Small delay in test harness to ensure debugging output comes out in the
[exim.git] / src / src / rda.c
CommitLineData
71d073ca 1/* $Cambridge: exim/src/src/rda.c,v 1.10 2005/08/08 13:21:46 ph10 Exp $ */
059ec3d9
PH
2
3/*************************************************
4* Exim - an Internet mail transport agent *
5*************************************************/
6
c988f1f4 7/* Copyright (c) University of Cambridge 1995 - 2005 */
059ec3d9
PH
8/* See the file NOTICE for conditions of use and distribution. */
9
10/* This module contains code for extracting addresses from a forwarding list
11(from an alias or forward file) or by running the filter interpreter. It may do
12this in a sub-process if a uid/gid are supplied. */
13
14
15#include "exim.h"
16
17enum { FILE_EXIST, FILE_NOT_EXIST, FILE_EXIST_UNCLEAR };
18
19#define REPLY_EXISTS 0x01
20#define REPLY_EXPAND 0x02
21#define REPLY_RETURN 0x04
22
23
24/*************************************************
25* Check string for filter program *
26*************************************************/
27
28/* This function checks whether a string is actually a filter program. The rule
29is that it must start with "# Exim filter ..." (any capitalization, spaces
30optional). It is envisaged that in future, other kinds of filter may be
31implemented. That's why it is implemented the way it is. The function is global
32because it is also called from filter.c when checking filters.
33
34Argument: the string
35
36Returns: FILTER_EXIM if it starts with "# Exim filter"
37 FILTER_SIEVE if it starts with "# Sieve filter"
38 FILTER_FORWARD otherwise
39*/
40
41/* This is an auxiliary function for matching a tag. */
42
43static BOOL
44match_tag(const uschar *s, const uschar *tag)
45{
46for (; *tag != 0; s++, tag++)
47 {
48 if (*tag == ' ')
49 {
50 while (*s == ' ' || *s == '\t') s++;
51 s--;
52 }
53 else if (tolower(*s) != tolower(*tag)) break;
54 }
55return (*tag == 0);
56}
57
58/* This is the real function. It should be easy to add checking different
59tags for other types of filter. */
60
61int
62rda_is_filter(const uschar *s)
63{
64while (isspace(*s)) s++; /* Skips initial blank lines */
65if (match_tag(s, CUS"# exim filter")) return FILTER_EXIM;
66 else if (match_tag(s, CUS"# sieve filter")) return FILTER_SIEVE;
67 else return FILTER_FORWARD;
68}
69
70
71
72
73/*************************************************
74* Check for existence of file *
75*************************************************/
76
77/* First of all, we stat the file. If this fails, we try to stat the enclosing
78directory, because a file in an unmounted NFS directory will look the same as a
79non-existent file. It seems that in Solaris 2.6, statting an entry in an
80indirect map that is currently unmounted does not cause the mount to happen.
81Instead, dummy data is returned, which defeats the whole point of this test.
82However, if a stat() is done on some object inside the directory, such as the
83"." back reference to itself, then the mount does occur. If an NFS host is
84taken offline, it is possible for the stat() to get stuck until it comes back.
85To guard against this, stick a timer round it. If we can't access the "."
86inside the directory, try the plain directory, just in case that helps.
87
88Argument:
89 filename the file name
90 error for message on error
91
92Returns: FILE_EXIST the file exists
93 FILE_NOT_EXIST the file does not exist
94 FILE_EXIST_UNCLEAR cannot determine existence
95*/
96
97static int
98rda_exists(uschar *filename, uschar **error)
99{
100int rc, saved_errno;
101uschar *slash;
102struct stat statbuf;
103
104if ((rc = Ustat(filename, &statbuf)) >= 0) return FILE_EXIST;
105saved_errno = errno;
106
107Ustrncpy(big_buffer, filename, big_buffer_size - 3);
108sigalrm_seen = FALSE;
109
110if (saved_errno == ENOENT)
111 {
112 slash = Ustrrchr(big_buffer, '/');
113 Ustrcpy(slash+1, ".");
114
115 alarm(30);
116 rc = Ustat(big_buffer, &statbuf);
117 if (rc != 0 && errno == EACCES && !sigalrm_seen)
118 {
119 *slash = 0;
120 rc = Ustat(big_buffer, &statbuf);
121 }
122 saved_errno = errno;
123 alarm(0);
124
125 DEBUG(D_route) debug_printf("stat(%s)=%d\n", big_buffer, rc);
126 }
127
128if (sigalrm_seen || rc != 0)
129 {
130 *error = string_sprintf("failed to stat %s (%s)", big_buffer,
131 sigalrm_seen? "timeout" : strerror(saved_errno));
132 return FILE_EXIST_UNCLEAR;
133 }
134
135*error = string_sprintf("%s does not exist", filename);
136DEBUG(D_route) debug_printf("%s\n", *error);
137return FILE_NOT_EXIST;
138}
139
140
141
142/*************************************************
143* Get forwarding list from a file *
144*************************************************/
145
146/* Open a file and read its entire contents into a block of memory. Certain
147opening errors are optionally treated the same as "file does not exist".
