DMARC: default dmarc_tld_file to unset. Bug 2494
[exim.git] / src / src / receive.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
f9ba5e22 5/* Copyright (c) University of Cambridge 1995 - 2018 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for receiving a message and setting up spool files. */
9
059ec3d9 10#include "exim.h"
9723f966 11#include <setjmp.h>
059ec3d9 12
6a8f9482
TK
13#ifdef EXPERIMENTAL_DCC
14extern int dcc_ok;
15#endif
16
1a2e76e1 17#ifdef SUPPORT_DMARC
c007c974 18# include "dmarc.h"
1a2e76e1 19#endif
4840604e 20
059ec3d9
PH
21/*************************************************
22* Local static variables *
23*************************************************/
24
059ec3d9 25static int data_fd = -1;
41313d92 26static uschar *spool_name = US"";
059ec3d9 27
cff70eb1 28enum CH_STATE {LF_SEEN, MID_LINE, CR_SEEN};
059ec3d9 29
9723f966
JH
30#ifdef HAVE_LOCAL_SCAN
31jmp_buf local_scan_env; /* error-handling context for local_scan */
32unsigned had_local_scan_crash;
33unsigned had_local_scan_timeout;
34#endif
35
059ec3d9
PH
36
37/*************************************************
38* Non-SMTP character reading functions *
39*************************************************/
40
41/* These are the default functions that are set up in the variables such as
42receive_getc initially. They just call the standard functions, passing stdin as
43the file. (When SMTP input is occurring, different functions are used by
44changing the pointer variables.) */
45
46int
bd8fbe36 47stdin_getc(unsigned lim)
059ec3d9 48{
9723f966
JH
49int c = getc(stdin);
50
51if (had_data_timeout)
52 {
53 fprintf(stderr, "exim: timed out while reading - message abandoned\n");
54 log_write(L_lost_incoming_connection,
55 LOG_MAIN, "timed out while reading local message");
56 receive_bomb_out(US"data-timeout", NULL); /* Does not return */
57 }
58if (had_data_sigint)
59 {
60 if (filter_test == FTEST_NONE)
61 {
62 fprintf(stderr, "\nexim: %s received - message abandoned\n",
63 had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
64 log_write(0, LOG_MAIN, "%s received while reading local message",
65 had_data_sigint == SIGTERM ? "SIGTERM" : "SIGINT");
66 }
67 receive_bomb_out(US"signal-exit", NULL); /* Does not return */
68 }
69return c;
059ec3d9
PH
70}
71
72int
73stdin_ungetc(int c)
74{
75return ungetc(c, stdin);
76}
77
78int
79stdin_feof(void)
80{
81return feof(stdin);
82}
83
84int
85stdin_ferror(void)
86{
87return ferror(stdin);
88}
89
90
91
92
93/*************************************************
94* Check that a set sender is allowed *
95*************************************************/
96
97/* This function is called when a local caller sets an explicit sender address.
98It checks whether this is permitted, which it is for trusted callers.
99Otherwise, it must match the pattern(s) in untrusted_set_sender.
100
101Arguments: the proposed sender address
102Returns: TRUE for a trusted caller
103 TRUE if the address has been set, untrusted_set_sender has been
104 set, and the address matches something in the list
105 FALSE otherwise
106*/
107
108BOOL
109receive_check_set_sender(uschar *newsender)
110{
111uschar *qnewsender;
8768d548 112if (f.trusted_caller) return TRUE;
36d295f1
JH
113if (!newsender || !untrusted_set_sender) return FALSE;
114qnewsender = Ustrchr(newsender, '@')
115 ? newsender : string_sprintf("%s@%s", newsender, qualify_domain_sender);
116return match_address_list_basic(qnewsender, CUSS &untrusted_set_sender, 0) == OK;
059ec3d9
PH
117}
118
119
120
121
122/*************************************************
5cb8cbc6 123* Read space info for a partition *
059ec3d9
PH
124*************************************************/
125
8e669ac1
PH
126/* This function is called by receive_check_fs() below, and also by string
127expansion for variables such as $spool_space. The field names for the statvfs
5cb8cbc6
PH
128structure are macros, because not all OS have F_FAVAIL and it seems tidier to
129have macros for F_BAVAIL and F_FILES as well. Some kinds of file system do not
130have inodes, and they return -1 for the number available.
059ec3d9 131
5cb8cbc6
PH
132Later: It turns out that some file systems that do not have the concept of
133inodes return 0 rather than -1. Such systems should also return 0 for the total
8e669ac1 134number of inodes, so we require that to be greater than zero before returning
5cb8cbc6 135an inode count.
059ec3d9 136
5cb8cbc6
PH
137Arguments:
138 isspool TRUE for spool partition, FALSE for log partition
139 inodeptr address of int to receive inode count; -1 if there isn't one
8e669ac1 140
5cb8cbc6 141Returns: available on-root space, in kilobytes
8e669ac1
PH
142 -1 for log partition if there isn't one
143
144All values are -1 if the STATFS functions are not available.
059ec3d9
PH
145*/
146
a45431fa 147int_eximarith_t
5cb8cbc6 148receive_statvfs(BOOL isspool, int *inodeptr)
059ec3d9
PH
149{
150#ifdef HAVE_STATFS
059ec3d9 151struct STATVFS statbuf;
ddf1b11a 152struct stat dummy;
5cb8cbc6
PH
153uschar *path;
154uschar *name;
155uschar buffer[1024];
059ec3d9 156
5cb8cbc6 157/* The spool directory must always exist. */
059ec3d9 158
5cb8cbc6 159if (isspool)
059ec3d9 160 {
8e669ac1
PH
161 path = spool_directory;
162 name = US"spool";
163 }
164
059ec3d9
PH
165/* Need to cut down the log file path to the directory, and to ignore any
166appearance of "syslog" in it. */
167
5cb8cbc6 168else
059ec3d9 169 {
059ec3d9 170 int sep = ':'; /* Not variable - outside scripts use */
55414b25 171 const uschar *p = log_file_path;
8e669ac1 172 name = US"log";
059ec3d9
PH
173
174 /* An empty log_file_path means "use the default". This is the same as an
175 empty item in a list. */
176
177 if (*p == 0) p = US":";
55414b25
JH
178 while ((path = string_nextinlist(&p, &sep, buffer, sizeof(buffer))))
179 if (Ustrcmp(path, "syslog") != 0)
180 break;
059ec3d9 181
5cb8cbc6
PH
182 if (path == NULL) /* No log files */
183 {
8e669ac1
PH
184 *inodeptr = -1;
185 return -1;
186 }
059ec3d9 187
8e669ac1
PH
188 /* An empty string means use the default, which is in the spool directory.
189 But don't just use the spool directory, as it is possible that the log
5cb8cbc6 190 subdirectory has been symbolically linked elsewhere. */
059ec3d9 191
8e669ac1 192 if (path[0] == 0)
059ec3d9 193 {
5cb8cbc6
PH
194 sprintf(CS buffer, CS"%s/log", CS spool_directory);
195 path = buffer;
8e669ac1
PH
196 }
197 else
059ec3d9 198 {
8e669ac1 199 uschar *cp;
5cb8cbc6 200 if ((cp = Ustrrchr(path, '/')) != NULL) *cp = 0;
8e669ac1 201 }
5cb8cbc6 202 }
8e669ac1 203
8f128379 204/* We now have the path; do the business */
5cb8cbc6
PH
205
206memset(&statbuf, 0, sizeof(statbuf));
207
208if (STATVFS(CS path, &statbuf) != 0)
ddf1b11a
JH
209 if (stat(CS path, &dummy) == -1 && errno == ENOENT)
210 { /* Can happen on first run after installation */
211 *inodeptr = -1;
212 return -1;
213 }
214 else
215 {
216 log_write(0, LOG_MAIN|LOG_PANIC, "cannot accept message: failed to stat "
217 "%s directory %s: %s", name, path, strerror(errno));
218 smtp_closedown(US"spool or log directory problem");
9bfb7e1b 219 exim_exit(EXIT_FAILURE, NULL);
ddf1b11a 220 }
8e669ac1 221
5cb8cbc6
PH
222*inodeptr = (statbuf.F_FILES > 0)? statbuf.F_FAVAIL : -1;
223
224/* Disks are getting huge. Take care with computing the size in kilobytes. */
8e669ac1 225
a45431fa 226return (int_eximarith_t)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0);
5cb8cbc6 227
ddf1b11a 228#else
5cb8cbc6
PH
229/* Unable to find partition sizes in this environment. */
230
5cb8cbc6
PH
231*inodeptr = -1;
232return -1;
233#endif
234}
235
059ec3d9 236
059ec3d9 237
5cb8cbc6
PH
238
239/*************************************************
240* Check space on spool and log partitions *
241*************************************************/
242
243/* This function is called before accepting a message; if any thresholds are
244set, it checks them. If a message_size is supplied, it checks that there is
245enough space for that size plus the threshold - i.e. that the message won't
246reduce the space to the threshold. Not all OS have statvfs(); for those that
247don't, this function always returns TRUE. For some OS the old function and
248struct name statfs is used; that is handled by a macro, defined in exim.h.
