Testsuite: MySQL portability
[exim.git] / src / src / exim.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
9242a7e8 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8
9/* The main function: entry point, initialization, and high-level control.
10Also a few functions that don't naturally fit elsewhere. */
11
12
13#include "exim.h"
14
98913c8e 15#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
16# include <gnu/libc-version.h>
17#endif
18
f797c123
JH
19#ifdef USE_GNUTLS
20# include <gnutls/gnutls.h>
21# if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22# define DISABLE_OCSP
23# endif
24#endif
25
6545de78
PP
26extern void init_lookup_list(void);
27
059ec3d9
PH
28
29
30/*************************************************
31* Function interface to store functions *
32*************************************************/
33
34/* We need some real functions to pass to the PCRE regular expression library
35for store allocation via Exim's store manager. The normal calls are actually
36macros that pass over location information to make tracing easier. These
37functions just interface to the standard macro calls. A good compiler will
38optimize out the tail recursion and so not make them too expensive. There
39are two sets of functions; one for use when we want to retain the compiled
40regular expression for a long time; the other for short-term use. */
41
42static void *
43function_store_get(size_t size)
44{
45return store_get((int)size);
46}
47
48static void
49function_dummy_free(void *block) { block = block; }
50
51static void *
52function_store_malloc(size_t size)
53{
54return store_malloc((int)size);
55}
56
57static void
58function_store_free(void *block)
59{
60store_free(block);
61}
62
63
64
65
66/*************************************************
98a90c36
PP
67* Enums for cmdline interface *
68*************************************************/
69
70enum commandline_info { CMDINFO_NONE=0,
36a3ae5f 71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
98a90c36
PP
72
73
74
75
76/*************************************************
059ec3d9
PH
77* Compile regular expression and panic on fail *
78*************************************************/
79
80/* This function is called when failure to compile a regular expression leads
81to a panic exit. In other cases, pcre_compile() is called directly. In many
82cases where this function is used, the results of the compilation are to be
83placed in long-lived store, so we temporarily reset the store management
84functions that PCRE uses if the use_malloc flag is set.
85
86Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91Returns: pointer to the compiled pattern
92*/
93
94const pcre *
476be7e2 95regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
059ec3d9
PH
96{
97int offset;
98int options = PCRE_COPT;
99const pcre *yield;
100const uschar *error;
101if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106if (caseless) options |= PCRE_CASELESS;
476be7e2 107yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
059ec3d9
PH
108pcre_malloc = function_store_get;
109pcre_free = function_dummy_free;
110if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113return yield;
114}
115
116
117
118
119/*************************************************
120* Execute regular expression and set strings *
121*************************************************/
122
123/* This function runs a regular expression match, and sets up the pointers to
124the matched substrings.
125
126Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134Returns: TRUE or FALSE
135*/
136
137BOOL
1dc92d5a 138regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
059ec3d9
PH
139{
140int ovector[3*(EXPAND_MAXN+1)];
1dc92d5a
JH
141uschar * s = string_copy(subject); /* de-constifying */
142int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
059ec3d9
PH
143 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
144BOOL yield = n >= 0;
145if (n == 0) n = EXPAND_MAXN + 1;
146if (yield)
147 {
148 int nn;
149 expand_nmax = (setup < 0)? 0 : setup + 1;
150 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
151 {
1dc92d5a 152 expand_nstring[expand_nmax] = s + ovector[nn];
059ec3d9
PH
153 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
154 }
155 expand_nmax--;
156 }
157return yield;
158}
159
160
161
162
163/*************************************************
921b12ca
TF
164* Set up processing details *
165*************************************************/
166
167/* Save a text string for dumping when SIGUSR1 is received.
168Do checks for overruns.
169
170Arguments: format and arguments, as for printf()
171Returns: nothing
172*/
173
174void
175set_process_info(const char *format, ...)
176{
92b0827a 177int len = sprintf(CS process_info, "%5d ", (int)getpid());
921b12ca 178va_list ap;
921b12ca
TF
179va_start(ap, format);
180if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
181 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
182len = Ustrlen(process_info);
183process_info[len+0] = '\n';
184process_info[len+1] = '\0';
185process_info_len = len + 1;
186DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
187va_end(ap);
188}
189
190
191
192
193/*************************************************
059ec3d9
PH
194* Handler for SIGUSR1 *
195*************************************************/
196
197/* SIGUSR1 causes any exim process to write to the process log details of
198what it is currently doing. It will only be used if the OS is capable of
199setting up a handler that causes automatic restarting of any system call
200that is in progress at the time.
201
921b12ca
TF
202This function takes care to be signal-safe.
203
059ec3d9
PH
204Argument: the signal number (SIGUSR1)
205Returns: nothing
206*/
207
208static void
209usr1_handler(int sig)
210{
921b12ca
TF
211int fd;
212
213os_restarting_signal(sig, usr1_handler);
214
cab0c277 215if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
921b12ca
TF
216 {
217 /* If we are already running as the Exim user, try to create it in the
218 current process (assuming spool_directory exists). Otherwise, if we are
219 root, do the creation in an exim:exim subprocess. */
220
221 int euid = geteuid();
222 if (euid == exim_uid)
223 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
224 else if (euid == root_uid)
225 fd = log_create_as_exim(process_log_path);
226 }
227
228/* If we are neither exim nor root, or if we failed to create the log file,
229give up. There is not much useful we can do with errors, since we don't want
230to disrupt whatever is going on outside the signal handler. */
231
232if (fd < 0) return;
233
2f21487f 234(void)write(fd, process_info, process_info_len);
921b12ca 235(void)close(fd);
059ec3d9
PH
236}
237
238
239
240/*************************************************
241* Timeout handler *
242*************************************************/
243
244/* This handler is enabled most of the time that Exim is running. The handler
245doesn't actually get used unless alarm() has been called to set a timer, to
246place a time limit on a system call of some kind. When the handler is run, it
247re-enables itself.
248
249There are some other SIGALRM handlers that are used in special cases when more
250than just a flag setting is required; for example, when reading a message's
251input. These are normally set up in the code module that uses them, and the
252SIGALRM handler is reset to this one afterwards.
253
254Argument: the signal value (SIGALRM)
255Returns: nothing
256*/
257
258void
259sigalrm_handler(int sig)
260{
261sig = sig; /* Keep picky compilers happy */
262sigalrm_seen = TRUE;
263os_non_restarting_signal(SIGALRM, sigalrm_handler);
264}
265
266
267
268/*************************************************
269* Sleep for a fractional time interval *
270*************************************************/
271
272/* This function is called by millisleep() and exim_wait_tick() to wait for a
273period of time that may include a fraction of a second. The coding is somewhat
eb2c0248
PH
274tedious. We do not expect setitimer() ever to fail, but if it does, the process
275will wait for ever, so we panic in this instance. (There was a case of this
276when a bug in a function that calls milliwait() caused it to pass invalid data.
7086e875 277That's when I added the check. :-)
059ec3d9 278
0f8ba377
JH
279We assume it to be not worth sleeping for under 100us; this value will
280require revisiting as hardware advances. This avoids the issue of
281a zero-valued timer setting meaning "never fire".
282
059ec3d9
PH
283Argument: an itimerval structure containing the interval
284Returns: nothing
285*/
286
287static void
288milliwait(struct itimerval *itval)
289{
290sigset_t sigmask;
291sigset_t old_sigmask;
0f8ba377
JH
292
293if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
294 return;
059ec3d9
PH
295(void)sigemptyset(&sigmask); /* Empty mask */
296(void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
297(void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
7086e875 298if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
eb2c0248
PH
299 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
300 "setitimer() failed: %s", strerror(errno));
059ec3d9
PH
301(void)sigfillset(&sigmask); /* All signals */
302(void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
303(void)sigsuspend(&sigmask); /* Until SIGALRM */
304(void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
305}
306
307
308
309
310/*************************************************
311* Millisecond sleep function *
312*************************************************/
313
314/* The basic sleep() function has a granularity of 1 second, which is too rough
315in some cases - for example, when using an increasing delay to slow down
316spammers.
317
318Argument: number of millseconds
319Returns: nothing
320*/
321
322void
323millisleep(int msec)
324{
325struct itimerval itval;
326itval.it_interval.tv_sec = 0;
327itval.it_interval.tv_usec = 0;
328itval.it_value.tv_sec = msec/1000;
329itval.it_value.tv_usec = (msec % 1000) * 1000;
330milliwait(&itval);
331}
332
333
334
335/*************************************************
336* Compare microsecond times *
337*************************************************/
338
339/*
340Arguments:
341 tv1 the first time
342 tv2 the second time
343
344Returns: -1, 0, or +1
345*/
346
32dfdf8b 347static int
059ec3d9
PH
348exim_tvcmp(struct timeval *t1, struct timeval *t2)
349{
350if (t1->tv_sec > t2->tv_sec) return +1;
351if (t1->tv_sec < t2->tv_sec) return -1;
352if (t1->tv_usec > t2->tv_usec) return +1;
353if (t1->tv_usec < t2->tv_usec) return -1;
354return 0;
355}
356
357
358
359
360/*************************************************
361* Clock tick wait function *
362*************************************************/
363
364/* Exim uses a time + a pid to generate a unique identifier in two places: its
365message IDs, and in file names for maildir deliveries. Because some OS now
366re-use pids within the same second, sub-second times are now being used.
4c04137d 367However, for absolute certainty, we must ensure the clock has ticked before
059ec3d9
PH
368allowing the relevant process to complete. At the time of implementation of
369this code (February 2003), the speed of processors is such that the clock will
370invariably have ticked already by the time a process has done its job. This
371function prepares for the time when things are faster - and it also copes with
372clocks that go backwards.
373
374Arguments:
375 then_tv A timeval which was used to create uniqueness; its usec field
376 has been rounded down to the value of the resolution.
377 We want to be sure the current time is greater than this.
378 resolution The resolution that was used to divide the microseconds
379 (1 for maildir, larger for message ids)
380
381Returns: nothing
382*/
383
384void
385exim_wait_tick(struct timeval *then_tv, int resolution)
386{
387struct timeval now_tv;
388long int now_true_usec;
389
390(void)gettimeofday(&now_tv, NULL);
391now_true_usec = now_tv.tv_usec;
392now_tv.tv_usec = (now_true_usec/resolution) * resolution;
393
394if (exim_tvcmp(&now_tv, then_tv) <= 0)
395 {
396 struct itimerval itval;
397 itval.it_interval.tv_sec = 0;
398 itval.it_interval.tv_usec = 0;
399 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
400 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
401
402 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
403 negative value for the microseconds is possible only in the case when "now"
404 is more than a second less than "then". That means that itval.it_value.tv_sec
405 is greater than zero. The following correction is therefore safe. */
406
407 if (itval.it_value.tv_usec < 0)
408 {
409 itval.it_value.tv_usec += 1000000;
410 itval.it_value.tv_sec -= 1;
411 }
412
413 DEBUG(D_transport|D_receive)
414 {
415 if (!running_in_test_harness)
416 {
d0291a0a 417 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
7437665e
JH
418 then_tv->tv_sec, (long) then_tv->tv_usec,
419 now_tv.tv_sec, (long) now_tv.tv_usec);
d0291a0a
JH
420 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
421 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
059ec3d9
PH
422 }
423 }
424
425 milliwait(&itval);
426 }
427}
428
429
430
431
432/*************************************************
2632889e
PH
433* Call fopen() with umask 777 and adjust mode *
434*************************************************/
435
436/* Exim runs with umask(0) so that files created with open() have the mode that
437is specified in the open() call. However, there are some files, typically in
438the spool directory, that are created with fopen(). They end up world-writeable
439if no precautions are taken. Although the spool directory is not accessible to
440the world, this is an untidiness. So this is a wrapper function for fopen()
441that sorts out the mode of the created file.
442
443Arguments:
444 filename the file name
445 options the fopen() options
446 mode the required mode
447
448Returns: the fopened FILE or NULL
449*/
450
451FILE *
1ba28e2b 452modefopen(const uschar *filename, const char *options, mode_t mode)
2632889e 453{
67d175de
PH
454mode_t saved_umask = umask(0777);
455FILE *f = Ufopen(filename, options);
456(void)umask(saved_umask);
2632889e
PH
457if (f != NULL) (void)fchmod(fileno(f), mode);
458return f;
459}
460
461
462
463
464/*************************************************
059ec3d9
PH
465* Ensure stdin, stdout, and stderr exist *
466*************************************************/
467
468/* Some operating systems grumble if an exec() happens without a standard
469input, output, and error (fds 0, 1, 2) being defined. The worry is that some
470file will be opened and will use these fd values, and then some other bit of
471code will assume, for example, that it can write error messages to stderr.
472This function ensures that fds 0, 1, and 2 are open if they do not already
473exist, by connecting them to /dev/null.
474
475This function is also used to ensure that std{in,out,err} exist at all times,
476so that if any library that Exim calls tries to use them, it doesn't crash.
477
478Arguments: None
479Returns: Nothing
480*/
481
482void
483exim_nullstd(void)
484{
485int i;
486int devnull = -1;
487struct stat statbuf;
488for (i = 0; i <= 2; i++)
489 {
490 if (fstat(i, &statbuf) < 0 && errno == EBADF)
491 {
492 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
493 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
494 string_open_failed(errno, "/dev/null"));
1fe64dcc 495 if (devnull != i) (void)dup2(devnull, i);
059ec3d9
PH
496 }
497 }
1fe64dcc 498if (devnull > 2) (void)close(devnull);
059ec3d9
PH
499}
500
501
502
503
504/*************************************************
505* Close unwanted file descriptors for delivery *
506*************************************************/
507
508/* This function is called from a new process that has been forked to deliver
509an incoming message, either directly, or using exec.
510
511We want any smtp input streams to be closed in this new process. However, it
512has been observed that using fclose() here causes trouble. When reading in -bS
513input, duplicate copies of messages have been seen. The files will be sharing a
514file pointer with the parent process, and it seems that fclose() (at least on
515some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
516least sometimes. Hence we go for closing the underlying file descriptors.
517
518If TLS is active, we want to shut down the TLS library, but without molesting
519the parent's SSL connection.
520
521For delivery of a non-SMTP message, we want to close stdin and stdout (and
522stderr unless debugging) because the calling process might have set them up as
523pipes and be waiting for them to close before it waits for the submission
524process to terminate. If they aren't closed, they hold up the calling process
525until the initial delivery process finishes, which is not what we want.
526
527Exception: We do want it for synchronous delivery!
528
529And notwithstanding all the above, if D_resolver is set, implying resolver
530debugging, leave stdout open, because that's where the resolver writes its
531debugging output.
532
533When we close stderr (which implies we've also closed stdout), we also get rid
534of any controlling terminal.
535
536Arguments: None
537Returns: Nothing
538*/
539
540static void
541close_unwanted(void)
542{
543if (smtp_input)
544 {
545 #ifdef SUPPORT_TLS
a400eccf 546 tls_close(TRUE, FALSE); /* Shut down the TLS library */
059ec3d9 547 #endif
1fe64dcc
PH
548 (void)close(fileno(smtp_in));
549 (void)close(fileno(smtp_out));
059ec3d9
PH
550 smtp_in = NULL;
551 }
552else
553 {
1fe64dcc
PH
554 (void)close(0); /* stdin */
555 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
556 if (debug_selector == 0) /* stderr */
059ec3d9
PH
557 {
558 if (!synchronous_delivery)
559 {
1fe64dcc 560 (void)close(2);
059ec3d9
PH
561 log_stderr = NULL;
562 }
563 (void)setsid();
564 }
565 }
566}
567
568
569
570
571/*************************************************
572* Set uid and gid *
573*************************************************/
574
575/* This function sets a new uid and gid permanently, optionally calling
576initgroups() to set auxiliary groups. There are some special cases when running
577Exim in unprivileged modes. In these situations the effective uid will not be
578root; if we already have the right effective uid/gid, and don't need to
579initialize any groups, leave things as they are.
