recive smtp command
[exim.git] / src / src / receive.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for receiving a message and setting up spool files. */
9
059ec3d9
PH
10#include "exim.h"
11
6a8f9482
TK
12#ifdef EXPERIMENTAL_DCC
13extern int dcc_ok;
14#endif
15
4840604e 16#ifdef EXPERIMENTAL_DMARC
c007c974 17# include "dmarc.h"
4840604e
TL
18#endif /* EXPERIMENTAL_DMARC */
19
059ec3d9
PH
20/*************************************************
21* Local static variables *
22*************************************************/
23
24static FILE *data_file = NULL;
25static int data_fd = -1;
41313d92 26static uschar *spool_name = US"";
059ec3d9
PH
27
28
29
30/*************************************************
31* Non-SMTP character reading functions *
32*************************************************/
33
34/* These are the default functions that are set up in the variables such as
35receive_getc initially. They just call the standard functions, passing stdin as
36the file. (When SMTP input is occurring, different functions are used by
37changing the pointer variables.) */
38
39int
40stdin_getc(void)
41{
42return getc(stdin);
43}
44
45int
46stdin_ungetc(int c)
47{
48return ungetc(c, stdin);
49}
50
51int
52stdin_feof(void)
53{
54return feof(stdin);
55}
56
57int
58stdin_ferror(void)
59{
60return ferror(stdin);
61}
62
63
64
65
66/*************************************************
67* Check that a set sender is allowed *
68*************************************************/
69
70/* This function is called when a local caller sets an explicit sender address.
71It checks whether this is permitted, which it is for trusted callers.
72Otherwise, it must match the pattern(s) in untrusted_set_sender.
73
74Arguments: the proposed sender address
75Returns: TRUE for a trusted caller
76 TRUE if the address has been set, untrusted_set_sender has been
77 set, and the address matches something in the list
78 FALSE otherwise
79*/
80
81BOOL
82receive_check_set_sender(uschar *newsender)
83{
84uschar *qnewsender;
85if (trusted_caller) return TRUE;
86if (newsender == NULL || untrusted_set_sender == NULL) return FALSE;
87qnewsender = (Ustrchr(newsender, '@') != NULL)?
88 newsender : string_sprintf("%s@%s", newsender, qualify_domain_sender);
89return
55414b25 90 match_address_list(qnewsender, TRUE, TRUE, CUSS &untrusted_set_sender, NULL, -1,
059ec3d9
PH
91 0, NULL) == OK;
92}
93
94
95
96
97/*************************************************
5cb8cbc6 98* Read space info for a partition *
059ec3d9
PH
99*************************************************/
100
8e669ac1
PH
101/* This function is called by receive_check_fs() below, and also by string
102expansion for variables such as $spool_space. The field names for the statvfs
5cb8cbc6
PH
103structure are macros, because not all OS have F_FAVAIL and it seems tidier to
104have macros for F_BAVAIL and F_FILES as well. Some kinds of file system do not
105have inodes, and they return -1 for the number available.
059ec3d9 106
5cb8cbc6
PH
107Later: It turns out that some file systems that do not have the concept of
108inodes return 0 rather than -1. Such systems should also return 0 for the total
8e669ac1 109number of inodes, so we require that to be greater than zero before returning
5cb8cbc6 110an inode count.
059ec3d9 111
5cb8cbc6
PH
112Arguments:
113 isspool TRUE for spool partition, FALSE for log partition
114 inodeptr address of int to receive inode count; -1 if there isn't one
8e669ac1 115
5cb8cbc6 116Returns: available on-root space, in kilobytes
8e669ac1
PH
117 -1 for log partition if there isn't one
118
119All values are -1 if the STATFS functions are not available.
059ec3d9
PH
120*/
121
8e669ac1 122int
5cb8cbc6 123receive_statvfs(BOOL isspool, int *inodeptr)
059ec3d9
PH
124{
125#ifdef HAVE_STATFS
059ec3d9 126struct STATVFS statbuf;
5cb8cbc6
PH
127uschar *path;
128uschar *name;
129uschar buffer[1024];
059ec3d9 130
5cb8cbc6 131/* The spool directory must always exist. */
059ec3d9 132
5cb8cbc6 133if (isspool)
059ec3d9 134 {
8e669ac1
PH
135 path = spool_directory;
136 name = US"spool";
137 }
138
059ec3d9
PH
139/* Need to cut down the log file path to the directory, and to ignore any
140appearance of "syslog" in it. */
141
5cb8cbc6 142else
059ec3d9 143 {
059ec3d9 144 int sep = ':'; /* Not variable - outside scripts use */
55414b25 145 const uschar *p = log_file_path;
8e669ac1 146 name = US"log";
059ec3d9
PH
147
148 /* An empty log_file_path means "use the default". This is the same as an
149 empty item in a list. */
150
151 if (*p == 0) p = US":";
55414b25
JH
152 while ((path = string_nextinlist(&p, &sep, buffer, sizeof(buffer))))
153 if (Ustrcmp(path, "syslog") != 0)
154 break;
059ec3d9 155
5cb8cbc6
PH
156 if (path == NULL) /* No log files */
157 {
8e669ac1
PH
158 *inodeptr = -1;
159 return -1;
160 }
059ec3d9 161
8e669ac1
PH
162 /* An empty string means use the default, which is in the spool directory.
163 But don't just use the spool directory, as it is possible that the log
5cb8cbc6 164 subdirectory has been symbolically linked elsewhere. */
059ec3d9 165
8e669ac1 166 if (path[0] == 0)
059ec3d9 167 {
5cb8cbc6
PH
168 sprintf(CS buffer, CS"%s/log", CS spool_directory);
169 path = buffer;
8e669ac1
PH
170 }
171 else
059ec3d9 172 {
8e669ac1 173 uschar *cp;
5cb8cbc6 174 if ((cp = Ustrrchr(path, '/')) != NULL) *cp = 0;
8e669ac1 175 }
5cb8cbc6 176 }
8e669ac1 177
8f128379 178/* We now have the path; do the business */
5cb8cbc6
PH
179
180memset(&statbuf, 0, sizeof(statbuf));
181
182if (STATVFS(CS path, &statbuf) != 0)
183 {
184 log_write(0, LOG_MAIN|LOG_PANIC, "cannot accept message: failed to stat "
185 "%s directory %s: %s", name, spool_directory, strerror(errno));
186 smtp_closedown(US"spool or log directory problem");
187 exim_exit(EXIT_FAILURE);
188 }
8e669ac1 189
5cb8cbc6
PH
190*inodeptr = (statbuf.F_FILES > 0)? statbuf.F_FAVAIL : -1;
191
192/* Disks are getting huge. Take care with computing the size in kilobytes. */
8e669ac1 193
5cb8cbc6
PH
194return (int)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0);
195
196/* Unable to find partition sizes in this environment. */
197
198#else
199*inodeptr = -1;
200return -1;
201#endif
202}
203
059ec3d9 204
059ec3d9 205
5cb8cbc6
PH
206
207/*************************************************
208* Check space on spool and log partitions *
209*************************************************/
210
211/* This function is called before accepting a message; if any thresholds are
212set, it checks them. If a message_size is supplied, it checks that there is
213enough space for that size plus the threshold - i.e. that the message won't
214reduce the space to the threshold. Not all OS have statvfs(); for those that
215don't, this function always returns TRUE. For some OS the old function and
216struct name statfs is used; that is handled by a macro, defined in exim.h.
217
218Arguments:
219 msg_size the (estimated) size of an incoming message
220
221Returns: FALSE if there isn't enough space, or if the information cannot
222 be obtained
223 TRUE if no check was done or there is enough space
224*/
225
226BOOL
227receive_check_fs(int msg_size)
228{
229int space, inodes;
230
231if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0)
232 {
8e669ac1
PH
233 space = receive_statvfs(TRUE, &inodes);
234
059ec3d9 235 DEBUG(D_receive)
5cb8cbc6
PH
236 debug_printf("spool directory space = %dK inodes = %d "
237 "check_space = %dK inodes = %d msg_size = %d\n",
238 space, inodes, check_spool_space, check_spool_inodes, msg_size);
8e669ac1
PH
239
240 if ((space >= 0 && space < check_spool_space) ||
5cb8cbc6 241 (inodes >= 0 && inodes < check_spool_inodes))
8e669ac1 242 {
5cb8cbc6
PH
243 log_write(0, LOG_MAIN, "spool directory space check failed: space=%d "
244 "inodes=%d", space, inodes);
059ec3d9
PH
245 return FALSE;
246 }
247 }
248
5cb8cbc6
PH
249if (check_log_space > 0 || check_log_inodes > 0)
250 {
8e669ac1
PH
251 space = receive_statvfs(FALSE, &inodes);
252
5cb8cbc6
PH
253 DEBUG(D_receive)
254 debug_printf("log directory space = %dK inodes = %d "
255 "check_space = %dK inodes = %d\n",
256 space, inodes, check_log_space, check_log_inodes);
8e669ac1
PH
257
258 if ((space >= 0 && space < check_log_space) ||
5cb8cbc6 259 (inodes >= 0 && inodes < check_log_inodes))
8e669ac1 260 {
5cb8cbc6
PH
261 log_write(0, LOG_MAIN, "log directory space check failed: space=%d "
262 "inodes=%d", space, inodes);
263 return FALSE;
264 }
8e669ac1
PH
265 }
266
059ec3d9
PH
267return TRUE;
268}
269
270
271
272/*************************************************
273* Bomb out while reading a message *
274*************************************************/
275
276/* The common case of wanting to bomb out is if a SIGTERM or SIGINT is
277received, or if there is a timeout. A rarer case might be if the log files are
278screwed up and Exim can't open them to record a message's arrival. Handling
279that case is done by setting a flag to cause the log functions to call this
280function if there is an ultimate disaster. That is why it is globally
281accessible.
282
8f128379
PH
283Arguments:
284 reason text reason to pass to the not-quit ACL
285 msg default SMTP response to give if in an SMTP session
059ec3d9
PH
286Returns: it doesn't
287*/
288
289void
8f128379 290receive_bomb_out(uschar *reason, uschar *msg)
059ec3d9 291{
ead37e6c
PP
292 static BOOL already_bombing_out;
293/* The smtp_notquit_exit() below can call ACLs which can trigger recursive
294timeouts, if someone has something slow in their quit ACL. Since the only
295things we should be doing are to close down cleanly ASAP, on the second
296pass we also close down stuff that might be opened again, before bypassing
297the ACL call and exiting. */
298
059ec3d9
PH
299/* If spool_name is set, it contains the name of the data file that is being
300written. Unlink it before closing so that it cannot be picked up by a delivery
301process. Ensure that any header file is also removed. */
302
ead37e6c 303if (spool_name[0] != '\0')
059ec3d9
PH
304 {
305 Uunlink(spool_name);
306 spool_name[Ustrlen(spool_name) - 1] = 'H';
307 Uunlink(spool_name);
ead37e6c 308 spool_name[0] = '\0';
059ec3d9
PH
309 }
310
311/* Now close the file if it is open, either as a fd or a stream. */
312
ead37e6c
PP
313if (data_file != NULL)
314 {
315 (void)fclose(data_file);
316 data_file = NULL;
317} else if (data_fd >= 0) {
318 (void)close(data_fd);
319 data_fd = -1;
320 }
059ec3d9 321
8f128379
PH
322/* Attempt to close down an SMTP connection tidily. For non-batched SMTP, call
323smtp_notquit_exit(), which runs the NOTQUIT ACL, if present, and handles the
324SMTP response. */
059ec3d9 325
ead37e6c 326if (!already_bombing_out)
059ec3d9 327 {
ead37e6c
PP
328 already_bombing_out = TRUE;
329 if (smtp_input)
330 {
331 if (smtp_batched_input)
332 moan_smtp_batch(NULL, "421 %s - message abandoned", msg); /* No return */
333 smtp_notquit_exit(reason, US"421", US"%s %s - closing connection.",
334 smtp_active_hostname, msg);
335 }
059ec3d9
PH
336 }
337
338/* Exit from the program (non-BSMTP cases) */
339
340exim_exit(EXIT_FAILURE);
341}
342
343
344/*************************************************
345* Data read timeout *
346*************************************************/
347
348/* Handler function for timeouts that occur while reading the data that
349comprises a message.
350
351Argument: the signal number
352Returns: nothing
353*/
354
355static void
356data_timeout_handler(int sig)
357{
358uschar *msg = NULL;
359
360sig = sig; /* Keep picky compilers happy */
361
362if (smtp_input)
363 {
364 msg = US"SMTP incoming data timeout";
365 log_write(L_lost_incoming_connection,
366 LOG_MAIN, "SMTP data timeout (message abandoned) on connection "
fed77020
PH
367 "from %s F=<%s>",
368 (sender_fullhost != NULL)? sender_fullhost : US"local process",
369 sender_address);
059ec3d9
PH
370 }
371else
372 {
373 fprintf(stderr, "exim: timed out while reading - message abandoned\n");
374 log_write(L_lost_incoming_connection,
375 LOG_MAIN, "timed out while reading local message");
376 }
377
8f128379 378receive_bomb_out(US"data-timeout", msg); /* Does not return */
059ec3d9
PH
379}
380
381
382
383/*************************************************
384* local_scan() timeout *
385*************************************************/
386
387/* Handler function for timeouts that occur while running a local_scan()
388function.
389
390Argument: the signal number
391Returns: nothing
392*/
393
394static void
395local_scan_timeout_handler(int sig)
396{
397sig = sig; /* Keep picky compilers happy */
398log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
399 "message temporarily rejected (size %d)", message_size);
8f128379
PH
400/* Does not return */
401receive_bomb_out(US"local-scan-timeout", US"local verification problem");
059ec3d9
PH
402}
403
404
405
406/*************************************************
407* local_scan() crashed *
408*************************************************/
409
410/* Handler function for signals that occur while running a local_scan()
411function.
412
413Argument: the signal number
414Returns: nothing
415*/
416
417static void
418local_scan_crash_handler(int sig)
419{
420log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
421 "signal %d - message temporarily rejected (size %d)", sig, message_size);
8f128379
PH
422/* Does not return */
423receive_bomb_out(US"local-scan-error", US"local verification problem");
059ec3d9
PH
424}
425
426
427/*************************************************
428* SIGTERM or SIGINT received *
429*************************************************/
430
431/* Handler for SIGTERM or SIGINT signals that occur while reading the
432data that comprises a message.
433
434Argument: the signal number
435Returns: nothing
436*/
437
438static void
439data_sigterm_sigint_handler(int sig)
440{
441uschar *msg = NULL;
442
443if (smtp_input)
444 {
445 msg = US"Service not available - SIGTERM or SIGINT received";
446 log_write(0, LOG_MAIN, "%s closed after %s", smtp_get_connection_info(),
447 (sig == SIGTERM)? "SIGTERM" : "SIGINT");
448 }
449else
450 {
f05da2e8 451 if (filter_test == FTEST_NONE)
059ec3d9
PH
452 {
453 fprintf(stderr, "\nexim: %s received - message abandoned\n",
454 (sig == SIGTERM)? "SIGTERM" : "SIGINT");
455 log_write(0, LOG_MAIN, "%s received while reading local message",
456 (sig == SIGTERM)? "SIGTERM" : "SIGINT");
457 }
458 }
459
8f128379 460receive_bomb_out(US"signal-exit", msg); /* Does not return */
059ec3d9
PH
461}
462
463
464
465/*************************************************
466* Add new recipient to list *
467*************************************************/
468
469/* This function builds a list of recipient addresses in argc/argv
470format.
471
472Arguments:
473 recipient the next address to add to recipients_list
474 pno parent number for fixed aliases; -1 otherwise
475
476Returns: nothing
477*/
478
479void
480receive_add_recipient(uschar *recipient, int pno)
481{
482if (recipients_count >= recipients_list_max)
483 {
484 recipient_item *oldlist = recipients_list;
485 int oldmax = recipients_list_max;
486 recipients_list_max = recipients_list_max? 2*recipients_list_max : 50;
487 recipients_list = store_get(recipients_list_max * sizeof(recipient_item));
488 if (oldlist != NULL)
489 memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item));
490 }
491
492recipients_list[recipients_count].address = recipient;
493recipients_list[recipients_count].pno = pno;
8523533c
TK
494#ifdef EXPERIMENTAL_BRIGHTMAIL
495recipients_list[recipients_count].bmi_optin = bmi_current_optin;
496/* reset optin string pointer for next recipient */
497bmi_current_optin = NULL;
498#endif
6c1c3d1d
WB
499recipients_list[recipients_count].orcpt = NULL;
500recipients_list[recipients_count].dsn_flags = 0;
059ec3d9
PH
501recipients_list[recipients_count++].errors_to = NULL;
502}
503
504
505
506
507/*************************************************
fd98a5c6
JH
508* Send user response message *
509*************************************************/
61147df4 510
fd98a5c6
JH
511/* This function is passed a default response code and a user message. It calls
512smtp_message_code() to check and possibly modify the response code, and then
513calls smtp_respond() to transmit the response. I put this into a function
514just to avoid a lot of repetition.
61147df4
PP
515
516Arguments:
fd98a5c6
JH
517 code the response code
518 user_msg the user message
519
520Returns: nothing
61147df4
PP
521*/
522
8ccd00b1 523#ifndef DISABLE_PRDR
61147df4 524static void
fd98a5c6 525smtp_user_msg(uschar *code, uschar *user_msg)
61147df4 526{
fd98a5c6 527int len = 3;
4f6ae5c3 528smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
fd98a5c6 529smtp_respond(code, len, TRUE, user_msg);
61147df4
PP
530}
531#endif
532
533
534
535
fd98a5c6
JH
536
537/*************************************************
059ec3d9
PH
538* Remove a recipient from the list *
539*************************************************/
540
541/* This function is provided for local_scan() to use.