148
149ENOTDIR means that something along the line is not a directory: there are
150installations that set home directories to be /dev/null for non-login accounts
151but in normal circumstances this indicates some kind of configuration error.
152
153EACCES means there's a permissions failure. Some users turn off read permission
154on a .forward file to suspend forwarding, but this is probably an error in any
155kind of mailing list processing.
156
157The redirect block that contains the file name also contains constraints such
158as who may own the file, and mode bits that must not be set. This function is
159
160Arguments:
161 rdata rdirect block, containing file name and constraints
162 options for the RDO_ENOTDIR and RDO_EACCES options
163 error where to put an error message
164 yield what to return from rda_interpret on error
165
166Returns: pointer to string in store; NULL on error
167*/
168
169static uschar *
170rda_get_file_contents(redirect_block *rdata, int options, uschar **error,
171 int *yield)
172{
173FILE *fwd;
174uschar *filebuf;
175uschar *filename = rdata->string;
176BOOL uid_ok = !rdata->check_owner;
177BOOL gid_ok = !rdata->check_group;
178struct stat statbuf;
179
180/* Attempt to open the file. If it appears not to exist, check up on the
181containing directory by statting it. If the directory does not exist, we treat
182this situation as an error (which will cause delivery to defer); otherwise we
183pass back FF_NONEXIST, which causes the redirect router to decline.
184
185However, if the ignore_enotdir option is set (to ignore "something on the
186path is not a directory" errors), the right behaviour seems to be not to do the
187directory test. */
188
189fwd = Ufopen(filename, "rb");
190if (fwd == NULL)
191 {
192 switch(errno)
193 {
194 case ENOENT: /* File does not exist */
195 DEBUG(D_route) debug_printf("%s does not exist\n%schecking parent directory\n",
196 filename,
197 ((options & RDO_ENOTDIR) != 0)? "ignore_enotdir set => skip " : "");
198 *yield = (((options & RDO_ENOTDIR) != 0) ||
199 rda_exists(filename, error) == FILE_NOT_EXIST)?
200 FF_NONEXIST : FF_ERROR;
201 return NULL;
202
203 case ENOTDIR: /* Something on the path isn't a directory */
204 if ((options & RDO_ENOTDIR) == 0) goto DEFAULT_ERROR;
205 DEBUG(D_route) debug_printf("non-directory on path %s: file assumed not to "
206 "exist\n", filename);
207 *yield = FF_NONEXIST;
208 return NULL;
209
210 case EACCES: /* Permission denied */
211 if ((options & RDO_EACCES) == 0) goto DEFAULT_ERROR;
212 DEBUG(D_route) debug_printf("permission denied for %s: file assumed not to "
213 "exist\n", filename);
214 *yield = FF_NONEXIST;
215 return NULL;
216
217 DEFAULT_ERROR:
218 default:
219 *error = string_open_failed(errno, "%s", filename);
220 *yield = FF_ERROR;
221 return NULL;
222 }
223 }
224
225/* Check that we have a regular file. */
226
227if (fstat(fileno(fwd), &statbuf) != 0)
228 {
229 *error = string_sprintf("failed to stat %s: %s", filename, strerror(errno));
230 goto ERROR_RETURN;
231 }
232
233if ((statbuf.st_mode & S_IFMT) != S_IFREG)
234 {
235 *error = string_sprintf("%s is not a regular file", filename);
236 goto ERROR_RETURN;
237 }
238
239/* Check for unwanted mode bits */
240
241if ((statbuf.st_mode & rdata->modemask) != 0)
242 {
243 *error = string_sprintf("bad mode (0%o) for %s: 0%o bit(s) unexpected",
244 statbuf.st_mode, filename, statbuf.st_mode & rdata->modemask);
245 goto ERROR_RETURN;
246 }
247
248/* Check the file owner and file group if required to do so. */
249
250if (!uid_ok)
251 {
252 if (rdata->pw != NULL && statbuf.st_uid == rdata->pw->pw_uid)
253 uid_ok = TRUE;
254 else if (rdata->owners != NULL)
255 {
256 int i;
257 for (i = 1; i <= (int)(rdata->owners[0]); i++)
258 if (rdata->owners[i] == statbuf.st_uid) { uid_ok = TRUE; break; }
259 }
260 }
261
