, US"log", 0);
059ec3d9
PH
3212
3213DEBUG(D_any)
3214 {
3215 debug_printf("configuration file is %s\n", config_main_filename);
3216 debug_printf("log selectors = %08x %08x\n", log_write_selector,
3217 log_extra_selector);
3218 }
3219
3220/* If domain literals are not allowed, check the sender address that was
3221supplied with -f. Ditto for a stripped trailing dot. */
3222
3223if (sender_address != NULL)
3224 {
3225 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3226 {
3227 fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3228 "allowed\n", sender_address);
3229 return EXIT_FAILURE;
3230 }
3231 if (f_end_dot && !strip_trailing_dot)
3232 {
3233 fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3234 "(trailing dot not allowed)\n", sender_address);
3235 return EXIT_FAILURE;
3236 }
3237 }
3238
3239/* Paranoia check of maximum lengths of certain strings. There is a check
3240on the length of the log file path in log.c, which will come into effect
3241if there are any calls to write the log earlier than this. However, if we
3242get this far but the string is very long, it is better to stop now than to
3243carry on and (e.g.) receive a message and then have to collapse. The call to
3244log_write() from here will cause the ultimate panic collapse if the complete
3245file name exceeds the buffer length. */
3246
3247if (Ustrlen(log_file_path) > 200)
3248 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3249 "log_file_path is longer than 200 chars: aborting");
3250
3251if (Ustrlen(pid_file_path) > 200)
3252 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3253 "pid_file_path is longer than 200 chars: aborting");
3254
3255if (Ustrlen(spool_directory) > 200)
3256 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3257 "spool_directory is longer than 200 chars: aborting");
3258
3259/* Length check on the process name given to syslog for its TAG field,
3260which is only permitted to be 32 characters or less. See RFC 3164. */
3261
3262if (Ustrlen(syslog_processname) > 32)
3263 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3264 "syslog_processname is longer than 32 chars: aborting");
3265
3266/* In some operating systems, the environment variable TMPDIR controls where
3267temporary files are created; Exim doesn't use these (apart from when delivering
3268to MBX mailboxes), but called libraries such as DBM libraries may require them.
3269If TMPDIR is found in the environment, reset it to the value defined in the
3270TMPDIR macro, if this macro is defined. */
3271
3272#ifdef TMPDIR
3273 {
3274 uschar **p;
3275 for (p = USS environ; *p != NULL; p++)
3276 {
3277 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3278 Ustrcmp(*p+7, TMPDIR) != 0)
3279 {
3280 uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3281 sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3282 *p = newp;
3283 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3284 }
3285 }
3286 }
3287#endif
3288
3289/* Timezone handling. If timezone_string is "utc", set a flag to cause all
3290timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3291we may need to get rid of a bogus timezone setting. This can arise when Exim is
3292called by a user who has set the TZ variable. This then affects the timestamps
3293in log files and in Received: headers, and any created Date: header lines. The
3294required timezone is settable in the configuration file, so nothing can be done
3295about this earlier - but hopefully nothing will normally be logged earlier than
3296this. We have to make a new environment if TZ is wrong, but don't bother if
3297timestamps_utc is set, because then all times are in UTC anyway. */
3298
3299if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3300 {
3301 timestamps_utc = TRUE;
3302 }
3303else
3304 {
3305 uschar *envtz = US getenv("TZ");
3306 if ((envtz == NULL && timezone_string != NULL) ||
3307 (envtz != NULL &&
3308 (timezone_string == NULL ||
3309 Ustrcmp(timezone_string, envtz) != 0)))
3310 {
3311 uschar **p = USS environ;
3312 uschar **new;
3313 uschar **newp;
3314 int count = 0;
3315 while (*p++ != NULL) count++;
3316 if (envtz == NULL) count++;
3317 newp = new = malloc(sizeof(uschar *) * (count + 1));
3318 for (p = USS environ; *p != NULL; p++)
3319 {
3320 if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3321 *newp++ = *p;
3322 }
3323 if (timezone_string != NULL)
3324 {
3325 *newp = malloc(Ustrlen(timezone_string) + 4);
3326 sprintf(CS *newp++, "TZ=%s", timezone_string);
3327 }
3328 *newp = NULL;
3329 environ = CSS new;
3330 tzset();
3331 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3332 tod_stamp(tod_log));
3333 }
3334 }
3335
3336/* Handle the case when we have removed the setuid privilege because of -C or
cd25e41d 3337-D. This means that the caller of Exim was not root.
