ChangeLog: note cyrus plugin use situation
[exim.git] / src / src / exim.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
c4ceed07 5/* Copyright (c) University of Cambridge 1995 - 2012 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8
9/* The main function: entry point, initialization, and high-level control.
10Also a few functions that don't naturally fit elsewhere. */
11
12
13#include "exim.h"
14
6545de78
PP
15extern void init_lookup_list(void);
16
059ec3d9
PH
17
18
19/*************************************************
20* Function interface to store functions *
21*************************************************/
22
23/* We need some real functions to pass to the PCRE regular expression library
24for store allocation via Exim's store manager. The normal calls are actually
25macros that pass over location information to make tracing easier. These
26functions just interface to the standard macro calls. A good compiler will
27optimize out the tail recursion and so not make them too expensive. There
28are two sets of functions; one for use when we want to retain the compiled
29regular expression for a long time; the other for short-term use. */
30
31static void *
32function_store_get(size_t size)
33{
34return store_get((int)size);
35}
36
37static void
38function_dummy_free(void *block) { block = block; }
39
40static void *
41function_store_malloc(size_t size)
42{
43return store_malloc((int)size);
44}
45
46static void
47function_store_free(void *block)
48{
49store_free(block);
50}
51
52
53
54
55/*************************************************
98a90c36
PP
56* Enums for cmdline interface *
57*************************************************/
58
59enum commandline_info { CMDINFO_NONE=0,
36a3ae5f 60 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
98a90c36
PP
61
62
63
64
65/*************************************************
059ec3d9
PH
66* Compile regular expression and panic on fail *
67*************************************************/
68
69/* This function is called when failure to compile a regular expression leads
70to a panic exit. In other cases, pcre_compile() is called directly. In many
71cases where this function is used, the results of the compilation are to be
72placed in long-lived store, so we temporarily reset the store management
73functions that PCRE uses if the use_malloc flag is set.
74
75Argument:
76 pattern the pattern to compile
77 caseless TRUE if caseless matching is required
78 use_malloc TRUE if compile into malloc store
79
80Returns: pointer to the compiled pattern
81*/
82
83const pcre *
84regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
85{
86int offset;
87int options = PCRE_COPT;
88const pcre *yield;
89const uschar *error;
90if (use_malloc)
91 {
92 pcre_malloc = function_store_malloc;
93 pcre_free = function_store_free;
94 }
95if (caseless) options |= PCRE_CASELESS;
96yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
97pcre_malloc = function_store_get;
98pcre_free = function_dummy_free;
99if (yield == NULL)
100 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
101 "%s at offset %d while compiling %s", error, offset, pattern);
102return yield;
103}
104
105
106
107
108/*************************************************
109* Execute regular expression and set strings *
110*************************************************/
111
112/* This function runs a regular expression match, and sets up the pointers to
113the matched substrings.
114
115Arguments:
116 re the compiled expression
117 subject the subject string
118 options additional PCRE options
119 setup if < 0 do full setup
120 if >= 0 setup from setup+1 onwards,
121 excluding the full matched string
122
123Returns: TRUE or FALSE
124*/
125
126BOOL
127regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
128{
129int ovector[3*(EXPAND_MAXN+1)];
130int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
131 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
132BOOL yield = n >= 0;
133if (n == 0) n = EXPAND_MAXN + 1;
134if (yield)
135 {
136 int nn;
137 expand_nmax = (setup < 0)? 0 : setup + 1;
138 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
139 {
140 expand_nstring[expand_nmax] = subject + ovector[nn];
141 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
142 }
143 expand_nmax--;
144 }
145return yield;
146}
147
148
149
150
151/*************************************************
921b12ca
TF
152* Set up processing details *
153*************************************************/
154
155/* Save a text string for dumping when SIGUSR1 is received.
156Do checks for overruns.
157
158Arguments: format and arguments, as for printf()
159Returns: nothing
160*/
161
162void
163set_process_info(const char *format, ...)
164{
165int len;
166va_list ap;
167sprintf(CS process_info, "%5d ", (int)getpid());
168len = Ustrlen(process_info);
169va_start(ap, format);
170if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
171 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
172len = Ustrlen(process_info);
173process_info[len+0] = '\n';
174process_info[len+1] = '\0';
175process_info_len = len + 1;
176DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
177va_end(ap);
178}
179
180
181
182
183/*************************************************
059ec3d9
PH
184* Handler for SIGUSR1 *
185*************************************************/
186
187/* SIGUSR1 causes any exim process to write to the process log details of
188what it is currently doing. It will only be used if the OS is capable of
189setting up a handler that causes automatic restarting of any system call
190that is in progress at the time.
191
921b12ca
TF
192This function takes care to be signal-safe.
193
059ec3d9
PH
194Argument: the signal number (SIGUSR1)
195Returns: nothing
196*/
197
198static void
199usr1_handler(int sig)
200{
921b12ca
TF
201int fd;
202
203os_restarting_signal(sig, usr1_handler);
204
205fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE);
206if (fd < 0)
207 {
208 /* If we are already running as the Exim user, try to create it in the
209 current process (assuming spool_directory exists). Otherwise, if we are
210 root, do the creation in an exim:exim subprocess. */
211
212 int euid = geteuid();
213 if (euid == exim_uid)
214 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
215 else if (euid == root_uid)
216 fd = log_create_as_exim(process_log_path);
217 }
218
219/* If we are neither exim nor root, or if we failed to create the log file,
220give up. There is not much useful we can do with errors, since we don't want
221to disrupt whatever is going on outside the signal handler. */
222
223if (fd < 0) return;
224
225(void)write(fd, process_info, process_info_len);
226(void)close(fd);
059ec3d9
PH
227}
228
229
230
231/*************************************************
232* Timeout handler *
233*************************************************/
234
235/* This handler is enabled most of the time that Exim is running. The handler
236doesn't actually get used unless alarm() has been called to set a timer, to
237place a time limit on a system call of some kind. When the handler is run, it
238re-enables itself.
239
240There are some other SIGALRM handlers that are used in special cases when more
241than just a flag setting is required; for example, when reading a message's
242input. These are normally set up in the code module that uses them, and the
243SIGALRM handler is reset to this one afterwards.
244
245Argument: the signal value (SIGALRM)
246Returns: nothing
247*/
248
249void
250sigalrm_handler(int sig)
251{
252sig = sig; /* Keep picky compilers happy */
253sigalrm_seen = TRUE;
254os_non_restarting_signal(SIGALRM, sigalrm_handler);
255}
256
257
258
259/*************************************************
260* Sleep for a fractional time interval *
261*************************************************/
262
263/* This function is called by millisleep() and exim_wait_tick() to wait for a
264period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
265tedious. We do not expect setitimer() ever to fail, but if it does, the process
266will wait for ever, so we panic in this instance. (There was a case of this
267when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 268That's when I added the check. :-)
059ec3d9
PH
269
270Argument: an itimerval structure containing the interval
271Returns: nothing
272*/
273
274static void
275milliwait(struct itimerval *itval)
276{
277sigset_t sigmask;
278sigset_t old_sigmask;
279(void)sigemptyset(&sigmask); /* Empty mask */
280(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
281(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 282if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
283 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
284 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
285(void)sigfillset(&sigmask); /* All signals */
286(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
287(void)sigsuspend(&sigmask); /* Until SIGALRM */
288(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
289}
290
291
292
293
294/*************************************************
295* Millisecond sleep function *
296*************************************************/
297
298/* The basic sleep() function has a granularity of 1 second, which is too rough
299in some cases - for example, when using an increasing delay to slow down
300spammers.
301
302Argument: number of millseconds
303Returns: nothing
304*/
305
306void
307millisleep(int msec)
308{
309struct itimerval itval;
310itval.it_interval.tv_sec = 0;
311itval.it_interval.tv_usec = 0;
312itval.it_value.tv_sec = msec/1000;
313itval.it_value.tv_usec = (msec % 1000) * 1000;
314milliwait(&itval);
315}
316
317
318
319/*************************************************
320* Compare microsecond times *
321*************************************************/
322
323/*
324Arguments:
325 tv1 the first time
326 tv2 the second time
327
328Returns: -1, 0, or +1
329*/
330
331int
332exim_tvcmp(struct timeval *t1, struct timeval *t2)
333{
334if (t1->tv_sec > t2->tv_sec) return +1;
335if (t1->tv_sec < t2->tv_sec) return -1;
336if (t1->tv_usec > t2->tv_usec) return +1;
337if (t1->tv_usec < t2->tv_usec) return -1;
338return 0;
339}
340
341
342
343
344/*************************************************
345* Clock tick wait function *
346*************************************************/
347
348/* Exim uses a time + a pid to generate a unique identifier in two places: its
349message IDs, and in file names for maildir deliveries. Because some OS now
350re-use pids within the same second, sub-second times are now being used.
351However, for absolute certaintly, we must ensure the clock has ticked before
352allowing the relevant process to complete. At the time of implementation of
353this code (February 2003), the speed of processors is such that the clock will
354invariably have ticked already by the time a process has done its job. This
355function prepares for the time when things are faster - and it also copes with
356clocks that go backwards.
357
358Arguments:
359 then_tv A timeval which was used to create uniqueness; its usec field
360 has been rounded down to the value of the resolution.
361 We want to be sure the current time is greater than this.
362 resolution The resolution that was used to divide the microseconds
363 (1 for maildir, larger for message ids)
364
365Returns: nothing
366*/
367
368void
369exim_wait_tick(struct timeval *then_tv, int resolution)
370{
371struct timeval now_tv;
372long int now_true_usec;
373
374(void)gettimeofday(&now_tv, NULL);
375now_true_usec = now_tv.tv_usec;
376now_tv.tv_usec = (now_true_usec/resolution) * resolution;
377
378if (exim_tvcmp(&now_tv, then_tv) <= 0)
379 {
380 struct itimerval itval;
381 itval.it_interval.tv_sec = 0;
382 itval.it_interval.tv_usec = 0;
383 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
384 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
385
386 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
387 negative value for the microseconds is possible only in the case when "now"
388 is more than a second less than "then". That means that itval.it_value.tv_sec
389 is greater than zero. The following correction is therefore safe. */
390
391 if (itval.it_value.tv_usec < 0)
392 {
393 itval.it_value.tv_usec += 1000000;
394 itval.it_value.tv_sec -= 1;
395 }
396
397 DEBUG(D_transport|D_receive)
398 {
399 if (!running_in_test_harness)
400 {
401 debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
402 then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
403 debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
404 itval.it_value.tv_usec);
405 }
406 }
407
408 milliwait(&itval);
409 }
410}
411
412
413
414
415/*************************************************
2632889e
PH
416* Call fopen() with umask 777 and adjust mode *
417*************************************************/
418
419/* Exim runs with umask(0) so that files created with open() have the mode that
420is specified in the open() call. However, there are some files, typically in
421the spool directory, that are created with fopen(). They end up world-writeable
422if no precautions are taken. Although the spool directory is not accessible to
423the world, this is an untidiness. So this is a wrapper function for fopen()
424that sorts out the mode of the created file.
425
426Arguments:
427 filename the file name
428 options the fopen() options
429 mode the required mode
430
431Returns: the fopened FILE or NULL
432*/
433
434FILE *
1ba28e2b 435modefopen(const uschar *filename, const char *options, mode_t mode)
2632889e 436{
67d175de
PH
437mode_t saved_umask = umask(0777);
438FILE *f = Ufopen(filename, options);
439(void)umask(saved_umask);
2632889e
PH
440if (f != NULL) (void)fchmod(fileno(f), mode);
441return f;
442}
443
444
445
446
447/*************************************************
059ec3d9
PH
448* Ensure stdin, stdout, and stderr exist *
449*************************************************/
450
451/* Some operating systems grumble if an exec() happens without a standard
452input, output, and error (fds 0, 1, 2) being defined. The worry is that some
453file will be opened and will use these fd values, and then some other bit of
454code will assume, for example, that it can write error messages to stderr.
455This function ensures that fds 0, 1, and 2 are open if they do not already
456exist, by connecting them to /dev/null.
457
458This function is also used to ensure that std{in,out,err} exist at all times,
459so that if any library that Exim calls tries to use them, it doesn't crash.
460
461Arguments: None
462Returns: Nothing
463*/
464
465void
466exim_nullstd(void)
467{
468int i;
469int devnull = -1;
470struct stat statbuf;
471for (i = 0; i <= 2; i++)
472 {
473 if (fstat(i, &statbuf) < 0 && errno == EBADF)
474 {
475 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
476 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
477 string_open_failed(errno, "/dev/null"));
1fe64dcc 478 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
479 }
480 }
1fe64dcc 481if (devnull > 2) (void)close(devnull);
059ec3d9
PH
482}
483
484
485
486
487/*************************************************
488* Close unwanted file descriptors for delivery *
489*************************************************/
490
491/* This function is called from a new process that has been forked to deliver
492an incoming message, either directly, or using exec.
493
494We want any smtp input streams to be closed in this new process. However, it
495has been observed that using fclose() here causes trouble. When reading in -bS
496input, duplicate copies of messages have been seen. The files will be sharing a
497file pointer with the parent process, and it seems that fclose() (at least on
498some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
499least sometimes. Hence we go for closing the underlying file descriptors.
500
501If TLS is active, we want to shut down the TLS library, but without molesting
502the parent's SSL connection.
503
504For delivery of a non-SMTP message, we want to close stdin and stdout (and
505stderr unless debugging) because the calling process might have set them up as
506pipes and be waiting for them to close before it waits for the submission
507process to terminate. If they aren't closed, they hold up the calling process
508until the initial delivery process finishes, which is not what we want.
509
510Exception: We do want it for synchronous delivery!
511
512And notwithstanding all the above, if D_resolver is set, implying resolver
513debugging, leave stdout open, because that's where the resolver writes its
514debugging output.
515
516When we close stderr (which implies we've also closed stdout), we also get rid
517of any controlling terminal.
518
519Arguments: None
520Returns: Nothing
521*/
522
523static void
524close_unwanted(void)
525{
526if (smtp_input)
527 {
528 #ifdef SUPPORT_TLS
529 tls_close(FALSE); /* Shut down the TLS library */
530 #endif
1fe64dcc
PH
531 (void)close(fileno(smtp_in));
532 (void)close(fileno(smtp_out));
059ec3d9
PH
533 smtp_in = NULL;
534 }
535else
536 {
1fe64dcc
PH
537 (void)close(0); /* stdin */
538 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
539 if (debug_selector == 0) /* stderr */
059ec3d9
PH
540 {
541 if (!synchronous_delivery)
542 {
1fe64dcc 543 (void)close(2);
059ec3d9
PH
544 log_stderr = NULL;
545 }
546 (void)setsid();
547 }
548 }
549}
550
551
552
553
554/*************************************************
555* Set uid and gid *
556*************************************************/
557
558/* This function sets a new uid and gid permanently, optionally calling
559initgroups() to set auxiliary groups. There are some special cases when running
560Exim in unprivileged modes. In these situations the effective uid will not be
561root; if we already have the right effective uid/gid, and don't need to
562initialize any groups, leave things as they are.