262if (!gid_ok)
263 {
264 if (rdata->pw != NULL && statbuf.st_gid == rdata->pw->pw_gid)
265 gid_ok = TRUE;
266 else if (rdata->owngroups != NULL)
267 {
268 int i;
269 for (i = 1; i <= (int)(rdata->owngroups[0]); i++)
270 if (rdata->owngroups[i] == statbuf.st_gid) { gid_ok = TRUE; break; }
271 }
272 }
273
274if (!uid_ok || !gid_ok)
275 {
276 *error = string_sprintf("bad %s for %s", uid_ok? "group" : "owner", filename);
277 goto ERROR_RETURN;
278 }
279
280/* Put an upper limit on the size of the file, just to stop silly people
281feeding in ridiculously large files, which can easily be created by making
282files that have holes in them. */
283
284if (statbuf.st_size > MAX_FILTER_SIZE)
285 {
286 *error = string_sprintf("%s is too big (max %d)", filename, MAX_FILTER_SIZE);
287 goto ERROR_RETURN;
288 }
289
290/* Read the file in one go in order to minimize the time we have it open. */
291
292filebuf = store_get(statbuf.st_size + 1);
293
294if (fread(filebuf, 1, statbuf.st_size, fwd) != statbuf.st_size)
295 {
296 *error = string_sprintf("error while reading %s: %s",
297 filename, strerror(errno));
298 goto ERROR_RETURN;
299 }
300filebuf[statbuf.st_size] = 0;
301
059ec3d9 302DEBUG(D_route)
b1c749bb 303 debug_printf(OFF_T_FMT " bytes read from %s\n", statbuf.st_size, filename);
059ec3d9 304
f1e894f3 305(void)fclose(fwd);
059ec3d9
PH
306return filebuf;
307
308/* Return an error: the string is already set up. */
309
310ERROR_RETURN:
311*yield = FF_ERROR;
f1e894f3 312(void)fclose(fwd);
059ec3d9
PH
313return NULL;
314}
315
316
317
318/*************************************************
319* Extract info from list or filter *
320*************************************************/
321
322/* This function calls the appropriate function to extract addresses from a
323forwarding list, or to run a filter file and get addresses from there.
324
325Arguments:
326 rdata the redirection block
327 options the options bits
328 include_directory restrain to this directory
329 sieve_vacation_directory passed to sieve_interpret
e4a89c47
PH
330 sieve_useraddress passed to sieve_interpret
331 sieve_subaddress passed to sieve_interpret
059ec3d9
PH
332 generated where to hang generated addresses
333 error for error messages
334 eblockp for details of skipped syntax errors
335 (NULL => no skip)
336 filtertype set to the filter type:
337 FILTER_FORWARD => a traditional .forward file
338 FILTER_EXIM => an Exim filter file
339 FILTER_SIEVE => a Sieve filter file
340 a system filter is always forced to be FILTER_EXIM
341
342Returns: a suitable return for rda_interpret()
343*/
344
345static int
346rda_extract(redirect_block *rdata, int options, uschar *include_directory,
e4a89c47
PH
347 uschar *sieve_vacation_directory, uschar *sieve_useraddress,
348 uschar *sieve_subaddress, address_item **generated, uschar **error,
059ec3d9
PH
349 error_block **eblockp, int *filtertype)
350{
351uschar *data;
352
353if (rdata->isfile)
354 {
355 int yield;
356 data = rda_get_file_contents(rdata, options, error, &yield);
357 if (data == NULL) return yield;
358 }
359else data = rdata->string;
360
361*filtertype = system_filtering? FILTER_EXIM : rda_is_filter(data);
362
363/* Filter interpretation is done by a general function that is also called from
364the filter testing option (-bf). There are two versions: one for Exim filtering
365and one for Sieve filtering. Several features of string expansion may be locked
366out at sites that don't trust users. This is done by setting flags in
367expand_forbid that the expander inspects. */
368
369if (*filtertype != FILTER_FORWARD)
370 {
371 int frc;
372 int old_expand_forbid = expand_forbid;
373
23c7ff99
PH
374 DEBUG(D_route) debug_printf("data is %s filter program\n",
375 (*filtertype == FILTER_EXIM)? "an Exim" : "a Sieve");
376
377 /* RDO_FILTER is an "allow" bit */