580
581Arguments:
582 uid the uid
583 gid the gid
584 igflag TRUE if initgroups() wanted
585 msg text to use in debugging output and failure log
586
587Returns: nothing; bombs out on failure
588*/
589
590void
591exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
592{
593uid_t euid = geteuid();
594gid_t egid = getegid();
595
596if (euid == root_uid || euid != uid || egid != gid || igflag)
597 {
598 /* At least one OS returns +1 for initgroups failure, so just check for
599 non-zero. */
600
601 if (igflag)
602 {
603 struct passwd *pw = getpwuid(uid);
604 if (pw != NULL)
605 {
606 if (initgroups(pw->pw_name, gid) != 0)
607 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
608 (long int)uid, strerror(errno));
609 }
610 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
611 "no passwd entry for uid=%ld", (long int)uid);
612 }
613
614 if (setgid(gid) < 0 || setuid(uid) < 0)
615 {
616 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
617 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
618 }
619 }
620
621/* Debugging output included uid/gid and all groups */
622
623DEBUG(D_uid)
624 {
cd59ab18 625 int group_count, save_errno;
059ec3d9
PH
626 gid_t group_list[NGROUPS_MAX];
627 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
628 (long int)geteuid(), (long int)getegid(), (long int)getpid());
629 group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18 630 save_errno = errno;
059ec3d9
PH
631 debug_printf(" auxiliary group list:");
632 if (group_count > 0)
633 {
634 int i;
635 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
636 }
cd59ab18
PP
637 else if (group_count < 0)
638 debug_printf(" <error: %s>", strerror(save_errno));
059ec3d9
PH
639 else debug_printf(" <none>");
640 debug_printf("\n");
641 }
642}
643
644
645
646
647/*************************************************
648* Exit point *
649*************************************************/
650
651/* Exim exits via this function so that it always clears up any open
652databases.
653
654Arguments:
655 rc return code
656
657Returns: does not return
658*/
659
660void
9bfb7e1b 661exim_exit(int rc, const uschar * process)
059ec3d9
PH
662{
663search_tidyup();
664DEBUG(D_any)
9bfb7e1b
JH
665 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
666 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
667 process ? "(" : "", process, process ? ") " : "", rc);
059ec3d9
PH
668exit(rc);
669}
670
671
672
673
674/*************************************************
675* Extract port from host address *
676*************************************************/
677
678/* Called to extract the port from the values given to -oMa and -oMi.
b90c388a
PH
679It also checks the syntax of the address, and terminates it before the
680port data when a port is extracted.
059ec3d9
PH
681
682Argument:
683 address the address, with possible port on the end
684
685Returns: the port, or zero if there isn't one
686 bombs out on a syntax error
687*/
688
689static int
690check_port(uschar *address)
691{
7cd1141b 692int port = host_address_extract_port(address);
8e669ac1 693if (string_is_ip_address(address, NULL) == 0)
059ec3d9
PH
694 {
695 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
696 exit(EXIT_FAILURE);
697 }
698return port;
699}
700
701
702
703/*************************************************
704* Test/verify an address *
705*************************************************/
706
707/* This function is called by the -bv and -bt code. It extracts a working
708address from a full RFC 822 address. This isn't really necessary per se, but it
709has the effect of collapsing source routes.
710
711Arguments:
712 s the address string
713 flags flag bits for verify_address()
714 exit_value to be set for failures
715
a5a28604 716Returns: nothing
059ec3d9
PH
717*/
718
719static void
720test_address(uschar *s, int flags, int *exit_value)
721{
722int start, end, domain;
723uschar *parse_error = NULL;
724uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
725 FALSE);
726if (address == NULL)
727 {
728 fprintf(stdout, "syntax error: %s\n", parse_error);
729 *exit_value = 2;
730 }
731else
732 {
733 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
4deaf07d 734 -1, -1, NULL, NULL, NULL);
059ec3d9
PH
735 if (rc == FAIL) *exit_value = 2;
736 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
737 }
738}
739
740
741
742/*************************************************
059ec3d9
PH
743* Show supported features *
744*************************************************/
745
4b2241d2
PP
746/* This function is called for -bV/--version and for -d to output the optional
747features of the current Exim binary.
059ec3d9
PH
748
749Arguments: a FILE for printing
750Returns: nothing
751*/
752
753static void
754show_whats_supported(FILE *f)
755{
44bbabb5
PP
756 auth_info *authi;
757
059ec3d9
PH
758#ifdef DB_VERSION_STRING
759fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
760#elif defined(BTREEVERSION) && defined(HASHVERSION)
761 #ifdef USE_DB
762 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
763 #else
764 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
765 #endif
766#elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
767fprintf(f, "Probably ndbm\n");
768#elif defined(USE_TDB)
769fprintf(f, "Using tdb\n");
770#else
771 #ifdef USE_GDBM
772 fprintf(f, "Probably GDBM (native mode)\n");
773 #else
774 fprintf(f, "Probably GDBM (compatibility mode)\n");
775 #endif
776#endif
777
778fprintf(f, "Support for:");
9cec981f
PH
779#ifdef SUPPORT_CRYPTEQ
780 fprintf(f, " crypteq");
781#endif
059ec3d9
PH
782#if HAVE_ICONV
783 fprintf(f, " iconv()");
784#endif
785#if HAVE_IPV6
786 fprintf(f, " IPv6");
787#endif
79378e0f
PH
788#ifdef HAVE_SETCLASSRESOURCES
789 fprintf(f, " use_setclassresources");
929ba01c 790#endif
059ec3d9
PH
791#ifdef SUPPORT_PAM
792 fprintf(f, " PAM");
793#endif
794#ifdef EXIM_PERL
795 fprintf(f, " Perl");
796#endif
1a46a8c5
PH
797#ifdef EXPAND_DLFUNC
798 fprintf(f, " Expand_dlfunc");
799#endif
059ec3d9
PH
800#ifdef USE_TCP_WRAPPERS
801 fprintf(f, " TCPwrappers");
802#endif
803#ifdef SUPPORT_TLS
c11d665d 804# ifdef USE_GNUTLS
059ec3d9 805 fprintf(f, " GnuTLS");
c11d665d 806# else
059ec3d9 807 fprintf(f, " OpenSSL");
c11d665d 808# endif
059ec3d9 809#endif
b2f5a032
PH
810#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
811 fprintf(f, " translate_ip_address");
812#endif
f174f16e
PH
813#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
814 fprintf(f, " move_frozen_messages");
815#endif
8523533c
TK
816#ifdef WITH_CONTENT_SCAN
817 fprintf(f, " Content_Scanning");
818#endif
74f150bf
JH
819#ifndef DISABLE_DKIM
820 fprintf(f, " DKIM");
821#endif
ef1bbb27
HSHR
822#ifndef DISABLE_DNSSEC
823 fprintf(f, " DNSSEC");
824#endif
0cbf2b82
JH
825#ifndef DISABLE_EVENT
826 fprintf(f, " Event");
827#endif
8c5d388a
JH
828#ifdef SUPPORT_I18N
829 fprintf(f, " I18N");
830#endif
74f150bf
JH
831#ifndef DISABLE_OCSP
832 fprintf(f, " OCSP");
833#endif
4d832da1
TL
834#ifndef DISABLE_PRDR
835 fprintf(f, " PRDR");
836#endif
cee5f132
JH
837#ifdef SUPPORT_PROXY
838 fprintf(f, " PROXY");
839#endif
f0989ec0 840#ifdef SUPPORT_SOCKS
74f150bf 841 fprintf(f, " SOCKS");
f2de3a33 842#endif
7952eef9
JH
843#ifdef SUPPORT_SPF
844 fprintf(f, " SPF");
845#endif
1a2dfad5 846#ifdef TCP_FASTOPEN
10ac8d7f
JH
847 deliver_init();
848 if (tcp_fastopen_ok) fprintf(f, " TCP_Fast_Open");
1a2dfad5 849#endif
5bde3efa
ACK
850#ifdef EXPERIMENTAL_LMDB
851 fprintf(f, " Experimental_LMDB");
852#endif
3369a853
ACK
853#ifdef EXPERIMENTAL_QUEUEFILE
854 fprintf(f, " Experimental_QUEUEFILE");
855#endif
8523533c
TK
856#ifdef EXPERIMENTAL_SRS
857 fprintf(f, " Experimental_SRS");
858#endif
859#ifdef EXPERIMENTAL_BRIGHTMAIL
860 fprintf(f, " Experimental_Brightmail");
861#endif
043b1248
JH
862#ifdef EXPERIMENTAL_DANE
863 fprintf(f, " Experimental_DANE");
864#endif
6a8f9482
TK
865#ifdef EXPERIMENTAL_DCC
866 fprintf(f, " Experimental_DCC");
867#endif
4840604e
TL
868#ifdef EXPERIMENTAL_DMARC
869 fprintf(f, " Experimental_DMARC");
870#endif
895fbaf2
JH
871#ifdef EXPERIMENTAL_DSN_INFO
872 fprintf(f, " Experimental_DSN_info");
873#endif
059ec3d9
PH
874fprintf(f, "\n");
875
e6d225ae
DW
876fprintf(f, "Lookups (built-in):");
877#if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
059ec3d9
PH
878 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
879#endif
e6d225ae 880#if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
059ec3d9
PH
881 fprintf(f, " cdb");
882#endif
e6d225ae 883#if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
4a6a987a 884 fprintf(f, " dbm dbmjz dbmnz");
059ec3d9 885#endif
e6d225ae 886#if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
059ec3d9
PH
887 fprintf(f, " dnsdb");
888#endif
e6d225ae 889#if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
059ec3d9
PH
890 fprintf(f, " dsearch");
891#endif
e6d225ae 892#if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
059ec3d9
PH
893 fprintf(f, " ibase");
894#endif
e6d225ae 895#if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
059ec3d9
PH
896 fprintf(f, " ldap ldapdn ldapm");
897#endif
5bde3efa
ACK
898#ifdef EXPERIMENTAL_LMDB
899 fprintf(f, " lmdb");
900#endif
e6d225ae 901#if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
059ec3d9
PH
902 fprintf(f, " mysql");
903#endif
e6d225ae 904#if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
059ec3d9
PH
905 fprintf(f, " nis nis0");
906#endif
e6d225ae 907#if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
059ec3d9
PH
908 fprintf(f, " nisplus");
909#endif
e6d225ae 910#if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
059ec3d9
PH
911 fprintf(f, " oracle");
912#endif
e6d225ae 913#if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
059ec3d9
PH
914 fprintf(f, " passwd");
915#endif
e6d225ae 916#if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
059ec3d9
PH
917 fprintf(f, " pgsql");
918#endif
de78e2d5
JH
919#if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
920 fprintf(f, " redis");
921#endif
e6d225ae 922#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
13b685f9
PH
923 fprintf(f, " sqlite");
924#endif
e6d225ae 925#if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
059ec3d9
PH
926 fprintf(f, " testdb");
927#endif
e6d225ae 928#if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
059ec3d9
PH
929 fprintf(f, " whoson");
930#endif
931fprintf(f, "\n");
932
adf73d37
JH
933auth_show_supported(f);
934route_show_supported(f);
935transport_show_supported(f);
059ec3d9 936
c11d665d
JH
937#ifdef WITH_CONTENT_SCAN
938malware_show_supported(f);
939#endif
940
059ec3d9
PH
941if (fixed_never_users[0] > 0)
942 {
943 int i;
944 fprintf(f, "Fixed never_users: ");
945 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
946 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
947 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
948 }
21c28500 949
19bfe9e7
HSHR
950fprintf(f, "Configure owner: %d:%d\n", config_uid, config_gid);
951
73a46702 952fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
36f12725 953
6545de78
PP
954/* Everything else is details which are only worth reporting when debugging.
955Perhaps the tls_version_report should move into this too. */
956DEBUG(D_any) do {
957
958 int i;
959
b3c261f7
PP
960/* clang defines __GNUC__ (at least, for me) so test for it first */
961#if defined(__clang__)
962 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
963#elif defined(__GNUC__)
964 fprintf(f, "Compiler: GCC [%s]\n",
965# ifdef __VERSION__
966 __VERSION__
967# else
968 "? unknown version ?"
969# endif
970 );
971#else
972 fprintf(f, "Compiler: <unknown>\n");
973#endif
974
98913c8e 975#if defined(__GLIBC__) && !defined(__UCLIBC__)
01f3091a
JH
976 fprintf(f, "Library version: Glibc: Compile: %d.%d\n",
977 __GLIBC__, __GLIBC_MINOR__);
978 if (__GLIBC_PREREQ(2, 1))
979 fprintf(f, " Runtime: %s\n",
980 gnu_get_libc_version());
981#endif
982
754a0503
PP
983#ifdef SUPPORT_TLS
984 tls_version_report(f);
985#endif
8c5d388a 986#ifdef SUPPORT_I18N
b04be5e7
JH
987 utf8_version_report(f);
988#endif
754a0503 989
fc362fc5
JH
990 for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
991 if (authi->version_report)
44bbabb5 992 (*authi->version_report)(f);
6545de78 993
decd95cb 994 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
6475bd82
PP
995 characters; unless it's an ancient version of PCRE in which case it
996 is not defined. */
997#ifndef PCRE_PRERELEASE
01f3091a 998# define PCRE_PRERELEASE
6475bd82
PP
999#endif
1000#define QUOTE(X) #X
1001#define EXPAND_AND_QUOTE(X) QUOTE(X)
6545de78
PP
1002 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
1003 " Runtime: %s\n",
1004 PCRE_MAJOR, PCRE_MINOR,
6475bd82 1005 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
6545de78 1006 pcre_version());
6475bd82
PP
1007#undef QUOTE
1008#undef EXPAND_AND_QUOTE
6545de78
PP
1009
1010 init_lookup_list();
1011 for (i = 0; i < lookup_list_count; i++)
6545de78
PP
1012 if (lookup_list[i]->version_report)
1013 lookup_list[i]->version_report(f);
6545de78 1014
b70d2586
PP
1015#ifdef WHITELIST_D_MACROS
1016 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1017#else
1018 fprintf(f, "WHITELIST_D_MACROS unset\n");
1019#endif
1020#ifdef TRUSTED_CONFIG_LIST
1021 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1022#else
1023 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
1024#endif
1025
6545de78 1026} while (0);
059ec3d9
PH
1027}
1028
1029
98a90c36
PP
1030/*************************************************
1031* Show auxiliary information about Exim *
1032*************************************************/
1033
1034static void
1035show_exim_information(enum commandline_info request, FILE *stream)
1036{
1037const uschar **pp;
1038
1039switch(request)
1040 {
1041 case CMDINFO_NONE:
1042 fprintf(stream, "Oops, something went wrong.\n");
1043 return;
1044 case CMDINFO_HELP:
1045 fprintf(stream,
1046"The -bI: flag takes a string indicating which information to provide.\n"
1047"If the string is not recognised, you'll get this help (on stderr).\n"
1048"\n"
1049" exim -bI:help this information\n"
030caf2a
JS
1050" exim -bI:dscp list of known dscp value keywords\n"
1051" exim -bI:sieve list of supported sieve extensions\n"
98a90c36
PP
1052);
1053 return;
1054 case CMDINFO_SIEVE:
1055 for (pp = exim_sieve_extension_list; *pp; ++pp)
1056 fprintf(stream, "%s\n", *pp);
1057 return;
36a3ae5f
PP
1058 case CMDINFO_DSCP:
1059 dscp_list_to_stream(stream);
1060 return;
98a90c36
PP
1061 }
1062}
059ec3d9
PH
1063
1064
1065/*************************************************
1066* Quote a local part *
1067*************************************************/
1068
1069/* This function is used when a sender address or a From: or Sender: header
1070line is being created from the caller's login, or from an authenticated_id. It
1071applies appropriate quoting rules for a local part.