059ec3d9 3338
cd25e41d
DW
3339There is a problem if we were running as the Exim user. The sysadmin may
3340expect this case to retain privilege because "the binary was called by the
3341Exim user", but it hasn't, because either the -D option set macros, or the
261dc43e 3342-C option set a non-trusted configuration file. There are two possibilities:
059ec3d9
PH
3343
3344 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3345 to do message deliveries. Thus, the fact that it is running as a
3346 non-privileged user is plausible, and might be wanted in some special
3347 configurations. However, really_exim will have been set false when
3348 privilege was dropped, to stop Exim trying to write to its normal log
3349 files. Therefore, re-enable normal log processing, assuming the sysadmin
3350 has set up the log directory correctly.
3351
3352 (2) If deliver_drop_privilege is not set, the configuration won't work as
3353 apparently intended, and so we log a panic message. In order to retain
261dc43e
DW
3354 root for -C or -D, the caller must either be root or be invoking a
3355 trusted configuration file (when deliver_drop_privilege is false). */
059ec3d9 3356
e2f5dc15 3357if (removed_privilege && (!trusted_config || macros != NULL) &&
059ec3d9
PH
3358 real_uid == exim_uid)
3359 {
059ec3d9
PH
3360 if (deliver_drop_privilege)
3361 really_exim = TRUE; /* let logging work normally */
3362 else
3363 log_write(0, LOG_MAIN|LOG_PANIC,
cd25e41d 3364 "exim user lost privilege for using %s option",
e2f5dc15 3365 (int)exim_uid, trusted_config? "-D" : "-C");
059ec3d9
PH
3366 }
3367
3368/* Start up Perl interpreter if Perl support is configured and there is a
3369perl_startup option, and the configuration or the command line specifies
3370initializing starting. Note that the global variables are actually called
3371opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3372
3373#ifdef EXIM_PERL
3374if (perl_start_option != 0)
3375 opt_perl_at_start = (perl_start_option > 0);
3376if (opt_perl_at_start && opt_perl_startup != NULL)
3377 {
3378 uschar *errstr;
3379 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3380 errstr = init_perl(opt_perl_startup);
3381 if (errstr != NULL)
3382 {
3383 fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
3384 return EXIT_FAILURE;
3385 }
3386 opt_perl_started = TRUE;
3387 }
3388#endif /* EXIM_PERL */
3389
3390/* Log the arguments of the call if the configuration file said so. This is
3391a debugging feature for finding out what arguments certain MUAs actually use.
3392Don't attempt it if logging is disabled, or if listing variables or if
3393verifying/testing addresses or expansions. */
3394
31619da6
PH
3395if (((debug_selector & D_any) != 0 || (log_extra_selector & LX_arguments) != 0)
3396 && really_exim && !list_options && !checking)
059ec3d9
PH
3397 {
3398 int i;
3399 uschar *p = big_buffer;
3400 Ustrcpy(p, "cwd=");
3401 (void)getcwd(CS p+4, big_buffer_size - 4);
3402 while (*p) p++;
3403 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3404 while (*p) p++;
3405 for (i = 0; i < argc; i++)
3406 {
3407 int len = Ustrlen(argv[i]);
3408 uschar *printing;
3409 uschar *quote;
3410 if (p + len + 8 >= big_buffer + big_buffer_size)
3411 {
3412 Ustrcpy(p, " ...");
3413 log_write(0, LOG_MAIN, "%s", big_buffer);
3414 Ustrcpy(big_buffer, "...");
3415 p = big_buffer + 3;
3416 }
3417 printing = string_printing(argv[i]);
3418 if (printing[0] == 0) quote = US"\""; else
3419 {
3420 uschar *pp = printing;
3421 quote = US"";
3422 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3423 }
3424 sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3425 (p - big_buffer) - 4), printing, quote);
3426 while (*p) p++;
3427 }
31619da6
PH
3428
3429 if ((log_extra_selector & LX_arguments) != 0)
3430 log_write(0, LOG_MAIN, "%s", big_buffer);
3431 else
3432 debug_printf("%s\n", big_buffer);
059ec3d9
PH
3433 }
3434
3435/* Set the working directory to be the top-level spool directory. We don't rely
3436on this in the code, which always uses fully qualified names, but it's useful
3437for core dumps etc. Don't complain if it fails - the spool directory might not
3438be generally accessible and calls with the -C option (and others) have lost
ba18e66a
PH
3439privilege by now. Before the chdir, we try to ensure that the directory exists.