8e669ac1 378
059ec3d9
PH
379 if ((options & RDO_FILTER) == 0)
380 {
381 *error = US"filtering not enabled";
382 return FF_ERROR;
383 }
384
059ec3d9
PH
385 expand_forbid =
386 (expand_forbid & ~RDO_FILTER_EXPANSIONS) |
387 (options & RDO_FILTER_EXPANSIONS);
8e669ac1 388
23c7ff99 389 /* RDO_{EXIM,SIEVE}_FILTER are forbid bits */
8e669ac1 390
23c7ff99
PH
391 if (*filtertype == FILTER_EXIM)
392 {
393 if ((options & RDO_EXIM_FILTER) != 0)
394 {
395 *error = US"Exim filtering not enabled";
396 return FF_ERROR;
8e669ac1 397 }
23c7ff99 398 frc = filter_interpret(data, options, generated, error);
8e669ac1 399 }
23c7ff99
PH
400 else
401 {
402 if ((options & RDO_SIEVE_FILTER) != 0)
403 {
404 *error = US"Sieve filtering not enabled";
405 return FF_ERROR;
406 }
e4a89c47
PH
407 frc = sieve_interpret(data, options, sieve_vacation_directory,
408 sieve_useraddress, sieve_subaddress, generated, error);
8e669ac1 409 }
059ec3d9
PH
410
411 expand_forbid = old_expand_forbid;
412 return frc;
413 }
414
415/* Not a filter script */
416
417DEBUG(D_route) debug_printf("file is not a filter file\n");
418
419return parse_forward_list(data,
420 options, /* specials that are allowed */
421 generated, /* where to hang them */
422 error, /* for errors */
423 deliver_domain, /* to qualify \name */
424 include_directory, /* restrain to directory */
425 eblockp); /* for skipped syntax errors */
426}
427
428
429
430
431/*************************************************
432* Write string down pipe *
433*************************************************/
434
435/* This function is used for tranferring a string down a pipe between
436processes. If the pointer is NULL, a length of zero is written.
437
438Arguments:
439 fd the pipe
440 s the string
441
442Returns: nothing
443*/
444
445static void
446rda_write_string(int fd, uschar *s)
447{
448int len = (s == NULL)? 0 : Ustrlen(s) + 1;
f1e894f3
PH
449(void)write(fd, &len, sizeof(int));
450if (s != NULL) (void)write(fd, s, len);
059ec3d9
PH
451}
452
453
454
455/*************************************************
456* Read string from pipe *
457*************************************************/
458
459/* This function is used for receiving a string from a pipe.
460
461Arguments:
462 fd the pipe
463 sp where to put the string
464
465Returns: FALSE if data missing
466*/
467
468static BOOL
469rda_read_string(int fd, uschar **sp)
470{
471int len;
472
473if (read(fd, &len, sizeof(int)) != sizeof(int)) return FALSE;
474if (len == 0) *sp = NULL; else
475 {
476 *sp = store_get(len);
477 if (read(fd, *sp, len) != len) return FALSE;
478 }
479return TRUE;
480}
481
482
483
484/*************************************************
485* Interpret forward list or filter *
486*************************************************/
487
488/* This function is passed a forward list string (unexpanded) or the name of a
489file (unexpanded) whose contents are the forwarding list. The list may in fact
490be a filter program if it starts with "#Exim filter" or "#Sieve filter". Other
491types of filter, with different inital tag strings, may be introduced in due
492course.
493
494The job of the function is to process the forwarding list or filter. It is
495pulled out into this separate function, because it is used for system filter
496files as well as from the redirect router.
497
498If the function is given a uid/gid, it runs a subprocess that passes the
499results back via a pipe. This provides security for things like :include:s in
500users' .forward files, and "logwrite" calls in users' filter files. A
501sub-process is NOT used when:
502
503 . No uid/gid is provided
504 . The input is a string which is not a filter string, and does not contain
505 :include:
506 . The input is a file whose non-existence can be detected in the main
507 process (which is usually running as root).