563
564Arguments:
565 uid the uid
566 gid the gid
567 igflag TRUE if initgroups() wanted
568 msg text to use in debugging output and failure log
569
570Returns: nothing; bombs out on failure
571*/
572
573void
574exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
575{
576uid_t euid = geteuid();
577gid_t egid = getegid();
578
579if (euid == root_uid || euid != uid || egid != gid || igflag)
580 {
581 /* At least one OS returns +1 for initgroups failure, so just check for
582 non-zero. */
583
584 if (igflag)
585 {
586 struct passwd *pw = getpwuid(uid);
587 if (pw != NULL)
588 {
589 if (initgroups(pw->pw_name, gid) != 0)
590 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
591 (long int)uid, strerror(errno));
592 }
593 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
594 "no passwd entry for uid=%ld", (long int)uid);
595 }
596
597 if (setgid(gid) < 0 || setuid(uid) < 0)
598 {
599 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
600 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
601 }
602 }
603
604/* Debugging output included uid/gid and all groups */
605
606DEBUG(D_uid)
607 {
cd59ab18 608 int group_count, save_errno;
059ec3d9
PH
609 gid_t group_list[NGROUPS_MAX];
610 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
611 (long int)geteuid(), (long int)getegid(), (long int)getpid());
612 group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18 613 save_errno = errno;
059ec3d9
PH
614 debug_printf(" auxiliary group list:");
615 if (group_count > 0)
616 {
617 int i;
618 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
619 }
cd59ab18
PP
620 else if (group_count < 0)
621 debug_printf(" <error: %s>", strerror(save_errno));
059ec3d9
PH
622 else debug_printf(" <none>");
623 debug_printf("\n");
624 }
625}
626
627
628
629
630/*************************************************
631* Exit point *
632*************************************************/
633
634/* Exim exits via this function so that it always clears up any open
635databases.
636
637Arguments:
638 rc return code
639
640Returns: does not return
641*/
642
643void
644exim_exit(int rc)
645{
646search_tidyup();
647DEBUG(D_any)
648 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
649 ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
650exit(rc);
651}
652
653
654
655
656/*************************************************
657* Extract port from host address *
658*************************************************/
659
660/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
661It also checks the syntax of the address, and terminates it before the
662port data when a port is extracted.
059ec3d9
PH
663
664Argument:
665 address the address, with possible port on the end
666
667Returns: the port, or zero if there isn't one
668 bombs out on a syntax error
669*/
670
671static int
672check_port(uschar *address)
673{
7cd1141b 674int port = host_address_extract_port(address);
8e669ac1 675if (string_is_ip_address(address, NULL) == 0)
059ec3d9
PH
676 {
677 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
678 exit(EXIT_FAILURE);
679 }
680return port;
681}
682
683
684
685/*************************************************
686* Test/verify an address *
687*************************************************/
688
689/* This function is called by the -bv and -bt code. It extracts a working
690address from a full RFC 822 address. This isn't really necessary per se, but it
691has the effect of collapsing source routes.
692
693Arguments:
694 s the address string
695 flags flag bits for verify_address()
696 exit_value to be set for failures
697
a5a28604 698Returns: nothing
059ec3d9
PH
699*/
700
701static void
702test_address(uschar *s, int flags, int *exit_value)
703{
704int start, end, domain;
705uschar *parse_error = NULL;
706uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
707 FALSE);
708if (address == NULL)
709 {
710 fprintf(stdout, "syntax error: %s\n", parse_error);
711 *exit_value = 2;
712 }
713else
714 {
715 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 716 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
717 if (rc == FAIL) *exit_value = 2;
718 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
719 }
720}
721
722
723
724/*************************************************
059ec3d9
PH
725* Show supported features *
726*************************************************/
727
4b2241d2
PP
728/* This function is called for -bV/--version and for -d to output the optional
729features of the current Exim binary.
059ec3d9
PH
730
731Arguments: a FILE for printing
732Returns: nothing
733*/
734
735static void
736show_whats_supported(FILE *f)
737{
44bbabb5
PP
738 auth_info *authi;
739
059ec3d9
PH
740#ifdef DB_VERSION_STRING
741fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
742#elif defined(BTREEVERSION) && defined(HASHVERSION)
743 #ifdef USE_DB
744 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
745 #else
746 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
747 #endif
748#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
749fprintf(f, "Probably ndbm\n");
750#elif defined(USE_TDB)
751fprintf(f, "Using tdb\n");
752#else
753 #ifdef USE_GDBM
754 fprintf(f, "Probably GDBM (native mode)\n");
755 #else
756 fprintf(f, "Probably GDBM (compatibility mode)\n");
757 #endif
758#endif
759
760fprintf(f, "Support for:");
9cec981f
PH
761#ifdef SUPPORT_CRYPTEQ
762 fprintf(f, " crypteq");
763#endif
059ec3d9
PH
764#if HAVE_ICONV
765 fprintf(f, " iconv()");
766#endif
767#if HAVE_IPV6
768 fprintf(f, " IPv6");
769#endif
79378e0f
PH
770#ifdef HAVE_SETCLASSRESOURCES
771 fprintf(f, " use_setclassresources");
929ba01c 772#endif
059ec3d9
PH
773#ifdef SUPPORT_PAM
774 fprintf(f, " PAM");
775#endif
776#ifdef EXIM_PERL
777 fprintf(f, " Perl");
778#endif
1a46a8c5
PH
779#ifdef EXPAND_DLFUNC
780 fprintf(f, " Expand_dlfunc");
781#endif
059ec3d9
PH
782#ifdef USE_TCP_WRAPPERS
783 fprintf(f, " TCPwrappers");
784#endif
785#ifdef SUPPORT_TLS
786 #ifdef USE_GNUTLS
787 fprintf(f, " GnuTLS");
788 #else
789 fprintf(f, " OpenSSL");
790 #endif
791#endif
b2f5a032
PH
792#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
793 fprintf(f, " translate_ip_address");
794#endif
f174f16e
PH
795#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
796 fprintf(f, " move_frozen_messages");
797#endif
8523533c
TK
798#ifdef WITH_CONTENT_SCAN
799 fprintf(f, " Content_Scanning");
800#endif
80a47a2c
TK
801#ifndef DISABLE_DKIM
802 fprintf(f, " DKIM");
803#endif
8523533c
TK
804#ifdef WITH_OLD_DEMIME
805 fprintf(f, " Old_Demime");
806#endif
807#ifdef EXPERIMENTAL_SPF
808 fprintf(f, " Experimental_SPF");
809#endif
810#ifdef EXPERIMENTAL_SRS
811 fprintf(f, " Experimental_SRS");
812#endif
813#ifdef EXPERIMENTAL_BRIGHTMAIL
814 fprintf(f, " Experimental_Brightmail");
815#endif
6a8f9482
TK
816#ifdef EXPERIMENTAL_DCC
817 fprintf(f, " Experimental_DCC");
818#endif
059ec3d9
PH
819fprintf(f, "\n");
820
e6d225ae
DW
821fprintf(f, "Lookups (built-in):");
822#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
059ec3d9
PH
823 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
824#endif
e6d225ae 825#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
059ec3d9
PH
826 fprintf(f, " cdb");
827#endif
e6d225ae 828#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
4a6a987a 829 fprintf(f, " dbm dbmjz dbmnz");
059ec3d9 830#endif
e6d225ae 831#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
059ec3d9
PH
832 fprintf(f, " dnsdb");
833#endif
e6d225ae 834#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
059ec3d9
PH
835 fprintf(f, " dsearch");
836#endif
e6d225ae 837#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
059ec3d9
PH
838 fprintf(f, " ibase");
839#endif
e6d225ae 840#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
059ec3d9
PH
841 fprintf(f, " ldap ldapdn ldapm");
842#endif
e6d225ae 843#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
059ec3d9
PH
844 fprintf(f, " mysql");
845#endif
e6d225ae 846#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
059ec3d9
PH
847 fprintf(f, " nis nis0");
848#endif
e6d225ae 849#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
059ec3d9
PH
850 fprintf(f, " nisplus");
851#endif
e6d225ae 852#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
059ec3d9
PH
853 fprintf(f, " oracle");
854#endif
e6d225ae 855#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
059ec3d9
PH
856 fprintf(f, " passwd");
857#endif
e6d225ae 858#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
059ec3d9
PH
859 fprintf(f, " pgsql");
860#endif
e6d225ae 861#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
13b685f9
PH
862 fprintf(f, " sqlite");
863#endif
e6d225ae 864#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
059ec3d9
PH
865 fprintf(f, " testdb");
866#endif
e6d225ae 867#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
059ec3d9
PH
868 fprintf(f, " whoson");
869#endif
870fprintf(f, "\n");
871
872fprintf(f, "Authenticators:");
873#ifdef AUTH_CRAM_MD5
874 fprintf(f, " cram_md5");
875#endif
876#ifdef AUTH_CYRUS_SASL
877 fprintf(f, " cyrus_sasl");
878#endif
14aa5a05
PH
879#ifdef AUTH_DOVECOT
880 fprintf(f, " dovecot");
881#endif
44bbabb5
PP
882#ifdef AUTH_GSASL
883 fprintf(f, " gsasl");
884#endif
dde3daac
PP
885#ifdef AUTH_HEIMDAL_GSSAPI
886 fprintf(f, " heimdal_gssapi");
887#endif
059ec3d9
PH
888#ifdef AUTH_PLAINTEXT
889 fprintf(f, " plaintext");
890#endif
891#ifdef AUTH_SPA
892 fprintf(f, " spa");
893#endif
894fprintf(f, "\n");
895
896fprintf(f, "Routers:");
897#ifdef ROUTER_ACCEPT
898 fprintf(f, " accept");
899#endif
900#ifdef ROUTER_DNSLOOKUP
901 fprintf(f, " dnslookup");
902#endif
903#ifdef ROUTER_IPLITERAL
904 fprintf(f, " ipliteral");
905#endif
906#ifdef ROUTER_IPLOOKUP
907 fprintf(f, " iplookup");
908#endif
909#ifdef ROUTER_MANUALROUTE
910 fprintf(f, " manualroute");
911#endif
912#ifdef ROUTER_QUERYPROGRAM
913 fprintf(f, " queryprogram");
914#endif
915#ifdef ROUTER_REDIRECT
916 fprintf(f, " redirect");
917#endif
918fprintf(f, "\n");
919
920fprintf(f, "Transports:");
921#ifdef TRANSPORT_APPENDFILE
922 fprintf(f, " appendfile");
923 #ifdef SUPPORT_MAILDIR
924 fprintf(f, "/maildir");
925 #endif
926 #ifdef SUPPORT_MAILSTORE
927 fprintf(f, "/mailstore");
928 #endif
929 #ifdef SUPPORT_MBX
930 fprintf(f, "/mbx");
931 #endif
932#endif
933#ifdef TRANSPORT_AUTOREPLY
934 fprintf(f, " autoreply");
935#endif
936#ifdef TRANSPORT_LMTP
937 fprintf(f, " lmtp");
938#endif
939#ifdef TRANSPORT_PIPE
940 fprintf(f, " pipe");
941#endif
942#ifdef TRANSPORT_SMTP
943 fprintf(f, " smtp");
944#endif
945fprintf(f, "\n");
946
947if (fixed_never_users[0] > 0)
948 {
949 int i;
950 fprintf(f, "Fixed never_users: ");
951 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
952 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
953 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
954 }
21c28500 955
73a46702 956fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725 957
6545de78
PP
958/* Everything else is details which are only worth reporting when debugging.
959Perhaps the tls_version_report should move into this too. */
960DEBUG(D_any) do {
961
962 int i;
963
b3c261f7
PP
964/* clang defines __GNUC__ (at least, for me) so test for it first */
965#if defined(__clang__)
966 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
967#elif defined(__GNUC__)
968 fprintf(f, "Compiler: GCC [%s]\n",
969# ifdef __VERSION__
970 __VERSION__
971# else
972 "? unknown version ?"
973# endif
974 );
975#else
976 fprintf(f, "Compiler: <unknown>\n");
977#endif
978
754a0503
PP
979#ifdef SUPPORT_TLS
980 tls_version_report(f);
981#endif
982
44bbabb5
PP
983 for (authi = auths_available; *authi->driver_name != '\0'; ++authi) {
984 if (authi->version_report) {
985 (*authi->version_report)(f);
986 }
987 }
6545de78 988
decd95cb 989 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
6475bd82
PP
990 characters; unless it's an ancient version of PCRE in which case it
991 is not defined. */
992#ifndef PCRE_PRERELEASE
993#define PCRE_PRERELEASE
994#endif
995#define QUOTE(X) #X
996#define EXPAND_AND_QUOTE(X) QUOTE(X)
6545de78
PP
997 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
998 " Runtime: %s\n",
999 PCRE_MAJOR, PCRE_MINOR,
6475bd82 1000 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
6545de78 1001 pcre_version());
6475bd82
PP
1002#undef QUOTE
1003#undef EXPAND_AND_QUOTE
6545de78
PP
1004
1005 init_lookup_list();
1006 for (i = 0; i < lookup_list_count; i++)
1007 {
1008 if (lookup_list[i]->version_report)
1009 lookup_list[i]->version_report(f);
1010 }
1011
b70d2586
PP
1012#ifdef WHITELIST_D_MACROS
1013 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1014#else
1015 fprintf(f, "WHITELIST_D_MACROS unset\n");
1016#endif
1017#ifdef TRUSTED_CONFIG_LIST
1018 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1019#else
1020 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
1021#endif
1022
6545de78 1023} while (0);
059ec3d9
PH
1024}
1025
1026
98a90c36
PP
1027/*************************************************
1028* Show auxiliary information about Exim *
1029*************************************************/
1030
1031static void
1032show_exim_information(enum commandline_info request, FILE *stream)
1033{
1034const uschar **pp;
1035
1036switch(request)
1037 {
1038 case CMDINFO_NONE:
1039 fprintf(stream, "Oops, something went wrong.\n");
1040 return;
1041 case CMDINFO_HELP:
1042 fprintf(stream,
1043"The -bI: flag takes a string indicating which information to provide.\n"
1044"If the string is not recognised, you'll get this help (on stderr).\n"
1045"\n"
1046" exim -bI:help this information\n"
36a3ae5f 1047" exim -bI:dscp dscp value keywords known\n"
98a90c36
PP
1048" exim -bI:sieve list of supported sieve extensions, one per line.\n"
1049);
1050 return;
1051 case CMDINFO_SIEVE:
1052 for (pp = exim_sieve_extension_list; *pp; ++pp)
1053 fprintf(stream, "%s\n", *pp);
1054 return;
36a3ae5f
PP
1055 case CMDINFO_DSCP:
1056 dscp_list_to_stream(stream);
1057 return;
98a90c36
PP
1058 }
1059}
059ec3d9
PH
1060
1061
1062/*************************************************
1063* Quote a local part *
1064*************************************************/
1065
1066/* This function is used when a sender address or a From: or Sender: header
1067line is being created from the caller's login, or from an authenticated_id. It
1068applies appropriate quoting rules for a local part.
1069
1070Argument: the local part
1071Returns: the local part, quoted if necessary
1072*/
1073
1074uschar *
1075local_part_quote(uschar *lpart)
1076{
1077BOOL needs_quote = FALSE;
1078int size, ptr;
1079uschar *yield;
1080uschar *t;
1081
1082for (t = lpart; !needs_quote && *t != 0; t++)
1083 {
1084 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1085 (*t != '.' || t == lpart || t[1] == 0);
1086 }
1087
1088if (!needs_quote) return lpart;
1089
1090size = ptr = 0;
1091yield = string_cat(NULL, &size, &ptr, US"\"", 1);
1092
1093for (;;)
1094 {
1095 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1096 if (nq == NULL)
1097 {
1098 yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
1099 break;
1100 }
1101 yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
1102 yield = string_cat(yield, &size, &ptr, US"\\", 1);
1103 yield = string_cat(yield, &size, &ptr, nq, 1);
1104 lpart = nq + 1;
1105 }
1106
1107yield = string_cat(yield, &size, &ptr, US"\"", 1);
1108yield[ptr] = 0;
1109return yield;
1110}
1111
1112
1113
1114#ifdef USE_READLINE
1115/*************************************************
1116* Load readline() functions *
1117*************************************************/
1118
1119/* This function is called from testing executions that read data from stdin,
1120but only when running as the calling user. Currently, only -be does this. The
1121function loads the readline() function library and passes back the functions.