1072
1073Argument: the local part
1074Returns: the local part, quoted if necessary
1075*/
1076
1077uschar *
1078local_part_quote(uschar *lpart)
1079{
1080BOOL needs_quote = FALSE;
acec9514 1081gstring * g;
059ec3d9
PH
1082uschar *t;
1083
1084for (t = lpart; !needs_quote && *t != 0; t++)
1085 {
1086 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1087 (*t != '.' || t == lpart || t[1] == 0);
1088 }
1089
1090if (!needs_quote) return lpart;
1091
acec9514 1092g = string_catn(NULL, US"\"", 1);
059ec3d9
PH
1093
1094for (;;)
1095 {
1096 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1097 if (nq == NULL)
1098 {
acec9514 1099 g = string_cat(g, lpart);
059ec3d9
PH
1100 break;
1101 }
acec9514
JH
1102 g = string_catn(g, lpart, nq - lpart);
1103 g = string_catn(g, US"\\", 1);
1104 g = string_catn(g, nq, 1);
059ec3d9
PH
1105 lpart = nq + 1;
1106 }
1107
acec9514
JH
1108g = string_catn(g, US"\"", 1);
1109return string_from_gstring(g);
059ec3d9
PH
1110}
1111
1112
1113
1114#ifdef USE_READLINE
1115/*************************************************
1116* Load readline() functions *
1117*************************************************/
1118
1119/* This function is called from testing executions that read data from stdin,
1120but only when running as the calling user. Currently, only -be does this. The
1121function loads the readline() function library and passes back the functions.
1122On some systems, it needs the curses library, so load that too, but try without
1123it if loading fails. All this functionality has to be requested at build time.
1124
1125Arguments:
1126 fn_readline_ptr pointer to where to put the readline pointer
1127 fn_addhist_ptr pointer to where to put the addhistory function
1128
1129Returns: the dlopen handle or NULL on failure
1130*/
1131
1132static void *
1ba28e2b
PP
1133set_readline(char * (**fn_readline_ptr)(const char *),
1134 void (**fn_addhist_ptr)(const char *))
059ec3d9
PH
1135{
1136void *dlhandle;
e12f8c32 1137void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
059ec3d9 1138
e12f8c32 1139dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
059ec3d9
PH
1140if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1141
1142if (dlhandle != NULL)
1143 {
1ba28e2b
PP
1144 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1145 * char * readline (const char *prompt);
1146 * void add_history (const char *string);
1147 */
1148 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1149 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
059ec3d9
PH
1150 }
1151else
1152 {
1153 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1154 }
1155
1156return dlhandle;
1157}
1158#endif
1159
1160
1161
1162/*************************************************
1163* Get a line from stdin for testing things *
1164*************************************************/
1165
1166/* This function is called when running tests that can take a number of lines
1167of input (for example, -be and -bt). It handles continuations and trailing
1168spaces. And prompting and a blank line output on eof. If readline() is in use,
1169the arguments are non-NULL and provide the relevant functions.
1170
1171Arguments:
1172 fn_readline readline function or NULL
1173 fn_addhist addhist function or NULL
1174
1175Returns: pointer to dynamic memory, or NULL at end of file
1176*/
1177
1178static uschar *
1ba28e2b 1179get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
059ec3d9
PH
1180{
1181int i;
acec9514 1182gstring * g = NULL;
059ec3d9 1183
acec9514 1184if (!fn_readline) { printf("> "); fflush(stdout); }
059ec3d9
PH
1185
1186for (i = 0;; i++)
1187 {
1188 uschar buffer[1024];
1189 uschar *p, *ss;
1190
1191 #ifdef USE_READLINE
1192 char *readline_line = NULL;
1193 if (fn_readline != NULL)
1194 {
1195 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1196 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1197 p = US readline_line;
1198 }
1199 else
1200 #endif
1201
1202 /* readline() not in use */
1203
1204 {
1205 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1206 p = buffer;
1207 }
1208
1209 /* Handle the line */
1210
1211 ss = p + (int)Ustrlen(p);
1212 while (ss > p && isspace(ss[-1])) ss--;
1213
1214 if (i > 0)
1215 {
1216 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1217 }
1218
acec9514 1219 g = string_catn(g, p, ss - p);
059ec3d9
PH
1220
1221 #ifdef USE_READLINE
acec9514 1222 if (fn_readline) free(readline_line);
059ec3d9
PH
1223 #endif
1224
acec9514
JH
1225 /* g can only be NULL if ss==p */
1226 if (ss == p || g->s[g->ptr-1] != '\\')
059ec3d9 1227 break;
acec9514
JH
1228
1229 --g->ptr;
1230 (void) string_from_gstring(g);
059ec3d9
PH
1231 }
1232
acec9514
JH
1233if (!g) printf("\n");
1234return string_from_gstring(g);
059ec3d9
PH
1235}
1236
1237
1238
1239/*************************************************
81ea09ca
NM
1240* Output usage information for the program *
1241*************************************************/
1242
1243/* This function is called when there are no recipients
1244 or a specific --help argument was added.
1245
1246Arguments:
1247 progname information on what name we were called by
1248
1249Returns: DOES NOT RETURN
1250*/
1251
1252static void
1253exim_usage(uschar *progname)
1254{
1255
4c04137d 1256/* Handle specific program invocation variants */
81ea09ca
NM
1257if (Ustrcmp(progname, US"-mailq") == 0)
1258 {
1259 fprintf(stderr,
e765a0f1 1260 "mailq - list the contents of the mail queue\n\n"
81ea09ca
NM
1261 "For a list of options, see the Exim documentation.\n");
1262 exit(EXIT_FAILURE);
1263 }
1264
1265/* Generic usage - we output this whatever happens */
1266fprintf(stderr,
1267 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1268 "not directly from a shell command line. Options and/or arguments control\n"
1269 "what it does when called. For a list of options, see the Exim documentation.\n");
1270
1271exit(EXIT_FAILURE);
1272}
1273
1274
1275
1276/*************************************************
a7cbbf50
PP
1277* Validate that the macros given are okay *
1278*************************************************/
1279
1280/* Typically, Exim will drop privileges if macros are supplied. In some
1281cases, we want to not do so.
1282
a4034eb8 1283Arguments: opt_D_used - true if the commandline had a "-D" option
a7cbbf50
PP
1284Returns: true if trusted, false otherwise
1285*/
1286
1287static BOOL
a4034eb8 1288macros_trusted(BOOL opt_D_used)
a7cbbf50
PP
1289{
1290#ifdef WHITELIST_D_MACROS
1291macro_item *m;
1292uschar *whitelisted, *end, *p, **whites, **w;
1293int white_count, i, n;
1294size_t len;
1295BOOL prev_char_item, found;
1296#endif
1297
a4034eb8 1298if (!opt_D_used)
a7cbbf50
PP
1299 return TRUE;
1300#ifndef WHITELIST_D_MACROS
1301return FALSE;
1302#else
1303
66581d1e
PP
1304/* We only trust -D overrides for some invoking users:
1305root, the exim run-time user, the optional config owner user.
1306I don't know why config-owner would be needed, but since they can own the
1307config files anyway, there's no security risk to letting them override -D. */
1308if ( ! ((real_uid == root_uid)
1309 || (real_uid == exim_uid)
1310#ifdef CONFIGURE_OWNER
1311 || (real_uid == config_uid)
1312#endif
1313 ))
1314 {
1315 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1316 return FALSE;
1317 }
1318
a7cbbf50
PP
1319/* Get a list of macros which are whitelisted */
1320whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1321prev_char_item = FALSE;
1322white_count = 0;
1323for (p = whitelisted; *p != '\0'; ++p)
1324 {
1325 if (*p == ':' || isspace(*p))
1326 {
1327 *p = '\0';
1328 if (prev_char_item)
1329 ++white_count;
1330 prev_char_item = FALSE;
1331 continue;
1332 }
1333 if (!prev_char_item)
1334 prev_char_item = TRUE;
1335 }
1336end = p;
1337if (prev_char_item)
1338 ++white_count;
1339if (!white_count)
1340 return FALSE;
1341whites = store_malloc(sizeof(uschar *) * (white_count+1));
1342for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1343 {
1344 if (*p != '\0')
1345 {
1346 whites[i++] = p;
1347 if (i == white_count)
1348 break;
1349 while (*p != '\0' && p < end)
1350 ++p;
1351 }
1352 }
1353whites[i] = NULL;
1354
c193398d
JH
1355/* The list of commandline macros should be very short.
1356Accept the N*M complexity. */
1357for (m = macros; m; m = m->next) if (m->command_line)
a7cbbf50
PP
1358 {
1359 found = FALSE;
1360 for (w = whites; *w; ++w)
1361 if (Ustrcmp(*w, m->name) == 0)
1362 {
1363 found = TRUE;
1364 break;
1365 }
1366 if (!found)
1367 return FALSE;
b8f899cf 1368 if (!m->replacement)
a7cbbf50 1369 continue;
b8f899cf 1370 if ((len = m->replen) == 0)
a7cbbf50
PP
1371 continue;
1372 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1373 0, PCRE_EOPT, NULL, 0);
1374 if (n < 0)
1375 {
1376 if (n != PCRE_ERROR_NOMATCH)
1377 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1378 return FALSE;
1379 }
1380 }
43236f35 1381DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
a7cbbf50
PP
1382return TRUE;
1383#endif
1384}
1385
1386
1387/*************************************************
9650d98a
JH
1388* Expansion testing *
1389*************************************************/
1390
1391/* Expand and print one item, doing macro-processing.
1392
1393Arguments:
1394 item line for expansion
1395*/
1396
1397static void
1398expansion_test_line(uschar * line)
1399{
1400int len;
1401BOOL dummy_macexp;
1402
1403Ustrncpy(big_buffer, line, big_buffer_size);
1404big_buffer[big_buffer_size-1] = '\0';
1405len = Ustrlen(big_buffer);
1406
1407(void) macros_expand(0, &len, &dummy_macexp);
1408
1409if (isupper(big_buffer[0]))
1410 {
1411 if (macro_read_assignment(big_buffer))
1412 printf("Defined macro '%s'\n", mlast->name);
1413 }
1414else
1415 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1416 else printf("Failed: %s\n", expand_string_message);
1417}
1418
1419
1420/*************************************************
059ec3d9
PH
1421* Entry point and high-level code *
1422*************************************************/
1423
1424/* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1425the appropriate action. All the necessary functions are present in the one
1426binary. I originally thought one should split it up, but it turns out that so
1427much of the apparatus is needed in each chunk that one might as well just have
1428it all available all the time, which then makes the coding easier as well.
1429
1430Arguments:
1431 argc count of entries in argv
1432 argv argument strings, with argv[0] being the program name
1433
1434Returns: EXIT_SUCCESS if terminated successfully
1435 EXIT_FAILURE otherwise, except when a message has been sent
1436 to the sender, and -oee was given
1437*/
1438
1439int
1440main(int argc, char **cargv)
1441{
1442uschar **argv = USS cargv;
1443int arg_receive_timeout = -1;
1444int arg_smtp_receive_timeout = -1;
1445int arg_error_handling = error_handling;
f05da2e8
PH
1446int filter_sfd = -1;
1447int filter_ufd = -1;
059ec3d9 1448int group_count;
1670ef10 1449int i, rv;
059ec3d9
PH
1450int list_queue_option = 0;
1451int msg_action = 0;
1452int msg_action_arg = -1;
1453int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1454int queue_only_reason = 0;
1455#ifdef EXIM_PERL
1456int perl_start_option = 0;
1457#endif
1458int recipients_arg = argc;
1459int sender_address_domain = 0;
1460int test_retry_arg = -1;
1461int test_rewrite_arg = -1;
1462BOOL arg_queue_only = FALSE;
1463BOOL bi_option = FALSE;
1464BOOL checking = FALSE;
1465BOOL count_queue = FALSE;
1466BOOL expansion_test = FALSE;
1467BOOL extract_recipients = FALSE;
f4ee74ac 1468BOOL flag_G = FALSE;
12f69989 1469BOOL flag_n = FALSE;
059ec3d9
PH
1470BOOL forced_delivery = FALSE;
1471BOOL f_end_dot = FALSE;
1472BOOL deliver_give_up = FALSE;
1473BOOL list_queue = FALSE;
1474BOOL list_options = FALSE;
bf3c2c6b 1475BOOL list_config = FALSE;
059ec3d9
PH
1476BOOL local_queue_only;
1477BOOL more = TRUE;
1478BOOL one_msg_action = FALSE;
4ab69ec7 1479BOOL opt_D_used = FALSE;
059ec3d9
PH
1480BOOL queue_only_set = FALSE;
1481BOOL receiving_message = TRUE;
33d73e3b 1482BOOL sender_ident_set = FALSE;
8669f003 1483BOOL session_local_queue_only;
059ec3d9
PH
1484BOOL unprivileged;
1485BOOL removed_privilege = FALSE;
81ea09ca 1486BOOL usage_wanted = FALSE;
059ec3d9
PH
1487BOOL verify_address_mode = FALSE;
1488BOOL verify_as_sender = FALSE;
1489BOOL version_printed = FALSE;
1490uschar *alias_arg = NULL;
1491uschar *called_as = US"";
a3fb9793 1492uschar *cmdline_syslog_name = NULL;
059ec3d9
PH
1493uschar *start_queue_run_id = NULL;
1494uschar *stop_queue_run_id = NULL;
328895cc 1495uschar *expansion_test_message = NULL;
059ec3d9
PH
1496uschar *ftest_domain = NULL;
1497uschar *ftest_localpart = NULL;
1498uschar *ftest_prefix = NULL;
1499uschar *ftest_suffix = NULL;
0ad2e0fc 1500uschar *log_oneline = NULL;
8544e77a 1501uschar *malware_test_file = NULL;
059ec3d9
PH
1502uschar *real_sender_address;
1503uschar *originator_home = US"/";
a3fb9793 1504size_t sz;
059ec3d9
PH
1505void *reset_point;
1506
1507struct passwd *pw;
1508struct stat statbuf;
1509pid_t passed_qr_pid = (pid_t)0;
1510int passed_qr_pipe = -1;
1511gid_t group_list[NGROUPS_MAX];
1512
98a90c36
PP
1513/* For the -bI: flag */
1514enum commandline_info info_flag = CMDINFO_NONE;
1515BOOL info_stdout = FALSE;
1516
059ec3d9
PH
1517/* Possible options for -R and -S */
1518
1519static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1520
1521/* Need to define this in case we need to change the environment in order
1522to get rid of a bogus time zone. We have to make it char rather than uschar
1523because some OS define it in /usr/include/unistd.h. */
1524
1525extern char **environ;
1526
35edf2ff 1527/* If the Exim user and/or group and/or the configuration file owner/group were
059ec3d9
PH
1528defined by ref:name at build time, we must now find the actual uid/gid values.
