projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix DSN Final-Recipient: field
[exim.git] / src / src / receive.c
CommitLineData
059ec3d9
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for receiving a message and setting up spool files. */
9
059ec3d9 10#include "exim.h"
9723f966 11#include <setjmp.h>
059ec3d9 12
6a8f9482
TK		 13#ifdef EXPERIMENTAL_DCC
14extern int dcc_ok;
15#endif
16
4840604e 17#ifdef EXPERIMENTAL_DMARC
c007c974 18# include "dmarc.h"
4840604e
TL		 19#endif /* EXPERIMENTAL_DMARC */
20
059ec3d9
PH		 21/*************************************************
22* Local static variables *
23*************************************************/
24
059ec3d9 25static int data_fd = -1;
41313d92 26static uschar *spool_name = US"";
059ec3d9 27
cff70eb1 28enum CH_STATE {LF_SEEN, MID_LINE, CR_SEEN};
059ec3d9 29
9723f966
JH		 30#ifdef HAVE_LOCAL_SCAN
31jmp_buf local_scan_env; /* error-handling context for local_scan */
32unsigned had_local_scan_crash;
33unsigned had_local_scan_timeout;
34#endif
35
059ec3d9
PH		 36
37/*************************************************
38* Non-SMTP character reading functions *
39*************************************************/
40
41/* These are the default functions that are set up in the variables such as
42receive_getc initially. They just call the standard functions, passing stdin as
43the file. (When SMTP input is occurring, different functions are used by
44changing the pointer variables.) */
45
46int
bd8fbe36 47stdin_getc(unsigned lim)
059ec3d9 48{
9723f966
JH		 49int c = getc(stdin);
50
51if (had_data_timeout)
52 {
53 fprintf(stderr, "exim: timed out while reading - message abandoned\n");
54 log_write(L_lost_incoming_connection,
55 LOG_MAIN, "timed out while reading local message");
56 receive_bomb_out(US"data-timeout", NULL); /* Does not return */
57 }
58if (had_data_sigint)
59 {
60 if (filter_test == FTEST_NONE)
61 {
62 fprintf(stderr, "\nexim: %s received - message abandoned\n",
63 had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
64 log_write(0, LOG_MAIN, "%s received while reading local message",
65 had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
66 }
67 receive_bomb_out(US"signal-exit", NULL); /* Does not return */
68 }
69return c;
059ec3d9
PH		 70}
71
72int
73stdin_ungetc(int c)
74{
75return ungetc(c, stdin);
76}
77
78int
79stdin_feof(void)
80{
81return feof(stdin);
82}
83
84int
85stdin_ferror(void)
86{
87return ferror(stdin);
88}
89
90
91
92
93/*************************************************
94* Check that a set sender is allowed *
95*************************************************/
96
97/* This function is called when a local caller sets an explicit sender address.
98It checks whether this is permitted, which it is for trusted callers.
99Otherwise, it must match the pattern(s) in untrusted_set_sender.
100
101Arguments: the proposed sender address
102Returns: TRUE for a trusted caller
103 TRUE if the address has been set, untrusted_set_sender has been
104 set, and the address matches something in the list
105 FALSE otherwise
106*/
107
108BOOL
109receive_check_set_sender(uschar *newsender)
110{
111uschar *qnewsender;
8768d548 112if (f.trusted_caller) return TRUE;
36d295f1
JH		 113if (!newsender || !untrusted_set_sender) return FALSE;
114qnewsender = Ustrchr(newsender, '@')
115 ? newsender : string_sprintf("%s@%s", newsender, qualify_domain_sender);
116return match_address_list_basic(qnewsender, CUSS &untrusted_set_sender, 0) == OK;
059ec3d9
PH		 117}
118
119
120
121
122/*************************************************
5cb8cbc6 123* Read space info for a partition *
059ec3d9
PH		 124*************************************************/
125
8e669ac1
PH		 126/* This function is called by receive_check_fs() below, and also by string
127expansion for variables such as $spool_space. The field names for the statvfs
5cb8cbc6
PH		 128structure are macros, because not all OS have F_FAVAIL and it seems tidier to
129have macros for F_BAVAIL and F_FILES as well. Some kinds of file system do not
130have inodes, and they return -1 for the number available.
059ec3d9 131
5cb8cbc6
PH		 132Later: It turns out that some file systems that do not have the concept of
133inodes return 0 rather than -1. Such systems should also return 0 for the total
8e669ac1 134number of inodes, so we require that to be greater than zero before returning
5cb8cbc6 135an inode count.
059ec3d9 136
5cb8cbc6
PH		 137Arguments:
138 isspool TRUE for spool partition, FALSE for log partition
139 inodeptr address of int to receive inode count; -1 if there isn't one
8e669ac1 140
5cb8cbc6 141Returns: available on-root space, in kilobytes
8e669ac1
PH		 142 -1 for log partition if there isn't one
143
144All values are -1 if the STATFS functions are not available.
059ec3d9
PH		 145*/
146
a45431fa 147int_eximarith_t
5cb8cbc6 148receive_statvfs(BOOL isspool, int *inodeptr)
059ec3d9
PH		 149{
150#ifdef HAVE_STATFS
059ec3d9 151struct STATVFS statbuf;
ddf1b11a 152struct stat dummy;
5cb8cbc6
PH		 153uschar *path;
154uschar *name;
155uschar buffer[1024];
059ec3d9 156
5cb8cbc6 157/* The spool directory must always exist. */
059ec3d9 158
5cb8cbc6 159if (isspool)
059ec3d9 160 {
8e669ac1
PH		 161 path = spool_directory;
162 name = US"spool";
163 }
164
059ec3d9
PH		 165/* Need to cut down the log file path to the directory, and to ignore any
166appearance of "syslog" in it. */
167
5cb8cbc6 168else
059ec3d9 169 {
059ec3d9 170 int sep = ':'; /* Not variable - outside scripts use */
55414b25 171 const uschar *p = log_file_path;
8e669ac1 172 name = US"log";
059ec3d9
PH		 173
174 /* An empty log_file_path means "use the default". This is the same as an
175 empty item in a list. */
176
177 if (*p == 0) p = US":";
55414b25
JH		 178 while ((path = string_nextinlist(&p, &sep, buffer, sizeof(buffer))))
179 if (Ustrcmp(path, "syslog") != 0)
180 break;
059ec3d9 181
5cb8cbc6
PH		 182 if (path == NULL) /* No log files */
183 {
8e669ac1
PH		 184 *inodeptr = -1;
185 return -1;
186 }
059ec3d9 187
8e669ac1
PH		 188 /* An empty string means use the default, which is in the spool directory.
189 But don't just use the spool directory, as it is possible that the log
5cb8cbc6 190 subdirectory has been symbolically linked elsewhere. */
059ec3d9 191
8e669ac1 192 if (path[0] == 0)
059ec3d9 193 {
5cb8cbc6
PH		 194 sprintf(CS buffer, CS"%s/log", CS spool_directory);
195 path = buffer;
8e669ac1
PH		 196 }
197 else
059ec3d9 198 {
8e669ac1 199 uschar *cp;
5cb8cbc6 200 if ((cp = Ustrrchr(path, '/')) != NULL) *cp = 0;
8e669ac1 201 }
5cb8cbc6 202 }
8e669ac1 203
8f128379 204/* We now have the path; do the business */
5cb8cbc6
PH		 205
206memset(&statbuf, 0, sizeof(statbuf));
207
208if (STATVFS(CS path, &statbuf) != 0)
ddf1b11a
JH		 209 if (stat(CS path, &dummy) == -1 && errno == ENOENT)
210 { /* Can happen on first run after installation */
211 *inodeptr = -1;
212 return -1;
213 }
214 else
215 {
216 log_write(0, LOG_MAIN|LOG_PANIC, "cannot accept message: failed to stat "
217 "%s directory %s: %s", name, path, strerror(errno));
218 smtp_closedown(US"spool or log directory problem");
9bfb7e1b 219 exim_exit(EXIT_FAILURE, NULL);
ddf1b11a 220 }
8e669ac1 221
5cb8cbc6
PH		 222*inodeptr = (statbuf.F_FILES > 0)? statbuf.F_FAVAIL : -1;
223
224/* Disks are getting huge. Take care with computing the size in kilobytes. */
8e669ac1 225
a45431fa 226return (int_eximarith_t)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0);
5cb8cbc6 227
ddf1b11a 228#else
5cb8cbc6
PH		 229/* Unable to find partition sizes in this environment. */
230
5cb8cbc6
PH		 231*inodeptr = -1;
232return -1;
233#endif
234}
235
059ec3d9 236
059ec3d9 237
5cb8cbc6
PH		 238
239/*************************************************
240* Check space on spool and log partitions *
241*************************************************/
242
243/* This function is called before accepting a message; if any thresholds are
244set, it checks them. If a message_size is supplied, it checks that there is
245enough space for that size plus the threshold - i.e. that the message won't
246reduce the space to the threshold. Not all OS have statvfs(); for those that
247don't, this function always returns TRUE. For some OS the old function and
248struct name statfs is used; that is handled by a macro, defined in exim.h.
249
250Arguments:
251 msg_size the (estimated) size of an incoming message
252
253Returns: FALSE if there isn't enough space, or if the information cannot
254 be obtained
255 TRUE if no check was done or there is enough space
256*/
257
258BOOL
259receive_check_fs(int msg_size)
260{
a45431fa
JH		 261int_eximarith_t space;
262int inodes;
5cb8cbc6
PH		 263
264if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0)
265 {
8e669ac1
PH		 266 space = receive_statvfs(TRUE, &inodes);
267
059ec3d9 268 DEBUG(D_receive)
7434882d 269 debug_printf("spool directory space = " PR_EXIM_ARITH "K inodes = %d "
a45431fa 270 "check_space = " PR_EXIM_ARITH "K inodes = %d msg_size = %d\n",
5cb8cbc6 271 space, inodes, check_spool_space, check_spool_inodes, msg_size);
8e669ac1
PH		 272
273 if ((space >= 0 && space < check_spool_space) ||
5cb8cbc6 274 (inodes >= 0 && inodes < check_spool_inodes))
8e669ac1 275 {
8c513105
JH		 276 log_write(0, LOG_MAIN, "spool directory space check failed: space="
277 PR_EXIM_ARITH " inodes=%d", space, inodes);
059ec3d9
PH		 278 return FALSE;
279 }
280 }
281
5cb8cbc6
PH		 282if (check_log_space > 0 || check_log_inodes > 0)
283 {
8e669ac1
PH		 284 space = receive_statvfs(FALSE, &inodes);
285
5cb8cbc6 286 DEBUG(D_receive)
7434882d 287 debug_printf("log directory space = " PR_EXIM_ARITH "K inodes = %d "
a45431fa 288 "check_space = " PR_EXIM_ARITH "K inodes = %d\n",
5cb8cbc6 289 space, inodes, check_log_space, check_log_inodes);
8e669ac1 290
7434882d
JH		 291 if ( space >= 0 && space < check_log_space
292 || inodes >= 0 && inodes < check_log_inodes)
8e669ac1 293 {
7434882d
JH		 294 log_write(0, LOG_MAIN, "log directory space check failed: space=" PR_EXIM_ARITH
295 " inodes=%d", space, inodes);
5cb8cbc6
PH		 296 return FALSE;
297 }
8e669ac1
PH		 298 }
299
059ec3d9
PH		 300return TRUE;
301}
302
303
304
305/*************************************************
306* Bomb out while reading a message *
307*************************************************/
308
309/* The common case of wanting to bomb out is if a SIGTERM or SIGINT is
310received, or if there is a timeout. A rarer case might be if the log files are
311screwed up and Exim can't open them to record a message's arrival. Handling
312that case is done by setting a flag to cause the log functions to call this
313function if there is an ultimate disaster. That is why it is globally
314accessible.
315
8f128379
PH		 316Arguments:
317 reason text reason to pass to the not-quit ACL
318 msg default SMTP response to give if in an SMTP session
059ec3d9
PH		 319Returns: it doesn't
320*/
321
322void
8f128379 323receive_bomb_out(uschar *reason, uschar *msg)
059ec3d9 324{
ead37e6c
PP		 325 static BOOL already_bombing_out;
326/* The smtp_notquit_exit() below can call ACLs which can trigger recursive
327timeouts, if someone has something slow in their quit ACL. Since the only
328things we should be doing are to close down cleanly ASAP, on the second
329pass we also close down stuff that might be opened again, before bypassing
330the ACL call and exiting. */
331
059ec3d9
PH		 332/* If spool_name is set, it contains the name of the data file that is being
333written. Unlink it before closing so that it cannot be picked up by a delivery
334process. Ensure that any header file is also removed. */
335
ead37e6c 336if (spool_name[0] != '\0')
059ec3d9
PH		 337 {
338 Uunlink(spool_name);
339 spool_name[Ustrlen(spool_name) - 1] = 'H';
340 Uunlink(spool_name);
ead37e6c 341 spool_name[0] = '\0';
059ec3d9
PH		 342 }
343
344/* Now close the file if it is open, either as a fd or a stream. */
345
1bd642c2 346if (spool_data_file)
ead37e6c 347 {
1bd642c2
JH		 348 (void)fclose(spool_data_file);
349 spool_data_file = NULL;
9723f966
JH		 350 }
351else if (data_fd >= 0)
352 {
ead37e6c
PP		 353 (void)close(data_fd);
354 data_fd = -1;
355 }
059ec3d9 356
8f128379
PH		 357/* Attempt to close down an SMTP connection tidily. For non-batched SMTP, call
358smtp_notquit_exit(), which runs the NOTQUIT ACL, if present, and handles the
359SMTP response. */
059ec3d9 360
ead37e6c 361if (!already_bombing_out)
059ec3d9 362 {
ead37e6c
PP		 363 already_bombing_out = TRUE;
364 if (smtp_input)
365 {
366 if (smtp_batched_input)
367 moan_smtp_batch(NULL, "421 %s - message abandoned", msg); /* No return */
368 smtp_notquit_exit(reason, US"421", US"%s %s - closing connection.",
369 smtp_active_hostname, msg);
370 }
059ec3d9
PH		 371 }
372
373/* Exit from the program (non-BSMTP cases) */
374
9bfb7e1b 375exim_exit(EXIT_FAILURE, NULL);
059ec3d9
PH		 376}
377
378
379/*************************************************
380* Data read timeout *
381*************************************************/
382
383/* Handler function for timeouts that occur while reading the data that
384comprises a message.
385
386Argument: the signal number
387Returns: nothing
388*/
389
390static void
391data_timeout_handler(int sig)
392{
9723f966 393had_data_timeout = sig;
059ec3d9
PH		 394}
395
396
397
9723f966 398#ifdef HAVE_LOCAL_SCAN
059ec3d9
PH		 399/*************************************************
400* local_scan() timeout *
401*************************************************/
402
403/* Handler function for timeouts that occur while running a local_scan()
9723f966
JH		 404function. Posix recommends against calling longjmp() from a signal-handler,
405but the GCC manual says you can so we will, and trust that it's better than
406calling probably non-signal-safe funxtions during logging from within the
407handler, even with other compilers.
408
409See also https://cwe.mitre.org/data/definitions/745.html which also lists
410it as unsafe.
411
412This is all because we have no control over what might be written for a
413local-scan function, so cannot sprinkle had-signal checks after each
414call-site. At least with the default "do-nothing" function we won't
415ever get here.
059ec3d9
PH		 416
417Argument: the signal number
418Returns: nothing
419*/
420
421static void
422local_scan_timeout_handler(int sig)
423{
9723f966
JH		 424had_local_scan_timeout = sig;
425siglongjmp(local_scan_env, 1);
059ec3d9
PH		 426}
427
428
429
430/*************************************************
431* local_scan() crashed *
432*************************************************/
433
434/* Handler function for signals that occur while running a local_scan()
435function.
436
437Argument: the signal number
438Returns: nothing
439*/
440
441static void
442local_scan_crash_handler(int sig)
443{
9723f966
JH		 444had_local_scan_crash = sig;
445siglongjmp(local_scan_env, 1);
059ec3d9
PH		 446}
447
9723f966
JH		 448#endif /*HAVE_LOCAL_SCAN*/
449
059ec3d9
PH		 450
451/*************************************************
452* SIGTERM or SIGINT received *
453*************************************************/
454
455/* Handler for SIGTERM or SIGINT signals that occur while reading the
456data that comprises a message.
457
458Argument: the signal number
459Returns: nothing
460*/
461
462static void
463data_sigterm_sigint_handler(int sig)
464{
9723f966 465had_data_sigint = sig;
059ec3d9
PH		 466}
467
468
469
470/*************************************************
471* Add new recipient to list *
472*************************************************/
473
474/* This function builds a list of recipient addresses in argc/argv
475format.
476
477Arguments:
478 recipient the next address to add to recipients_list
479 pno parent number for fixed aliases; -1 otherwise
480
481Returns: nothing
482*/
483
484void
485receive_add_recipient(uschar *recipient, int pno)
486{
487if (recipients_count >= recipients_list_max)
488 {
489 recipient_item *oldlist = recipients_list;
490 int oldmax = recipients_list_max;
ea97267c 491 recipients_list_max = recipients_list_max ? 2*recipients_list_max : 50;
059ec3d9
PH		 492 recipients_list = store_get(recipients_list_max * sizeof(recipient_item));
493 if (oldlist != NULL)
494 memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item));
495 }
496
497recipients_list[recipients_count].address = recipient;
498recipients_list[recipients_count].pno = pno;
8523533c
TK		 499#ifdef EXPERIMENTAL_BRIGHTMAIL
500recipients_list[recipients_count].bmi_optin = bmi_current_optin;
501/* reset optin string pointer for next recipient */
502bmi_current_optin = NULL;
503#endif
6c1c3d1d
WB		 504recipients_list[recipients_count].orcpt = NULL;
505recipients_list[recipients_count].dsn_flags = 0;
059ec3d9
PH		 506recipients_list[recipients_count++].errors_to = NULL;
507}
508
509
510
511
fd98a5c6
JH		 512/*************************************************
513* Send user response message *
514*************************************************/
61147df4 515
fd98a5c6
JH		 516/* This function is passed a default response code and a user message. It calls
517smtp_message_code() to check and possibly modify the response code, and then
518calls smtp_respond() to transmit the response. I put this into a function
519just to avoid a lot of repetition.
61147df4
PP		 520
521Arguments:
fd98a5c6
JH		 522 code the response code
523 user_msg the user message
524
525Returns: nothing
61147df4
PP		 526*/
527
8ccd00b1 528#ifndef DISABLE_PRDR
61147df4 529static void
fd98a5c6 530smtp_user_msg(uschar *code, uschar *user_msg)
61147df4 531{
fd98a5c6 532int len = 3;
4f6ae5c3 533smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
fd98a5c6 534smtp_respond(code, len, TRUE, user_msg);
61147df4
PP		 535}
536#endif
537
538
539
540
fd98a5c6 541
059ec3d9
PH		 542/*************************************************
543* Remove a recipient from the list *
544*************************************************/
545
546/* This function is provided for local_scan() to use.
547
548Argument:
549 recipient address to remove
550
551Returns: TRUE if it did remove something; FALSE otherwise
552*/
553
554BOOL
555receive_remove_recipient(uschar *recipient)
556{
059ec3d9
PH		 557DEBUG(D_receive) debug_printf("receive_remove_recipient(\"%s\") called\n",
558 recipient);
d7978c0f 559for (int count = 0; count < recipients_count; count++)
059ec3d9
PH		 560 if (Ustrcmp(recipients_list[count].address, recipient) == 0)
561 {
562 if ((--recipients_count - count) > 0)
563 memmove(recipients_list + count, recipients_list + count + 1,
54cdb463 564 (recipients_count - count)*sizeof(recipient_item));
059ec3d9
PH		 565 return TRUE;
566 }
059ec3d9
PH		 567return FALSE;
568}
569
570
571
572
573
3c55eef2
JH		 574/* Pause for a while waiting for input. If none received in that time,
575close the logfile, if we had one open; then if we wait for a long-running
576datasource (months, in one use-case) log rotation will not leave us holding
577the file copy. */
578
579static void
580log_close_chk(void)
581{
582if (!receive_timeout)
583 {
584 struct timeval t;
585 timesince(&t, &received_time);
586 if (t.tv_sec > 30*60)
587 mainlog_close();
588 else
589 {
590 fd_set r;
591 FD_ZERO(&r); FD_SET(0, &r);
592 t.tv_sec = 30*60 - t.tv_sec; t.tv_usec = 0;
593 if (select(1, &r, NULL, NULL, &t) == 0) mainlog_close();
594 }
595 }
596}
597
059ec3d9
PH		 598/*************************************************
599* Read data portion of a non-SMTP message *
600*************************************************/
601
602/* This function is called to read the remainder of a message (following the
603header) when the input is not from SMTP - we are receiving a local message on
604a standard input stream. The message is always terminated by EOF, and is also
605terminated by a dot on a line by itself if the flag dot_ends is TRUE. Split the
606two cases for maximum efficiency.
607
608Ensure that the body ends with a newline. This will naturally be the case when
609the termination is "\n.\n" but may not be otherwise. The RFC defines messages
610as "sequences of lines" - this of course strictly applies only to SMTP, but
611deliveries into BSD-type mailbox files also require it. Exim used to have a
612flag for doing this at delivery time, but as it was always set for all
613transports, I decided to simplify things by putting the check here instead.
614
615There is at least one MUA (dtmail) that sends CRLF via this interface, and
616other programs are known to do this as well. Exim used to have a option for
617dealing with this: in July 2003, after much discussion, the code has been
618changed to default to treat any of LF, CRLF, and bare CR as line terminators.
619
620However, for the case when a dot on a line by itself terminates a message, the
621only recognized terminating sequences before and after the dot are LF and CRLF.
622Otherwise, having read EOL . CR, you don't know whether to read another
623character or not.
624
625Internally, in messages stored in Exim's spool files, LF is used as the line
626terminator. Under the new regime, bare CRs will no longer appear in these
627files.