249
250Arguments:
251 msg_size the (estimated) size of an incoming message
252
253Returns: FALSE if there isn't enough space, or if the information cannot
254 be obtained
255 TRUE if no check was done or there is enough space
256*/
257
258BOOL
259receive_check_fs(int msg_size)
260{
a45431fa
JH
261int_eximarith_t space;
262int inodes;
5cb8cbc6
PH
263
264if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0)
265 {
8e669ac1
PH
266 space = receive_statvfs(TRUE, &inodes);
267
059ec3d9 268 DEBUG(D_receive)
7434882d 269 debug_printf("spool directory space = " PR_EXIM_ARITH "K inodes = %d "
a45431fa 270 "check_space = " PR_EXIM_ARITH "K inodes = %d msg_size = %d\n",
5cb8cbc6 271 space, inodes, check_spool_space, check_spool_inodes, msg_size);
8e669ac1
PH
272
273 if ((space >= 0 && space < check_spool_space) ||
5cb8cbc6 274 (inodes >= 0 && inodes < check_spool_inodes))
8e669ac1 275 {
8c513105
JH
276 log_write(0, LOG_MAIN, "spool directory space check failed: space="
277 PR_EXIM_ARITH " inodes=%d", space, inodes);
059ec3d9
PH
278 return FALSE;
279 }
280 }
281
5cb8cbc6
PH
282if (check_log_space > 0 || check_log_inodes > 0)
283 {
8e669ac1
PH
284 space = receive_statvfs(FALSE, &inodes);
285
5cb8cbc6 286 DEBUG(D_receive)
7434882d 287 debug_printf("log directory space = " PR_EXIM_ARITH "K inodes = %d "
a45431fa 288 "check_space = " PR_EXIM_ARITH "K inodes = %d\n",
5cb8cbc6 289 space, inodes, check_log_space, check_log_inodes);
8e669ac1 290
7434882d
JH
291 if ( space >= 0 && space < check_log_space
292 || inodes >= 0 && inodes < check_log_inodes)
8e669ac1 293 {
7434882d
JH
294 log_write(0, LOG_MAIN, "log directory space check failed: space=" PR_EXIM_ARITH
295 " inodes=%d", space, inodes);
5cb8cbc6
PH
296 return FALSE;
297 }
8e669ac1
PH
298 }
299
059ec3d9
PH
300return TRUE;
301}
302
303
304
305/*************************************************
306* Bomb out while reading a message *
307*************************************************/
308
309/* The common case of wanting to bomb out is if a SIGTERM or SIGINT is
310received, or if there is a timeout. A rarer case might be if the log files are
311screwed up and Exim can't open them to record a message's arrival. Handling
312that case is done by setting a flag to cause the log functions to call this
313function if there is an ultimate disaster. That is why it is globally
314accessible.
315
8f128379
PH
316Arguments:
317 reason text reason to pass to the not-quit ACL
318 msg default SMTP response to give if in an SMTP session
059ec3d9
PH
319Returns: it doesn't
320*/
321
322void
8f128379 323receive_bomb_out(uschar *reason, uschar *msg)
059ec3d9 324{
ead37e6c
PP
325 static BOOL already_bombing_out;
326/* The smtp_notquit_exit() below can call ACLs which can trigger recursive
327timeouts, if someone has something slow in their quit ACL. Since the only
328things we should be doing are to close down cleanly ASAP, on the second
329pass we also close down stuff that might be opened again, before bypassing
330the ACL call and exiting. */
331
059ec3d9
PH
332/* If spool_name is set, it contains the name of the data file that is being
333written. Unlink it before closing so that it cannot be picked up by a delivery
334process. Ensure that any header file is also removed. */
335
ead37e6c 336if (spool_name[0] != '\0')
059ec3d9
PH
337 {
338 Uunlink(spool_name);
339 spool_name[Ustrlen(spool_name) - 1] = 'H';
340 Uunlink(spool_name);
ead37e6c 341 spool_name[0] = '\0';
059ec3d9
PH
342 }
343
344/* Now close the file if it is open, either as a fd or a stream. */
345
1bd642c2 346if (spool_data_file)
ead37e6c 347 {
1bd642c2
JH
348 (void)fclose(spool_data_file);
349 spool_data_file = NULL;
9723f966
JH
350 }
351else if (data_fd >= 0)
352 {
ead37e6c
PP
353 (void)close(data_fd);
354 data_fd = -1;
355 }
059ec3d9 356
8f128379
PH
357/* Attempt to close down an SMTP connection tidily. For non-batched SMTP, call
358smtp_notquit_exit(), which runs the NOTQUIT ACL, if present, and handles the
359SMTP response. */
059ec3d9 360
ead37e6c 361if (!already_bombing_out)
059ec3d9 362 {
ead37e6c
PP
363 already_bombing_out = TRUE;
364 if (smtp_input)
365 {
366 if (smtp_batched_input)
367 moan_smtp_batch(NULL, "421 %s - message abandoned", msg); /* No return */
368 smtp_notquit_exit(reason, US"421", US"%s %s - closing connection.",
369 smtp_active_hostname, msg);
370 }
059ec3d9
PH
371 }
372
373/* Exit from the program (non-BSMTP cases) */
374
9bfb7e1b 375exim_exit(EXIT_FAILURE, NULL);
059ec3d9
PH
376}
377
378
379/*************************************************
380* Data read timeout *
381*************************************************/
382
383/* Handler function for timeouts that occur while reading the data that
384comprises a message.
385
386Argument: the signal number
387Returns: nothing
388*/
389
390static void
391data_timeout_handler(int sig)
392{
9723f966 393had_data_timeout = sig;
059ec3d9
PH
394}
395
396
397
9723f966 398#ifdef HAVE_LOCAL_SCAN
059ec3d9
PH
399/*************************************************
400* local_scan() timeout *
401*************************************************/
402
403/* Handler function for timeouts that occur while running a local_scan()
9723f966
JH
404function. Posix recommends against calling longjmp() from a signal-handler,
405but the GCC manual says you can so we will, and trust that it's better than
406calling probably non-signal-safe funxtions during logging from within the
407handler, even with other compilers.
408
409See also https://cwe.mitre.org/data/definitions/745.html which also lists
410it as unsafe.
411
412This is all because we have no control over what might be written for a
413local-scan function, so cannot sprinkle had-signal checks after each
414call-site. At least with the default "do-nothing" function we won't
415ever get here.
059ec3d9
PH
416
417Argument: the signal number
418Returns: nothing
419*/
420
421static void
422local_scan_timeout_handler(int sig)
423{
9723f966
JH
424had_local_scan_timeout = sig;
425siglongjmp(local_scan_env, 1);
059ec3d9
PH
426}
427
428
429
430/*************************************************
431* local_scan() crashed *
432*************************************************/
433
434/* Handler function for signals that occur while running a local_scan()
435function.
436
437Argument: the signal number
438Returns: nothing
439*/
440
441static void
442local_scan_crash_handler(int sig)
443{
9723f966
JH
444had_local_scan_crash = sig;
445siglongjmp(local_scan_env, 1);
059ec3d9
PH
446}
447
9723f966
JH
448#endif /*HAVE_LOCAL_SCAN*/
449
059ec3d9
PH
450
451/*************************************************
452* SIGTERM or SIGINT received *
453*************************************************/
454
455/* Handler for SIGTERM or SIGINT signals that occur while reading the
456data that comprises a message.
457
458Argument: the signal number
459Returns: nothing
460*/
461
462static void
463data_sigterm_sigint_handler(int sig)
464{
9723f966 465had_data_sigint = sig;
059ec3d9
PH
466}
467
468
469
470/*************************************************
471* Add new recipient to list *
472*************************************************/
473
474/* This function builds a list of recipient addresses in argc/argv
475format.
476
477Arguments:
478 recipient the next address to add to recipients_list
479 pno parent number for fixed aliases; -1 otherwise
480
481Returns: nothing
482*/
483
484void
485receive_add_recipient(uschar *recipient, int pno)
486{
487if (recipients_count >= recipients_list_max)
488 {
489 recipient_item *oldlist = recipients_list;
490 int oldmax = recipients_list_max;
ea97267c 491 recipients_list_max = recipients_list_max ? 2*recipients_list_max : 50;
f3ebb786 492 recipients_list = store_get(recipients_list_max * sizeof(recipient_item), FALSE);
059ec3d9
PH
493 if (oldlist != NULL)
494 memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item));
495 }
496
497recipients_list[recipients_count].address = recipient;
498recipients_list[recipients_count].pno = pno;
8523533c
TK
499#ifdef EXPERIMENTAL_BRIGHTMAIL
500recipients_list[recipients_count].bmi_optin = bmi_current_optin;
501/* reset optin string pointer for next recipient */
502bmi_current_optin = NULL;
503#endif
6c1c3d1d
WB
504recipients_list[recipients_count].orcpt = NULL;
505recipients_list[recipients_count].dsn_flags = 0;
059ec3d9
PH
506recipients_list[recipients_count++].errors_to = NULL;
507}
508
509
510
511
512/*************************************************
fd98a5c6
JH
513* Send user response message *
514*************************************************/
61147df4 515
fd98a5c6
JH
516/* This function is passed a default response code and a user message. It calls
517smtp_message_code() to check and possibly modify the response code, and then
518calls smtp_respond() to transmit the response. I put this into a function
519just to avoid a lot of repetition.