3440*/
059ec3d9
PH
3441
3442if (Uchdir(spool_directory) != 0)
3443 {
ba18e66a 3444 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
059ec3d9
PH
3445 (void)Uchdir(spool_directory);
3446 }
3447
3448/* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3449alias file. Exim doesn't have such a concept, but this call is screwed into
3450Sun's YP makefiles. Handle this by calling a configured script, as the real
3451user who called Exim. The -oA option can be used to pass an argument to the
3452script. */
3453
3454if (bi_option)
3455 {
1fe64dcc 3456 (void)fclose(config_file);
059ec3d9
PH
3457 if (bi_command != NULL)
3458 {
3459 int i = 0;
3460 uschar *argv[3];
3461 argv[i++] = bi_command;
3462 if (alias_arg != NULL) argv[i++] = alias_arg;
3463 argv[i++] = NULL;
3464
3465 setgroups(group_count, group_list);
3466 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3467
3468 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3469 (argv[1] == NULL)? US"" : argv[1]);
3470
3471 execv(CS argv[0], (char *const *)argv);
3472 fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
3473 exit(EXIT_FAILURE);
3474 }
3475 else
3476 {
3477 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3478 exit(EXIT_SUCCESS);
3479 }
3480 }
3481
3482/* If an action on specific messages is requested, or if a daemon or queue
3483runner is being started, we need to know if Exim was called by an admin user.
3484This is the case if the real user is root or exim, or if the real group is
3485exim, or if one of the supplementary groups is exim or a group listed in
3486admin_groups. We don't fail all message actions immediately if not admin_user,
3487since some actions can be performed by non-admin users. Instead, set admin_user
3488for later interrogation. */
3489
3490if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3491 admin_user = TRUE;
3492else
3493 {
3494 int i, j;
059ec3d9
PH
3495 for (i = 0; i < group_count; i++)
3496 {
3497 if (group_list[i] == exim_gid) admin_user = TRUE;
3498 else if (admin_groups != NULL)
3499 {
3500 for (j = 1; j <= (int)(admin_groups[0]); j++)
3501 if (admin_groups[j] == group_list[i])
3502 { admin_user = TRUE; break; }
3503 }
3504 if (admin_user) break;
3505 }
3506 }
3507
3508/* Another group of privileged users are the trusted users. These are root,
3509exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3510are permitted to specify sender_addresses with -f on the command line, and
3511other message parameters as well. */
3512
3513if (real_uid == root_uid || real_uid == exim_uid)
3514 trusted_caller = TRUE;
3515else
3516 {
3517 int i, j;
3518
3519 if (trusted_users != NULL)
3520 {
3521 for (i = 1; i <= (int)(trusted_users[0]); i++)
3522 if (trusted_users[i] == real_uid)
3523 { trusted_caller = TRUE; break; }
3524 }
3525
3526 if (!trusted_caller && trusted_groups != NULL)
3527 {
3528 for (i = 1; i <= (int)(trusted_groups[0]); i++)
3529 {
3530 if (trusted_groups[i] == real_gid)
3531 trusted_caller = TRUE;
3532 else for (j = 0; j < group_count; j++)
3533 {
3534 if (trusted_groups[i] == group_list[j])
3535 { trusted_caller = TRUE; break; }
3536 }
3537 if (trusted_caller) break;
3538 }
3539 }
3540 }
3541
3542if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
3543if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
3544
3545/* Only an admin user may start the daemon or force a queue run in the default
3546configuration, but the queue run restriction can be relaxed. Only an admin
3547user may request that a message be returned to its sender forthwith. Only an
3548admin user may specify a debug level greater than D_v (because it might show
3549passwords, etc. in lookup queries). Only an admin user may request a queue
8544e77a
PP
3550count. Only an admin user can use the test interface to scan for email
3551(because Exim will be in the spool dir and able to look at mails). */
059ec3d9
PH
3552
3553if (!admin_user)
3554 {
3555 BOOL debugset = (debug_selector & ~D_v) != 0;
8544e77a 3556 if (deliver_give_up || daemon_listen || malware_test_file ||
059ec3d9
PH
3557 (count_queue && queue_list_requires_admin) ||
3558 (list_queue && queue_list_requires_admin) ||
3559 (queue_interval >= 0 && prod_requires_admin) ||
3560 (debugset && !running_in_test_harness))
3561 {