508
509Arguments:
510 rdata redirect data (file + constraints, or data string)
511 options options to pass to the extraction functions,
512 plus ENOTDIR and EACCES handling bits
513 include_directory restrain :include: to this directory
514 sieve_vacation_directory directory passed to sieve_interpret()
e4a89c47
PH
515 sieve_useraddress passed to sieve_interpret
516 sieve_subaddress passed to sieve_interpret
059ec3d9
PH
517 ugid uid/gid to run under - if NULL, no change
518 generated where to hang generated addresses, initially NULL
519 error pointer for error message
520 eblockp for skipped syntax errors; NULL if no skipping
521 filtertype set to the type of file:
522 FILTER_FORWARD => traditional .forward file
523 FILTER_EXIM => an Exim filter file
524 FILTER_SIEVE => a Sieve filter file
525 a system filter is always forced to be FILTER_EXIM
526 rname router name for error messages in the format
527 "xxx router" or "system filter"
528
529Returns: values from extraction function, or FF_NONEXIST:
530 FF_DELIVERED success, a significant action was taken
531 FF_NOTDELIVERED success, no significant action
532 FF_BLACKHOLE :blackhole:
533 FF_DEFER defer requested
534 FF_FAIL fail requested
535 FF_INCLUDEFAIL some problem with :include:
536 FF_FREEZE freeze requested
537 FF_ERROR there was a problem
538 FF_NONEXIST the file does not exist
539*/
540
541int
542rda_interpret(redirect_block *rdata, int options, uschar *include_directory,
e4a89c47
PH
543 uschar *sieve_vacation_directory, uschar *sieve_useraddress,
544 uschar *sieve_subaddress, ugid_block *ugid, address_item **generated,
059ec3d9
PH
545 uschar **error, error_block **eblockp, int *filtertype, uschar *rname)
546{
547int fd, rc, pfd[2];
548int yield, status;
549BOOL had_disaster = FALSE;
550pid_t pid;
551uschar *data;
552uschar *readerror = US"";
553void (*oldsignal)(int);
554
555DEBUG(D_route) debug_printf("rda_interpret (%s): %s\n",
556 (rdata->isfile)? "file" : "string", rdata->string);
557
558/* Do the expansions of the file name or data first, while still privileged. */
559
560data = expand_string(rdata->string);
561if (data == NULL)
562 {
563 if (expand_string_forcedfail) return FF_NOTDELIVERED;
564 *error = string_sprintf("failed to expand \"%s\": %s", rdata->string,
565 expand_string_message);
566 return FF_ERROR;
567 }
568rdata->string = data;
569
570DEBUG(D_route) debug_printf("expanded: %s\n", data);
571
572if (rdata->isfile && data[0] != '/')
573 {
574 *error = string_sprintf("\"%s\" is not an absolute path", data);
575 return FF_ERROR;
576 }
577
578/* If no uid/gid are supplied, or if we have a data string which does not start
579with #Exim filter or #Sieve filter, and does not contain :include:, do all the
580work in this process. Note that for a system filter, we always have a file, so
581the work is done in this process only if no user is supplied. */
582
583if (!ugid->uid_set || /* Either there's no uid, or */
584 (!rdata->isfile && /* We've got the data, and */
585 rda_is_filter(data) == FILTER_FORWARD && /* It's not a filter script, */
586 Ustrstr(data, ":include:") == NULL)) /* and there's no :include: */
587 {
588 return rda_extract(rdata, options, include_directory,
e4a89c47
PH
589 sieve_vacation_directory, sieve_useraddress, sieve_subaddress,
590 generated, error, eblockp, filtertype);
059ec3d9
PH
591 }
592
593/* We need to run the processing code in a sub-process. However, if we can
594determine the non-existence of a file first, we can decline without having to
595create the sub-process. */
596
597if (rdata->isfile && rda_exists(data, error) == FILE_NOT_EXIST)
598 return FF_NONEXIST;
599
600/* If the file does exist, or we can't tell (non-root mounted NFS directory)
601we have to create the subprocess to do everything as the given user. The
602results of processing are passed back via a pipe. */
603
604if (pipe(pfd) != 0)
605 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "creation of pipe for filter or "
606 ":include: failed for %s: %s", rname, strerror(errno));
607