628
629Arguments:
630 fout a FILE to which to write the message
631
632Returns: One of the END_xxx values indicating why it stopped reading
633*/
634
635static int
636read_message_data(FILE *fout)
637{
638int ch_state;
639register int ch;
d677b2f2 640register int linelength = 0;
059ec3d9
PH		 641
642/* Handle the case when only EOF terminates the message */
643
8768d548 644if (!f.dot_ends)
059ec3d9 645 {
3c55eef2 646 int last_ch = '\n';
059ec3d9 647
3c55eef2
JH		 648 for ( ;
649 log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF;
650 last_ch = ch)
059ec3d9
PH		 651 {
652 if (ch == 0) body_zerocount++;
653 if (last_ch == '\r' && ch != '\n')
654 {
d677b2f2
PH		 655 if (linelength > max_received_linelength)
656 max_received_linelength = linelength;
657 linelength = 0;
059ec3d9
PH		 658 if (fputc('\n', fout) == EOF) return END_WERROR;
659 message_size++;
660 body_linecount++;
661 }
662 if (ch == '\r') continue;
663
664 if (fputc(ch, fout) == EOF) return END_WERROR;
d677b2f2
PH		 665 if (ch == '\n')
666 {
667 if (linelength > max_received_linelength)
668 max_received_linelength = linelength;
669 linelength = 0;
670 body_linecount++;
671 }
672 else linelength++;
059ec3d9
PH		 673 if (++message_size > thismessage_size_limit) return END_SIZE;
674 }
675
676 if (last_ch != '\n')
677 {
d677b2f2
PH		 678 if (linelength > max_received_linelength)
679 max_received_linelength = linelength;
059ec3d9
PH		 680 if (fputc('\n', fout) == EOF) return END_WERROR;
681 message_size++;
682 body_linecount++;
683 }
684
685 return END_EOF;
686 }
687
688/* Handle the case when a dot on a line on its own, or EOF, terminates. */
689
690ch_state = 1;
691
3c55eef2 692while (log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
059ec3d9
PH		 693 {
694 if (ch == 0) body_zerocount++;
695 switch (ch_state)
696 {
697 case 0: /* Normal state (previous char written) */
698 if (ch == '\n')
d677b2f2
PH		 699 {
700 body_linecount++;
701 if (linelength > max_received_linelength)
702 max_received_linelength = linelength;
703 linelength = -1;
704 ch_state = 1;
705 }
059ec3d9
PH		 706 else if (ch == '\r')
707 { ch_state = 2; continue; }
708 break;
709
710 case 1: /* After written "\n" */
711 if (ch == '.') { ch_state = 3; continue; }
6eb02f88 712 if (ch == '\r') { ch_state = 2; continue; }
3581f321
JH		 713 if (ch == '\n') { body_linecount++; linelength = -1; }
714 else ch_state = 0;
059ec3d9
PH		 715 break;
716
717 case 2:
718 body_linecount++; /* After unwritten "\r" */
d677b2f2
PH		 719 if (linelength > max_received_linelength)
720 max_received_linelength = linelength;
059ec3d9 721 if (ch == '\n')
d677b2f2
PH		 722 {
723 ch_state = 1;
724 linelength = -1;
725 }
059ec3d9
PH		 726 else
727 {
728 if (message_size++, fputc('\n', fout) == EOF) return END_WERROR;
729 if (ch == '\r') continue;
730 ch_state = 0;
d677b2f2 731 linelength = 0;
059ec3d9
PH		 732 }
733 break;
734
735 case 3: /* After "\n." (\n written, dot not) */
736 if (ch == '\n') return END_DOT;
737 if (ch == '\r') { ch_state = 4; continue; }
738 message_size++;
d677b2f2 739 linelength++;
059ec3d9
PH		 740 if (fputc('.', fout) == EOF) return END_WERROR;
741 ch_state = 0;
742 break;
743
744 case 4: /* After "\n.\r" (\n written, rest not) */
745 if (ch == '\n') return END_DOT;
746 message_size += 2;
747 body_linecount++;
748 if (fputs(".\n", fout) == EOF) return END_WERROR;
749 if (ch == '\r') { ch_state = 2; continue; }
750 ch_state = 0;
751 break;
752 }
753
d677b2f2 754 linelength++;
059ec3d9
PH		 755 if (fputc(ch, fout) == EOF) return END_WERROR;
756 if (++message_size > thismessage_size_limit) return END_SIZE;
757 }
758
759/* Get here if EOF read. Unless we have just written "\n", we need to ensure
760the message ends with a newline, and we must also write any characters that
761were saved up while testing for an ending dot. */
762
763if (ch_state != 1)
764 {
765 static uschar *ends[] = { US"\n", NULL, US"\n", US".\n", US".\n" };
766 if (fputs(CS ends[ch_state], fout) == EOF) return END_WERROR;
767 message_size += Ustrlen(ends[ch_state]);
768 body_linecount++;
769 }
770
771return END_EOF;
772}
773
774
775
776
777/*************************************************
778* Read data portion of an SMTP message *
779*************************************************/
780
781/* This function is called to read the remainder of an SMTP message (after the
782headers), or to skip over it when an error has occurred. In this case, the
783output file is passed as NULL.
784
785If any line begins with a dot, that character is skipped. The input should only
786be successfully terminated by CR LF . CR LF unless it is local (non-network)
787SMTP, in which case the CRs are optional, but...
788
789FUDGE: It seems that sites on the net send out messages with just LF
790terminators, despite the warnings in the RFCs, and other MTAs handle this. So
791we make the CRs optional in all cases.
792
793July 2003: Bare CRs cause trouble. We now treat them as line terminators as
794well, so that there are no CRs in spooled messages. However, the message
795terminating dot is not recognized between two bare CRs.
796
797Arguments:
798 fout a FILE to which to write the message; NULL if skipping
799
800Returns: One of the END_xxx values indicating why it stopped reading
801*/
802
803static int
804read_message_data_smtp(FILE *fout)
805{
806int ch_state = 0;
e4bdf652 807int ch;
7e3ce68e 808int linelength = 0;
059ec3d9 809
bd8fbe36 810while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
059ec3d9
PH		 811 {
812 if (ch == 0) body_zerocount++;
813 switch (ch_state)
814 {
815 case 0: /* After LF or CRLF */
816 if (ch == '.')
817 {
818 ch_state = 3;
819 continue; /* Don't ever write . after LF */
820 }
821 ch_state = 1;
822
823 /* Else fall through to handle as normal uschar. */
824
825 case 1: /* Normal state */
826 if (ch == '\n')
827 {
828 ch_state = 0;
829 body_linecount++;
1f5497b2
PH		 830 if (linelength > max_received_linelength)
831 max_received_linelength = linelength;
832 linelength = -1;
059ec3d9
PH		 833 }
834 else if (ch == '\r')
835 {
836 ch_state = 2;
837 continue;
838 }
839 break;
840
841 case 2: /* After (unwritten) CR */
842 body_linecount++;
1f5497b2
PH		 843 if (linelength > max_received_linelength)
844 max_received_linelength = linelength;
845 linelength = -1;
059ec3d9
PH		 846 if (ch == '\n')
847 {
848 ch_state = 0;
849 }
850 else
851 {
852 message_size++;
853 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
6851a9c5 854 cutthrough_data_put_nl();
059ec3d9
PH		 855 if (ch != '\r') ch_state = 1; else continue;
856 }
857 break;
858
859 case 3: /* After [CR] LF . */
860 if (ch == '\n')
861 return END_DOT;
862 if (ch == '\r')
863 {
864 ch_state = 4;
865 continue;
866 }
1bc460a6
JH		 867 /* The dot was removed at state 3. For a doubled dot, here, reinstate
868 it to cutthrough. The current ch, dot or not, is passed both to cutthrough
869 and to file below. */
870 if (ch == '.')
871 {
872 uschar c= ch;
6851a9c5 873 cutthrough_data_puts(&c, 1);
1bc460a6
JH		 874 }
875 ch_state = 1;
059ec3d9
PH		 876 break;
877
878 case 4: /* After [CR] LF . CR */
879 if (ch == '\n') return END_DOT;
880 message_size++;
881 body_linecount++;
882 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
6851a9c5 883 cutthrough_data_put_nl();
059ec3d9
PH		 884 if (ch == '\r')
885 {
886 ch_state = 2;
887 continue;
888 }
889 ch_state = 1;
890 break;
891 }
892
893 /* Add the character to the spool file, unless skipping; then loop for the
894 next. */
895
896 message_size++;
1f5497b2 897 linelength++;
7e3ce68e 898 if (fout)
059ec3d9
PH		 899 {
900 if (fputc(ch, fout) == EOF) return END_WERROR;
901 if (message_size > thismessage_size_limit) return END_SIZE;
902 }
e4bdf652 903 if(ch == '\n')
6851a9c5 904 cutthrough_data_put_nl();
e4bdf652
JH		 905 else
906 {
7e3ce68e 907 uschar c = ch;
6851a9c5 908 cutthrough_data_puts(&c, 1);
e4bdf652 909 }
059ec3d9
PH		 910 }
911
912/* Fall through here if EOF encountered. This indicates some kind of error,
913since a correct message is terminated by [CR] LF . [CR] LF. */
914
915return END_EOF;
916}
917
918
919
920
7e3ce68e 921/* Variant of the above read_message_data_smtp() specialised for RFC 3030
1ebe15c3
JH		 922CHUNKING. Accept input lines separated by either CRLF or CR or LF and write
923LF-delimited spoolfile. Until we have wireformat spoolfiles, we need the
924body_linecount accounting for proper re-expansion for the wire, so use
925a cut-down version of the state-machine above; we don't need to do leading-dot
926detection and unstuffing.
7e3ce68e
JH		 927
928Arguments:
544dd905
PP		 929 fout a FILE to which to write the message; NULL if skipping;
930 must be open for both writing and reading.
7e3ce68e
JH		 931
932Returns: One of the END_xxx values indicating why it stopped reading
933*/
934
935static int
936read_message_bdat_smtp(FILE *fout)
937{
cff70eb1
HSHR		 938int linelength = 0, ch;
939enum CH_STATE ch_state = LF_SEEN;
d953610f 940BOOL fix_nl = FALSE;
7e3ce68e 941
1ebe15c3 942for(;;)
7e3ce68e 943 {
7d758a6a 944 switch ((ch = bdat_getc(GETC_BUFFER_UNLIMITED)))
1ebe15c3
JH		 945 {
946 case EOF: return END_EOF;
1ebe15c3 947 case ERR: return END_PROTOCOL;
d953610f
HSHR		 948 case EOD:
949 /* Nothing to get from the sender anymore. We check the last
950 character written to the spool.
951
952 RFC 3030 states, that BDAT chunks are normal text, terminated by CRLF.
953 If we would be strict, we would refuse such broken messages.
954 But we are liberal, so we fix it. It would be easy just to append
955 the "\n" to the spool.
956
957 But there are some more things (line counting, message size calculation and such),
958 that would need to be duplicated here. So we simply do some ungetc
959 trickery.
960 */
59d98039
JH		 961 if (fout)
962 {
963 if (fseek(fout, -1, SEEK_CUR) < 0) return END_PROTOCOL;
964 if (fgetc(fout) == '\n') return END_DOT;
965 }
d953610f
HSHR		 966
967 if (linelength == -1) /* \r already seen (see below) */
968 {
969 DEBUG(D_receive) debug_printf("Add missing LF\n");
970 bdat_ungetc('\n');
971 continue;
972 }
973 DEBUG(D_receive) debug_printf("Add missing CRLF\n");
974 bdat_ungetc('\r'); /* not even \r was seen */
975 fix_nl = TRUE;
976
977 continue;
1ebe15c3
JH		 978 case '\0': body_zerocount++; break;
979 }
980 switch (ch_state)
981 {
cff70eb1
HSHR		 982 case LF_SEEN: /* After LF or CRLF */
983 ch_state = MID_LINE;
1ebe15c3 984 /* fall through to handle as normal uschar. */
7e3ce68e 985
cff70eb1 986 case MID_LINE: /* Mid-line state */
1ebe15c3
JH		 987 if (ch == '\n')
988 {
cff70eb1 989 ch_state = LF_SEEN;
1ebe15c3
JH		 990 body_linecount++;
991 if (linelength > max_received_linelength)
992 max_received_linelength = linelength;
993 linelength = -1;
994 }
995 else if (ch == '\r')
996 {
cff70eb1 997 ch_state = CR_SEEN;
d953610f 998 if (fix_nl) bdat_ungetc('\n');
1ebe15c3
JH		 999 continue; /* don't write CR */
1000 }
1001 break;
7e3ce68e 1002
cff70eb1 1003 case CR_SEEN: /* After (unwritten) CR */
1ebe15c3
JH		 1004 body_linecount++;
1005 if (linelength > max_received_linelength)
1006 max_received_linelength = linelength;
1007 linelength = -1;
1008 if (ch == '\n')
cff70eb1 1009 ch_state = LF_SEEN;
1ebe15c3
JH		 1010 else
1011 {
1012 message_size++;
59d98039 1013 if (fout && fputc('\n', fout) == EOF) return END_WERROR;
6851a9c5 1014 cutthrough_data_put_nl();
1ebe15c3 1015 if (ch == '\r') continue; /* don't write CR */
cff70eb1 1016 ch_state = MID_LINE;
1ebe15c3
JH		 1017 }
1018 break;
1019 }
1020
1021 /* Add the character to the spool file, unless skipping */
1022
1023 message_size++;
1024 linelength++;
1025 if (fout)
1026 {
1027 if (fputc(ch, fout) == EOF) return END_WERROR;
1028 if (message_size > thismessage_size_limit) return END_SIZE;
1029 }
1030 if(ch == '\n')
6851a9c5 1031 cutthrough_data_put_nl();
1ebe15c3
JH		 1032 else
1033 {
1034 uschar c = ch;
6851a9c5 1035 cutthrough_data_puts(&c, 1);
1ebe15c3 1036 }
7e3ce68e
JH		 1037 }
1038/*NOTREACHED*/
1039}
1040
328c5688
JH		 1041static int
1042read_message_bdat_smtp_wire(FILE *fout)
1043{
1044int ch;
1045
1046/* Remember that this message uses wireformat. */
1047
d21bf202
JH		 1048DEBUG(D_receive) debug_printf("CHUNKING: %s\n",
1049 fout ? "writing spoolfile in wire format" : "flushing input");
8768d548 1050f.spool_file_wireformat = TRUE;
328c5688 1051
0d81dabc 1052for (;;)
328c5688 1053 {
0d81dabc
JH		 1054 if (chunking_data_left > 0)
1055 {
1056 unsigned len = MAX(chunking_data_left, thismessage_size_limit - message_size + 1);
1057 uschar * buf = bdat_getbuf(&len);
328c5688 1058
8b77d27a 1059 if (!buf) return END_EOF;
0d81dabc
JH		 1060 message_size += len;
1061 if (fout && fwrite(buf, len, 1, fout) != 1) return END_WERROR;
1062 }
1063 else switch (ch = bdat_getc(GETC_BUFFER_UNLIMITED))
1064 {
1065 case EOF: return END_EOF;
1066 case EOD: return END_DOT;
1067 case ERR: return END_PROTOCOL;
1068
1069 default:
1070 message_size++;
1071 /*XXX not done:
1072 linelength
1073 max_received_linelength
1074 body_linecount
1075 body_zerocount
1076 */
1077 if (fout && fputc(ch, fout) == EOF) return END_WERROR;
1078 break;
1079 }
1080 if (message_size > thismessage_size_limit) return END_SIZE;
328c5688
JH		 1081 }
1082/*NOTREACHED*/
1083}
1084
7e3ce68e
JH		 1085
1086
1087
059ec3d9
PH		 1088/*************************************************
1089* Swallow SMTP message *
1090*************************************************/
1091
1092/* This function is called when there has been some kind of error while reading
1093an SMTP message, and the remaining data may need to be swallowed. It is global
1094because it is called from smtp_closedown() to shut down an incoming call
1095tidily.
1096
1097Argument: a FILE from which to read the message
1098Returns: nothing
1099*/
1100
1101void
1102receive_swallow_smtp(void)
1103{
1104if (message_ended >= END_NOTENDED)
d21bf202
JH		 1105 message_ended = chunking_state <= CHUNKING_OFFERED
1106 ? read_message_data_smtp(NULL)
1107 : read_message_bdat_smtp_wire(NULL);
059ec3d9
PH		 1108}
1109
1110
1111
1112/*************************************************
1113* Handle lost SMTP connection *
1114*************************************************/
1115
1116/* This function logs connection loss incidents and generates an appropriate
1117SMTP response.
1118
1119Argument: additional data for the message
1120Returns: the SMTP response
1121*/
1122
1123static uschar *
1124handle_lost_connection(uschar *s)
1125{
1126log_write(L_lost_incoming_connection | L_smtp_connection, LOG_MAIN,
1127 "%s lost while reading message data%s", smtp_get_connection_info(), s);
eea0defe 1128smtp_notquit_exit(US"connection-lost", NULL, NULL);
059ec3d9
PH		 1129return US"421 Lost incoming connection";
1130}
1131
1132
1133
1134
1135/*************************************************
1136* Handle a non-smtp reception error *
1137*************************************************/
1138
1139/* This function is called for various errors during the reception of non-SMTP
1140messages. It either sends a message to the sender of the problem message, or it
1141writes to the standard error stream.
1142
1143Arguments:
1144 errcode code for moan_to_sender(), identifying the error
1145 text1 first message text, passed to moan_to_sender()
1146 text2 second message text, used only for stderrr
1147 error_rc code to pass to exim_exit if no problem
1148 f FILE containing body of message (may be stdin)
1149 hptr pointer to instore headers or NULL
1150
1151Returns: calls exim_exit(), which does not return
1152*/
1153
1154static void
1155give_local_error(int errcode, uschar *text1, uschar *text2, int error_rc,
1156 FILE *f, header_line *hptr)
1157{
1158if (error_handling == ERRORS_SENDER)
1159 {
1160 error_block eblock;
1161 eblock.next = NULL;
1162 eblock.text1 = text1;
37f3dc43 1163 eblock.text2 = US"";
059ec3d9
PH		 1164 if (!moan_to_sender(errcode, &eblock, hptr, f, FALSE))
1165 error_rc = EXIT_FAILURE;
1166 }
37f3dc43
JH		 1167else
1168 fprintf(stderr, "exim: %s%s\n", text2, text1); /* Sic */
f1e894f3 1169(void)fclose(f);
9bfb7e1b 1170exim_exit(error_rc, US"");
059ec3d9
PH		 1171}
1172
1173
1174
1175/*************************************************
1176* Add header lines set up by ACL *
1177*************************************************/
1178
850635b6
PH		 1179/* This function is called to add the header lines that were set up by
1180statements in an ACL to the list of headers in memory. It is done in two stages
1181like this, because when the ACL for RCPT is running, the other headers have not
1182yet been received. This function is called twice; once just before running the
1183DATA ACL, and once after. This is so that header lines added by MAIL or RCPT
1184are visible to the DATA ACL.
059ec3d9
PH		 1185
1186Originally these header lines were added at the end. Now there is support for
1187three different places: top, bottom, and after the Received: header(s). There
1188will always be at least one Received: header, even if it is marked deleted, and
1189even if something else has been put in front of it.
1190
1191Arguments:
1192 acl_name text to identify which ACL
1193
1194Returns: nothing
1195*/
1196
1197static void
578d43dc 1198add_acl_headers(int where, uschar *acl_name)
059ec3d9 1199{
059ec3d9 1200header_line *last_received = NULL;
e7568d51 1201
578d43dc
JH		 1202switch(where)
1203 {
1204 case ACL_WHERE_DKIM:
1205 case ACL_WHERE_MIME:
af4a1bca 1206 case ACL_WHERE_DATA:
74f1a423 1207 if ( cutthrough.cctx.sock >= 0 && cutthrough.delivery
57cc2785 1208 && (acl_removed_headers || acl_added_headers))
578d43dc
JH		 1209 {
1210 log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs"
af4a1bca 1211 " will not take effect on cutthrough deliveries");
578d43dc
JH		 1212 return;
1213 }
1214 }
1215
57cc2785 1216if (acl_removed_headers)
e7568d51 1217 {
e1d04f48 1218 DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers removed by %s ACL:\n", acl_name);
e7568d51 1219
d7978c0f 1220 for (header_line * h = header_list; h; h = h->next) if (h->type != htype_old)
e7568d51 1221 {
55414b25 1222 const uschar * list = acl_removed_headers;
e7568d51
TL		 1223 int sep = ':'; /* This is specified as a colon-separated list */
1224 uschar *s;
1225 uschar buffer[128];
4a142059
JH		 1226
1227 while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
1228 if (header_testname(h, s, Ustrlen(s), FALSE))
e7568d51
TL		 1229 {
1230 h->type = htype_old;
e1d04f48 1231 DEBUG(D_receive|D_acl) debug_printf_indent(" %s", h->text);
e7568d51 1232 }
e7568d51
TL		 1233 }
1234 acl_removed_headers = NULL;
e1d04f48 1235 DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
e7568d51 1236 }
059ec3d9 1237
57cc2785 1238if (!acl_added_headers) return;
e1d04f48 1239DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers added by %s ACL:\n", acl_name);
059ec3d9 1240
d7978c0f 1241for (header_line * h = acl_added_headers, * next; h; h = next)
059ec3d9
PH		 1242 {
1243 next = h->next;
1244
1245 switch(h->type)
1246 {
1247 case htype_add_top:
c674e7a4
JH		 1248 h->next = header_list;
1249 header_list = h;
1250 DEBUG(D_receive|D_acl) debug_printf_indent(" (at top)");
1251 break;
059ec3d9
PH		 1252
1253 case htype_add_rec:
c674e7a4
JH		 1254 if (!last_received)
1255 {
1256 last_received = header_list;
1257 while (!header_testname(last_received, US"Received", 8, FALSE))
1258 last_received = last_received->next;
1259 while (last_received->next &&
1260 header_testname(last_received->next, US"Received", 8, FALSE))
1261 last_received = last_received->next;
1262 }
1263 h->next = last_received->next;
1264 last_received->next = h;
1265 DEBUG(D_receive|D_acl) debug_printf_indent(" (after Received:)");
1266 break;
059ec3d9 1267
8523533c 1268 case htype_add_rfc:
c674e7a4
JH		 1269 /* add header before any header which is NOT Received: or Resent- */
1270 last_received = header_list;
1271 while ( last_received->next &&
1272 ( (header_testname(last_received->next, US"Received", 8, FALSE)) ||
1273 (header_testname_incomplete(last_received->next, US"Resent-", 7, FALSE)) ) )
1274 last_received = last_received->next;
1275 /* last_received now points to the last Received: or Resent-* header
1276 in an uninterrupted chain of those header types (seen from the beginning
1277 of all headers. Our current header must follow it. */
1278 h->next = last_received->next;
1279 last_received->next = h;
1280 DEBUG(D_receive|D_acl) debug_printf_indent(" (before any non-Received: or Resent-*: header)");
1281 break;
8523533c 1282
059ec3d9 1283 default:
c674e7a4
JH		 1284 h->next = NULL;
1285 header_last->next = h;
1286 DEBUG(D_receive|D_acl) debug_printf_indent(" ");
1287 break;
059ec3d9
PH		 1288 }
1289
c674e7a4 1290 if (!h->next) header_last = h;
059ec3d9
PH		 1291
1292 /* Check for one of the known header types (From:, To:, etc.) though in
1293 practice most added headers are going to be "other". Lower case
1294 identification letters are never stored with the header; they are used
1295 for existence tests when messages are received. So discard any lower case
1296 flag values. */
1297
1298 h->type = header_checkname(h, FALSE);
1299 if (h->type >= 'a') h->type = htype_other;
1300
c674e7a4 1301 DEBUG(D_receive|D_acl) debug_printf("%s", h->text);
059ec3d9
PH		 1302 }
1303
71fafd95 1304acl_added_headers = NULL;
e1d04f48 1305DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
059ec3d9
PH		 1306}
1307
1308
1309
1310/*************************************************
1311* Add host information for log line *
1312*************************************************/
1313
1314/* Called for acceptance and rejecting log lines. This adds information about
1315the calling host to a string that is being built dynamically.