61147df4
PP
520
521Arguments:
fd98a5c6
JH
522 code the response code
523 user_msg the user message
524
525Returns: nothing
61147df4
PP
526*/
527
8ccd00b1 528#ifndef DISABLE_PRDR
61147df4 529static void
fd98a5c6 530smtp_user_msg(uschar *code, uschar *user_msg)
61147df4 531{
fd98a5c6 532int len = 3;
4f6ae5c3 533smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
fd98a5c6 534smtp_respond(code, len, TRUE, user_msg);
61147df4
PP
535}
536#endif
537
538
539
540
fd98a5c6
JH
541
542/*************************************************
059ec3d9
PH
543* Remove a recipient from the list *
544*************************************************/
545
546/* This function is provided for local_scan() to use.
547
548Argument:
549 recipient address to remove
550
551Returns: TRUE if it did remove something; FALSE otherwise
552*/
553
554BOOL
555receive_remove_recipient(uschar *recipient)
556{
059ec3d9
PH
557DEBUG(D_receive) debug_printf("receive_remove_recipient(\"%s\") called\n",
558 recipient);
d7978c0f 559for (int count = 0; count < recipients_count; count++)
059ec3d9
PH
560 if (Ustrcmp(recipients_list[count].address, recipient) == 0)
561 {
562 if ((--recipients_count - count) > 0)
563 memmove(recipients_list + count, recipients_list + count + 1,
54cdb463 564 (recipients_count - count)*sizeof(recipient_item));
059ec3d9
PH
565 return TRUE;
566 }
059ec3d9
PH
567return FALSE;
568}
569
570
571
572
573
3c55eef2
JH
574/* Pause for a while waiting for input. If none received in that time,
575close the logfile, if we had one open; then if we wait for a long-running
576datasource (months, in one use-case) log rotation will not leave us holding
577the file copy. */
578
579static void
580log_close_chk(void)
581{
582if (!receive_timeout)
583 {
584 struct timeval t;
585 timesince(&t, &received_time);
586 if (t.tv_sec > 30*60)
587 mainlog_close();
588 else
589 {
590 fd_set r;
591 FD_ZERO(&r); FD_SET(0, &r);
592 t.tv_sec = 30*60 - t.tv_sec; t.tv_usec = 0;
593 if (select(1, &r, NULL, NULL, &t) == 0) mainlog_close();
594 }
595 }
596}
597
059ec3d9
PH
598/*************************************************
599* Read data portion of a non-SMTP message *
600*************************************************/
601
602/* This function is called to read the remainder of a message (following the
603header) when the input is not from SMTP - we are receiving a local message on
604a standard input stream. The message is always terminated by EOF, and is also
605terminated by a dot on a line by itself if the flag dot_ends is TRUE. Split the
606two cases for maximum efficiency.
607
608Ensure that the body ends with a newline. This will naturally be the case when
609the termination is "\n.\n" but may not be otherwise. The RFC defines messages
610as "sequences of lines" - this of course strictly applies only to SMTP, but
611deliveries into BSD-type mailbox files also require it. Exim used to have a
612flag for doing this at delivery time, but as it was always set for all
613transports, I decided to simplify things by putting the check here instead.
614
615There is at least one MUA (dtmail) that sends CRLF via this interface, and
616other programs are known to do this as well. Exim used to have a option for
617dealing with this: in July 2003, after much discussion, the code has been
618changed to default to treat any of LF, CRLF, and bare CR as line terminators.
619
620However, for the case when a dot on a line by itself terminates a message, the
621only recognized terminating sequences before and after the dot are LF and CRLF.
622Otherwise, having read EOL . CR, you don't know whether to read another
623character or not.
624
625Internally, in messages stored in Exim's spool files, LF is used as the line
626terminator. Under the new regime, bare CRs will no longer appear in these
627files.
628
629Arguments:
630 fout a FILE to which to write the message
631
632Returns: One of the END_xxx values indicating why it stopped reading
633*/
634
635static int
636read_message_data(FILE *fout)
637{
638int ch_state;
639register int ch;
d677b2f2 640register int linelength = 0;
059ec3d9
PH
641
642/* Handle the case when only EOF terminates the message */
643
8768d548 644if (!f.dot_ends)
059ec3d9 645 {
3c55eef2 646 int last_ch = '\n';
059ec3d9 647
3c55eef2
JH
648 for ( ;
649 log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF;
650 last_ch = ch)
059ec3d9
PH
651 {
652 if (ch == 0) body_zerocount++;
653 if (last_ch == '\r' && ch != '\n')
654 {
d677b2f2
PH
655 if (linelength > max_received_linelength)
656 max_received_linelength = linelength;
657 linelength = 0;
059ec3d9
PH
658 if (fputc('\n', fout) == EOF) return END_WERROR;
659 message_size++;
660 body_linecount++;
661 }
662 if (ch == '\r') continue;
663
664 if (fputc(ch, fout) == EOF) return END_WERROR;
d677b2f2
PH
665 if (ch == '\n')
666 {
667 if (linelength > max_received_linelength)
668 max_received_linelength = linelength;
669 linelength = 0;
670 body_linecount++;
671 }
672 else linelength++;
059ec3d9
PH
673 if (++message_size > thismessage_size_limit) return END_SIZE;
674 }
675
676 if (last_ch != '\n')
677 {
d677b2f2
PH
678 if (linelength > max_received_linelength)
679 max_received_linelength = linelength;
059ec3d9
PH
680 if (fputc('\n', fout) == EOF) return END_WERROR;
681 message_size++;
682 body_linecount++;
683 }
684
685 return END_EOF;
686 }
687
688/* Handle the case when a dot on a line on its own, or EOF, terminates. */
689
690ch_state = 1;
691
3c55eef2 692while (log_close_chk(), (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
059ec3d9
PH
693 {
694 if (ch == 0) body_zerocount++;
695 switch (ch_state)
696 {
697 case 0: /* Normal state (previous char written) */
698 if (ch == '\n')
d677b2f2
PH
699 {
700 body_linecount++;
701 if (linelength > max_received_linelength)
702 max_received_linelength = linelength;
703 linelength = -1;
704 ch_state = 1;
705 }
059ec3d9
PH
706 else if (ch == '\r')
707 { ch_state = 2; continue; }
708 break;
709
710 case 1: /* After written "\n" */
711 if (ch == '.') { ch_state = 3; continue; }
6eb02f88 712 if (ch == '\r') { ch_state = 2; continue; }
3581f321
JH
713 if (ch == '\n') { body_linecount++; linelength = -1; }
714 else ch_state = 0;
059ec3d9
PH
715 break;
716
717 case 2:
718 body_linecount++; /* After unwritten "\r" */
d677b2f2
PH
719 if (linelength > max_received_linelength)
720 max_received_linelength = linelength;
059ec3d9 721 if (ch == '\n')
d677b2f2
PH
722 {
723 ch_state = 1;
724 linelength = -1;
725 }
059ec3d9
PH
726 else
727 {
728 if (message_size++, fputc('\n', fout) == EOF) return END_WERROR;
729 if (ch == '\r') continue;
730 ch_state = 0;
d677b2f2 731 linelength = 0;
059ec3d9
PH
732 }
733 break;
734
735 case 3: /* After "\n." (\n written, dot not) */
736 if (ch == '\n') return END_DOT;
737 if (ch == '\r') { ch_state = 4; continue; }
738 message_size++;
d677b2f2 739 linelength++;
059ec3d9
PH
740 if (fputc('.', fout) == EOF) return END_WERROR;
741 ch_state = 0;
742 break;
743
744 case 4: /* After "\n.\r" (\n written, rest not) */
745 if (ch == '\n') return END_DOT;
746 message_size += 2;
747 body_linecount++;
748 if (fputs(".\n", fout) == EOF) return END_WERROR;
749 if (ch == '\r') { ch_state = 2; continue; }
750 ch_state = 0;
751 break;
752 }
753
d677b2f2 754 linelength++;
059ec3d9
PH
755 if (fputc(ch, fout) == EOF) return END_WERROR;
756 if (++message_size > thismessage_size_limit) return END_SIZE;
757 }
758
759/* Get here if EOF read. Unless we have just written "\n", we need to ensure
760the message ends with a newline, and we must also write any characters that
761were saved up while testing for an ending dot. */
762
763if (ch_state != 1)
764 {
765 static uschar *ends[] = { US"\n", NULL, US"\n", US".\n", US".\n" };
766 if (fputs(CS ends[ch_state], fout) == EOF) return END_WERROR;
767 message_size += Ustrlen(ends[ch_state]);
768 body_linecount++;
769 }
770
771return END_EOF;
772}
773
774
775
776
777/*************************************************
778* Read data portion of an SMTP message *
779*************************************************/
780
781/* This function is called to read the remainder of an SMTP message (after the
782headers), or to skip over it when an error has occurred. In this case, the
783output file is passed as NULL.