1122On some systems, it needs the curses library, so load that too, but try without
1123it if loading fails. All this functionality has to be requested at build time.
1124
1125Arguments:
1126 fn_readline_ptr pointer to where to put the readline pointer
1127 fn_addhist_ptr pointer to where to put the addhistory function
1128
1129Returns: the dlopen handle or NULL on failure
1130*/
1131
1132static void *
1ba28e2b
PP
1133set_readline(char * (**fn_readline_ptr)(const char *),
1134 void (**fn_addhist_ptr)(const char *))
059ec3d9
PH
1135{
1136void *dlhandle;
e12f8c32 1137void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
059ec3d9 1138
e12f8c32 1139dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
059ec3d9
PH
1140if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1141
1142if (dlhandle != NULL)
1143 {
1ba28e2b
PP
1144 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1145 * char * readline (const char *prompt);
1146 * void add_history (const char *string);
1147 */
1148 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1149 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
059ec3d9
PH
1150 }
1151else
1152 {
1153 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1154 }
1155
1156return dlhandle;
1157}
1158#endif
1159
1160
1161
1162/*************************************************
1163* Get a line from stdin for testing things *
1164*************************************************/
1165
1166/* This function is called when running tests that can take a number of lines
1167of input (for example, -be and -bt). It handles continuations and trailing
1168spaces. And prompting and a blank line output on eof. If readline() is in use,
1169the arguments are non-NULL and provide the relevant functions.
1170
1171Arguments:
1172 fn_readline readline function or NULL
1173 fn_addhist addhist function or NULL
1174
1175Returns: pointer to dynamic memory, or NULL at end of file
1176*/
1177
1178static uschar *
1ba28e2b 1179get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
059ec3d9
PH
1180{
1181int i;
1182int size = 0;
1183int ptr = 0;
1184uschar *yield = NULL;
1185
328895cc 1186if (fn_readline == NULL) { printf("> "); fflush(stdout); }
059ec3d9
PH
1187
1188for (i = 0;; i++)
1189 {
1190 uschar buffer[1024];
1191 uschar *p, *ss;
1192
1193 #ifdef USE_READLINE
1194 char *readline_line = NULL;
1195 if (fn_readline != NULL)
1196 {
1197 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1198 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1199 p = US readline_line;
1200 }
1201 else
1202 #endif
1203
1204 /* readline() not in use */
1205
1206 {
1207 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1208 p = buffer;
1209 }
1210
1211 /* Handle the line */
1212
1213 ss = p + (int)Ustrlen(p);
1214 while (ss > p && isspace(ss[-1])) ss--;
1215
1216 if (i > 0)
1217 {
1218 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1219 }
1220
1221 yield = string_cat(yield, &size, &ptr, p, ss - p);
1222
1223 #ifdef USE_READLINE
1224 if (fn_readline != NULL) free(readline_line);
1225 #endif
1226
1227 if (ss == p || yield[ptr-1] != '\\')
1228 {
1229 yield[ptr] = 0;
1230 break;
1231 }
1232 yield[--ptr] = 0;
1233 }
1234
1235if (yield == NULL) printf("\n");
1236return yield;
1237}
1238
1239
1240
1241/*************************************************
81ea09ca
NM
1242* Output usage information for the program *
1243*************************************************/
1244
1245/* This function is called when there are no recipients
1246 or a specific --help argument was added.
1247
1248Arguments:
1249 progname information on what name we were called by
1250
1251Returns: DOES NOT RETURN
1252*/
1253
1254static void
1255exim_usage(uschar *progname)
1256{
1257
1258/* Handle specific program invocation varients */
1259if (Ustrcmp(progname, US"-mailq") == 0)
1260 {
1261 fprintf(stderr,
e765a0f1 1262 "mailq - list the contents of the mail queue\n\n"
81ea09ca
NM
1263 "For a list of options, see the Exim documentation.\n");
1264 exit(EXIT_FAILURE);
1265 }
1266
1267/* Generic usage - we output this whatever happens */
1268fprintf(stderr,
1269 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1270 "not directly from a shell command line. Options and/or arguments control\n"
1271 "what it does when called. For a list of options, see the Exim documentation.\n");
1272
1273exit(EXIT_FAILURE);
1274}
1275
1276
1277
1278/*************************************************
a7cbbf50
PP
1279* Validate that the macros given are okay *
1280*************************************************/
1281
1282/* Typically, Exim will drop privileges if macros are supplied. In some
1283cases, we want to not do so.
1284
1285Arguments: none (macros is a global)
1286Returns: true if trusted, false otherwise
1287*/
1288
1289static BOOL
1290macros_trusted(void)
1291{
1292#ifdef WHITELIST_D_MACROS
1293macro_item *m;
1294uschar *whitelisted, *end, *p, **whites, **w;
1295int white_count, i, n;
1296size_t len;
1297BOOL prev_char_item, found;
1298#endif
1299
1300if (macros == NULL)
1301 return TRUE;
1302#ifndef WHITELIST_D_MACROS
1303return FALSE;
1304#else
1305
66581d1e
PP
1306/* We only trust -D overrides for some invoking users:
1307root, the exim run-time user, the optional config owner user.
1308I don't know why config-owner would be needed, but since they can own the
1309config files anyway, there's no security risk to letting them override -D. */
1310if ( ! ((real_uid == root_uid)
1311 || (real_uid == exim_uid)
1312#ifdef CONFIGURE_OWNER
1313 || (real_uid == config_uid)
1314#endif
1315 ))
1316 {
1317 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1318 return FALSE;
1319 }
1320
a7cbbf50
PP
1321/* Get a list of macros which are whitelisted */
1322whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1323prev_char_item = FALSE;
1324white_count = 0;
1325for (p = whitelisted; *p != '\0'; ++p)
1326 {
1327 if (*p == ':' || isspace(*p))
1328 {
1329 *p = '\0';
1330 if (prev_char_item)
1331 ++white_count;
1332 prev_char_item = FALSE;
1333 continue;
1334 }
1335 if (!prev_char_item)
1336 prev_char_item = TRUE;
1337 }
1338end = p;
1339if (prev_char_item)
1340 ++white_count;
1341if (!white_count)
1342 return FALSE;
1343whites = store_malloc(sizeof(uschar *) * (white_count+1));
1344for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1345 {
1346 if (*p != '\0')
1347 {
1348 whites[i++] = p;
1349 if (i == white_count)
1350 break;
1351 while (*p != '\0' && p < end)
1352 ++p;
1353 }
1354 }
1355whites[i] = NULL;
1356
1357/* The list of macros should be very short. Accept the N*M complexity. */
1358for (m = macros; m != NULL; m = m->next)
1359 {
1360 found = FALSE;
1361 for (w = whites; *w; ++w)
1362 if (Ustrcmp(*w, m->name) == 0)
1363 {
1364 found = TRUE;
1365 break;
1366 }
1367 if (!found)
1368 return FALSE;
1369 if (m->replacement == NULL)
1370 continue;
1371 len = Ustrlen(m->replacement);
1372 if (len == 0)
1373 continue;
1374 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1375 0, PCRE_EOPT, NULL, 0);
1376 if (n < 0)
1377 {
1378 if (n != PCRE_ERROR_NOMATCH)
1379 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1380 return FALSE;
1381 }
1382 }
43236f35 1383DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
a7cbbf50
PP
1384return TRUE;
1385#endif
1386}
1387
1388
1389/*************************************************
059ec3d9
PH
1390* Entry point and high-level code *
1391*************************************************/
1392
1393/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1394the appropriate action. All the necessary functions are present in the one
1395binary. I originally thought one should split it up, but it turns out that so
1396much of the apparatus is needed in each chunk that one might as well just have
1397it all available all the time, which then makes the coding easier as well.
1398
1399Arguments:
1400 argc count of entries in argv
1401 argv argument strings, with argv[0] being the program name
1402
1403Returns: EXIT_SUCCESS if terminated successfully
1404 EXIT_FAILURE otherwise, except when a message has been sent
1405 to the sender, and -oee was given
1406*/
1407
1408int
1409main(int argc, char **cargv)
1410{
1411uschar **argv = USS cargv;
1412int arg_receive_timeout = -1;
1413int arg_smtp_receive_timeout = -1;
1414int arg_error_handling = error_handling;
f05da2e8
PH
1415int filter_sfd = -1;
1416int filter_ufd = -1;
059ec3d9 1417int group_count;
1670ef10 1418int i, rv;
059ec3d9
PH
1419int list_queue_option = 0;
1420int msg_action = 0;
1421int msg_action_arg = -1;
1422int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1423int queue_only_reason = 0;
1424#ifdef EXIM_PERL
1425int perl_start_option = 0;
1426#endif
1427int recipients_arg = argc;
1428int sender_address_domain = 0;
1429int test_retry_arg = -1;
1430int test_rewrite_arg = -1;
1431BOOL arg_queue_only = FALSE;
1432BOOL bi_option = FALSE;
1433BOOL checking = FALSE;
1434BOOL count_queue = FALSE;
1435BOOL expansion_test = FALSE;
1436BOOL extract_recipients = FALSE;
12f69989 1437BOOL flag_n = FALSE;
059ec3d9
PH
1438BOOL forced_delivery = FALSE;
1439BOOL f_end_dot = FALSE;
1440BOOL deliver_give_up = FALSE;
1441BOOL list_queue = FALSE;
1442BOOL list_options = FALSE;
1443BOOL local_queue_only;
1444BOOL more = TRUE;
1445BOOL one_msg_action = FALSE;
1446BOOL queue_only_set = FALSE;
1447BOOL receiving_message = TRUE;
33d73e3b 1448BOOL sender_ident_set = FALSE;
8669f003 1449BOOL session_local_queue_only;
059ec3d9
PH
1450BOOL unprivileged;
1451BOOL removed_privilege = FALSE;
81ea09ca 1452BOOL usage_wanted = FALSE;
059ec3d9
PH
1453BOOL verify_address_mode = FALSE;
1454BOOL verify_as_sender = FALSE;
1455BOOL version_printed = FALSE;
1456uschar *alias_arg = NULL;
1457uschar *called_as = US"";
1458uschar *start_queue_run_id = NULL;
1459uschar *stop_queue_run_id = NULL;
328895cc 1460uschar *expansion_test_message = NULL;
059ec3d9
PH
1461uschar *ftest_domain = NULL;
1462uschar *ftest_localpart = NULL;
1463uschar *ftest_prefix = NULL;
1464uschar *ftest_suffix = NULL;
8544e77a 1465uschar *malware_test_file = NULL;
059ec3d9
PH
1466uschar *real_sender_address;
1467uschar *originator_home = US"/";
059ec3d9
PH
1468void *reset_point;
1469
1470struct passwd *pw;
1471struct stat statbuf;
1472pid_t passed_qr_pid = (pid_t)0;
1473int passed_qr_pipe = -1;
1474gid_t group_list[NGROUPS_MAX];
1475
98a90c36
PP
1476/* For the -bI: flag */
1477enum commandline_info info_flag = CMDINFO_NONE;
1478BOOL info_stdout = FALSE;
1479
059ec3d9
PH
1480/* Possible options for -R and -S */
1481
1482static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1483
1484/* Need to define this in case we need to change the environment in order
1485to get rid of a bogus time zone. We have to make it char rather than uschar
1486because some OS define it in /usr/include/unistd.h. */
1487
1488extern char **environ;
1489
35edf2ff 1490/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1491defined by ref:name at build time, we must now find the actual uid/gid values.
1492This is a feature to make the lives of binary distributors easier. */
1493
1494#ifdef EXIM_USERNAME
1495if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1496 {
10385c15
PP
1497 if (exim_uid == 0)
1498 {
1499 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1500 EXIM_USERNAME);
1501 exit(EXIT_FAILURE);
1502 }
084c1d8c
PP
1503 /* If ref:name uses a number as the name, route_finduser() returns
1504 TRUE with exim_uid set and pw coerced to NULL. */
1505 if (pw)
1506 exim_gid = pw->pw_gid;
1507#ifndef EXIM_GROUPNAME
1508 else
1509 {
1510 fprintf(stderr,
1511 "exim: ref:name should specify a usercode, not a group.\n"
1512 "exim: can't let you get away with it unless you also specify a group.\n");
1513 exit(EXIT_FAILURE);
1514 }
1515#endif
059ec3d9
PH
1516 }
1517else
1518 {
1519 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1520 EXIM_USERNAME);
1521 exit(EXIT_FAILURE);
1522 }
1523#endif
1524
1525#ifdef EXIM_GROUPNAME
1526if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1527 {
1528 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1529 EXIM_GROUPNAME);
1530 exit(EXIT_FAILURE);
1531 }
1532#endif
1533
1534#ifdef CONFIGURE_OWNERNAME
1535if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1536 {
1537 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1538 CONFIGURE_OWNERNAME);
1539 exit(EXIT_FAILURE);
1540 }
1541#endif
1542
79d4bc3d
PP
1543/* We default the system_filter_user to be the Exim run-time user, as a
1544sane non-root value. */
1545system_filter_uid = exim_uid;
1546
35edf2ff
PH
1547#ifdef CONFIGURE_GROUPNAME
1548if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1549 {
1550 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1551 CONFIGURE_GROUPNAME);
1552 exit(EXIT_FAILURE);
1553 }
1554#endif
1555
059ec3d9
PH
1556/* In the Cygwin environment, some initialization needs doing. It is fudged
1557in by means of this macro. */
1558
1559#ifdef OS_INIT
1560OS_INIT
1561#endif
1562
1563/* Check a field which is patched when we are running Exim within its
1564testing harness; do a fast initial check, and then the whole thing. */
1565
1566running_in_test_harness =
1567 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1568
1569/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1570at the start of a program; however, it seems that some environments do not
1571follow this. A "strange" locale can affect the formatting of timestamps, so we
1572make quite sure. */
1573
1574setlocale(LC_ALL, "C");
1575
1576/* Set up the default handler for timing using alarm(). */
1577
1578os_non_restarting_signal(SIGALRM, sigalrm_handler);
1579
1580/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1581because store_malloc writes a log entry on failure. */
1582
1583log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1584if (log_buffer == NULL)
1585 {
1586 fprintf(stderr, "exim: failed to get store for log buffer\n");
1587 exit(EXIT_FAILURE);
1588 }
1589
1590/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1591NULL when the daemon is run and the file is closed. We have to use this
1592indirection, because some systems don't allow writing to the variable "stderr".
1593*/
1594
1595if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1596
1597/* Arrange for the PCRE regex library to use our store functions. Note that
1598the normal calls are actually macros that add additional arguments for
1599debugging purposes so we have to assign specially constructed functions here.