1316
1317Arguments:
1318 s the dynamic string
059ec3d9
PH		 1319
1320Returns: the extended string
1321*/
1322
acec9514
JH		 1323static gstring *
1324add_host_info_for_log(gstring * g)
059ec3d9 1325{
fc16abb4 1326if (sender_fullhost)
059ec3d9 1327 {
fc16abb4 1328 if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */
acec9514
JH		 1329 g = string_catn(g, US" DS", 3);
1330 g = string_append(g, 2, US" H=", sender_fullhost);
52f12a7c
JH		 1331 if (LOGGING(incoming_interface) && interface_address)
1332 g = string_fmt_append(g, " I=[%s]:%d", interface_address, interface_port);
059ec3d9 1333 }
8768d548 1334if (f.tcp_in_fastopen && !f.tcp_in_fastopen_logged)
a2673768 1335 {
ee8b8090 1336 g = string_catn(g, US" TFO*", f.tcp_in_fastopen_data ? 5 : 4);
8768d548 1337 f.tcp_in_fastopen_logged = TRUE;
a2673768
JH		 1338 }
1339if (sender_ident)
acec9514 1340 g = string_append(g, 2, US" U=", sender_ident);
a2673768 1341if (received_protocol)
acec9514 1342 g = string_append(g, 2, US" P=", received_protocol);
8768d548 1343if (LOGGING(pipelining) && f.smtp_in_pipelining_advertised)
ee8b8090
JH		 1344 {
1345 g = string_catn(g, US" L", 2);
4e48d56c 1346#ifdef SUPPORT_PIPE_CONNECT
ee8b8090
JH		 1347 if (f.smtp_in_early_pipe_used)
1348 g = string_catn(g, US"*", 1);
1349 else if (f.smtp_in_early_pipe_advertised)
1350 g = string_catn(g, US".", 1);
1351#endif
1352 if (!f.smtp_in_pipelining_used)
1353 g = string_catn(g, US"-", 1);
1354 }
acec9514 1355return g;
059ec3d9
PH		 1356}
1357
1358
1359
63955bf2 1360#ifdef WITH_CONTENT_SCAN
059ec3d9 1361
54cdb463
PH		 1362/*************************************************
1363* Run the MIME ACL on a message *
1364*************************************************/
1365
1366/* This code is in a subroutine so that it can be used for both SMTP
1367and non-SMTP messages. It is called with a non-NULL ACL pointer.
1368
1369Arguments:
1370 acl The ACL to run (acl_smtp_mime or acl_not_smtp_mime)
1371 smtp_yield_ptr Set FALSE to kill messages after dropped connection
1372 smtp_reply_ptr Where SMTP reply is being built
1373 blackholed_by_ptr Where "blackholed by" message is being built
1374
1375Returns: TRUE to carry on; FALSE to abandon the message
1376*/
1377
1378static BOOL
1379run_mime_acl(uschar *acl, BOOL *smtp_yield_ptr, uschar **smtp_reply_ptr,
1380 uschar **blackholed_by_ptr)
1381{
1382FILE *mbox_file;
5b6f7658 1383uschar * rfc822_file_path = NULL;
54cdb463 1384unsigned long mbox_size;
54cdb463
PH		 1385uschar *user_msg, *log_msg;
1386int mime_part_count_buffer = -1;
040721f2 1387uschar * mbox_filename;
7156b1ef 1388int rc = OK;
54cdb463 1389
54cdb463 1390/* check if it is a MIME message */
040721f2 1391
d7978c0f
JH		 1392for (header_line * my_headerlist = header_list; my_headerlist;
1393 my_headerlist = my_headerlist->next)
040721f2
JH		 1394 if ( my_headerlist->type != '*' /* skip deleted headers */
1395 && strncmpic(my_headerlist->text, US"Content-Type:", 13) == 0
1396 )
4e88a19f 1397 {
54cdb463
PH		 1398 DEBUG(D_receive) debug_printf("Found Content-Type: header - executing acl_smtp_mime.\n");
1399 goto DO_MIME_ACL;
4e88a19f 1400 }
54cdb463
PH		 1401
1402DEBUG(D_receive) debug_printf("No Content-Type: header - presumably not a MIME message.\n");
1403return TRUE;
1404
1405DO_MIME_ACL:
040721f2 1406
54cdb463 1407/* make sure the eml mbox file is spooled up */
040721f2
JH		 1408if (!(mbox_file = spool_mbox(&mbox_size, NULL, &mbox_filename)))
1409 { /* error while spooling */
54cdb463
PH		 1410 log_write(0, LOG_MAIN|LOG_PANIC,
1411 "acl_smtp_mime: error while creating mbox spool file, message temporarily rejected.");
1412 Uunlink(spool_name);
1413 unspool_mbox();
6f0c431a
PP		 1414#ifdef EXPERIMENTAL_DCC
1415 dcc_ok = 0;
1416#endif
a5bd321b 1417 smtp_respond(US"451", 3, TRUE, US"temporary local problem");
54cdb463
PH		 1418 message_id[0] = 0; /* Indicate no message accepted */
1419 *smtp_reply_ptr = US""; /* Indicate reply already sent */
1420 return FALSE; /* Indicate skip to end of receive function */
040721f2 1421 }
54cdb463
PH		 1422
1423mime_is_rfc822 = 0;
1424
1425MIME_ACL_CHECK:
1426mime_part_count = -1;
1427rc = mime_acl_check(acl, mbox_file, NULL, &user_msg, &log_msg);
f1e894f3 1428(void)fclose(mbox_file);
54cdb463 1429
5b6f7658 1430if (rfc822_file_path)
4e88a19f 1431 {
54cdb463
PH		 1432 mime_part_count = mime_part_count_buffer;
1433
4e88a19f
PH		 1434 if (unlink(CS rfc822_file_path) == -1)
1435 {
54cdb463
PH		 1436 log_write(0, LOG_PANIC,
1437 "acl_smtp_mime: can't unlink RFC822 spool file, skipping.");
5b6f7658 1438 goto END_MIME_ACL;
4e88a19f 1439 }
5b6f7658 1440 rfc822_file_path = NULL;
4e88a19f 1441 }
54cdb463
PH		 1442
1443/* check if we must check any message/rfc822 attachments */
4e88a19f
PH		 1444if (rc == OK)
1445 {
5b6f7658
JH		 1446 uschar * scandir = string_copyn(mbox_filename,
1447 Ustrrchr(mbox_filename, '/') - mbox_filename);
e8bc7fca
JH		 1448 struct dirent * entry;
1449 DIR * tempdir;
54cdb463 1450
5b6f7658 1451 for (tempdir = opendir(CS scandir); entry = readdir(tempdir); )
e8bc7fca 1452 if (strncmpic(US entry->d_name, US"__rfc822_", 9) == 0)
4e88a19f 1453 {
5b6f7658
JH		 1454 rfc822_file_path = string_sprintf("%s/%s", scandir, entry->d_name);
1455 DEBUG(D_receive)
1456 debug_printf("RFC822 attachment detected: running MIME ACL for '%s'\n",
1457 rfc822_file_path);
4e88a19f
PH		 1458 break;
1459 }
4e88a19f 1460 closedir(tempdir);
54cdb463 1461
5b6f7658 1462 if (rfc822_file_path)
4e88a19f 1463 {
e8bc7fca 1464 if ((mbox_file = Ufopen(rfc822_file_path, "rb")))
4e88a19f 1465 {
e8bc7fca
JH		 1466 /* set RFC822 expansion variable */
1467 mime_is_rfc822 = 1;
1468 mime_part_count_buffer = mime_part_count;
1469 goto MIME_ACL_CHECK;
4e88a19f 1470 }
e8bc7fca
JH		 1471 log_write(0, LOG_PANIC,
1472 "acl_smtp_mime: can't open RFC822 spool file, skipping.");
1473 unlink(CS rfc822_file_path);
4e88a19f
PH		 1474 }
1475 }
54cdb463
PH		 1476
1477END_MIME_ACL:
578d43dc 1478add_acl_headers(ACL_WHERE_MIME, US"MIME");
54cdb463
PH		 1479if (rc == DISCARD)
1480 {
1481 recipients_count = 0;
1482 *blackholed_by_ptr = US"MIME ACL";
1bd642c2 1483 cancel_cutthrough_connection(TRUE, US"mime acl discard");
54cdb463
PH		 1484 }
1485else if (rc != OK)
1486 {
1487 Uunlink(spool_name);
1bd642c2 1488 cancel_cutthrough_connection(TRUE, US"mime acl not ok");
54cdb463 1489 unspool_mbox();
6f0c431a
PP		 1490#ifdef EXPERIMENTAL_DCC
1491 dcc_ok = 0;
1492#endif
5b6f7658 1493 if (smtp_input)
4f6ae5c3 1494 {
5b6f7658
JH		 1495 if (smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0)
1496 *smtp_yield_ptr = FALSE; /* No more messages after dropped connection */
f4c1088b 1497 *smtp_reply_ptr = US""; /* Indicate reply already sent */
4f6ae5c3 1498 }
54cdb463
PH		 1499 message_id[0] = 0; /* Indicate no message accepted */
1500 return FALSE; /* Cause skip to end of receive function */
4e88a19f 1501 }
54cdb463
PH		 1502
1503return TRUE;
1504}
1505
63955bf2 1506#endif /* WITH_CONTENT_SCAN */
54cdb463
PH		 1507
1508
e4bdf652
JH		 1509
1510void
1511received_header_gen(void)
1512{
1513uschar *received;
1514uschar *timestamp;
1515header_line *received_header= header_list;
1516
1517timestamp = expand_string(US"${tod_full}");
1518if (recipients_count == 1) received_for = recipients_list[0].address;
1519received = expand_string(received_header_text);
1520received_for = NULL;
1521
d4ff61d1 1522if (!received)
e4bdf652
JH		 1523 {
1524 if(spool_name[0] != 0)
1525 Uunlink(spool_name); /* Lose the data file */
1526 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
1527 "(received_header_text) failed: %s", string_printing(received_header_text),
1528 expand_string_message);
1529 }
1530
1531/* The first element on the header chain is reserved for the Received header,
1532so all we have to do is fill in the text pointer, and set the type. However, if
1533the result of the expansion is an empty string, we leave the header marked as
1534"old" so as to refrain from adding a Received header. */
1535
1536if (received[0] == 0)
1537 {
1538 received_header->text = string_sprintf("Received: ; %s\n", timestamp);
1539 received_header->type = htype_old;
1540 }
1541else
1542 {
1543 received_header->text = string_sprintf("%s; %s\n", received, timestamp);
1544 received_header->type = htype_received;
1545 }
1546
1547received_header->slen = Ustrlen(received_header->text);
1548
1549DEBUG(D_receive) debug_printf(">>Generated Received: header line\n%c %s",
1550 received_header->type, received_header->text);
1551}
1552
1553
1554
059ec3d9
PH		 1555/*************************************************
1556* Receive message *
1557*************************************************/
1558
1559/* Receive a message on the given input, and put it into a pair of spool files.
1560Either a non-null list of recipients, or the extract flag will be true, or
1561both. The flag sender_local is true for locally generated messages. The flag
1562submission_mode is true if an ACL has obeyed "control = submission". The flag
8800895a 1563suppress_local_fixups is true if an ACL has obeyed "control =
f4ee74ac
PP		 1564suppress_local_fixups" or -G was passed on the command-line.
1565The flag smtp_input is true if the message is to be
8800895a
PH		 1566handled using SMTP conventions about termination and lines starting with dots.
1567For non-SMTP messages, dot_ends is true for dot-terminated messages.
059ec3d9
PH		 1568
1569If a message was successfully read, message_id[0] will be non-zero.
1570
1571The general actions of this function are:
1572
1573 . Read the headers of the message (if any) into a chain of store
1574 blocks.
1575
1576 . If there is a "sender:" header and the message is locally originated,
69358f02
PH		 1577 throw it away, unless the caller is trusted, or unless
1578 active_local_sender_retain is set - which can only happen if
1579 active_local_from_check is false.
059ec3d9
PH		 1580
1581 . If recipients are to be extracted from the message, build the
1582 recipients list from the headers, removing any that were on the
1583 original recipients list (unless extract_addresses_remove_arguments is
1584 false), and at the same time, remove any bcc header that may be present.
1585
1586 . Get the spool file for the data, sort out its unique name, open
1587 and lock it (but don't give it the name yet).
1588
1589 . Generate a "Message-Id" header if the message doesn't have one, for
1590 locally-originated messages.
1591
1592 . Generate a "Received" header.
1593
1594 . Ensure the recipients list is fully qualified and rewritten if necessary.
1595
1596 . If there are any rewriting rules, apply them to the sender address
1597 and also to the headers.
1598
1599 . If there is no from: header, generate one, for locally-generated messages
1600 and messages in "submission mode" only.
1601
1602 . If the sender is local, check that from: is correct, and if not, generate
1603 a Sender: header, unless message comes from a trusted caller, or this
69358f02 1604 feature is disabled by active_local_from_check being false.
059ec3d9
PH		 1605
1606 . If there is no "date" header, generate one, for locally-originated
1607 or submission mode messages only.
1608
1609 . Copy the rest of the input, or up to a terminating "." if in SMTP or
1610 dot_ends mode, to the data file. Leave it open, to hold the lock.
1611
1612 . Write the envelope and the headers to a new file.
1613
1614 . Set the name for the header file; close it.
1615
1616 . Set the name for the data file; close it.
1617
1618Because this function can potentially be called many times in a single
1619SMTP connection, all store should be got by store_get(), so that it will be
1620automatically retrieved after the message is accepted.
1621
1622FUDGE: It seems that sites on the net send out messages with just LF
1623terminators, despite the warnings in the RFCs, and other MTAs handle this. So
1624we make the CRs optional in all cases.
1625
1626July 2003: Bare CRs in messages, especially in header lines, cause trouble. A
1627new regime is now in place in which bare CRs in header lines are turned into LF
1628followed by a space, so as not to terminate the header line.
1629
1630February 2004: A bare LF in a header line in a message whose first line was
1631terminated by CRLF is treated in the same way as a bare CR.
1632
1633Arguments:
1634 extract_recip TRUE if recipients are to be extracted from the message's
1635 headers
1636
1637Returns: TRUE there are more messages to be read (SMTP input)
1638 FALSE there are no more messages to be read (non-SMTP input
1639 or SMTP connection collapsed, or other failure)
1640
1641When reading a message for filter testing, the returned value indicates
1642whether the headers (which is all that is read) were terminated by '.' or
1643not. */
1644
1645BOOL
1646receive_msg(BOOL extract_recip)
1647{
7156b1ef 1648int rc = FAIL;
059ec3d9
PH		 1649int msg_size = 0;
1650int process_info_len = Ustrlen(process_info);
d342446f
JH		 1651int error_rc = error_handling == ERRORS_SENDER
1652 ? errors_sender_rc : EXIT_FAILURE;
059ec3d9 1653int header_size = 256;
acec9514 1654int start, end, domain;
099afc4f 1655int id_resolution = 0;
059ec3d9 1656int had_zero = 0;
d677b2f2 1657int prevlines_length = 0;
059ec3d9 1658
cfbb0d24 1659int ptr = 0;
059ec3d9
PH		 1660
1661BOOL contains_resent_headers = FALSE;
1662BOOL extracted_ignored = FALSE;
1663BOOL first_line_ended_crlf = TRUE_UNSET;
1664BOOL smtp_yield = TRUE;
1665BOOL yield = FALSE;
1666
1667BOOL resents_exist = FALSE;
1668uschar *resent_prefix = US"";
1669uschar *blackholed_by = NULL;
04f7d5b9 1670uschar *blackhole_log_msg = US"";
c5430c20 1671enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done = NOT_TRIED;
059ec3d9
PH		 1672
1673flock_t lock_data;
1674error_block *bad_addresses = NULL;
1675
1676uschar *frozen_by = NULL;
1677uschar *queued_by = NULL;
1678
acec9514
JH		 1679uschar *errmsg;
1680gstring * g;
059ec3d9
PH		 1681struct stat statbuf;
1682
4e88a19f 1683/* Final message to give to SMTP caller, and messages from ACLs */
059ec3d9
PH		 1684
1685uschar *smtp_reply = NULL;
4e88a19f 1686uschar *user_msg, *log_msg;
059ec3d9
PH		 1687
1688/* Working header pointers */
1689
d7978c0f 1690header_line *next;
059ec3d9 1691
2cbb4081 1692/* Flags for noting the existence of certain headers (only one left) */
059ec3d9
PH		 1693
1694BOOL date_header_exists = FALSE;
1695
1696/* Pointers to receive the addresses of headers whose contents we need. */
1697
1698header_line *from_header = NULL;
1699header_line *subject_header = NULL;
1700header_line *msgid_header = NULL;
1701header_line *received_header;
049782c0 1702BOOL msgid_header_newly_created = FALSE;
059ec3d9 1703
4840604e
TL		 1704#ifdef EXPERIMENTAL_DMARC
1705int dmarc_up = 0;
1706#endif /* EXPERIMENTAL_DMARC */
1707
059ec3d9
PH		 1708/* Variables for use when building the Received: header. */
1709
059ec3d9
PH		 1710uschar *timestamp;
1711int tslen;
1712
9723f966 1713
059ec3d9
PH		 1714/* Release any open files that might have been cached while preparing to
1715accept the message - e.g. by verifying addresses - because reading a message
1716might take a fair bit of real time. */
1717
1718search_tidyup();
1719
e4bdf652
JH		 1720/* Extracting the recipient list from an input file is incompatible with
1721cutthrough delivery with the no-spool option. It shouldn't be possible
817d9f57 1722to set up the combination, but just in case kill any ongoing connection. */
e4bdf652 1723if (extract_recip || !smtp_input)
57cc2785 1724 cancel_cutthrough_connection(TRUE, US"not smtp input");
e4bdf652 1725
059ec3d9
PH		 1726/* Initialize the chain of headers by setting up a place-holder for Received:
1727header. Temporarily mark it as "old", i.e. not to be used. We keep header_last
1728pointing to the end of the chain to make adding headers simple. */
1729
1730received_header = header_list = header_last = store_get(sizeof(header_line));
1731header_list->next = NULL;
1732header_list->type = htype_old;
1733header_list->text = NULL;
1734header_list->slen = 0;
1735
1736/* Control block for the next header to be read. */
1737
1738next = store_get(sizeof(header_line));
1739next->text = store_get(header_size);
1740
1741/* Initialize message id to be null (indicating no message read), and the
1742header names list to be the normal list. Indicate there is no data file open
1743yet, initialize the size and warning count, and deal with no size limit. */
1744
1745message_id[0] = 0;
1bd642c2 1746spool_data_file = NULL;
059ec3d9 1747data_fd = -1;
41313d92 1748spool_name = US"";
059ec3d9
PH		 1749message_size = 0;
1750warning_count = 0;
d677b2f2 1751received_count = 1; /* For the one we will add */
059ec3d9
PH		 1752
1753if (thismessage_size_limit <= 0) thismessage_size_limit = INT_MAX;
1754
2e0c1448 1755/* While reading the message, the following counts are computed. */
059ec3d9 1756
d677b2f2
PH		 1757message_linecount = body_linecount = body_zerocount =
1758 max_received_linelength = 0;
059ec3d9 1759
80a47a2c 1760#ifndef DISABLE_DKIM
e983e85a
JH		 1761/* Call into DKIM to set up the context. In CHUNKING mode
1762we clear the dot-stuffing flag */
8768d548 1763if (smtp_input && !smtp_batched_input && !f.dkim_disable_verify)
e983e85a 1764 dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);
fb2274d4
TK		 1765#endif
1766
4840604e
TL		 1767#ifdef EXPERIMENTAL_DMARC
1768/* initialize libopendmarc */
1769dmarc_up = dmarc_init();
1770#endif
1771
059ec3d9
PH		 1772/* Remember the time of reception. Exim uses time+pid for uniqueness of message
1773ids, and fractions of a second are required. See the comments that precede the
1774message id creation below. */
1775
1776(void)gettimeofday(&message_id_tv, NULL);
1777
1778/* For other uses of the received time we can operate with granularity of one
1779second, and for that we use the global variable received_time. This is for
306c6c77 1780things like ultimate message timeouts. */
059ec3d9 1781
32dfdf8b 1782received_time = message_id_tv;
059ec3d9
PH		 1783
1784/* If SMTP input, set the special handler for timeouts. The alarm() calls
1785happen in the smtp_getc() function when it refills its buffer. */
1786
9723f966
JH		 1787had_data_timeout = 0;
1788if (smtp_input)
1789 os_non_restarting_signal(SIGALRM, data_timeout_handler);
059ec3d9
PH		 1790
1791/* If not SMTP input, timeout happens only if configured, and we just set a
1792single timeout for the whole message. */
1793
1794else if (receive_timeout > 0)
1795 {
1796 os_non_restarting_signal(SIGALRM, data_timeout_handler);
c2a1bba0 1797 ALARM(receive_timeout);
059ec3d9
PH		 1798 }
1799
1800/* SIGTERM and SIGINT are caught always. */
1801
9723f966 1802had_data_sigint = 0;
059ec3d9
PH		 1803signal(SIGTERM, data_sigterm_sigint_handler);
1804signal(SIGINT, data_sigterm_sigint_handler);
1805
1806/* Header lines in messages are not supposed to be very long, though when
1807unfolded, to: and cc: headers can take up a lot of store. We must also cope
1808with the possibility of junk being thrown at us. Start by getting 256 bytes for
1809storing the header, and extend this as necessary using string_cat().
1810
1811To cope with total lunacies, impose an upper limit on the length of the header
1812section of the message, as otherwise the store will fill up. We must also cope
1813with the possibility of binary zeros in the data. Hence we cannot use fgets().
1814Folded header lines are joined into one string, leaving the '\n' characters
1815inside them, so that writing them out reproduces the input.