1529This is a feature to make the lives of binary distributors easier. */
1530
1531#ifdef EXIM_USERNAME
1532if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1533 {
10385c15
PP
1534 if (exim_uid == 0)
1535 {
1536 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1537 EXIM_USERNAME);
1538 exit(EXIT_FAILURE);
1539 }
084c1d8c
PP
1540 /* If ref:name uses a number as the name, route_finduser() returns
1541 TRUE with exim_uid set and pw coerced to NULL. */
1542 if (pw)
1543 exim_gid = pw->pw_gid;
1544#ifndef EXIM_GROUPNAME
1545 else
1546 {
1547 fprintf(stderr,
1548 "exim: ref:name should specify a usercode, not a group.\n"
1549 "exim: can't let you get away with it unless you also specify a group.\n");
1550 exit(EXIT_FAILURE);
1551 }
1552#endif
059ec3d9
PH
1553 }
1554else
1555 {
1556 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1557 EXIM_USERNAME);
1558 exit(EXIT_FAILURE);
1559 }
1560#endif
1561
1562#ifdef EXIM_GROUPNAME
1563if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1564 {
1565 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1566 EXIM_GROUPNAME);
1567 exit(EXIT_FAILURE);
1568 }
1569#endif
1570
1571#ifdef CONFIGURE_OWNERNAME
1572if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1573 {
1574 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1575 CONFIGURE_OWNERNAME);
1576 exit(EXIT_FAILURE);
1577 }
1578#endif
1579
79d4bc3d
PP
1580/* We default the system_filter_user to be the Exim run-time user, as a
1581sane non-root value. */
1582system_filter_uid = exim_uid;
1583
35edf2ff
PH
1584#ifdef CONFIGURE_GROUPNAME
1585if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1586 {
1587 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1588 CONFIGURE_GROUPNAME);
1589 exit(EXIT_FAILURE);
1590 }
1591#endif
1592
92e6a3d9
JH
1593/* In the Cygwin environment, some initialization used to need doing.
1594It was fudged in by means of this macro; now no longer but we'll leave
1595it in case of others. */
059ec3d9
PH
1596
1597#ifdef OS_INIT
1598OS_INIT
1599#endif
1600
1601/* Check a field which is patched when we are running Exim within its
1602testing harness; do a fast initial check, and then the whole thing. */
1603
1604running_in_test_harness =
1605 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1606
1607/* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1608at the start of a program; however, it seems that some environments do not
1609follow this. A "strange" locale can affect the formatting of timestamps, so we
1610make quite sure. */
1611
1612setlocale(LC_ALL, "C");
1613
1614/* Set up the default handler for timing using alarm(). */
1615
1616os_non_restarting_signal(SIGALRM, sigalrm_handler);
1617
1618/* Ensure we have a buffer for constructing log entries. Use malloc directly,
1619because store_malloc writes a log entry on failure. */
1620
40c90bca 1621if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
059ec3d9
PH
1622 {
1623 fprintf(stderr, "exim: failed to get store for log buffer\n");
1624 exit(EXIT_FAILURE);
1625 }
1626
6c6d6e48
TF
1627/* Initialize the default log options. */
1628
1629bits_set(log_selector, log_selector_size, log_default);
1630
059ec3d9
PH
1631/* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1632NULL when the daemon is run and the file is closed. We have to use this
1633indirection, because some systems don't allow writing to the variable "stderr".
1634*/
1635
1636if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1637
1638/* Arrange for the PCRE regex library to use our store functions. Note that
1639the normal calls are actually macros that add additional arguments for
1640debugging purposes so we have to assign specially constructed functions here.
1641The default is to use store in the stacking pool, but this is overridden in the
1642regex_must_compile() function. */
1643
1644pcre_malloc = function_store_get;
1645pcre_free = function_dummy_free;
1646
1647/* Ensure there is a big buffer for temporary use in several places. It is put
1648in malloc store so that it can be freed for enlargement if necessary. */
1649
1650big_buffer = store_malloc(big_buffer_size);
1651
1652/* Set up the handler for the data request signal, and set the initial
1653descriptive text. */
1654
1655set_process_info("initializing");
1656os_restarting_signal(SIGUSR1, usr1_handler);
1657
1658/* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1659in the daemon code. For the rest of Exim's uses, we ignore it. */
1660
1661signal(SIGHUP, SIG_IGN);
1662
1663/* We don't want to die on pipe errors as the code is written to handle
1664the write error instead. */
1665
1666signal(SIGPIPE, SIG_IGN);
1667
1668/* Under some circumstance on some OS, Exim can get called with SIGCHLD
1669set to SIG_IGN. This causes subprocesses that complete before the parent
1670process waits for them not to hang around, so when Exim calls wait(), nothing
1671is there. The wait() code has been made robust against this, but let's ensure
1672that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1673ending status. We use sigaction rather than plain signal() on those OS where
1674SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1675problem on AIX with this.) */
1676
1677#ifdef SA_NOCLDWAIT
1678 {
1679 struct sigaction act;
1680 act.sa_handler = SIG_DFL;
1681 sigemptyset(&(act.sa_mask));
1682 act.sa_flags = 0;
1683 sigaction(SIGCHLD, &act, NULL);
1684 }
1685#else
1686signal(SIGCHLD, SIG_DFL);
1687#endif
1688
1689/* Save the arguments for use if we re-exec exim as a daemon after receiving
1690SIGHUP. */
1691
1692sighup_argv = argv;
1693
1694/* Set up the version number. Set up the leading 'E' for the external form of
1695message ids, set the pointer to the internal form, and initialize it to
1696indicate no message being processed. */
1697
1698version_init();
1699message_id_option[0] = '-';
1700message_id_external = message_id_option + 1;
1701message_id_external[0] = 'E';
1702message_id = message_id_external + 1;
1703message_id[0] = 0;
1704
67d175de 1705/* Set the umask to zero so that any files Exim creates using open() are
2632889e
PH
1706created with the modes that it specifies. NOTE: Files created with fopen() have
1707a problem, which was not recognized till rather late (February 2006). With this
1708umask, such files will be world writeable. (They are all content scanning files
1709in the spool directory, which isn't world-accessible, so this is not a
1710disaster, but it's untidy.) I don't want to change this overall setting,
1711however, because it will interact badly with the open() calls. Instead, there's
1712now a function called modefopen() that fiddles with the umask while calling
1713fopen(). */
059ec3d9 1714
67d175de 1715(void)umask(0);
059ec3d9
PH
1716
1717/* Precompile the regular expression for matching a message id. Keep this in
1718step with the code that generates ids in the accept.c module. We need to do
1719this here, because the -M options check their arguments for syntactic validity
1720using mac_ismsgid, which uses this. */
1721
1722regex_ismsgid =
1723 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1724
a5bd321b 1725/* Precompile the regular expression that is used for matching an SMTP error
d6a96edc
PH
1726code, possibly extended, at the start of an error message. Note that the
1727terminating whitespace character is included. */
a5bd321b
PH
1728
1729regex_smtp_code =
1730 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1731 FALSE, TRUE);
1732
a7cbbf50
PP
1733#ifdef WHITELIST_D_MACROS
1734/* Precompile the regular expression used to filter the content of macros
1735given to -D for permissibility. */
1736
1737regex_whitelisted_macro =
1738 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1739#endif
1740
f38917cc
JH
1741for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1742
059ec3d9
PH
1743/* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1744this seems to be a generally accepted convention, since one finds symbolic
1745links called "mailq" in standard OS configurations. */
1746
1747if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1748 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1749 {
1750 list_queue = TRUE;
1751 receiving_message = FALSE;
1752 called_as = US"-mailq";
1753 }
1754
1755/* If the program is called as "rmail" treat it as equivalent to
1756"exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1757i.e. preventing a single dot on a line from terminating the message, and
1758returning with zero return code, even in cases of error (provided an error
1759message has been sent). */
1760
1761if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1762 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1763 {
1764 dot_ends = FALSE;
1765 called_as = US"-rmail";
1766 errors_sender_rc = EXIT_SUCCESS;
1767 }
1768
1769/* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1770this is a smail convention. */
1771
1772if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1773 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1774 {
1775 smtp_input = smtp_batched_input = TRUE;
1776 called_as = US"-rsmtp";
1777 }
1778
1779/* If the program is called as "runq" treat it as equivalent to "exim -q";
1780this is a smail convention. */
1781
1782if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1783 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1784 {
1785 queue_interval = 0;
1786 receiving_message = FALSE;
1787 called_as = US"-runq";
1788 }
1789
1790/* If the program is called as "newaliases" treat it as equivalent to
1791"exim -bi"; this is a sendmail convention. */
1792
1793if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1794 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1795 {
1796 bi_option = TRUE;
1797 receiving_message = FALSE;
1798 called_as = US"-newaliases";
1799 }
1800
1801/* Save the original effective uid for a couple of uses later. It should
1802normally be root, but in some esoteric environments it may not be. */
1803
1804original_euid = geteuid();
1805
1806/* Get the real uid and gid. If the caller is root, force the effective uid/gid
1807to be the same as the real ones. This makes a difference only if Exim is setuid
1808(or setgid) to something other than root, which could be the case in some
1809special configurations. */
1810
1811real_uid = getuid();
1812real_gid = getgid();
1813
1814if (real_uid == root_uid)
1815 {
1670ef10
PP
1816 rv = setgid(real_gid);
1817 if (rv)
1818 {
1819 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1820 (long int)real_gid, strerror(errno));
1821 exit(EXIT_FAILURE);
1822 }
1823 rv = setuid(real_uid);
1824 if (rv)
1825 {
1826 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1827 (long int)real_uid, strerror(errno));
1828 exit(EXIT_FAILURE);
1829 }
059ec3d9
PH
1830 }
1831
1832/* If neither the original real uid nor the original euid was root, Exim is
1833running in an unprivileged state. */
1834
1835unprivileged = (real_uid != root_uid && original_euid != root_uid);
1836
059ec3d9
PH
1837/* Scan the program's arguments. Some can be dealt with right away; others are
1838simply recorded for checking and handling afterwards. Do a high-level switch
1839on the second character (the one after '-'), to save some effort. */
1840
1841for (i = 1; i < argc; i++)
1842 {
1843 BOOL badarg = FALSE;
1844 uschar *arg = argv[i];
1845 uschar *argrest;
1846 int switchchar;
1847
1848 /* An argument not starting with '-' is the start of a recipients list;
1849 break out of the options-scanning loop. */
1850
1851 if (arg[0] != '-')
1852 {
1853 recipients_arg = i;
1854 break;
1855 }
1856
4c04137d 1857 /* An option consisting of -- terminates the options */
059ec3d9
PH
1858
1859 if (Ustrcmp(arg, "--") == 0)
1860 {
1861 recipients_arg = i + 1;
1862 break;
1863 }
1864
1865 /* Handle flagged options */
1866
1867 switchchar = arg[1];
1868 argrest = arg+2;
1869
1870 /* Make all -ex options synonymous with -oex arguments, since that
1871 is assumed by various callers. Also make -qR options synonymous with -R
1872 options, as that seems to be required as well. Allow for -qqR too, and
1873 the same for -S options. */
1874
1875 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1876 Ustrncmp(arg+1, "qR", 2) == 0 ||
1877 Ustrncmp(arg+1, "qS", 2) == 0)
1878 {
1879 switchchar = arg[2];
1880 argrest++;
1881 }
1882 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1883 {
1884 switchchar = arg[3];
1885 argrest += 2;
1886 queue_2stage = TRUE;
1887 }
1888
1889 /* Make -r synonymous with -f, since it is a documented alias */
1890
1891 else if (arg[1] == 'r') switchchar = 'f';
1892
1893 /* Make -ov synonymous with -v */
1894
1895 else if (Ustrcmp(arg, "-ov") == 0)
1896 {
1897 switchchar = 'v';
1898 argrest++;
1899 }
1900
4b2241d2
PP
1901 /* deal with --option_aliases */
1902 else if (switchchar == '-')
1903 {
1904 if (Ustrcmp(argrest, "help") == 0)
1905 {
1906 usage_wanted = TRUE;
1907 break;
1908 }
1909 else if (Ustrcmp(argrest, "version") == 0)
1910 {
1911 switchchar = 'b';
73a46702 1912 argrest = US"V";
4b2241d2
PP
1913 }
1914 }
1915
059ec3d9
PH
1916 /* High-level switch on active initial letter */
1917
1918 switch(switchchar)
1919 {
a3fb9793
PP
1920
1921 /* sendmail uses -Ac and -Am to control which .cf file is used;
1922 we ignore them. */
1923 case 'A':
1924 if (*argrest == '\0') { badarg = TRUE; break; }
1925 else
1926 {
1927 BOOL ignore = FALSE;
1928 switch (*argrest)
1929 {
1930 case 'c':
1931 case 'm':
1932 if (*(argrest + 1) == '\0')
1933 ignore = TRUE;
1934 break;
1935 }
1936 if (!ignore) { badarg = TRUE; break; }
1937 }
1938 break;
1939
059ec3d9
PH
1940 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1941 so has no need of it. */
1942
1943 case 'B':
1944 if (*argrest == 0) i++; /* Skip over the type */
1945 break;
1946
1947
1948 case 'b':
1949 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1950
1951 /* -bd: Run in daemon mode, awaiting SMTP connections.
1952 -bdf: Ditto, but in the foreground.
1953 */
1954
1955 if (*argrest == 'd')
1956 {
1957 daemon_listen = TRUE;
1958 if (*(++argrest) == 'f') background_daemon = FALSE;
1959 else if (*argrest != 0) { badarg = TRUE; break; }
1960 }
1961
328895cc
PH
1962 /* -be: Run in expansion test mode
1963 -bem: Ditto, but read a message from a file first
1964 */
059ec3d9
PH
1965
1966 else if (*argrest == 'e')
328895cc 1967 {
059ec3d9 1968 expansion_test = checking = TRUE;
328895cc
PH
1969 if (argrest[1] == 'm')
1970 {
1971 if (++i >= argc) { badarg = TRUE; break; }
1972 expansion_test_message = argv[i];
1973 argrest++;
1974 }
1975 if (argrest[1] != 0) { badarg = TRUE; break; }
1976 }
059ec3d9 1977
f05da2e8
PH
1978 /* -bF: Run system filter test */
1979
1980 else if (*argrest == 'F')
1981 {
34e86e20 1982 filter_test |= checking = FTEST_SYSTEM;
f05da2e8
PH
1983 if (*(++argrest) != 0) { badarg = TRUE; break; }
1984 if (++i < argc) filter_test_sfile = argv[i]; else
1985 {
1986 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1987 exit(EXIT_FAILURE);
1988 }
1989 }
1990
1991 /* -bf: Run user filter test
059ec3d9
PH
1992 -bfd: Set domain for filter testing
1993 -bfl: Set local part for filter testing
1994 -bfp: Set prefix for filter testing
1995 -bfs: Set suffix for filter testing
1996 */
1997
f05da2e8 1998 else if (*argrest == 'f')
059ec3d9 1999 {
f05da2e8 2000 if (*(++argrest) == 0)
059ec3d9 2001 {
34e86e20 2002 filter_test |= checking = FTEST_USER;
f05da2e8 2003 if (++i < argc) filter_test_ufile = argv[i]; else
059ec3d9
PH
2004 {
2005 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
2006 exit(EXIT_FAILURE);
2007 }
2008 }
2009 else
2010 {
2011 if (++i >= argc)
2012 {
2013 fprintf(stderr, "exim: string expected after %s\n", arg);
2014 exit(EXIT_FAILURE);
2015 }
2016 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2017 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2018 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2019 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2020 else { badarg = TRUE; break; }
2021 }
2022 }
2023
2024 /* -bh: Host checking - an IP address must follow. */
2025
2026 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2027 {
2028 if (++i >= argc) { badarg = TRUE; break; }
2029 sender_host_address = argv[i];
2030 host_checking = checking = log_testing_mode = TRUE;
2031 host_checking_callout = argrest[1] == 'c';
1a6230a3 2032 message_logs = FALSE;
059ec3d9
PH
2033 }
2034
2035 /* -bi: This option is used by sendmail to initialize *the* alias file,
2036 though it has the -oA option to specify a different file. Exim has no
2037 concept of *the* alias file, but since Sun's YP make script calls
2038 sendmail this way, some support must be provided. */
2039
2040 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2041
98a90c36
PP
2042 /* -bI: provide information, of the type to follow after a colon.