1600The default is to use store in the stacking pool, but this is overridden in the
1601regex_must_compile() function. */
1602
1603pcre_malloc = function_store_get;
1604pcre_free = function_dummy_free;
1605
1606/* Ensure there is a big buffer for temporary use in several places. It is put
1607in malloc store so that it can be freed for enlargement if necessary. */
1608
1609big_buffer = store_malloc(big_buffer_size);
1610
1611/* Set up the handler for the data request signal, and set the initial
1612descriptive text. */
1613
1614set_process_info("initializing");
1615os_restarting_signal(SIGUSR1, usr1_handler);
1616
1617/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1618in the daemon code. For the rest of Exim's uses, we ignore it. */
1619
1620signal(SIGHUP, SIG_IGN);
1621
1622/* We don't want to die on pipe errors as the code is written to handle
1623the write error instead. */
1624
1625signal(SIGPIPE, SIG_IGN);
1626
1627/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1628set to SIG_IGN. This causes subprocesses that complete before the parent
1629process waits for them not to hang around, so when Exim calls wait(), nothing
1630is there. The wait() code has been made robust against this, but let's ensure
1631that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1632ending status. We use sigaction rather than plain signal() on those OS where
1633SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1634problem on AIX with this.) */
1635
1636#ifdef SA_NOCLDWAIT
1637 {
1638 struct sigaction act;
1639 act.sa_handler = SIG_DFL;
1640 sigemptyset(&(act.sa_mask));
1641 act.sa_flags = 0;
1642 sigaction(SIGCHLD, &act, NULL);
1643 }
1644#else
1645signal(SIGCHLD, SIG_DFL);
1646#endif
1647
1648/* Save the arguments for use if we re-exec exim as a daemon after receiving
1649SIGHUP. */
1650
1651sighup_argv = argv;
1652
1653/* Set up the version number. Set up the leading 'E' for the external form of
1654message ids, set the pointer to the internal form, and initialize it to
1655indicate no message being processed. */
1656
1657version_init();
1658message_id_option[0] = '-';
1659message_id_external = message_id_option + 1;
1660message_id_external[0] = 'E';
1661message_id = message_id_external + 1;
1662message_id[0] = 0;
1663
67d175de 1664/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1665created with the modes that it specifies. NOTE: Files created with fopen() have
1666a problem, which was not recognized till rather late (February 2006). With this
1667umask, such files will be world writeable. (They are all content scanning files
1668in the spool directory, which isn't world-accessible, so this is not a
1669disaster, but it's untidy.) I don't want to change this overall setting,
1670however, because it will interact badly with the open() calls. Instead, there's
1671now a function called modefopen() that fiddles with the umask while calling
1672fopen(). */
059ec3d9 1673
67d175de 1674(void)umask(0);
059ec3d9
PH
1675
1676/* Precompile the regular expression for matching a message id. Keep this in
1677step with the code that generates ids in the accept.c module. We need to do
1678this here, because the -M options check their arguments for syntactic validity
1679using mac_ismsgid, which uses this. */
1680
1681regex_ismsgid =
1682 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1683
a5bd321b 1684/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1685code, possibly extended, at the start of an error message. Note that the
1686terminating whitespace character is included. */
a5bd321b
PH
1687
1688regex_smtp_code =
1689 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1690 FALSE, TRUE);
1691
a7cbbf50
PP
1692#ifdef WHITELIST_D_MACROS
1693/* Precompile the regular expression used to filter the content of macros
1694given to -D for permissibility. */
1695
1696regex_whitelisted_macro =
1697 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1698#endif
1699
1700
059ec3d9
PH
1701/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1702this seems to be a generally accepted convention, since one finds symbolic
1703links called "mailq" in standard OS configurations. */
1704
1705if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1706 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1707 {
1708 list_queue = TRUE;
1709 receiving_message = FALSE;
1710 called_as = US"-mailq";
1711 }
1712
1713/* If the program is called as "rmail" treat it as equivalent to
1714"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1715i.e. preventing a single dot on a line from terminating the message, and
1716returning with zero return code, even in cases of error (provided an error
1717message has been sent). */
1718
1719if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1720 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1721 {
1722 dot_ends = FALSE;
1723 called_as = US"-rmail";
1724 errors_sender_rc = EXIT_SUCCESS;
1725 }
1726
1727/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1728this is a smail convention. */
1729
1730if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1731 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1732 {
1733 smtp_input = smtp_batched_input = TRUE;
1734 called_as = US"-rsmtp";
1735 }
1736
1737/* If the program is called as "runq" treat it as equivalent to "exim -q";
1738this is a smail convention. */
1739
1740if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1741 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1742 {
1743 queue_interval = 0;
1744 receiving_message = FALSE;
1745 called_as = US"-runq";
1746 }
1747
1748/* If the program is called as "newaliases" treat it as equivalent to
1749"exim -bi"; this is a sendmail convention. */
1750
1751if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1752 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1753 {
1754 bi_option = TRUE;
1755 receiving_message = FALSE;
1756 called_as = US"-newaliases";
1757 }
1758
1759/* Save the original effective uid for a couple of uses later. It should
1760normally be root, but in some esoteric environments it may not be. */
1761
1762original_euid = geteuid();
1763
1764/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1765to be the same as the real ones. This makes a difference only if Exim is setuid
1766(or setgid) to something other than root, which could be the case in some
1767special configurations. */
1768
1769real_uid = getuid();
1770real_gid = getgid();
1771
1772if (real_uid == root_uid)
1773 {
1670ef10
PP
1774 rv = setgid(real_gid);
1775 if (rv)
1776 {
1777 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1778 (long int)real_gid, strerror(errno));
1779 exit(EXIT_FAILURE);
1780 }
1781 rv = setuid(real_uid);
1782 if (rv)
1783 {
1784 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1785 (long int)real_uid, strerror(errno));
1786 exit(EXIT_FAILURE);
1787 }
059ec3d9
PH
1788 }
1789
1790/* If neither the original real uid nor the original euid was root, Exim is
1791running in an unprivileged state. */
1792
1793unprivileged = (real_uid != root_uid && original_euid != root_uid);
1794
059ec3d9
PH
1795/* Scan the program's arguments. Some can be dealt with right away; others are
1796simply recorded for checking and handling afterwards. Do a high-level switch
1797on the second character (the one after '-'), to save some effort. */
1798
1799for (i = 1; i < argc; i++)
1800 {
1801 BOOL badarg = FALSE;
1802 uschar *arg = argv[i];
1803 uschar *argrest;
1804 int switchchar;
1805
1806 /* An argument not starting with '-' is the start of a recipients list;
1807 break out of the options-scanning loop. */
1808
1809 if (arg[0] != '-')
1810 {
1811 recipients_arg = i;
1812 break;
1813 }
1814
1815 /* An option consistion of -- terminates the options */
1816
1817 if (Ustrcmp(arg, "--") == 0)
1818 {
1819 recipients_arg = i + 1;
1820 break;
1821 }
1822
1823 /* Handle flagged options */
1824
1825 switchchar = arg[1];
1826 argrest = arg+2;
1827
1828 /* Make all -ex options synonymous with -oex arguments, since that
1829 is assumed by various callers. Also make -qR options synonymous with -R
1830 options, as that seems to be required as well. Allow for -qqR too, and
1831 the same for -S options. */
1832
1833 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1834 Ustrncmp(arg+1, "qR", 2) == 0 ||
1835 Ustrncmp(arg+1, "qS", 2) == 0)
1836 {
1837 switchchar = arg[2];
1838 argrest++;
1839 }
1840 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1841 {
1842 switchchar = arg[3];
1843 argrest += 2;
1844 queue_2stage = TRUE;
1845 }
1846
1847 /* Make -r synonymous with -f, since it is a documented alias */
1848
1849 else if (arg[1] == 'r') switchchar = 'f';
1850
1851 /* Make -ov synonymous with -v */
1852
1853 else if (Ustrcmp(arg, "-ov") == 0)
1854 {
1855 switchchar = 'v';
1856 argrest++;
1857 }
1858
4b2241d2
PP
1859 /* deal with --option_aliases */
1860 else if (switchchar == '-')
1861 {
1862 if (Ustrcmp(argrest, "help") == 0)
1863 {
1864 usage_wanted = TRUE;
1865 break;
1866 }
1867 else if (Ustrcmp(argrest, "version") == 0)
1868 {
1869 switchchar = 'b';
73a46702 1870 argrest = US"V";
4b2241d2
PP
1871 }
1872 }
1873
059ec3d9
PH
1874 /* High-level switch on active initial letter */
1875
1876 switch(switchchar)
1877 {
1878 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1879 so has no need of it. */
1880
1881 case 'B':
1882 if (*argrest == 0) i++; /* Skip over the type */
1883 break;
1884
1885
1886 case 'b':
1887 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1888
1889 /* -bd: Run in daemon mode, awaiting SMTP connections.
1890 -bdf: Ditto, but in the foreground.
1891 */
1892
1893 if (*argrest == 'd')
1894 {
1895 daemon_listen = TRUE;
1896 if (*(++argrest) == 'f') background_daemon = FALSE;
1897 else if (*argrest != 0) { badarg = TRUE; break; }
1898 }
1899
328895cc
PH
1900 /* -be: Run in expansion test mode
1901 -bem: Ditto, but read a message from a file first
1902 */
059ec3d9
PH
1903
1904 else if (*argrest == 'e')
328895cc 1905 {
059ec3d9 1906 expansion_test = checking = TRUE;
328895cc
PH
1907 if (argrest[1] == 'm')
1908 {
1909 if (++i >= argc) { badarg = TRUE; break; }
1910 expansion_test_message = argv[i];
1911 argrest++;
1912 }
1913 if (argrest[1] != 0) { badarg = TRUE; break; }
1914 }
059ec3d9 1915
f05da2e8
PH
1916 /* -bF: Run system filter test */
1917
1918 else if (*argrest == 'F')
1919 {
1920 filter_test |= FTEST_SYSTEM;
1921 if (*(++argrest) != 0) { badarg = TRUE; break; }
1922 if (++i < argc) filter_test_sfile = argv[i]; else
1923 {
1924 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1925 exit(EXIT_FAILURE);
1926 }
1927 }
1928
1929 /* -bf: Run user filter test
059ec3d9
PH
1930 -bfd: Set domain for filter testing
1931 -bfl: Set local part for filter testing
1932 -bfp: Set prefix for filter testing
1933 -bfs: Set suffix for filter testing
1934 */
1935
f05da2e8 1936 else if (*argrest == 'f')
059ec3d9 1937 {
f05da2e8 1938 if (*(++argrest) == 0)
059ec3d9 1939 {
f05da2e8
PH
1940 filter_test |= FTEST_USER;
1941 if (++i < argc) filter_test_ufile = argv[i]; else
059ec3d9
PH
1942 {
1943 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1944 exit(EXIT_FAILURE);
1945 }
1946 }
1947 else
1948 {
1949 if (++i >= argc)
1950 {
1951 fprintf(stderr, "exim: string expected after %s\n", arg);
1952 exit(EXIT_FAILURE);
1953 }
1954 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1955 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1956 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1957 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1958 else { badarg = TRUE; break; }
1959 }
1960 }
1961
1962 /* -bh: Host checking - an IP address must follow. */
1963
1964 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1965 {
1966 if (++i >= argc) { badarg = TRUE; break; }
1967 sender_host_address = argv[i];
1968 host_checking = checking = log_testing_mode = TRUE;
1969 host_checking_callout = argrest[1] == 'c';
1970 }
1971
1972 /* -bi: This option is used by sendmail to initialize *the* alias file,
1973 though it has the -oA option to specify a different file. Exim has no
1974 concept of *the* alias file, but since Sun's YP make script calls
1975 sendmail this way, some support must be provided. */
1976
1977 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1978
98a90c36
PP
1979 /* -bI: provide information, of the type to follow after a colon.
1980 This is an Exim flag. */
1981
1982 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
1983 {
1984 uschar *p = &argrest[2];
1985 info_flag = CMDINFO_HELP;
1986 if (Ustrlen(p))
1987 {
1988 if (strcmpic(p, CUS"sieve") == 0)
1989 {
1990 info_flag = CMDINFO_SIEVE;
1991 info_stdout = TRUE;
1992 }
36a3ae5f
PP
1993 else if (strcmpic(p, CUS"dscp") == 0)
1994 {
1995 info_flag = CMDINFO_DSCP;
1996 info_stdout = TRUE;
1997 }
98a90c36
PP
1998 else if (strcmpic(p, CUS"help") == 0)
1999 {
2000 info_stdout = TRUE;
2001 }
2002 }
2003 }
2004
059ec3d9
PH
2005 /* -bm: Accept and deliver message - the default option. Reinstate
2006 receiving_message, which got turned off for all -b options. */
2007
2008 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2009
8544e77a
PP
2010 /* -bmalware: test the filename given for malware */
2011
2012 else if (Ustrcmp(argrest, "malware") == 0)
2013 {
2014 if (++i >= argc) { badarg = TRUE; break; }
2015 malware_test_file = argv[i];
2016 }
2017
059ec3d9
PH
2018 /* -bnq: For locally originating messages, do not qualify unqualified
2019 addresses. In the envelope, this causes errors; in header lines they
2020 just get left. */
2021
2022 else if (Ustrcmp(argrest, "nq") == 0)
2023 {
2024 allow_unqualified_sender = FALSE;
2025 allow_unqualified_recipient = FALSE;
2026 }
2027
2028 /* -bpxx: List the contents of the mail queue, in various forms. If
2029 the option is -bpc, just a queue count is needed. Otherwise, if the
2030 first letter after p is r, then order is random. */
2031
2032 else if (*argrest == 'p')
2033 {
2034 if (*(++argrest) == 'c')
2035 {
2036 count_queue = TRUE;
2037 if (*(++argrest) != 0) badarg = TRUE;
2038 break;
2039 }
2040
2041 if (*argrest == 'r')
2042 {
2043 list_queue_option = 8;
2044 argrest++;
2045 }
2046 else list_queue_option = 0;
2047
2048 list_queue = TRUE;
2049
2050 /* -bp: List the contents of the mail queue, top-level only */
2051
2052 if (*argrest == 0) {}
2053
2054 /* -bpu: List the contents of the mail queue, top-level undelivered */
2055
2056 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2057
2058 /* -bpa: List the contents of the mail queue, including all delivered */
2059
2060 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2061
2062 /* Unknown after -bp[r] */
2063
2064 else
2065 {
2066 badarg = TRUE;
2067 break;
2068 }
2069 }
2070
2071
2072 /* -bP: List the configuration variables given as the address list.