1816
1817Loop for each character of each header; the next structure for chaining the
1818header is set up already, with ptr the offset of the next character in
1819next->text. */
1820
1821for (;;)
1822 {
bd8fbe36 1823 int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH		 1824
1825 /* If we hit EOF on a SMTP connection, it's an error, since incoming
1826 SMTP must have a correct "." terminator. */
1827
1828 if (ch == EOF && smtp_input /* && !smtp_batched_input */)
1829 {
1830 smtp_reply = handle_lost_connection(US" (header)");
1831 smtp_yield = FALSE;
1832 goto TIDYUP; /* Skip to end of function */
1833 }
1834
1835 /* See if we are at the current header's size limit - there must be at least
1836 four bytes left. This allows for the new character plus a zero, plus two for
1837 extra insertions when we are playing games with dots and carriage returns. If
1838 we are at the limit, extend the text buffer. This could have been done
1839 automatically using string_cat() but because this is a tightish loop storing
1840 only one character at a time, we choose to do it inline. Normally
1841 store_extend() will be able to extend the block; only at the end of a big
1842 store block will a copy be needed. To handle the case of very long headers
1843 (and sometimes lunatic messages can have ones that are 100s of K long) we
1844 call store_release() for strings that have been copied - if the string is at
1845 the start of a block (and therefore the only thing in it, because we aren't
4e6ae623
JH		 1846 doing any other gets), the block gets freed. We can only do this release if
1847 there were no allocations since the once that we want to free. */
059ec3d9
PH		 1848
1849 if (ptr >= header_size - 4)
1850 {
1851 int oldsize = header_size;
56ac062a
JH		 1852
1853 if (header_size >= INT_MAX/2)
1854 goto OVERSIZE;
059ec3d9 1855 header_size *= 2;
56ac062a 1856
059ec3d9 1857 if (!store_extend(next->text, oldsize, header_size))
459fca58 1858 next->text = store_newblock(next->text, header_size, ptr);
059ec3d9
PH		 1859 }
1860
1861 /* Cope with receiving a binary zero. There is dispute about whether
1862 these should be allowed in RFC 822 messages. The middle view is that they
1863 should not be allowed in headers, at least. Exim takes this attitude at
1864 the moment. We can't just stomp on them here, because we don't know that
1865 this line is a header yet. Set a flag to cause scanning later. */
1866
1867 if (ch == 0) had_zero++;
1868
1869 /* Test for termination. Lines in remote SMTP are terminated by CRLF, while
1870 those from data files use just LF. Treat LF in local SMTP input as a
1871 terminator too. Treat EOF as a line terminator always. */
1872
1873 if (ch == EOF) goto EOL;
1874
1875 /* FUDGE: There are sites out there that don't send CRs before their LFs, and
1876 other MTAs accept this. We are therefore forced into this "liberalisation"
1877 too, so we accept LF as a line terminator whatever the source of the message.
1878 However, if the first line of the message ended with a CRLF, we treat a bare
1879 LF specially by inserting a white space after it to ensure that the header
1880 line is not terminated. */
1881
1882 if (ch == '\n')
1883 {
1884 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE;
80a47a2c 1885 else if (first_line_ended_crlf) receive_ungetc(' ');
059ec3d9
PH		 1886 goto EOL;
1887 }
1888
1889 /* This is not the end of the line. If this is SMTP input and this is
1890 the first character in the line and it is a "." character, ignore it.
1891 This implements the dot-doubling rule, though header lines starting with
1892 dots aren't exactly common. They are legal in RFC 822, though. If the
1893 following is CRLF or LF, this is the line that that terminates the
1894 entire message. We set message_ended to indicate this has happened (to
1895 prevent further reading), and break out of the loop, having freed the
1896 empty header, and set next = NULL to indicate no data line. */
1897
8768d548 1898 if (ptr == 0 && ch == '.' && f.dot_ends)
059ec3d9 1899 {
bd8fbe36 1900 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH		 1901 if (ch == '\r')
1902 {
bd8fbe36 1903 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH		 1904 if (ch != '\n')
1905 {
80a47a2c 1906 receive_ungetc(ch);
059ec3d9
PH		 1907 ch = '\r'; /* Revert to CR */
1908 }
1909 }
1910 if (ch == '\n')
1911 {
1912 message_ended = END_DOT;
1913 store_reset(next);
1914 next = NULL;
1915 break; /* End character-reading loop */
1916 }
1917
1918 /* For non-SMTP input, the dot at the start of the line was really a data
1919 character. What is now in ch is the following character. We guaranteed
1920 enough space for this above. */
1921
1922 if (!smtp_input)
1923 {
1924 next->text[ptr++] = '.';
1925 message_size++;
1926 }
1927 }
1928
1929 /* If CR is immediately followed by LF, end the line, ignoring the CR, and
1930 remember this case if this is the first line ending. */
1931
1932 if (ch == '\r')
1933 {
bd8fbe36 1934 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH		 1935 if (ch == '\n')
1936 {
1937 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
1938 goto EOL;
1939 }
1940
1941 /* Otherwise, put back the character after CR, and turn the bare CR
1942 into LF SP. */
1943
80a47a2c 1944 ch = (receive_ungetc)(ch);
059ec3d9
PH		 1945 next->text[ptr++] = '\n';
1946 message_size++;
1947 ch = ' ';
1948 }
1949
1950 /* We have a data character for the header line. */
1951
1952 next->text[ptr++] = ch; /* Add to buffer */
1953 message_size++; /* Total message size so far */
1954
1955 /* Handle failure due to a humungously long header section. The >= allows
1956 for the terminating \n. Add what we have so far onto the headers list so
1957 that it gets reflected in any error message, and back up the just-read
1958 character. */
1959
1960 if (message_size >= header_maxsize)
1961 {
56ac062a 1962OVERSIZE:
059ec3d9
PH		 1963 next->text[ptr] = 0;
1964 next->slen = ptr;
1965 next->type = htype_other;
1966 next->next = NULL;
1967 header_last->next = next;
1968 header_last = next;
1969
1970 log_write(0, LOG_MAIN, "ridiculously long message header received from "
1971 "%s (more than %d characters): message abandoned",
8768d548 1972 f.sender_host_unknown ? sender_ident : sender_fullhost, header_maxsize);
059ec3d9
PH		 1973
1974 if (smtp_input)
1975 {
1976 smtp_reply = US"552 Message header is ridiculously long";
1977 receive_swallow_smtp();
1978 goto TIDYUP; /* Skip to end of function */
1979 }
1980
1981 else
1982 {
1983 give_local_error(ERRMESS_VLONGHEADER,
1984 string_sprintf("message header longer than %d characters received: "
1985 "message not accepted", header_maxsize), US"", error_rc, stdin,
1986 header_list->next);
1987 /* Does not return */
1988 }
1989 }
1990
1991 continue; /* With next input character */
1992
1993 /* End of header line reached */
1994
1995 EOL:
2e0c1448
PH		 1996
1997 /* Keep track of lines for BSMTP errors and overall message_linecount. */
1998
1999 receive_linecount++;
2000 message_linecount++;
059ec3d9 2001
d677b2f2
PH		 2002 /* Keep track of maximum line length */
2003
2004 if (ptr - prevlines_length > max_received_linelength)
2005 max_received_linelength = ptr - prevlines_length;
2006 prevlines_length = ptr + 1;
2007
059ec3d9
PH		 2008 /* Now put in the terminating newline. There is always space for
2009 at least two more characters. */
2010
2011 next->text[ptr++] = '\n';
2012 message_size++;
2013
2014 /* A blank line signals the end of the headers; release the unwanted
2015 space and set next to NULL to indicate this. */
2016
2017 if (ptr == 1)
2018 {
2019 store_reset(next);
2020 next = NULL;
2021 break;
2022 }
2023
2024 /* There is data in the line; see if the next input character is a
2025 whitespace character. If it is, we have a continuation of this header line.
2026 There is always space for at least one character at this point. */
2027
2028 if (ch != EOF)
2029 {
bd8fbe36 2030 int nextch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH		 2031 if (nextch == ' ' || nextch == '\t')
2032 {
2033 next->text[ptr++] = nextch;
56ac062a
JH		 2034 if (++message_size >= header_maxsize)
2035 goto OVERSIZE;
059ec3d9
PH		 2036 continue; /* Iterate the loop */
2037 }
80a47a2c 2038 else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */
059ec3d9
PH		 2039 else ch = EOF; /* Cause main loop to exit at end */
2040 }
2041
2042 /* We have got to the real line end. Terminate the string and release store
2043 beyond it. If it turns out to be a real header, internal binary zeros will
2044 be squashed later. */
2045
2046 next->text[ptr] = 0;
2047 next->slen = ptr;
2048 store_reset(next->text + ptr + 1);
2049
2050 /* Check the running total size against the overall message size limit. We
2051 don't expect to fail here, but if the overall limit is set less than MESSAGE_
2052 MAXSIZE and a big header is sent, we want to catch it. Just stop reading
2053 headers - the code to read the body will then also hit the buffer. */
2054
2055 if (message_size > thismessage_size_limit) break;
2056
2057 /* A line that is not syntactically correct for a header also marks
2058 the end of the headers. In this case, we leave next containing the
2059 first data line. This might actually be several lines because of the
2060 continuation logic applied above, but that doesn't matter.
2061
2062 It turns out that smail, and presumably sendmail, accept leading lines
2063 of the form
2064
2065 From ph10 Fri Jan 5 12:35 GMT 1996
2066
2067 in messages. The "mail" command on Solaris 2 sends such lines. I cannot
2068 find any documentation of this, but for compatibility it had better be
2069 accepted. Exim restricts it to the case of non-smtp messages, and
2070 treats it as an alternative to the -f command line option. Thus it is
2071 ignored except for trusted users or filter testing. Otherwise it is taken
2072 as the sender address, unless -f was used (sendmail compatibility).
2073
2074 It further turns out that some UUCPs generate the From_line in a different
2075 format, e.g.
2076
2077 From ph10 Fri, 7 Jan 97 14:00:00 GMT
2078
2079 The regex for matching these things is now capable of recognizing both
2080 formats (including 2- and 4-digit years in the latter). In fact, the regex
2081 is now configurable, as is the expansion string to fish out the sender.
2082
2083 Even further on it has been discovered that some broken clients send
2084 these lines in SMTP messages. There is now an option to ignore them from
2085 specified hosts or networks. Sigh. */
2086
d21bf202
JH		 2087 if ( header_last == header_list
2088 && ( !smtp_input
2089 || ( sender_host_address
2090 && verify_check_host(&ignore_fromline_hosts) == OK
2091 )
2092 || (!sender_host_address && ignore_fromline_local)
2093 )
2094 && regex_match_and_setup(regex_From, next->text, 0, -1)
2095 )
059ec3d9 2096 {
8768d548 2097 if (!f.sender_address_forced)
059ec3d9
PH		 2098 {
2099 uschar *uucp_sender = expand_string(uucp_from_sender);
d21bf202 2100 if (!uucp_sender)
059ec3d9
PH		 2101 log_write(0, LOG_MAIN|LOG_PANIC,
2102 "expansion of \"%s\" failed after matching "
2103 "\"From \" line: %s", uucp_from_sender, expand_string_message);
059ec3d9
PH		 2104 else
2105 {
2106 int start, end, domain;
2107 uschar *errmess;
2108 uschar *newsender = parse_extract_address(uucp_sender, &errmess,
2109 &start, &end, &domain, TRUE);
d21bf202 2110 if (newsender)
059ec3d9
PH		 2111 {
2112 if (domain == 0 && newsender[0] != 0)
2113 newsender = rewrite_address_qualify(newsender, FALSE);
2114
f05da2e8 2115 if (filter_test != FTEST_NONE || receive_check_set_sender(newsender))
059ec3d9
PH		 2116 {
2117 sender_address = newsender;
2118
8768d548 2119 if (f.trusted_caller || filter_test != FTEST_NONE)
059ec3d9
PH		 2120 {
2121 authenticated_sender = NULL;
2122 originator_name = US"";
8768d548 2123 f.sender_local = FALSE;
059ec3d9
PH		 2124 }
2125
f05da2e8 2126 if (filter_test != FTEST_NONE)
059ec3d9
PH		 2127 printf("Sender taken from \"From \" line\n");
2128 }
2129 }
2130 }
2131 }
2132 }
2133
2134 /* Not a leading "From " line. Check to see if it is a valid header line.
2135 Header names may contain any non-control characters except space and colon,
2136 amazingly. */
2137
2138 else
2139 {
2140 uschar *p = next->text;
2141
2142 /* If not a valid header line, break from the header reading loop, leaving
2143 next != NULL, indicating that it holds the first line of the body. */
2144
2145 if (isspace(*p)) break;
2146 while (mac_isgraph(*p) && *p != ':') p++;
2147 while (isspace(*p)) p++;
2148 if (*p != ':')
2149 {
2150 body_zerocount = had_zero;
2151 break;
2152 }
2153
2154 /* We have a valid header line. If there were any binary zeroes in
2155 the line, stomp on them here. */
2156
2157 if (had_zero > 0)
d7978c0f
JH		 2158 for (uschar * p = next->text; p < next->text + ptr; p++) if (*p == 0)
2159 *p = '?';
059ec3d9
PH		 2160
2161 /* It is perfectly legal to have an empty continuation line
2162 at the end of a header, but it is confusing to humans
2163 looking at such messages, since it looks like a blank line.
2164 Reduce confusion by removing redundant white space at the
2165 end. We know that there is at least one printing character
2166 (the ':' tested for above) so there is no danger of running
2167 off the end. */
2168
2169 p = next->text + ptr - 2;
2170 for (;;)
2171 {
2172 while (*p == ' ' || *p == '\t') p--;
2173 if (*p != '\n') break;
2174 ptr = (p--) - next->text + 1;
2175 message_size -= next->slen - ptr;
2176 next->text[ptr] = 0;
2177 next->slen = ptr;
2178 }
2179
2180 /* Add the header to the chain */
2181
2182 next->type = htype_other;
2183 next->next = NULL;
2184 header_last->next = next;
2185 header_last = next;
2186
2187 /* Check the limit for individual line lengths. This comes after adding to
2188 the chain so that the failing line is reflected if a bounce is generated
2189 (for a local message). */
2190
2191 if (header_line_maxsize > 0 && next->slen > header_line_maxsize)
2192 {
2193 log_write(0, LOG_MAIN, "overlong message header line received from "
2194 "%s (more than %d characters): message abandoned",
8768d548 2195 f.sender_host_unknown ? sender_ident : sender_fullhost,
059ec3d9
PH		 2196 header_line_maxsize);
2197
2198 if (smtp_input)
2199 {
2200 smtp_reply = US"552 A message header line is too long";
2201 receive_swallow_smtp();
2202 goto TIDYUP; /* Skip to end of function */
2203 }
2204
2205 else
059ec3d9
PH		 2206 give_local_error(ERRMESS_VLONGHDRLINE,
2207 string_sprintf("message header line longer than %d characters "
2208 "received: message not accepted", header_line_maxsize), US"",
2209 error_rc, stdin, header_list->next);
2210 /* Does not return */
059ec3d9
PH		 2211 }
2212
2213 /* Note if any resent- fields exist. */
2214
2215 if (!resents_exist && strncmpic(next->text, US"resent-", 7) == 0)
2216 {
2217 resents_exist = TRUE;
2218 resent_prefix = US"Resent-";
2219 }
2220 }
2221
1ebe15c3
JH		 2222 /* Reject CHUNKING messages that do not CRLF their first header line */
2223
2224 if (!first_line_ended_crlf && chunking_state > CHUNKING_OFFERED)
2225 {
2226 log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
2227 "Non-CRLF-terminated header, under CHUNKING: message abandoned",
2228 sender_address,
2229 sender_fullhost ? " H=" : "", sender_fullhost ? sender_fullhost : US"",
2230 sender_ident ? " U=" : "", sender_ident ? sender_ident : US"");
925ac8e4 2231 smtp_printf("552 Message header not CRLF terminated\r\n", FALSE);
1ebe15c3
JH		 2232 bdat_flush_data();
2233 smtp_reply = US"";
2234 goto TIDYUP; /* Skip to end of function */
2235 }
2236
059ec3d9
PH		 2237 /* The line has been handled. If we have hit EOF, break out of the loop,
2238 indicating no pending data line. */
2239
2240 if (ch == EOF) { next = NULL; break; }
2241
2242 /* Set up for the next header */
2243
2244 header_size = 256;
2245 next = store_get(sizeof(header_line));
2246 next->text = store_get(header_size);
2247 ptr = 0;
2248 had_zero = 0;
d677b2f2 2249 prevlines_length = 0;
059ec3d9
PH		 2250 } /* Continue, starting to read the next header */
2251
2252/* At this point, we have read all the headers into a data structure in main
2253store. The first header is still the dummy placeholder for the Received: header
2254we are going to generate a bit later on. If next != NULL, it contains the first
2255data line - which terminated the headers before reaching a blank line (not the
2256normal case). */
2257
2258DEBUG(D_receive)
2259 {
2260 debug_printf(">>Headers received:\n");
d7978c0f 2261 for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH		 2262 debug_printf("%s", h->text);
2263 debug_printf("\n");
2264 }
2265
2266/* End of file on any SMTP connection is an error. If an incoming SMTP call
2267is dropped immediately after valid headers, the next thing we will see is EOF.
2268We must test for this specially, as further down the reading of the data is
2269skipped if already at EOF. */
2270
2271if (smtp_input && (receive_feof)())
2272 {
2273 smtp_reply = handle_lost_connection(US" (after header)");
2274 smtp_yield = FALSE;
2275 goto TIDYUP; /* Skip to end of function */
2276 }
2277
2278/* If this is a filter test run and no headers were read, output a warning
2279in case there is a mistake in the test message. */
2280
f05da2e8 2281if (filter_test != FTEST_NONE && header_list->next == NULL)
059ec3d9
PH		 2282 printf("Warning: no message headers read\n");
2283
2284
2285/* Scan the headers to identify them. Some are merely marked for later
2286processing; some are dealt with here. */
2287
d7978c0f 2288for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH		 2289 {
2290 BOOL is_resent = strncmpic(h->text, US"resent-", 7) == 0;
2291 if (is_resent) contains_resent_headers = TRUE;
2292
2293 switch (header_checkname(h, is_resent))
2294 {
059ec3d9 2295 case htype_bcc:
c674e7a4
JH		 2296 h->type = htype_bcc; /* Both Bcc: and Resent-Bcc: */
2297 break;
059ec3d9 2298
059ec3d9 2299 case htype_cc:
c674e7a4
JH		 2300 h->type = htype_cc; /* Both Cc: and Resent-Cc: */
2301 break;
059ec3d9 2302
c674e7a4 2303 /* Record whether a Date: or Resent-Date: header exists, as appropriate. */
059ec3d9
PH		 2304
2305 case htype_date:
c674e7a4
JH		 2306 if (!resents_exist || is_resent) date_header_exists = TRUE;
2307 break;
059ec3d9 2308
c674e7a4 2309 /* Same comments as about Return-Path: below. */
059ec3d9
PH		 2310
2311 case htype_delivery_date:
c674e7a4
JH		 2312 if (delivery_date_remove) h->type = htype_old;
2313 break;
059ec3d9 2314
c674e7a4 2315 /* Same comments as about Return-Path: below. */
059ec3d9
PH		 2316
2317 case htype_envelope_to:
c674e7a4
JH		 2318 if (envelope_to_remove) h->type = htype_old;
2319 break;
059ec3d9 2320
c674e7a4
JH		 2321 /* Mark all "From:" headers so they get rewritten. Save the one that is to
2322 be used for Sender: checking. For Sendmail compatibility, if the "From:"
2323 header consists of just the login id of the user who called Exim, rewrite
2324 it with the gecos field first. Apply this rule to Resent-From: if there
2325 are resent- fields. */
059ec3d9
PH		 2326
2327 case htype_from:
c674e7a4
JH		 2328 h->type = htype_from;
2329 if (!resents_exist || is_resent)
2330 {
2331 from_header = h;
2332 if (!smtp_input)
2333 {
2334 int len;
2335 uschar *s = Ustrchr(h->text, ':') + 1;
2336 while (isspace(*s)) s++;
2337 len = h->slen - (s - h->text) - 1;
2338 if (Ustrlen(originator_login) == len &&
2339 strncmpic(s, originator_login, len) == 0)
2340 {
2341 uschar *name = is_resent? US"Resent-From" : US"From";
2342 header_add(htype_from, "%s: %s <%s@%s>\n", name, originator_name,
2343 originator_login, qualify_domain_sender);
2344 from_header = header_last;
2345 h->type = htype_old;
2346 DEBUG(D_receive|D_rewrite)
2347 debug_printf("rewrote \"%s:\" header using gecos\n", name);
2348 }
2349 }
2350 }
2351 break;
059ec3d9 2352
c674e7a4
JH		 2353 /* Identify the Message-id: header for generating "in-reply-to" in the
2354 autoreply transport. For incoming logging, save any resent- value. In both
2355 cases, take just the first of any multiples. */
059ec3d9
PH		 2356
2357 case htype_id:
c674e7a4
JH		 2358 if (!msgid_header && (!resents_exist || is_resent))
2359 {
2360 msgid_header = h;
2361 h->type = htype_id;
2362 }
2363 break;
059ec3d9 2364
c674e7a4 2365 /* Flag all Received: headers */
059ec3d9
PH		 2366
2367 case htype_received:
c674e7a4
JH		 2368 h->type = htype_received;
2369 received_count++;
2370 break;
059ec3d9 2371
c674e7a4 2372 /* "Reply-to:" is just noted (there is no resent-reply-to field) */
059ec3d9
PH		 2373
2374 case htype_reply_to:
c674e7a4
JH		 2375 h->type = htype_reply_to;
2376 break;
059ec3d9 2377
c674e7a4
JH		 2378 /* The Return-path: header is supposed to be added to messages when
2379 they leave the SMTP system. We shouldn't receive messages that already
2380 contain Return-path. However, since Exim generates Return-path: on
2381 local delivery, resent messages may well contain it. We therefore
2382 provide an option (which defaults on) to remove any Return-path: headers
2383 on input. Removal actually means flagging as "old", which prevents the
2384 header being transmitted with the message. */
059ec3d9
PH		 2385
2386 case htype_return_path:
c674e7a4 2387 if (return_path_remove) h->type = htype_old;
059ec3d9 2388
c674e7a4
JH		 2389 /* If we are testing a mail filter file, use the value of the
2390 Return-Path: header to set up the return_path variable, which is not
2391 otherwise set. However, remove any <> that surround the address
2392 because the variable doesn't have these. */
059ec3d9 2393
c674e7a4
JH		 2394 if (filter_test != FTEST_NONE)
2395 {
2396 uschar *start = h->text + 12;
2397 uschar *end = start + Ustrlen(start);
2398 while (isspace(*start)) start++;
2399 while (end > start && isspace(end[-1])) end--;
2400 if (*start == '<' && end[-1] == '>')
2401 {
2402 start++;
2403 end--;
2404 }
2405 return_path = string_copyn(start, end - start);
2406 printf("Return-path taken from \"Return-path:\" header line\n");
2407 }
2408 break;
059ec3d9
PH		 2409
2410 /* If there is a "Sender:" header and the message is locally originated,
8800895a
PH		 2411 and from an untrusted caller and suppress_local_fixups is not set, or if we
2412 are in submission mode for a remote message, mark it "old" so that it will
2413 not be transmitted with the message, unless active_local_sender_retain is
2414 set. (This can only be true if active_local_from_check is false.) If there
2415 are any resent- headers in the message, apply this rule to Resent-Sender:
2416 instead of Sender:. Messages with multiple resent- header sets cannot be
2417 tidily handled. (For this reason, at least one MUA - Pine - turns old
2418 resent- headers into X-resent- headers when resending, leaving just one
2419 set.) */
059ec3d9
PH		 2420
2421 case htype_sender:
8768d548
JH		 2422 h->type = !f.active_local_sender_retain
2423 && ( f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
2424 || f.submission_mode
c674e7a4
JH		 2425 )
2426 && (!resents_exist || is_resent)
2427 ? htype_old : htype_sender;
2428 break;
059ec3d9 2429
c674e7a4 2430 /* Remember the Subject: header for logging. There is no Resent-Subject */
059ec3d9
PH		 2431
2432 case htype_subject:
c674e7a4
JH		 2433 subject_header = h;
2434 break;
059ec3d9 2435
c674e7a4
JH		 2436 /* "To:" gets flagged, and the existence of a recipient header is noted,
2437 whether it's resent- or not. */
059ec3d9
PH		 2438
2439 case htype_to:
c674e7a4
JH		 2440 h->type = htype_to;
2441 /****
2442 to_or_cc_header_exists = TRUE;
2443 ****/
2444 break;
059ec3d9
PH		 2445 }
2446 }
2447
2448/* Extract recipients from the headers if that is required (the -t option).