2043 This is an Exim flag. */
2044
2045 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2046 {
2047 uschar *p = &argrest[2];
2048 info_flag = CMDINFO_HELP;
2049 if (Ustrlen(p))
2050 {
2051 if (strcmpic(p, CUS"sieve") == 0)
2052 {
2053 info_flag = CMDINFO_SIEVE;
2054 info_stdout = TRUE;
2055 }
36a3ae5f
PP
2056 else if (strcmpic(p, CUS"dscp") == 0)
2057 {
2058 info_flag = CMDINFO_DSCP;
2059 info_stdout = TRUE;
2060 }
98a90c36
PP
2061 else if (strcmpic(p, CUS"help") == 0)
2062 {
2063 info_stdout = TRUE;
2064 }
2065 }
2066 }
2067
059ec3d9
PH
2068 /* -bm: Accept and deliver message - the default option. Reinstate
2069 receiving_message, which got turned off for all -b options. */
2070
2071 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2072
8544e77a
PP
2073 /* -bmalware: test the filename given for malware */
2074
2075 else if (Ustrcmp(argrest, "malware") == 0)
2076 {
2077 if (++i >= argc) { badarg = TRUE; break; }
34e86e20 2078 checking = TRUE;
8544e77a
PP
2079 malware_test_file = argv[i];
2080 }
2081
059ec3d9
PH
2082 /* -bnq: For locally originating messages, do not qualify unqualified
2083 addresses. In the envelope, this causes errors; in header lines they
2084 just get left. */
2085
2086 else if (Ustrcmp(argrest, "nq") == 0)
2087 {
2088 allow_unqualified_sender = FALSE;
2089 allow_unqualified_recipient = FALSE;
2090 }
2091
2092 /* -bpxx: List the contents of the mail queue, in various forms. If
2093 the option is -bpc, just a queue count is needed. Otherwise, if the
2094 first letter after p is r, then order is random. */
2095
2096 else if (*argrest == 'p')
2097 {
2098 if (*(++argrest) == 'c')
2099 {
2100 count_queue = TRUE;
2101 if (*(++argrest) != 0) badarg = TRUE;
2102 break;
2103 }
2104
2105 if (*argrest == 'r')
2106 {
2107 list_queue_option = 8;
2108 argrest++;
2109 }
2110 else list_queue_option = 0;
2111
2112 list_queue = TRUE;
2113
2114 /* -bp: List the contents of the mail queue, top-level only */
2115
2116 if (*argrest == 0) {}
2117
2118 /* -bpu: List the contents of the mail queue, top-level undelivered */
2119
2120 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2121
2122 /* -bpa: List the contents of the mail queue, including all delivered */
2123
2124 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2125
2126 /* Unknown after -bp[r] */
2127
2128 else
2129 {
2130 badarg = TRUE;
2131 break;
2132 }
2133 }
2134
2135
2136 /* -bP: List the configuration variables given as the address list.
2137 Force -v, so configuration errors get displayed. */
2138
2139 else if (Ustrcmp(argrest, "P") == 0)
2140 {
bf3c2c6b
HSHR
2141 /* -bP config: we need to setup here, because later,
2142 * when list_options is checked, the config is read already */
2143 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2144 {
2145 list_config = TRUE;
2146 readconf_save_config(version_string);
2147 }
2148 else
2149 {
2150 list_options = TRUE;
2151 debug_selector |= D_v;
2152 debug_file = stderr;
2153 }
059ec3d9
PH
2154 }
2155
2156 /* -brt: Test retry configuration lookup */
2157
2158 else if (Ustrcmp(argrest, "rt") == 0)
2159 {
34e86e20 2160 checking = TRUE;
059ec3d9
PH
2161 test_retry_arg = i + 1;
2162 goto END_ARG;
2163 }
2164
2165 /* -brw: Test rewrite configuration */
2166
2167 else if (Ustrcmp(argrest, "rw") == 0)
2168 {
34e86e20 2169 checking = TRUE;
059ec3d9
PH
2170 test_rewrite_arg = i + 1;
2171 goto END_ARG;
2172 }
2173
2174 /* -bS: Read SMTP commands on standard input, but produce no replies -
2175 all errors are reported by sending messages. */
2176
2177 else if (Ustrcmp(argrest, "S") == 0)
2178 smtp_input = smtp_batched_input = receiving_message = TRUE;
2179
2180 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2181 on standard output. */
2182
2183 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2184
2185 /* -bt: address testing mode */
2186
2187 else if (Ustrcmp(argrest, "t") == 0)
2188 address_test_mode = checking = log_testing_mode = TRUE;
2189
2190 /* -bv: verify addresses */
2191
2192 else if (Ustrcmp(argrest, "v") == 0)
2193 verify_address_mode = checking = log_testing_mode = TRUE;
2194
2195 /* -bvs: verify sender addresses */
2196
2197 else if (Ustrcmp(argrest, "vs") == 0)
2198 {
2199 verify_address_mode = checking = log_testing_mode = TRUE;
2200 verify_as_sender = TRUE;
2201 }
2202
2203 /* -bV: Print version string and support details */
2204
2205 else if (Ustrcmp(argrest, "V") == 0)
2206 {
2207 printf("Exim version %s #%s built %s\n", version_string,
2208 version_cnumber, version_date);
2209 printf("%s\n", CS version_copyright);
2210 version_printed = TRUE;
2211 show_whats_supported(stdout);
b25c9675 2212 log_testing_mode = TRUE;
059ec3d9
PH
2213 }
2214
9ee44efb
PP
2215 /* -bw: inetd wait mode, accept a listening socket as stdin */
2216
2217 else if (*argrest == 'w')
2218 {
2219 inetd_wait_mode = TRUE;
2220 background_daemon = FALSE;
2221 daemon_listen = TRUE;
2222 if (*(++argrest) != '\0')
2223 {
2224 inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE);
2225 if (inetd_wait_timeout <= 0)
2226 {
2227 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2228 exit(EXIT_FAILURE);
2229 }
2230 }
2231 }
2232
059ec3d9
PH
2233 else badarg = TRUE;
2234 break;
2235
2236
2237 /* -C: change configuration file list; ignore if it isn't really
2238 a change! Enforce a prefix check if required. */
2239
2240 case 'C':
2241 if (*argrest == 0)
2242 {
2243 if(++i < argc) argrest = argv[i]; else
2244 { badarg = TRUE; break; }
2245 }
2246 if (Ustrcmp(config_main_filelist, argrest) != 0)
2247 {
2248 #ifdef ALT_CONFIG_PREFIX
2249 int sep = 0;
2250 int len = Ustrlen(ALT_CONFIG_PREFIX);
863bd541 2251 const uschar *list = argrest;
059ec3d9
PH
2252 uschar *filename;
2253 while((filename = string_nextinlist(&list, &sep, big_buffer,
2254 big_buffer_size)) != NULL)
2255 {
2256 if ((Ustrlen(filename) < len ||
2257 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2258 Ustrstr(filename, "/../") != NULL) &&
2259 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2260 {
2261 fprintf(stderr, "-C Permission denied\n");
2262 exit(EXIT_FAILURE);
2263 }
2264 }
2265 #endif
261dc43e
DW
2266 if (real_uid != root_uid)
2267 {
90b6341f 2268 #ifdef TRUSTED_CONFIG_LIST
261dc43e 2269
90b6341f
DW
2270 if (real_uid != exim_uid
2271 #ifdef CONFIGURE_OWNER
2272 && real_uid != config_uid
2273 #endif
2274 )
261dc43e
DW
2275 trusted_config = FALSE;
2276 else
2277 {
90b6341f 2278 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
261dc43e
DW
2279 if (trust_list)
2280 {
2281 struct stat statbuf;
2282
2283 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2284 (statbuf.st_uid != root_uid /* owner not root */
2285 #ifdef CONFIGURE_OWNER
2286 && statbuf.st_uid != config_uid /* owner not the special one */
2287 #endif
2288 ) || /* or */
2289 (statbuf.st_gid != root_gid /* group not root */
2290 #ifdef CONFIGURE_GROUP
2291 && statbuf.st_gid != config_gid /* group not the special one */
2292 #endif
2293 && (statbuf.st_mode & 020) != 0 /* group writeable */
2294 ) || /* or */
2295 (statbuf.st_mode & 2) != 0) /* world writeable */
2296 {
2297 trusted_config = FALSE;
2298 fclose(trust_list);
2299 }
2300 else
2301 {
2302 /* Well, the trust list at least is up to scratch... */
2303 void *reset_point = store_get(0);
90b6341f
DW
2304 uschar *trusted_configs[32];
2305 int nr_configs = 0;
261dc43e
DW
2306 int i = 0;
2307
2308 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2309 {
2310 uschar *start = big_buffer, *nl;
2311 while (*start && isspace(*start))
2312 start++;
1e83d68b 2313 if (*start != '/')
261dc43e
DW
2314 continue;
2315 nl = Ustrchr(start, '\n');
2316 if (nl)
2317 *nl = 0;
90b6341f
DW
2318 trusted_configs[nr_configs++] = string_copy(start);
2319 if (nr_configs == 32)
261dc43e
DW
2320 break;
2321 }
2322 fclose(trust_list);
2323
90b6341f 2324 if (nr_configs)
261dc43e
DW
2325 {
2326 int sep = 0;
55414b25 2327 const uschar *list = argrest;
261dc43e
DW
2328 uschar *filename;
2329 while (trusted_config && (filename = string_nextinlist(&list,
2330 &sep, big_buffer, big_buffer_size)) != NULL)
2331 {
90b6341f 2332 for (i=0; i < nr_configs; i++)
261dc43e 2333 {
90b6341f 2334 if (Ustrcmp(filename, trusted_configs[i]) == 0)
261dc43e
DW
2335 break;
2336 }
90b6341f 2337 if (i == nr_configs)
261dc43e
DW
2338 {
2339 trusted_config = FALSE;
2340 break;
2341 }
2342 }
1e83d68b 2343 store_reset(reset_point);
261dc43e
DW
2344 }
2345 else
2346 {
2347 /* No valid prefixes found in trust_list file. */
2348 trusted_config = FALSE;
2349 }
2350 }
2351 }
2352 else
2353 {
2354 /* Could not open trust_list file. */
2355 trusted_config = FALSE;
2356 }
2357 }
2358 #else
2359 /* Not root; don't trust config */
2360 trusted_config = FALSE;
2361 #endif
2362 }
059ec3d9
PH
2363
2364 config_main_filelist = argrest;
2365 config_changed = TRUE;
2366 }
2367 break;
2368
2369
2370 /* -D: set up a macro definition */
2371
2372 case 'D':
2373 #ifdef DISABLE_D_OPTION
2374 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2375 exit(EXIT_FAILURE);
2376 #else
2377 {
2378 int ptr = 0;
059ec3d9
PH
2379 macro_item *m;
2380 uschar name[24];
2381 uschar *s = argrest;
2382
4ab69ec7 2383 opt_D_used = TRUE;
059ec3d9
PH
2384 while (isspace(*s)) s++;
2385
2386 if (*s < 'A' || *s > 'Z')
2387 {
2388 fprintf(stderr, "exim: macro name set by -D must start with "
2389 "an upper case letter\n");
2390 exit(EXIT_FAILURE);
2391 }
2392
2393 while (isalnum(*s) || *s == '_')
2394 {
2395 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2396 s++;
2397 }
2398 name[ptr] = 0;
2399 if (ptr == 0) { badarg = TRUE; break; }
2400 while (isspace(*s)) s++;
2401 if (*s != 0)
2402 {
2403 if (*s++ != '=') { badarg = TRUE; break; }
2404 while (isspace(*s)) s++;
2405 }
2406
c193398d 2407 for (m = macros; m; m = m->next)
059ec3d9
PH
2408 if (Ustrcmp(m->name, name) == 0)
2409 {
2410 fprintf(stderr, "exim: duplicated -D in command line\n");
2411 exit(EXIT_FAILURE);
2412 }
059ec3d9 2413
d185889f 2414 m = macro_create(string_copy(name), string_copy(s), TRUE);
059ec3d9
PH
2415
2416 if (clmacro_count >= MAX_CLMACROS)
2417 {
2418 fprintf(stderr, "exim: too many -D options on command line\n");
2419 exit(EXIT_FAILURE);
2420 }
2421 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2422 m->replacement);
2423 }
2424 #endif
2425 break;
2426
2427 /* -d: Set debug level (see also -v below) or set the drop_cr option.
8e669ac1 2428 The latter is now a no-op, retained for compatibility only. If -dd is used,
3d235903 2429 debugging subprocesses of the daemon is disabled. */
059ec3d9
PH
2430
2431 case 'd':
2432 if (Ustrcmp(argrest, "ropcr") == 0)
2433 {
2434 /* drop_cr = TRUE; */
2435 }
2436
2437 /* Use an intermediate variable so that we don't set debugging while
2438 decoding the debugging bits. */
2439
2440 else
2441 {
2442 unsigned int selector = D_default;
2443 debug_selector = 0;
2444 debug_file = NULL;
3d235903
PH
2445 if (*argrest == 'd')
2446 {
2447 debug_daemon = TRUE;
2448 argrest++;
2449 }
059ec3d9 2450 if (*argrest != 0)
6c6d6e48
TF
2451 decode_bits(&selector, 1, debug_notall, argrest,
2452 debug_options, debug_options_count, US"debug", 0);
059ec3d9
PH
2453 debug_selector = selector;
2454 }
2455 break;
2456
2457
2458 /* -E: This is a local error message. This option is not intended for
2459 external use at all, but is not restricted to trusted callers because it
2460 does no harm (just suppresses certain error messages) and if Exim is run
2461 not setuid root it won't always be trusted when it generates error
2462 messages using this option. If there is a message id following -E, point
2463 message_reference at it, for logging. */
2464
2465 case 'E':
2466 local_error_message = TRUE;
2467 if (mac_ismsgid(argrest)) message_reference = argrest;
2468 break;
2469
2470
2471 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2472 option, so it looks as if historically the -oex options are also callable
2473 without the leading -o. So we have to accept them. Before the switch,
2474 anything starting -oe has been converted to -e. Exim does not support all
2475 of the sendmail error options. */
2476
2477 case 'e':
2478 if (Ustrcmp(argrest, "e") == 0)
2479 {
2480 arg_error_handling = ERRORS_SENDER;
2481 errors_sender_rc = EXIT_SUCCESS;
2482 }
2483 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2484 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2485 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2486 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2487 else badarg = TRUE;
2488 break;
2489
2490
2491 /* -F: Set sender's full name, used instead of the gecos entry from
2492 the password file. Since users can usually alter their gecos entries,
2493 there's no security involved in using this instead. The data can follow
2494 the -F or be in the next argument. */
2495
2496 case 'F':
2497 if (*argrest == 0)
2498 {
2499 if(++i < argc) argrest = argv[i]; else
2500 { badarg = TRUE; break; }
2501 }
2502 originator_name = argrest;
2fe1a124 2503 sender_name_forced = TRUE;
059ec3d9
PH
2504 break;
2505
2506
2507 /* -f: Set sender's address - this value is only actually used if Exim is
2508 run by a trusted user, or if untrusted_set_sender is set and matches the
2509 address, except that the null address can always be set by any user. The
2510 test for this happens later, when the value given here is ignored when not
2511 permitted. For an untrusted user, the actual sender is still put in Sender:
2512 if it doesn't match the From: header (unless no_local_from_check is set).