2073 Force -v, so configuration errors get displayed. */
2074
2075 else if (Ustrcmp(argrest, "P") == 0)
2076 {
2077 list_options = TRUE;
2078 debug_selector |= D_v;
2079 debug_file = stderr;
2080 }
2081
2082 /* -brt: Test retry configuration lookup */
2083
2084 else if (Ustrcmp(argrest, "rt") == 0)
2085 {
2086 test_retry_arg = i + 1;
2087 goto END_ARG;
2088 }
2089
2090 /* -brw: Test rewrite configuration */
2091
2092 else if (Ustrcmp(argrest, "rw") == 0)
2093 {
2094 test_rewrite_arg = i + 1;
2095 goto END_ARG;
2096 }
2097
2098 /* -bS: Read SMTP commands on standard input, but produce no replies -
2099 all errors are reported by sending messages. */
2100
2101 else if (Ustrcmp(argrest, "S") == 0)
2102 smtp_input = smtp_batched_input = receiving_message = TRUE;
2103
2104 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2105 on standard output. */
2106
2107 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2108
2109 /* -bt: address testing mode */
2110
2111 else if (Ustrcmp(argrest, "t") == 0)
2112 address_test_mode = checking = log_testing_mode = TRUE;
2113
2114 /* -bv: verify addresses */
2115
2116 else if (Ustrcmp(argrest, "v") == 0)
2117 verify_address_mode = checking = log_testing_mode = TRUE;
2118
2119 /* -bvs: verify sender addresses */
2120
2121 else if (Ustrcmp(argrest, "vs") == 0)
2122 {
2123 verify_address_mode = checking = log_testing_mode = TRUE;
2124 verify_as_sender = TRUE;
2125 }
2126
2127 /* -bV: Print version string and support details */
2128
2129 else if (Ustrcmp(argrest, "V") == 0)
2130 {
2131 printf("Exim version %s #%s built %s\n", version_string,
2132 version_cnumber, version_date);
2133 printf("%s\n", CS version_copyright);
2134 version_printed = TRUE;
2135 show_whats_supported(stdout);
2136 }
2137
9ee44efb
PP
2138 /* -bw: inetd wait mode, accept a listening socket as stdin */
2139
2140 else if (*argrest == 'w')
2141 {
2142 inetd_wait_mode = TRUE;
2143 background_daemon = FALSE;
2144 daemon_listen = TRUE;
2145 if (*(++argrest) != '\0')
2146 {
2147 inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE);
2148 if (inetd_wait_timeout <= 0)
2149 {
2150 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2151 exit(EXIT_FAILURE);
2152 }
2153 }
2154 }
2155
059ec3d9
PH
2156 else badarg = TRUE;
2157 break;
2158
2159
2160 /* -C: change configuration file list; ignore if it isn't really
2161 a change! Enforce a prefix check if required. */
2162
2163 case 'C':
2164 if (*argrest == 0)
2165 {
2166 if(++i < argc) argrest = argv[i]; else
2167 { badarg = TRUE; break; }
2168 }
2169 if (Ustrcmp(config_main_filelist, argrest) != 0)
2170 {
2171 #ifdef ALT_CONFIG_PREFIX
2172 int sep = 0;
2173 int len = Ustrlen(ALT_CONFIG_PREFIX);
2174 uschar *list = argrest;
2175 uschar *filename;
2176 while((filename = string_nextinlist(&list, &sep, big_buffer,
2177 big_buffer_size)) != NULL)
2178 {
2179 if ((Ustrlen(filename) < len ||
2180 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2181 Ustrstr(filename, "/../") != NULL) &&
2182 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2183 {
2184 fprintf(stderr, "-C Permission denied\n");
2185 exit(EXIT_FAILURE);
2186 }
2187 }
2188 #endif
261dc43e
DW
2189 if (real_uid != root_uid)
2190 {
90b6341f 2191 #ifdef TRUSTED_CONFIG_LIST
261dc43e 2192
90b6341f
DW
2193 if (real_uid != exim_uid
2194 #ifdef CONFIGURE_OWNER
2195 && real_uid != config_uid
2196 #endif
2197 )
261dc43e
DW
2198 trusted_config = FALSE;
2199 else
2200 {
90b6341f 2201 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
261dc43e
DW
2202 if (trust_list)
2203 {
2204 struct stat statbuf;
2205
2206 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2207 (statbuf.st_uid != root_uid /* owner not root */
2208 #ifdef CONFIGURE_OWNER
2209 && statbuf.st_uid != config_uid /* owner not the special one */
2210 #endif
2211 ) || /* or */
2212 (statbuf.st_gid != root_gid /* group not root */
2213 #ifdef CONFIGURE_GROUP
2214 && statbuf.st_gid != config_gid /* group not the special one */
2215 #endif
2216 && (statbuf.st_mode & 020) != 0 /* group writeable */
2217 ) || /* or */
2218 (statbuf.st_mode & 2) != 0) /* world writeable */
2219 {
2220 trusted_config = FALSE;
2221 fclose(trust_list);
2222 }
2223 else
2224 {
2225 /* Well, the trust list at least is up to scratch... */
2226 void *reset_point = store_get(0);
90b6341f
DW
2227 uschar *trusted_configs[32];
2228 int nr_configs = 0;
261dc43e
DW
2229 int i = 0;
2230
2231 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2232 {
2233 uschar *start = big_buffer, *nl;
2234 while (*start && isspace(*start))
2235 start++;
1e83d68b 2236 if (*start != '/')
261dc43e
DW
2237 continue;
2238 nl = Ustrchr(start, '\n');
2239 if (nl)
2240 *nl = 0;
90b6341f
DW
2241 trusted_configs[nr_configs++] = string_copy(start);
2242 if (nr_configs == 32)
261dc43e
DW
2243 break;
2244 }
2245 fclose(trust_list);
2246
90b6341f 2247 if (nr_configs)
261dc43e
DW
2248 {
2249 int sep = 0;
2250 uschar *list = argrest;
2251 uschar *filename;
2252 while (trusted_config && (filename = string_nextinlist(&list,
2253 &sep, big_buffer, big_buffer_size)) != NULL)
2254 {
90b6341f 2255 for (i=0; i < nr_configs; i++)
261dc43e 2256 {
90b6341f 2257 if (Ustrcmp(filename, trusted_configs[i]) == 0)
261dc43e
DW
2258 break;
2259 }
90b6341f 2260 if (i == nr_configs)
261dc43e
DW
2261 {
2262 trusted_config = FALSE;
2263 break;
2264 }
2265 }
1e83d68b 2266 store_reset(reset_point);
261dc43e
DW
2267 }
2268 else
2269 {
2270 /* No valid prefixes found in trust_list file. */
2271 trusted_config = FALSE;
2272 }
2273 }
2274 }
2275 else
2276 {
2277 /* Could not open trust_list file. */
2278 trusted_config = FALSE;
2279 }
2280 }
2281 #else
2282 /* Not root; don't trust config */
2283 trusted_config = FALSE;
2284 #endif
2285 }
059ec3d9
PH
2286
2287 config_main_filelist = argrest;
2288 config_changed = TRUE;
2289 }
2290 break;
2291
2292
2293 /* -D: set up a macro definition */
2294
2295 case 'D':
2296 #ifdef DISABLE_D_OPTION
2297 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2298 exit(EXIT_FAILURE);
2299 #else
2300 {
2301 int ptr = 0;
2302 macro_item *mlast = NULL;
2303 macro_item *m;
2304 uschar name[24];
2305 uschar *s = argrest;
2306
2307 while (isspace(*s)) s++;
2308
2309 if (*s < 'A' || *s > 'Z')
2310 {
2311 fprintf(stderr, "exim: macro name set by -D must start with "
2312 "an upper case letter\n");
2313 exit(EXIT_FAILURE);
2314 }
2315
2316 while (isalnum(*s) || *s == '_')
2317 {
2318 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2319 s++;
2320 }
2321 name[ptr] = 0;
2322 if (ptr == 0) { badarg = TRUE; break; }
2323 while (isspace(*s)) s++;
2324 if (*s != 0)
2325 {
2326 if (*s++ != '=') { badarg = TRUE; break; }
2327 while (isspace(*s)) s++;
2328 }
2329
2330 for (m = macros; m != NULL; m = m->next)
2331 {
2332 if (Ustrcmp(m->name, name) == 0)
2333 {
2334 fprintf(stderr, "exim: duplicated -D in command line\n");
2335 exit(EXIT_FAILURE);
2336 }
2337 mlast = m;
2338 }
2339
2340 m = store_get(sizeof(macro_item) + Ustrlen(name));
2341 m->next = NULL;
2342 m->command_line = TRUE;
2343 if (mlast == NULL) macros = m; else mlast->next = m;
2344 Ustrcpy(m->name, name);
2345 m->replacement = string_copy(s);
2346
2347 if (clmacro_count >= MAX_CLMACROS)
2348 {
2349 fprintf(stderr, "exim: too many -D options on command line\n");
2350 exit(EXIT_FAILURE);
2351 }
2352 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2353 m->replacement);
2354 }
2355 #endif
2356 break;
2357
2358 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2359 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2360 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2361
2362 case 'd':
2363 if (Ustrcmp(argrest, "ropcr") == 0)
2364 {
2365 /* drop_cr = TRUE; */
2366 }
2367
2368 /* Use an intermediate variable so that we don't set debugging while
2369 decoding the debugging bits. */
2370
2371 else
2372 {
2373 unsigned int selector = D_default;
2374 debug_selector = 0;
2375 debug_file = NULL;
3d235903
PH
2376 if (*argrest == 'd')
2377 {
2378 debug_daemon = TRUE;
2379 argrest++;
2380 }
059ec3d9 2381 if (*argrest != 0)
1fe64dcc 2382 decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
ed7f7860 2383 debug_options_count, US"debug", 0);
059ec3d9
PH
2384 debug_selector = selector;
2385 }
2386 break;
2387
2388
2389 /* -E: This is a local error message. This option is not intended for
2390 external use at all, but is not restricted to trusted callers because it
2391 does no harm (just suppresses certain error messages) and if Exim is run
2392 not setuid root it won't always be trusted when it generates error
2393 messages using this option. If there is a message id following -E, point
2394 message_reference at it, for logging. */
2395
2396 case 'E':
2397 local_error_message = TRUE;
2398 if (mac_ismsgid(argrest)) message_reference = argrest;
2399 break;
2400
2401
2402 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2403 option, so it looks as if historically the -oex options are also callable
2404 without the leading -o. So we have to accept them. Before the switch,
2405 anything starting -oe has been converted to -e. Exim does not support all
2406 of the sendmail error options. */
2407
2408 case 'e':
2409 if (Ustrcmp(argrest, "e") == 0)
2410 {
2411 arg_error_handling = ERRORS_SENDER;
2412 errors_sender_rc = EXIT_SUCCESS;
2413 }
2414 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2415 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2416 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2417 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2418 else badarg = TRUE;
2419 break;
2420
2421
2422 /* -F: Set sender's full name, used instead of the gecos entry from
2423 the password file. Since users can usually alter their gecos entries,
2424 there's no security involved in using this instead. The data can follow
2425 the -F or be in the next argument. */
2426
2427 case 'F':
2428 if (*argrest == 0)
2429 {
2430 if(++i < argc) argrest = argv[i]; else
2431 { badarg = TRUE; break; }
2432 }
2433 originator_name = argrest;
2fe1a124 2434 sender_name_forced = TRUE;
059ec3d9
PH
2435 break;
2436
2437
2438 /* -f: Set sender's address - this value is only actually used if Exim is
2439 run by a trusted user, or if untrusted_set_sender is set and matches the
2440 address, except that the null address can always be set by any user. The
2441 test for this happens later, when the value given here is ignored when not
2442 permitted. For an untrusted user, the actual sender is still put in Sender:
2443 if it doesn't match the From: header (unless no_local_from_check is set).
2444 The data can follow the -f or be in the next argument. The -r switch is an
2445 obsolete form of -f but since there appear to be programs out there that
2446 use anything that sendmail has ever supported, better accept it - the
2447 synonymizing is done before the switch above.
2448
2449 At this stage, we must allow domain literal addresses, because we don't
2450 know what the setting of allow_domain_literals is yet. Ditto for trailing
2451 dots and strip_trailing_dot. */
2452
2453 case 'f':
2454 {
2455 int start, end;
2456 uschar *errmess;
2457 if (*argrest == 0)
2458 {
2459 if (i+1 < argc) argrest = argv[++i]; else
2460 { badarg = TRUE; break; }
2461 }
2462 if (*argrest == 0)
2463 {
2464 sender_address = string_sprintf(""); /* Ensure writeable memory */
2465 }
2466 else
2467 {
2468 uschar *temp = argrest + Ustrlen(argrest) - 1;
2469 while (temp >= argrest && isspace(*temp)) temp--;
2470 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2471 allow_domain_literals = TRUE;
2472 strip_trailing_dot = TRUE;
2473 sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2474 &sender_address_domain, TRUE);
2475 allow_domain_literals = FALSE;
2476 strip_trailing_dot = FALSE;
2477 if (sender_address == NULL)
2478 {
2479 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2480 return EXIT_FAILURE;
2481 }
2482 }
2483 sender_address_forced = TRUE;
2484 }
2485 break;
2486
2487 /* This is some Sendmail thing which can be ignored */
2488
2489 case 'G':
2490 break;
2491
2492 /* -h: Set the hop count for an incoming message. Exim does not currently
2493 support this; it always computes it by counting the Received: headers.
2494 To put it in will require a change to the spool header file format. */
2495
2496 case 'h':
2497 if (*argrest == 0)
2498 {
2499 if(++i < argc) argrest = argv[i]; else
2500 { badarg = TRUE; break; }
2501 }
2502 if (!isdigit(*argrest)) badarg = TRUE;
2503 break;
2504
2505
2506 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2507 not to be documented for sendmail but mailx (at least) uses it) */
2508
2509 case 'i':
2510 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2511 break;
2512
2513
2514 case 'M':
2515 receiving_message = FALSE;
2516
2517 /* -MC: continue delivery of another message via an existing open
2518 file descriptor. This option is used for an internal call by the
2519 smtp transport when there is a pending message waiting to go to an
2520 address to which it has got a connection. Five subsequent arguments are
2521 required: transport name, host name, IP address, sequence number, and
2522 message_id. Transports may decline to create new processes if the sequence
2523 number gets too big. The channel is stdin. This (-MC) must be the last
2524 argument. There's a subsequent check that the real-uid is privileged.
2525
2526 If we are running in the test harness. delay for a bit, to let the process
2527 that set this one up complete. This makes for repeatability of the logging,
2528 etc. output. */
2529
2530 if (Ustrcmp(argrest, "C") == 0)
2531 {
41c7c167
PH
2532 union sockaddr_46 interface_sock;
2533 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2534
059ec3d9
PH
2535 if (argc != i + 6)
2536 {
2537 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2538 return EXIT_FAILURE;
2539 }
2540
2541 if (msg_action_arg >= 0)
2542 {
2543 fprintf(stderr, "exim: incompatible arguments\n");
2544 return EXIT_FAILURE;
2545 }
2546
2547 continue_transport = argv[++i];
2548 continue_hostname = argv[++i];
2549 continue_host_address = argv[++i];
2550 continue_sequence = Uatoi(argv[++i]);
2551 msg_action = MSG_DELIVER;
2552 msg_action_arg = ++i;
2553 forced_delivery = TRUE;
2554 queue_run_pid = passed_qr_pid;
2555 queue_run_pipe = passed_qr_pipe;
2556
2557 if (!mac_ismsgid(argv[i]))
2558 {
2559 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2560 argv[i]);
2561 return EXIT_FAILURE;
2562 }
2563
41c7c167
PH
2564 /* Set up $sending_ip_address and $sending_port */
2565
2566 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2567 &size) == 0)
2568 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2569 &sending_port);
2570 else
2571 {
2572 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2573 strerror(errno));
2574 return EXIT_FAILURE;
2575 }
2576
059ec3d9
PH
2577 if (running_in_test_harness) millisleep(500);
2578 break;
2579 }
2580
2581 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2582 precedes -MC (see above). The flag indicates that the host to which
2583 Exim is connected has accepted an AUTH sequence. */
2584
2585 else if (Ustrcmp(argrest, "CA") == 0)
2586 {
2587 smtp_authenticated = TRUE;
2588 break;
2589 }
2590
2591 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2592 it preceded -MC (see above) */
2593
2594 else if (Ustrcmp(argrest, "CP") == 0)
2595 {
2596 smtp_use_pipelining = TRUE;
2597 break;
2598 }
2599
2600 /* -MCQ: pass on the pid of the queue-running process that started
2601 this chain of deliveries and the fd of its synchronizing pipe; this
2602 is useful only when it precedes -MC (see above) */
2603
2604 else if (Ustrcmp(argrest, "CQ") == 0)
2605 {
2606 if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2607 else badarg = TRUE;
2608 if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2609 else badarg = TRUE;
2610 break;
2611 }
2612
2613 /* -MCS: set the smtp_use_size flag; this is useful only when it
2614 precedes -MC (see above) */
2615
2616 else if (Ustrcmp(argrest, "CS") == 0)
2617 {
2618 smtp_use_size = TRUE;
2619 break;
2620 }
2621
2622 /* -MCT: set the tls_offered flag; this is useful only when it
2623 precedes -MC (see above). The flag indicates that the host to which
2624 Exim is connected has offered TLS support. */
2625
2626 #ifdef SUPPORT_TLS
2627 else if (Ustrcmp(argrest, "CT") == 0)
2628 {
2629 tls_offered = TRUE;
2630 break;
2631 }
2632 #endif
2633
2634 /* -M[x]: various operations on the following list of message ids:
2635 -M deliver the messages, ignoring next retry times and thawing
2636 -Mc deliver the messages, checking next retry times, no thawing
2637 -Mf freeze the messages
2638 -Mg give up on the messages
2639 -Mt thaw the messages
2640 -Mrm remove the messages
2641 In the above cases, this must be the last option. There are also the
2642 following options which are followed by a single message id, and which
2643 act on that message. Some of them use the "recipient" addresses as well.