2449Note that this is documented as being done *before* any address rewriting takes
2450place. There are two possibilities:
2451
2452(1) According to sendmail documentation for Solaris, IRIX, and HP-UX, any
2453recipients already listed are to be REMOVED from the message. Smail 3 works
2454like this. We need to build a non-recipients tree for that list, because in
2455subsequent processing this data is held in a tree and that's what the
2456spool_write_header() function expects. Make sure that non-recipient addresses
2457are fully qualified and rewritten if necessary.
2458
2459(2) According to other sendmail documentation, -t ADDS extracted recipients to
2460those in the command line arguments (and it is rumoured some other MTAs do
2461this). Therefore, there is an option to make Exim behave this way.
2462
2463*** Notes on "Resent-" header lines ***
2464
2465The presence of resent-headers in the message makes -t horribly ambiguous.
2466Experiments with sendmail showed that it uses recipients for all resent-
2467headers, totally ignoring the concept of "sets of resent- headers" as described
2468in RFC 2822 section 3.6.6. Sendmail also amalgamates them into a single set
2469with all the addresses in one instance of each header.
2470
2471This seems to me not to be at all sensible. Before release 4.20, Exim 4 gave an
2472error for -t if there were resent- headers in the message. However, after a
2473discussion on the mailing list, I've learned that there are MUAs that use
2474resent- headers with -t, and also that the stuff about sets of resent- headers
2475and their ordering in RFC 2822 is generally ignored. An MUA that submits a
2476message with -t and resent- header lines makes sure that only *its* resent-
2477headers are present; previous ones are often renamed as X-resent- for example.
2478
2479Consequently, Exim has been changed so that, if any resent- header lines are
2480present, the recipients are taken from all of the appropriate resent- lines,
2481and not from the ordinary To:, Cc:, etc. */
2482
2483if (extract_recip)
2484 {
2485 int rcount = 0;
2486 error_block **bnext = &bad_addresses;
2487
2488 if (extract_addresses_remove_arguments)
2489 {
2490 while (recipients_count-- > 0)
2491 {
2492 uschar *s = rewrite_address(recipients_list[recipients_count].address,
2493 TRUE, TRUE, global_rewrite_rules, rewrite_existflags);
2494 tree_add_nonrecipient(s);
2495 }
2496 recipients_list = NULL;
2497 recipients_count = recipients_list_max = 0;
2498 }
2499
059ec3d9
PH		 2500 /* Now scan the headers */
2501
d7978c0f 2502 for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH		 2503 {
2504 if ((h->type == htype_to || h->type == htype_cc || h->type == htype_bcc) &&
2505 (!contains_resent_headers || strncmpic(h->text, US"resent-", 7) == 0))
2506 {
2507 uschar *s = Ustrchr(h->text, ':') + 1;
2508 while (isspace(*s)) s++;
2509
8768d548 2510 f.parse_allow_group = TRUE; /* Allow address group syntax */
1eccaa59 2511
059ec3d9
PH		 2512 while (*s != 0)
2513 {
2514 uschar *ss = parse_find_address_end(s, FALSE);
d7978c0f 2515 uschar *recipient, *errmess, *pp;
059ec3d9
PH		 2516 int start, end, domain;
2517
2518 /* Check on maximum */
2519
2520 if (recipients_max > 0 && ++rcount > recipients_max)
059ec3d9
PH		 2521 give_local_error(ERRMESS_TOOMANYRECIP, US"too many recipients",
2522 US"message rejected: ", error_rc, stdin, NULL);
2523 /* Does not return */
059ec3d9
PH		 2524
2525 /* Make a copy of the address, and remove any internal newlines. These
2526 may be present as a result of continuations of the header line. The
2527 white space that follows the newline must not be removed - it is part
2528 of the header. */
2529
2530 pp = recipient = store_get(ss - s + 1);
d7978c0f 2531 for (uschar * p = s; p < ss; p++) if (*p != '\n') *pp++ = *p;
059ec3d9 2532 *pp = 0;
250b6871 2533
8c5d388a 2534#ifdef SUPPORT_I18N
250b6871
JH		 2535 {
2536 BOOL b = allow_utf8_domains;
2537 allow_utf8_domains = TRUE;
2538#endif
059ec3d9
PH		 2539 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2540 &domain, FALSE);
2541
8c5d388a 2542#ifdef SUPPORT_I18N
250b6871
JH		 2543 if (string_is_utf8(recipient))
2544 message_smtputf8 = TRUE;
2545 else
2546 allow_utf8_domains = b;
2547 }
2548#endif
2549
059ec3d9
PH		 2550 /* Keep a list of all the bad addresses so we can send a single
2551 error message at the end. However, an empty address is not an error;
2552 just ignore it. This can come from an empty group list like
2553
2554 To: Recipients of list:;
2555
2556 If there are no recipients at all, an error will occur later. */
2557
2558 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2559 {
2560 int len = Ustrlen(s);
2561 error_block *b = store_get(sizeof(error_block));
2562 while (len > 0 && isspace(s[len-1])) len--;
2563 b->next = NULL;
2564 b->text1 = string_printing(string_copyn(s, len));
2565 b->text2 = errmess;
2566 *bnext = b;
2567 bnext = &(b->next);
2568 }
2569
2570 /* If the recipient is already in the nonrecipients tree, it must
2571 have appeared on the command line with the option extract_addresses_
2572 remove_arguments set. Do not add it to the recipients, and keep a note
2573 that this has happened, in order to give a better error if there are
2574 no recipients left. */
2575
2576 else if (recipient != NULL)
2577 {
2578 if (tree_search(tree_nonrecipients, recipient) == NULL)
2579 receive_add_recipient(recipient, -1);
2580 else
2581 extracted_ignored = TRUE;
2582 }
2583
2584 /* Move on past this address */
2585
2586 s = ss + (*ss? 1:0);
2587 while (isspace(*s)) s++;
1eccaa59
PH		 2588 } /* Next address */
2589
8768d548
JH		 2590 f.parse_allow_group = FALSE; /* Reset group syntax flags */
2591 f.parse_found_group = FALSE;
059ec3d9
PH		 2592
2593 /* If this was the bcc: header, mark it "old", which means it
2594 will be kept on the spool, but not transmitted as part of the
2595 message. */
2596
2cbb4081 2597 if (h->type == htype_bcc) h->type = htype_old;
059ec3d9
PH		 2598 } /* For appropriate header line */
2599 } /* For each header line */
2600
059ec3d9
PH		 2601 }
2602
2603/* Now build the unique message id. This has changed several times over the
2604lifetime of Exim. This description was rewritten for Exim 4.14 (February 2003).
2605Retaining all the history in the comment has become too unwieldy - read
2606previous release sources if you want it.
2607
2608The message ID has 3 parts: tttttt-pppppp-ss. Each part is a number in base 62.
2609The first part is the current time, in seconds. The second part is the current
2610pid. Both are large enough to hold 32-bit numbers in base 62. The third part
2611can hold a number in the range 0-3843. It used to be a computed sequence
2612number, but is now the fractional component of the current time in units of
26131/2000 of a second (i.e. a value in the range 0-1999). After a message has been
2614received, Exim ensures that the timer has ticked at the appropriate level
2615before proceeding, to avoid duplication if the pid happened to be re-used
2616within the same time period. It seems likely that most messages will take at
2617least half a millisecond to be received, so no delay will normally be
2618necessary. At least for some time...
2619
2620There is a modification when localhost_number is set. Formerly this was allowed
2621to be as large as 255. Now it is restricted to the range 0-16, and the final
2622component of the message id becomes (localhost_number * 200) + fractional time
2623in units of 1/200 of a second (i.e. a value in the range 0-3399).
2624
2625Some not-really-Unix operating systems use case-insensitive file names (Darwin,
2626Cygwin). For these, we have to use base 36 instead of base 62. Luckily, this
2627still allows the tttttt field to hold a large enough number to last for some
2628more decades, and the final two-digit field can hold numbers up to 1295, which
2629is enough for milliseconds (instead of 1/2000 of a second).
2630
2631However, the pppppp field cannot hold a 32-bit pid, but it can hold a 31-bit
2632pid, so it is probably safe because pids have to be positive. The
2633localhost_number is restricted to 0-10 for these hosts, and when it is set, the
2634final field becomes (localhost_number * 100) + fractional time in centiseconds.
2635
2636Note that string_base62() returns its data in a static storage block, so it
2637must be copied before calling string_base62() again. It always returns exactly
26386 characters.
2639
2640There doesn't seem to be anything in the RFC which requires a message id to
2641start with a letter, but Smail was changed to ensure this. The external form of
2642the message id (as supplied by string expansion) therefore starts with an
2643additional leading 'E'. The spool file names do not include this leading
2644letter and it is not used internally.
2645
2646NOTE: If ever the format of message ids is changed, the regular expression for
2647checking that a string is in this format must be updated in a corresponding
2648way. It appears in the initializing code in exim.c. The macro MESSAGE_ID_LENGTH
2540f2f8
JH		 2649must also be changed to reflect the correct string length. The queue-sort code
2650needs to know the layout. Then, of course, other programs that rely on the
2651message id format will need updating too. */
059ec3d9
PH		 2652
2653Ustrncpy(message_id, string_base62((long int)(message_id_tv.tv_sec)), 6);
2654message_id[6] = '-';
2655Ustrncpy(message_id + 7, string_base62((long int)getpid()), 6);
2656
2657/* Deal with the case where the host number is set. The value of the number was
2658checked when it was read, to ensure it isn't too big. The timing granularity is
2659left in id_resolution so that an appropriate wait can be done after receiving
2660the message, if necessary (we hope it won't be). */
2661
306c6c77 2662if (host_number_string)
059ec3d9 2663 {
099afc4f 2664 id_resolution = BASE_62 == 62 ? 5000 : 10000;
059ec3d9
PH		 2665 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2666 string_base62((long int)(
2667 host_number * (1000000/id_resolution) +
2668 message_id_tv.tv_usec/id_resolution)) + 4);
2669 }
2670
2671/* Host number not set: final field is just the fractional time at an
2672appropriate resolution. */
2673
2674else
2675 {
099afc4f 2676 id_resolution = BASE_62 == 62 ? 500 : 1000;
059ec3d9
PH		 2677 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2678 string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4);
2679 }
2680
2681/* Add the current message id onto the current process info string if
2682it will fit. */
2683
2684(void)string_format(process_info + process_info_len,
2685 PROCESS_INFO_SIZE - process_info_len, " id=%s", message_id);
2686
2687/* If we are using multiple input directories, set up the one for this message
2688to be the least significant base-62 digit of the time of arrival. Otherwise
2689ensure that it is an empty string. */
2690
a2da3176 2691message_subdir[0] = split_spool_directory ? message_id[5] : 0;
059ec3d9
PH		 2692
2693/* Now that we have the message-id, if there is no message-id: header, generate
8800895a
PH		 2694one, but only for local (without suppress_local_fixups) or submission mode
2695messages. This can be user-configured if required, but we had better flatten
2696any illegal characters therein. */
059ec3d9 2697
306c6c77 2698if ( !msgid_header
8768d548 2699 && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
059ec3d9 2700 {
059ec3d9
PH		 2701 uschar *id_text = US"";
2702 uschar *id_domain = primary_hostname;
049782c0 2703 header_line * h;
059ec3d9
PH		 2704
2705 /* Permit only letters, digits, dots, and hyphens in the domain */
2706
306c6c77 2707 if (message_id_domain)
059ec3d9
PH		 2708 {
2709 uschar *new_id_domain = expand_string(message_id_domain);
306c6c77 2710 if (!new_id_domain)
059ec3d9 2711 {
8768d548 2712 if (!f.expand_string_forcedfail)
059ec3d9
PH		 2713 log_write(0, LOG_MAIN|LOG_PANIC,
2714 "expansion of \"%s\" (message_id_header_domain) "
2715 "failed: %s", message_id_domain, expand_string_message);
2716 }
306c6c77 2717 else if (*new_id_domain)
059ec3d9
PH		 2718 {
2719 id_domain = new_id_domain;
d7978c0f 2720 for (uschar * p = id_domain; *p; p++)
059ec3d9
PH		 2721 if (!isalnum(*p) && *p != '.') *p = '-'; /* No need to test '-' ! */
2722 }
2723 }
2724
2725 /* Permit all characters except controls and RFC 2822 specials in the
2726 additional text part. */
2727
306c6c77 2728 if (message_id_text)
059ec3d9
PH		 2729 {
2730 uschar *new_id_text = expand_string(message_id_text);
306c6c77 2731 if (!new_id_text)
059ec3d9 2732 {
8768d548 2733 if (!f.expand_string_forcedfail)
059ec3d9
PH		 2734 log_write(0, LOG_MAIN|LOG_PANIC,
2735 "expansion of \"%s\" (message_id_header_text) "
2736 "failed: %s", message_id_text, expand_string_message);
2737 }
306c6c77 2738 else if (*new_id_text)
059ec3d9
PH		 2739 {
2740 id_text = new_id_text;
d7978c0f 2741 for (uschar * p = id_text; *p; p++) if (mac_iscntrl_or_special(*p)) *p = '-';
059ec3d9
PH		 2742 }
2743 }
2744
049782c0
JH		 2745 /* Add the header line.
2746 Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are
2747 appended, to preserve classical expectations of header ordering. */
059ec3d9 2748
049782c0 2749 h = header_add_at_position_internal(!resents_exist, NULL, FALSE, htype_id,
5eb690a1 2750 "%sMessage-Id: <%s%s%s@%s>\n", resent_prefix, message_id_external,
049782c0
JH		 2751 *id_text == 0 ? "" : ".", id_text, id_domain);
2752
2753 /* Arrange for newly-created Message-Id to be logged */
2754
2755 if (!resents_exist)
2756 {
2757 msgid_header_newly_created = TRUE;
2758 msgid_header = h;
2759 }
059ec3d9
PH		 2760 }
2761
2762/* If we are to log recipients, keep a copy of the raw ones before any possible
2763rewriting. Must copy the count, because later ACLs and the local_scan()
2764function may mess with the real recipients. */
2765
6c6d6e48 2766if (LOGGING(received_recipients))
059ec3d9
PH		 2767 {
2768 raw_recipients = store_get(recipients_count * sizeof(uschar *));
d7978c0f 2769 for (int i = 0; i < recipients_count; i++)
059ec3d9
PH		 2770 raw_recipients[i] = string_copy(recipients_list[i].address);
2771 raw_recipients_count = recipients_count;
2772 }
2773
2774/* Ensure the recipients list is fully qualified and rewritten. Unqualified
2775recipients will get here only if the conditions were right (allow_unqualified_
2776recipient is TRUE). */
2777
d7978c0f 2778for (int i = 0; i < recipients_count; i++)
059ec3d9
PH		 2779 recipients_list[i].address =
2780 rewrite_address(recipients_list[i].address, TRUE, TRUE,
2781 global_rewrite_rules, rewrite_existflags);
2782
8800895a
PH		 2783/* If there is no From: header, generate one for local (without
2784suppress_local_fixups) or submission_mode messages. If there is no sender
2785address, but the sender is local or this is a local delivery error, use the
2786originator login. This shouldn't happen for genuine bounces, but might happen
2787for autoreplies. The addition of From: must be done *before* checking for the
2788possible addition of a Sender: header, because untrusted_set_sender allows an
2789untrusted user to set anything in the envelope (which might then get info
2790From:) but we still want to ensure a valid Sender: if it is required. */
2791
306c6c77 2792if ( !from_header
8768d548 2793 && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
059ec3d9 2794 {
2fe1a124
PH		 2795 uschar *oname = US"";
2796
2797 /* Use the originator_name if this is a locally submitted message and the
2798 caller is not trusted. For trusted callers, use it only if -F was used to
2799 force its value or if we have a non-SMTP message for which -f was not used
2800 to set the sender. */
2801
306c6c77 2802 if (!sender_host_address)
2fe1a124 2803 {
8768d548
JH		 2804 if (!f.trusted_caller || f.sender_name_forced ||
2805 (!smtp_input && !f.sender_address_forced))
2fe1a124
PH		 2806 oname = originator_name;
2807 }
2808
2809 /* For non-locally submitted messages, the only time we use the originator
2810 name is when it was forced by the /name= option on control=submission. */
2811
306c6c77 2812 else if (submission_name) oname = submission_name;
2fe1a124 2813
059ec3d9
PH		 2814 /* Envelope sender is empty */
2815
306c6c77 2816 if (!*sender_address)
059ec3d9 2817 {
87ba3f5f
PH		 2818 uschar *fromstart, *fromend;
2819
306c6c77
JH		 2820 fromstart = string_sprintf("%sFrom: %s%s",
2821 resent_prefix, oname, *oname ? " <" : "");
2822 fromend = *oname ? US">" : US"";
87ba3f5f 2823
8768d548 2824 if (f.sender_local || f.local_error_message)
87ba3f5f
PH		 2825 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2826 local_part_quote(originator_login), qualify_domain_sender,
2827 fromend);
306c6c77 2828
8768d548 2829 else if (f.submission_mode && authenticated_id)
059ec3d9 2830 {
306c6c77 2831 if (!submission_domain)
87ba3f5f
PH		 2832 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2833 local_part_quote(authenticated_id), qualify_domain_sender,
2834 fromend);
306c6c77
JH		 2835
2836 else if (!*submission_domain) /* empty => whole address set */
87ba3f5f
PH		 2837 header_add(htype_from, "%s%s%s\n", fromstart, authenticated_id,
2838 fromend);
306c6c77 2839
059ec3d9 2840 else
87ba3f5f 2841 header_add(htype_from, "%s%s@%s%s\n", fromstart,
306c6c77
JH		 2842 local_part_quote(authenticated_id), submission_domain, fromend);
2843
059ec3d9
PH		 2844 from_header = header_last; /* To get it checked for Sender: */
2845 }
2846 }
2847
2848 /* There is a non-null envelope sender. Build the header using the original
2849 sender address, before any rewriting that might have been done while
2850 verifying it. */
2851
2852 else
2853 {
87ba3f5f 2854 header_add(htype_from, "%sFrom: %s%s%s%s\n", resent_prefix,
2fe1a124 2855 oname,
306c6c77
JH		 2856 *oname ? " <" : "",
2857 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
2858 *oname ? ">" : "");
059ec3d9
PH		 2859
2860 from_header = header_last; /* To get it checked for Sender: */
2861 }
2862 }
2863
2864
8800895a
PH		 2865/* If the sender is local (without suppress_local_fixups), or if we are in
2866submission mode and there is an authenticated_id, check that an existing From:
2867is correct, and if not, generate a Sender: header, unless disabled. Any
2868previously-existing Sender: header was removed above. Note that sender_local,
2869as well as being TRUE if the caller of exim is not trusted, is also true if a
2870trusted caller did not supply a -f argument for non-smtp input. To allow
2871trusted callers to forge From: without supplying -f, we have to test explicitly
2872here. If the From: header contains more than one address, then the call to
2873parse_extract_address fails, and a Sender: header is inserted, as required. */
059ec3d9 2874
306c6c77 2875if ( from_header
8768d548
JH		 2876 && ( f.active_local_from_check
2877 && ( f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
2878 || f.submission_mode && authenticated_id
306c6c77 2879 ) ) )
059ec3d9
PH		 2880 {
2881 BOOL make_sender = TRUE;
2882 int start, end, domain;
2883 uschar *errmess;
2884 uschar *from_address =
2885 parse_extract_address(Ustrchr(from_header->text, ':') + 1, &errmess,
2886 &start, &end, &domain, FALSE);
2887 uschar *generated_sender_address;
2888
8768d548 2889 generated_sender_address = f.submission_mode
306c6c77
JH		 2890 ? !submission_domain
2891 ? string_sprintf("%s@%s",
2892 local_part_quote(authenticated_id), qualify_domain_sender)
2893 : !*submission_domain /* empty => full address */
2894 ? string_sprintf("%s", authenticated_id)
2895 : string_sprintf("%s@%s",
2896 local_part_quote(authenticated_id), submission_domain)
2897 : string_sprintf("%s@%s",
2898 local_part_quote(originator_login), qualify_domain_sender);
059ec3d9
PH		 2899
2900 /* Remove permitted prefixes and suffixes from the local part of the From:
2901 address before doing the comparison with the generated sender. */
2902
306c6c77 2903 if (from_address)
059ec3d9
PH		 2904 {
2905 int slen;
306c6c77 2906 uschar *at = domain ? from_address + domain - 1 : NULL;
059ec3d9 2907
306c6c77 2908 if (at) *at = 0;
059ec3d9
PH		 2909 from_address += route_check_prefix(from_address, local_from_prefix);
2910 slen = route_check_suffix(from_address, local_from_suffix);
2911 if (slen > 0)
2912 {
2913 memmove(from_address+slen, from_address, Ustrlen(from_address)-slen);
2914 from_address += slen;
2915 }
306c6c77 2916 if (at) *at = '@';
059ec3d9 2917
306c6c77
JH		 2918 if ( strcmpic(generated_sender_address, from_address) == 0
2919 || (!domain && strcmpic(from_address, originator_login) == 0))
059ec3d9
PH		 2920 make_sender = FALSE;
2921 }
2922
2923 /* We have to cause the Sender header to be rewritten if there are
2924 appropriate rewriting rules. */
2925
2926 if (make_sender)
8768d548 2927 if (f.submission_mode && !submission_name)
059ec3d9
PH		 2928 header_add(htype_sender, "%sSender: %s\n", resent_prefix,
2929 generated_sender_address);
2930 else
2931 header_add(htype_sender, "%sSender: %s <%s>\n",
2fe1a124 2932 resent_prefix,
8768d548 2933 f.submission_mode ? submission_name : originator_name,
2fe1a124 2934 generated_sender_address);
87ba3f5f
PH		 2935
2936 /* Ensure that a non-null envelope sender address corresponds to the
2937 submission mode sender address. */
2938
8768d548 2939 if (f.submission_mode && *sender_address)
87ba3f5f 2940 {
306c6c77 2941 if (!sender_address_unrewritten)
87ba3f5f
PH		 2942 sender_address_unrewritten = sender_address;
2943 sender_address = generated_sender_address;
089793a4
TF		 2944 if (Ustrcmp(sender_address_unrewritten, generated_sender_address) != 0)
2945 log_write(L_address_rewrite, LOG_MAIN,
2946 "\"%s\" from env-from rewritten as \"%s\" by submission mode",
2947 sender_address_unrewritten, generated_sender_address);
87ba3f5f 2948 }
059ec3d9
PH		 2949 }
2950
059ec3d9
PH		 2951/* If there are any rewriting rules, apply them to the sender address, unless
2952it has already been rewritten as part of verification for SMTP input. */
2953
306c6c77 2954if (global_rewrite_rules && !sender_address_unrewritten && *sender_address)
059ec3d9
PH		 2955 {
2956 sender_address = rewrite_address(sender_address, FALSE, TRUE,
2957 global_rewrite_rules, rewrite_existflags);
2958 DEBUG(D_receive|D_rewrite)
2959 debug_printf("rewritten sender = %s\n", sender_address);
2960 }
2961
2962
2963/* The headers must be run through rewrite_header(), because it ensures that
2964addresses are fully qualified, as well as applying any rewriting rules that may
2965exist.