784
785If any line begins with a dot, that character is skipped. The input should only
786be successfully terminated by CR LF . CR LF unless it is local (non-network)
787SMTP, in which case the CRs are optional, but...
788
789FUDGE: It seems that sites on the net send out messages with just LF
790terminators, despite the warnings in the RFCs, and other MTAs handle this. So
791we make the CRs optional in all cases.
792
793July 2003: Bare CRs cause trouble. We now treat them as line terminators as
794well, so that there are no CRs in spooled messages. However, the message
795terminating dot is not recognized between two bare CRs.
796
797Arguments:
798 fout a FILE to which to write the message; NULL if skipping
799
800Returns: One of the END_xxx values indicating why it stopped reading
801*/
802
803static int
804read_message_data_smtp(FILE *fout)
805{
806int ch_state = 0;
e4bdf652 807int ch;
7e3ce68e 808int linelength = 0;
059ec3d9 809
bd8fbe36 810while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
059ec3d9
PH
811 {
812 if (ch == 0) body_zerocount++;
813 switch (ch_state)
814 {
815 case 0: /* After LF or CRLF */
816 if (ch == '.')
817 {
818 ch_state = 3;
819 continue; /* Don't ever write . after LF */
820 }
821 ch_state = 1;
822
823 /* Else fall through to handle as normal uschar. */
824
825 case 1: /* Normal state */
826 if (ch == '\n')
827 {
828 ch_state = 0;
829 body_linecount++;
1f5497b2
PH
830 if (linelength > max_received_linelength)
831 max_received_linelength = linelength;
832 linelength = -1;
059ec3d9
PH
833 }
834 else if (ch == '\r')
835 {
836 ch_state = 2;
837 continue;
838 }
839 break;
840
841 case 2: /* After (unwritten) CR */
842 body_linecount++;
1f5497b2
PH
843 if (linelength > max_received_linelength)
844 max_received_linelength = linelength;
845 linelength = -1;
059ec3d9
PH
846 if (ch == '\n')
847 {
848 ch_state = 0;
849 }
850 else
851 {
852 message_size++;
853 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
6851a9c5 854 cutthrough_data_put_nl();
059ec3d9
PH
855 if (ch != '\r') ch_state = 1; else continue;
856 }
857 break;
858
859 case 3: /* After [CR] LF . */
860 if (ch == '\n')
861 return END_DOT;
862 if (ch == '\r')
863 {
864 ch_state = 4;
865 continue;
866 }
1bc460a6
JH
867 /* The dot was removed at state 3. For a doubled dot, here, reinstate
868 it to cutthrough. The current ch, dot or not, is passed both to cutthrough
869 and to file below. */
870 if (ch == '.')
871 {
872 uschar c= ch;
6851a9c5 873 cutthrough_data_puts(&c, 1);
1bc460a6
JH
874 }
875 ch_state = 1;
059ec3d9
PH
876 break;
877
878 case 4: /* After [CR] LF . CR */
879 if (ch == '\n') return END_DOT;
880 message_size++;
881 body_linecount++;
882 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
6851a9c5 883 cutthrough_data_put_nl();
059ec3d9
PH
884 if (ch == '\r')
885 {
886 ch_state = 2;
887 continue;
888 }
889 ch_state = 1;
890 break;
891 }
892
893 /* Add the character to the spool file, unless skipping; then loop for the
894 next. */
895
896 message_size++;
1f5497b2 897 linelength++;
7e3ce68e 898 if (fout)
059ec3d9
PH
899 {
900 if (fputc(ch, fout) == EOF) return END_WERROR;
901 if (message_size > thismessage_size_limit) return END_SIZE;
902 }
e4bdf652 903 if(ch == '\n')
6851a9c5 904 cutthrough_data_put_nl();
e4bdf652
JH
905 else
906 {
7e3ce68e 907 uschar c = ch;
6851a9c5 908 cutthrough_data_puts(&c, 1);
e4bdf652 909 }
059ec3d9
PH
910 }
911
912/* Fall through here if EOF encountered. This indicates some kind of error,
913since a correct message is terminated by [CR] LF . [CR] LF. */
914
915return END_EOF;
916}
917
918
919
920
7e3ce68e 921/* Variant of the above read_message_data_smtp() specialised for RFC 3030
1ebe15c3
JH
922CHUNKING. Accept input lines separated by either CRLF or CR or LF and write
923LF-delimited spoolfile. Until we have wireformat spoolfiles, we need the
924body_linecount accounting for proper re-expansion for the wire, so use
925a cut-down version of the state-machine above; we don't need to do leading-dot
926detection and unstuffing.
7e3ce68e
JH
927
928Arguments:
544dd905
PP
929 fout a FILE to which to write the message; NULL if skipping;
930 must be open for both writing and reading.
7e3ce68e
JH
931
932Returns: One of the END_xxx values indicating why it stopped reading
933*/
934
935static int
936read_message_bdat_smtp(FILE *fout)
937{
cff70eb1
HSHR
938int linelength = 0, ch;
939enum CH_STATE ch_state = LF_SEEN;
d953610f 940BOOL fix_nl = FALSE;
7e3ce68e 941
1ebe15c3 942for(;;)
7e3ce68e 943 {
7d758a6a 944 switch ((ch = bdat_getc(GETC_BUFFER_UNLIMITED)))
1ebe15c3
JH
945 {
946 case EOF: return END_EOF;
1ebe15c3 947 case ERR: return END_PROTOCOL;
d953610f
HSHR
948 case EOD:
949 /* Nothing to get from the sender anymore. We check the last
950 character written to the spool.
951
952 RFC 3030 states, that BDAT chunks are normal text, terminated by CRLF.
953 If we would be strict, we would refuse such broken messages.
954 But we are liberal, so we fix it. It would be easy just to append
955 the "\n" to the spool.
956
957 But there are some more things (line counting, message size calculation and such),
958 that would need to be duplicated here. So we simply do some ungetc
959 trickery.