2644 -Mar add recipient(s)
2645 -Mmad mark all recipients delivered
2646 -Mmd mark recipients(s) delivered
2647 -Mes edit sender
0ef732d9 2648 -Mset load a message for use with -be
059ec3d9 2649 -Mvb show body
a96603a0 2650 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2651 -Mvh show header
2652 -Mvl show log
2653 */
2654
2655 else if (*argrest == 0)
2656 {
2657 msg_action = MSG_DELIVER;
2658 forced_delivery = deliver_force_thaw = TRUE;
2659 }
2660 else if (Ustrcmp(argrest, "ar") == 0)
2661 {
2662 msg_action = MSG_ADD_RECIPIENT;
2663 one_msg_action = TRUE;
2664 }
2665 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2666 else if (Ustrcmp(argrest, "es") == 0)
2667 {
2668 msg_action = MSG_EDIT_SENDER;
2669 one_msg_action = TRUE;
2670 }
2671 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2672 else if (Ustrcmp(argrest, "g") == 0)
2673 {
2674 msg_action = MSG_DELIVER;
2675 deliver_give_up = TRUE;
2676 }
2677 else if (Ustrcmp(argrest, "mad") == 0)
2678 {
2679 msg_action = MSG_MARK_ALL_DELIVERED;
2680 }
2681 else if (Ustrcmp(argrest, "md") == 0)
2682 {
2683 msg_action = MSG_MARK_DELIVERED;
2684 one_msg_action = TRUE;
2685 }
2686 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2687 else if (Ustrcmp(argrest, "set") == 0)
2688 {
2689 msg_action = MSG_LOAD;
2690 one_msg_action = TRUE;
2691 }
059ec3d9
PH
2692 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2693 else if (Ustrcmp(argrest, "vb") == 0)
2694 {
2695 msg_action = MSG_SHOW_BODY;
2696 one_msg_action = TRUE;
2697 }
a96603a0
PH
2698 else if (Ustrcmp(argrest, "vc") == 0)
2699 {
2700 msg_action = MSG_SHOW_COPY;
2701 one_msg_action = TRUE;
2702 }
059ec3d9
PH
2703 else if (Ustrcmp(argrest, "vh") == 0)
2704 {
2705 msg_action = MSG_SHOW_HEADER;
2706 one_msg_action = TRUE;
2707 }
2708 else if (Ustrcmp(argrest, "vl") == 0)
2709 {
2710 msg_action = MSG_SHOW_LOG;
2711 one_msg_action = TRUE;
2712 }
2713 else { badarg = TRUE; break; }
2714
2715 /* All the -Mxx options require at least one message id. */
2716
2717 msg_action_arg = i + 1;
2718 if (msg_action_arg >= argc)
2719 {
2720 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2721 return EXIT_FAILURE;
2722 }
2723
2724 /* Some require only message ids to follow */
2725
2726 if (!one_msg_action)
2727 {
2728 int j;
2729 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2730 {
2731 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2732 argv[j], arg);
2733 return EXIT_FAILURE;
2734 }
2735 goto END_ARG; /* Remaining args are ids */
2736 }
2737
2738 /* Others require only one message id, possibly followed by addresses,
2739 which will be handled as normal arguments. */
2740
2741 else
2742 {
2743 if (!mac_ismsgid(argv[msg_action_arg]))
2744 {
2745 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2746 argv[msg_action_arg], arg);
2747 return EXIT_FAILURE;
2748 }
2749 i++;
2750 }
2751 break;
2752
2753
2754 /* Some programs seem to call the -om option without the leading o;
2755 for sendmail it askes for "me too". Exim always does this. */
2756
2757 case 'm':
2758 if (*argrest != 0) badarg = TRUE;
2759 break;
2760
2761
2762 /* -N: don't do delivery - a debugging option that stops transports doing
2763 their thing. It implies debugging at the D_v level. */
2764
2765 case 'N':
2766 if (*argrest == 0)
2767 {
2768 dont_deliver = TRUE;
2769 debug_selector |= D_v;
2770 debug_file = stderr;
2771 }
2772 else badarg = TRUE;
2773 break;
2774
2775
12f69989
PP
2776 /* -n: This means "don't alias" in sendmail, apparently.
2777 For normal invocations, it has no effect.
2778 It may affect some other options. */
059ec3d9
PH
2779
2780 case 'n':
12f69989 2781 flag_n = TRUE;
059ec3d9
PH
2782 break;
2783
2784 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2785 option to the specified value. This form uses long names. We need to handle
2786 -O option=value and -Ooption=value. */
2787
2788 case 'O':
2789 if (*argrest == 0)
2790 {
2791 if (++i >= argc)
2792 {
2793 fprintf(stderr, "exim: string expected after -O\n");
2794 exit(EXIT_FAILURE);
2795 }
2796 }
2797 break;
2798
2799 case 'o':
2800
2801 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2802 file" option). */
2803
2804 if (*argrest == 'A')
2805 {
2806 alias_arg = argrest + 1;
2807 if (alias_arg[0] == 0)
2808 {
2809 if (i+1 < argc) alias_arg = argv[++i]; else
2810 {
2811 fprintf(stderr, "exim: string expected after -oA\n");
2812 exit(EXIT_FAILURE);
2813 }
2814 }
2815 }
2816
2817 /* -oB: Set a connection message max value for remote deliveries */
2818
2819 else if (*argrest == 'B')
2820 {
2821 uschar *p = argrest + 1;
2822 if (p[0] == 0)
2823 {
2824 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2825 {
2826 connection_max_messages = 1;
2827 p = NULL;
2828 }
2829 }
2830
2831 if (p != NULL)
2832 {
2833 if (!isdigit(*p))
2834 {
2835 fprintf(stderr, "exim: number expected after -oB\n");
2836 exit(EXIT_FAILURE);
2837 }
2838 connection_max_messages = Uatoi(p);
2839 }
2840 }
2841
2842 /* -odb: background delivery */
2843
2844 else if (Ustrcmp(argrest, "db") == 0)
2845 {
2846 synchronous_delivery = FALSE;
2847 arg_queue_only = FALSE;
2848 queue_only_set = TRUE;
2849 }
2850
2851 /* -odf: foreground delivery (smail-compatible option); same effect as
2852 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2853 */
2854
2855 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2856 {
2857 synchronous_delivery = TRUE;
2858 arg_queue_only = FALSE;
2859 queue_only_set = TRUE;
2860 }
2861
2862 /* -odq: queue only */
2863
2864 else if (Ustrcmp(argrest, "dq") == 0)
2865 {
2866 synchronous_delivery = FALSE;
2867 arg_queue_only = TRUE;
2868 queue_only_set = TRUE;
2869 }
2870
2871 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2872 but no remote delivery */
2873
2874 else if (Ustrcmp(argrest, "dqs") == 0)
2875 {
2876 queue_smtp = TRUE;
2877 arg_queue_only = FALSE;
2878 queue_only_set = TRUE;
2879 }
2880
2881 /* -oex: Sendmail error flags. As these are also accepted without the
2882 leading -o prefix, for compatibility with vacation and other callers,
2883 they are handled with -e above. */
2884
2885 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2886 -oitrue: Another sendmail syntax for the same */
2887
2888 else if (Ustrcmp(argrest, "i") == 0 ||
2889 Ustrcmp(argrest, "itrue") == 0)
2890 dot_ends = FALSE;
2891
2892 /* -oM*: Set various characteristics for an incoming message; actually
2893 acted on for trusted callers only. */
2894
2895 else if (*argrest == 'M')
2896 {
2897 if (i+1 >= argc)
2898 {
2899 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2900 exit(EXIT_FAILURE);
2901 }
2902
2903 /* -oMa: Set sender host address */
2904
2905 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2906
2907 /* -oMaa: Set authenticator name */
2908
2909 else if (Ustrcmp(argrest, "Maa") == 0)
2910 sender_host_authenticated = argv[++i];
2911
2912 /* -oMas: setting authenticated sender */
2913
2914 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2915
2916 /* -oMai: setting authenticated id */
2917
2918 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2919
2920 /* -oMi: Set incoming interface address */
2921
2922 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2923
2924 /* -oMr: Received protocol */
2925
2926 else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2927
2928 /* -oMs: Set sender host name */
2929
2930 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2931
2932 /* -oMt: Set sender ident */
2933
33d73e3b
PH
2934 else if (Ustrcmp(argrest, "Mt") == 0)
2935 {
2936 sender_ident_set = TRUE;
2937 sender_ident = argv[++i];
2938 }
059ec3d9
PH
2939
2940 /* Else a bad argument */
2941
2942 else
2943 {
2944 badarg = TRUE;
2945 break;
2946 }
2947 }
2948
2949 /* -om: Me-too flag for aliases. Exim always does this. Some programs
2950 seem to call this as -m (undocumented), so that is also accepted (see
2951 above). */
2952
2953 else if (Ustrcmp(argrest, "m") == 0) {}
2954
2955 /* -oo: An ancient flag for old-style addresses which still seems to
2956 crop up in some calls (see in SCO). */
2957
2958 else if (Ustrcmp(argrest, "o") == 0) {}
2959
2960 /* -oP <name>: set pid file path for daemon */
2961
2962 else if (Ustrcmp(argrest, "P") == 0)
2963 override_pid_file_path = argv[++i];
2964
2965 /* -or <n>: set timeout for non-SMTP acceptance
2966 -os <n>: set timeout for SMTP acceptance */
2967
2968 else if (*argrest == 'r' || *argrest == 's')
2969 {
2970 int *tp = (*argrest == 'r')?
2971 &arg_receive_timeout : &arg_smtp_receive_timeout;
2972 if (argrest[1] == 0)
2973 {
2974 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2975 }
2976 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2977 if (*tp < 0)
2978 {
2979 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2980 exit(EXIT_FAILURE);
2981 }
2982 }
2983
2984 /* -oX <list>: Override local_interfaces and/or default daemon ports */
2985
2986 else if (Ustrcmp(argrest, "X") == 0)
2987 override_local_interfaces = argv[++i];
2988
2989 /* Unknown -o argument */
2990
2991 else badarg = TRUE;
2992 break;
2993
2994
2995 /* -ps: force Perl startup; -pd force delayed Perl startup */
2996
2997 case 'p':
2998 #ifdef EXIM_PERL
2999 if (*argrest == 's' && argrest[1] == 0)
3000 {
3001 perl_start_option = 1;
3002 break;
3003 }
3004 if (*argrest == 'd' && argrest[1] == 0)
3005 {
3006 perl_start_option = -1;
3007 break;
3008 }
3009 #endif
3010
3011 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3012 which sets the host protocol and host name */
3013
3014 if (*argrest == 0)
3015 {
3016 if (i+1 < argc) argrest = argv[++i]; else
3017 { badarg = TRUE; break; }
3018 }
3019
3020 if (*argrest != 0)
3021 {
3022 uschar *hn = Ustrchr(argrest, ':');
3023 if (hn == NULL)
3024 {
3025 received_protocol = argrest;
3026 }
3027 else
3028 {
3029 received_protocol = string_copyn(argrest, hn - argrest);
3030 sender_host_name = hn + 1;
3031 }
3032 }
3033 break;
3034
3035
3036 case 'q':
3037 receiving_message = FALSE;
3cc66b45
PH
3038 if (queue_interval >= 0)
3039 {
3040 fprintf(stderr, "exim: -q specified more than once\n");
3041 exit(EXIT_FAILURE);
3042 }
059ec3d9
PH
3043
3044 /* -qq...: Do queue runs in a 2-stage manner */
3045
3046 if (*argrest == 'q')
3047 {
3048 queue_2stage = TRUE;
3049 argrest++;
3050 }
3051
3052 /* -qi...: Do only first (initial) deliveries */
3053
3054 if (*argrest == 'i')
3055 {
3056 queue_run_first_delivery = TRUE;
3057 argrest++;
3058 }
3059
3060 /* -qf...: Run the queue, forcing deliveries
3061 -qff..: Ditto, forcing thawing as well */
3062
3063 if (*argrest == 'f')
3064 {
3065 queue_run_force = TRUE;
3066 if (*(++argrest) == 'f')
3067 {
3068 deliver_force_thaw = TRUE;
3069 argrest++;
3070 }
3071 }
3072
3073 /* -q[f][f]l...: Run the queue only on local deliveries */
3074
3075 if (*argrest == 'l')
3076 {
3077 queue_run_local = TRUE;
3078 argrest++;
3079 }
3080
3081 /* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
3082 optionally starting from a given message id. */
3083
3084 if (*argrest == 0 &&
3085 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3086 {
3087 queue_interval = 0;
3088 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3089 start_queue_run_id = argv[++i];
3090 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3091 stop_queue_run_id = argv[++i];
3092 }
3093
3094 /* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
3095 optionally local only. */
3096
3097 else
3098 {
3099 if (*argrest != 0)
3100 queue_interval = readconf_readtime(argrest, 0, FALSE);
3101 else
3102 queue_interval = readconf_readtime(argv[++i], 0, FALSE);
3103 if (queue_interval <= 0)
3104 {
3105 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3106 exit(EXIT_FAILURE);
3107 }
3108 }
3109 break;
3110
3111
3112 case 'R': /* Synonymous with -qR... */
3113 receiving_message = FALSE;
3114
3115 /* -Rf: As -R (below) but force all deliveries,
3116 -Rff: Ditto, but also thaw all frozen messages,
3117 -Rr: String is regex
3118 -Rrf: Regex and force
3119 -Rrff: Regex and force and thaw
3120
3121 in all cases provided there are no further characters in this
3122 argument. */
3123
3124 if (*argrest != 0)
3125 {
3126 int i;
3127 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3128 {
3129 if (Ustrcmp(argrest, rsopts[i]) == 0)
3130 {
3131 if (i != 2) queue_run_force = TRUE;
3132 if (i >= 2) deliver_selectstring_regex = TRUE;
3133 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3134 argrest += Ustrlen(rsopts[i]);
3135 }
3136 }
3137 }
3138
3139 /* -R: Set string to match in addresses for forced queue run to
3140 pick out particular messages. */
3141
3142 if (*argrest == 0)
3143 {
3144 if (i+1 < argc) deliver_selectstring = argv[++i]; else
3145 {
3146 fprintf(stderr, "exim: string expected after -R\n");
3147 exit(EXIT_FAILURE);
3148 }
3149 }
3150 else deliver_selectstring = argrest;
059ec3d9
PH
3151 break;
3152
3153
3154 /* -r: an obsolete synonym for -f (see above) */
3155
3156
3157 /* -S: Like -R but works on sender. */
3158
3159 case 'S': /* Synonymous with -qS... */
3160 receiving_message = FALSE;
3161
3162 /* -Sf: As -S (below) but force all deliveries,
3163 -Sff: Ditto, but also thaw all frozen messages,
3164 -Sr: String is regex
3165 -Srf: Regex and force
3166 -Srff: Regex and force and thaw
3167
3168 in all cases provided there are no further characters in this
3169 argument. */
3170
3171 if (*argrest != 0)
3172 {
3173 int i;
3174 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3175 {
3176 if (Ustrcmp(argrest, rsopts[i]) == 0)
3177 {
3178 if (i != 2) queue_run_force = TRUE;
3179 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3180 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3181 argrest += Ustrlen(rsopts[i]);
3182 }
3183 }
3184 }
3185
3186 /* -S: Set string to match in addresses for forced queue run to
3187 pick out particular messages. */
3188
3189 if (*argrest == 0)
3190 {
3191 if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
3192 {
3193 fprintf(stderr, "exim: string expected after -S\n");
3194 exit(EXIT_FAILURE);
3195 }
3196 }
3197 else deliver_selectstring_sender = argrest;
059ec3d9
PH
3198 break;
3199
3200 /* -Tqt is an option that is exclusively for use by the testing suite.