608/* Ensure that SIGCHLD is set to SIG_DFL before forking, so that the child
609process can be waited for. We sometimes get here with it set otherwise. Save
af46795e
PH
610the old state for resetting on the wait. Ensure that all cached resources are
611freed so that the subprocess starts with a clean slate and doesn't interfere
612with the parent process. */
059ec3d9
PH
613
614oldsignal = signal(SIGCHLD, SIG_DFL);
af46795e
PH
615search_tidyup();
616
059ec3d9
PH
617if ((pid = fork()) == 0)
618 {
619 header_line *waslast = header_last; /* Save last header */
620
621 fd = pfd[pipe_write];
f1e894f3 622 (void)close(pfd[pipe_read]);
059ec3d9
PH
623 exim_setugid(ugid->uid, ugid->gid, FALSE, rname);
624
625 /* Addresses can get rewritten in filters; if we are not root or the exim
626 user (and we probably are not), turn off rewrite logging, because we cannot
627 write to the log now. */
628
629 if (ugid->uid != root_uid && ugid->uid != exim_uid)
630 {
631 DEBUG(D_rewrite) debug_printf("turned off address rewrite logging (not "
632 "root or exim in this process)\n");
633 log_write_selector &= ~L_address_rewrite;
634 }
635
636 /* Now do the business */
637
638 yield = rda_extract(rdata, options, include_directory,
e4a89c47
PH
639 sieve_vacation_directory, sieve_useraddress, sieve_subaddress, generated,
640 error, eblockp, filtertype);
059ec3d9
PH
641
642 /* Pass back whether it was a filter, and the return code and any overall
643 error text via the pipe. */
644
f1e894f3
PH
645 (void)write(fd, filtertype, sizeof(int));
646 (void)write(fd, &yield, sizeof(int));
059ec3d9
PH
647 rda_write_string(fd, *error);
648
649 /* Pass back the contents of any syntax error blocks if we have a pointer */
650
651 if (eblockp != NULL)
652 {
653 error_block *ep;
654 for (ep = *eblockp; ep != NULL; ep = ep->next)
655 {
656 rda_write_string(fd, ep->text1);
657 rda_write_string(fd, ep->text2);
658 }
659 rda_write_string(fd, NULL); /* Indicates end of eblocks */
660 }
661
662 /* If this is a system filter, we have to pass back the numbers of any
663 original header lines that were removed, and then any header lines that were
664 added but not subsequently removed. */
665
666 if (system_filtering)
667 {
668 int i = 0;
669 header_line *h;
670 for (h = header_list; h != waslast->next; i++, h = h->next)
671 {
f1e894f3 672 if (h->type == htype_old) (void)write(fd, &i, sizeof(i));
059ec3d9
PH
673 }
674 i = -1;
f1e894f3 675 (void)write(fd, &i, sizeof(i));
059ec3d9
PH
676
677 while (waslast != header_last)
678 {
679 waslast = waslast->next;
680 if (waslast->type != htype_old)
681 {
682 rda_write_string(fd, waslast->text);
f1e894f3 683 (void)write(fd, &(waslast->type), sizeof(waslast->type));
059ec3d9
PH
684 }
685 }
686 rda_write_string(fd, NULL); /* Indicates end of added headers */
687 }
688
689 /* Write the contents of the $n variables */
690
f1e894f3 691 (void)write(fd, filter_n, sizeof(filter_n));
059ec3d9
PH
692
693 /* If the result was DELIVERED or NOTDELIVERED, we pass back the generated
694 addresses, and their associated information, through the pipe. This is
695 just tedious, but it seems to be the only safe way. We do this also for
696 FAIL and FREEZE, because a filter is allowed to set up deliveries that
697 are honoured before freezing or failing. */
698
699 if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
700 yield == FF_FAIL || yield == FF_FREEZE)
701 {
702 address_item *addr;
703 for (addr = *generated; addr != NULL; addr = addr->next)
704 {
705 int reply_options = 0;
706
707 rda_write_string(fd, addr->address);
f1e894f3
PH
708 (void)write(fd, &(addr->mode), sizeof(addr->mode));
709 (void)write(fd, &(addr->flags), sizeof(addr->flags));
059ec3d9
PH
710 rda_write_string(fd, addr->p.errors_address);
711
712 if (addr->pipe_expandn != NULL)
713 {
714 uschar **pp;
715 for (pp = addr->pipe_expandn; *pp != NULL; pp++)
716 rda_write_string(fd, *pp);
717 }
718 rda_write_string(fd, NULL);
719
720 if (addr->reply == NULL)
f1e894f3 721 (void)write(fd, &reply_options, sizeof(int)); /* 0 means no reply */