2513 The data can follow the -f or be in the next argument. The -r switch is an
2514 obsolete form of -f but since there appear to be programs out there that
2515 use anything that sendmail has ever supported, better accept it - the
2516 synonymizing is done before the switch above.
2517
2518 At this stage, we must allow domain literal addresses, because we don't
2519 know what the setting of allow_domain_literals is yet. Ditto for trailing
2520 dots and strip_trailing_dot. */
2521
2522 case 'f':
2523 {
250b6871 2524 int dummy_start, dummy_end;
059ec3d9
PH
2525 uschar *errmess;
2526 if (*argrest == 0)
2527 {
2528 if (i+1 < argc) argrest = argv[++i]; else
2529 { badarg = TRUE; break; }
2530 }
2531 if (*argrest == 0)
059ec3d9 2532 sender_address = string_sprintf(""); /* Ensure writeable memory */
059ec3d9
PH
2533 else
2534 {
2535 uschar *temp = argrest + Ustrlen(argrest) - 1;
2536 while (temp >= argrest && isspace(*temp)) temp--;
2537 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2538 allow_domain_literals = TRUE;
2539 strip_trailing_dot = TRUE;
8c5d388a 2540#ifdef SUPPORT_I18N
250b6871
JH
2541 allow_utf8_domains = TRUE;
2542#endif
2543 sender_address = parse_extract_address(argrest, &errmess,
2544 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
8c5d388a 2545#ifdef SUPPORT_I18N
250b6871
JH
2546 message_smtputf8 = string_is_utf8(sender_address);
2547 allow_utf8_domains = FALSE;
2548#endif
059ec3d9
PH
2549 allow_domain_literals = FALSE;
2550 strip_trailing_dot = FALSE;
2551 if (sender_address == NULL)
2552 {
2553 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2554 return EXIT_FAILURE;
2555 }
2556 }
2557 sender_address_forced = TRUE;
2558 }
2559 break;
2560
a3fb9793 2561 /* -G: sendmail invocation to specify that it's a gateway submission and
f4ee74ac
PP
2562 sendmail may complain about problems instead of fixing them.
2563 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2564 not at this time complain about problems. */
059ec3d9
PH
2565
2566 case 'G':
f4ee74ac 2567 flag_G = TRUE;
059ec3d9
PH
2568 break;
2569
2570 /* -h: Set the hop count for an incoming message. Exim does not currently
2571 support this; it always computes it by counting the Received: headers.
2572 To put it in will require a change to the spool header file format. */
2573
2574 case 'h':
2575 if (*argrest == 0)
2576 {
2577 if(++i < argc) argrest = argv[i]; else
2578 { badarg = TRUE; break; }
2579 }
2580 if (!isdigit(*argrest)) badarg = TRUE;
2581 break;
2582
2583
2584 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2585 not to be documented for sendmail but mailx (at least) uses it) */
2586
2587 case 'i':
2588 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2589 break;
2590
2591
a3fb9793
PP
2592 /* -L: set the identifier used for syslog; equivalent to setting
2593 syslog_processname in the config file, but needs to be an admin option. */
2594
2595 case 'L':
2596 if (*argrest == '\0')
2597 {
2598 if(++i < argc) argrest = argv[i]; else
2599 { badarg = TRUE; break; }
2600 }
2601 sz = Ustrlen(argrest);
2602 if (sz > 32)
2603 {
2604 fprintf(stderr, "exim: the -L syslog name is too long: \"%s\"\n", argrest);
2605 return EXIT_FAILURE;
2606 }
2607 if (sz < 1)
2608 {
2609 fprintf(stderr, "exim: the -L syslog name is too short\n");
2610 return EXIT_FAILURE;
2611 }
2612 cmdline_syslog_name = argrest;
2613 break;
2614
059ec3d9
PH
2615 case 'M':
2616 receiving_message = FALSE;
2617
2618 /* -MC: continue delivery of another message via an existing open
2619 file descriptor. This option is used for an internal call by the
2620 smtp transport when there is a pending message waiting to go to an
2621 address to which it has got a connection. Five subsequent arguments are
2622 required: transport name, host name, IP address, sequence number, and
2623 message_id. Transports may decline to create new processes if the sequence
2624 number gets too big. The channel is stdin. This (-MC) must be the last
2625 argument. There's a subsequent check that the real-uid is privileged.
2626
2627 If we are running in the test harness. delay for a bit, to let the process
2628 that set this one up complete. This makes for repeatability of the logging,
2629 etc. output. */
2630
2631 if (Ustrcmp(argrest, "C") == 0)
2632 {
41c7c167
PH
2633 union sockaddr_46 interface_sock;
2634 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2635
059ec3d9
PH
2636 if (argc != i + 6)
2637 {
2638 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2639 return EXIT_FAILURE;
2640 }
2641
2642 if (msg_action_arg >= 0)
2643 {
2644 fprintf(stderr, "exim: incompatible arguments\n");
2645 return EXIT_FAILURE;
2646 }
2647
2648 continue_transport = argv[++i];
2649 continue_hostname = argv[++i];
2650 continue_host_address = argv[++i];
2651 continue_sequence = Uatoi(argv[++i]);
2652 msg_action = MSG_DELIVER;
2653 msg_action_arg = ++i;
2654 forced_delivery = TRUE;
2655 queue_run_pid = passed_qr_pid;
2656 queue_run_pipe = passed_qr_pipe;
2657
2658 if (!mac_ismsgid(argv[i]))
2659 {
2660 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2661 argv[i]);
2662 return EXIT_FAILURE;
2663 }
2664
875512a3
JH
2665 /* Set up $sending_ip_address and $sending_port, unless proxied */
2666
5013d912 2667 if (!continue_proxy_cipher)
875512a3
JH
2668 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2669 &size) == 0)
2670 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2671 &sending_port);
2672 else
2673 {
2674 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2675 strerror(errno));
2676 return EXIT_FAILURE;
2677 }
41c7c167 2678
059ec3d9
PH
2679 if (running_in_test_harness) millisleep(500);
2680 break;
2681 }
2682
2d14f397
JH
2683 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2684 {
875512a3 2685 switch(argrest[1])
2d14f397 2686 {
059ec3d9
PH
2687 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2688 precedes -MC (see above). The flag indicates that the host to which
2689 Exim is connected has accepted an AUTH sequence. */
2690
2d14f397 2691 case 'A': smtp_authenticated = TRUE; break;
059ec3d9 2692
6c1c3d1d
WB
2693 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2694 that exim is connected to supports the esmtp extension DSN */
28b3821f 2695
14de8063 2696 case 'D': smtp_peer_options |= OPTION_DSN; break;
6c1c3d1d 2697
e37f8a84 2698 /* -MCG: set the queue name, to a non-default value */
28b3821f 2699
2d14f397
JH
2700 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2701 else badarg = TRUE;
2702 break;
2703
2704 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2705
14de8063 2706 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
28b3821f 2707
059ec3d9
PH
2708 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2709 it preceded -MC (see above) */
2710
14de8063 2711 case 'P': smtp_peer_options |= OPTION_PIPE; break;
059ec3d9
PH
2712
2713 /* -MCQ: pass on the pid of the queue-running process that started
2714 this chain of deliveries and the fd of its synchronizing pipe; this
2715 is useful only when it precedes -MC (see above) */
2716
2d14f397
JH
2717 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2718 else badarg = TRUE;
2719 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2720 else badarg = TRUE;
2721 break;
059ec3d9
PH
2722
2723 /* -MCS: set the smtp_use_size flag; this is useful only when it
2724 precedes -MC (see above) */
2725
14de8063 2726 case 'S': smtp_peer_options |= OPTION_SIZE; break;
059ec3d9 2727
2d14f397 2728#ifdef SUPPORT_TLS
875512a3
JH
2729 /* -MCt: similar to -MCT below but the connection is still open
2730 via a proxy proces which handles the TLS context and coding.
5013d912
JH
2731 Require three arguments for the proxied local address and port,
2732 and the TLS cipher. */
875512a3 2733
5013d912 2734 case 't': if (++i < argc) sending_ip_address = argv[i];
875512a3
JH
2735 else badarg = TRUE;
2736 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2737 else badarg = TRUE;
5013d912
JH
2738 if (++i < argc) continue_proxy_cipher = argv[i];
2739 else badarg = TRUE;
875512a3
JH
2740 /*FALLTHROUGH*/
2741
059ec3d9
PH
2742 /* -MCT: set the tls_offered flag; this is useful only when it
2743 precedes -MC (see above). The flag indicates that the host to which
2744 Exim is connected has offered TLS support. */
2745
14de8063 2746 case 'T': smtp_peer_options |= OPTION_TLS; break;
2d14f397
JH
2747#endif
2748
2749 default: badarg = TRUE; break;
2750 }
2751 break;
059ec3d9 2752 }
059ec3d9
PH
2753
2754 /* -M[x]: various operations on the following list of message ids:
2755 -M deliver the messages, ignoring next retry times and thawing
2756 -Mc deliver the messages, checking next retry times, no thawing
2757 -Mf freeze the messages
2758 -Mg give up on the messages
2759 -Mt thaw the messages
2760 -Mrm remove the messages
2761 In the above cases, this must be the last option. There are also the
2762 following options which are followed by a single message id, and which
2763 act on that message. Some of them use the "recipient" addresses as well.
2764 -Mar add recipient(s)
2765 -Mmad mark all recipients delivered
2766 -Mmd mark recipients(s) delivered
2767 -Mes edit sender
0ef732d9 2768 -Mset load a message for use with -be
059ec3d9 2769 -Mvb show body
a96603a0 2770 -Mvc show copy (of whole message, in RFC 2822 format)
059ec3d9
PH
2771 -Mvh show header
2772 -Mvl show log
2773 */
2774
2775 else if (*argrest == 0)
2776 {
2777 msg_action = MSG_DELIVER;
2778 forced_delivery = deliver_force_thaw = TRUE;
2779 }
2780 else if (Ustrcmp(argrest, "ar") == 0)
2781 {
2782 msg_action = MSG_ADD_RECIPIENT;
2783 one_msg_action = TRUE;
2784 }
2785 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2786 else if (Ustrcmp(argrest, "es") == 0)
2787 {
2788 msg_action = MSG_EDIT_SENDER;
2789 one_msg_action = TRUE;
2790 }
2791 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2792 else if (Ustrcmp(argrest, "g") == 0)
2793 {
2794 msg_action = MSG_DELIVER;
2795 deliver_give_up = TRUE;
2796 }
2797 else if (Ustrcmp(argrest, "mad") == 0)
2798 {
2799 msg_action = MSG_MARK_ALL_DELIVERED;
2800 }
2801 else if (Ustrcmp(argrest, "md") == 0)
2802 {
2803 msg_action = MSG_MARK_DELIVERED;
2804 one_msg_action = TRUE;
2805 }
2806 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
0ef732d9
PH
2807 else if (Ustrcmp(argrest, "set") == 0)
2808 {
2809 msg_action = MSG_LOAD;
2810 one_msg_action = TRUE;
2811 }
059ec3d9
PH
2812 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2813 else if (Ustrcmp(argrest, "vb") == 0)
2814 {
2815 msg_action = MSG_SHOW_BODY;
2816 one_msg_action = TRUE;
2817 }
a96603a0
PH
2818 else if (Ustrcmp(argrest, "vc") == 0)
2819 {
2820 msg_action = MSG_SHOW_COPY;
2821 one_msg_action = TRUE;
2822 }
059ec3d9
PH
2823 else if (Ustrcmp(argrest, "vh") == 0)
2824 {
2825 msg_action = MSG_SHOW_HEADER;
2826 one_msg_action = TRUE;
2827 }
2828 else if (Ustrcmp(argrest, "vl") == 0)
2829 {
2830 msg_action = MSG_SHOW_LOG;
2831 one_msg_action = TRUE;
2832 }
2833 else { badarg = TRUE; break; }
2834
2835 /* All the -Mxx options require at least one message id. */
2836
2837 msg_action_arg = i + 1;
2838 if (msg_action_arg >= argc)
2839 {
2840 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2841 return EXIT_FAILURE;
2842 }
2843
2844 /* Some require only message ids to follow */
2845
2846 if (!one_msg_action)
2847 {
2848 int j;
2849 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2850 {
2851 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2852 argv[j], arg);
2853 return EXIT_FAILURE;
2854 }
2855 goto END_ARG; /* Remaining args are ids */
2856 }
2857
2858 /* Others require only one message id, possibly followed by addresses,
2859 which will be handled as normal arguments. */
2860
2861 else
2862 {
2863 if (!mac_ismsgid(argv[msg_action_arg]))
2864 {
2865 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2866 argv[msg_action_arg], arg);
2867 return EXIT_FAILURE;
2868 }
2869 i++;
2870 }
2871 break;
2872
2873
2874 /* Some programs seem to call the -om option without the leading o;
2875 for sendmail it askes for "me too". Exim always does this. */
2876
2877 case 'm':
2878 if (*argrest != 0) badarg = TRUE;
2879 break;
2880
2881
2882 /* -N: don't do delivery - a debugging option that stops transports doing
2883 their thing. It implies debugging at the D_v level. */
2884
2885 case 'N':
2886 if (*argrest == 0)
2887 {
2888 dont_deliver = TRUE;
2889 debug_selector |= D_v;
2890 debug_file = stderr;
2891 }
2892 else badarg = TRUE;
2893 break;
2894
2895
12f69989
PP
2896 /* -n: This means "don't alias" in sendmail, apparently.