960 */
59d98039
JH
961 if (fout)
962 {
963 if (fseek(fout, -1, SEEK_CUR) < 0) return END_PROTOCOL;
964 if (fgetc(fout) == '\n') return END_DOT;
965 }
d953610f
HSHR
966
967 if (linelength == -1) /* \r already seen (see below) */
968 {
969 DEBUG(D_receive) debug_printf("Add missing LF\n");
970 bdat_ungetc('\n');
971 continue;
972 }
973 DEBUG(D_receive) debug_printf("Add missing CRLF\n");
974 bdat_ungetc('\r'); /* not even \r was seen */
975 fix_nl = TRUE;
976
977 continue;
1ebe15c3
JH
978 case '\0': body_zerocount++; break;
979 }
980 switch (ch_state)
981 {
cff70eb1
HSHR
982 case LF_SEEN: /* After LF or CRLF */
983 ch_state = MID_LINE;
1ebe15c3 984 /* fall through to handle as normal uschar. */
7e3ce68e 985
cff70eb1 986 case MID_LINE: /* Mid-line state */
1ebe15c3
JH
987 if (ch == '\n')
988 {
cff70eb1 989 ch_state = LF_SEEN;
1ebe15c3
JH
990 body_linecount++;
991 if (linelength > max_received_linelength)
992 max_received_linelength = linelength;
993 linelength = -1;
994 }
995 else if (ch == '\r')
996 {
cff70eb1 997 ch_state = CR_SEEN;
d953610f 998 if (fix_nl) bdat_ungetc('\n');
1ebe15c3
JH
999 continue; /* don't write CR */
1000 }
1001 break;
7e3ce68e 1002
cff70eb1 1003 case CR_SEEN: /* After (unwritten) CR */
1ebe15c3
JH
1004 body_linecount++;
1005 if (linelength > max_received_linelength)
1006 max_received_linelength = linelength;
1007 linelength = -1;
1008 if (ch == '\n')
cff70eb1 1009 ch_state = LF_SEEN;
1ebe15c3
JH
1010 else
1011 {
1012 message_size++;
59d98039 1013 if (fout && fputc('\n', fout) == EOF) return END_WERROR;
6851a9c5 1014 cutthrough_data_put_nl();
1ebe15c3 1015 if (ch == '\r') continue; /* don't write CR */
cff70eb1 1016 ch_state = MID_LINE;
1ebe15c3
JH
1017 }
1018 break;
1019 }
1020
1021 /* Add the character to the spool file, unless skipping */
1022
1023 message_size++;
1024 linelength++;
1025 if (fout)
1026 {
1027 if (fputc(ch, fout) == EOF) return END_WERROR;
1028 if (message_size > thismessage_size_limit) return END_SIZE;
1029 }
1030 if(ch == '\n')
6851a9c5 1031 cutthrough_data_put_nl();
1ebe15c3
JH
1032 else
1033 {
1034 uschar c = ch;
6851a9c5 1035 cutthrough_data_puts(&c, 1);
1ebe15c3 1036 }
7e3ce68e
JH
1037 }
1038/*NOTREACHED*/
1039}
1040
328c5688
JH
1041static int
1042read_message_bdat_smtp_wire(FILE *fout)
1043{
1044int ch;
1045
1046/* Remember that this message uses wireformat. */
1047
d21bf202
JH
1048DEBUG(D_receive) debug_printf("CHUNKING: %s\n",
1049 fout ? "writing spoolfile in wire format" : "flushing input");
8768d548 1050f.spool_file_wireformat = TRUE;
328c5688 1051
0d81dabc 1052for (;;)
328c5688 1053 {
0d81dabc
JH
1054 if (chunking_data_left > 0)
1055 {
1056 unsigned len = MAX(chunking_data_left, thismessage_size_limit - message_size + 1);
1057 uschar * buf = bdat_getbuf(&len);
328c5688 1058
8b77d27a 1059 if (!buf) return END_EOF;
0d81dabc
JH
1060 message_size += len;
1061 if (fout && fwrite(buf, len, 1, fout) != 1) return END_WERROR;
1062 }
1063 else switch (ch = bdat_getc(GETC_BUFFER_UNLIMITED))
1064 {
1065 case EOF: return END_EOF;
1066 case EOD: return END_DOT;
1067 case ERR: return END_PROTOCOL;
1068
1069 default:
1070 message_size++;
1071 /*XXX not done:
1072 linelength
1073 max_received_linelength
1074 body_linecount
1075 body_zerocount
1076 */
1077 if (fout && fputc(ch, fout) == EOF) return END_WERROR;
1078 break;
1079 }
1080 if (message_size > thismessage_size_limit) return END_SIZE;
328c5688
JH
1081 }
1082/*NOTREACHED*/
1083}
1084
7e3ce68e
JH
1085
1086
1087
059ec3d9
PH
1088/*************************************************
1089* Swallow SMTP message *
1090*************************************************/
1091
1092/* This function is called when there has been some kind of error while reading
1093an SMTP message, and the remaining data may need to be swallowed. It is global
1094because it is called from smtp_closedown() to shut down an incoming call
1095tidily.
1096
1097Argument: a FILE from which to read the message
1098Returns: nothing
1099*/
1100
1101void
1102receive_swallow_smtp(void)
1103{
1104if (message_ended >= END_NOTENDED)
d21bf202
JH
1105 message_ended = chunking_state <= CHUNKING_OFFERED
1106 ? read_message_data_smtp(NULL)
1107 : read_message_bdat_smtp_wire(NULL);
059ec3d9
PH
1108}
1109
1110
1111
1112/*************************************************
1113* Handle lost SMTP connection *
1114*************************************************/
1115
1116/* This function logs connection loss incidents and generates an appropriate
1117SMTP response.
1118
1119Argument: additional data for the message
1120Returns: the SMTP response
1121*/
1122
1123static uschar *
1124handle_lost_connection(uschar *s)
1125{
1126log_write(L_lost_incoming_connection | L_smtp_connection, LOG_MAIN,
1127 "%s lost while reading message data%s", smtp_get_connection_info(), s);
eea0defe 1128smtp_notquit_exit(US"connection-lost", NULL, NULL);
059ec3d9
PH
1129return US"421 Lost incoming connection";
1130}
1131
1132
1133
1134
1135/*************************************************
1136* Handle a non-smtp reception error *
1137*************************************************/
1138
1139/* This function is called for various errors during the reception of non-SMTP
1140messages. It either sends a message to the sender of the problem message, or it
1141writes to the standard error stream.
1142
1143Arguments:
1144 errcode code for moan_to_sender(), identifying the error
1145 text1 first message text, passed to moan_to_sender()
1146 text2 second message text, used only for stderrr
1147 error_rc code to pass to exim_exit if no problem
1148 f FILE containing body of message (may be stdin)
1149 hptr pointer to instore headers or NULL
1150
1151Returns: calls exim_exit(), which does not return
1152*/
1153
1154static void
1155give_local_error(int errcode, uschar *text1, uschar *text2, int error_rc,
1156 FILE *f, header_line *hptr)
1157{
1158if (error_handling == ERRORS_SENDER)
1159 {
1160 error_block eblock;
1161 eblock.next = NULL;
1162 eblock.text1 = text1;
37f3dc43 1163 eblock.text2 = US"";
059ec3d9
PH
1164 if (!moan_to_sender(errcode, &eblock, hptr, f, FALSE))
1165 error_rc = EXIT_FAILURE;
1166 }
37f3dc43
JH
1167else
1168 fprintf(stderr, "exim: %s%s\n", text2, text1); /* Sic */
f1e894f3 1169(void)fclose(f);
9bfb7e1b 1170exim_exit(error_rc, US"");
059ec3d9
PH
1171}
1172
1173
1174
1175/*************************************************
1176* Add header lines set up by ACL *
1177*************************************************/
1178
850635b6
PH
1179/* This function is called to add the header lines that were set up by
1180statements in an ACL to the list of headers in memory. It is done in two stages
1181like this, because when the ACL for RCPT is running, the other headers have not
1182yet been received. This function is called twice; once just before running the
1183DATA ACL, and once after. This is so that header lines added by MAIL or RCPT
1184are visible to the DATA ACL.
059ec3d9
PH
1185
1186Originally these header lines were added at the end. Now there is support for
1187three different places: top, bottom, and after the Received: header(s). There
1188will always be at least one Received: header, even if it is marked deleted, and
1189even if something else has been put in front of it.
1190
1191Arguments:
1192 acl_name text to identify which ACL
1193
1194Returns: nothing
1195*/
1196
1197static void
578d43dc 1198add_acl_headers(int where, uschar *acl_name)
059ec3d9 1199{
059ec3d9 1200header_line *last_received = NULL;
e7568d51 1201
578d43dc
JH
1202switch(where)
1203 {
1204 case ACL_WHERE_DKIM:
1205 case ACL_WHERE_MIME:
af4a1bca 1206 case ACL_WHERE_DATA:
74f1a423 1207 if ( cutthrough.cctx.sock >= 0 && cutthrough.delivery
57cc2785 1208 && (acl_removed_headers || acl_added_headers))
578d43dc
JH
1209 {
1210 log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs"
af4a1bca 1211 " will not take effect on cutthrough deliveries");
578d43dc
JH
1212 return;
1213 }
1214 }
1215
57cc2785 1216if (acl_removed_headers)
e7568d51 1217 {
e1d04f48 1218 DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers removed by %s ACL:\n", acl_name);
e7568d51 1219
d7978c0f 1220 for (header_line * h = header_list; h; h = h->next) if (h->type != htype_old)
e7568d51 1221 {
55414b25 1222 const uschar * list = acl_removed_headers;
e7568d51
TL
1223 int sep = ':'; /* This is specified as a colon-separated list */
1224 uschar *s;
1225 uschar buffer[128];
4a142059
JH
1226
1227 while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
1228 if (header_testname(h, s, Ustrlen(s), FALSE))
e7568d51
TL
1229 {
1230 h->type = htype_old;
e1d04f48 1231 DEBUG(D_receive|D_acl) debug_printf_indent(" %s", h->text);
e7568d51 1232 }
e7568d51
TL
1233 }
1234 acl_removed_headers = NULL;
e1d04f48 1235 DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
e7568d51 1236 }
059ec3d9 1237
57cc2785 1238if (!acl_added_headers) return;
e1d04f48 1239DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers added by %s ACL:\n", acl_name);
059ec3d9 1240
d7978c0f 1241for (header_line * h = acl_added_headers, * next; h; h = next)
059ec3d9
PH
1242 {
1243 next = h->next;
1244
1245 switch(h->type)
1246 {
1247 case htype_add_top:
c674e7a4
JH
1248 h->next = header_list;
1249 header_list = h;
1250 DEBUG(D_receive|D_acl) debug_printf_indent(" (at top)");
1251 break;
059ec3d9
PH
1252
1253 case htype_add_rec:
c674e7a4
JH
1254 if (!last_received)
1255 {
1256 last_received = header_list;
1257 while (!header_testname(last_received, US"Received", 8, FALSE))
1258 last_received = last_received->next;
1259 while (last_received->next &&
1260 header_testname(last_received->next, US"Received", 8, FALSE))
1261 last_received = last_received->next;
1262 }
1263 h->next = last_received->next;
1264 last_received->next = h;
1265 DEBUG(D_receive|D_acl) debug_printf_indent(" (after Received:)");
1266 break;
059ec3d9 1267
8523533c 1268 case htype_add_rfc:
c674e7a4
JH
1269 /* add header before any header which is NOT Received: or Resent- */
1270 last_received = header_list;
1271 while ( last_received->next &&
1272 ( (header_testname(last_received->next, US"Received", 8, FALSE)) ||
1273 (header_testname_incomplete(last_received->next, US"Resent-", 7, FALSE)) ) )
1274 last_received = last_received->next;
1275 /* last_received now points to the last Received: or Resent-* header
1276 in an uninterrupted chain of those header types (seen from the beginning
1277 of all headers. Our current header must follow it. */
1278 h->next = last_received->next;
1279 last_received->next = h;
1280 DEBUG(D_receive|D_acl) debug_printf_indent(" (before any non-Received: or Resent-*: header)");
1281 break;
8523533c 1282
059ec3d9 1283 default:
c674e7a4
JH
1284 h->next = NULL;
1285 header_last->next = h;
1286 DEBUG(D_receive|D_acl) debug_printf_indent(" ");
1287 break;
059ec3d9
PH
1288 }
1289
c674e7a4 1290 if (!h->next) header_last = h;
059ec3d9
PH
1291
1292 /* Check for one of the known header types (From:, To:, etc.) though in
1293 practice most added headers are going to be "other". Lower case
1294 identification letters are never stored with the header; they are used
1295 for existence tests when messages are received. So discard any lower case
1296 flag values. */
1297
1298 h->type = header_checkname(h, FALSE);
1299 if (h->type >= 'a') h->type = htype_other;
1300
c674e7a4 1301 DEBUG(D_receive|D_acl) debug_printf("%s", h->text);
059ec3d9
PH
1302 }
1303
71fafd95 1304acl_added_headers = NULL;
e1d04f48 1305DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
059ec3d9
PH
1306}
1307
1308
1309
1310/*************************************************
1311* Add host information for log line *
1312*************************************************/
1313
1314/* Called for acceptance and rejecting log lines. This adds information about
1315the calling host to a string that is being built dynamically.