059ec3d9
PH
722 else
723 {
724 reply_options |= REPLY_EXISTS;
725 if (addr->reply->file_expand) reply_options |= REPLY_EXPAND;
726 if (addr->reply->return_message) reply_options |= REPLY_RETURN;
f1e894f3
PH
727 (void)write(fd, &reply_options, sizeof(int));
728 (void)write(fd, &(addr->reply->expand_forbid), sizeof(int));
729 (void)write(fd, &(addr->reply->once_repeat), sizeof(time_t));
059ec3d9
PH
730 rda_write_string(fd, addr->reply->to);
731 rda_write_string(fd, addr->reply->cc);
732 rda_write_string(fd, addr->reply->bcc);
733 rda_write_string(fd, addr->reply->from);
734 rda_write_string(fd, addr->reply->reply_to);
735 rda_write_string(fd, addr->reply->subject);
736 rda_write_string(fd, addr->reply->headers);
737 rda_write_string(fd, addr->reply->text);
738 rda_write_string(fd, addr->reply->file);
739 rda_write_string(fd, addr->reply->logfile);
740 rda_write_string(fd, addr->reply->oncelog);
741 }
742 }
743
744 rda_write_string(fd, NULL); /* Marks end of addresses */
745 }
746
af46795e
PH
747 /* OK, this process is now done. Free any cached resources. Must use _exit()
748 and not exit() !! */
059ec3d9 749
f1e894f3 750 (void)close(fd);
af46795e 751 search_tidyup();
059ec3d9
PH
752 _exit(0);
753 }
754
755/* Back in the main process: panic if the fork did not succeed. */
756
757if (pid < 0)
758 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for %s", rname);
759
760/* Read the pipe to get the data from the filter/forward. Our copy of the
761writing end must be closed first, as otherwise read() won't return zero on an
762empty pipe. Afterwards, close the reading end. */
763
f1e894f3 764(void)close(pfd[pipe_write]);
059ec3d9
PH
765
766/* Read initial data, including yield and contents of *error */
767
768fd = pfd[pipe_read];
769if (read(fd, filtertype, sizeof(int)) != sizeof(int) ||
770 read(fd, &yield, sizeof(int)) != sizeof(int) ||
771 !rda_read_string(fd, error)) goto DISASTER;
772
71d073ca
PH
773/* In the test harness, give the subprocess time to finish off and write
774any debugging output. */
775
776if (running_in_test_harness) millisleep(250);
777
059ec3d9
PH
778DEBUG(D_route)
779 debug_printf("rda_interpret: subprocess yield=%d error=%s\n", yield, *error);
780
781/* Read the contents of any syntax error blocks if we have a pointer */
782
783if (eblockp != NULL)
784 {
785 uschar *s;
786 error_block *e;
787 error_block **p = eblockp;
788 for (;;)
789 {
790 if (!rda_read_string(fd, &s)) goto DISASTER;
791 if (s == NULL) break;
792 e = store_get(sizeof(error_block));
793 e->next = NULL;
794 e->text1 = s;
795 if (!rda_read_string(fd, &s)) goto DISASTER;
796 e->text2 = s;
797 *p = e;
798 p = &(e->next);
799 }
800 }
801
802/* If this is a system filter, read the identify of any original header lines
803that were removed, and then read data for any new ones that were added. */
804
805if (system_filtering)
806 {
807 int hn = 0;
808 header_line *h = header_list;
809
810 for (;;)
811 {
812 int n;
813 if (read(fd, &n, sizeof(int)) != sizeof(int)) goto DISASTER;
814 if (n < 0) break;
815 while (hn < n)
816 {
817 hn++;
818 h = h->next;
819 if (h == NULL) goto DISASTER_NO_HEADER;
820 }
821 h->type = htype_old;
822 }
823
824 for (;;)
825 {
826 uschar *s;
827 int type;
828 if (!rda_read_string(fd, &s)) goto DISASTER;
829 if (s == NULL) break;
830 if (read(fd, &type, sizeof(type)) != sizeof(type)) goto DISASTER;
831 header_add(type, "%s", s);
832 }
833 }
834
835/* Read the values of the $n variables */
836
837if (read(fd, filter_n, sizeof(filter_n)) != sizeof(filter_n)) goto DISASTER;
838
839/* If the yield is DELIVERED, NOTDELIVERED, FAIL, or FREEZE there may follow
840addresses and data to go with them. Keep them in the same order in the
841generated chain. */
842
843if (yield == FF_DELIVERED || yield == FF_NOTDELIVERED ||
844 yield == FF_FAIL || yield == FF_FREEZE)
845 {
846 address_item **nextp = generated;
847
848 for (;;)
849 {
850 int i, reply_options;
851 address_item *addr;
852 uschar *recipient;
853 uschar *expandn[EXPAND_MAXN + 2];
854