542
543Argument:
544 recipient address to remove
545
546Returns: TRUE if it did remove something; FALSE otherwise
547*/
548
549BOOL
550receive_remove_recipient(uschar *recipient)
551{
552int count;
553DEBUG(D_receive) debug_printf("receive_remove_recipient(\"%s\") called\n",
554 recipient);
555for (count = 0; count < recipients_count; count++)
556 {
557 if (Ustrcmp(recipients_list[count].address, recipient) == 0)
558 {
559 if ((--recipients_count - count) > 0)
560 memmove(recipients_list + count, recipients_list + count + 1,
54cdb463 561 (recipients_count - count)*sizeof(recipient_item));
059ec3d9
PH
562 return TRUE;
563 }
564 }
565return FALSE;
566}
567
568
569
570
571
572/*************************************************
573* Read data portion of a non-SMTP message *
574*************************************************/
575
576/* This function is called to read the remainder of a message (following the
577header) when the input is not from SMTP - we are receiving a local message on
578a standard input stream. The message is always terminated by EOF, and is also
579terminated by a dot on a line by itself if the flag dot_ends is TRUE. Split the
580two cases for maximum efficiency.
581
582Ensure that the body ends with a newline. This will naturally be the case when
583the termination is "\n.\n" but may not be otherwise. The RFC defines messages
584as "sequences of lines" - this of course strictly applies only to SMTP, but
585deliveries into BSD-type mailbox files also require it. Exim used to have a
586flag for doing this at delivery time, but as it was always set for all
587transports, I decided to simplify things by putting the check here instead.
588
589There is at least one MUA (dtmail) that sends CRLF via this interface, and
590other programs are known to do this as well. Exim used to have a option for
591dealing with this: in July 2003, after much discussion, the code has been
592changed to default to treat any of LF, CRLF, and bare CR as line terminators.
593
594However, for the case when a dot on a line by itself terminates a message, the
595only recognized terminating sequences before and after the dot are LF and CRLF.
596Otherwise, having read EOL . CR, you don't know whether to read another
597character or not.
598
599Internally, in messages stored in Exim's spool files, LF is used as the line
600terminator. Under the new regime, bare CRs will no longer appear in these
601files.
602
603Arguments:
604 fout a FILE to which to write the message
605
606Returns: One of the END_xxx values indicating why it stopped reading
607*/
608
609static int
610read_message_data(FILE *fout)
611{
612int ch_state;
613register int ch;
d677b2f2 614register int linelength = 0;
059ec3d9
PH
615
616/* Handle the case when only EOF terminates the message */
617
618if (!dot_ends)
619 {
620 register int last_ch = '\n';
621
80a47a2c 622 for (; (ch = (receive_getc)()) != EOF; last_ch = ch)
059ec3d9
PH
623 {
624 if (ch == 0) body_zerocount++;
625 if (last_ch == '\r' && ch != '\n')
626 {
d677b2f2
PH
627 if (linelength > max_received_linelength)
628 max_received_linelength = linelength;
629 linelength = 0;
059ec3d9
PH
630 if (fputc('\n', fout) == EOF) return END_WERROR;
631 message_size++;
632 body_linecount++;
633 }
634 if (ch == '\r') continue;
635
636 if (fputc(ch, fout) == EOF) return END_WERROR;
d677b2f2
PH
637 if (ch == '\n')
638 {
639 if (linelength > max_received_linelength)
640 max_received_linelength = linelength;
641 linelength = 0;
642 body_linecount++;
643 }
644 else linelength++;
059ec3d9
PH
645 if (++message_size > thismessage_size_limit) return END_SIZE;
646 }
647
648 if (last_ch != '\n')
649 {
d677b2f2
PH
650 if (linelength > max_received_linelength)
651 max_received_linelength = linelength;
059ec3d9
PH
652 if (fputc('\n', fout) == EOF) return END_WERROR;
653 message_size++;
654 body_linecount++;
655 }
656
657 return END_EOF;
658 }
659
660/* Handle the case when a dot on a line on its own, or EOF, terminates. */
661
662ch_state = 1;
663
80a47a2c 664while ((ch = (receive_getc)()) != EOF)
059ec3d9
PH
665 {
666 if (ch == 0) body_zerocount++;
667 switch (ch_state)
668 {
669 case 0: /* Normal state (previous char written) */
670 if (ch == '\n')
d677b2f2
PH
671 {
672 body_linecount++;
673 if (linelength > max_received_linelength)
674 max_received_linelength = linelength;
675 linelength = -1;
676 ch_state = 1;
677 }
059ec3d9
PH
678 else if (ch == '\r')
679 { ch_state = 2; continue; }
680 break;
681
682 case 1: /* After written "\n" */
683 if (ch == '.') { ch_state = 3; continue; }
6eb02f88 684 if (ch == '\r') { ch_state = 2; continue; }
d677b2f2 685 if (ch != '\n') ch_state = 0; else linelength = -1;
059ec3d9
PH
686 break;
687
688 case 2:
689 body_linecount++; /* After unwritten "\r" */
d677b2f2
PH
690 if (linelength > max_received_linelength)
691 max_received_linelength = linelength;
059ec3d9 692 if (ch == '\n')
d677b2f2
PH
693 {
694 ch_state = 1;
695 linelength = -1;
696 }
059ec3d9
PH
697 else
698 {
699 if (message_size++, fputc('\n', fout) == EOF) return END_WERROR;
700 if (ch == '\r') continue;
701 ch_state = 0;
d677b2f2 702 linelength = 0;
059ec3d9
PH
703 }
704 break;
705
706 case 3: /* After "\n." (\n written, dot not) */
707 if (ch == '\n') return END_DOT;
708 if (ch == '\r') { ch_state = 4; continue; }
709 message_size++;
d677b2f2 710 linelength++;
059ec3d9
PH
711 if (fputc('.', fout) == EOF) return END_WERROR;
712 ch_state = 0;
713 break;
714
715 case 4: /* After "\n.\r" (\n written, rest not) */
716 if (ch == '\n') return END_DOT;
717 message_size += 2;
718 body_linecount++;
719 if (fputs(".\n", fout) == EOF) return END_WERROR;
720 if (ch == '\r') { ch_state = 2; continue; }
721 ch_state = 0;
722 break;
723 }
724
d677b2f2 725 linelength++;
059ec3d9
PH
726 if (fputc(ch, fout) == EOF) return END_WERROR;
727 if (++message_size > thismessage_size_limit) return END_SIZE;
728 }
729
730/* Get here if EOF read. Unless we have just written "\n", we need to ensure
731the message ends with a newline, and we must also write any characters that
732were saved up while testing for an ending dot. */
733
734if (ch_state != 1)
735 {
736 static uschar *ends[] = { US"\n", NULL, US"\n", US".\n", US".\n" };
737 if (fputs(CS ends[ch_state], fout) == EOF) return END_WERROR;
738 message_size += Ustrlen(ends[ch_state]);
739 body_linecount++;
740 }
741
742return END_EOF;
743}
744
745
746
747
748/*************************************************
749* Read data portion of an SMTP message *
750*************************************************/
751
752/* This function is called to read the remainder of an SMTP message (after the
753headers), or to skip over it when an error has occurred. In this case, the
754output file is passed as NULL.
755
756If any line begins with a dot, that character is skipped. The input should only
757be successfully terminated by CR LF . CR LF unless it is local (non-network)
758SMTP, in which case the CRs are optional, but...
759
760FUDGE: It seems that sites on the net send out messages with just LF
761terminators, despite the warnings in the RFCs, and other MTAs handle this. So
762we make the CRs optional in all cases.
763
764July 2003: Bare CRs cause trouble. We now treat them as line terminators as
765well, so that there are no CRs in spooled messages. However, the message
766terminating dot is not recognized between two bare CRs.
767
768Arguments:
769 fout a FILE to which to write the message; NULL if skipping
770
771Returns: One of the END_xxx values indicating why it stopped reading
772*/
18481de3
JH
773/*XXX CHUNKING: maybe a variant routing specialised for BDAT, assuming
774string RFC compliance ie. CRLF always? We still have to strip the CR
775but we are not dealing with variant lunacy or looking for the end-dot */
059ec3d9
PH
776
777static int
778read_message_data_smtp(FILE *fout)
779{
780int ch_state = 0;
e4bdf652 781int ch;
1f5497b2 782register int linelength = 0;
059ec3d9 783
80a47a2c 784while ((ch = (receive_getc)()) != EOF)
059ec3d9
PH
785 {
786 if (ch == 0) body_zerocount++;
787 switch (ch_state)
788 {
789 case 0: /* After LF or CRLF */
790 if (ch == '.')
791 {
792 ch_state = 3;
793 continue; /* Don't ever write . after LF */
794 }
795 ch_state = 1;
796
797 /* Else fall through to handle as normal uschar. */
798
799 case 1: /* Normal state */
800 if (ch == '\n')
801 {
802 ch_state = 0;
803 body_linecount++;
1f5497b2
PH
804 if (linelength > max_received_linelength)
805 max_received_linelength = linelength;
806 linelength = -1;
059ec3d9
PH
807 }
808 else if (ch == '\r')
809 {
810 ch_state = 2;
811 continue;
812 }
813 break;
814
815 case 2: /* After (unwritten) CR */
816 body_linecount++;
1f5497b2
PH
817 if (linelength > max_received_linelength)
818 max_received_linelength = linelength;
819 linelength = -1;
059ec3d9
PH
820 if (ch == '\n')
821 {
822 ch_state = 0;
823 }
824 else
825 {
826 message_size++;
827 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
e4bdf652 828 (void) cutthrough_put_nl();
059ec3d9
PH
829 if (ch != '\r') ch_state = 1; else continue;
830 }
831 break;
832
833 case 3: /* After [CR] LF . */
834 if (ch == '\n')
835 return END_DOT;
836 if (ch == '\r')
837 {
838 ch_state = 4;
839 continue;
840 }
1bc460a6
JH
841 /* The dot was removed at state 3. For a doubled dot, here, reinstate
842 it to cutthrough. The current ch, dot or not, is passed both to cutthrough
843 and to file below. */
844 if (ch == '.')
845 {
846 uschar c= ch;
847 (void) cutthrough_puts(&c, 1);
848 }
849 ch_state = 1;
059ec3d9
PH
850 break;
851
852 case 4: /* After [CR] LF . CR */
853 if (ch == '\n') return END_DOT;
854 message_size++;
855 body_linecount++;
856 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
e4bdf652 857 (void) cutthrough_put_nl();
059ec3d9
PH
858 if (ch == '\r')
859 {
860 ch_state = 2;
861 continue;
862 }
863 ch_state = 1;
864 break;
865 }
866
867 /* Add the character to the spool file, unless skipping; then loop for the
868 next. */
869
870 message_size++;
1f5497b2 871 linelength++;
059ec3d9
PH
872 if (fout != NULL)
873 {
874 if (fputc(ch, fout) == EOF) return END_WERROR;
875 if (message_size > thismessage_size_limit) return END_SIZE;
876 }
e4bdf652
JH
877 if(ch == '\n')
878 (void) cutthrough_put_nl();
879 else
880 {
881 uschar c= ch;
882 (void) cutthrough_puts(&c, 1);
883 }
059ec3d9
PH
884 }
885
886/* Fall through here if EOF encountered. This indicates some kind of error,
887since a correct message is terminated by [CR] LF . [CR] LF. */
888
889return END_EOF;
890}
891
892
893
894
895/*************************************************
896* Swallow SMTP message *
897*************************************************/
898
899/* This function is called when there has been some kind of error while reading
900an SMTP message, and the remaining data may need to be swallowed. It is global
901because it is called from smtp_closedown() to shut down an incoming call
902tidily.
903
904Argument: a FILE from which to read the message
905Returns: nothing
906*/
907
908void
909receive_swallow_smtp(void)
910{
911if (message_ended >= END_NOTENDED)
912 message_ended = read_message_data_smtp(NULL);
913}
914
915
916
917/*************************************************
918* Handle lost SMTP connection *
919*************************************************/
920
921/* This function logs connection loss incidents and generates an appropriate
922SMTP response.
923
924Argument: additional data for the message
925Returns: the SMTP response
926*/
927
928static uschar *
929handle_lost_connection(uschar *s)
930{
931log_write(L_lost_incoming_connection | L_smtp_connection, LOG_MAIN,
932 "%s lost while reading message data%s", smtp_get_connection_info(), s);
933return US"421 Lost incoming connection";
934}
935
936
937
938
939/*************************************************
940* Handle a non-smtp reception error *
941*************************************************/
942
943/* This function is called for various errors during the reception of non-SMTP
944messages. It either sends a message to the sender of the problem message, or it
945writes to the standard error stream.
946
947Arguments:
948 errcode code for moan_to_sender(), identifying the error
949 text1 first message text, passed to moan_to_sender()
950 text2 second message text, used only for stderrr
951 error_rc code to pass to exim_exit if no problem
952 f FILE containing body of message (may be stdin)
953 hptr pointer to instore headers or NULL
954
955Returns: calls exim_exit(), which does not return
956*/
957
958static void
959give_local_error(int errcode, uschar *text1, uschar *text2, int error_rc,
960 FILE *f, header_line *hptr)
961{
962if (error_handling == ERRORS_SENDER)
963 {
964 error_block eblock;
965 eblock.next = NULL;
966 eblock.text1 = text1;
37f3dc43 967 eblock.text2 = US"";
059ec3d9
PH
968 if (!moan_to_sender(errcode, &eblock, hptr, f, FALSE))
969 error_rc = EXIT_FAILURE;
970 }
37f3dc43
JH
971else
972 fprintf(stderr, "exim: %s%s\n", text2, text1); /* Sic */
f1e894f3 973(void)fclose(f);
059ec3d9
PH
974exim_exit(error_rc);
975}
976
977
978
979/*************************************************
980* Add header lines set up by ACL *
981*************************************************/
982
850635b6
PH
983/* This function is called to add the header lines that were set up by
984statements in an ACL to the list of headers in memory. It is done in two stages
985like this, because when the ACL for RCPT is running, the other headers have not
986yet been received. This function is called twice; once just before running the
987DATA ACL, and once after. This is so that header lines added by MAIL or RCPT
988are visible to the DATA ACL.
059ec3d9
PH
989
990Originally these header lines were added at the end. Now there is support for
991three different places: top, bottom, and after the Received: header(s). There
992will always be at least one Received: header, even if it is marked deleted, and
993even if something else has been put in front of it.
994
995Arguments:
996 acl_name text to identify which ACL
997
998Returns: nothing
999*/
1000
1001static void
578d43dc 1002add_acl_headers(int where, uschar *acl_name)
059ec3d9
PH
1003{
1004header_line *h, *next;
1005header_line *last_received = NULL;
e7568d51 1006
578d43dc
JH
1007switch(where)
1008 {
1009 case ACL_WHERE_DKIM:
1010 case ACL_WHERE_MIME:
af4a1bca 1011 case ACL_WHERE_DATA:
5032d1cf 1012 if (cutthrough.fd >= 0 && (acl_removed_headers || acl_added_headers))
578d43dc
JH
1013 {
1014 log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs"
af4a1bca 1015 " will not take effect on cutthrough deliveries");
578d43dc
JH
1016 return;
1017 }
1018 }
1019
e7568d51
TL
1020if (acl_removed_headers != NULL)
1021 {
1022 DEBUG(D_receive|D_acl) debug_printf(">>Headers removed by %s ACL:\n", acl_name);
1023
4a142059 1024 for (h = header_list; h != NULL; h = h->next) if (h->type != htype_old)
e7568d51 1025 {
55414b25 1026 const uschar * list = acl_removed_headers;
e7568d51
TL
1027 int sep = ':'; /* This is specified as a colon-separated list */
1028 uschar *s;
1029 uschar buffer[128];
4a142059
JH
1030
1031 while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
1032 if (header_testname(h, s, Ustrlen(s), FALSE))
e7568d51
TL
1033 {
1034 h->type = htype_old;
1035 DEBUG(D_receive|D_acl) debug_printf(" %s", h->text);
1036 }
e7568d51
TL
1037 }
1038 acl_removed_headers = NULL;
1039 DEBUG(D_receive|D_acl) debug_printf(">>\n");
1040 }
059ec3d9 1041
71fafd95 1042if (acl_added_headers == NULL) return;
059ec3d9
PH
1043DEBUG(D_receive|D_acl) debug_printf(">>Headers added by %s ACL:\n", acl_name);
1044
71fafd95 1045for (h = acl_added_headers; h != NULL; h = next)
059ec3d9
PH
1046 {
1047 next = h->next;
1048
1049 switch(h->type)
1050 {
1051 case htype_add_top:
1052 h->next = header_list;
1053 header_list = h;
1054 DEBUG(D_receive|D_acl) debug_printf(" (at top)");
1055 break;
1056
1057 case htype_add_rec:
1058 if (last_received == NULL)
1059 {
1060 last_received = header_list;
1061 while (!header_testname(last_received, US"Received", 8, FALSE))
1062 last_received = last_received->next;
1063 while (last_received->next != NULL &&
1064 header_testname(last_received->next, US"Received", 8, FALSE))
1065 last_received = last_received->next;
1066 }
1067 h->next = last_received->next;
1068 last_received->next = h;
1069 DEBUG(D_receive|D_acl) debug_printf(" (after Received:)");
1070 break;
1071
8523533c
TK
1072 case htype_add_rfc:
1073 /* add header before any header which is NOT Received: or Resent- */
1074 last_received = header_list;
1075 while ( (last_received->next != NULL) &&
1076 ( (header_testname(last_received->next, US"Received", 8, FALSE)) ||
1077 (header_testname_incomplete(last_received->next, US"Resent-", 7, FALSE)) ) )
1078 last_received = last_received->next;
1079 /* last_received now points to the last Received: or Resent-* header
1080 in an uninterrupted chain of those header types (seen from the beginning
1081 of all headers. Our current header must follow it. */
1082 h->next = last_received->next;
1083 last_received->next = h;
8e669ac1 1084 DEBUG(D_receive|D_acl) debug_printf(" (before any non-Received: or Resent-*: header)");
8523533c
TK
1085 break;
1086
059ec3d9
PH
1087 default:
1088 h->next = NULL;
1089 header_last->next = h;
1090 break;
1091 }
1092
1093 if (h->next == NULL) header_last = h;
1094
1095 /* Check for one of the known header types (From:, To:, etc.) though in
1096 practice most added headers are going to be "other". Lower case
1097 identification letters are never stored with the header; they are used
1098 for existence tests when messages are received. So discard any lower case
1099 flag values. */
1100
1101 h->type = header_checkname(h, FALSE);
1102 if (h->type >= 'a') h->type = htype_other;
1103
1104 DEBUG(D_receive|D_acl) debug_printf(" %s", header_last->text);
1105 }
1106
71fafd95 1107acl_added_headers = NULL;
059ec3d9
PH
1108DEBUG(D_receive|D_acl) debug_printf(">>\n");
1109}
1110
1111
1112
1113/*************************************************
1114* Add host information for log line *
1115*************************************************/
1116
1117/* Called for acceptance and rejecting log lines. This adds information about
1118the calling host to a string that is being built dynamically.