1316
1317Arguments:
1318 s the dynamic string
059ec3d9
PH
1319
1320Returns: the extended string
1321*/
1322
acec9514
JH
1323static gstring *
1324add_host_info_for_log(gstring * g)
059ec3d9 1325{
fc16abb4 1326if (sender_fullhost)
059ec3d9 1327 {
fc16abb4 1328 if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */
acec9514
JH
1329 g = string_catn(g, US" DS", 3);
1330 g = string_append(g, 2, US" H=", sender_fullhost);
52f12a7c
JH
1331 if (LOGGING(incoming_interface) && interface_address)
1332 g = string_fmt_append(g, " I=[%s]:%d", interface_address, interface_port);
059ec3d9 1333 }
8768d548 1334if (f.tcp_in_fastopen && !f.tcp_in_fastopen_logged)
a2673768 1335 {
ee8b8090 1336 g = string_catn(g, US" TFO*", f.tcp_in_fastopen_data ? 5 : 4);
8768d548 1337 f.tcp_in_fastopen_logged = TRUE;
a2673768
JH
1338 }
1339if (sender_ident)
acec9514 1340 g = string_append(g, 2, US" U=", sender_ident);
a2673768 1341if (received_protocol)
acec9514 1342 g = string_append(g, 2, US" P=", received_protocol);
8768d548 1343if (LOGGING(pipelining) && f.smtp_in_pipelining_advertised)
ee8b8090
JH
1344 {
1345 g = string_catn(g, US" L", 2);
81344b40 1346#ifndef DISABLE_PIPE_CONNECT
ee8b8090
JH
1347 if (f.smtp_in_early_pipe_used)
1348 g = string_catn(g, US"*", 1);
1349 else if (f.smtp_in_early_pipe_advertised)
1350 g = string_catn(g, US".", 1);
1351#endif
1352 if (!f.smtp_in_pipelining_used)
1353 g = string_catn(g, US"-", 1);
1354 }
acec9514 1355return g;
059ec3d9
PH
1356}
1357
1358
1359
63955bf2 1360#ifdef WITH_CONTENT_SCAN
059ec3d9
PH
1361
1362/*************************************************
54cdb463
PH
1363* Run the MIME ACL on a message *
1364*************************************************/
1365
1366/* This code is in a subroutine so that it can be used for both SMTP
1367and non-SMTP messages. It is called with a non-NULL ACL pointer.
1368
1369Arguments:
1370 acl The ACL to run (acl_smtp_mime or acl_not_smtp_mime)
1371 smtp_yield_ptr Set FALSE to kill messages after dropped connection
1372 smtp_reply_ptr Where SMTP reply is being built
1373 blackholed_by_ptr Where "blackholed by" message is being built
1374
1375Returns: TRUE to carry on; FALSE to abandon the message
1376*/
1377
1378static BOOL
1379run_mime_acl(uschar *acl, BOOL *smtp_yield_ptr, uschar **smtp_reply_ptr,
1380 uschar **blackholed_by_ptr)
1381{
1382FILE *mbox_file;
5b6f7658 1383uschar * rfc822_file_path = NULL;
54cdb463 1384unsigned long mbox_size;
54cdb463
PH
1385uschar *user_msg, *log_msg;
1386int mime_part_count_buffer = -1;
040721f2 1387uschar * mbox_filename;
7156b1ef 1388int rc = OK;
54cdb463 1389
54cdb463 1390/* check if it is a MIME message */
040721f2 1391
d7978c0f
JH
1392for (header_line * my_headerlist = header_list; my_headerlist;
1393 my_headerlist = my_headerlist->next)
040721f2
JH
1394 if ( my_headerlist->type != '*' /* skip deleted headers */
1395 && strncmpic(my_headerlist->text, US"Content-Type:", 13) == 0
1396 )
4e88a19f 1397 {
54cdb463
PH
1398 DEBUG(D_receive) debug_printf("Found Content-Type: header - executing acl_smtp_mime.\n");
1399 goto DO_MIME_ACL;
4e88a19f 1400 }
54cdb463
PH
1401
1402DEBUG(D_receive) debug_printf("No Content-Type: header - presumably not a MIME message.\n");
1403return TRUE;
1404
1405DO_MIME_ACL:
040721f2 1406
54cdb463 1407/* make sure the eml mbox file is spooled up */
040721f2
JH
1408if (!(mbox_file = spool_mbox(&mbox_size, NULL, &mbox_filename)))
1409 { /* error while spooling */
54cdb463
PH
1410 log_write(0, LOG_MAIN|LOG_PANIC,
1411 "acl_smtp_mime: error while creating mbox spool file, message temporarily rejected.");
1412 Uunlink(spool_name);
1413 unspool_mbox();
6f0c431a
PP
1414#ifdef EXPERIMENTAL_DCC
1415 dcc_ok = 0;
1416#endif
a5bd321b 1417 smtp_respond(US"451", 3, TRUE, US"temporary local problem");
54cdb463
PH
1418 message_id[0] = 0; /* Indicate no message accepted */
1419 *smtp_reply_ptr = US""; /* Indicate reply already sent */
1420 return FALSE; /* Indicate skip to end of receive function */
040721f2 1421 }
54cdb463
PH
1422
1423mime_is_rfc822 = 0;
1424
1425MIME_ACL_CHECK:
1426mime_part_count = -1;
1427rc = mime_acl_check(acl, mbox_file, NULL, &user_msg, &log_msg);
f1e894f3 1428(void)fclose(mbox_file);
54cdb463 1429
5b6f7658 1430if (rfc822_file_path)
4e88a19f 1431 {
54cdb463
PH
1432 mime_part_count = mime_part_count_buffer;
1433
4e88a19f
PH
1434 if (unlink(CS rfc822_file_path) == -1)
1435 {
54cdb463
PH
1436 log_write(0, LOG_PANIC,
1437 "acl_smtp_mime: can't unlink RFC822 spool file, skipping.");
5b6f7658 1438 goto END_MIME_ACL;
4e88a19f 1439 }
5b6f7658 1440 rfc822_file_path = NULL;
4e88a19f 1441 }
54cdb463
PH
1442
1443/* check if we must check any message/rfc822 attachments */
4e88a19f
PH
1444if (rc == OK)
1445 {
5b6f7658
JH
1446 uschar * scandir = string_copyn(mbox_filename,
1447 Ustrrchr(mbox_filename, '/') - mbox_filename);
e8bc7fca
JH
1448 struct dirent * entry;
1449 DIR * tempdir;
54cdb463 1450
5b6f7658 1451 for (tempdir = opendir(CS scandir); entry = readdir(tempdir); )
e8bc7fca 1452 if (strncmpic(US entry->d_name, US"__rfc822_", 9) == 0)
4e88a19f 1453 {
5b6f7658
JH
1454 rfc822_file_path = string_sprintf("%s/%s", scandir, entry->d_name);
1455 DEBUG(D_receive)
1456 debug_printf("RFC822 attachment detected: running MIME ACL for '%s'\n",
1457 rfc822_file_path);
4e88a19f
PH
1458 break;
1459 }
4e88a19f 1460 closedir(tempdir);
54cdb463 1461
5b6f7658 1462 if (rfc822_file_path)
4e88a19f 1463 {
e8bc7fca 1464 if ((mbox_file = Ufopen(rfc822_file_path, "rb")))
4e88a19f 1465 {
e8bc7fca
JH
1466 /* set RFC822 expansion variable */
1467 mime_is_rfc822 = 1;
1468 mime_part_count_buffer = mime_part_count;
1469 goto MIME_ACL_CHECK;
4e88a19f 1470 }
e8bc7fca
JH
1471 log_write(0, LOG_PANIC,
1472 "acl_smtp_mime: can't open RFC822 spool file, skipping.");
1473 unlink(CS rfc822_file_path);
4e88a19f
PH
1474 }
1475 }
54cdb463
PH
1476
1477END_MIME_ACL:
578d43dc 1478add_acl_headers(ACL_WHERE_MIME, US"MIME");
54cdb463
PH
1479if (rc == DISCARD)
1480 {
1481 recipients_count = 0;
1482 *blackholed_by_ptr = US"MIME ACL";
1bd642c2 1483 cancel_cutthrough_connection(TRUE, US"mime acl discard");