3562 fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
3563 exit(EXIT_FAILURE);
3564 }
3565 }
3566
3567/* If the real user is not root or the exim uid, the argument for passing
3568in an open TCP/IP connection for another message is not permitted, nor is
3569running with the -N option for any delivery action, unless this call to exim is
3570one that supplied an input message, or we are using a patched exim for
3571regression testing. */
3572
3573if (real_uid != root_uid && real_uid != exim_uid &&
3574 (continue_hostname != NULL ||
3575 (dont_deliver &&
3576 (queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
3577 )) && !running_in_test_harness)
3578 {
3579 fprintf(stderr, "exim: Permission denied\n");
3580 return EXIT_FAILURE;
3581 }
3582
3583/* If the caller is not trusted, certain arguments are ignored when running for
f05da2e8
PH
3584real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
3585Note that authority for performing certain actions on messages is tested in the
059ec3d9
PH
3586queue_action() function. */
3587
f05da2e8 3588if (!trusted_caller && !checking && filter_test == FTEST_NONE)
059ec3d9
PH
3589 {
3590 sender_host_name = sender_host_address = interface_address =
3591 sender_ident = received_protocol = NULL;
3592 sender_host_port = interface_port = 0;
3593 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
3594 }
3595
3596/* If a sender host address is set, extract the optional port number off the
3597end of it and check its syntax. Do the same thing for the interface address.
3598Exim exits if the syntax is bad. */
3599
3600else
3601 {
3602 if (sender_host_address != NULL)
3603 sender_host_port = check_port(sender_host_address);
3604 if (interface_address != NULL)
3605 interface_port = check_port(interface_address);
3606 }
3607
3608/* If an SMTP message is being received check to see if the standard input is a
3609TCP/IP socket. If it is, we assume that Exim was called from inetd if the
3610caller is root or the Exim user, or if the port is a privileged one. Otherwise,
3611barf. */
3612
3613if (smtp_input)
3614 {
3615 union sockaddr_46 inetd_sock;
36a3b041 3616 EXIM_SOCKLEN_T size = sizeof(inetd_sock);
059ec3d9
PH
3617 if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
3618 {
3619 int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
3620 if (family == AF_INET || family == AF_INET6)
3621 {
3622 union sockaddr_46 interface_sock;
3623 size = sizeof(interface_sock);
3624
3625 if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
3626 interface_address = host_ntoa(-1, &interface_sock, NULL,
3627 &interface_port);
3628
3629 if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
3630
3631 if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
3632 {
3633 is_inetd = TRUE;
3634 sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
3635 NULL, &sender_host_port);
3636 if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
3637 "inetd is not supported when mua_wrapper is set");
3638 }
3639 else
3640 {
3641 fprintf(stderr,
3642 "exim: Permission denied (unprivileged user, unprivileged port)\n");
3643 return EXIT_FAILURE;
3644 }
3645 }
3646 }
3647 }
3648
3649/* If the load average is going to be needed while receiving a message, get it
3650now for those OS that require the first call to os_getloadavg() to be done as
3651root. There will be further calls later for each message received. */
3652
3653#ifdef LOAD_AVG_NEEDS_ROOT
3654if (receiving_message &&
3655 (queue_only_load >= 0 ||
3656 (is_inetd && smtp_load_reserve >= 0)
3657 ))
3658 {
8669f003 3659 load_average = OS_GETLOADAVG();
059ec3d9
PH
3660 }
3661#endif
3662
3663/* The queue_only configuration option can be overridden by -odx on the command
3664line, except that if queue_only_override is false, queue_only cannot be unset
3665from the command line. */
3666
3667if (queue_only_set && (queue_only_override || arg_queue_only))
3668 queue_only = arg_queue_only;
3669
3670/* The receive_timeout and smtp_receive_timeout options can be overridden by
3671-or and -os. */
3672
3673if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
3674if (arg_smtp_receive_timeout >= 0)
3675 smtp_receive_timeout = arg_smtp_receive_timeout;
3676
3677/* If Exim was started with root privilege, unless we have already removed the