2966
2967Qualification of header addresses in a message from a remote host happens only
2968if the host is in sender_unqualified_hosts or recipient_unqualified hosts, as
2969appropriate. For local messages, qualification always happens, unless -bnq is
2970used to explicitly suppress it. No rewriting is done for an unqualified address
2971that is left untouched.
2972
2973We start at the second header, skipping our own Received:. This rewriting is
2974documented as happening *after* recipient addresses are taken from the headers
2975by the -t command line option. An added Sender: gets rewritten here. */
2976
d7978c0f 2977for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH		 2978 {
2979 header_line *newh = rewrite_header(h, NULL, NULL, global_rewrite_rules,
2980 rewrite_existflags, TRUE);
1ebe15c3 2981 if (newh) h = newh;
059ec3d9
PH		 2982 }
2983
2984
2985/* An RFC 822 (sic) message is not legal unless it has at least one of "to",
2cbb4081 2986"cc", or "bcc". Note that although the minimal examples in RFC 822 show just
059ec3d9
PH		 2987"to" or "bcc", the full syntax spec allows "cc" as well. If any resent- header
2988exists, this applies to the set of resent- headers rather than the normal set.
2989
2cbb4081
PH		 2990The requirement for a recipient header has been removed in RFC 2822. At this
2991point in the code, earlier versions of Exim added a To: header for locally
2992submitted messages, and an empty Bcc: header for others. In the light of the
2993changes in RFC 2822, this was dropped in November 2003. */
059ec3d9 2994
059ec3d9
PH		 2995
2996/* If there is no date header, generate one if the message originates locally
8800895a
PH		 2997(i.e. not over TCP/IP) and suppress_local_fixups is not set, or if the
2998submission mode flag is set. Messages without Date: are not valid, but it seems
e7e680d6
PP		 2999to be more confusing if Exim adds one to all remotely-originated messages.
3000As per Message-Id, we prepend if resending, else append.
3001*/
059ec3d9 3002
306c6c77 3003if ( !date_header_exists
8768d548 3004 && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
e7e680d6
PP		 3005 header_add_at_position(!resents_exist, NULL, FALSE, htype_other,
3006 "%sDate: %s\n", resent_prefix, tod_stamp(tod_full));
059ec3d9
PH		 3007
3008search_tidyup(); /* Free any cached resources */
3009
3010/* Show the complete set of headers if debugging. Note that the first one (the
3011new Received:) has not yet been set. */
3012
3013DEBUG(D_receive)
3014 {
3015 debug_printf(">>Headers after rewriting and local additions:\n");
d7978c0f 3016 for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH		 3017 debug_printf("%c %s", h->type, h->text);
3018 debug_printf("\n");
3019 }
3020
3021/* The headers are now complete in store. If we are running in filter
3022testing mode, that is all this function does. Return TRUE if the message
3023ended with a dot. */
3024
f05da2e8 3025if (filter_test != FTEST_NONE)
059ec3d9
PH		 3026 {
3027 process_info[process_info_len] = 0;
3028 return message_ended == END_DOT;
3029 }
3030
7e3ce68e
JH		 3031/*XXX CHUNKING: need to cancel cutthrough under BDAT, for now. In future,
3032think more if it could be handled. Cannot do onward CHUNKING unless
3033inbound is, but inbound chunking ought to be ok with outbound plain.
3034Could we do onward CHUNKING given inbound CHUNKING?
3035*/
3036if (chunking_state > CHUNKING_OFFERED)
57cc2785 3037 cancel_cutthrough_connection(FALSE, US"chunking active");
7e3ce68e 3038
817d9f57 3039/* Cutthrough delivery:
5032d1cf
JH		 3040We have to create the Received header now rather than at the end of reception,
3041so the timestamp behaviour is a change to the normal case.
5032d1cf 3042Having created it, send the headers to the destination. */
57cc2785 3043
74f1a423 3044if (cutthrough.cctx.sock >= 0 && cutthrough.delivery)
e4bdf652 3045 {
817d9f57
JH		 3046 if (received_count > received_headers_max)
3047 {
57cc2785 3048 cancel_cutthrough_connection(TRUE, US"too many headers");
817d9f57
JH		 3049 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
3050 log_write(0, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
3051 "Too many \"Received\" headers",
3052 sender_address,
57cc2785
JH		 3053 sender_fullhost ? "H=" : "", sender_fullhost ? sender_fullhost : US"",
3054 sender_ident ? "U=" : "", sender_ident ? sender_ident : US"");
817d9f57
JH		 3055 message_id[0] = 0; /* Indicate no message accepted */
3056 smtp_reply = US"550 Too many \"Received\" headers - suspected mail loop";
3057 goto TIDYUP; /* Skip to end of function */
3058 }
e4bdf652 3059 received_header_gen();
578d43dc 3060 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652
JH		 3061 (void) cutthrough_headers_send();
3062 }
61147df4 3063
e4bdf652 3064
059ec3d9
PH		 3065/* Open a new spool file for the data portion of the message. We need
3066to access it both via a file descriptor and a stream. Try to make the
41313d92 3067directory if it isn't there. */
059ec3d9 3068
41313d92 3069spool_name = spool_fname(US"input", message_subdir, message_id, US"-D");
a2da3176
JH		 3070DEBUG(D_receive) debug_printf("Data file name: %s\n", spool_name);
3071
3072if ((data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
059ec3d9
PH		 3073 {
3074 if (errno == ENOENT)
3075 {
0971ec06 3076 (void) directory_make(spool_directory,
41313d92
JH		 3077 spool_sname(US"input", message_subdir),
3078 INPUT_DIRECTORY_MODE, TRUE);
059ec3d9
PH		 3079 data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
3080 }
3081 if (data_fd < 0)
3082 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to create spool file %s: %s",
3083 spool_name, strerror(errno));
3084 }
3085
3086/* Make sure the file's group is the Exim gid, and double-check the mode
3087because the group setting doesn't always get set automatically. */
3088
b66fecb4 3089if (0 != exim_fchown(data_fd, exim_uid, exim_gid, spool_name))
1ac6b2e7
JH		 3090 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3091 "Failed setting ownership on spool file %s: %s",
3092 spool_name, strerror(errno));
ff790e47 3093(void)fchmod(data_fd, SPOOL_MODE);
059ec3d9
PH		 3094
3095/* We now have data file open. Build a stream for it and lock it. We lock only
3096the first line of the file (containing the message ID) because otherwise there
3097are problems when Exim is run under Cygwin (I'm told). See comments in
3098spool_in.c, where the same locking is done. */
3099
1bd642c2 3100spool_data_file = fdopen(data_fd, "w+");
059ec3d9
PH		 3101lock_data.l_type = F_WRLCK;
3102lock_data.l_whence = SEEK_SET;
3103lock_data.l_start = 0;
3104lock_data.l_len = SPOOL_DATA_START_OFFSET;
3105
3106if (fcntl(data_fd, F_SETLK, &lock_data) < 0)
3107 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Cannot lock %s (%d): %s", spool_name,
3108 errno, strerror(errno));
3109
3110/* We have an open, locked data file. Write the message id to it to make it
3111self-identifying. Then read the remainder of the input of this message and
3112write it to the data file. If the variable next != NULL, it contains the first
3113data line (which was read as a header but then turned out not to have the right
3114format); write it (remembering that it might contain binary zeros). The result
3115of fwrite() isn't inspected; instead we call ferror() below. */
3116
1bd642c2 3117fprintf(spool_data_file, "%s-D\n", message_id);
306c6c77 3118if (next)
059ec3d9
PH		 3119 {
3120 uschar *s = next->text;
3121 int len = next->slen;
1bd642c2 3122 if (fwrite(s, 1, len, spool_data_file) == len) /* "if" for compiler quietening */
cfbb0d24 3123 body_linecount++; /* Assumes only 1 line */
059ec3d9
PH		 3124 }
3125
3126/* Note that we might already be at end of file, or the logical end of file
3127(indicated by '.'), or might have encountered an error while writing the
3128message id or "next" line. */
3129
1bd642c2 3130if (!ferror(spool_data_file) && !(receive_feof)() && message_ended != END_DOT)
059ec3d9
PH		 3131 {
3132 if (smtp_input)
3133 {
328c5688 3134 message_ended = chunking_state <= CHUNKING_OFFERED
1bd642c2 3135 ? read_message_data_smtp(spool_data_file)
328c5688 3136 : spool_wireformat
1bd642c2
JH		 3137 ? read_message_bdat_smtp_wire(spool_data_file)
3138 : read_message_bdat_smtp(spool_data_file);
059ec3d9
PH		 3139 receive_linecount++; /* The terminating "." line */
3140 }
cfbb0d24 3141 else
1bd642c2 3142 message_ended = read_message_data(spool_data_file);
059ec3d9
PH		 3143
3144 receive_linecount += body_linecount; /* For BSMTP errors mainly */
2e0c1448 3145 message_linecount += body_linecount;
059ec3d9 3146
7e3ce68e 3147 switch (message_ended)
059ec3d9 3148 {
7e3ce68e 3149 /* Handle premature termination of SMTP */
059ec3d9 3150
7e3ce68e
JH		 3151 case END_EOF:
3152 if (smtp_input)
3153 {
3154 Uunlink(spool_name); /* Lose data file when closed */
57cc2785 3155 cancel_cutthrough_connection(TRUE, US"sender closed connection");
7e3ce68e
JH		 3156 message_id[0] = 0; /* Indicate no message accepted */
3157 smtp_reply = handle_lost_connection(US"");
3158 smtp_yield = FALSE;
3159 goto TIDYUP; /* Skip to end of function */
3160 }
3161 break;
059ec3d9 3162
7e3ce68e
JH		 3163 /* Handle message that is too big. Don't use host_or_ident() in the log
3164 message; we want to see the ident value even for non-remote messages. */
059ec3d9 3165
7e3ce68e
JH		 3166 case END_SIZE:
3167 Uunlink(spool_name); /* Lose the data file when closed */
57cc2785 3168 cancel_cutthrough_connection(TRUE, US"mail too big");
7e3ce68e 3169 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
059ec3d9 3170
7e3ce68e
JH		 3171 log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
3172 "message too big: read=%d max=%d",
3173 sender_address,
306c6c77
JH		 3174 sender_fullhost ? " H=" : "",
3175 sender_fullhost ? sender_fullhost : US"",
3176 sender_ident ? " U=" : "",
3177 sender_ident ? sender_ident : US"",
7e3ce68e
JH		 3178 message_size,
3179 thismessage_size_limit);
3180
3181 if (smtp_input)
3182 {
3183 smtp_reply = US"552 Message size exceeds maximum permitted";
3184 message_id[0] = 0; /* Indicate no message accepted */
3185 goto TIDYUP; /* Skip to end of function */
3186 }
3187 else
3188 {
1bd642c2 3189 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
7e3ce68e
JH		 3190 give_local_error(ERRMESS_TOOBIG,
3191 string_sprintf("message too big (max=%d)", thismessage_size_limit),
1bd642c2 3192 US"message rejected: ", error_rc, spool_data_file, header_list);
7e3ce68e
JH		 3193 /* Does not return */
3194 }
3195 break;
3196
3197 /* Handle bad BDAT protocol sequence */
3198
3199 case END_PROTOCOL:
3200 Uunlink(spool_name); /* Lose the data file when closed */
57cc2785 3201 cancel_cutthrough_connection(TRUE, US"sender protocol error");
7e3ce68e
JH		 3202 smtp_reply = US""; /* Response already sent */
3203 message_id[0] = 0; /* Indicate no message accepted */
3204 goto TIDYUP; /* Skip to end of function */
059ec3d9
PH		 3205 }
3206 }
3207
3208/* Restore the standard SIGALRM handler for any subsequent processing. (For
3209example, there may be some expansion in an ACL that uses a timer.) */
3210
3211os_non_restarting_signal(SIGALRM, sigalrm_handler);
3212
3213/* The message body has now been read into the data file. Call fflush() to
3214empty the buffers in C, and then call fsync() to get the data written out onto
3215the disk, as fflush() doesn't do this (or at least, it isn't documented as
3216having to do this). If there was an I/O error on either input or output,
3217attempt to send an error message, and unlink the spool file. For non-SMTP input
3218we can then give up. Note that for SMTP input we must swallow the remainder of
3219the input in cases of output errors, since the far end doesn't expect to see
3220anything until the terminating dot line is sent. */
3221
1bd642c2
JH		 3222if (fflush(spool_data_file) == EOF || ferror(spool_data_file) ||
3223 EXIMfsync(fileno(spool_data_file)) < 0 || (receive_ferror)())
059ec3d9
PH		 3224 {
3225 uschar *msg_errno = US strerror(errno);
3226 BOOL input_error = (receive_ferror)() != 0;
3227 uschar *msg = string_sprintf("%s error (%s) while receiving message from %s",
3228 input_error? "Input read" : "Spool write",
3229 msg_errno,
306c6c77 3230 sender_fullhost ? sender_fullhost : sender_ident);
059ec3d9
PH		 3231
3232 log_write(0, LOG_MAIN, "Message abandoned: %s", msg);
3233 Uunlink(spool_name); /* Lose the data file */
57cc2785 3234 cancel_cutthrough_connection(TRUE, US"error writing spoolfile");
059ec3d9
PH		 3235
3236 if (smtp_input)
3237 {
3238 if (input_error)
3239 smtp_reply = US"451 Error while reading input data";
3240 else
3241 {
3242 smtp_reply = US"451 Error while writing spool file";
3243 receive_swallow_smtp();
3244 }
3245 message_id[0] = 0; /* Indicate no message accepted */
3246 goto TIDYUP; /* Skip to end of function */
3247 }
3248
3249 else
3250 {
1bd642c2
JH		 3251 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3252 give_local_error(ERRMESS_IOERR, msg, US"", error_rc, spool_data_file,
059ec3d9
PH		 3253 header_list);
3254 /* Does not return */
3255 }
3256 }
3257
3258
3259/* No I/O errors were encountered while writing the data file. */
3260
3261DEBUG(D_receive) debug_printf("Data file written for message %s\n", message_id);
306c6c77 3262if (LOGGING(receive_time)) timesince(&received_time_taken, &received_time);
059ec3d9
PH		 3263
3264
3265/* If there were any bad addresses extracted by -t, or there were no recipients
3266left after -t, send a message to the sender of this message, or write it to
3267stderr if the error handling option is set that way. Note that there may
3268legitimately be no recipients for an SMTP message if they have all been removed
3269by "discard".
3270
3271We need to rewind the data file in order to read it. In the case of no
3272recipients or stderr error writing, throw the data file away afterwards, and
3273exit. (This can't be SMTP, which always ensures there's at least one
3274syntactically good recipient address.) */
3275
306c6c77 3276if (extract_recip && (bad_addresses || recipients_count == 0))
059ec3d9
PH		 3277 {
3278 DEBUG(D_receive)
3279 {
3280 if (recipients_count == 0) debug_printf("*** No recipients\n");
306c6c77 3281 if (bad_addresses)
059ec3d9 3282 {
059ec3d9 3283 debug_printf("*** Bad address(es)\n");
d7978c0f 3284 for (error_block * eblock = bad_addresses; eblock; eblock = eblock->next)
059ec3d9 3285 debug_printf(" %s: %s\n", eblock->text1, eblock->text2);
059ec3d9
PH		 3286 }
3287 }
3288
569a8b23
JH		 3289 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s found in headers",
3290 message_id, bad_addresses ? "bad addresses" : "no recipients");
3291
1bd642c2 3292 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
059ec3d9
PH		 3293
3294 /* If configured to send errors to the sender, but this fails, force
3295 a failure error code. We use a special one for no recipients so that it
3296 can be detected by the autoreply transport. Otherwise error_rc is set to
3297 errors_sender_rc, which is EXIT_FAILURE unless -oee was given, in which case
3298 it is EXIT_SUCCESS. */
3299
3300 if (error_handling == ERRORS_SENDER)
3301 {
3302 if (!moan_to_sender(
569a8b23
JH		 3303 bad_addresses
3304 ? recipients_list ? ERRMESS_BADADDRESS : ERRMESS_BADNOADDRESS
3305 : extracted_ignored ? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS,
3306 bad_addresses, header_list, spool_data_file, FALSE
3307 ) )
3308 error_rc = bad_addresses ? EXIT_FAILURE : EXIT_NORECIPIENTS;
059ec3d9
PH		 3309 }
3310 else
3311 {
306c6c77 3312 if (!bad_addresses)
059ec3d9
PH		 3313 if (extracted_ignored)
3314 fprintf(stderr, "exim: all -t recipients overridden by command line\n");
3315 else
3316 fprintf(stderr, "exim: no recipients in message\n");
059ec3d9
PH		 3317 else
3318 {
3319 fprintf(stderr, "exim: invalid address%s",
cfbb0d24
JH		 3320 bad_addresses->next ? "es:\n" : ":");
3321 for ( ; bad_addresses; bad_addresses = bad_addresses->next)
059ec3d9
PH		 3322 fprintf(stderr, " %s: %s\n", bad_addresses->text1,
3323 bad_addresses->text2);
059ec3d9
PH		 3324 }
3325 }
3326
3327 if (recipients_count == 0 || error_handling == ERRORS_STDERR)
3328 {
3329 Uunlink(spool_name);
1bd642c2 3330 (void)fclose(spool_data_file);
9bfb7e1b 3331 exim_exit(error_rc, US"receiving");
059ec3d9
PH		 3332 }
3333 }
3334
3335/* Data file successfully written. Generate text for the Received: header by
3336expanding the configured string, and adding a timestamp. By leaving this
3337operation till now, we ensure that the timestamp is the time that message
3338reception was completed. However, this is deliberately done before calling the
3339data ACL and local_scan().
3340
3341This Received: header may therefore be inspected by the data ACL and by code in
3342the local_scan() function. When they have run, we update the timestamp to be
3343the final time of reception.
3344
3345If there is just one recipient, set up its value in the $received_for variable
3346for use when we generate the Received: header.
3347
3348Note: the checking for too many Received: headers is handled by the delivery
3349code. */
e4bdf652 3350/*XXX eventually add excess Received: check for cutthrough case back when classifying them */
059ec3d9 3351
306c6c77 3352if (!received_header->text) /* Non-cutthrough case */
059ec3d9 3353 {
e4bdf652 3354 received_header_gen();
059ec3d9 3355
e4bdf652 3356 /* Set the value of message_body_size for the DATA ACL and for local_scan() */
059ec3d9 3357
e4bdf652
JH		 3358 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3359 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9 3360
e4bdf652
JH		 3361 /* If an ACL from any RCPT commands set up any warning headers to add, do so
3362 now, before running the DATA ACL. */
059ec3d9 3363
578d43dc 3364 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652 3365 }
817d9f57 3366else
e4bdf652
JH		 3367 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3368 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9
PH		 3369
3370/* If an ACL is specified for checking things at this stage of reception of a
3371message, run it, unless all the recipients were removed by "discard" in earlier
3372ACLs. That is the only case in which recipients_count can be zero at this
3373stage. Set deliver_datafile to point to the data file so that $message_body and
3374$message_body_end can be extracted if needed. Allow $recipients in expansions.