54cdb463
PH
1484 }
1485else if (rc != OK)
1486 {
1487 Uunlink(spool_name);
1bd642c2 1488 cancel_cutthrough_connection(TRUE, US"mime acl not ok");
54cdb463 1489 unspool_mbox();
6f0c431a
PP
1490#ifdef EXPERIMENTAL_DCC
1491 dcc_ok = 0;
1492#endif
5b6f7658 1493 if (smtp_input)
4f6ae5c3 1494 {
5b6f7658
JH
1495 if (smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0)
1496 *smtp_yield_ptr = FALSE; /* No more messages after dropped connection */
f4c1088b 1497 *smtp_reply_ptr = US""; /* Indicate reply already sent */
4f6ae5c3 1498 }
54cdb463
PH
1499 message_id[0] = 0; /* Indicate no message accepted */
1500 return FALSE; /* Cause skip to end of receive function */
4e88a19f 1501 }
54cdb463
PH
1502
1503return TRUE;
1504}
1505
63955bf2 1506#endif /* WITH_CONTENT_SCAN */
54cdb463
PH
1507
1508
e4bdf652
JH
1509
1510void
1511received_header_gen(void)
1512{
1513uschar *received;
1514uschar *timestamp;
1515header_line *received_header= header_list;
1516
1517timestamp = expand_string(US"${tod_full}");
1518if (recipients_count == 1) received_for = recipients_list[0].address;
1519received = expand_string(received_header_text);
1520received_for = NULL;
1521
d4ff61d1 1522if (!received)
e4bdf652
JH
1523 {
1524 if(spool_name[0] != 0)
1525 Uunlink(spool_name); /* Lose the data file */
1526 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
1527 "(received_header_text) failed: %s", string_printing(received_header_text),
1528 expand_string_message);
1529 }
1530
1531/* The first element on the header chain is reserved for the Received header,
1532so all we have to do is fill in the text pointer, and set the type. However, if
1533the result of the expansion is an empty string, we leave the header marked as
1534"old" so as to refrain from adding a Received header. */
1535
1536if (received[0] == 0)
1537 {
1538 received_header->text = string_sprintf("Received: ; %s\n", timestamp);
1539 received_header->type = htype_old;
1540 }
1541else
1542 {
1543 received_header->text = string_sprintf("%s; %s\n", received, timestamp);
1544 received_header->type = htype_received;
1545 }
1546
1547received_header->slen = Ustrlen(received_header->text);
1548
1549DEBUG(D_receive) debug_printf(">>Generated Received: header line\n%c %s",
1550 received_header->type, received_header->text);
1551}
1552
1553
1554
54cdb463 1555/*************************************************
059ec3d9
PH
1556* Receive message *
1557*************************************************/
1558
1559/* Receive a message on the given input, and put it into a pair of spool files.
1560Either a non-null list of recipients, or the extract flag will be true, or
1561both. The flag sender_local is true for locally generated messages. The flag
1562submission_mode is true if an ACL has obeyed "control = submission". The flag
8800895a 1563suppress_local_fixups is true if an ACL has obeyed "control =
f4ee74ac
PP
1564suppress_local_fixups" or -G was passed on the command-line.
1565The flag smtp_input is true if the message is to be
8800895a
PH
1566handled using SMTP conventions about termination and lines starting with dots.
1567For non-SMTP messages, dot_ends is true for dot-terminated messages.
059ec3d9
PH
1568
1569If a message was successfully read, message_id[0] will be non-zero.
1570
1571The general actions of this function are:
1572
1573 . Read the headers of the message (if any) into a chain of store
1574 blocks.
1575
1576 . If there is a "sender:" header and the message is locally originated,
69358f02
PH
1577 throw it away, unless the caller is trusted, or unless
1578 active_local_sender_retain is set - which can only happen if
1579 active_local_from_check is false.
059ec3d9
PH
1580
1581 . If recipients are to be extracted from the message, build the
1582 recipients list from the headers, removing any that were on the
1583 original recipients list (unless extract_addresses_remove_arguments is
1584 false), and at the same time, remove any bcc header that may be present.
1585
1586 . Get the spool file for the data, sort out its unique name, open
1587 and lock it (but don't give it the name yet).
1588
1589 . Generate a "Message-Id" header if the message doesn't have one, for
1590 locally-originated messages.
1591
1592 . Generate a "Received" header.
1593
1594 . Ensure the recipients list is fully qualified and rewritten if necessary.
1595
1596 . If there are any rewriting rules, apply them to the sender address
1597 and also to the headers.
1598
1599 . If there is no from: header, generate one, for locally-generated messages
1600 and messages in "submission mode" only.
1601
1602 . If the sender is local, check that from: is correct, and if not, generate
1603 a Sender: header, unless message comes from a trusted caller, or this
69358f02 1604 feature is disabled by active_local_from_check being false.
059ec3d9
PH
1605
1606 . If there is no "date" header, generate one, for locally-originated
1607 or submission mode messages only.
1608
1609 . Copy the rest of the input, or up to a terminating "." if in SMTP or
1610 dot_ends mode, to the data file. Leave it open, to hold the lock.
1611
1612 . Write the envelope and the headers to a new file.
1613
1614 . Set the name for the header file; close it.
1615
1616 . Set the name for the data file; close it.
1617
1618Because this function can potentially be called many times in a single
1619SMTP connection, all store should be got by store_get(), so that it will be
1620automatically retrieved after the message is accepted.
1621
1622FUDGE: It seems that sites on the net send out messages with just LF
1623terminators, despite the warnings in the RFCs, and other MTAs handle this. So
1624we make the CRs optional in all cases.
1625
1626July 2003: Bare CRs in messages, especially in header lines, cause trouble. A
1627new regime is now in place in which bare CRs in header lines are turned into LF
1628followed by a space, so as not to terminate the header line.
1629
1630February 2004: A bare LF in a header line in a message whose first line was
1631terminated by CRLF is treated in the same way as a bare CR.