3678root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now
3679except when starting the daemon or doing some kind of delivery or address
3680testing (-bt). These are the only cases when root need to be retained. We run
3681as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is
805e5aab
TF
3682retained only for starting the daemon. We always do the initgroups() in this
3683situation (controlled by the TRUE below), in order to be as close as possible
3684to the state Exim usually runs in. */
059ec3d9
PH
3685
3686if (!unprivileged && /* originally had root AND */
3687 !removed_privilege && /* still got root AND */
3688 !daemon_listen && /* not starting the daemon */
3689 queue_interval <= 0 && /* (either kind of daemon) */
3690 ( /* AND EITHER */
3691 deliver_drop_privilege || /* requested unprivileged */
3692 ( /* OR */
3693 queue_interval < 0 && /* not running the queue */
3694 (msg_action_arg < 0 || /* and */
3695 msg_action != MSG_DELIVER) && /* not delivering and */
3696 (!checking || !address_test_mode) /* not address checking */
3697 )
3698 ))
3699 {
805e5aab 3700 exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
059ec3d9
PH
3701 }
3702
3703/* When we are retaining a privileged uid, we still change to the exim gid. */
3704
3705else setgid(exim_gid);
3706
8544e77a
PP
3707/* Handle a request to scan a file for malware */
3708if (malware_test_file)
3709 {
dbc4b90d 3710#ifdef WITH_CONTENT_SCAN
8544e77a
PP
3711 int result;
3712 set_process_info("scanning file for malware");
3713 result = malware_in_file(malware_test_file);
3714 if (result == FAIL)
3715 {
3716 printf("No malware found.\n");
3717 exit(EXIT_SUCCESS);
3718 }
3719 if (result != OK)
3720 {
3721 printf("Malware lookup returned non-okay/fail: %d\n", result);
3722 exit(EXIT_FAILURE);
3723 }
3724 if (malware_name)
3725 printf("Malware found: %s\n", malware_name);
3726 else
3727 printf("Malware scan detected malware of unknown name.\n");
dbc4b90d
PP
3728#else
3729 printf("Malware scanning not enabled at compile time.\n");
3730#endif
8544e77a
PP
3731 exit(EXIT_FAILURE);
3732 }
3733
059ec3d9
PH
3734/* Handle a request to list the delivery queue */
3735
3736if (list_queue)
3737 {
3738 set_process_info("listing the queue");
3739 queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg);
3740 exit(EXIT_SUCCESS);
3741 }
3742
3743/* Handle a request to count the delivery queue */
3744
3745if (count_queue)
3746 {
3747 set_process_info("counting the queue");
3748 queue_count();
3749 exit(EXIT_SUCCESS);
3750 }
3751
0ef732d9
PH
3752/* Handle actions on specific messages, except for the force delivery and
3753message load actions, which are done below. Some actions take a whole list of
3754message ids, which are known to continue up to the end of the arguments. Others
3755take a single message id and then operate on the recipients list. */
059ec3d9 3756
0ef732d9 3757if (msg_action_arg > 0 && msg_action != MSG_DELIVER && msg_action != MSG_LOAD)
059ec3d9
PH
3758 {
3759 int yield = EXIT_SUCCESS;
3760 set_process_info("acting on specified messages");
3761
3762 if (!one_msg_action)
3763 {
3764 for (i = msg_action_arg; i < argc; i++)
3765 if (!queue_action(argv[i], msg_action, NULL, 0, 0))
3766 yield = EXIT_FAILURE;
3767 }
3768
3769 else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc,
3770 recipients_arg)) yield = EXIT_FAILURE;
3771 exit(yield);
3772 }
3773
3774/* All the modes below here require the remaining configuration sections
3775to be read, except that we can skip over the ACL setting when delivering
3776specific messages, or doing a queue run. (For various testing cases we could
3777skip too, but as they are rare, it doesn't really matter.) The argument is TRUE
3778for skipping. */
3779
3780readconf_rest(msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen));
3781
3782/* The configuration data will have been read into POOL_PERM because we won't
3783ever want to reset back past it. Change the current pool to POOL_MAIN. In fact,
3784this is just a bit of pedantic tidiness. It wouldn't really matter if the
3785configuration were read into POOL_MAIN, because we don't do any resets till
3786later on. However, it seems right, and it does ensure that both pools get used.