1119
1120Arguments:
1121 s the dynamic string
1122 sizeptr points to the size variable
1123 ptrptr points to the pointer variable
1124
1125Returns: the extended string
1126*/
1127
1128static uschar *
fc16abb4 1129add_host_info_for_log(uschar * s, int * sizeptr, int * ptrptr)
059ec3d9 1130{
fc16abb4 1131if (sender_fullhost)
059ec3d9 1132 {
fc16abb4
JH
1133 if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */
1134 s = string_cat(s, sizeptr, ptrptr, US" DS");
059ec3d9 1135 s = string_append(s, sizeptr, ptrptr, 2, US" H=", sender_fullhost);
6c6d6e48 1136 if (LOGGING(incoming_interface) && interface_address != NULL)
059ec3d9 1137 {
fc16abb4
JH
1138 s = string_cat(s, sizeptr, ptrptr,
1139 string_sprintf(" I=[%s]:%d", interface_address, interface_port));
059ec3d9
PH
1140 }
1141 }
1142if (sender_ident != NULL)
1143 s = string_append(s, sizeptr, ptrptr, 2, US" U=", sender_ident);
1144if (received_protocol != NULL)
1145 s = string_append(s, sizeptr, ptrptr, 2, US" P=", received_protocol);
1146return s;
1147}
1148
1149
1150
63955bf2 1151#ifdef WITH_CONTENT_SCAN
059ec3d9
PH
1152
1153/*************************************************
54cdb463
PH
1154* Run the MIME ACL on a message *
1155*************************************************/
1156
1157/* This code is in a subroutine so that it can be used for both SMTP
1158and non-SMTP messages. It is called with a non-NULL ACL pointer.
1159
1160Arguments:
1161 acl The ACL to run (acl_smtp_mime or acl_not_smtp_mime)
1162 smtp_yield_ptr Set FALSE to kill messages after dropped connection
1163 smtp_reply_ptr Where SMTP reply is being built
1164 blackholed_by_ptr Where "blackholed by" message is being built
1165
1166Returns: TRUE to carry on; FALSE to abandon the message
1167*/
1168
1169static BOOL
1170run_mime_acl(uschar *acl, BOOL *smtp_yield_ptr, uschar **smtp_reply_ptr,
1171 uschar **blackholed_by_ptr)
1172{
1173FILE *mbox_file;
1174uschar rfc822_file_path[2048];
1175unsigned long mbox_size;
1176header_line *my_headerlist;
1177uschar *user_msg, *log_msg;
1178int mime_part_count_buffer = -1;
7156b1ef 1179int rc = OK;
54cdb463
PH
1180
1181memset(CS rfc822_file_path,0,2048);
1182
1183/* check if it is a MIME message */
1184my_headerlist = header_list;
4e88a19f
PH
1185while (my_headerlist != NULL)
1186 {
54cdb463 1187 /* skip deleted headers */
4e88a19f
PH
1188 if (my_headerlist->type == '*')
1189 {
54cdb463
PH
1190 my_headerlist = my_headerlist->next;
1191 continue;
4e88a19f
PH
1192 }
1193 if (strncmpic(my_headerlist->text, US"Content-Type:", 13) == 0)
1194 {
54cdb463
PH
1195 DEBUG(D_receive) debug_printf("Found Content-Type: header - executing acl_smtp_mime.\n");
1196 goto DO_MIME_ACL;
4e88a19f 1197 }
54cdb463 1198 my_headerlist = my_headerlist->next;
4e88a19f 1199 }
54cdb463
PH
1200
1201DEBUG(D_receive) debug_printf("No Content-Type: header - presumably not a MIME message.\n");
1202return TRUE;
1203
1204DO_MIME_ACL:
1205/* make sure the eml mbox file is spooled up */
8544e77a 1206mbox_file = spool_mbox(&mbox_size, NULL);
54cdb463
PH
1207if (mbox_file == NULL) {
1208 /* error while spooling */
1209 log_write(0, LOG_MAIN|LOG_PANIC,
1210 "acl_smtp_mime: error while creating mbox spool file, message temporarily rejected.");
1211 Uunlink(spool_name);
1212 unspool_mbox();
6f0c431a
PP
1213#ifdef EXPERIMENTAL_DCC
1214 dcc_ok = 0;
1215#endif
a5bd321b 1216 smtp_respond(US"451", 3, TRUE, US"temporary local problem");
54cdb463
PH
1217 message_id[0] = 0; /* Indicate no message accepted */
1218 *smtp_reply_ptr = US""; /* Indicate reply already sent */
1219 return FALSE; /* Indicate skip to end of receive function */
1220};
1221
1222mime_is_rfc822 = 0;
1223
1224MIME_ACL_CHECK:
1225mime_part_count = -1;
1226rc = mime_acl_check(acl, mbox_file, NULL, &user_msg, &log_msg);
f1e894f3 1227(void)fclose(mbox_file);
54cdb463 1228
4e88a19f
PH
1229if (Ustrlen(rfc822_file_path) > 0)
1230 {
54cdb463
PH
1231 mime_part_count = mime_part_count_buffer;
1232
4e88a19f
PH
1233 if (unlink(CS rfc822_file_path) == -1)
1234 {
54cdb463
PH
1235 log_write(0, LOG_PANIC,
1236 "acl_smtp_mime: can't unlink RFC822 spool file, skipping.");
1237 goto END_MIME_ACL;
4e88a19f
PH
1238 }
1239 }
54cdb463
PH
1240
1241/* check if we must check any message/rfc822 attachments */
4e88a19f
PH
1242if (rc == OK)
1243 {
54cdb463 1244 uschar temp_path[1024];
e8bc7fca
JH
1245 struct dirent * entry;
1246 DIR * tempdir;
54cdb463 1247
e8bc7fca
JH
1248 (void) string_format(temp_path, sizeof(temp_path), "%s/scan/%s",
1249 spool_directory, message_id);
54cdb463 1250
4e88a19f 1251 tempdir = opendir(CS temp_path);
e8bc7fca 1252 for (;;)
4e88a19f 1253 {
e8bc7fca
JH
1254 if (!(entry = readdir(tempdir)))
1255 break;
1256 if (strncmpic(US entry->d_name, US"__rfc822_", 9) == 0)
4e88a19f 1257 {
e8bc7fca
JH
1258 (void) string_format(rfc822_file_path, sizeof(rfc822_file_path),
1259 "%s/scan/%s/%s", spool_directory, message_id, entry->d_name);
1260 debug_printf("RFC822 attachment detected: running MIME ACL for '%s'\n",
1261 rfc822_file_path);
4e88a19f
PH
1262 break;
1263 }
e8bc7fca 1264 }
4e88a19f 1265 closedir(tempdir);
54cdb463 1266
e8bc7fca 1267 if (entry)
4e88a19f 1268 {
e8bc7fca 1269 if ((mbox_file = Ufopen(rfc822_file_path, "rb")))
4e88a19f 1270 {
e8bc7fca
JH
1271 /* set RFC822 expansion variable */
1272 mime_is_rfc822 = 1;
1273 mime_part_count_buffer = mime_part_count;
1274 goto MIME_ACL_CHECK;
4e88a19f 1275 }
e8bc7fca
JH
1276 log_write(0, LOG_PANIC,
1277 "acl_smtp_mime: can't open RFC822 spool file, skipping.");
1278 unlink(CS rfc822_file_path);
4e88a19f
PH
1279 }
1280 }
54cdb463
PH
1281
1282END_MIME_ACL:
578d43dc 1283add_acl_headers(ACL_WHERE_MIME, US"MIME");
54cdb463
PH
1284if (rc == DISCARD)
1285 {
1286 recipients_count = 0;
1287 *blackholed_by_ptr = US"MIME ACL";
1288 }
1289else if (rc != OK)
1290 {
1291 Uunlink(spool_name);
1292 unspool_mbox();
6f0c431a
PP
1293#ifdef EXPERIMENTAL_DCC
1294 dcc_ok = 0;
1295#endif
4f6ae5c3
JH
1296 if ( smtp_input
1297 && smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0)
1298 {
85ffcba6 1299 *smtp_yield_ptr = FALSE; /* No more messages after dropped connection */
f4c1088b 1300 *smtp_reply_ptr = US""; /* Indicate reply already sent */
4f6ae5c3 1301 }
54cdb463
PH
1302 message_id[0] = 0; /* Indicate no message accepted */
1303 return FALSE; /* Cause skip to end of receive function */
4e88a19f 1304 }
54cdb463
PH
1305
1306return TRUE;
1307}
1308
63955bf2 1309#endif /* WITH_CONTENT_SCAN */
54cdb463
PH
1310
1311
e4bdf652
JH
1312
1313void
1314received_header_gen(void)
1315{
1316uschar *received;
1317uschar *timestamp;
1318header_line *received_header= header_list;
1319
1320timestamp = expand_string(US"${tod_full}");
1321if (recipients_count == 1) received_for = recipients_list[0].address;
1322received = expand_string(received_header_text);
1323received_for = NULL;
1324
d4ff61d1 1325if (!received)
e4bdf652
JH
1326 {
1327 if(spool_name[0] != 0)
1328 Uunlink(spool_name); /* Lose the data file */
1329 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
1330 "(received_header_text) failed: %s", string_printing(received_header_text),
1331 expand_string_message);
1332 }
1333
1334/* The first element on the header chain is reserved for the Received header,
1335so all we have to do is fill in the text pointer, and set the type. However, if
1336the result of the expansion is an empty string, we leave the header marked as
1337"old" so as to refrain from adding a Received header. */
1338
1339if (received[0] == 0)
1340 {
1341 received_header->text = string_sprintf("Received: ; %s\n", timestamp);
1342 received_header->type = htype_old;
1343 }
1344else
1345 {
1346 received_header->text = string_sprintf("%s; %s\n", received, timestamp);
1347 received_header->type = htype_received;
1348 }
1349
1350received_header->slen = Ustrlen(received_header->text);
1351
1352DEBUG(D_receive) debug_printf(">>Generated Received: header line\n%c %s",
1353 received_header->type, received_header->text);
1354}
1355
1356
1357
54cdb463 1358/*************************************************
059ec3d9
PH
1359* Receive message *
1360*************************************************/
1361
1362/* Receive a message on the given input, and put it into a pair of spool files.
1363Either a non-null list of recipients, or the extract flag will be true, or
1364both. The flag sender_local is true for locally generated messages. The flag
1365submission_mode is true if an ACL has obeyed "control = submission". The flag
8800895a 1366suppress_local_fixups is true if an ACL has obeyed "control =
f4ee74ac
PP
1367suppress_local_fixups" or -G was passed on the command-line.
1368The flag smtp_input is true if the message is to be
8800895a
PH
1369handled using SMTP conventions about termination and lines starting with dots.
1370For non-SMTP messages, dot_ends is true for dot-terminated messages.
059ec3d9
PH
1371
1372If a message was successfully read, message_id[0] will be non-zero.
1373
1374The general actions of this function are:
1375
1376 . Read the headers of the message (if any) into a chain of store
1377 blocks.
1378
1379 . If there is a "sender:" header and the message is locally originated,
69358f02
PH
1380 throw it away, unless the caller is trusted, or unless
1381 active_local_sender_retain is set - which can only happen if
1382 active_local_from_check is false.
059ec3d9
PH
1383
1384 . If recipients are to be extracted from the message, build the
1385 recipients list from the headers, removing any that were on the
1386 original recipients list (unless extract_addresses_remove_arguments is
1387 false), and at the same time, remove any bcc header that may be present.
1388
1389 . Get the spool file for the data, sort out its unique name, open
1390 and lock it (but don't give it the name yet).
1391
1392 . Generate a "Message-Id" header if the message doesn't have one, for
1393 locally-originated messages.
1394
1395 . Generate a "Received" header.
1396
1397 . Ensure the recipients list is fully qualified and rewritten if necessary.
1398
1399 . If there are any rewriting rules, apply them to the sender address
1400 and also to the headers.
1401
1402 . If there is no from: header, generate one, for locally-generated messages
1403 and messages in "submission mode" only.
1404
1405 . If the sender is local, check that from: is correct, and if not, generate
1406 a Sender: header, unless message comes from a trusted caller, or this
69358f02 1407 feature is disabled by active_local_from_check being false.
059ec3d9
PH
1408
1409 . If there is no "date" header, generate one, for locally-originated
1410 or submission mode messages only.
1411
1412 . Copy the rest of the input, or up to a terminating "." if in SMTP or
1413 dot_ends mode, to the data file. Leave it open, to hold the lock.
1414
1415 . Write the envelope and the headers to a new file.
1416
1417 . Set the name for the header file; close it.
1418
1419 . Set the name for the data file; close it.
1420
1421Because this function can potentially be called many times in a single
1422SMTP connection, all store should be got by store_get(), so that it will be
1423automatically retrieved after the message is accepted.
1424
1425FUDGE: It seems that sites on the net send out messages with just LF
1426terminators, despite the warnings in the RFCs, and other MTAs handle this. So
1427we make the CRs optional in all cases.
1428
1429July 2003: Bare CRs in messages, especially in header lines, cause trouble. A
1430new regime is now in place in which bare CRs in header lines are turned into LF
1431followed by a space, so as not to terminate the header line.
1432
1433February 2004: A bare LF in a header line in a message whose first line was
1434terminated by CRLF is treated in the same way as a bare CR.
1435
1436Arguments:
1437 extract_recip TRUE if recipients are to be extracted from the message's
1438 headers
1439
1440Returns: TRUE there are more messages to be read (SMTP input)
1441 FALSE there are no more messages to be read (non-SMTP input
1442 or SMTP connection collapsed, or other failure)
1443
1444When reading a message for filter testing, the returned value indicates
1445whether the headers (which is all that is read) were terminated by '.' or
1446not. */
1447
1448BOOL
1449receive_msg(BOOL extract_recip)
1450{
7156b1ef
NM
1451int i;
1452int rc = FAIL;
059ec3d9
PH
1453int msg_size = 0;
1454int process_info_len = Ustrlen(process_info);
1455int error_rc = (error_handling == ERRORS_SENDER)?