3201 It is not recognized in other circumstances. It allows for the setting up
3202 of explicit "queue times" so that various warning/retry things can be
3203 tested. Otherwise variability of clock ticks etc. cause problems. */
3204
3205 case 'T':
3206 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3207 fudged_queue_times = argv[++i];
3208 else badarg = TRUE;
3209 break;
3210
3211
3212 /* -t: Set flag to extract recipients from body of message. */
3213
3214 case 't':
3215 if (*argrest == 0) extract_recipients = TRUE;
3216
3217 /* -ti: Set flag to extract recipients from body of message, and also
3218 specify that dot does not end the message. */
3219
3220 else if (Ustrcmp(argrest, "i") == 0)
3221 {
3222 extract_recipients = TRUE;
3223 dot_ends = FALSE;
3224 }
3225
3226 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3227
3228 #ifdef SUPPORT_TLS
3229 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
3230 #endif
3231
3232 else badarg = TRUE;
3233 break;
3234
3235
3236 /* -U: This means "initial user submission" in sendmail, apparently. The
3237 doc claims that in future sendmail may refuse syntactically invalid
3238 messages instead of fixing them. For the moment, we just ignore it. */
3239
3240 case 'U':
3241 break;
3242
3243
3244 /* -v: verify things - this is a very low-level debugging */
3245
3246 case 'v':
3247 if (*argrest == 0)
3248 {
3249 debug_selector |= D_v;
3250 debug_file = stderr;
3251 }
3252 else badarg = TRUE;
3253 break;
3254
3255
3256 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3257
3258 The -x flag tells the sendmail command that mail from a local
3259 mail program has National Language Support (NLS) extended characters
3260 in the body of the mail item. The sendmail command can send mail with
3261 extended NLS characters across networks that normally corrupts these
3262 8-bit characters.
3263
3264 As Exim is 8-bit clean, it just ignores this flag. */
3265
3266 case 'x':
3267 if (*argrest != 0) badarg = TRUE;
3268 break;
3269
3270 /* All other initial characters are errors */
3271
3272 default:
3273 badarg = TRUE;
3274 break;
3275 } /* End of high-level switch statement */
3276
3277 /* Failed to recognize the option, or syntax error */
3278
3279 if (badarg)
3280 {
3281 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3282 "option %s\n", arg);
3283 exit(EXIT_FAILURE);
3284 }
3285 }
3286
3287
3cc66b45
PH
3288/* If -R or -S have been specified without -q, assume a single queue run. */
3289
3290if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
3291 queue_interval < 0) queue_interval = 0;
3292
3293
059ec3d9 3294END_ARG:
81ea09ca
NM
3295/* If usage_wanted is set we call the usage function - which never returns */
3296if (usage_wanted) exim_usage(called_as);
3297
3298/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
3299if ((
3300 (smtp_input || extract_recipients || recipients_arg < argc) &&
3301 (daemon_listen || queue_interval >= 0 || bi_option ||
3302 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 3303 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
3304 ) ||
3305 (
3306 msg_action_arg > 0 &&
0ef732d9
PH
3307 (daemon_listen || queue_interval >= 0 || list_options ||
3308 (checking && msg_action != MSG_LOAD) ||
3309 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
3310 ) ||
3311 (
3312 (daemon_listen || queue_interval >= 0) &&
3313 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 3314 bi_option)
059ec3d9
PH
3315 ) ||
3316 (
3317 daemon_listen && queue_interval == 0
3318 ) ||
3319 (
9ee44efb
PP
3320 inetd_wait_mode && queue_interval >= 0
3321 ) ||
3322 (
059ec3d9
PH
3323 list_options &&
3324 (checking || smtp_input || extract_recipients ||
f05da2e8 3325 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3326 ) ||
3327 (
3328 verify_address_mode &&
3329 (address_test_mode || smtp_input || extract_recipients ||
f05da2e8 3330 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3331 ) ||
3332 (
3333 address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 3334 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3335 ) ||
3336 (
f05da2e8 3337 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
3338 extract_recipients)
3339 ) ||
3340 (
3341 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
3342 ) ||
3343 (
3344 msg_action == MSG_LOAD &&
3345 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3346 )
3347 )
3348 {
3349 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3350 exit(EXIT_FAILURE);
3351 }
3352
3353/* If debugging is set up, set the file and the file descriptor to pass on to
3354child processes. It should, of course, be 2 for stderr. Also, force the daemon
3355to run in the foreground. */
3356
3357if (debug_selector != 0)
3358 {
3359 debug_file = stderr;
3360 debug_fd = fileno(debug_file);
3361 background_daemon = FALSE;
3362 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3363 if (debug_selector != D_v) /* -v only doesn't show this */
3364 {
3365 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3366 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3367 debug_selector);
6545de78
PP
3368 if (!version_printed)
3369 show_whats_supported(stderr);
059ec3d9
PH
3370 }
3371 }
3372
3373/* When started with root privilege, ensure that the limits on the number of
3374open files and the number of processes (where that is accessible) are
3375sufficiently large, or are unset, in case Exim has been called from an
3376environment where the limits are screwed down. Not all OS have the ability to
3377change some of these limits. */
3378
3379if (unprivileged)
3380 {
3381 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3382 }
3383else
3384 {
3385 struct rlimit rlp;
3386
3387 #ifdef RLIMIT_NOFILE
3388 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3389 {
3390 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3391 strerror(errno));
3392 rlp.rlim_cur = rlp.rlim_max = 0;
3393 }
eb2c0248
PH
3394
3395 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3396 be exceeded. It turns out that some older OS have a fixed upper limit of
3397 256. */
eb2c0248 3398
059ec3d9
PH
3399 if (rlp.rlim_cur < 1000)
3400 {
3401 rlp.rlim_cur = rlp.rlim_max = 1000;
3402 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3403 {
a494b1e1
PH
3404 rlp.rlim_cur = rlp.rlim_max = 256;
3405 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3406 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3407 strerror(errno));
eb2c0248 3408 }
059ec3d9
PH
3409 }
3410 #endif
3411
3412 #ifdef RLIMIT_NPROC
3413 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3414 {
3415 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3416 strerror(errno));
3417 rlp.rlim_cur = rlp.rlim_max = 0;
3418 }
3419
3420 #ifdef RLIM_INFINITY
3421 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3422 {
3423 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3424 #else
3425 if (rlp.rlim_cur < 1000)
3426 {
3427 rlp.rlim_cur = rlp.rlim_max = 1000;
3428 #endif
3429 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3430 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3431 strerror(errno));
3432 }
3433 #endif
3434 }
3435
3436/* Exim is normally entered as root (but some special configurations are
3437possible that don't do this). However, it always spins off sub-processes that
3438set their uid and gid as required for local delivery. We don't want to pass on
3439any extra groups that root may belong to, so we want to get rid of them all at
3440this point.
3441
3442We need to obey setgroups() at this stage, before possibly giving up root
3443privilege for a changed configuration file, but later on we might need to
3444check on the additional groups for the admin user privilege - can't do that
3445till after reading the config, which might specify the exim gid. Therefore,
3446save the group list here first. */
3447
3448group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18
PP
3449if (group_count < 0)
3450 {
3451 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3452 exit(EXIT_FAILURE);
3453 }
059ec3d9
PH
3454
3455/* There is a fundamental difference in some BSD systems in the matter of
3456groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3457known not to be different. On the "different" systems there is a single group
3458list, and the first entry in it is the current group. On all other versions of
3459Unix there is a supplementary group list, which is in *addition* to the current
3460group. Consequently, to get rid of all extraneous groups on a "standard" system
3461you pass over 0 groups to setgroups(), while on a "different" system you pass
3462over a single group - the current group, which is always the first group in the
3463list. Calling setgroups() with zero groups on a "different" system results in
3464an error return. The following code should cope with both types of system.
3465
3466However, if this process isn't running as root, setgroups() can't be used
3467since you have to be root to run it, even if throwing away groups. Not being
3468root here happens only in some unusual configurations. We just ignore the
3469error. */
3470
3471if (setgroups(0, NULL) != 0)
3472 {
3473 if (setgroups(1, group_list) != 0 && !unprivileged)
3474 {
3475 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3476 exit(EXIT_FAILURE);
3477 }
3478 }
3479
3480/* If the configuration file name has been altered by an argument on the
3481command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3482not root, or if this is a filter testing run, remove any setuid privilege the
3483program has and run as the underlying user.
059ec3d9 3484
cd25e41d
DW
3485The exim user is locked out of this, which severely restricts the use of -C
3486for some purposes.
059ec3d9
PH
3487
3488Otherwise, set the real ids to the effective values (should be root unless run
3489from inetd, which it can either be root or the exim uid, if one is configured).
3490
3491There is a private mechanism for bypassing some of this, in order to make it
3492possible to test lots of configurations automatically, without having either to
3493recompile each time, or to patch in an actual configuration file name and other
3494values (such as the path name). If running in the test harness, pretend that
3495configuration file changes and macro definitions haven't happened. */
3496
3497if (( /* EITHER */
a7cbbf50
PP
3498 (!trusted_config || /* Config changed, or */
3499 !macros_trusted()) && /* impermissible macros and */
059ec3d9 3500 real_uid != root_uid && /* Not root, and */
059ec3d9
PH
3501 !running_in_test_harness /* Not fudged */
3502 ) || /* OR */
3503 expansion_test /* expansion testing */
3504 || /* OR */
f05da2e8 3505 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3506 {
3507 setgroups(group_count, group_list);
3508 exim_setugid(real_uid, real_gid, FALSE,
3509 US"-C, -D, -be or -bf forces real uid");
3510 removed_privilege = TRUE;
3511
3512 /* In the normal case when Exim is called like this, stderr is available
3513 and should be used for any logging information because attempts to write
3514 to the log will usually fail. To arrange this, we unset really_exim. However,
3515 if no stderr is available there is no point - we might as well have a go
b7487bce 3516 at the log (if it fails, syslog will be written).
059ec3d9 3517
b7487bce
PP
3518 Note that if the invoker is Exim, the logs remain available. Messing with
3519 this causes unlogged successful deliveries. */
3520
3521 if ((log_stderr != NULL) && (real_uid != exim_uid))
3522 really_exim = FALSE;
059ec3d9
PH
3523 }
3524
3525/* Privilege is to be retained for the moment. It may be dropped later,
3526depending on the job that this Exim process has been asked to do. For now, set
3527the real uid to the effective so that subsequent re-execs of Exim are done by a
3528privileged user. */
3529
3530else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3531
f05da2e8 3532/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3533setups and reading the message. */
3534
f05da2e8
PH
3535if ((filter_test & FTEST_SYSTEM) != 0)
3536 {
3537 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3538 if (filter_sfd < 0)
3539 {
3540 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3541 strerror(errno));
3542 return EXIT_FAILURE;
3543 }
3544 }
3545
3546if ((filter_test & FTEST_USER) != 0)
059ec3d9 3547 {
f05da2e8
PH
3548 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3549 if (filter_ufd < 0)
059ec3d9 3550 {
f05da2e8 3551 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9
PH
3552 strerror(errno));
3553 return EXIT_FAILURE;
3554 }
3555 }
3556
8829633f
PP
3557/* Initialise lookup_list
3558If debugging, already called above via version reporting.
3559In either case, we initialise the list of available lookups while running
3560as root. All dynamically modules are loaded from a directory which is
3561hard-coded into the binary and is code which, if not a module, would be
3562part of Exim already. Ability to modify the content of the directory
3563is equivalent to the ability to modify a setuid binary!
3564
3565This needs to happen before we read the main configuration. */
3566init_lookup_list();
3567
059ec3d9
PH
3568/* Read the main runtime configuration data; this gives up if there
3569is a failure. It leaves the configuration file open so that the subsequent
3570configuration data for delivery can be read if needed. */
3571
3572readconf_main();
3573
3574/* Handle the decoding of logging options. */
3575
ed7f7860
PP
3576decode_bits(&log_write_selector, &log_extra_selector, 0, 0,
3577 log_selector_string, log_options, log_options_count, US"log", 0);
059ec3d9
PH
3578
3579DEBUG(D_any)
3580 {
3581 debug_printf("configuration file is %s\n", config_main_filename);
3582 debug_printf("log selectors = %08x %08x\n", log_write_selector,
3583 log_extra_selector);
3584 }
3585
3586/* If domain literals are not allowed, check the sender address that was
3587supplied with -f. Ditto for a stripped trailing dot. */
3588
3589if (sender_address != NULL)
3590 {
3591 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3592 {
3593 fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3594 "allowed\n", sender_address);
3595 return EXIT_FAILURE;
3596 }
3597 if (f_end_dot && !strip_trailing_dot)
3598 {
3599 fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3600 "(trailing dot not allowed)\n", sender_address);
3601 return EXIT_FAILURE;
3602 }
3603 }
3604
3605/* Paranoia check of maximum lengths of certain strings. There is a check
3606on the length of the log file path in log.c, which will come into effect
3607if there are any calls to write the log earlier than this. However, if we
3608get this far but the string is very long, it is better to stop now than to
3609carry on and (e.g.) receive a message and then have to collapse. The call to
3610log_write() from here will cause the ultimate panic collapse if the complete
3611file name exceeds the buffer length. */
3612
3613if (Ustrlen(log_file_path) > 200)
3614 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3615 "log_file_path is longer than 200 chars: aborting");
3616
3617if (Ustrlen(pid_file_path) > 200)
3618 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3619 "pid_file_path is longer than 200 chars: aborting");
3620
3621if (Ustrlen(spool_directory) > 200)
3622 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3623 "spool_directory is longer than 200 chars: aborting");
3624
3625/* Length check on the process name given to syslog for its TAG field,
3626which is only permitted to be 32 characters or less. See RFC 3164. */
3627
3628if (Ustrlen(syslog_processname) > 32)
3629 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3630 "syslog_processname is longer than 32 chars: aborting");
3631
3632/* In some operating systems, the environment variable TMPDIR controls where
3633temporary files are created; Exim doesn't use these (apart from when delivering
3634to MBX mailboxes), but called libraries such as DBM libraries may require them.