3787*/
3788
3789store_pool = POOL_MAIN;
3790
3791/* Handle the -brt option. This is for checking out retry configurations.
3792The next three arguments are a domain name or a complete address, and
3793optionally two error numbers. All it does is to call the function that
3794scans the retry configuration data. */
3795
3796if (test_retry_arg >= 0)
3797 {
3798 retry_config *yield;
3799 int basic_errno = 0;
3800 int more_errno = 0;
3801 uschar *s1, *s2;
3802
3803 if (test_retry_arg >= argc)
3804 {
3805 printf("-brt needs a domain or address argument\n");
3806 exim_exit(EXIT_FAILURE);
3807 }
3808 s1 = argv[test_retry_arg++];
3809 s2 = NULL;
3810
3811 /* If the first argument contains no @ and no . it might be a local user
3812 or it might be a single-component name. Treat as a domain. */
3813
3814 if (Ustrchr(s1, '@') == NULL && Ustrchr(s1, '.') == NULL)
3815 {
3816 printf("Warning: \"%s\" contains no '@' and no '.' characters. It is "
3817 "being \ntreated as a one-component domain, not as a local part.\n\n",
3818 s1);
3819 }
3820
3821 /* There may be an optional second domain arg. */
3822
3823 if (test_retry_arg < argc && Ustrchr(argv[test_retry_arg], '.') != NULL)
3824 s2 = argv[test_retry_arg++];
3825
3826 /* The final arg is an error name */
3827
3828 if (test_retry_arg < argc)
3829 {
3830 uschar *ss = argv[test_retry_arg];
3831 uschar *error =
3832 readconf_retry_error(ss, ss + Ustrlen(ss), &basic_errno, &more_errno);
3833 if (error != NULL)
3834 {
3835 printf("%s\n", CS error);
3836 return EXIT_FAILURE;
3837 }
3838
e97957bc
PH
3839 /* For the {MAIL,RCPT,DATA}_4xx errors, a value of 255 means "any", and a
3840 code > 100 as an error is for matching codes to the decade. Turn them into
3841 a real error code, off the decade. */
059ec3d9 3842
e97957bc
PH
3843 if (basic_errno == ERRNO_MAIL4XX ||
3844 basic_errno == ERRNO_RCPT4XX ||
3845 basic_errno == ERRNO_DATA4XX)
059ec3d9
PH
3846 {
3847 int code = (more_errno >> 8) & 255;
3848 if (code == 255)
3849 more_errno = (more_errno & 0xffff00ff) | (21 << 8);
3850 else if (code > 100)
3851 more_errno = (more_errno & 0xffff00ff) | ((code - 96) << 8);
3852 }
3853 }
3854
3855 yield = retry_find_config(s1, s2, basic_errno, more_errno);
3856 if (yield == NULL) printf("No retry information found\n"); else
3857 {
3858 retry_rule *r;
3859 more_errno = yield->more_errno;
3860 printf("Retry rule: %s ", yield->pattern);
3861
3862 if (yield->basic_errno == ERRNO_EXIMQUOTA)
3863 {
3864 printf("quota%s%s ",
3865 (more_errno > 0)? "_" : "",
3866 (more_errno > 0)? readconf_printtime(more_errno) : US"");
3867 }
3868 else if (yield->basic_errno == ECONNREFUSED)
3869 {
3870 printf("refused%s%s ",
3871 (more_errno > 0)? "_" : "",
3872 (more_errno == 'M')? "MX" :
3873 (more_errno == 'A')? "A" : "");
3874 }
3875 else if (yield->basic_errno == ETIMEDOUT)
3876 {
3877 printf("timeout");
3878 if ((more_errno & RTEF_CTOUT) != 0) printf("_connect");
3879 more_errno &= 255;
3880 if (more_errno != 0) printf("_%s",
3881 (more_errno == 'M')? "MX" : "A");
3882 printf(" ");
3883 }
3884 else if (yield->basic_errno == ERRNO_AUTHFAIL)
3885 printf("auth_failed ");
3886 else printf("* ");
3887
3888 for (r = yield->rules; r != NULL; r = r->next)
3889 {
3890 printf("%c,%s", r->rule, readconf_printtime(r->timeout)); /* Do not */
3891 printf(",%s", readconf_printtime(r->p1)); /* amalgamate */
3892 if (r->rule == 'G')
3893 {
3894 int x = r->p2;
3895 int f = x % 1000;
3896 int d = 100;
3897 printf(",%d.", x/1000);
3898 do