855 /* First string is the address; NULL => end of addresses */
856
857 if (!rda_read_string(fd, &recipient)) goto DISASTER;
858 if (recipient == NULL) break;
859
860 /* Hang on the end of the chain */
861
862 addr = deliver_make_addr(recipient, FALSE);
863 *nextp = addr;
864 nextp = &(addr->next);
865
866 /* Next comes the mode and the flags fields */
867
868 if (read(fd, &(addr->mode), sizeof(addr->mode)) != sizeof(addr->mode) ||
869 read(fd, &(addr->flags), sizeof(addr->flags)) != sizeof(addr->flags) ||
870 !rda_read_string(fd, &(addr->p.errors_address))) goto DISASTER;
871
872 /* Next comes a possible setting for $thisaddress and any numerical
873 variables for pipe expansion, terminated by a NULL string. The maximum
874 number of numericals is EXPAND_MAXN. Note that we put filter_thisaddress
875 into the zeroth item in the vector - this is sorted out inside the pipe
876 transport. */
877
878 for (i = 0; i < EXPAND_MAXN + 1; i++)
879 {
880 uschar *temp;
881 if (!rda_read_string(fd, &temp)) goto DISASTER;
882 if (i == 0) filter_thisaddress = temp; /* Just in case */
883 expandn[i] = temp;
884 if (temp == NULL) break;
885 }
886
887 if (i > 0)
888 {
889 addr->pipe_expandn = store_get((i+1) * sizeof(uschar **));
890 addr->pipe_expandn[i] = NULL;
891 while (--i >= 0) addr->pipe_expandn[i] = expandn[i];
892 }
893
894 /* Then an int containing reply options; zero => no reply data. */
895
896 if (read(fd, &reply_options, sizeof(int)) != sizeof(int)) goto DISASTER;
897 if ((reply_options & REPLY_EXISTS) != 0)
898 {
899 addr->reply = store_get(sizeof(reply_item));
900
901 addr->reply->file_expand = (reply_options & REPLY_EXPAND) != 0;
902 addr->reply->return_message = (reply_options & REPLY_RETURN) != 0;
903
904 if (read(fd,&(addr->reply->expand_forbid),sizeof(int)) !=
905 sizeof(int) ||
906 read(fd,&(addr->reply->once_repeat),sizeof(time_t)) !=
907 sizeof(time_t) ||
908 !rda_read_string(fd, &(addr->reply->to)) ||
909 !rda_read_string(fd, &(addr->reply->cc)) ||
910 !rda_read_string(fd, &(addr->reply->bcc)) ||
911 !rda_read_string(fd, &(addr->reply->from)) ||
912 !rda_read_string(fd, &(addr->reply->reply_to)) ||
913 !rda_read_string(fd, &(addr->reply->subject)) ||
914 !rda_read_string(fd, &(addr->reply->headers)) ||
915 !rda_read_string(fd, &(addr->reply->text)) ||
916 !rda_read_string(fd, &(addr->reply->file)) ||
917 !rda_read_string(fd, &(addr->reply->logfile)) ||
918 !rda_read_string(fd, &(addr->reply->oncelog)))
919 goto DISASTER;
920 }
921 }
922 }
923
924/* All data has been transferred from the sub-process. Reap it, close the
925reading end of the pipe, and we are done. */
926
927WAIT_EXIT:
928while ((rc = wait(&status)) != pid)
929 {
930 if (rc < 0 && errno == ECHILD) /* Process has vanished */
931 {
932 log_write(0, LOG_MAIN, "redirection process %d vanished unexpectedly", pid);
933 goto FINAL_EXIT;
934 }
935 }
936
937if (had_disaster)
938 {
939 *error = string_sprintf("internal problem in %s: failure to transfer "
940 "data from subprocess: status=%04x%s%s%s", rname,
941 status, readerror,
942 (*error == NULL)? US"" : US": error=",
943 (*error == NULL)? US"" : *error);
944 log_write(0, LOG_MAIN|LOG_PANIC, "%s", *error);
945 }
946else if (status != 0)
947 {
948 log_write(0, LOG_MAIN|LOG_PANIC, "internal problem in %s: unexpected status "
949 "%04x from redirect subprocess (but data correctly received)", rname,
950 status);
951 }
952
953FINAL_EXIT:
f1e894f3 954(void)close(fd);
059ec3d9
PH
955signal(SIGCHLD, oldsignal); /* restore */
956return yield;
957
958
959/* Come here if the data indicates removal of a header that we can't find */
960
961DISASTER_NO_HEADER:
962readerror = US" readerror=bad header identifier";
963had_disaster = TRUE;
964yield = FF_ERROR;
965goto WAIT_EXIT;
966
967/* Come here is there's a shambles in transferring the data over the pipe. The
968value of errno should still be set. */
969
970DISASTER:
971readerror = string_sprintf(" readerror='%s'", strerror(errno));
972had_disaster = TRUE;
973yield = FF_ERROR;
974goto WAIT_EXIT;
975}
976
977/* End of rda.c */