2897 For normal invocations, it has no effect.
2898 It may affect some other options. */
059ec3d9
PH
2899
2900 case 'n':
12f69989 2901 flag_n = TRUE;
059ec3d9
PH
2902 break;
2903
2904 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2905 option to the specified value. This form uses long names. We need to handle
2906 -O option=value and -Ooption=value. */
2907
2908 case 'O':
2909 if (*argrest == 0)
2910 {
2911 if (++i >= argc)
2912 {
2913 fprintf(stderr, "exim: string expected after -O\n");
2914 exit(EXIT_FAILURE);
2915 }
2916 }
2917 break;
2918
2919 case 'o':
2920
2921 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2922 file" option). */
2923
2924 if (*argrest == 'A')
2925 {
2926 alias_arg = argrest + 1;
2927 if (alias_arg[0] == 0)
2928 {
2929 if (i+1 < argc) alias_arg = argv[++i]; else
2930 {
2931 fprintf(stderr, "exim: string expected after -oA\n");
2932 exit(EXIT_FAILURE);
2933 }
2934 }
2935 }
2936
2937 /* -oB: Set a connection message max value for remote deliveries */
2938
2939 else if (*argrest == 'B')
2940 {
2941 uschar *p = argrest + 1;
2942 if (p[0] == 0)
2943 {
2944 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2945 {
2946 connection_max_messages = 1;
2947 p = NULL;
2948 }
2949 }
2950
2951 if (p != NULL)
2952 {
2953 if (!isdigit(*p))
2954 {
2955 fprintf(stderr, "exim: number expected after -oB\n");
2956 exit(EXIT_FAILURE);
2957 }
2958 connection_max_messages = Uatoi(p);
2959 }
2960 }
2961
2962 /* -odb: background delivery */
2963
2964 else if (Ustrcmp(argrest, "db") == 0)
2965 {
2966 synchronous_delivery = FALSE;
2967 arg_queue_only = FALSE;
2968 queue_only_set = TRUE;
2969 }
2970
2971 /* -odf: foreground delivery (smail-compatible option); same effect as
2972 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2973 */
2974
2975 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2976 {
2977 synchronous_delivery = TRUE;
2978 arg_queue_only = FALSE;
2979 queue_only_set = TRUE;
2980 }
2981
2982 /* -odq: queue only */
2983
2984 else if (Ustrcmp(argrest, "dq") == 0)
2985 {
2986 synchronous_delivery = FALSE;
2987 arg_queue_only = TRUE;
2988 queue_only_set = TRUE;
2989 }
2990
2991 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2992 but no remote delivery */
2993
2994 else if (Ustrcmp(argrest, "dqs") == 0)
2995 {
2996 queue_smtp = TRUE;
2997 arg_queue_only = FALSE;
2998 queue_only_set = TRUE;
2999 }
3000
3001 /* -oex: Sendmail error flags. As these are also accepted without the
3002 leading -o prefix, for compatibility with vacation and other callers,
3003 they are handled with -e above. */
3004
3005 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
3006 -oitrue: Another sendmail syntax for the same */
3007
3008 else if (Ustrcmp(argrest, "i") == 0 ||
3009 Ustrcmp(argrest, "itrue") == 0)
3010 dot_ends = FALSE;
3011
3012 /* -oM*: Set various characteristics for an incoming message; actually
3013 acted on for trusted callers only. */
3014
3015 else if (*argrest == 'M')
3016 {
3017 if (i+1 >= argc)
3018 {
3019 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
3020 exit(EXIT_FAILURE);
3021 }
3022
3023 /* -oMa: Set sender host address */
3024
3025 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
3026
3027 /* -oMaa: Set authenticator name */
3028
3029 else if (Ustrcmp(argrest, "Maa") == 0)
3030 sender_host_authenticated = argv[++i];
3031
3032 /* -oMas: setting authenticated sender */
3033
3034 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
3035
3036 /* -oMai: setting authenticated id */
3037
3038 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
3039
3040 /* -oMi: Set incoming interface address */
3041
3042 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
3043
d2af03f4
HS
3044 /* -oMm: Message reference */
3045
3046 else if (Ustrcmp(argrest, "Mm") == 0)
3047 {
3048 if (!mac_ismsgid(argv[i+1]))
3049 {
3050 fprintf(stderr,"-oMm must be a valid message ID\n");
3051 exit(EXIT_FAILURE);
3052 }
3053 if (!trusted_config)
3054 {
3055 fprintf(stderr,"-oMm must be called by a trusted user/config\n");
3056 exit(EXIT_FAILURE);
3057 }
3058 message_reference = argv[++i];
3059 }
3060
059ec3d9
PH
3061 /* -oMr: Received protocol */
3062
65e061b7
HSHR
3063 else if (Ustrcmp(argrest, "Mr") == 0)
3064
3065 if (received_protocol)
3066 {
3067 fprintf(stderr, "received_protocol is set already\n");
3068 exit(EXIT_FAILURE);
3069 }
3070 else received_protocol = argv[++i];
059ec3d9
PH
3071
3072 /* -oMs: Set sender host name */
3073
3074 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3075
3076 /* -oMt: Set sender ident */
3077
33d73e3b
PH
3078 else if (Ustrcmp(argrest, "Mt") == 0)
3079 {
3080 sender_ident_set = TRUE;
3081 sender_ident = argv[++i];
3082 }
059ec3d9
PH
3083
3084 /* Else a bad argument */
3085
3086 else
3087 {
3088 badarg = TRUE;
3089 break;
3090 }
3091 }
3092
3093 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3094 seem to call this as -m (undocumented), so that is also accepted (see
3095 above). */
3096
3097 else if (Ustrcmp(argrest, "m") == 0) {}
3098
3099 /* -oo: An ancient flag for old-style addresses which still seems to
3100 crop up in some calls (see in SCO). */
3101
3102 else if (Ustrcmp(argrest, "o") == 0) {}
3103
3104 /* -oP <name>: set pid file path for daemon */
3105
3106 else if (Ustrcmp(argrest, "P") == 0)
3107 override_pid_file_path = argv[++i];
3108
3109 /* -or <n>: set timeout for non-SMTP acceptance
3110 -os <n>: set timeout for SMTP acceptance */
3111
3112 else if (*argrest == 'r' || *argrest == 's')
3113 {
3114 int *tp = (*argrest == 'r')?
3115 &arg_receive_timeout : &arg_smtp_receive_timeout;
3116 if (argrest[1] == 0)
3117 {
3118 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3119 }
3120 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3121 if (*tp < 0)
3122 {
3123 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3124 exit(EXIT_FAILURE);
3125 }
3126 }
3127
3128 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3129
3130 else if (Ustrcmp(argrest, "X") == 0)
3131 override_local_interfaces = argv[++i];
3132
3133 /* Unknown -o argument */
3134
3135 else badarg = TRUE;
3136 break;
3137
3138
3139 /* -ps: force Perl startup; -pd force delayed Perl startup */
3140
3141 case 'p':
3142 #ifdef EXIM_PERL
3143 if (*argrest == 's' && argrest[1] == 0)
3144 {
3145 perl_start_option = 1;
3146 break;
3147 }
3148 if (*argrest == 'd' && argrest[1] == 0)
3149 {
3150 perl_start_option = -1;
3151 break;
3152 }
3153 #endif
3154
3155 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3156 which sets the host protocol and host name */
3157
3158 if (*argrest == 0)
5bfe3b35
JH
3159 if (i+1 < argc)
3160 argrest = argv[++i];
3161 else
059ec3d9 3162 { badarg = TRUE; break; }
059ec3d9
PH
3163
3164 if (*argrest != 0)
3165 {
65e061b7
HSHR
3166 uschar *hn;
3167
3168 if (received_protocol)
3169 {
3170 fprintf(stderr, "received_protocol is set already\n");
3171 exit(EXIT_FAILURE);
3172 }
3173
3174 hn = Ustrchr(argrest, ':');
059ec3d9 3175 if (hn == NULL)
059ec3d9 3176 received_protocol = argrest;
059ec3d9
PH
3177 else
3178 {
90341c71
JH
3179 int old_pool = store_pool;
3180 store_pool = POOL_PERM;
059ec3d9 3181 received_protocol = string_copyn(argrest, hn - argrest);
90341c71 3182 store_pool = old_pool;
059ec3d9
PH
3183 sender_host_name = hn + 1;
3184 }
3185 }
3186 break;
3187
3188
3189 case 'q':
3190 receiving_message = FALSE;
3cc66b45
PH
3191 if (queue_interval >= 0)
3192 {
3193 fprintf(stderr, "exim: -q specified more than once\n");
3194 exit(EXIT_FAILURE);
3195 }
059ec3d9
PH
3196
3197 /* -qq...: Do queue runs in a 2-stage manner */
3198
3199 if (*argrest == 'q')
3200 {
3201 queue_2stage = TRUE;
3202 argrest++;
3203 }
3204
3205 /* -qi...: Do only first (initial) deliveries */
3206
3207 if (*argrest == 'i')
3208 {
3209 queue_run_first_delivery = TRUE;
3210 argrest++;
3211 }
3212
3213 /* -qf...: Run the queue, forcing deliveries
3214 -qff..: Ditto, forcing thawing as well */
3215
3216 if (*argrest == 'f')
3217 {
3218 queue_run_force = TRUE;
55e70e76 3219 if (*++argrest == 'f')
059ec3d9
PH
3220 {
3221 deliver_force_thaw = TRUE;
3222 argrest++;
3223 }
3224 }
3225
3226 /* -q[f][f]l...: Run the queue only on local deliveries */
3227
3228 if (*argrest == 'l')
3229 {
3230 queue_run_local = TRUE;
3231 argrest++;
3232 }
3233
55e70e76 3234 /* -q[f][f][l][G<name>]... Work on the named queue */
28b3821f
JH
3235
3236 if (*argrest == 'G')
3237 {
fa665e0b
JH
3238 int i;
3239 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3240 queue_name = string_copyn(argrest, i);
3241 argrest += i;
3242 if (*argrest == '/') argrest++;
28b3821f
JH
3243 }
3244
3245 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3246 only, optionally named, optionally starting from a given message id. */
059ec3d9
PH
3247
3248 if (*argrest == 0 &&
3249 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3250 {
3251 queue_interval = 0;
3252 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3253 start_queue_run_id = argv[++i];
3254 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3255 stop_queue_run_id = argv[++i];
3256 }
3257
fa665e0b
JH
3258 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3259 forced, optionally local only, optionally named. */
059ec3d9 3260
55e70e76
JH
3261 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3262 0, FALSE)) <= 0)
059ec3d9 3263 {
55e70e76
JH
3264 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3265 exit(EXIT_FAILURE);
059ec3d9
PH
3266 }
3267 break;
3268
3269
3270 case 'R': /* Synonymous with -qR... */
3271 receiving_message = FALSE;
3272
3273 /* -Rf: As -R (below) but force all deliveries,
3274 -Rff: Ditto, but also thaw all frozen messages,
3275 -Rr: String is regex
3276 -Rrf: Regex and force
3277 -Rrff: Regex and force and thaw
3278
3279 in all cases provided there are no further characters in this
3280 argument. */
3281
3282 if (*argrest != 0)
3283 {
3284 int i;
55e70e76 3285 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3286 if (Ustrcmp(argrest, rsopts[i]) == 0)
3287 {
3288 if (i != 2) queue_run_force = TRUE;
3289 if (i >= 2) deliver_selectstring_regex = TRUE;
3290 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3291 argrest += Ustrlen(rsopts[i]);
3292 }
059ec3d9
PH
3293 }
3294
3295 /* -R: Set string to match in addresses for forced queue run to
3296 pick out particular messages. */
3297
55e70e76
JH
3298 if (*argrest)
3299 deliver_selectstring = argrest;
3300 else if (i+1 < argc)
3301 deliver_selectstring = argv[++i];
3302 else
059ec3d9 3303 {
55e70e76
JH
3304 fprintf(stderr, "exim: string expected after -R\n");
3305 exit(EXIT_FAILURE);
059ec3d9 3306 }
059ec3d9
PH
3307 break;
3308
3309
3310 /* -r: an obsolete synonym for -f (see above) */
3311
3312
3313 /* -S: Like -R but works on sender. */
3314
3315 case 'S': /* Synonymous with -qS... */
3316 receiving_message = FALSE;
3317
3318 /* -Sf: As -S (below) but force all deliveries,
3319 -Sff: Ditto, but also thaw all frozen messages,
3320 -Sr: String is regex
3321 -Srf: Regex and force
3322 -Srff: Regex and force and thaw
3323
3324 in all cases provided there are no further characters in this
3325 argument. */
3326
55e70e76 3327 if (*argrest)
059ec3d9
PH
3328 {
3329 int i;
55e70e76 3330 for (i = 0; i < nelem(rsopts); i++)
059ec3d9
PH
3331 if (Ustrcmp(argrest, rsopts[i]) == 0)
3332 {
3333 if (i != 2) queue_run_force = TRUE;
3334 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3335 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3336 argrest += Ustrlen(rsopts[i]);
3337 }
059ec3d9
PH
3338 }
3339
3340 /* -S: Set string to match in addresses for forced queue run to
3341 pick out particular messages. */
3342
55e70e76
JH
3343 if (*argrest)
3344 deliver_selectstring_sender = argrest;
3345 else if (i+1 < argc)
3346 deliver_selectstring_sender = argv[++i];
3347 else
059ec3d9 3348 {
55e70e76
JH
3349 fprintf(stderr, "exim: string expected after -S\n");
3350 exit(EXIT_FAILURE);
059ec3d9 3351 }
059ec3d9
PH
3352 break;
3353
3354 /* -Tqt is an option that is exclusively for use by the testing suite.
3355 It is not recognized in other circumstances. It allows for the setting up
3356 of explicit "queue times" so that various warning/retry things can be
3357 tested. Otherwise variability of clock ticks etc. cause problems. */
3358
3359 case 'T':
3360 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3361 fudged_queue_times = argv[++i];
3362 else badarg = TRUE;
3363 break;
3364
3365
3366 /* -t: Set flag to extract recipients from body of message. */
3367
3368 case 't':
3369 if (*argrest == 0) extract_recipients = TRUE;
3370
3371 /* -ti: Set flag to extract recipients from body of message, and also
3372 specify that dot does not end the message. */
3373
3374 else if (Ustrcmp(argrest, "i") == 0)
3375 {
3376 extract_recipients = TRUE;
3377 dot_ends = FALSE;
3378 }
3379
3380 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3381
3382 #ifdef SUPPORT_TLS
817d9f57 3383 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
059ec3d9
PH
3384 #endif
3385
3386 else badarg = TRUE;
3387 break;
3388
3389
3390 /* -U: This means "initial user submission" in sendmail, apparently. The
3391 doc claims that in future sendmail may refuse syntactically invalid
3392 messages instead of fixing them. For the moment, we just ignore it. */
3393
3394 case 'U':
3395 break;
3396
3397
3398 /* -v: verify things - this is a very low-level debugging */
3399
3400 case 'v':
3401 if (*argrest == 0)
3402 {
3403 debug_selector |= D_v;
3404 debug_file = stderr;
3405 }
3406 else badarg = TRUE;
3407 break;
3408
3409
3410 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3411
3412 The -x flag tells the sendmail command that mail from a local
3413 mail program has National Language Support (NLS) extended characters
3414 in the body of the mail item. The sendmail command can send mail with
3415 extended NLS characters across networks that normally corrupts these
3416 8-bit characters.