3899 {
3900 printf("%d", f/d);
3901 f %= d;
3902 d /= 10;
3903 }
3904 while (f != 0);
3905 }
3906 printf("; ");
3907 }
3908
3909 printf("\n");
3910 }
3911 exim_exit(EXIT_SUCCESS);
3912 }
3913
3914/* Handle a request to list one or more configuration options */
3915
3916if (list_options)
3917 {
3918 set_process_info("listing variables");
3919 if (recipients_arg >= argc) readconf_print(US"all", NULL);
3920 else for (i = recipients_arg; i < argc; i++)
3921 {
3922 if (i < argc - 1 &&
3923 (Ustrcmp(argv[i], "router") == 0 ||
3924 Ustrcmp(argv[i], "transport") == 0 ||
5d9c27ec
TK
3925 Ustrcmp(argv[i], "authenticator") == 0 ||
3926 Ustrcmp(argv[i], "macro") == 0))
059ec3d9
PH
3927 {
3928 readconf_print(argv[i+1], argv[i]);
3929 i++;
3930 }
3931 else readconf_print(argv[i], NULL);
3932 }
3933 exim_exit(EXIT_SUCCESS);
3934 }
3935
3936
3937/* Handle a request to deliver one or more messages that are already on the
0ef732d9
PH
3938queue. Values of msg_action other than MSG_DELIVER and MSG_LOAD are dealt with
3939above. MSG_LOAD is handled with -be (which is the only time it applies) below.
3940
3941Delivery of specific messages is typically used for a small number when
3942prodding by hand (when the option forced_delivery will be set) or when
3943re-execing to regain root privilege. Each message delivery must happen in a
3944separate process, so we fork a process for each one, and run them sequentially
3945so that debugging output doesn't get intertwined, and to avoid spawning too
3946many processes if a long list is given. However, don't fork for the last one;
3947this saves a process in the common case when Exim is called to deliver just one
3948message. */
3949
3950if (msg_action_arg > 0 && msg_action != MSG_LOAD)
059ec3d9
PH
3951 {
3952 if (prod_requires_admin && !admin_user)
3953 {
3954 fprintf(stderr, "exim: Permission denied\n");
3955 exim_exit(EXIT_FAILURE);
3956 }
3957 set_process_info("delivering specified messages");
3958 if (deliver_give_up) forced_delivery = deliver_force_thaw = TRUE;
3959 for (i = msg_action_arg; i < argc; i++)
3960 {
3961 int status;
3962 pid_t pid;
3963 if (i == argc - 1)
3964 (void)deliver_message(argv[i], forced_delivery, deliver_give_up);
3965 else if ((pid = fork()) == 0)
3966 {
3967 (void)deliver_message(argv[i], forced_delivery, deliver_give_up);
3968 _exit(EXIT_SUCCESS);
3969 }
3970 else if (pid < 0)
3971 {
3972 fprintf(stderr, "failed to fork delivery process for %s: %s\n", argv[i],
3973 strerror(errno));
3974 exim_exit(EXIT_FAILURE);
3975 }
3976 else wait(&status);
3977 }
3978 exim_exit(EXIT_SUCCESS);
3979 }
3980
3981
3982/* If only a single queue run is requested, without SMTP listening, we can just
3983turn into a queue runner, with an optional starting message id. */
3984
3985if (queue_interval == 0 && !daemon_listen)
3986 {
3987 DEBUG(D_queue_run) debug_printf("Single queue run%s%s%s%s\n",
3988 (start_queue_run_id == NULL)? US"" : US" starting at ",
3989 (start_queue_run_id == NULL)? US"" : start_queue_run_id,
3990 (stop_queue_run_id == NULL)? US"" : US" stopping at ",
3991 (stop_queue_run_id == NULL)? US"" : stop_queue_run_id);
3992 set_process_info("running the queue (single queue run)");
3993 queue_run(start_queue_run_id, stop_queue_run_id, FALSE);
3994 exim_exit(EXIT_SUCCESS);
3995 }
3996
3997
3998/* Find the login name of the real user running this process. This is always
3999needed when receiving a message, because it is written into the spool file. It