1456 errors_sender_rc : EXIT_FAILURE;
1457int header_size = 256;
1458int start, end, domain, size, sptr;
1459int id_resolution;
1460int had_zero = 0;
d677b2f2 1461int prevlines_length = 0;
059ec3d9
PH
1462
1463register int ptr = 0;
1464
1465BOOL contains_resent_headers = FALSE;
1466BOOL extracted_ignored = FALSE;
1467BOOL first_line_ended_crlf = TRUE_UNSET;
1468BOOL smtp_yield = TRUE;
1469BOOL yield = FALSE;
1470
1471BOOL resents_exist = FALSE;
1472uschar *resent_prefix = US"";
1473uschar *blackholed_by = NULL;
04f7d5b9 1474uschar *blackhole_log_msg = US"";
c5430c20 1475enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done = NOT_TRIED;
059ec3d9
PH
1476
1477flock_t lock_data;
1478error_block *bad_addresses = NULL;
1479
1480uschar *frozen_by = NULL;
1481uschar *queued_by = NULL;
1482
1483uschar *errmsg, *s;
1484struct stat statbuf;
1485
4e88a19f 1486/* Final message to give to SMTP caller, and messages from ACLs */
059ec3d9
PH
1487
1488uschar *smtp_reply = NULL;
4e88a19f 1489uschar *user_msg, *log_msg;
059ec3d9
PH
1490
1491/* Working header pointers */
1492
1493header_line *h, *next;
1494
2cbb4081 1495/* Flags for noting the existence of certain headers (only one left) */
059ec3d9
PH
1496
1497BOOL date_header_exists = FALSE;
1498
1499/* Pointers to receive the addresses of headers whose contents we need. */
1500
1501header_line *from_header = NULL;
1502header_line *subject_header = NULL;
1503header_line *msgid_header = NULL;
1504header_line *received_header;
1505
4840604e
TL
1506#ifdef EXPERIMENTAL_DMARC
1507int dmarc_up = 0;
1508#endif /* EXPERIMENTAL_DMARC */
1509
059ec3d9
PH
1510/* Variables for use when building the Received: header. */
1511
059ec3d9
PH
1512uschar *timestamp;
1513int tslen;
1514
1515/* Release any open files that might have been cached while preparing to
1516accept the message - e.g. by verifying addresses - because reading a message
1517might take a fair bit of real time. */
1518
1519search_tidyup();
1520
e4bdf652
JH
1521/* Extracting the recipient list from an input file is incompatible with
1522cutthrough delivery with the no-spool option. It shouldn't be possible
817d9f57 1523to set up the combination, but just in case kill any ongoing connection. */
e4bdf652 1524if (extract_recip || !smtp_input)
2e5b33cd 1525 cancel_cutthrough_connection("not smtp input");
e4bdf652 1526
059ec3d9
PH
1527/* Initialize the chain of headers by setting up a place-holder for Received:
1528header. Temporarily mark it as "old", i.e. not to be used. We keep header_last
1529pointing to the end of the chain to make adding headers simple. */
1530
1531received_header = header_list = header_last = store_get(sizeof(header_line));
1532header_list->next = NULL;
1533header_list->type = htype_old;
1534header_list->text = NULL;
1535header_list->slen = 0;
1536
1537/* Control block for the next header to be read. */
1538
1539next = store_get(sizeof(header_line));
1540next->text = store_get(header_size);
1541
1542/* Initialize message id to be null (indicating no message read), and the
1543header names list to be the normal list. Indicate there is no data file open
1544yet, initialize the size and warning count, and deal with no size limit. */
1545
1546message_id[0] = 0;
1547data_file = NULL;
1548data_fd = -1;
41313d92 1549spool_name = US"";
059ec3d9
PH
1550message_size = 0;
1551warning_count = 0;
d677b2f2 1552received_count = 1; /* For the one we will add */
059ec3d9
PH
1553
1554if (thismessage_size_limit <= 0) thismessage_size_limit = INT_MAX;
1555
2e0c1448 1556/* While reading the message, the following counts are computed. */
059ec3d9 1557
d677b2f2
PH
1558message_linecount = body_linecount = body_zerocount =
1559 max_received_linelength = 0;
059ec3d9 1560
80a47a2c
TK
1561#ifndef DISABLE_DKIM
1562/* Call into DKIM to set up the context. */
1563if (smtp_input && !smtp_batched_input && !dkim_disable_verify) dkim_exim_verify_init();
fb2274d4
TK
1564#endif
1565
4840604e
TL
1566#ifdef EXPERIMENTAL_DMARC
1567/* initialize libopendmarc */
1568dmarc_up = dmarc_init();
1569#endif
1570
059ec3d9
PH
1571/* Remember the time of reception. Exim uses time+pid for uniqueness of message
1572ids, and fractions of a second are required. See the comments that precede the
1573message id creation below. */
1574
1575(void)gettimeofday(&message_id_tv, NULL);
1576
1577/* For other uses of the received time we can operate with granularity of one
1578second, and for that we use the global variable received_time. This is for
1579things like ultimate message timeouts. */
1580
1581received_time = message_id_tv.tv_sec;
1582
1583/* If SMTP input, set the special handler for timeouts. The alarm() calls
1584happen in the smtp_getc() function when it refills its buffer. */
1585
1586if (smtp_input) os_non_restarting_signal(SIGALRM, data_timeout_handler);
1587
1588/* If not SMTP input, timeout happens only if configured, and we just set a
1589single timeout for the whole message. */
1590
1591else if (receive_timeout > 0)
1592 {
1593 os_non_restarting_signal(SIGALRM, data_timeout_handler);
1594 alarm(receive_timeout);
1595 }
1596
1597/* SIGTERM and SIGINT are caught always. */
1598
1599signal(SIGTERM, data_sigterm_sigint_handler);
1600signal(SIGINT, data_sigterm_sigint_handler);
1601
1602/* Header lines in messages are not supposed to be very long, though when
1603unfolded, to: and cc: headers can take up a lot of store. We must also cope
1604with the possibility of junk being thrown at us. Start by getting 256 bytes for
1605storing the header, and extend this as necessary using string_cat().
1606
1607To cope with total lunacies, impose an upper limit on the length of the header
1608section of the message, as otherwise the store will fill up. We must also cope
1609with the possibility of binary zeros in the data. Hence we cannot use fgets().
1610Folded header lines are joined into one string, leaving the '\n' characters
1611inside them, so that writing them out reproduces the input.
1612
1613Loop for each character of each header; the next structure for chaining the
1614header is set up already, with ptr the offset of the next character in
1615next->text. */
1616
1617for (;;)
1618 {
18481de3 1619/*XXX CHUNKING: account for BDAT size & last, and do more chunks as needed */
80a47a2c 1620 int ch = (receive_getc)();
059ec3d9
PH
1621
1622 /* If we hit EOF on a SMTP connection, it's an error, since incoming
1623 SMTP must have a correct "." terminator. */
1624
1625 if (ch == EOF && smtp_input /* && !smtp_batched_input */)
1626 {
1627 smtp_reply = handle_lost_connection(US" (header)");
1628 smtp_yield = FALSE;
1629 goto TIDYUP; /* Skip to end of function */
1630 }
1631
1632 /* See if we are at the current header's size limit - there must be at least
1633 four bytes left. This allows for the new character plus a zero, plus two for
1634 extra insertions when we are playing games with dots and carriage returns. If
1635 we are at the limit, extend the text buffer. This could have been done
1636 automatically using string_cat() but because this is a tightish loop storing
1637 only one character at a time, we choose to do it inline. Normally
1638 store_extend() will be able to extend the block; only at the end of a big
1639 store block will a copy be needed. To handle the case of very long headers
1640 (and sometimes lunatic messages can have ones that are 100s of K long) we
1641 call store_release() for strings that have been copied - if the string is at
1642 the start of a block (and therefore the only thing in it, because we aren't
1643 doing any other gets), the block gets freed. We can only do this because we
1644 know there are no other calls to store_get() going on. */
1645
1646 if (ptr >= header_size - 4)
1647 {
1648 int oldsize = header_size;
1649 /* header_size += 256; */
1650 header_size *= 2;
1651 if (!store_extend(next->text, oldsize, header_size))
1652 {
1653 uschar *newtext = store_get(header_size);
1654 memcpy(newtext, next->text, ptr);
1655 store_release(next->text);
1656 next->text = newtext;
1657 }
1658 }
1659
1660 /* Cope with receiving a binary zero. There is dispute about whether
1661 these should be allowed in RFC 822 messages. The middle view is that they
1662 should not be allowed in headers, at least. Exim takes this attitude at
1663 the moment. We can't just stomp on them here, because we don't know that
1664 this line is a header yet. Set a flag to cause scanning later. */
1665
1666 if (ch == 0) had_zero++;
1667
1668 /* Test for termination. Lines in remote SMTP are terminated by CRLF, while
1669 those from data files use just LF. Treat LF in local SMTP input as a
1670 terminator too. Treat EOF as a line terminator always. */
1671
1672 if (ch == EOF) goto EOL;
1673
1674 /* FUDGE: There are sites out there that don't send CRs before their LFs, and
1675 other MTAs accept this. We are therefore forced into this "liberalisation"
1676 too, so we accept LF as a line terminator whatever the source of the message.
1677 However, if the first line of the message ended with a CRLF, we treat a bare
1678 LF specially by inserting a white space after it to ensure that the header
1679 line is not terminated. */
1680
1681 if (ch == '\n')
1682 {
1683 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE;
80a47a2c 1684 else if (first_line_ended_crlf) receive_ungetc(' ');
059ec3d9
PH
1685 goto EOL;
1686 }
1687
1688 /* This is not the end of the line. If this is SMTP input and this is
1689 the first character in the line and it is a "." character, ignore it.
1690 This implements the dot-doubling rule, though header lines starting with
1691 dots aren't exactly common. They are legal in RFC 822, though. If the
1692 following is CRLF or LF, this is the line that that terminates the
1693 entire message. We set message_ended to indicate this has happened (to
1694 prevent further reading), and break out of the loop, having freed the
1695 empty header, and set next = NULL to indicate no data line. */
1696
1697 if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
1698 {
80a47a2c 1699 ch = (receive_getc)();
059ec3d9
PH
1700 if (ch == '\r')
1701 {
80a47a2c 1702 ch = (receive_getc)();
059ec3d9
PH
1703 if (ch != '\n')
1704 {
80a47a2c 1705 receive_ungetc(ch);
059ec3d9
PH
1706 ch = '\r'; /* Revert to CR */
1707 }
1708 }
1709 if (ch == '\n')
1710 {
1711 message_ended = END_DOT;
1712 store_reset(next);
1713 next = NULL;
1714 break; /* End character-reading loop */
1715 }
1716
1717 /* For non-SMTP input, the dot at the start of the line was really a data
1718 character. What is now in ch is the following character. We guaranteed
1719 enough space for this above. */
1720
1721 if (!smtp_input)
1722 {
1723 next->text[ptr++] = '.';
1724 message_size++;
1725 }
1726 }
1727
1728 /* If CR is immediately followed by LF, end the line, ignoring the CR, and
1729 remember this case if this is the first line ending. */
1730
1731 if (ch == '\r')
1732 {
80a47a2c 1733 ch = (receive_getc)();
059ec3d9
PH
1734 if (ch == '\n')
1735 {
1736 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
1737 goto EOL;
1738 }
1739
1740 /* Otherwise, put back the character after CR, and turn the bare CR
1741 into LF SP. */
1742
80a47a2c 1743 ch = (receive_ungetc)(ch);
059ec3d9
PH
1744 next->text[ptr++] = '\n';
1745 message_size++;
1746 ch = ' ';
1747 }
1748
1749 /* We have a data character for the header line. */
1750
1751 next->text[ptr++] = ch; /* Add to buffer */
1752 message_size++; /* Total message size so far */
1753
1754 /* Handle failure due to a humungously long header section. The >= allows
1755 for the terminating \n. Add what we have so far onto the headers list so
1756 that it gets reflected in any error message, and back up the just-read
1757 character. */
1758
1759 if (message_size >= header_maxsize)
1760 {
1761 next->text[ptr] = 0;
1762 next->slen = ptr;
1763 next->type = htype_other;
1764 next->next = NULL;
1765 header_last->next = next;
1766 header_last = next;
1767
1768 log_write(0, LOG_MAIN, "ridiculously long message header received from "
1769 "%s (more than %d characters): message abandoned",
1770 sender_host_unknown? sender_ident : sender_fullhost, header_maxsize);
1771
1772 if (smtp_input)
1773 {
1774 smtp_reply = US"552 Message header is ridiculously long";
1775 receive_swallow_smtp();
1776 goto TIDYUP; /* Skip to end of function */
1777 }
1778
1779 else
1780 {
1781 give_local_error(ERRMESS_VLONGHEADER,
1782 string_sprintf("message header longer than %d characters received: "
1783 "message not accepted", header_maxsize), US"", error_rc, stdin,
1784 header_list->next);
1785 /* Does not return */
1786 }
1787 }
1788
1789 continue; /* With next input character */
1790
1791 /* End of header line reached */
1792
1793 EOL:
2e0c1448
PH
1794
1795 /* Keep track of lines for BSMTP errors and overall message_linecount. */
1796
1797 receive_linecount++;
1798 message_linecount++;
059ec3d9 1799
d677b2f2
PH
1800 /* Keep track of maximum line length */
1801
1802 if (ptr - prevlines_length > max_received_linelength)
1803 max_received_linelength = ptr - prevlines_length;
1804 prevlines_length = ptr + 1;
1805
059ec3d9
PH
1806 /* Now put in the terminating newline. There is always space for
1807 at least two more characters. */
1808
1809 next->text[ptr++] = '\n';
1810 message_size++;
1811
1812 /* A blank line signals the end of the headers; release the unwanted
1813 space and set next to NULL to indicate this. */
1814
1815 if (ptr == 1)
1816 {
1817 store_reset(next);
1818 next = NULL;
1819 break;
1820 }
1821
1822 /* There is data in the line; see if the next input character is a
1823 whitespace character. If it is, we have a continuation of this header line.
1824 There is always space for at least one character at this point. */
1825
1826 if (ch != EOF)
1827 {
80a47a2c 1828 int nextch = (receive_getc)();
059ec3d9
PH
1829 if (nextch == ' ' || nextch == '\t')
1830 {
1831 next->text[ptr++] = nextch;
1832 message_size++;
1833 continue; /* Iterate the loop */
1834 }
80a47a2c 1835 else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */
059ec3d9
PH
1836 else ch = EOF; /* Cause main loop to exit at end */
1837 }
1838
1839 /* We have got to the real line end. Terminate the string and release store
1840 beyond it. If it turns out to be a real header, internal binary zeros will
1841 be squashed later. */
1842
1843 next->text[ptr] = 0;
1844 next->slen = ptr;
1845 store_reset(next->text + ptr + 1);
1846
1847 /* Check the running total size against the overall message size limit. We
1848 don't expect to fail here, but if the overall limit is set less than MESSAGE_
1849 MAXSIZE and a big header is sent, we want to catch it. Just stop reading
1850 headers - the code to read the body will then also hit the buffer. */
1851
1852 if (message_size > thismessage_size_limit) break;
1853
1854 /* A line that is not syntactically correct for a header also marks
1855 the end of the headers. In this case, we leave next containing the
1856 first data line. This might actually be several lines because of the
1857 continuation logic applied above, but that doesn't matter.
1858
1859 It turns out that smail, and presumably sendmail, accept leading lines
1860 of the form
1861
1862 From ph10 Fri Jan 5 12:35 GMT 1996
1863
1864 in messages. The "mail" command on Solaris 2 sends such lines. I cannot
1865 find any documentation of this, but for compatibility it had better be
1866 accepted. Exim restricts it to the case of non-smtp messages, and
1867 treats it as an alternative to the -f command line option. Thus it is
1868 ignored except for trusted users or filter testing. Otherwise it is taken
1869 as the sender address, unless -f was used (sendmail compatibility).
1870
1871 It further turns out that some UUCPs generate the From_line in a different
1872 format, e.g.
1873
1874 From ph10 Fri, 7 Jan 97 14:00:00 GMT
1875
1876 The regex for matching these things is now capable of recognizing both
1877 formats (including 2- and 4-digit years in the latter). In fact, the regex
1878 is now configurable, as is the expansion string to fish out the sender.
1879
1880 Even further on it has been discovered that some broken clients send
1881 these lines in SMTP messages. There is now an option to ignore them from
1882 specified hosts or networks. Sigh. */
1883
1884 if (header_last == header_list &&
1885 (!smtp_input
1886 ||
1887 (sender_host_address != NULL &&
1888 verify_check_host(&ignore_fromline_hosts) == OK)
1889 ||
1890 (sender_host_address == NULL && ignore_fromline_local)
1891 ) &&
1892 regex_match_and_setup(regex_From, next->text, 0, -1))
1893 {
1894 if (!sender_address_forced)
1895 {
1896 uschar *uucp_sender = expand_string(uucp_from_sender);
1897 if (uucp_sender == NULL)
1898 {
1899 log_write(0, LOG_MAIN|LOG_PANIC,
1900 "expansion of \"%s\" failed after matching "
1901 "\"From \" line: %s", uucp_from_sender, expand_string_message);
1902 }
1903 else
1904 {
1905 int start, end, domain;
1906 uschar *errmess;
1907 uschar *newsender = parse_extract_address(uucp_sender, &errmess,
1908 &start, &end, &domain, TRUE);
1909 if (newsender != NULL)
1910 {
1911 if (domain == 0 && newsender[0] != 0)
1912 newsender = rewrite_address_qualify(newsender, FALSE);
1913
f05da2e8 1914 if (filter_test != FTEST_NONE || receive_check_set_sender(newsender))
059ec3d9
PH
1915 {
1916 sender_address = newsender;
1917
f05da2e8 1918 if (trusted_caller || filter_test != FTEST_NONE)
059ec3d9
PH
1919 {
1920 authenticated_sender = NULL;
1921 originator_name = US"";
1922 sender_local = FALSE;
1923 }
1924
f05da2e8 1925 if (filter_test != FTEST_NONE)
059ec3d9
PH
1926 printf("Sender taken from \"From \" line\n");
1927 }
1928 }
1929 }
1930 }
1931 }
1932
1933 /* Not a leading "From " line. Check to see if it is a valid header line.
1934 Header names may contain any non-control characters except space and colon,
1935 amazingly. */
1936
1937 else
1938 {
1939 uschar *p = next->text;
1940
1941 /* If not a valid header line, break from the header reading loop, leaving
1942 next != NULL, indicating that it holds the first line of the body. */
1943
1944 if (isspace(*p)) break;
1945 while (mac_isgraph(*p) && *p != ':') p++;
1946 while (isspace(*p)) p++;
1947 if (*p != ':')
1948 {
1949 body_zerocount = had_zero;
1950 break;
1951 }
1952
1953 /* We have a valid header line. If there were any binary zeroes in
1954 the line, stomp on them here. */
1955
1956 if (had_zero > 0)
1957 for (p = next->text; p < next->text + ptr; p++) if (*p == 0) *p = '?';
1958
1959 /* It is perfectly legal to have an empty continuation line
1960 at the end of a header, but it is confusing to humans
1961 looking at such messages, since it looks like a blank line.