3417
3418 As Exim is 8-bit clean, it just ignores this flag. */
3419
3420 case 'x':
3421 if (*argrest != 0) badarg = TRUE;
3422 break;
3423
a3fb9793
PP
3424 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3425 logs to that file. We swallow the parameter and otherwise ignore it. */
3426
3427 case 'X':
3428 if (*argrest == '\0')
a3fb9793
PP
3429 if (++i >= argc)
3430 {
3431 fprintf(stderr, "exim: string expected after -X\n");
3432 exit(EXIT_FAILURE);
3433 }
0ad2e0fc
JH
3434 break;
3435
3436 case 'z':
3437 if (*argrest == '\0')
3438 if (++i < argc) log_oneline = argv[i]; else
3439 {
3440 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
3441 exit(EXIT_FAILURE);
3442 }
a3fb9793
PP
3443 break;
3444
059ec3d9
PH
3445 /* All other initial characters are errors */
3446
3447 default:
3448 badarg = TRUE;
3449 break;
3450 } /* End of high-level switch statement */
3451
3452 /* Failed to recognize the option, or syntax error */
3453
3454 if (badarg)
3455 {
3456 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3457 "option %s\n", arg);
3458 exit(EXIT_FAILURE);
3459 }
3460 }
3461
3462
3cc66b45
PH
3463/* If -R or -S have been specified without -q, assume a single queue run. */
3464
55e70e76
JH
3465if ( (deliver_selectstring || deliver_selectstring_sender)
3466 && queue_interval < 0)
3467 queue_interval = 0;
3cc66b45
PH
3468
3469
059ec3d9 3470END_ARG:
81ea09ca
NM
3471/* If usage_wanted is set we call the usage function - which never returns */
3472if (usage_wanted) exim_usage(called_as);
3473
3474/* Arguments have been processed. Check for incompatibilities. */
059ec3d9
PH
3475if ((
3476 (smtp_input || extract_recipients || recipients_arg < argc) &&
3477 (daemon_listen || queue_interval >= 0 || bi_option ||
3478 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
f05da2e8 3479 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
059ec3d9
PH
3480 ) ||
3481 (
3482 msg_action_arg > 0 &&
44915474 3483 (daemon_listen || queue_interval > 0 || list_options ||
0ef732d9
PH
3484 (checking && msg_action != MSG_LOAD) ||
3485 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
059ec3d9
PH
3486 ) ||
3487 (
55e70e76 3488 (daemon_listen || queue_interval > 0) &&
059ec3d9 3489 (sender_address != NULL || list_options || list_queue || checking ||
0ef732d9 3490 bi_option)
059ec3d9
PH
3491 ) ||
3492 (
3493 daemon_listen && queue_interval == 0
3494 ) ||
3495 (
9ee44efb
PP
3496 inetd_wait_mode && queue_interval >= 0
3497 ) ||
3498 (
059ec3d9
PH
3499 list_options &&
3500 (checking || smtp_input || extract_recipients ||
f05da2e8 3501 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3502 ) ||
3503 (
3504 verify_address_mode &&
3505 (address_test_mode || smtp_input || extract_recipients ||
f05da2e8 3506 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3507 ) ||
3508 (
3509 address_test_mode && (smtp_input || extract_recipients ||
f05da2e8 3510 filter_test != FTEST_NONE || bi_option)
059ec3d9
PH
3511 ) ||
3512 (
f05da2e8 3513 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
059ec3d9
PH
3514 extract_recipients)
3515 ) ||
3516 (
3517 deliver_selectstring != NULL && queue_interval < 0
328895cc
PH
3518 ) ||
3519 (
3520 msg_action == MSG_LOAD &&
3521 (!expansion_test || expansion_test_message != NULL)
059ec3d9
PH
3522 )
3523 )
3524 {
3525 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3526 exit(EXIT_FAILURE);
3527 }
3528
3529/* If debugging is set up, set the file and the file descriptor to pass on to
3530child processes. It should, of course, be 2 for stderr. Also, force the daemon
3531to run in the foreground. */
3532
3533if (debug_selector != 0)
3534 {
3535 debug_file = stderr;
3536 debug_fd = fileno(debug_file);
3537 background_daemon = FALSE;
3538 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3539 if (debug_selector != D_v) /* -v only doesn't show this */
3540 {
3541 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3542 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3543 debug_selector);
6545de78
PP
3544 if (!version_printed)
3545 show_whats_supported(stderr);
059ec3d9
PH
3546 }
3547 }
3548
3549/* When started with root privilege, ensure that the limits on the number of
3550open files and the number of processes (where that is accessible) are
3551sufficiently large, or are unset, in case Exim has been called from an
3552environment where the limits are screwed down. Not all OS have the ability to
3553change some of these limits. */
3554
3555if (unprivileged)
3556 {
3557 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3558 }
3559else
3560 {
3561 struct rlimit rlp;
3562
3563 #ifdef RLIMIT_NOFILE
3564 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3565 {
3566 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3567 strerror(errno));
3568 rlp.rlim_cur = rlp.rlim_max = 0;
3569 }
eb2c0248
PH
3570
3571 /* I originally chose 1000 as a nice big number that was unlikely to
a494b1e1
PH
3572 be exceeded. It turns out that some older OS have a fixed upper limit of
3573 256. */
eb2c0248 3574
059ec3d9
PH
3575 if (rlp.rlim_cur < 1000)
3576 {
3577 rlp.rlim_cur = rlp.rlim_max = 1000;
3578 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
eb2c0248 3579 {
a494b1e1
PH
3580 rlp.rlim_cur = rlp.rlim_max = 256;
3581 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3582 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3583 strerror(errno));
eb2c0248 3584 }
059ec3d9
PH
3585 }
3586 #endif
3587
3588 #ifdef RLIMIT_NPROC
3589 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3590 {
3591 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3592 strerror(errno));
3593 rlp.rlim_cur = rlp.rlim_max = 0;
3594 }
3595
3596 #ifdef RLIM_INFINITY
3597 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3598 {
3599 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3600 #else
3601 if (rlp.rlim_cur < 1000)
3602 {
3603 rlp.rlim_cur = rlp.rlim_max = 1000;
3604 #endif
3605 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3606 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3607 strerror(errno));
3608 }
3609 #endif
3610 }
3611
3612/* Exim is normally entered as root (but some special configurations are
3613possible that don't do this). However, it always spins off sub-processes that
3614set their uid and gid as required for local delivery. We don't want to pass on
3615any extra groups that root may belong to, so we want to get rid of them all at
3616this point.
3617
3618We need to obey setgroups() at this stage, before possibly giving up root
3619privilege for a changed configuration file, but later on we might need to
3620check on the additional groups for the admin user privilege - can't do that
3621till after reading the config, which might specify the exim gid. Therefore,
3622save the group list here first. */
3623
3624group_count = getgroups(NGROUPS_MAX, group_list);
cd59ab18
PP
3625if (group_count < 0)
3626 {
3627 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3628 exit(EXIT_FAILURE);
3629 }
059ec3d9
PH
3630
3631/* There is a fundamental difference in some BSD systems in the matter of
3632groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3633known not to be different. On the "different" systems there is a single group
3634list, and the first entry in it is the current group. On all other versions of
3635Unix there is a supplementary group list, which is in *addition* to the current
3636group. Consequently, to get rid of all extraneous groups on a "standard" system
3637you pass over 0 groups to setgroups(), while on a "different" system you pass
3638over a single group - the current group, which is always the first group in the
3639list. Calling setgroups() with zero groups on a "different" system results in
3640an error return. The following code should cope with both types of system.
3641
3642However, if this process isn't running as root, setgroups() can't be used
3643since you have to be root to run it, even if throwing away groups. Not being
3644root here happens only in some unusual configurations. We just ignore the
3645error. */
3646
3647if (setgroups(0, NULL) != 0)
3648 {
3649 if (setgroups(1, group_list) != 0 && !unprivileged)
3650 {
3651 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3652 exit(EXIT_FAILURE);
3653 }
3654 }
3655
3656/* If the configuration file name has been altered by an argument on the
3657command line (either a new file name or a macro definition) and the caller is
cd25e41d
DW
3658not root, or if this is a filter testing run, remove any setuid privilege the
3659program has and run as the underlying user.
059ec3d9 3660
cd25e41d
DW
3661The exim user is locked out of this, which severely restricts the use of -C
3662for some purposes.
059ec3d9
PH
3663
3664Otherwise, set the real ids to the effective values (should be root unless run
3665from inetd, which it can either be root or the exim uid, if one is configured).
3666
3667There is a private mechanism for bypassing some of this, in order to make it
3668possible to test lots of configurations automatically, without having either to
3669recompile each time, or to patch in an actual configuration file name and other
3670values (such as the path name). If running in the test harness, pretend that
3671configuration file changes and macro definitions haven't happened. */
3672
3673if (( /* EITHER */
a7cbbf50 3674 (!trusted_config || /* Config changed, or */
a4034eb8 3675 !macros_trusted(opt_D_used)) && /* impermissible macros and */
059ec3d9 3676 real_uid != root_uid && /* Not root, and */
059ec3d9
PH
3677 !running_in_test_harness /* Not fudged */
3678 ) || /* OR */
3679 expansion_test /* expansion testing */
3680 || /* OR */
f05da2e8 3681 filter_test != FTEST_NONE) /* Filter testing */
059ec3d9
PH
3682 {
3683 setgroups(group_count, group_list);
3684 exim_setugid(real_uid, real_gid, FALSE,
3685 US"-C, -D, -be or -bf forces real uid");
3686 removed_privilege = TRUE;
3687
3688 /* In the normal case when Exim is called like this, stderr is available
3689 and should be used for any logging information because attempts to write
3690 to the log will usually fail. To arrange this, we unset really_exim. However,
3691 if no stderr is available there is no point - we might as well have a go
b7487bce 3692 at the log (if it fails, syslog will be written).
059ec3d9 3693
b7487bce
PP
3694 Note that if the invoker is Exim, the logs remain available. Messing with
3695 this causes unlogged successful deliveries. */
3696
3697 if ((log_stderr != NULL) && (real_uid != exim_uid))
3698 really_exim = FALSE;
059ec3d9
PH
3699 }
3700
3701/* Privilege is to be retained for the moment. It may be dropped later,
3702depending on the job that this Exim process has been asked to do. For now, set
3703the real uid to the effective so that subsequent re-execs of Exim are done by a
3704privileged user. */
3705
3706else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3707
f05da2e8 3708/* If testing a filter, open the file(s) now, before wasting time doing other
059ec3d9
PH
3709setups and reading the message. */
3710
f05da2e8
PH
3711if ((filter_test & FTEST_SYSTEM) != 0)
3712 {
3713 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3714 if (filter_sfd < 0)
3715 {
3716 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3717 strerror(errno));
3718 return EXIT_FAILURE;
3719 }
3720 }
3721
3722if ((filter_test & FTEST_USER) != 0)
059ec3d9 3723 {
f05da2e8
PH
3724 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3725 if (filter_ufd < 0)
059ec3d9 3726 {
f05da2e8 3727 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
059ec3d9
PH
3728 strerror(errno));
3729 return EXIT_FAILURE;
3730 }
3731 }
3732
8829633f
PP
3733/* Initialise lookup_list
3734If debugging, already called above via version reporting.
3735In either case, we initialise the list of available lookups while running
3736as root. All dynamically modules are loaded from a directory which is
3737hard-coded into the binary and is code which, if not a module, would be
3738part of Exim already. Ability to modify the content of the directory
3739is equivalent to the ability to modify a setuid binary!
3740
3741This needs to happen before we read the main configuration. */
3742init_lookup_list();
3743
8c5d388a 3744#ifdef SUPPORT_I18N
9d4319df
JH
3745if (running_in_test_harness) smtputf8_advertise_hosts = NULL;
3746#endif
3747
059ec3d9
PH
3748/* Read the main runtime configuration data; this gives up if there
3749is a failure. It leaves the configuration file open so that the subsequent
3de973a2 3750configuration data for delivery can be read if needed.
059ec3d9 3751
3de973a2
HSHR
3752NOTE: immediatly after opening the configuration file we change the working
3753directory to "/"! Later we change to $spool_directory. We do it there, because
3754during readconf_main() some expansion takes place already. */
bc3c7bb7 3755
cd328be9
JH
3756/* Store the initial cwd before we change directories. Can be NULL if the
3757dir has already been unlinked. */
3758initial_cwd = os_getcwd(NULL, 0);
3615fa9a 3759
34e86e20
HSHR
3760/* checking:
3761 -be[m] expansion test -
3762 -b[fF] filter test new
3763 -bh[c] host test -
3764 -bmalware malware_test_file new
3765 -brt retry test new
3766 -brw rewrite test new
3767 -bt address test -
3768 -bv[s] address verify -
3769 list_options:
3770 -bP <option> (except -bP config, which sets list_config)
3771
3772If any of these options is set, we suppress warnings about configuration
3773issues (currently about tls_advertise_hosts and keep_environment not being
3774defined) */
3775
3776readconf_main(checking || list_options);
059ec3d9 3777
32b8ce41
JH
3778if (builtin_macros_create_trigger) DEBUG(D_any)
3779 debug_printf("Builtin macros created (expensive) due to config line '%.*s'\n",
3780 Ustrlen(builtin_macros_create_trigger)-1, builtin_macros_create_trigger);
3781
3de973a2
HSHR
3782/* Now in directory "/" */
3783
bc3c7bb7
HSHR
3784if (cleanup_environment() == FALSE)
3785 log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
3786
3787
a3fb9793
PP
3788/* If an action on specific messages is requested, or if a daemon or queue
3789runner is being started, we need to know if Exim was called by an admin user.
3790This is the case if the real user is root or exim, or if the real group is
3791exim, or if one of the supplementary groups is exim or a group listed in
3792admin_groups. We don't fail all message actions immediately if not admin_user,
3793since some actions can be performed by non-admin users. Instead, set admin_user
3794for later interrogation. */
3795
3796if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3797 admin_user = TRUE;
3798else
3799 {
3800 int i, j;
32b8ce41
JH
3801 for (i = 0; i < group_count && !admin_user; i++)
3802 if (group_list[i] == exim_gid)
3803 admin_user = TRUE;
3804 else if (admin_groups)
3805 for (j = 1; j <= (int)admin_groups[0] && !admin_user; j++)
a3fb9793 3806 if (admin_groups[j] == group_list[i])
32b8ce41 3807 admin_user = TRUE;
a3fb9793
PP
3808 }
3809
3810/* Another group of privileged users are the trusted users. These are root,
3811exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3812are permitted to specify sender_addresses with -f on the command line, and
3813other message parameters as well. */
3814
3815if (real_uid == root_uid || real_uid == exim_uid)
3816 trusted_caller = TRUE;
3817else
3818 {
3819 int i, j;
3820
32b8ce41
JH
3821 if (trusted_users)
3822 for (i = 1; i <= (int)trusted_users[0] && !trusted_caller; i++)
a3fb9793 3823 if (trusted_users[i] == real_uid)
32b8ce41 3824 trusted_caller = TRUE;
a3fb9793 3825
32b8ce41
JH
3826 if (trusted_groups)
3827 for (i = 1; i <= (int)trusted_groups[0] && !trusted_caller; i++)
a3fb9793
PP
3828 if (trusted_groups[i] == real_gid)
3829 trusted_caller = TRUE;
32b8ce41 3830 else for (j = 0; j < group_count && !trusted_caller; j++)
a3fb9793 3831 if (trusted_groups[i] == group_list[j])
32b8ce41 3832 trusted_caller = TRUE;
a3fb9793
PP
3833 }
3834
f33875c3 3835/* At this point, we know if the user is privileged and some command-line
b4a1e238 3836options become possibly impermissible, depending upon the configuration file. */
f33875c3
PP
3837
3838if (checking && commandline_checks_require_admin && !admin_user) {
3839 fprintf(stderr, "exim: those command-line flags are set to require admin\n");
3840 exit(EXIT_FAILURE);
3841}
3842
059ec3d9
PH
3843/* Handle the decoding of logging options. */
3844
6c6d6e48 3845decode_bits(log_selector, log_selector_size, log_notall,
ed7f7860 3846 log_selector_string, log_options, log_options_count, US"log", 0);
059ec3d9
PH
3847
3848DEBUG(D_any)
3849 {
6c6d6e48 3850 int i;
059ec3d9 3851 debug_printf("configuration file is %s\n", config_main_filename);
6c6d6e48
TF
3852 debug_printf("log selectors =");
3853 for (i = 0; i < log_selector_size; i++)
3854 debug_printf(" %08x", log_selector[i]);
3855 debug_printf("\n");
059ec3d9
PH
3856 }
3857
3858/* If domain literals are not allowed, check the sender address that was
3859supplied with -f. Ditto for a stripped trailing dot. */
3860
3861if (sender_address != NULL)
3862 {
3863 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3864 {
3865 fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3866 "allowed\n", sender_address);
3867 return EXIT_FAILURE;
3868 }
3869 if (f_end_dot && !strip_trailing_dot)