4000may also be used to construct a from: or a sender: header, and in this case we
4001need the user's full name as well, so save a copy of it, checked for RFC822
4002syntax and munged if necessary, if it hasn't previously been set by the -F
4003argument. We may try to get the passwd entry more than once, in case NIS or
4004other delays are in evidence. Save the home directory for use in filter testing
4005(only). */
4006
4007for (i = 0;;)
4008 {
4009 if ((pw = getpwuid(real_uid)) != NULL)
4010 {
4011 originator_login = string_copy(US pw->pw_name);
4012 originator_home = string_copy(US pw->pw_dir);
4013
4014 /* If user name has not been set by -F, set it from the passwd entry
4015 unless -f has been used to set the sender address by a trusted user. */
4016
4017 if (originator_name == NULL)
4018 {
4019 if (sender_address == NULL ||
f05da2e8 4020 (!trusted_caller && filter_test == FTEST_NONE))
059ec3d9
PH
4021 {
4022 uschar *name = US pw->pw_gecos;
4023 uschar *amp = Ustrchr(name, '&');
4024 uschar buffer[256];
4025
4026 /* Most Unix specify that a '&' character in the gecos field is
4027 replaced by a copy of the login name, and some even specify that
4028 the first character should be upper cased, so that's what we do. */
4029
4030 if (amp != NULL)
4031 {
4032 int loffset;
4033 string_format(buffer, sizeof(buffer), "%.*s%n%s%s",
4034 amp - name, name, &loffset, originator_login, amp + 1);
4035 buffer[loffset] = toupper(buffer[loffset]);
4036 name = buffer;
4037 }
4038
4039 /* If a pattern for matching the gecos field was supplied, apply
4040 it and then expand the name string. */
4041
4042 if (gecos_pattern != NULL && gecos_name != NULL)
4043 {
4044 const pcre *re;
4045 re = regex_must_compile(gecos_pattern, FALSE, TRUE); /* Use malloc */
4046
4047 if (regex_match_and_setup(re, name, 0, -1))
4048 {
4049 uschar *new_name = expand_string(gecos_name);
4050 expand_nmax = -1;
4051 if (new_name != NULL)
4052 {
4053 DEBUG(D_receive) debug_printf("user name \"%s\" extracted from "
4054 "gecos field \"%s\"\n", new_name, name);
4055 name = new_name;
4056 }
4057 else DEBUG(D_receive) debug_printf("failed to expand gecos_name string "
4058 "\"%s\": %s\n", gecos_name, expand_string_message);
4059 }
4060 else DEBUG(D_receive) debug_printf("gecos_pattern \"%s\" did not match "
4061 "gecos field \"%s\"\n", gecos_pattern, name);
4062 store_free((void *)re);
4063 }
4064 originator_name = string_copy(name);
4065 }
4066
4067 /* A trusted caller has used -f but not -F */
4068
4069 else originator_name = US"";
4070 }
4071
4072 /* Break the retry loop */
4073
4074 break;
4075 }
4076
4077 if (++i > finduser_retries) break;
4078 sleep(1);
4079 }
4080
4081/* If we cannot get a user login, log the incident and give up, unless the
4082configuration specifies something to use. When running in the test harness,
8800895a 4083any setting of unknown_login overrides the actual name. */
059ec3d9
PH
4084
4085if (originator_login == NULL || running_in_test_harness)
4086 {
4087 if (unknown_login != NULL)
4088 {
4089 originator_login = expand_string(unknown_login);
4090 if (originator_name == NULL && unknown_username != NULL)
4091 originator_name = expand_string(unknown_username);
4092 if (originator_name == NULL) originator_name = US"";
4093 }
4094 if (originator_login == NULL)
4095 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to get user name for uid %d",
4096 (int)real_uid);
4097 }
4098
4099/* Ensure that the user name is in a suitable form for use as a "phrase" in an