1962 Reduce confusion by removing redundant white space at the
1963 end. We know that there is at least one printing character
1964 (the ':' tested for above) so there is no danger of running
1965 off the end. */
1966
1967 p = next->text + ptr - 2;
1968 for (;;)
1969 {
1970 while (*p == ' ' || *p == '\t') p--;
1971 if (*p != '\n') break;
1972 ptr = (p--) - next->text + 1;
1973 message_size -= next->slen - ptr;
1974 next->text[ptr] = 0;
1975 next->slen = ptr;
1976 }
1977
1978 /* Add the header to the chain */
1979
1980 next->type = htype_other;
1981 next->next = NULL;
1982 header_last->next = next;
1983 header_last = next;
1984
1985 /* Check the limit for individual line lengths. This comes after adding to
1986 the chain so that the failing line is reflected if a bounce is generated
1987 (for a local message). */
1988
1989 if (header_line_maxsize > 0 && next->slen > header_line_maxsize)
1990 {
1991 log_write(0, LOG_MAIN, "overlong message header line received from "
1992 "%s (more than %d characters): message abandoned",
1993 sender_host_unknown? sender_ident : sender_fullhost,
1994 header_line_maxsize);
1995
1996 if (smtp_input)
1997 {
1998 smtp_reply = US"552 A message header line is too long";
1999 receive_swallow_smtp();
2000 goto TIDYUP; /* Skip to end of function */
2001 }
2002
2003 else
2004 {
2005 give_local_error(ERRMESS_VLONGHDRLINE,
2006 string_sprintf("message header line longer than %d characters "
2007 "received: message not accepted", header_line_maxsize), US"",
2008 error_rc, stdin, header_list->next);
2009 /* Does not return */
2010 }
2011 }
2012
2013 /* Note if any resent- fields exist. */
2014
2015 if (!resents_exist && strncmpic(next->text, US"resent-", 7) == 0)
2016 {
2017 resents_exist = TRUE;
2018 resent_prefix = US"Resent-";
2019 }
2020 }
2021
2022 /* The line has been handled. If we have hit EOF, break out of the loop,
2023 indicating no pending data line. */
2024
2025 if (ch == EOF) { next = NULL; break; }
2026
2027 /* Set up for the next header */
2028
2029 header_size = 256;
2030 next = store_get(sizeof(header_line));
2031 next->text = store_get(header_size);
2032 ptr = 0;
2033 had_zero = 0;
d677b2f2 2034 prevlines_length = 0;
059ec3d9
PH
2035 } /* Continue, starting to read the next header */
2036
2037/* At this point, we have read all the headers into a data structure in main
2038store. The first header is still the dummy placeholder for the Received: header
2039we are going to generate a bit later on. If next != NULL, it contains the first
2040data line - which terminated the headers before reaching a blank line (not the
2041normal case). */
2042
2043DEBUG(D_receive)
2044 {
2045 debug_printf(">>Headers received:\n");
2046 for (h = header_list->next; h != NULL; h = h->next)
2047 debug_printf("%s", h->text);
2048 debug_printf("\n");
2049 }
2050
2051/* End of file on any SMTP connection is an error. If an incoming SMTP call
2052is dropped immediately after valid headers, the next thing we will see is EOF.
2053We must test for this specially, as further down the reading of the data is
2054skipped if already at EOF. */
2055
2056if (smtp_input && (receive_feof)())
2057 {
2058 smtp_reply = handle_lost_connection(US" (after header)");
2059 smtp_yield = FALSE;
2060 goto TIDYUP; /* Skip to end of function */
2061 }
2062
2063/* If this is a filter test run and no headers were read, output a warning
2064in case there is a mistake in the test message. */
2065
f05da2e8 2066if (filter_test != FTEST_NONE && header_list->next == NULL)
059ec3d9
PH
2067 printf("Warning: no message headers read\n");
2068
2069
2070/* Scan the headers to identify them. Some are merely marked for later
2071processing; some are dealt with here. */
2072
2073for (h = header_list->next; h != NULL; h = h->next)
2074 {
2075 BOOL is_resent = strncmpic(h->text, US"resent-", 7) == 0;
2076 if (is_resent) contains_resent_headers = TRUE;
2077
2078 switch (header_checkname(h, is_resent))
2079 {
059ec3d9 2080 case htype_bcc:
2cbb4081 2081 h->type = htype_bcc; /* Both Bcc: and Resent-Bcc: */
059ec3d9
PH
2082 break;
2083
059ec3d9 2084 case htype_cc:
2cbb4081 2085 h->type = htype_cc; /* Both Cc: and Resent-Cc: */
059ec3d9
PH
2086 break;
2087
2088 /* Record whether a Date: or Resent-Date: header exists, as appropriate. */
2089
2090 case htype_date:
4c69d561 2091 if (!resents_exist || is_resent) date_header_exists = TRUE;
059ec3d9
PH
2092 break;
2093
2094 /* Same comments as about Return-Path: below. */
2095
2096 case htype_delivery_date:
2097 if (delivery_date_remove) h->type = htype_old;
2098 break;
2099
2100 /* Same comments as about Return-Path: below. */
2101
2102 case htype_envelope_to:
2103 if (envelope_to_remove) h->type = htype_old;
2104 break;
2105
2106 /* Mark all "From:" headers so they get rewritten. Save the one that is to
2107 be used for Sender: checking. For Sendmail compatibility, if the "From:"
2108 header consists of just the login id of the user who called Exim, rewrite
2109 it with the gecos field first. Apply this rule to Resent-From: if there
2110 are resent- fields. */
2111
2112 case htype_from:
2113 h->type = htype_from;
2114 if (!resents_exist || is_resent)
2115 {
2116 from_header = h;
2117 if (!smtp_input)
2118 {
5de8faa3 2119 int len;
059ec3d9
PH
2120 uschar *s = Ustrchr(h->text, ':') + 1;
2121 while (isspace(*s)) s++;
5de8faa3 2122 len = h->slen - (s - h->text) - 1;
e0fccd1d
TF
2123 if (Ustrlen(originator_login) == len &&
2124 strncmpic(s, originator_login, len) == 0)
059ec3d9
PH
2125 {
2126 uschar *name = is_resent? US"Resent-From" : US"From";
2127 header_add(htype_from, "%s: %s <%s@%s>\n", name, originator_name,
2128 originator_login, qualify_domain_sender);
2129 from_header = header_last;
2130 h->type = htype_old;
2131 DEBUG(D_receive|D_rewrite)
2132 debug_printf("rewrote \"%s:\" header using gecos\n", name);
2133 }
2134 }
2135 }
2136 break;
2137
2138 /* Identify the Message-id: header for generating "in-reply-to" in the
2139 autoreply transport. For incoming logging, save any resent- value. In both
2140 cases, take just the first of any multiples. */
2141
2142 case htype_id:
2143 if (msgid_header == NULL && (!resents_exist || is_resent))
2144 {
2145 msgid_header = h;
2146 h->type = htype_id;
2147 }
2148 break;
2149
2150 /* Flag all Received: headers */
2151
2152 case htype_received:
2153 h->type = htype_received;
2154 received_count++;
2155 break;
2156
2157 /* "Reply-to:" is just noted (there is no resent-reply-to field) */
2158
2159 case htype_reply_to:
2160 h->type = htype_reply_to;
2161 break;
2162
2163 /* The Return-path: header is supposed to be added to messages when
2164 they leave the SMTP system. We shouldn't receive messages that already
2165 contain Return-path. However, since Exim generates Return-path: on
2166 local delivery, resent messages may well contain it. We therefore
2167 provide an option (which defaults on) to remove any Return-path: headers
2168 on input. Removal actually means flagging as "old", which prevents the
2169 header being transmitted with the message. */
2170
2171 case htype_return_path:
2172 if (return_path_remove) h->type = htype_old;
2173
2174 /* If we are testing a mail filter file, use the value of the
2175 Return-Path: header to set up the return_path variable, which is not
2176 otherwise set. However, remove any <> that surround the address
2177 because the variable doesn't have these. */
2178
f05da2e8 2179 if (filter_test != FTEST_NONE)
059ec3d9
PH
2180 {
2181 uschar *start = h->text + 12;
2182 uschar *end = start + Ustrlen(start);
2183 while (isspace(*start)) start++;
2184 while (end > start && isspace(end[-1])) end--;
2185 if (*start == '<' && end[-1] == '>')
2186 {
2187 start++;
2188 end--;
2189 }
2190 return_path = string_copyn(start, end - start);
2191 printf("Return-path taken from \"Return-path:\" header line\n");
2192 }
2193 break;
2194
2195 /* If there is a "Sender:" header and the message is locally originated,
8800895a
PH
2196 and from an untrusted caller and suppress_local_fixups is not set, or if we
2197 are in submission mode for a remote message, mark it "old" so that it will
2198 not be transmitted with the message, unless active_local_sender_retain is
2199 set. (This can only be true if active_local_from_check is false.) If there
2200 are any resent- headers in the message, apply this rule to Resent-Sender:
2201 instead of Sender:. Messages with multiple resent- header sets cannot be
2202 tidily handled. (For this reason, at least one MUA - Pine - turns old
2203 resent- headers into X-resent- headers when resending, leaving just one
2204 set.) */
059ec3d9
PH
2205
2206 case htype_sender:
69358f02 2207 h->type = ((!active_local_sender_retain &&
8800895a
PH
2208 (
2209 (sender_local && !trusted_caller && !suppress_local_fixups)
2210 || submission_mode
2211 )
059ec3d9
PH
2212 ) &&
2213 (!resents_exist||is_resent))?
2214 htype_old : htype_sender;
2215 break;
2216
2217 /* Remember the Subject: header for logging. There is no Resent-Subject */
2218
2219 case htype_subject:
2220 subject_header = h;
2221 break;
2222
2223 /* "To:" gets flagged, and the existence of a recipient header is noted,
2224 whether it's resent- or not. */
2225
2226 case htype_to:
2227 h->type = htype_to;
2228 /****
2229 to_or_cc_header_exists = TRUE;
2230 ****/
2231 break;
2232 }
2233 }
2234
2235/* Extract recipients from the headers if that is required (the -t option).
2236Note that this is documented as being done *before* any address rewriting takes
2237place. There are two possibilities:
2238
2239(1) According to sendmail documentation for Solaris, IRIX, and HP-UX, any
2240recipients already listed are to be REMOVED from the message. Smail 3 works
2241like this. We need to build a non-recipients tree for that list, because in
2242subsequent processing this data is held in a tree and that's what the
2243spool_write_header() function expects. Make sure that non-recipient addresses
2244are fully qualified and rewritten if necessary.
2245
2246(2) According to other sendmail documentation, -t ADDS extracted recipients to
2247those in the command line arguments (and it is rumoured some other MTAs do
2248this). Therefore, there is an option to make Exim behave this way.
2249
2250*** Notes on "Resent-" header lines ***
2251
2252The presence of resent-headers in the message makes -t horribly ambiguous.
2253Experiments with sendmail showed that it uses recipients for all resent-
2254headers, totally ignoring the concept of "sets of resent- headers" as described
2255in RFC 2822 section 3.6.6. Sendmail also amalgamates them into a single set
2256with all the addresses in one instance of each header.
2257
2258This seems to me not to be at all sensible. Before release 4.20, Exim 4 gave an
2259error for -t if there were resent- headers in the message. However, after a
2260discussion on the mailing list, I've learned that there are MUAs that use
2261resent- headers with -t, and also that the stuff about sets of resent- headers
2262and their ordering in RFC 2822 is generally ignored. An MUA that submits a
2263message with -t and resent- header lines makes sure that only *its* resent-
2264headers are present; previous ones are often renamed as X-resent- for example.
2265
2266Consequently, Exim has been changed so that, if any resent- header lines are
2267present, the recipients are taken from all of the appropriate resent- lines,
2268and not from the ordinary To:, Cc:, etc. */
2269
2270if (extract_recip)
2271 {
2272 int rcount = 0;
2273 error_block **bnext = &bad_addresses;
2274
2275 if (extract_addresses_remove_arguments)
2276 {
2277 while (recipients_count-- > 0)
2278 {
2279 uschar *s = rewrite_address(recipients_list[recipients_count].address,
2280 TRUE, TRUE, global_rewrite_rules, rewrite_existflags);
2281 tree_add_nonrecipient(s);
2282 }
2283 recipients_list = NULL;
2284 recipients_count = recipients_list_max = 0;
2285 }
2286
059ec3d9
PH
2287 /* Now scan the headers */
2288
2289 for (h = header_list->next; h != NULL; h = h->next)
2290 {
2291 if ((h->type == htype_to || h->type == htype_cc || h->type == htype_bcc) &&
2292 (!contains_resent_headers || strncmpic(h->text, US"resent-", 7) == 0))
2293 {
2294 uschar *s = Ustrchr(h->text, ':') + 1;
2295 while (isspace(*s)) s++;
2296
1eccaa59
PH
2297 parse_allow_group = TRUE; /* Allow address group syntax */
2298
059ec3d9
PH
2299 while (*s != 0)
2300 {
2301 uschar *ss = parse_find_address_end(s, FALSE);
2302 uschar *recipient, *errmess, *p, *pp;
2303 int start, end, domain;
2304
2305 /* Check on maximum */
2306
2307 if (recipients_max > 0 && ++rcount > recipients_max)
2308 {
2309 give_local_error(ERRMESS_TOOMANYRECIP, US"too many recipients",
2310 US"message rejected: ", error_rc, stdin, NULL);
2311 /* Does not return */
2312 }
2313
2314 /* Make a copy of the address, and remove any internal newlines. These
2315 may be present as a result of continuations of the header line. The
2316 white space that follows the newline must not be removed - it is part
2317 of the header. */
2318
2319 pp = recipient = store_get(ss - s + 1);
2320 for (p = s; p < ss; p++) if (*p != '\n') *pp++ = *p;
2321 *pp = 0;
250b6871 2322
8c5d388a 2323#ifdef SUPPORT_I18N
250b6871
JH
2324 {
2325 BOOL b = allow_utf8_domains;
2326 allow_utf8_domains = TRUE;
2327#endif
059ec3d9
PH
2328 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2329 &domain, FALSE);
2330
8c5d388a 2331#ifdef SUPPORT_I18N
250b6871
JH
2332 if (string_is_utf8(recipient))
2333 message_smtputf8 = TRUE;
2334 else
2335 allow_utf8_domains = b;
2336 }
2337#endif
2338
059ec3d9
PH
2339 /* Keep a list of all the bad addresses so we can send a single
2340 error message at the end. However, an empty address is not an error;
2341 just ignore it. This can come from an empty group list like
2342
2343 To: Recipients of list:;
2344
2345 If there are no recipients at all, an error will occur later. */
2346
2347 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2348 {
2349 int len = Ustrlen(s);
2350 error_block *b = store_get(sizeof(error_block));
2351 while (len > 0 && isspace(s[len-1])) len--;
2352 b->next = NULL;
2353 b->text1 = string_printing(string_copyn(s, len));
2354 b->text2 = errmess;
2355 *bnext = b;
2356 bnext = &(b->next);
2357 }
2358
2359 /* If the recipient is already in the nonrecipients tree, it must
2360 have appeared on the command line with the option extract_addresses_
2361 remove_arguments set. Do not add it to the recipients, and keep a note
2362 that this has happened, in order to give a better error if there are
2363 no recipients left. */
2364
2365 else if (recipient != NULL)
2366 {
2367 if (tree_search(tree_nonrecipients, recipient) == NULL)
2368 receive_add_recipient(recipient, -1);
2369 else
2370 extracted_ignored = TRUE;
2371 }
2372
2373 /* Move on past this address */
2374
2375 s = ss + (*ss? 1:0);
2376 while (isspace(*s)) s++;
1eccaa59
PH
2377 } /* Next address */
2378
2379 parse_allow_group = FALSE; /* Reset group syntax flags */
2380 parse_found_group = FALSE;
059ec3d9
PH
2381
2382 /* If this was the bcc: header, mark it "old", which means it
2383 will be kept on the spool, but not transmitted as part of the
2384 message. */
2385
2cbb4081 2386 if (h->type == htype_bcc) h->type = htype_old;
059ec3d9
PH
2387 } /* For appropriate header line */
2388 } /* For each header line */
2389
059ec3d9
PH
2390 }
2391
2392/* Now build the unique message id. This has changed several times over the
2393lifetime of Exim. This description was rewritten for Exim 4.14 (February 2003).
2394Retaining all the history in the comment has become too unwieldy - read
2395previous release sources if you want it.
2396
2397The message ID has 3 parts: tttttt-pppppp-ss. Each part is a number in base 62.
2398The first part is the current time, in seconds. The second part is the current
2399pid. Both are large enough to hold 32-bit numbers in base 62. The third part
2400can hold a number in the range 0-3843. It used to be a computed sequence
2401number, but is now the fractional component of the current time in units of
24021/2000 of a second (i.e. a value in the range 0-1999). After a message has been
2403received, Exim ensures that the timer has ticked at the appropriate level
2404before proceeding, to avoid duplication if the pid happened to be re-used
2405within the same time period. It seems likely that most messages will take at
2406least half a millisecond to be received, so no delay will normally be
2407necessary. At least for some time...
2408
2409There is a modification when localhost_number is set. Formerly this was allowed
2410to be as large as 255. Now it is restricted to the range 0-16, and the final
2411component of the message id becomes (localhost_number * 200) + fractional time
2412in units of 1/200 of a second (i.e. a value in the range 0-3399).
2413
2414Some not-really-Unix operating systems use case-insensitive file names (Darwin,
2415Cygwin). For these, we have to use base 36 instead of base 62. Luckily, this
2416still allows the tttttt field to hold a large enough number to last for some
2417more decades, and the final two-digit field can hold numbers up to 1295, which
2418is enough for milliseconds (instead of 1/2000 of a second).
2419
2420However, the pppppp field cannot hold a 32-bit pid, but it can hold a 31-bit
2421pid, so it is probably safe because pids have to be positive. The
2422localhost_number is restricted to 0-10 for these hosts, and when it is set, the
2423final field becomes (localhost_number * 100) + fractional time in centiseconds.
2424
2425Note that string_base62() returns its data in a static storage block, so it
2426must be copied before calling string_base62() again. It always returns exactly
24276 characters.
2428
2429There doesn't seem to be anything in the RFC which requires a message id to
2430start with a letter, but Smail was changed to ensure this. The external form of
2431the message id (as supplied by string expansion) therefore starts with an
2432additional leading 'E'. The spool file names do not include this leading
2433letter and it is not used internally.