3375*/
3376
3377deliver_datafile = data_fd;
4e88a19f 3378user_msg = NULL;
059ec3d9 3379
8768d548 3380f.enable_dollar_recipients = TRUE;
0e20aff9 3381
059ec3d9 3382if (recipients_count == 0)
8768d548 3383 blackholed_by = f.recipients_discarded ? US"MAIL ACL" : US"RCPT ACL";
7e3ce68e 3384
059ec3d9
PH		 3385else
3386 {
059ec3d9
PH		 3387 /* Handle interactive SMTP messages */
3388
3389 if (smtp_input && !smtp_batched_input)
3390 {
8523533c 3391
80a47a2c 3392#ifndef DISABLE_DKIM
8768d548 3393 if (!f.dkim_disable_verify)
80a47a2c 3394 {
cc55f420 3395 /* Finish verification */
80a47a2c
TK		 3396 dkim_exim_verify_finish();
3397
3398 /* Check if we must run the DKIM ACL */
7e3ce68e 3399 if (acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers)
80a47a2c 3400 {
cc55f420 3401 uschar * dkim_verify_signers_expanded =
80a47a2c 3402 expand_string(dkim_verify_signers);
cc55f420
JH		 3403 gstring * results = NULL;
3404 int signer_sep = 0;
3405 const uschar * ptr;
3406 uschar * item;
3407 gstring * seen_items = NULL;
3408 int old_pool = store_pool;
3409
3410 store_pool = POOL_PERM; /* Allow created variables to live to data ACL */
3411
3412 if (!(ptr = dkim_verify_signers_expanded))
80a47a2c
TK		 3413 log_write(0, LOG_MAIN|LOG_PANIC,
3414 "expansion of dkim_verify_signers option failed: %s",
3415 expand_string_message);
7e3ce68e 3416
cc55f420
JH		 3417 /* Default to OK when no items are present */
3418 rc = OK;
3419 while ((item = string_nextinlist(&ptr, &signer_sep, NULL, 0)))
3420 {
3421 /* Prevent running ACL for an empty item */
3422 if (!item || !*item) continue;
3423
3424 /* Only run ACL once for each domain or identity,
3425 no matter how often it appears in the expanded list. */
3426 if (seen_items)
3427 {
3428 uschar * seen_item;
3429 const uschar * seen_items_list = string_from_gstring(seen_items);
3430 int seen_sep = ':';
3431 BOOL seen_this_item = FALSE;
3432
3433 while ((seen_item = string_nextinlist(&seen_items_list, &seen_sep,
3434 NULL, 0)))
3435 if (Ustrcmp(seen_item,item) == 0)
3436 {
3437 seen_this_item = TRUE;
3438 break;
3439 }
3440
3441 if (seen_this_item)
5032d1cf
JH		 3442 {
3443 DEBUG(D_receive)
cc55f420
JH		 3444 debug_printf("acl_smtp_dkim: skipping signer %s, "
3445 "already seen\n", item);
3446 continue;
5032d1cf 3447 }
cc55f420 3448
b2bcdd35 3449 seen_items = string_catn(seen_items, US":", 1);
cc55f420 3450 }
cc55f420
JH		 3451 seen_items = string_cat(seen_items, item);
3452
18067c75 3453 rc = dkim_exim_acl_run(item, &results, &user_msg, &log_msg);
cc55f420
JH		 3454 if (rc != OK)
3455 {
3456 DEBUG(D_receive)
3457 debug_printf("acl_smtp_dkim: acl_check returned %d on %s, "
3458 "skipping remaining items\n", rc, item);
3459 cancel_cutthrough_connection(TRUE, US"dkim acl not ok");
3460 break;
3461 }
3462 }
3463 dkim_verify_status = string_from_gstring(results);
3464 store_pool = old_pool;
3465 add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
3466 if (rc == DISCARD)
3467 {
3468 recipients_count = 0;
3469 blackholed_by = US"DKIM ACL";
3470 if (log_msg)
3471 blackhole_log_msg = string_sprintf(": %s", log_msg);
3472 }
3473 else if (rc != OK)
3474 {
3475 Uunlink(spool_name);
3476 if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
3477 smtp_yield = FALSE; /* No more messages after dropped connection */
3478 smtp_reply = US""; /* Indicate reply already sent */
3479 message_id[0] = 0; /* Indicate no message accepted */
3480 goto TIDYUP; /* Skip to end of function */
3481 }
80a47a2c 3482 }
a79d8834
JH		 3483 else
3484 dkim_exim_verify_log_all();
80a47a2c 3485 }
4a8ce2d8 3486#endif /* DISABLE_DKIM */
fb2274d4 3487
8523533c 3488#ifdef WITH_CONTENT_SCAN
5b6f7658
JH		 3489 if ( recipients_count > 0
3490 && acl_smtp_mime
3491 && !run_mime_acl(acl_smtp_mime, &smtp_yield, &smtp_reply, &blackholed_by)
3492 )
54cdb463 3493 goto TIDYUP;
8523533c
TK		 3494#endif /* WITH_CONTENT_SCAN */
3495
4840604e
TL		 3496#ifdef EXPERIMENTAL_DMARC
3497 dmarc_up = dmarc_store_data(from_header);
3498#endif /* EXPERIMENTAL_DMARC */
3499
8ccd00b1
JH		 3500#ifndef DISABLE_PRDR
3501 if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr)
fd98a5c6 3502 {
fd98a5c6
JH		 3503 int all_pass = OK;
3504 int all_fail = FAIL;
3505
925ac8e4 3506 smtp_printf("353 PRDR content analysis beginning\r\n", TRUE);
fd98a5c6 3507 /* Loop through recipients, responses must be in same order received */
d7978c0f 3508 for (unsigned int c = 0; recipients_count > c; c++)
fd98a5c6
JH		 3509 {
3510 uschar * addr= recipients_list[c].address;
3511 uschar * msg= US"PRDR R=<%s> %s";
3512 uschar * code;
3513 DEBUG(D_receive)
3514 debug_printf("PRDR processing recipient %s (%d of %d)\n",
3515 addr, c+1, recipients_count);
3516 rc = acl_check(ACL_WHERE_PRDR, addr,
3517 acl_smtp_data_prdr, &user_msg, &log_msg);
3518
3519 /* If any recipient rejected content, indicate it in final message */
3520 all_pass |= rc;
3521 /* If all recipients rejected, indicate in final message */
3522 all_fail &= rc;
3523
3524 switch (rc)
3525 {
3526 case OK: case DISCARD: code = US"250"; break;
3527 case DEFER: code = US"450"; break;
3528 default: code = US"550"; break;
3529 }
3530 if (user_msg != NULL)
3531 smtp_user_msg(code, user_msg);
3532 else
3533 {
3534 switch (rc)
3535 {
3536 case OK: case DISCARD:
3537 msg = string_sprintf(CS msg, addr, "acceptance"); break;
3538 case DEFER:
3539 msg = string_sprintf(CS msg, addr, "temporary refusal"); break;
3540 default:
3541 msg = string_sprintf(CS msg, addr, "refusal"); break;
3542 }
3543 smtp_user_msg(code, msg);
3544 }
3545 if (log_msg) log_write(0, LOG_MAIN, "PRDR %s %s", addr, log_msg);
3546 else if (user_msg) log_write(0, LOG_MAIN, "PRDR %s %s", addr, user_msg);
112b6a93 3547 else log_write(0, LOG_MAIN, "%s", CS msg);
fd98a5c6
JH		 3548
3549 if (rc != OK) { receive_remove_recipient(addr); c--; }
3550 }
3551 /* Set up final message, used if data acl gives OK */
3552 smtp_reply = string_sprintf("%s id=%s message %s",
3553 all_fail == FAIL ? US"550" : US"250",
3554 message_id,
3555 all_fail == FAIL
3556 ? US"rejected for all recipients"
3557 : all_pass == OK
3558 ? US"accepted"
3559 : US"accepted for some recipients");
3560 if (recipients_count == 0)
3561 {
3562 message_id[0] = 0; /* Indicate no message accepted */
3563 goto TIDYUP;
3564 }
3565 }
3566 else
3567 prdr_requested = FALSE;
8ccd00b1 3568#endif /* !DISABLE_PRDR */
fd98a5c6 3569
54cdb463
PH		 3570 /* Check the recipients count again, as the MIME ACL might have changed
3571 them. */
8523533c 3572
059ec3d9
PH		 3573 if (acl_smtp_data != NULL && recipients_count > 0)
3574 {
059ec3d9 3575 rc = acl_check(ACL_WHERE_DATA, NULL, acl_smtp_data, &user_msg, &log_msg);
578d43dc 3576 add_acl_headers(ACL_WHERE_DATA, US"DATA");
059ec3d9
PH		 3577 if (rc == DISCARD)
3578 {
3579 recipients_count = 0;
3580 blackholed_by = US"DATA ACL";
57cc2785 3581 if (log_msg)
8e669ac1 3582 blackhole_log_msg = string_sprintf(": %s", log_msg);
57cc2785 3583 cancel_cutthrough_connection(TRUE, US"data acl discard");
059ec3d9
PH		 3584 }
3585 else if (rc != OK)
3586 {
3587 Uunlink(spool_name);
57cc2785 3588 cancel_cutthrough_connection(TRUE, US"data acl not ok");
8523533c
TK		 3589#ifdef WITH_CONTENT_SCAN
3590 unspool_mbox();
6f0c431a
PP		 3591#endif
3592#ifdef EXPERIMENTAL_DCC
3593 dcc_ok = 0;
8523533c 3594#endif
059ec3d9 3595 if (smtp_handle_acl_fail(ACL_WHERE_DATA, rc, user_msg, log_msg) != 0)
85ffcba6 3596 smtp_yield = FALSE; /* No more messages after dropped connection */
059ec3d9
PH		 3597 smtp_reply = US""; /* Indicate reply already sent */
3598 message_id[0] = 0; /* Indicate no message accepted */
3599 goto TIDYUP; /* Skip to end of function */
3600 }
3601 }
3602 }
3603
3604 /* Handle non-SMTP and batch SMTP (i.e. non-interactive) messages. Note that
3605 we cannot take different actions for permanent and temporary rejections. */
3606
54cdb463 3607 else
059ec3d9 3608 {
54cdb463
PH		 3609
3610#ifdef WITH_CONTENT_SCAN
5b6f7658
JH		 3611 if ( acl_not_smtp_mime
3612 && !run_mime_acl(acl_not_smtp_mime, &smtp_yield, &smtp_reply,
3613 &blackholed_by)
3614 )
54cdb463
PH		 3615 goto TIDYUP;
3616#endif /* WITH_CONTENT_SCAN */
3617
40394cc1 3618 if (acl_not_smtp)
059ec3d9 3619 {
54cdb463 3620 uschar *user_msg, *log_msg;
8768d548 3621 f.authentication_local = TRUE;
54cdb463
PH		 3622 rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg);
3623 if (rc == DISCARD)
059ec3d9 3624 {
54cdb463
PH		 3625 recipients_count = 0;
3626 blackholed_by = US"non-SMTP ACL";
40394cc1 3627 if (log_msg)
54cdb463 3628 blackhole_log_msg = string_sprintf(": %s", log_msg);
059ec3d9 3629 }
54cdb463 3630 else if (rc != OK)
059ec3d9 3631 {
54cdb463
PH		 3632 Uunlink(spool_name);
3633#ifdef WITH_CONTENT_SCAN
3634 unspool_mbox();
6f0c431a
PP		 3635#endif
3636#ifdef EXPERIMENTAL_DCC
3637 dcc_ok = 0;
54cdb463 3638#endif
6ea85e9a
PH		 3639 /* The ACL can specify where rejections are to be logged, possibly
3640 nowhere. The default is main and reject logs. */
3641
40394cc1 3642 if (log_reject_target)
6ea85e9a
PH		 3643 log_write(0, log_reject_target, "F=<%s> rejected by non-SMTP ACL: %s",
3644 sender_address, log_msg);
3645
40394cc1 3646 if (!user_msg) user_msg = US"local configuration problem";
54cdb463 3647 if (smtp_batched_input)
54cdb463
PH		 3648 moan_smtp_batch(NULL, "%d %s", 550, user_msg);
3649 /* Does not return */
54cdb463
PH		 3650 else
3651 {
1bd642c2 3652 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
54cdb463 3653 give_local_error(ERRMESS_LOCAL_ACL, user_msg,
1bd642c2 3654 US"message rejected by non-SMTP ACL: ", error_rc, spool_data_file,
54cdb463
PH		 3655 header_list);
3656 /* Does not return */
3657 }
059ec3d9 3658 }
578d43dc 3659 add_acl_headers(ACL_WHERE_NOTSMTP, US"non-SMTP");
059ec3d9 3660 }
059ec3d9
PH		 3661 }
3662
54cdb463
PH		 3663 /* The applicable ACLs have been run */
3664
8768d548
JH		 3665 if (f.deliver_freeze) frozen_by = US"ACL"; /* for later logging */
3666 if (f.queue_only_policy) queued_by = US"ACL";
059ec3d9
PH		 3667 }
3668
8523533c
TK		 3669#ifdef WITH_CONTENT_SCAN
3670unspool_mbox();
3671#endif
3672
6a8f9482
TK		 3673#ifdef EXPERIMENTAL_DCC
3674dcc_ok = 0;
3675#endif
3676
3677
9723f966 3678#ifdef HAVE_LOCAL_SCAN
059ec3d9
PH		 3679/* The final check on the message is to run the scan_local() function. The
3680version supplied with Exim always accepts, but this is a hook for sysadmins to
3681supply their own checking code. The local_scan() function is run even when all
3682the recipients have been discarded. */
3683
3684lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3685
3686/* Arrange to catch crashes in local_scan(), so that the -D file gets
3687deleted, and the incident gets logged. */
3688
9723f966
JH		 3689if (sigsetjmp(local_scan_env, 1) == 0)
3690 {
3691 had_local_scan_crash = 0;
3692 os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
3693 os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
3694 os_non_restarting_signal(SIGILL, local_scan_crash_handler);
3695 os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
3696
3697 DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
3698 local_scan_timeout);
3699 local_scan_data = NULL;
3700
3701 had_local_scan_timeout = 0;
3702 os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
c2a1bba0 3703 if (local_scan_timeout > 0) ALARM(local_scan_timeout);
9723f966 3704 rc = local_scan(data_fd, &local_scan_data);
c2a1bba0 3705 ALARM_CLR(0);
9723f966
JH		 3706 os_non_restarting_signal(SIGALRM, sigalrm_handler);
3707
8768d548 3708 f.enable_dollar_recipients = FALSE;
9723f966
JH		 3709
3710 store_pool = POOL_MAIN; /* In case changed */
3711 DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
3712 local_scan_data);
3713
3714 os_non_restarting_signal(SIGSEGV, SIG_DFL);
3715 os_non_restarting_signal(SIGFPE, SIG_DFL);
3716 os_non_restarting_signal(SIGILL, SIG_DFL);
3717 os_non_restarting_signal(SIGBUS, SIG_DFL);
3718 }
3719else
3720 {
3721 if (had_local_scan_crash)
3722 {
3723 log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
3724 "signal %d - message temporarily rejected (size %d)",
3725 had_local_scan_crash, message_size);
9723f966 3726 receive_bomb_out(US"local-scan-error", US"local verification problem");
cfbb0d24 3727 /* Does not return */
9723f966
JH		 3728 }
3729 if (had_local_scan_timeout)
3730 {
3731 log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
3732 "message temporarily rejected (size %d)", message_size);
9723f966 3733 receive_bomb_out(US"local-scan-timeout", US"local verification problem");
cfbb0d24 3734 /* Does not return */
9723f966
JH		 3735 }
3736 }
059ec3d9
PH		 3737
3738/* The length check is paranoia against some runaway code, and also because
3739(for a success return) lines in the spool file are read into big_buffer. */
3740
9723f966 3741if (local_scan_data)
059ec3d9
PH		 3742 {
3743 int len = Ustrlen(local_scan_data);
3744 if (len > LOCAL_SCAN_MAX_RETURN) len = LOCAL_SCAN_MAX_RETURN;
3745 local_scan_data = string_copyn(local_scan_data, len);
3746 }
3747
3748if (rc == LOCAL_SCAN_ACCEPT_FREEZE)
3749 {
8768d548 3750 if (!f.deliver_freeze) /* ACL might have already frozen */
059ec3d9 3751 {
8768d548 3752 f.deliver_freeze = TRUE;
059ec3d9
PH		 3753 deliver_frozen_at = time(NULL);
3754 frozen_by = US"local_scan()";
3755 }
3756 rc = LOCAL_SCAN_ACCEPT;
3757 }
3758else if (rc == LOCAL_SCAN_ACCEPT_QUEUE)
3759 {
8768d548 3760 if (!f.queue_only_policy) /* ACL might have already queued */
059ec3d9 3761 {
8768d548 3762 f.queue_only_policy = TRUE;
059ec3d9
PH		 3763 queued_by = US"local_scan()";
3764 }
3765 rc = LOCAL_SCAN_ACCEPT;
3766 }
3767
3768/* Message accepted: remove newlines in local_scan_data because otherwise
3769the spool file gets corrupted. Ensure that all recipients are qualified. */
3770
3771if (rc == LOCAL_SCAN_ACCEPT)
3772 {
9723f966 3773 if (local_scan_data)
d7978c0f
JH		 3774 for (uschar * s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' ';
3775 for (int i = 0; i < recipients_count; i++)
059ec3d9
PH		 3776 {
3777 recipient_item *r = recipients_list + i;
3778 r->address = rewrite_address_qualify(r->address, TRUE);
d7978c0f 3779 if (r->errors_to)
059ec3d9
PH		 3780 r->errors_to = rewrite_address_qualify(r->errors_to, TRUE);
3781 }
d7978c0f 3782 if (recipients_count == 0 && !blackholed_by)
059ec3d9
PH		 3783 blackholed_by = US"local_scan";
3784 }
3785
3786/* Message rejected: newlines permitted in local_scan_data to generate
3787multiline SMTP responses. */
3788
3789else
3790 {
3791 uschar *istemp = US"";
a5bd321b 3792 uschar *smtp_code;
acec9514 3793 gstring * g;
059ec3d9
PH		 3794
3795 errmsg = local_scan_data;
3796
3797 Uunlink(spool_name); /* Cancel this message */
3798 switch(rc)
3799 {
3800 default:
b2bcdd35
JH		 3801 log_write(0, LOG_MAIN, "invalid return %d from local_scan(). Temporary "
3802 "rejection given", rc);
3803 goto TEMPREJECT;
059ec3d9
PH		 3804
3805 case LOCAL_SCAN_REJECT_NOLOGHDR:
b2bcdd35
JH		 3806 BIT_CLEAR(log_selector, log_selector_size, Li_rejected_header);
3807 /* Fall through */
059ec3d9
PH		 3808
3809 case LOCAL_SCAN_REJECT:
b2bcdd35
JH		 3810 smtp_code = US"550";
3811 if (!errmsg) errmsg = US"Administrative prohibition";
3812 break;
059ec3d9
PH		 3813
3814 case LOCAL_SCAN_TEMPREJECT_NOLOGHDR:
b2bcdd35
JH		 3815 BIT_CLEAR(log_selector, log_selector_size, Li_rejected_header);
3816 /* Fall through */
059ec3d9
PH		 3817
3818 case LOCAL_SCAN_TEMPREJECT:
3819 TEMPREJECT:
b2bcdd35
JH		 3820 smtp_code = US"451";
3821 if (!errmsg) errmsg = US"Temporary local problem";
3822 istemp = US"temporarily ";
3823 break;
059ec3d9
PH		 3824 }
3825
298f557c 3826 g = string_append(NULL, 2, US"F=",
acec9514
JH		 3827 sender_address[0] == 0 ? US"<>" : sender_address);
3828 g = add_host_info_for_log(g);
059ec3d9
PH		 3829
3830 log_write(0, LOG_MAIN|LOG_REJECT, "%s %srejected by local_scan(): %.256s",
acec9514 3831 string_from_gstring(g), istemp, string_printing(errmsg));
059ec3d9
PH		 3832
3833 if (smtp_input)
3834 {
3835 if (!smtp_batched_input)
3836 {
a5bd321b 3837 smtp_respond(smtp_code, 3, TRUE, errmsg);
059ec3d9
PH		 3838 message_id[0] = 0; /* Indicate no message accepted */
3839 smtp_reply = US""; /* Indicate reply already sent */
3840 goto TIDYUP; /* Skip to end of function */
3841 }
3842 else
a5bd321b 3843 moan_smtp_batch(NULL, "%s %s", smtp_code, errmsg);
059ec3d9 3844 /* Does not return */
059ec3d9
PH		 3845 }
3846 else
3847 {
1bd642c2 3848 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
059ec3d9 3849 give_local_error(ERRMESS_LOCAL_SCAN, errmsg,
1bd642c2 3850 US"message rejected by local scan code: ", error_rc, spool_data_file,
059ec3d9
PH		 3851 header_list);
3852 /* Does not return */
3853 }
3854 }
3855
3856/* Reset signal handlers to ignore signals that previously would have caused
3857the message to be abandoned. */
3858
3859signal(SIGTERM, SIG_IGN);
3860signal(SIGINT, SIG_IGN);
9723f966 3861#endif /* HAVE_LOCAL_SCAN */
059ec3d9 3862
e4bdf652 3863
059ec3d9
PH		 3864/* Ensure the first time flag is set in the newly-received message. */
3865
8768d548 3866f.deliver_firsttime = TRUE;
059ec3d9 3867
8523533c 3868#ifdef EXPERIMENTAL_BRIGHTMAIL
a2da3176
JH		 3869if (bmi_run == 1)
3870 { /* rewind data file */
8523533c
TK		 3871 lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3872 bmi_verdicts = bmi_process_message(header_list, data_fd);
a2da3176 3873 }
8523533c
TK		 3874#endif
3875
4c04137d 3876/* Update the timestamp in our Received: header to account for any time taken by
059ec3d9
PH		 3877an ACL or by local_scan(). The new time is the time that all reception
3878processing is complete. */
3879
3880timestamp = expand_string(US"${tod_full}");
3881tslen = Ustrlen(timestamp);
3882
3883memcpy(received_header->text + received_header->slen - tslen - 1,
3884 timestamp, tslen);
3885
3886/* In MUA wrapper mode, ignore queueing actions set by ACL or local_scan() */
3887
3888if (mua_wrapper)
3889 {
8768d548
JH		 3890 f.deliver_freeze = FALSE;
3891 f.queue_only_policy = FALSE;
059ec3d9
PH		 3892 }
3893
3894/* Keep the data file open until we have written the header file, in order to
3895hold onto the lock. In a -bh run, or if the message is to be blackholed, we
3896don't write the header file, and we unlink the data file. If writing the header
3897file fails, we have failed to accept this message. */
3898
cfbb0d24 3899if (host_checking || blackholed_by)
059ec3d9 3900 {
059ec3d9
PH		 3901 Uunlink(spool_name);
3902 msg_size = 0; /* Compute size for log line */
d7978c0f 3903 for (header_line * h = header_list; h; h = h->next)
059ec3d9
PH		 3904 if (h->type != '*') msg_size += h->slen;
3905 }
3906
3907/* Write the -H file */
3908
3909else
059ec3d9
PH		 3910 if ((msg_size = spool_write_header(message_id, SW_RECEIVING, &errmsg)) < 0)
3911 {
3912 log_write(0, LOG_MAIN, "Message abandoned: %s", errmsg);
3913 Uunlink(spool_name); /* Lose the data file */
3914
3915 if (smtp_input)
3916 {
3917 smtp_reply = US"451 Error in writing spool file";
3918 message_id[0] = 0; /* Indicate no message accepted */
3919 goto TIDYUP;
3920 }
3921 else
3922 {
1bd642c2
JH		 3923 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3924 give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file,
059ec3d9
PH		 3925 header_list);
3926 /* Does not return */
3927 }
3928 }
059ec3d9
PH		 3929
3930
3931/* The message has now been successfully received. */
3932
3933receive_messagecount++;
3934
059ec3d9
PH		 3935/* Add data size to written header size. We do not count the initial file name
3936that is in the file, but we do add one extra for the notional blank line that
3937precedes the data. This total differs from message_size in that it include the
3938added Received: header and any other headers that got created locally. */
3939
1bd642c2 3940if (fflush(spool_data_file))
cfbb0d24
JH		 3941 {
3942 errmsg = string_sprintf("Spool write error: %s", strerror(errno));
3943 log_write(0, LOG_MAIN, "%s\n", errmsg);
3944 Uunlink(spool_name); /* Lose the data file */
3945
3946 if (smtp_input)
3947 {
3948 smtp_reply = US"451 Error in writing spool file";
3949 message_id[0] = 0; /* Indicate no message accepted */
3950 goto TIDYUP;
3951 }
3952 else
3953 {
1bd642c2
JH		 3954 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3955 give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, spool_data_file,
cfbb0d24
JH		 3956 header_list);
3957 /* Does not return */
3958 }
3959 }
059ec3d9
PH		 3960fstat(data_fd, &statbuf);
3961
3962msg_size += statbuf.st_size - SPOOL_DATA_START_OFFSET + 1;
3963
3964/* Generate a "message received" log entry. We do this by building up a dynamic
cfbb0d24 3965string as required. We log the arrival of a new message while the
059ec3d9
PH		 3966file is still locked, just in case the machine is *really* fast, and delivers
3967it first! Include any message id that is in the message - since the syntax of a
4c04137d 3968message id is actually an addr-spec, we can use the parse routine to canonicalize
059ec3d9
PH		 3969it. */
3970
acec9514 3971g = string_get(256);
059ec3d9 3972
acec9514 3973g = string_append(g, 2,
27b9e5f4
JH		 3974 fake_response == FAIL ? US"(= " : US"<= ",
3975 sender_address[0] == 0 ? US"<>" : sender_address);
3976if (message_reference)
acec9514 3977 g = string_append(g, 2, US" R=", message_reference);
059ec3d9 3978
acec9514 3979g = add_host_info_for_log(g);
059ec3d9 3980
01603eec 3981#ifndef DISABLE_TLS
6c6d6e48 3982if (LOGGING(tls_cipher) && tls_in.cipher)
b10c87b3 3983 {
acec9514 3984 g = string_append(g, 2, US" X=", tls_in.cipher);
b10c87b3
JH		 3985# ifdef EXPERIMENTAL_TLS_RESUME
3986 if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED)
3987 g = string_catn(g, US"*", 1);
3988# endif
3989 }
6c6d6e48 3990if (LOGGING(tls_certificate_verified) && tls_in.cipher)
acec9514 3991 g = string_append(g, 2, US" CV=", tls_in.certificate_verified ? "yes":"no");
6c6d6e48 3992if (LOGGING(tls_peerdn) && tls_in.peerdn)
acec9514 3993 g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
6c6d6e48 3994if (LOGGING(tls_sni) && tls_in.sni)
acec9514 3995 g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
3f0945ff 3996#endif
059ec3d9 3997
8ccd00b1 3998if (sender_host_authenticated)
059ec3d9 3999 {
acec9514 4000 g = string_append(g, 2, US" A=", sender_host_authenticated);
27b9e5f4 4001 if (authenticated_id)
c8e2fc1e 4002 {
acec9514 4003 g = string_append(g, 2, US":", authenticated_id);
27b9e5f4 4004 if (LOGGING(smtp_mailauth) && authenticated_sender)
acec9514 4005 g = string_append(g, 2, US":", authenticated_sender);
c8e2fc1e 4006 }
059ec3d9
PH		 4007 }
4008
8ccd00b1 4009#ifndef DISABLE_PRDR
fd98a5c6 4010if (prdr_requested)
acec9514 4011 g = string_catn(g, US" PRDR", 5);
fd98a5c6 4012#endif
8ccd00b1 4013
cee5f132 4014#ifdef SUPPORT_PROXY
6c6d6e48 4015if (proxy_session && LOGGING(proxy))
acec9514 4016 g = string_append(g, 2, US" PRX=", proxy_local_address);
a3c86431 4017#endif
fd98a5c6 4018
7e3ce68e 4019if (chunking_state > CHUNKING_OFFERED)
acec9514 4020 g = string_catn(g, US" K", 2);
7e3ce68e 4021
059ec3d9 4022sprintf(CS big_buffer, "%d", msg_size);
acec9514 4023g = string_append(g, 2, US" S=", big_buffer);
059ec3d9 4024
3c0a92dc
JH		 4025/* log 8BITMIME mode announced in MAIL_FROM
4026 0 ... no BODY= used
4027 7 ... 7BIT
4028 8 ... 8BITMIME */
6c6d6e48 4029if (LOGGING(8bitmime))
c8e2fc1e 4030 {
3c0a92dc 4031 sprintf(CS big_buffer, "%d", body_8bitmime);
acec9514 4032 g = string_append(g, 2, US" M8S=", big_buffer);
c8e2fc1e 4033 }
3c0a92dc 4034
2c47372f
JH		 4035#ifndef DISABLE_DKIM
4036if (LOGGING(dkim) && dkim_verify_overall)
4037 g = string_append(g, 2, US" DKIM=", dkim_verify_overall);
617d3932
JH		 4038# ifdef EXPERIMENTAL_ARC
4039if (LOGGING(dkim) && arc_state && Ustrcmp(arc_state, "pass") == 0)
4040 g = string_catn(g, US" ARC", 4);
4041# endif
2c47372f
JH		 4042#endif
4043
306c6c77
JH		 4044if (LOGGING(receive_time))
4045 g = string_append(g, 2, US" RT=", string_timediff(&received_time_taken));
4046
afa6d3ad 4047if (*queue_name)
acec9514 4048 g = string_append(g, 2, US" Q=", queue_name);
afa6d3ad 4049
059ec3d9
PH		 4050/* If an addr-spec in a message-id contains a quoted string, it can contain
4051any characters except " \ and CR and so in particular it can contain NL!