3635If TMPDIR is found in the environment, reset it to the value defined in the
3636TMPDIR macro, if this macro is defined. */
3637
3638#ifdef TMPDIR
3639 {
3640 uschar **p;
3641 for (p = USS environ; *p != NULL; p++)
3642 {
3643 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3644 Ustrcmp(*p+7, TMPDIR) != 0)
3645 {
3646 uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3647 sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3648 *p = newp;
3649 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3650 }
3651 }
3652 }
3653#endif
3654
3655/* Timezone handling. If timezone_string is "utc", set a flag to cause all
3656timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3657we may need to get rid of a bogus timezone setting. This can arise when Exim is
3658called by a user who has set the TZ variable. This then affects the timestamps
3659in log files and in Received: headers, and any created Date: header lines. The
3660required timezone is settable in the configuration file, so nothing can be done
3661about this earlier - but hopefully nothing will normally be logged earlier than
3662this. We have to make a new environment if TZ is wrong, but don't bother if
3663timestamps_utc is set, because then all times are in UTC anyway. */
3664
3665if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3666 {
3667 timestamps_utc = TRUE;
3668 }
3669else
3670 {
3671 uschar *envtz = US getenv("TZ");
3672 if ((envtz == NULL && timezone_string != NULL) ||
3673 (envtz != NULL &&
3674 (timezone_string == NULL ||
3675 Ustrcmp(timezone_string, envtz) != 0)))
3676 {
3677 uschar **p = USS environ;
3678 uschar **new;
3679 uschar **newp;
3680 int count = 0;
3681 while (*p++ != NULL) count++;
3682 if (envtz == NULL) count++;
3683 newp = new = malloc(sizeof(uschar *) * (count + 1));
3684 for (p = USS environ; *p != NULL; p++)
3685 {
3686 if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3687 *newp++ = *p;
3688 }
3689 if (timezone_string != NULL)
3690 {
3691 *newp = malloc(Ustrlen(timezone_string) + 4);
3692 sprintf(CS *newp++, "TZ=%s", timezone_string);
3693 }
3694 *newp = NULL;
3695 environ = CSS new;
3696 tzset();
3697 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3698 tod_stamp(tod_log));
3699 }
3700 }
3701
3702/* Handle the case when we have removed the setuid privilege because of -C or
cd25e41d 3703-D. This means that the caller of Exim was not root.
059ec3d9 3704
cd25e41d
DW
3705There is a problem if we were running as the Exim user. The sysadmin may
3706expect this case to retain privilege because "the binary was called by the
3707Exim user", but it hasn't, because either the -D option set macros, or the
261dc43e 3708-C option set a non-trusted configuration file. There are two possibilities:
059ec3d9
PH
3709
3710 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3711 to do message deliveries. Thus, the fact that it is running as a
3712 non-privileged user is plausible, and might be wanted in some special
3713 configurations. However, really_exim will have been set false when
3714 privilege was dropped, to stop Exim trying to write to its normal log
3715 files. Therefore, re-enable normal log processing, assuming the sysadmin
3716 has set up the log directory correctly.
3717
3718 (2) If deliver_drop_privilege is not set, the configuration won't work as
3719 apparently intended, and so we log a panic message. In order to retain
261dc43e
DW
3720 root for -C or -D, the caller must either be root or be invoking a
3721 trusted configuration file (when deliver_drop_privilege is false). */
059ec3d9 3722
e2f5dc15 3723if (removed_privilege && (!trusted_config || macros != NULL) &&
059ec3d9
PH
3724 real_uid == exim_uid)
3725 {
059ec3d9
PH
3726 if (deliver_drop_privilege)
3727 really_exim = TRUE; /* let logging work normally */
3728 else
3729 log_write(0, LOG_MAIN|LOG_PANIC,
cd25e41d 3730 "exim user lost privilege for using %s option",
90b6341f 3731 trusted_config? "-D" : "-C");
059ec3d9
PH
3732 }
3733
3734/* Start up Perl interpreter if Perl support is configured and there is a
3735perl_startup option, and the configuration or the command line specifies
3736initializing starting. Note that the global variables are actually called
3737opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3738
3739#ifdef EXIM_PERL
3740if (perl_start_option != 0)
3741 opt_perl_at_start = (perl_start_option > 0);
3742if (opt_perl_at_start && opt_perl_startup != NULL)
3743 {
3744 uschar *errstr;
3745 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3746 errstr = init_perl(opt_perl_startup);
3747 if (errstr != NULL)
3748 {
3749 fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
3750 return EXIT_FAILURE;
3751 }
3752 opt_perl_started = TRUE;
3753 }
3754#endif /* EXIM_PERL */
3755
3756/* Log the arguments of the call if the configuration file said so. This is
3757a debugging feature for finding out what arguments certain MUAs actually use.
3758Don't attempt it if logging is disabled, or if listing variables or if
3759verifying/testing addresses or expansions. */
3760
31619da6
PH
3761if (((debug_selector & D_any) != 0 || (log_extra_selector & LX_arguments) != 0)
3762 && really_exim && !list_options && !checking)
059ec3d9
PH
3763 {
3764 int i;
3765 uschar *p = big_buffer;
3766 Ustrcpy(p, "cwd=");
3767 (void)getcwd(CS p+4, big_buffer_size - 4);
3768 while (*p) p++;
3769 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3770 while (*p) p++;
3771 for (i = 0; i < argc; i++)
3772 {
3773 int len = Ustrlen(argv[i]);
3774 uschar *printing;
3775 uschar *quote;
3776 if (p + len + 8 >= big_buffer + big_buffer_size)
3777 {
3778 Ustrcpy(p, " ...");
3779 log_write(0, LOG_MAIN, "%s", big_buffer);
3780 Ustrcpy(big_buffer, "...");
3781 p = big_buffer + 3;
3782 }
3783 printing = string_printing(argv[i]);
3784 if (printing[0] == 0) quote = US"\""; else
3785 {
3786 uschar *pp = printing;
3787 quote = US"";
3788 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3789 }
3790 sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3791 (p - big_buffer) - 4), printing, quote);
3792 while (*p) p++;
3793 }
31619da6
PH
3794
3795 if ((log_extra_selector & LX_arguments) != 0)
3796 log_write(0, LOG_MAIN, "%s", big_buffer);
3797 else
3798 debug_printf("%s\n", big_buffer);
059ec3d9
PH
3799 }
3800
3801/* Set the working directory to be the top-level spool directory. We don't rely
3802on this in the code, which always uses fully qualified names, but it's useful
3803for core dumps etc. Don't complain if it fails - the spool directory might not
3804be generally accessible and calls with the -C option (and others) have lost
ba18e66a
PH
3805privilege by now. Before the chdir, we try to ensure that the directory exists.
3806*/
059ec3d9
PH
3807
3808if (Uchdir(spool_directory) != 0)
3809 {
ba18e66a 3810 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
059ec3d9
PH
3811 (void)Uchdir(spool_directory);
3812 }
3813
3814/* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3815alias file. Exim doesn't have such a concept, but this call is screwed into
3816Sun's YP makefiles. Handle this by calling a configured script, as the real
3817user who called Exim. The -oA option can be used to pass an argument to the
3818script. */
3819
3820if (bi_option)
3821 {
1fe64dcc 3822 (void)fclose(config_file);
059ec3d9
PH
3823 if (bi_command != NULL)
3824 {
3825 int i = 0;
3826 uschar *argv[3];
3827 argv[i++] = bi_command;
3828 if (alias_arg != NULL) argv[i++] = alias_arg;
3829 argv[i++] = NULL;
3830
3831 setgroups(group_count, group_list);
3832 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3833
3834 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3835 (argv[1] == NULL)? US"" : argv[1]);
3836
3837 execv(CS argv[0], (char *const *)argv);
3838 fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
3839 exit(EXIT_FAILURE);
3840 }
3841 else
3842 {
3843 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3844 exit(EXIT_SUCCESS);
3845 }
3846 }
3847
3848/* If an action on specific messages is requested, or if a daemon or queue
3849runner is being started, we need to know if Exim was called by an admin user.
3850This is the case if the real user is root or exim, or if the real group is
3851exim, or if one of the supplementary groups is exim or a group listed in
3852admin_groups. We don't fail all message actions immediately if not admin_user,
3853since some actions can be performed by non-admin users. Instead, set admin_user
3854for later interrogation. */
3855
3856if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3857 admin_user = TRUE;
3858else
3859 {
3860 int i, j;
059ec3d9
PH
3861 for (i = 0; i < group_count; i++)
3862 {
3863 if (group_list[i] == exim_gid) admin_user = TRUE;
3864 else if (admin_groups != NULL)
3865 {
3866 for (j = 1; j <= (int)(admin_groups[0]); j++)
3867 if (admin_groups[j] == group_list[i])
3868 { admin_user = TRUE; break; }
3869 }
3870 if (admin_user) break;
3871 }
3872 }
3873
3874/* Another group of privileged users are the trusted users. These are root,
3875exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3876are permitted to specify sender_addresses with -f on the command line, and
3877other message parameters as well. */
3878
3879if (real_uid == root_uid || real_uid == exim_uid)
3880 trusted_caller = TRUE;
3881else
3882 {
3883 int i, j;
3884
3885 if (trusted_users != NULL)
3886 {
3887 for (i = 1; i <= (int)(trusted_users[0]); i++)
3888 if (trusted_users[i] == real_uid)
3889 { trusted_caller = TRUE; break; }
3890 }
3891
3892 if (!trusted_caller && trusted_groups != NULL)
3893 {
3894 for (i = 1; i <= (int)(trusted_groups[0]); i++)
3895 {
3896 if (trusted_groups[i] == real_gid)
3897 trusted_caller = TRUE;
3898 else for (j = 0; j < group_count; j++)
3899 {
3900 if (trusted_groups[i] == group_list[j])
3901 { trusted_caller = TRUE; break; }
3902 }
3903 if (trusted_caller) break;
3904 }
3905 }
3906 }
3907
3908if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
3909if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
3910
3911/* Only an admin user may start the daemon or force a queue run in the default
3912configuration, but the queue run restriction can be relaxed. Only an admin
3913user may request that a message be returned to its sender forthwith. Only an
3914admin user may specify a debug level greater than D_v (because it might show
3915passwords, etc. in lookup queries). Only an admin user may request a queue
8544e77a
PP
3916count. Only an admin user can use the test interface to scan for email
3917(because Exim will be in the spool dir and able to look at mails). */
059ec3d9
PH
3918
3919if (!admin_user)
3920 {
3921 BOOL debugset = (debug_selector & ~D_v) != 0;
8544e77a 3922 if (deliver_give_up || daemon_listen || malware_test_file ||
059ec3d9
PH
3923 (count_queue && queue_list_requires_admin) ||
3924 (list_queue && queue_list_requires_admin) ||
3925 (queue_interval >= 0 && prod_requires_admin) ||
3926 (debugset && !running_in_test_harness))
3927 {
3928 fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
3929 exit(EXIT_FAILURE);
3930 }
3931 }
3932
3933/* If the real user is not root or the exim uid, the argument for passing
3934in an open TCP/IP connection for another message is not permitted, nor is
3935running with the -N option for any delivery action, unless this call to exim is
3936one that supplied an input message, or we are using a patched exim for
3937regression testing. */
3938
3939if (real_uid != root_uid && real_uid != exim_uid &&
3940 (continue_hostname != NULL ||
3941 (dont_deliver &&
3942 (queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
3943 )) && !running_in_test_harness)
3944 {
3945 fprintf(stderr, "exim: Permission denied\n");
3946 return EXIT_FAILURE;
3947 }
3948
3949/* If the caller is not trusted, certain arguments are ignored when running for
f05da2e8
PH
3950real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
3951Note that authority for performing certain actions on messages is tested in the
059ec3d9
PH
3952queue_action() function. */
3953
f05da2e8 3954if (!trusted_caller && !checking && filter_test == FTEST_NONE)
059ec3d9
PH
3955 {
3956 sender_host_name = sender_host_address = interface_address =
3957 sender_ident = received_protocol = NULL;
3958 sender_host_port = interface_port = 0;
3959 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
3960 }
3961
3962/* If a sender host address is set, extract the optional port number off the
3963end of it and check its syntax. Do the same thing for the interface address.
3964Exim exits if the syntax is bad. */
3965
3966else
3967 {
3968 if (sender_host_address != NULL)
3969 sender_host_port = check_port(sender_host_address);
3970 if (interface_address != NULL)
3971 interface_port = check_port(interface_address);
3972 }
3973
3974/* If an SMTP message is being received check to see if the standard input is a
3975TCP/IP socket. If it is, we assume that Exim was called from inetd if the
3976caller is root or the Exim user, or if the port is a privileged one. Otherwise,
3977barf. */
3978
3979if (smtp_input)
3980 {
3981 union sockaddr_46 inetd_sock;
36a3b041 3982 EXIM_SOCKLEN_T size = sizeof(inetd_sock);
059ec3d9
PH
3983 if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
3984 {
3985 int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
3986 if (family == AF_INET || family == AF_INET6)
3987 {
3988 union sockaddr_46 interface_sock;
3989 size = sizeof(interface_sock);
3990
3991 if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
3992 interface_address = host_ntoa(-1, &interface_sock, NULL,
3993 &interface_port);
3994
3995 if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
3996
3997 if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
3998 {
3999 is_inetd = TRUE;
4000 sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
4001 NULL, &sender_host_port);
4002 if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
4003 "inetd is not supported when mua_wrapper is set");
4004 }
4005 else
4006 {
4007 fprintf(stderr,
4008 "exim: Permission denied (unprivileged user, unprivileged port)\n");
4009 return EXIT_FAILURE;
4010 }
4011 }
4012 }
4013 }
4014
4015/* If the load average is going to be needed while receiving a message, get it
4016now for those OS that require the first call to os_getloadavg() to be done as
4017root. There will be further calls later for each message received. */
4018
4019#ifdef LOAD_AVG_NEEDS_ROOT
4020if (receiving_message &&
4021 (queue_only_load >= 0 ||
4022 (is_inetd && smtp_load_reserve >= 0)
4023 ))
4024 {
8669f003 4025 load_average = OS_GETLOADAVG();
059ec3d9
PH
4026 }
4027#endif
4028
4029/* The queue_only configuration option can be overridden by -odx on the command
4030line, except that if queue_only_override is false, queue_only cannot be unset
4031from the command line. */
4032
4033if (queue_only_set && (queue_only_override || arg_queue_only))
4034 queue_only = arg_queue_only;
4035
4036/* The receive_timeout and smtp_receive_timeout options can be overridden by
4037-or and -os. */
4038
4039if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
4040if (arg_smtp_receive_timeout >= 0)
4041 smtp_receive_timeout = arg_smtp_receive_timeout;
4042