2434
2435NOTE: If ever the format of message ids is changed, the regular expression for
2436checking that a string is in this format must be updated in a corresponding
2437way. It appears in the initializing code in exim.c. The macro MESSAGE_ID_LENGTH
2438must also be changed to reflect the correct string length. Then, of course,
2439other programs that rely on the message id format will need updating too. */
2440
2441Ustrncpy(message_id, string_base62((long int)(message_id_tv.tv_sec)), 6);
2442message_id[6] = '-';
2443Ustrncpy(message_id + 7, string_base62((long int)getpid()), 6);
2444
2445/* Deal with the case where the host number is set. The value of the number was
2446checked when it was read, to ensure it isn't too big. The timing granularity is
2447left in id_resolution so that an appropriate wait can be done after receiving
2448the message, if necessary (we hope it won't be). */
2449
2450if (host_number_string != NULL)
2451 {
2452 id_resolution = (BASE_62 == 62)? 5000 : 10000;
2453 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2454 string_base62((long int)(
2455 host_number * (1000000/id_resolution) +
2456 message_id_tv.tv_usec/id_resolution)) + 4);
2457 }
2458
2459/* Host number not set: final field is just the fractional time at an
2460appropriate resolution. */
2461
2462else
2463 {
2464 id_resolution = (BASE_62 == 62)? 500 : 1000;
2465 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2466 string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4);
2467 }
2468
2469/* Add the current message id onto the current process info string if
2470it will fit. */
2471
2472(void)string_format(process_info + process_info_len,
2473 PROCESS_INFO_SIZE - process_info_len, " id=%s", message_id);
2474
2475/* If we are using multiple input directories, set up the one for this message
2476to be the least significant base-62 digit of the time of arrival. Otherwise
2477ensure that it is an empty string. */
2478
a2da3176 2479message_subdir[0] = split_spool_directory ? message_id[5] : 0;
059ec3d9
PH
2480
2481/* Now that we have the message-id, if there is no message-id: header, generate
8800895a
PH
2482one, but only for local (without suppress_local_fixups) or submission mode
2483messages. This can be user-configured if required, but we had better flatten
2484any illegal characters therein. */
059ec3d9 2485
8800895a
PH
2486if (msgid_header == NULL &&
2487 ((sender_host_address == NULL && !suppress_local_fixups)
2488 || submission_mode))
059ec3d9
PH
2489 {
2490 uschar *p;
2491 uschar *id_text = US"";
2492 uschar *id_domain = primary_hostname;
2493
2494 /* Permit only letters, digits, dots, and hyphens in the domain */
2495
2496 if (message_id_domain != NULL)
2497 {
2498 uschar *new_id_domain = expand_string(message_id_domain);
2499 if (new_id_domain == NULL)
2500 {
2501 if (!expand_string_forcedfail)
2502 log_write(0, LOG_MAIN|LOG_PANIC,
2503 "expansion of \"%s\" (message_id_header_domain) "
2504 "failed: %s", message_id_domain, expand_string_message);
2505 }
2506 else if (*new_id_domain != 0)
2507 {
2508 id_domain = new_id_domain;
2509 for (p = id_domain; *p != 0; p++)
2510 if (!isalnum(*p) && *p != '.') *p = '-'; /* No need to test '-' ! */
2511 }
2512 }
2513
2514 /* Permit all characters except controls and RFC 2822 specials in the
2515 additional text part. */
2516
2517 if (message_id_text != NULL)
2518 {
2519 uschar *new_id_text = expand_string(message_id_text);
2520 if (new_id_text == NULL)
2521 {
2522 if (!expand_string_forcedfail)
2523 log_write(0, LOG_MAIN|LOG_PANIC,
2524 "expansion of \"%s\" (message_id_header_text) "
2525 "failed: %s", message_id_text, expand_string_message);
2526 }
2527 else if (*new_id_text != 0)
2528 {
2529 id_text = new_id_text;
2530 for (p = id_text; *p != 0; p++)
2531 if (mac_iscntrl_or_special(*p)) *p = '-';
2532 }
2533 }
2534
e7e680d6
PP
2535 /* Add the header line
2536 * Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are
2537 * appended, to preserve classical expectations of header ordering. */
059ec3d9 2538
e7e680d6 2539 header_add_at_position(!resents_exist, NULL, FALSE, htype_id,
5eb690a1
NM
2540 "%sMessage-Id: <%s%s%s@%s>\n", resent_prefix, message_id_external,
2541 (*id_text == 0)? "" : ".", id_text, id_domain);
059ec3d9
PH
2542 }
2543
2544/* If we are to log recipients, keep a copy of the raw ones before any possible
2545rewriting. Must copy the count, because later ACLs and the local_scan()
2546function may mess with the real recipients. */
2547
6c6d6e48 2548if (LOGGING(received_recipients))
059ec3d9
PH
2549 {
2550 raw_recipients = store_get(recipients_count * sizeof(uschar *));
2551 for (i = 0; i < recipients_count; i++)
2552 raw_recipients[i] = string_copy(recipients_list[i].address);
2553 raw_recipients_count = recipients_count;
2554 }
2555
2556/* Ensure the recipients list is fully qualified and rewritten. Unqualified
2557recipients will get here only if the conditions were right (allow_unqualified_
2558recipient is TRUE). */
2559
2560for (i = 0; i < recipients_count; i++)
2561 recipients_list[i].address =
2562 rewrite_address(recipients_list[i].address, TRUE, TRUE,
2563 global_rewrite_rules, rewrite_existflags);
2564
8800895a
PH
2565/* If there is no From: header, generate one for local (without
2566suppress_local_fixups) or submission_mode messages. If there is no sender
2567address, but the sender is local or this is a local delivery error, use the
2568originator login. This shouldn't happen for genuine bounces, but might happen
2569for autoreplies. The addition of From: must be done *before* checking for the
2570possible addition of a Sender: header, because untrusted_set_sender allows an
2571untrusted user to set anything in the envelope (which might then get info
2572From:) but we still want to ensure a valid Sender: if it is required. */
2573
2574if (from_header == NULL &&
2575 ((sender_host_address == NULL && !suppress_local_fixups)
2576 || submission_mode))
059ec3d9 2577 {
2fe1a124
PH
2578 uschar *oname = US"";
2579
2580 /* Use the originator_name if this is a locally submitted message and the
2581 caller is not trusted. For trusted callers, use it only if -F was used to
2582 force its value or if we have a non-SMTP message for which -f was not used
2583 to set the sender. */
2584
2585 if (sender_host_address == NULL)
2586 {
2587 if (!trusted_caller || sender_name_forced ||
2588 (!smtp_input && !sender_address_forced))
2589 oname = originator_name;
2590 }
2591
2592 /* For non-locally submitted messages, the only time we use the originator
2593 name is when it was forced by the /name= option on control=submission. */
2594
2595 else
2596 {
2597 if (submission_name != NULL) oname = submission_name;
2598 }
2599
059ec3d9
PH
2600 /* Envelope sender is empty */
2601
2602 if (sender_address[0] == 0)
2603 {
87ba3f5f
PH
2604 uschar *fromstart, *fromend;
2605
2606 fromstart = string_sprintf("%sFrom: %s%s", resent_prefix,
2fe1a124
PH
2607 oname, (oname[0] == 0)? "" : " <");
2608 fromend = (oname[0] == 0)? US"" : US">";
87ba3f5f 2609
059ec3d9
PH
2610 if (sender_local || local_error_message)
2611 {
87ba3f5f
PH
2612 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2613 local_part_quote(originator_login), qualify_domain_sender,
2614 fromend);
059ec3d9
PH
2615 }
2616 else if (submission_mode && authenticated_id != NULL)
2617 {
2618 if (submission_domain == NULL)
2619 {
87ba3f5f
PH
2620 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2621 local_part_quote(authenticated_id), qualify_domain_sender,
2622 fromend);
059ec3d9
PH
2623 }
2624 else if (submission_domain[0] == 0) /* empty => whole address set */
2625 {
87ba3f5f
PH
2626 header_add(htype_from, "%s%s%s\n", fromstart, authenticated_id,
2627 fromend);
059ec3d9
PH
2628 }
2629 else
2630 {
87ba3f5f
PH
2631 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2632 local_part_quote(authenticated_id), submission_domain,
2633 fromend);
059ec3d9
PH
2634 }
2635 from_header = header_last; /* To get it checked for Sender: */
2636 }
2637 }
2638
2639 /* There is a non-null envelope sender. Build the header using the original
2640 sender address, before any rewriting that might have been done while
2641 verifying it. */
2642
2643 else
2644 {
87ba3f5f 2645 header_add(htype_from, "%sFrom: %s%s%s%s\n", resent_prefix,
2fe1a124
PH
2646 oname,
2647 (oname[0] == 0)? "" : " <",
87ba3f5f
PH
2648 (sender_address_unrewritten == NULL)?
2649 sender_address : sender_address_unrewritten,
2fe1a124 2650 (oname[0] == 0)? "" : ">");
059ec3d9
PH
2651
2652 from_header = header_last; /* To get it checked for Sender: */
2653 }
2654 }
2655
2656
8800895a
PH
2657/* If the sender is local (without suppress_local_fixups), or if we are in
2658submission mode and there is an authenticated_id, check that an existing From:
2659is correct, and if not, generate a Sender: header, unless disabled. Any
2660previously-existing Sender: header was removed above. Note that sender_local,
2661as well as being TRUE if the caller of exim is not trusted, is also true if a
2662trusted caller did not supply a -f argument for non-smtp input. To allow
2663trusted callers to forge From: without supplying -f, we have to test explicitly
2664here. If the From: header contains more than one address, then the call to
2665parse_extract_address fails, and a Sender: header is inserted, as required. */
059ec3d9
PH
2666
2667if (from_header != NULL &&
69358f02 2668 (active_local_from_check &&
8800895a 2669 ((sender_local && !trusted_caller && !suppress_local_fixups) ||
69358f02 2670 (submission_mode && authenticated_id != NULL))
059ec3d9
PH
2671 ))
2672 {
2673 BOOL make_sender = TRUE;
2674 int start, end, domain;
2675 uschar *errmess;
2676 uschar *from_address =
2677 parse_extract_address(Ustrchr(from_header->text, ':') + 1, &errmess,
2678 &start, &end, &domain, FALSE);
2679 uschar *generated_sender_address;
2680
2681 if (submission_mode)
2682 {
2683 if (submission_domain == NULL)
2684 {
2685 generated_sender_address = string_sprintf("%s@%s",
2686 local_part_quote(authenticated_id), qualify_domain_sender);
2687 }
2688 else if (submission_domain[0] == 0) /* empty => full address */
2689 {
2690 generated_sender_address = string_sprintf("%s",
2691 authenticated_id);
2692 }
2693 else
2694 {
2695 generated_sender_address = string_sprintf("%s@%s",
2696 local_part_quote(authenticated_id), submission_domain);
2697 }
2698 }
2699 else
2700 generated_sender_address = string_sprintf("%s@%s",
2701 local_part_quote(originator_login), qualify_domain_sender);
2702
2703 /* Remove permitted prefixes and suffixes from the local part of the From:
2704 address before doing the comparison with the generated sender. */
2705
2706 if (from_address != NULL)
2707 {
2708 int slen;
2709 uschar *at = (domain == 0)? NULL : from_address + domain - 1;
2710
2711 if (at != NULL) *at = 0;
2712 from_address += route_check_prefix(from_address, local_from_prefix);
2713 slen = route_check_suffix(from_address, local_from_suffix);
2714 if (slen > 0)
2715 {
2716 memmove(from_address+slen, from_address, Ustrlen(from_address)-slen);
2717 from_address += slen;
2718 }
2719 if (at != NULL) *at = '@';
2720
2721 if (strcmpic(generated_sender_address, from_address) == 0 ||
2722 (domain == 0 && strcmpic(from_address, originator_login) == 0))
2723 make_sender = FALSE;
2724 }
2725
2726 /* We have to cause the Sender header to be rewritten if there are
2727 appropriate rewriting rules. */
2728
2729 if (make_sender)
2730 {
2fe1a124 2731 if (submission_mode && submission_name == NULL)
059ec3d9
PH
2732 header_add(htype_sender, "%sSender: %s\n", resent_prefix,
2733 generated_sender_address);
2734 else
2735 header_add(htype_sender, "%sSender: %s <%s>\n",
2fe1a124
PH
2736 resent_prefix,
2737 submission_mode? submission_name : originator_name,
2738 generated_sender_address);
059ec3d9 2739 }
87ba3f5f
PH
2740
2741 /* Ensure that a non-null envelope sender address corresponds to the
2742 submission mode sender address. */
2743
2744 if (submission_mode && sender_address[0] != 0)
2745 {
2746 if (sender_address_unrewritten == NULL)
2747 sender_address_unrewritten = sender_address;
2748 sender_address = generated_sender_address;
089793a4
TF
2749 if (Ustrcmp(sender_address_unrewritten, generated_sender_address) != 0)
2750 log_write(L_address_rewrite, LOG_MAIN,
2751 "\"%s\" from env-from rewritten as \"%s\" by submission mode",
2752 sender_address_unrewritten, generated_sender_address);
87ba3f5f 2753 }
059ec3d9
PH
2754 }
2755
059ec3d9
PH
2756/* If there are any rewriting rules, apply them to the sender address, unless
2757it has already been rewritten as part of verification for SMTP input. */
2758
2759if (global_rewrite_rules != NULL && sender_address_unrewritten == NULL &&
2760 sender_address[0] != 0)
2761 {
2762 sender_address = rewrite_address(sender_address, FALSE, TRUE,
2763 global_rewrite_rules, rewrite_existflags);
2764 DEBUG(D_receive|D_rewrite)
2765 debug_printf("rewritten sender = %s\n", sender_address);
2766 }
2767
2768
2769/* The headers must be run through rewrite_header(), because it ensures that
2770addresses are fully qualified, as well as applying any rewriting rules that may
2771exist.
2772
2773Qualification of header addresses in a message from a remote host happens only
2774if the host is in sender_unqualified_hosts or recipient_unqualified hosts, as
2775appropriate. For local messages, qualification always happens, unless -bnq is
2776used to explicitly suppress it. No rewriting is done for an unqualified address
2777that is left untouched.
2778
2779We start at the second header, skipping our own Received:. This rewriting is
2780documented as happening *after* recipient addresses are taken from the headers
2781by the -t command line option. An added Sender: gets rewritten here. */
2782
2783for (h = header_list->next; h != NULL; h = h->next)
2784 {
2785 header_line *newh = rewrite_header(h, NULL, NULL, global_rewrite_rules,
2786 rewrite_existflags, TRUE);
2787 if (newh != NULL) h = newh;
2788 }
2789
2790
2791/* An RFC 822 (sic) message is not legal unless it has at least one of "to",
2cbb4081 2792"cc", or "bcc". Note that although the minimal examples in RFC 822 show just
059ec3d9
PH
2793"to" or "bcc", the full syntax spec allows "cc" as well. If any resent- header
2794exists, this applies to the set of resent- headers rather than the normal set.
2795
2cbb4081
PH
2796The requirement for a recipient header has been removed in RFC 2822. At this
2797point in the code, earlier versions of Exim added a To: header for locally
2798submitted messages, and an empty Bcc: header for others. In the light of the
2799changes in RFC 2822, this was dropped in November 2003. */
059ec3d9 2800
059ec3d9
PH
2801
2802/* If there is no date header, generate one if the message originates locally
8800895a
PH
2803(i.e. not over TCP/IP) and suppress_local_fixups is not set, or if the
2804submission mode flag is set. Messages without Date: are not valid, but it seems
e7e680d6
PP
2805to be more confusing if Exim adds one to all remotely-originated messages.
2806As per Message-Id, we prepend if resending, else append.
2807*/
059ec3d9 2808
8800895a
PH
2809if (!date_header_exists &&
2810 ((sender_host_address == NULL && !suppress_local_fixups)
2811 || submission_mode))
e7e680d6
PP
2812 header_add_at_position(!resents_exist, NULL, FALSE, htype_other,
2813 "%sDate: %s\n", resent_prefix, tod_stamp(tod_full));
059ec3d9
PH
2814
2815search_tidyup(); /* Free any cached resources */
2816
2817/* Show the complete set of headers if debugging. Note that the first one (the
2818new Received:) has not yet been set. */
2819
2820DEBUG(D_receive)
2821 {
2822 debug_printf(">>Headers after rewriting and local additions:\n");
2823 for (h = header_list->next; h != NULL; h = h->next)
2824 debug_printf("%c %s", h->type, h->text);
2825 debug_printf("\n");
2826 }
2827
2828/* The headers are now complete in store. If we are running in filter
2829testing mode, that is all this function does. Return TRUE if the message
2830ended with a dot. */
2831
f05da2e8 2832if (filter_test != FTEST_NONE)
059ec3d9
PH
2833 {
2834 process_info[process_info_len] = 0;
2835 return message_ended == END_DOT;
2836 }
2837
18481de3 2838/*XXX CHUNKING: need to cancel cutthrough under BDAT, for now */
817d9f57 2839/* Cutthrough delivery:
5032d1cf
JH
2840We have to create the Received header now rather than at the end of reception,
2841so the timestamp behaviour is a change to the normal case.
2842XXX Ensure this gets documented XXX.