4052Therefore, make sure we use a printing-characters only version for the log.
4053Also, allow for domain literals in the message id. */
4054
049782c0
JH		 4055if ( LOGGING(msg_id) && msgid_header
4056 && (LOGGING(msg_id_created) || !msgid_header_newly_created)
4057 )
059ec3d9 4058 {
049782c0 4059 uschar * old_id;
059ec3d9
PH		 4060 BOOL save_allow_domain_literals = allow_domain_literals;
4061 allow_domain_literals = TRUE;
4062 old_id = parse_extract_address(Ustrchr(msgid_header->text, ':') + 1,
4063 &errmsg, &start, &end, &domain, FALSE);
4064 allow_domain_literals = save_allow_domain_literals;
049782c0
JH		 4065 if (old_id)
4066 g = string_append(g, 2,
4067 msgid_header_newly_created ? US" id*=" : US" id=",
4068 string_printing(old_id));
059ec3d9
PH		 4069 }
4070
4071/* If subject logging is turned on, create suitable printing-character
4072text. By expanding $h_subject: we make use of the MIME decoding. */
4073
306c6c77 4074if (LOGGING(subject) && subject_header)
059ec3d9 4075 {
059ec3d9
PH		 4076 uschar *p = big_buffer;
4077 uschar *ss = expand_string(US"$h_subject:");
4078
4079 /* Backslash-quote any double quotes or backslashes so as to make a
4080 a C-like string, and turn any non-printers into escape sequences. */
4081
4082 *p++ = '\"';
d7978c0f 4083 if (*ss != 0) for (int i = 0; i < 100 && ss[i] != 0; i++)
059ec3d9
PH		 4084 {
4085 if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\';
4086 *p++ = ss[i];
4087 }
4088 *p++ = '\"';
4089 *p = 0;
acec9514 4090 g = string_append(g, 2, US" T=", string_printing(big_buffer));
059ec3d9
PH		 4091 }
4092
4093/* Terminate the string: string_cat() and string_append() leave room, but do
4094not put the zero in. */
4095
acec9514 4096(void) string_from_gstring(g);
059ec3d9 4097
059ec3d9
PH		 4098/* Create a message log file if message logs are being used and this message is
4099not blackholed. Write the reception stuff to it. We used to leave message log
e4bdf652 4100creation until the first delivery, but this has proved confusing for some
059ec3d9
PH		 4101people. */
4102
acec9514 4103if (message_logs && !blackholed_by)
059ec3d9
PH		 4104 {
4105 int fd;
cfbb0d24 4106 uschar * m_name = spool_fname(US"msglog", message_subdir, message_id, US"");
b66fecb4 4107
cfbb0d24 4108 if ( (fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE)) < 0
a2da3176
JH		 4109 && errno == ENOENT
4110 )
059ec3d9 4111 {
41313d92
JH		 4112 (void)directory_make(spool_directory,
4113 spool_sname(US"msglog", message_subdir),
4114 MSGLOG_DIRECTORY_MODE, TRUE);
cfbb0d24 4115 fd = Uopen(m_name, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE);
059ec3d9
PH		 4116 }
4117
4118 if (fd < 0)
059ec3d9 4119 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open message log %s: %s",
cfbb0d24 4120 m_name, strerror(errno));
059ec3d9
PH		 4121 else
4122 {
4123 FILE *message_log = fdopen(fd, "a");
cfbb0d24 4124 if (!message_log)
059ec3d9
PH		 4125 {
4126 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
cfbb0d24 4127 m_name, strerror(errno));
f1e894f3 4128 (void)close(fd);
059ec3d9
PH		 4129 }
4130 else
4131 {
4132 uschar *now = tod_stamp(tod_log);
acec9514 4133 fprintf(message_log, "%s Received from %s\n", now, g->s+3);
8768d548 4134 if (f.deliver_freeze) fprintf(message_log, "%s frozen by %s\n", now,
059ec3d9 4135 frozen_by);
8768d548 4136 if (f.queue_only_policy) fprintf(message_log,
e8012beb
JH		 4137 "%s no immediate delivery: queued%s%s by %s\n", now,
4138 *queue_name ? " in " : "", *queue_name ? CS queue_name : "",
4139 queued_by);
f1e894f3 4140 (void)fclose(message_log);
059ec3d9
PH		 4141 }
4142 }
4143 }
4144
58eb016e
PH		 4145/* Everything has now been done for a successful message except logging its
4146arrival, and outputting an SMTP response. While writing to the log, set a flag
4147to cause a call to receive_bomb_out() if the log cannot be opened. */
4148
8768d548 4149f.receive_call_bombout = TRUE;
58eb016e 4150
563b63fa
PH		 4151/* Before sending an SMTP response in a TCP/IP session, we check to see if the
4152connection has gone away. This can only be done if there is no unconsumed input
4153waiting in the local input buffer. We can test for this by calling
4154receive_smtp_buffered(). RFC 2920 (pipelining) explicitly allows for additional
4155input to be sent following the final dot, so the presence of following input is
4156not an error.
58eb016e 4157
563b63fa
PH		 4158If the connection is still present, but there is no unread input for the
4159socket, the result of a select() call will be zero. If, however, the connection
4160has gone away, or if there is pending input, the result of select() will be
4161non-zero. The two cases can be distinguished by trying to read the next input
4162character. If we succeed, we can unread it so that it remains in the local
4163buffer for handling later. If not, the connection has been lost.
58eb016e 4164
563b63fa
PH		 4165Of course, since TCP/IP is asynchronous, there is always a chance that the
4166connection will vanish between the time of this test and the sending of the
4167response, but the chance of this happening should be small. */
4168
8768d548 4169if (smtp_input && sender_host_address && !f.sender_host_notsocket &&
563b63fa 4170 !receive_smtp_buffered())
58eb016e
PH		 4171 {
4172 struct timeval tv;
4173 fd_set select_check;
4174 FD_ZERO(&select_check);
4175 FD_SET(fileno(smtp_in), &select_check);
4176 tv.tv_sec = 0;
4177 tv.tv_usec = 0;
4178
563b63fa 4179 if (select(fileno(smtp_in) + 1, &select_check, NULL, NULL, &tv) != 0)
58eb016e 4180 {
bd8fbe36 4181 int c = (receive_getc)(GETC_BUFFER_UNLIMITED);
80a47a2c 4182 if (c != EOF) (receive_ungetc)(c); else
58eb016e 4183 {
eea0defe 4184 smtp_notquit_exit(US"connection-lost", NULL, NULL);
563b63fa
PH		 4185 smtp_reply = US""; /* No attempt to send a response */
4186 smtp_yield = FALSE; /* Nothing more on this connection */
58eb016e 4187
563b63fa 4188 /* Re-use the log line workspace */
58eb016e 4189
acec9514
JH		 4190 g->ptr = 0;
4191 g = string_cat(g, US"SMTP connection lost after final dot");
4192 g = add_host_info_for_log(g);
4193 log_write(0, LOG_MAIN, "%s", string_from_gstring(g));
58eb016e 4194
563b63fa 4195 /* Delete the files for this aborted message. */
58eb016e 4196
cfbb0d24 4197 Uunlink(spool_name);
41313d92
JH		 4198 Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
4199 Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
58eb016e 4200
563b63fa
PH		 4201 goto TIDYUP;
4202 }
58eb016e
PH		 4203 }
4204 }
4205
4206/* The connection has not gone away; we really are going to take responsibility
4207for this message. */
4208
817d9f57 4209/* Cutthrough - had sender last-dot; assume we've sent (or bufferred) all
e4bdf652
JH		 4210 data onward by now.
4211
817d9f57 4212 Send dot onward. If accepted, wipe the spooled files, log as delivered and accept
e4bdf652 4213 the sender's dot (below).
4c04137d 4214 If rejected: copy response to sender, wipe the spooled files, log appropriately.
ff5929e3
JH		 4215 If temp-reject: normally accept to sender, keep the spooled file - unless defer=pass
4216 in which case pass temp-reject back to initiator and dump the files.
e4bdf652
JH		 4217
4218 Having the normal spool files lets us do data-filtering, and store/forward on temp-reject.
817d9f57
JH		 4219
4220 XXX We do not handle queue-only, freezing, or blackholes.
e4bdf652 4221*/
74f1a423 4222if(cutthrough.cctx.sock >= 0 && cutthrough.delivery)
e4bdf652 4223 {
57cc2785 4224 uschar * msg = cutthrough_finaldot(); /* Ask the target system to accept the message */
817d9f57 4225 /* Logging was done in finaldot() */
e4bdf652 4226 switch(msg[0])
817d9f57
JH		 4227 {
4228 case '2': /* Accept. Do the same to the source; dump any spoolfiles. */
b784ce7f 4229 cutthrough_done = ACCEPTED;
817d9f57 4230 break; /* message_id needed for SMTP accept below */
61147df4 4231
ff5929e3
JH		 4232 case '4': /* Temp-reject. Keep spoolfiles and accept, unless defer-pass mode.
4233 ... for which, pass back the exact error */
4234 if (cutthrough.defer_pass) smtp_reply = string_copy_malloc(msg);
c85476e9
JH		 4235 cutthrough_done = TMP_REJ; /* Avoid the usual immediate delivery attempt */
4236 break; /* message_id needed for SMTP accept below */
ff5929e3 4237
817d9f57 4238 default: /* Unknown response, or error. Treat as temp-reject. */
c85476e9 4239 if (cutthrough.defer_pass) smtp_reply = US"450 Onward transmission not accepted";
b784ce7f 4240 cutthrough_done = TMP_REJ; /* Avoid the usual immediate delivery attempt */
817d9f57 4241 break; /* message_id needed for SMTP accept below */
61147df4 4242
817d9f57 4243 case '5': /* Perm-reject. Do the same to the source. Dump any spoolfiles */
ff5929e3 4244 smtp_reply = string_copy_malloc(msg); /* Pass on the exact error */
b784ce7f 4245 cutthrough_done = PERM_REJ;
817d9f57
JH		 4246 break;
4247 }
e4bdf652 4248 }
58eb016e 4249
8ccd00b1
JH		 4250#ifndef DISABLE_PRDR
4251if(!smtp_reply || prdr_requested)
4252#else
4253if(!smtp_reply)
fd98a5c6 4254#endif
e4bdf652
JH		 4255 {
4256 log_write(0, LOG_MAIN |
cfbb0d24
JH		 4257 (LOGGING(received_recipients) ? LOG_RECIPIENTS : 0) |
4258 (LOGGING(received_sender) ? LOG_SENDER : 0),
acec9514 4259 "%s", g->s);
e4bdf652
JH		 4260
4261 /* Log any control actions taken by an ACL or local_scan(). */
58eb016e 4262
8768d548
JH		 4263 if (f.deliver_freeze) log_write(0, LOG_MAIN, "frozen by %s", frozen_by);
4264 if (f.queue_only_policy) log_write(L_delay_delivery, LOG_MAIN,
e8012beb 4265 "no immediate delivery: queued%s%s by %s",
b66fecb4 4266 *queue_name ? " in " : "", *queue_name ? CS queue_name : "",
e8012beb 4267 queued_by);
e4bdf652 4268 }
8768d548 4269f.receive_call_bombout = FALSE;
58eb016e 4270
acec9514 4271store_reset(g); /* The store for the main log message can be reused */
059ec3d9
PH		 4272
4273/* If the message is frozen, and freeze_tell is set, do the telling. */
4274
8768d548 4275if (f.deliver_freeze && freeze_tell && freeze_tell[0])
059ec3d9
PH		 4276 moan_tell_someone(freeze_tell, NULL, US"Message frozen on arrival",
4277 "Message %s was frozen on arrival by %s.\nThe sender is <%s>.\n",
4278 message_id, frozen_by, sender_address);
059ec3d9
PH		 4279
4280
4281/* Either a message has been successfully received and written to the two spool
4282files, or an error in writing the spool has occurred for an SMTP message, or
cfbb0d24
JH		 4283an SMTP message has been rejected for policy reasons, or a message was passed on
4284by cutthrough delivery. (For a non-SMTP message we will have already given up
4285because there's no point in carrying on!) For non-cutthrough we must now close
4286(and thereby unlock) the data file. In the successful case, this leaves the
4287message on the spool, ready for delivery. In the error case, the spool file will
4288be deleted. Then tidy up store, interact with an SMTP call if necessary, and
4289return.
4290
4291For cutthrough we hold the data file locked until we have deleted it, otherwise
4292a queue-runner could grab it in the window.
059ec3d9
PH		 4293
4294A fflush() was done earlier in the expectation that any write errors on the
4295data file will be flushed(!) out thereby. Nevertheless, it is theoretically
4296possible for fclose() to fail - but what to do? What has happened to the lock
cfbb0d24
JH		 4297if this happens? We can at least log it; if it is observed on some platform
4298then we can think about properly declaring the message not-received. */
059ec3d9 4299
e4bdf652 4300
059ec3d9 4301TIDYUP:
099afc4f
JH		 4302/* In SMTP sessions we may receive several messages in one connection. After
4303each one, we wait for the clock to tick at the level of message-id granularity.
4304This is so that the combination of time+pid is unique, even on systems where the
4305pid can be re-used within our time interval. We can't shorten the interval
4306without re-designing the message-id. See comments above where the message id is
4307created. This is Something For The Future.
4308Do this wait any time we have created a message-id, even if we rejected the
4309message. This gives unique IDs for logging done by ACLs. */
4310
4311if (id_resolution != 0)
4312 {
4313 message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution;
4314 exim_wait_tick(&message_id_tv, id_resolution);
4315 id_resolution = 0;
4316 }
4317
4318
cfbb0d24 4319process_info[process_info_len] = 0; /* Remove message id */
1bd642c2
JH		 4320if (spool_data_file && cutthrough_done == NOT_TRIED)
4321 {
4322 if (fclose(spool_data_file)) /* Frees the lock */
cfbb0d24
JH		 4323 log_write(0, LOG_MAIN|LOG_PANIC,
4324 "spoolfile error on close: %s", strerror(errno));
1bd642c2
JH		 4325 spool_data_file = NULL;
4326 }
059ec3d9
PH		 4327
4328/* Now reset signal handlers to their defaults */
4329
4330signal(SIGTERM, SIG_DFL);
4331signal(SIGINT, SIG_DFL);
4332
4333/* Tell an SMTP caller the state of play, and arrange to return the SMTP return
4334value, which defaults TRUE - meaning there may be more incoming messages from
4335this connection. For non-SMTP callers (where there is only ever one message),
4336the default is FALSE. */
4337
4338if (smtp_input)
4339 {
4340 yield = smtp_yield;
4341
4342 /* Handle interactive SMTP callers. After several kinds of error, smtp_reply
58eb016e
PH		 4343 is set to the response that should be sent. When it is NULL, we generate
4344 default responses. After an ACL error or local_scan() error, the response has
4345 already been sent, and smtp_reply is an empty string to indicate this. */
059ec3d9
PH		 4346
4347 if (!smtp_batched_input)
4348 {
27b9e5f4 4349 if (!smtp_reply)
059ec3d9 4350 {
29aba418 4351 if (fake_response != OK)
27b9e5f4
JH		 4352 smtp_respond(fake_response == DEFER ? US"450" : US"550",
4353 3, TRUE, fake_response_text);
4e88a19f
PH		 4354
4355 /* An OK response is required; use "message" text if present. */
4356
27b9e5f4 4357 else if (user_msg)
4e88a19f
PH		 4358 {
4359 uschar *code = US"250";
4360 int len = 3;
4f6ae5c3 4361 smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
4e88a19f
PH		 4362 smtp_respond(code, len, TRUE, user_msg);
4363 }
4364
4365 /* Default OK response */
4366
7e3ce68e
JH		 4367 else if (chunking_state > CHUNKING_OFFERED)
4368 {
925ac8e4 4369 smtp_printf("250- %u byte chunk, total %d\r\n250 OK id=%s\r\n", FALSE,
7e3ce68e
JH		 4370 chunking_datasize, message_size+message_linecount, message_id);
4371 chunking_state = CHUNKING_OFFERED;
4372 }
8e669ac1 4373 else
925ac8e4 4374 smtp_printf("250 OK id=%s\r\n", FALSE, message_id);
7e3ce68e 4375
059ec3d9
PH		 4376 if (host_checking)
4377 fprintf(stdout,
4378 "\n**** SMTP testing: that is not a real message id!\n\n");
4379 }
4e88a19f 4380
58eb016e 4381 /* smtp_reply is set non-empty */
4e88a19f 4382
8523533c 4383 else if (smtp_reply[0] != 0)
cfbb0d24
JH		 4384 if (fake_response != OK && smtp_reply[0] == '2')
4385 smtp_respond(fake_response == DEFER ? US"450" : US"550", 3, TRUE,
a5bd321b 4386 fake_response_text);
8e669ac1 4387 else
925ac8e4 4388 smtp_printf("%.1024s\r\n", FALSE, smtp_reply);
e4bdf652 4389
817d9f57
JH		 4390 switch (cutthrough_done)
4391 {
ff5929e3
JH		 4392 case ACCEPTED:
4393 log_write(0, LOG_MAIN, "Completed");/* Delivery was done */
41313d92 4394 case PERM_REJ:
ff5929e3 4395 /* Delete spool files */
cfbb0d24 4396 Uunlink(spool_name);
ff5929e3
JH		 4397 Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
4398 Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
ff5929e3
JH		 4399 break;
4400
4401 case TMP_REJ:
4402 if (cutthrough.defer_pass)
4403 {
cfbb0d24 4404 Uunlink(spool_name);
ff5929e3
JH		 4405 Uunlink(spool_fname(US"input", message_subdir, message_id, US"-H"));
4406 Uunlink(spool_fname(US"msglog", message_subdir, message_id, US""));
4407 }
ff5929e3
JH		 4408 default:
4409 break;
e4bdf652 4410 }
57cc2785
JH		 4411 if (cutthrough_done != NOT_TRIED)
4412 {
1bd642c2
JH		 4413 if (spool_data_file)
4414 {
4415 (void) fclose(spool_data_file); /* Frees the lock; do not care if error */
4416 spool_data_file = NULL;
4417 }
57cc2785
JH		 4418 message_id[0] = 0; /* Prevent a delivery from starting */
4419 cutthrough.delivery = cutthrough.callout_hold_only = FALSE;
4420 cutthrough.defer_pass = FALSE;
4421 }
059ec3d9
PH		 4422 }
4423
4424 /* For batched SMTP, generate an error message on failure, and do
4425 nothing on success. The function moan_smtp_batch() does not return -
4426 it exits from the program with a non-zero return code. */
4427
27b9e5f4
JH		 4428 else if (smtp_reply)
4429 moan_smtp_batch(NULL, "%s", smtp_reply);
059ec3d9
PH		 4430 }
4431
4432
4433/* If blackholing, we can immediately log this message's sad fate. The data
4434file has already been unlinked, and the header file was never written to disk.
4435We must now indicate that nothing was received, to prevent a delivery from
4436starting. */
4437
27b9e5f4 4438if (blackholed_by)
059ec3d9 4439 {
9723f966
JH		 4440 const uschar *detail =
4441#ifdef HAVE_LOCAL_SCAN
4442 local_scan_data ? string_printing(local_scan_data) :
4443#endif
4444 string_sprintf("(%s discarded recipients)", blackholed_by);
04f7d5b9 4445 log_write(0, LOG_MAIN, "=> blackhole %s%s", detail, blackhole_log_msg);
059ec3d9
PH		 4446 log_write(0, LOG_MAIN, "Completed");
4447 message_id[0] = 0;
4448 }
4449
4450/* Reset headers so that logging of rejects for a subsequent message doesn't
4451include them. It is also important to set header_last = NULL before exiting
4452from this function, as this prevents certain rewrites that might happen during
4453subsequent verifying (of another incoming message) from trying to add headers
4454when they shouldn't. */
4455
4456header_list = header_last = NULL;
4457
4458return yield; /* TRUE if more messages (SMTP only) */
4459}
4460
4461/* End of receive.c */
Unnamed repository; edit this file 'description' to name the repository.