2843Having created it, send the headers to the destination. */
2844if (cutthrough.fd >= 0)
e4bdf652 2845 {
817d9f57
JH
2846 if (received_count > received_headers_max)
2847 {
2e5b33cd 2848 cancel_cutthrough_connection("too many headers");
817d9f57
JH
2849 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
2850 log_write(0, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
2851 "Too many \"Received\" headers",
2852 sender_address,
2853 (sender_fullhost == NULL)? "" : " H=",
2854 (sender_fullhost == NULL)? US"" : sender_fullhost,
2855 (sender_ident == NULL)? "" : " U=",
2856 (sender_ident == NULL)? US"" : sender_ident);
2857 message_id[0] = 0; /* Indicate no message accepted */
2858 smtp_reply = US"550 Too many \"Received\" headers - suspected mail loop";
2859 goto TIDYUP; /* Skip to end of function */
2860 }
e4bdf652 2861 received_header_gen();
578d43dc 2862 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652
JH
2863 (void) cutthrough_headers_send();
2864 }
61147df4 2865
e4bdf652 2866
059ec3d9
PH
2867/* Open a new spool file for the data portion of the message. We need
2868to access it both via a file descriptor and a stream. Try to make the
41313d92 2869directory if it isn't there. */
059ec3d9 2870
41313d92 2871spool_name = spool_fname(US"input", message_subdir, message_id, US"-D");
a2da3176
JH
2872DEBUG(D_receive) debug_printf("Data file name: %s\n", spool_name);
2873
2874if ((data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
059ec3d9
PH
2875 {
2876 if (errno == ENOENT)
2877 {
0971ec06 2878 (void) directory_make(spool_directory,
41313d92
JH
2879 spool_sname(US"input", message_subdir),
2880 INPUT_DIRECTORY_MODE, TRUE);
059ec3d9
PH
2881 data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
2882 }
2883 if (data_fd < 0)
2884 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to create spool file %s: %s",
2885 spool_name, strerror(errno));
2886 }
2887
2888/* Make sure the file's group is the Exim gid, and double-check the mode
2889because the group setting doesn't always get set automatically. */
2890
1ac6b2e7
JH
2891if (fchown(data_fd, exim_uid, exim_gid))
2892 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2893 "Failed setting ownership on spool file %s: %s",
2894 spool_name, strerror(errno));
ff790e47 2895(void)fchmod(data_fd, SPOOL_MODE);
059ec3d9
PH
2896
2897/* We now have data file open. Build a stream for it and lock it. We lock only
2898the first line of the file (containing the message ID) because otherwise there
2899are problems when Exim is run under Cygwin (I'm told). See comments in
2900spool_in.c, where the same locking is done. */
2901
2902data_file = fdopen(data_fd, "w+");
2903lock_data.l_type = F_WRLCK;
2904lock_data.l_whence = SEEK_SET;
2905lock_data.l_start = 0;
2906lock_data.l_len = SPOOL_DATA_START_OFFSET;
2907
2908if (fcntl(data_fd, F_SETLK, &lock_data) < 0)
2909 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Cannot lock %s (%d): %s", spool_name,
2910 errno, strerror(errno));
2911
2912/* We have an open, locked data file. Write the message id to it to make it
2913self-identifying. Then read the remainder of the input of this message and
2914write it to the data file. If the variable next != NULL, it contains the first
2915data line (which was read as a header but then turned out not to have the right
2916format); write it (remembering that it might contain binary zeros). The result
2917of fwrite() isn't inspected; instead we call ferror() below. */
2918
2919fprintf(data_file, "%s-D\n", message_id);
2920if (next != NULL)
2921 {
2922 uschar *s = next->text;
2923 int len = next->slen;
1ac6b2e7 2924 len = fwrite(s, 1, len, data_file); len = len; /* compiler quietening */
059ec3d9
PH
2925 body_linecount++; /* Assumes only 1 line */
2926 }
2927
2928/* Note that we might already be at end of file, or the logical end of file
2929(indicated by '.'), or might have encountered an error while writing the
2930message id or "next" line. */
2931
2932if (!ferror(data_file) && !(receive_feof)() && message_ended != END_DOT)
2933 {
2934 if (smtp_input)
2935 {
18481de3 2936/*XXX CHUNKING: main data read, for message body */
059ec3d9
PH
2937 message_ended = read_message_data_smtp(data_file);
2938 receive_linecount++; /* The terminating "." line */
2939 }
2940 else message_ended = read_message_data(data_file);
2941
2942 receive_linecount += body_linecount; /* For BSMTP errors mainly */
2e0c1448 2943 message_linecount += body_linecount;
059ec3d9
PH
2944
2945 /* Handle premature termination of SMTP */
2946
2947 if (smtp_input && message_ended == END_EOF)
2948 {
2949 Uunlink(spool_name); /* Lose data file when closed */
2e5b33cd 2950 cancel_cutthrough_connection("sender closed connection");
059ec3d9
PH
2951 message_id[0] = 0; /* Indicate no message accepted */
2952 smtp_reply = handle_lost_connection(US"");
2953 smtp_yield = FALSE;
2954 goto TIDYUP; /* Skip to end of function */
2955 }
2956
2957 /* Handle message that is too big. Don't use host_or_ident() in the log
2958 message; we want to see the ident value even for non-remote messages. */
2959
2960 if (message_ended == END_SIZE)
2961 {
2962 Uunlink(spool_name); /* Lose the data file when closed */
2e5b33cd 2963 cancel_cutthrough_connection("mail too big");
059ec3d9
PH
2964 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
2965
2966 log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
2967 "message too big: read=%d max=%d",
2968 sender_address,
2969 (sender_fullhost == NULL)? "" : " H=",
2970 (sender_fullhost == NULL)? US"" : sender_fullhost,
2971 (sender_ident == NULL)? "" : " U=",
2972 (sender_ident == NULL)? US"" : sender_ident,
2973 message_size,
2974 thismessage_size_limit);
2975
2976 if (smtp_input)
2977 {
2978 smtp_reply = US"552 Message size exceeds maximum permitted";
2979 message_id[0] = 0; /* Indicate no message accepted */
2980 goto TIDYUP; /* Skip to end of function */
2981 }
2982 else
2983 {
2984 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
2985 give_local_error(ERRMESS_TOOBIG,
2986 string_sprintf("message too big (max=%d)", thismessage_size_limit),
2987 US"message rejected: ", error_rc, data_file, header_list);
2988 /* Does not return */
2989 }
2990 }
2991 }
2992
2993/* Restore the standard SIGALRM handler for any subsequent processing. (For
2994example, there may be some expansion in an ACL that uses a timer.) */
2995
2996os_non_restarting_signal(SIGALRM, sigalrm_handler);
2997
2998/* The message body has now been read into the data file. Call fflush() to
2999empty the buffers in C, and then call fsync() to get the data written out onto
3000the disk, as fflush() doesn't do this (or at least, it isn't documented as
3001having to do this). If there was an I/O error on either input or output,
3002attempt to send an error message, and unlink the spool file. For non-SMTP input
3003we can then give up. Note that for SMTP input we must swallow the remainder of
3004the input in cases of output errors, since the far end doesn't expect to see
3005anything until the terminating dot line is sent. */
3006
3007if (fflush(data_file) == EOF || ferror(data_file) ||
54fc8428 3008 EXIMfsync(fileno(data_file)) < 0 || (receive_ferror)())
059ec3d9
PH
3009 {
3010 uschar *msg_errno = US strerror(errno);
3011 BOOL input_error = (receive_ferror)() != 0;
3012 uschar *msg = string_sprintf("%s error (%s) while receiving message from %s",
3013 input_error? "Input read" : "Spool write",
3014 msg_errno,
3015 (sender_fullhost != NULL)? sender_fullhost : sender_ident);
3016
3017 log_write(0, LOG_MAIN, "Message abandoned: %s", msg);
3018 Uunlink(spool_name); /* Lose the data file */
2e5b33cd 3019 cancel_cutthrough_connection("error writing spoolfile");
059ec3d9
PH
3020
3021 if (smtp_input)
3022 {
3023 if (input_error)
3024 smtp_reply = US"451 Error while reading input data";
3025 else
3026 {
3027 smtp_reply = US"451 Error while writing spool file";
3028 receive_swallow_smtp();
3029 }
3030 message_id[0] = 0; /* Indicate no message accepted */
3031 goto TIDYUP; /* Skip to end of function */
3032 }
3033
3034 else
3035 {
3036 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3037 give_local_error(ERRMESS_IOERR, msg, US"", error_rc, data_file,
3038 header_list);
3039 /* Does not return */
3040 }
3041 }
3042
3043
3044/* No I/O errors were encountered while writing the data file. */
3045
3046DEBUG(D_receive) debug_printf("Data file written for message %s\n", message_id);
3047
3048
3049/* If there were any bad addresses extracted by -t, or there were no recipients
3050left after -t, send a message to the sender of this message, or write it to
3051stderr if the error handling option is set that way. Note that there may
3052legitimately be no recipients for an SMTP message if they have all been removed
3053by "discard".
3054
3055We need to rewind the data file in order to read it. In the case of no
3056recipients or stderr error writing, throw the data file away afterwards, and
3057exit. (This can't be SMTP, which always ensures there's at least one
3058syntactically good recipient address.) */
3059
3060if (extract_recip && (bad_addresses != NULL || recipients_count == 0))
3061 {
3062 DEBUG(D_receive)
3063 {
3064 if (recipients_count == 0) debug_printf("*** No recipients\n");
3065 if (bad_addresses != NULL)
3066 {
3067 error_block *eblock = bad_addresses;
3068 debug_printf("*** Bad address(es)\n");
3069 while (eblock != NULL)
3070 {
3071 debug_printf(" %s: %s\n", eblock->text1, eblock->text2);
3072 eblock = eblock->next;
3073 }
3074 }
3075 }
3076
3077 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3078
3079 /* If configured to send errors to the sender, but this fails, force
3080 a failure error code. We use a special one for no recipients so that it
3081 can be detected by the autoreply transport. Otherwise error_rc is set to
3082 errors_sender_rc, which is EXIT_FAILURE unless -oee was given, in which case
3083 it is EXIT_SUCCESS. */
3084
3085 if (error_handling == ERRORS_SENDER)
3086 {
3087 if (!moan_to_sender(
3088 (bad_addresses == NULL)?
3089 (extracted_ignored? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS) :
3090 (recipients_list == NULL)? ERRMESS_BADNOADDRESS : ERRMESS_BADADDRESS,
3091 bad_addresses, header_list, data_file, FALSE))
3092 error_rc = (bad_addresses == NULL)? EXIT_NORECIPIENTS : EXIT_FAILURE;
3093 }
3094 else
3095 {
3096 if (bad_addresses == NULL)
3097 {
3098 if (extracted_ignored)
3099 fprintf(stderr, "exim: all -t recipients overridden by command line\n");
3100 else
3101 fprintf(stderr, "exim: no recipients in message\n");
3102 }
3103 else
3104 {
3105 fprintf(stderr, "exim: invalid address%s",
3106 (bad_addresses->next == NULL)? ":" : "es:\n");
3107 while (bad_addresses != NULL)
3108 {
3109 fprintf(stderr, " %s: %s\n", bad_addresses->text1,
3110 bad_addresses->text2);
3111 bad_addresses = bad_addresses->next;
3112 }
3113 }
3114 }
3115
3116 if (recipients_count == 0 || error_handling == ERRORS_STDERR)
3117 {
3118 Uunlink(spool_name);
f1e894f3 3119 (void)fclose(data_file);
059ec3d9
PH
3120 exim_exit(error_rc);
3121 }
3122 }
3123
3124/* Data file successfully written. Generate text for the Received: header by
3125expanding the configured string, and adding a timestamp. By leaving this
3126operation till now, we ensure that the timestamp is the time that message
3127reception was completed. However, this is deliberately done before calling the
3128data ACL and local_scan().
3129
3130This Received: header may therefore be inspected by the data ACL and by code in
3131the local_scan() function. When they have run, we update the timestamp to be
3132the final time of reception.
3133
3134If there is just one recipient, set up its value in the $received_for variable
3135for use when we generate the Received: header.
3136
3137Note: the checking for too many Received: headers is handled by the delivery
3138code. */
e4bdf652 3139/*XXX eventually add excess Received: check for cutthrough case back when classifying them */
059ec3d9 3140
e4bdf652 3141if (received_header->text == NULL) /* Non-cutthrough case */
059ec3d9 3142 {
e4bdf652 3143 received_header_gen();
059ec3d9 3144
e4bdf652 3145 /* Set the value of message_body_size for the DATA ACL and for local_scan() */
059ec3d9 3146
e4bdf652
JH
3147 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3148 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9 3149
e4bdf652
JH
3150 /* If an ACL from any RCPT commands set up any warning headers to add, do so
3151 now, before running the DATA ACL. */
059ec3d9 3152
578d43dc 3153 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652 3154 }
817d9f57 3155else
e4bdf652
JH
3156 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3157 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9
PH
3158
3159/* If an ACL is specified for checking things at this stage of reception of a
3160message, run it, unless all the recipients were removed by "discard" in earlier
3161ACLs. That is the only case in which recipients_count can be zero at this
3162stage. Set deliver_datafile to point to the data file so that $message_body and
3163$message_body_end can be extracted if needed. Allow $recipients in expansions.
3164*/
3165
3166deliver_datafile = data_fd;
4e88a19f 3167user_msg = NULL;
059ec3d9 3168
0e20aff9
MH
3169enable_dollar_recipients = TRUE;
3170
059ec3d9
PH
3171if (recipients_count == 0)
3172 {
3173 blackholed_by = recipients_discarded? US"MAIL ACL" : US"RCPT ACL";
3174 }
3175else
3176 {
059ec3d9
PH
3177 /* Handle interactive SMTP messages */
3178
3179 if (smtp_input && !smtp_batched_input)
3180 {
8523533c 3181
80a47a2c
TK
3182#ifndef DISABLE_DKIM
3183 if (!dkim_disable_verify)
3184 {
3185 /* Finish verification, this will log individual signature results to
3186 the mainlog */
3187 dkim_exim_verify_finish();
3188
3189 /* Check if we must run the DKIM ACL */
3190 if ((acl_smtp_dkim != NULL) &&
3191 (dkim_verify_signers != NULL) &&
3192 (dkim_verify_signers[0] != '\0'))
3193 {
3194 uschar *dkim_verify_signers_expanded =
3195 expand_string(dkim_verify_signers);
3196 if (dkim_verify_signers_expanded == NULL)
3197 {
3198 log_write(0, LOG_MAIN|LOG_PANIC,
3199 "expansion of dkim_verify_signers option failed: %s",
3200 expand_string_message);
3201 }
3202 else
3203 {
3204 int sep = 0;
55414b25 3205 const uschar *ptr = dkim_verify_signers_expanded;
80a47a2c 3206 uschar *item = NULL;
9e5d6b55
TK
3207 uschar *seen_items = NULL;
3208 int seen_items_size = 0;
3209 int seen_items_offset = 0;
80a47a2c 3210 uschar itembuf[256];
9122af94
TK
3211 /* Default to OK when no items are present */
3212 rc = OK;
80a47a2c
TK
3213 while ((item = string_nextinlist(&ptr, &sep,
3214 itembuf,
5032d1cf 3215 sizeof(itembuf))))
80a47a2c 3216 {
6119d1ea
TK
3217 /* Prevent running ACL for an empty item */
3218 if (!item || (item[0] == '\0')) continue;
5032d1cf
JH
3219
3220 /* Only run ACL once for each domain or identity,
3221 no matter how often it appears in the expanded list. */
3222 if (seen_items)
6119d1ea 3223 {
ae9094bf
TK
3224 uschar *seen_item = NULL;
3225 uschar seen_item_buf[256];
55414b25 3226 const uschar *seen_items_list = seen_items;
5032d1cf 3227 BOOL seen_this_item = FALSE;
61147df4 3228
ae9094bf
TK
3229 while ((seen_item = string_nextinlist(&seen_items_list, &sep,
3230 seen_item_buf,
5032d1cf
JH
3231 sizeof(seen_item_buf))))
3232 if (Ustrcmp(seen_item,item) == 0)
3233 {
3234 seen_this_item = TRUE;
3235 break;
3236 }
3237
3238 if (seen_this_item)
6119d1ea
TK
3239 {
3240 DEBUG(D_receive)
5032d1cf
JH
3241 debug_printf("acl_smtp_dkim: skipping signer %s, "
3242 "already seen\n", item);
6119d1ea
TK
3243 continue;
3244 }
61147df4 3245
5032d1cf
JH
3246 seen_items = string_append(seen_items, &seen_items_size,
3247 &seen_items_offset, 1, ":");
6119d1ea
TK
3248 }
3249
5032d1cf
JH
3250 seen_items = string_append(seen_items, &seen_items_size,
3251 &seen_items_offset, 1, item);
4a73449b 3252 seen_items[seen_items_offset] = '\0';
6119d1ea
TK
3253
3254 DEBUG(D_receive)
5032d1cf
JH
3255 debug_printf("calling acl_smtp_dkim for dkim_cur_signer=%s\n",
3256 item);
6119d1ea 3257
80a47a2c 3258 dkim_exim_acl_setup(item);
5032d1cf
JH
3259 rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim,
3260 &user_msg, &log_msg);
6119d1ea
TK
3261
3262 if (rc != OK)
5032d1cf
JH
3263 {
3264 DEBUG(D_receive)
3265 debug_printf("acl_smtp_dkim: acl_check returned %d on %s, "
3266 "skipping remaining items\n", rc, item);
3267 cancel_cutthrough_connection("dkim acl not ok");
3268 break;
3269 }
80a47a2c 3270 }
578d43dc 3271 add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
80a47a2c
TK
3272 if (rc == DISCARD)
3273 {
3274 recipients_count = 0;
3275 blackholed_by = US"DKIM ACL";
3276 if (log_msg != NULL)
3277 blackhole_log_msg = string_sprintf(": %s", log_msg);
3278 }
3279 else if (rc != OK)
3280 {
3281 Uunlink(spool_name);
3282 if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
85ffcba6 3283 smtp_yield = FALSE; /* No more messages after dropped connection */
80a47a2c
TK
3284 smtp_reply = US""; /* Indicate reply already sent */
3285 message_id[0] = 0; /* Indicate no message accepted */
3286 goto TIDYUP; /* Skip to end of function */
3287 }
3288 }
3289 }
3290 }
4a8ce2d8 3291#endif /* DISABLE_DKIM */
fb2274d4 3292
8523533c 3293#ifdef WITH_CONTENT_SCAN
80a47a2c
TK
3294 if (recipients_count > 0 &&
3295 acl_smtp_mime != NULL &&
54cdb463
PH
3296 !run_mime_acl(acl_smtp_mime, &smtp_yield, &smtp_reply, &blackholed_by))
3297 goto TIDYUP;
8523533c
TK
3298#endif /* WITH_CONTENT_SCAN */
3299
4840604e
TL
3300#ifdef EXPERIMENTAL_DMARC
3301 dmarc_up = dmarc_store_data(from_header);
3302#endif /* EXPERIMENTAL_DMARC */
3303
8ccd00b1
JH
3304#ifndef DISABLE_PRDR
3305 if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr)
fd98a5c6
JH
3306 {
3307 unsigned int c;
3308 int all_pass = OK;
3309 int all_fail = FAIL;
3310
3311 smtp_printf("353 PRDR content analysis beginning\r\n");
3312 /* Loop through recipients, responses must be in same order received */
3313 for (c = 0; recipients_count > c; c++)
3314 {
3315 uschar * addr= recipients_list[c].address;
3316 uschar * msg= US"PRDR R=<%s> %s";
3317 uschar * code;
3318 DEBUG(D_receive)
3319 debug_printf("PRDR processing recipient %s (%d of %d)\n",
3320 addr, c+1, recipients_count);
3321 rc = acl_check(ACL_WHERE_PRDR, addr,
3322 acl_smtp_data_prdr, &user_msg, &log_msg);
3323
3324 /* If any recipient rejected content, indicate it in final message */
3325 all_pass |= rc;
3326 /* If all recipients rejected, indicate in final message */
3327 all_fail &= rc;
3328
3329 switch (rc)
3330 {
3331 case OK: case DISCARD: code = US"250"; break;
3332 case DEFER: code = US"450"; break;
3333 default: code = US"550"; break;
3334 }
3335 if (user_msg != NULL)
3336 smtp_user_msg(code, user_msg);
3337 else
3338 {
3339 switch (rc)
3340 {
3341 case OK: case DISCARD:
3342 msg = string_sprintf(CS msg, addr, "acceptance"); break;
3343 case DEFER:
3344 msg = string_sprintf(CS msg, addr, "temporary refusal"); break;
3345 default:
3346 msg = string_sprintf(CS msg, addr, "refusal"); break;
3347 }
3348 smtp_user_msg(code, msg);
3349 }
3350 if (log_msg) log_write(0, LOG_MAIN, "PRDR %s %s", addr, log_msg);
3351 else if (user_msg) log_write(0, LOG_MAIN, "PRDR %s %s", addr, user_msg);
112b6a93 3352 else log_write(0, LOG_MAIN, "%s", CS msg);
fd98a5c6
JH
3353
3354 if (rc != OK) { receive_remove_recipient(addr); c--; }
3355 }
3356 /* Set up final message, used if data acl gives OK */
3357 smtp_reply = string_sprintf("%s id=%s message %s",
3358 all_fail == FAIL ? US"550" : US"250",
3359 message_id,
3360 all_fail == FAIL
3361 ? US"rejected for all recipients"
3362 : all_pass == OK
3363 ? US"accepted"
3364 : US"accepted for some recipients");
3365 if (recipients_count == 0)
3366 {
3367 message_id[0] = 0; /* Indicate no message accepted */
3368 goto TIDYUP;
3369 }
3370 }
3371 else
3372 prdr_requested = FALSE;
8ccd00b1 3373#endif /* !DISABLE_PRDR */
fd98a5c6 3374
54cdb463
PH
3375 /* Check the recipients count again, as the MIME ACL might have changed
3376 them. */
8523533c 3377
059ec3d9
PH
3378 if (acl_smtp_data != NULL && recipients_count > 0)
3379 {
059ec3d9 3380 rc = acl_check(ACL_WHERE_DATA, NULL, acl_smtp_data, &user_msg, &log_msg);
578d43dc 3381 add_acl_headers(ACL_WHERE_DATA, US"DATA");
059ec3d9
PH
3382 if (rc == DISCARD)
3383 {
3384 recipients_count = 0;
3385 blackholed_by = US"DATA ACL";
8e669ac1
PH
3386 if (log_msg != NULL)
3387 blackhole_log_msg = string_sprintf(": %s", log_msg);
2e5b33cd 3388 cancel_cutthrough_connection("data acl discard");
059ec3d9
PH
3389 }
3390 else if (rc != OK)
3391 {
3392 Uunlink(spool_name);
2e5b33cd 3393 cancel_cutthrough_connection("data acl not ok");
8523533c
TK
3394#ifdef WITH_CONTENT_SCAN
3395 unspool_mbox();
3396#endif
6f0c431a
PP
3397#ifdef EXPERIMENTAL_DCC
3398 dcc_ok = 0;
3399#endif
059ec3d9 3400 if (smtp_handle_acl_fail(ACL_WHERE_DATA, rc, user_msg, log_msg) != 0)
85ffcba6 3401 smtp_yield = FALSE; /* No more messages after dropped connection */
059ec3d9
PH
3402 smtp_reply = US""; /* Indicate reply already sent */
3403 message_id[0] = 0; /* Indicate no message accepted */
3404 goto TIDYUP; /* Skip to end of function */
3405 }
3406 }
3407 }
3408
3409 /* Handle non-SMTP and batch SMTP (i.e. non-interactive) messages. Note that
3410 we cannot take different actions for permanent and temporary rejections. */
3411
54cdb463 3412 else
059ec3d9 3413 {
54cdb463
PH
3414
3415#ifdef WITH_CONTENT_SCAN
3416 if (acl_not_smtp_mime != NULL &&
3417 !run_mime_acl(acl_not_smtp_mime, &smtp_yield, &smtp_reply,
3418 &blackholed_by))
3419 goto TIDYUP;
3420#endif /* WITH_CONTENT_SCAN */
3421
3422 if (acl_not_smtp != NULL)
059ec3d9 3423 {
54cdb463
PH
3424 uschar *user_msg, *log_msg;
3425 rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg);
3426 if (rc == DISCARD)
059ec3d9 3427 {
54cdb463
PH
3428 recipients_count = 0;
3429 blackholed_by = US"non-SMTP ACL";
3430 if (log_msg != NULL)
3431 blackhole_log_msg = string_sprintf(": %s", log_msg);
059ec3d9 3432 }
54cdb463 3433 else if (rc != OK)
059ec3d9 3434 {
54cdb463
PH
3435 Uunlink(spool_name);
3436#ifdef WITH_CONTENT_SCAN
3437 unspool_mbox();
3438#endif
6f0c431a
PP
3439#ifdef EXPERIMENTAL_DCC
3440 dcc_ok = 0;
3441#endif
6ea85e9a
PH
3442 /* The ACL can specify where rejections are to be logged, possibly
3443 nowhere. The default is main and reject logs. */
3444
3445 if (log_reject_target != 0)
3446 log_write(0, log_reject_target, "F=<%s> rejected by non-SMTP ACL: %s",
3447 sender_address, log_msg);
3448
54cdb463
PH
3449 if (user_msg == NULL) user_msg = US"local configuration problem";
3450 if (smtp_batched_input)
3451 {
3452 moan_smtp_batch(NULL, "%d %s", 550, user_msg);
3453 /* Does not return */
3454 }
3455 else
3456 {
3457 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3458 give_local_error(ERRMESS_LOCAL_ACL, user_msg,
3459 US"message rejected by non-SMTP ACL: ", error_rc, data_file,
3460 header_list);
3461 /* Does not return */
3462 }
059ec3d9 3463 }
578d43dc 3464 add_acl_headers(ACL_WHERE_NOTSMTP, US"non-SMTP");
059ec3d9 3465 }
059ec3d9
PH
3466 }
3467
54cdb463
PH
3468 /* The applicable ACLs have been run */
3469
059ec3d9
PH
3470 if (deliver_freeze) frozen_by = US"ACL"; /* for later logging */
3471 if (queue_only_policy) queued_by = US"ACL";
059ec3d9
PH
3472 }
3473
8523533c
TK
3474#ifdef WITH_CONTENT_SCAN
3475unspool_mbox();
3476#endif
3477
6a8f9482
TK
3478#ifdef EXPERIMENTAL_DCC
3479dcc_ok = 0;
3480#endif
3481
3482
059ec3d9
PH
3483/* The final check on the message is to run the scan_local() function. The
3484version supplied with Exim always accepts, but this is a hook for sysadmins to
3485supply their own checking code. The local_scan() function is run even when all
3486the recipients have been discarded. */
3487
3488lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3489
3490/* Arrange to catch crashes in local_scan(), so that the -D file gets
3491deleted, and the incident gets logged. */
3492
3493os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
3494os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
3495os_non_restarting_signal(SIGILL, local_scan_crash_handler);
3496os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
3497
3498DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
3499 local_scan_timeout);
3500local_scan_data = NULL;
3501
3502os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
3503if (local_scan_timeout > 0) alarm(local_scan_timeout);
3504rc = local_scan(data_fd, &local_scan_data);
3505alarm(0);
3506os_non_restarting_signal(SIGALRM, sigalrm_handler);
3507
0e20aff9
MH
3508enable_dollar_recipients = FALSE;
3509
059ec3d9
PH
3510store_pool = POOL_MAIN; /* In case changed */
3511DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
3512 local_scan_data);
3513
3514os_non_restarting_signal(SIGSEGV, SIG_DFL);
3515os_non_restarting_signal(SIGFPE, SIG_DFL);
3516os_non_restarting_signal(SIGILL, SIG_DFL);
3517os_non_restarting_signal(SIGBUS, SIG_DFL);
3518
3519/* The length check is paranoia against some runaway code, and also because
3520(for a success return) lines in the spool file are read into big_buffer. */
3521
3522if (local_scan_data != NULL)
3523 {
3524 int len = Ustrlen(local_scan_data);
3525 if (len > LOCAL_SCAN_MAX_RETURN) len = LOCAL_SCAN_MAX_RETURN;
3526 local_scan_data = string_copyn(local_scan_data, len);
3527 }
3528
3529if (rc == LOCAL_SCAN_ACCEPT_FREEZE)
3530 {
58eb016e 3531 if (!deliver_freeze) /* ACL might have already frozen */
059ec3d9
PH
3532 {
3533 deliver_freeze = TRUE;
3534 deliver_frozen_at = time(NULL);
3535 frozen_by = US"local_scan()";
3536 }
3537 rc = LOCAL_SCAN_ACCEPT;
3538 }
3539else if (rc == LOCAL_SCAN_ACCEPT_QUEUE)
3540 {
3541 if (!queue_only_policy) /* ACL might have already queued */
3542 {
3543 queue_only_policy = TRUE;
3544 queued_by = US"local_scan()";
3545 }
3546 rc = LOCAL_SCAN_ACCEPT;
3547 }
3548
3549/* Message accepted: remove newlines in local_scan_data because otherwise
3550the spool file gets corrupted. Ensure that all recipients are qualified. */
3551
3552if (rc == LOCAL_SCAN_ACCEPT)
3553 {
3554 if (local_scan_data != NULL)
3555 {
3556 uschar *s;
3557 for (s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' ';
3558 }
3559 for (i = 0; i < recipients_count; i++)
3560 {
3561 recipient_item *r = recipients_list + i;
3562 r->address = rewrite_address_qualify(r->address, TRUE);
3563 if (r->errors_to != NULL)
3564 r->errors_to = rewrite_address_qualify(r->errors_to, TRUE);
3565 }
3566 if (recipients_count == 0 && blackholed_by == NULL)
3567 blackholed_by = US"local_scan";
3568 }
3569
3570/* Message rejected: newlines permitted in local_scan_data to generate
3571multiline SMTP responses. */
3572
3573else
3574 {
3575 uschar *istemp = US"";
3576 uschar *s = NULL;
a5bd321b 3577 uschar *smtp_code;
059ec3d9
PH
3578 int size = 0;
3579 int sptr = 0;
059ec3d9
PH
3580
3581 errmsg = local_scan_data;
3582
3583 Uunlink(spool_name); /* Cancel this message */
3584 switch(rc)
3585 {
3586 default:
3587 log_write(0, LOG_MAIN, "invalid return %d from local_scan(). Temporary "
3588 "rejection given", rc);
3589 goto TEMPREJECT;
3590
3591 case LOCAL_SCAN_REJECT_NOLOGHDR:
6c6d6e48 3592 BIT_CLEAR(log_selector, log_selector_size, Li_rejected_header);
059ec3d9
PH
3593 /* Fall through */
3594
3595 case LOCAL_SCAN_REJECT:
a5bd321b 3596 smtp_code = US"550";
059ec3d9
PH
3597 if (errmsg == NULL) errmsg = US"Administrative prohibition";
3598 break;
3599
3600 case LOCAL_SCAN_TEMPREJECT_NOLOGHDR:
6c6d6e48 3601 BIT_CLEAR(log_selector, log_selector_size, Li_rejected_header);
059ec3d9
PH
3602 /* Fall through */
3603
3604 case LOCAL_SCAN_TEMPREJECT:
3605 TEMPREJECT:
a5bd321b 3606 smtp_code = US"451";
059ec3d9
PH
3607 if (errmsg == NULL) errmsg = US"Temporary local problem";
3608 istemp = US"temporarily ";
3609 break;
3610 }
3611
3612 s = string_append(s, &size, &sptr, 2, US"F=",
3613 (sender_address[0] == 0)? US"<>" : sender_address);
3614 s = add_host_info_for_log(s, &size, &sptr);
3615 s[sptr] = 0;
3616
3617 log_write(0, LOG_MAIN|LOG_REJECT, "%s %srejected by local_scan(): %.256s",
3618 s, istemp, string_printing(errmsg));
3619
3620 if (smtp_input)
3621 {
3622 if (!smtp_batched_input)
3623 {
a5bd321b 3624 smtp_respond(smtp_code, 3, TRUE, errmsg);
059ec3d9
PH
3625 message_id[0] = 0; /* Indicate no message accepted */
3626 smtp_reply = US""; /* Indicate reply already sent */
3627 goto TIDYUP; /* Skip to end of function */
3628 }
3629 else
3630 {
a5bd321b 3631 moan_smtp_batch(NULL, "%s %s", smtp_code, errmsg);
059ec3d9
PH
3632 /* Does not return */
3633 }
3634 }
3635 else
3636 {
3637 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3638 give_local_error(ERRMESS_LOCAL_SCAN, errmsg,
3639 US"message rejected by local scan code: ", error_rc, data_file,
3640 header_list);
3641 /* Does not return */
3642 }
3643 }
3644
3645/* Reset signal handlers to ignore signals that previously would have caused
3646the message to be abandoned. */
3647
3648signal(SIGTERM, SIG_IGN);
3649signal(SIGINT, SIG_IGN);
3650
e4bdf652 3651
059ec3d9
PH
3652/* Ensure the first time flag is set in the newly-received message. */
3653
3654deliver_firsttime = TRUE;
3655
8523533c 3656#ifdef EXPERIMENTAL_BRIGHTMAIL
a2da3176
JH
3657if (bmi_run == 1)
3658 { /* rewind data file */
8523533c
TK
3659 lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3660 bmi_verdicts = bmi_process_message(header_list, data_fd);
a2da3176 3661 }
8523533c
TK
3662#endif
3663
059ec3d9
PH
3664/* Update the timstamp in our Received: header to account for any time taken by
3665an ACL or by local_scan(). The new time is the time that all reception
3666processing is complete. */
3667
3668timestamp = expand_string(US"${tod_full}");
3669tslen = Ustrlen(timestamp);
3670
3671memcpy(received_header->text + received_header->slen - tslen - 1,
3672 timestamp, tslen);
3673
3674/* In MUA wrapper mode, ignore queueing actions set by ACL or local_scan() */
3675
3676if (mua_wrapper)
3677 {
3678 deliver_freeze = FALSE;
3679 queue_only_policy = FALSE;
3680 }
3681
3682/* Keep the data file open until we have written the header file, in order to
3683hold onto the lock. In a -bh run, or if the message is to be blackholed, we
3684don't write the header file, and we unlink the data file. If writing the header
3685file fails, we have failed to accept this message. */
3686
3687if (host_checking || blackholed_by != NULL)
3688 {
3689 header_line *h;
3690 Uunlink(spool_name);
3691 msg_size = 0; /* Compute size for log line */
3692 for (h = header_list; h != NULL; h = h->next)
3693 if (h->type != '*') msg_size += h->slen;
3694 }
3695
3696/* Write the -H file */
3697
3698else
059ec3d9
PH
3699 if ((msg_size = spool_write_header(message_id, SW_RECEIVING, &errmsg)) < 0)
3700 {
3701 log_write(0, LOG_MAIN, "Message abandoned: %s", errmsg);
3702 Uunlink(spool_name); /* Lose the data file */
3703
3704 if (smtp_input)
3705 {
3706 smtp_reply = US"451 Error in writing spool file";
3707 message_id[0] = 0; /* Indicate no message accepted */
3708 goto TIDYUP;
3709 }
3710 else
3711 {
3712 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3713 give_local_error(ERRMESS_IOERR, errmsg, US"", error_rc, data_file,
3714 header_list);
3715 /* Does not return */
3716 }
3717 }
059ec3d9
PH
3718
3719
3720/* The message has now been successfully received. */
3721
3722receive_messagecount++;
3723
3724/* In SMTP sessions we may receive several in one connection. After each one,
3725we wait for the clock to tick at the level of message-id granularity. This is
3726so that the combination of time+pid is unique, even on systems where the pid
3727can be re-used within our time interval. We can't shorten the interval without
3728re-designing the message-id. See comments above where the message id is
3729created. This is Something For The Future. */
3730
3731message_id_tv.tv_usec = (message_id_tv.tv_usec/id_resolution) * id_resolution;
3732exim_wait_tick(&message_id_tv, id_resolution);
3733
3734/* Add data size to written header size. We do not count the initial file name
3735that is in the file, but we do add one extra for the notional blank line that
3736precedes the data. This total differs from message_size in that it include the
3737added Received: header and any other headers that got created locally. */
3738
3739fflush(data_file);
3740fstat(data_fd, &statbuf);