1632
1633Arguments:
1634 extract_recip TRUE if recipients are to be extracted from the message's
1635 headers
1636
1637Returns: TRUE there are more messages to be read (SMTP input)
1638 FALSE there are no more messages to be read (non-SMTP input
1639 or SMTP connection collapsed, or other failure)
1640
1641When reading a message for filter testing, the returned value indicates
1642whether the headers (which is all that is read) were terminated by '.' or
1643not. */
1644
1645BOOL
1646receive_msg(BOOL extract_recip)
1647{
7156b1ef 1648int rc = FAIL;
059ec3d9
PH
1649int msg_size = 0;
1650int process_info_len = Ustrlen(process_info);
d342446f
JH
1651int error_rc = error_handling == ERRORS_SENDER
1652 ? errors_sender_rc : EXIT_FAILURE;
059ec3d9 1653int header_size = 256;
acec9514 1654int start, end, domain;
099afc4f 1655int id_resolution = 0;
059ec3d9 1656int had_zero = 0;
d677b2f2 1657int prevlines_length = 0;
059ec3d9 1658
cfbb0d24 1659int ptr = 0;
059ec3d9
PH
1660
1661BOOL contains_resent_headers = FALSE;
1662BOOL extracted_ignored = FALSE;
1663BOOL first_line_ended_crlf = TRUE_UNSET;
1664BOOL smtp_yield = TRUE;
1665BOOL yield = FALSE;
1666
1667BOOL resents_exist = FALSE;
1668uschar *resent_prefix = US"";
1669uschar *blackholed_by = NULL;
04f7d5b9 1670uschar *blackhole_log_msg = US"";
c5430c20 1671enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done = NOT_TRIED;
059ec3d9
PH
1672
1673flock_t lock_data;
1674error_block *bad_addresses = NULL;
1675
1676uschar *frozen_by = NULL;
1677uschar *queued_by = NULL;
1678
acec9514 1679uschar *errmsg;
f3ebb786 1680rmark rcvd_log_reset_point;
acec9514 1681gstring * g;
059ec3d9
PH
1682struct stat statbuf;
1683
4e88a19f 1684/* Final message to give to SMTP caller, and messages from ACLs */
059ec3d9
PH
1685
1686uschar *smtp_reply = NULL;
4e88a19f 1687uschar *user_msg, *log_msg;
059ec3d9
PH
1688
1689/* Working header pointers */
1690
f3ebb786 1691rmark reset_point;
d7978c0f 1692header_line *next;
059ec3d9 1693
2cbb4081 1694/* Flags for noting the existence of certain headers (only one left) */
059ec3d9
PH
1695
1696BOOL date_header_exists = FALSE;
1697
1698/* Pointers to receive the addresses of headers whose contents we need. */
1699
1700header_line *from_header = NULL;
1701header_line *subject_header = NULL;
1702header_line *msgid_header = NULL;
1703header_line *received_header;
049782c0 1704BOOL msgid_header_newly_created = FALSE;
059ec3d9
PH
1705
1706/* Variables for use when building the Received: header. */
1707
059ec3d9
PH
1708uschar *timestamp;
1709int tslen;
1710
9723f966 1711
059ec3d9
PH
1712/* Release any open files that might have been cached while preparing to
1713accept the message - e.g. by verifying addresses - because reading a message
1714might take a fair bit of real time. */
1715
1716search_tidyup();
1717
e4bdf652
JH
1718/* Extracting the recipient list from an input file is incompatible with
1719cutthrough delivery with the no-spool option. It shouldn't be possible
817d9f57 1720to set up the combination, but just in case kill any ongoing connection. */
e4bdf652 1721if (extract_recip || !smtp_input)
57cc2785 1722 cancel_cutthrough_connection(TRUE, US"not smtp input");
e4bdf652 1723
059ec3d9
PH
1724/* Initialize the chain of headers by setting up a place-holder for Received:
1725header. Temporarily mark it as "old", i.e. not to be used. We keep header_last
1726pointing to the end of the chain to make adding headers simple. */
1727
f3ebb786 1728received_header = header_list = header_last = store_get(sizeof(header_line), FALSE);
059ec3d9
PH
1729header_list->next = NULL;
1730header_list->type = htype_old;
1731header_list->text = NULL;
1732header_list->slen = 0;
1733
1734/* Control block for the next header to be read. */
1735
f3ebb786
JH
1736reset_point = store_mark();
1737next = store_get(sizeof(header_line), FALSE); /* not tainted */
1738next->text = store_get(header_size, TRUE); /* tainted */
059ec3d9
PH
1739
1740/* Initialize message id to be null (indicating no message read), and the
1741header names list to be the normal list. Indicate there is no data file open
1742yet, initialize the size and warning count, and deal with no size limit. */
1743
1744message_id[0] = 0;
1bd642c2 1745spool_data_file = NULL;
059ec3d9 1746data_fd = -1;
41313d92 1747spool_name = US"";
059ec3d9
PH
1748message_size = 0;
1749warning_count = 0;
d677b2f2 1750received_count = 1; /* For the one we will add */
059ec3d9
PH
1751
1752if (thismessage_size_limit <= 0) thismessage_size_limit = INT_MAX;
1753
2e0c1448 1754/* While reading the message, the following counts are computed. */
059ec3d9 1755
d677b2f2
PH
1756message_linecount = body_linecount = body_zerocount =
1757 max_received_linelength = 0;
059ec3d9 1758
80a47a2c 1759#ifndef DISABLE_DKIM
e983e85a
JH
1760/* Call into DKIM to set up the context. In CHUNKING mode
1761we clear the dot-stuffing flag */
8768d548 1762if (smtp_input && !smtp_batched_input && !f.dkim_disable_verify)
e983e85a 1763 dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);
fb2274d4
TK
1764#endif
1765
1a2e76e1 1766#ifdef SUPPORT_DMARC
39fdec3c 1767if (sender_host_address) dmarc_init(); /* initialize libopendmarc */
4840604e
TL
1768#endif
1769
059ec3d9
PH
1770/* Remember the time of reception. Exim uses time+pid for uniqueness of message
1771ids, and fractions of a second are required. See the comments that precede the
1772message id creation below. */
1773
1774(void)gettimeofday(&message_id_tv, NULL);
1775
1776/* For other uses of the received time we can operate with granularity of one
1777second, and for that we use the global variable received_time. This is for
306c6c77 1778things like ultimate message timeouts. */
059ec3d9 1779
32dfdf8b 1780received_time = message_id_tv;
059ec3d9
PH
1781
1782/* If SMTP input, set the special handler for timeouts. The alarm() calls
1783happen in the smtp_getc() function when it refills its buffer. */
1784
9723f966
JH
1785had_data_timeout = 0;
1786if (smtp_input)
1787 os_non_restarting_signal(SIGALRM, data_timeout_handler);
059ec3d9
PH
1788
1789/* If not SMTP input, timeout happens only if configured, and we just set a
1790single timeout for the whole message. */
1791
1792else if (receive_timeout > 0)
1793 {
1794 os_non_restarting_signal(SIGALRM, data_timeout_handler);
c2a1bba0 1795 ALARM(receive_timeout);
059ec3d9
PH
1796 }
1797
1798/* SIGTERM and SIGINT are caught always. */
1799
9723f966 1800had_data_sigint = 0;
059ec3d9
PH
1801signal(SIGTERM, data_sigterm_sigint_handler);
1802signal(SIGINT, data_sigterm_sigint_handler);
1803
1804/* Header lines in messages are not supposed to be very long, though when
1805unfolded, to: and cc: headers can take up a lot of store. We must also cope
1806with the possibility of junk being thrown at us. Start by getting 256 bytes for
1807storing the header, and extend this as necessary using string_cat().
1808
1809To cope with total lunacies, impose an upper limit on the length of the header
1810section of the message, as otherwise the store will fill up. We must also cope
1811with the possibility of binary zeros in the data. Hence we cannot use fgets().
1812Folded header lines are joined into one string, leaving the '\n' characters
1813inside them, so that writing them out reproduces the input.
1814
1815Loop for each character of each header; the next structure for chaining the
1816header is set up already, with ptr the offset of the next character in
1817next->text. */
1818
1819for (;;)
1820 {
bd8fbe36 1821 int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1822
1823 /* If we hit EOF on a SMTP connection, it's an error, since incoming
1824 SMTP must have a correct "." terminator. */
1825
1826 if (ch == EOF && smtp_input /* && !smtp_batched_input */)
1827 {
1828 smtp_reply = handle_lost_connection(US" (header)");
1829 smtp_yield = FALSE;
1830 goto TIDYUP; /* Skip to end of function */
1831 }
1832
1833 /* See if we are at the current header's size limit - there must be at least
1834 four bytes left. This allows for the new character plus a zero, plus two for
1835 extra insertions when we are playing games with dots and carriage returns. If
1836 we are at the limit, extend the text buffer. This could have been done
1837 automatically using string_cat() but because this is a tightish loop storing
1838 only one character at a time, we choose to do it inline. Normally
1839 store_extend() will be able to extend the block; only at the end of a big
1840 store block will a copy be needed. To handle the case of very long headers
1841 (and sometimes lunatic messages can have ones that are 100s of K long) we
1842 call store_release() for strings that have been copied - if the string is at
1843 the start of a block (and therefore the only thing in it, because we aren't
4e6ae623
JH
1844 doing any other gets), the block gets freed. We can only do this release if
1845 there were no allocations since the once that we want to free. */
059ec3d9
PH
1846
1847 if (ptr >= header_size - 4)
1848 {
1849 int oldsize = header_size;
56ac062a
JH
1850
1851 if (header_size >= INT_MAX/2)
1852 goto OVERSIZE;
059ec3d9 1853 header_size *= 2;
56ac062a 1854
f3ebb786
JH
1855 /* The data came from the message, so is tainted. */
1856
1857 if (!store_extend(next->text, TRUE, oldsize, header_size))
1858 next->text = store_newblock(next->text, TRUE, header_size, ptr);
059ec3d9
PH
1859 }
1860
1861 /* Cope with receiving a binary zero. There is dispute about whether
1862 these should be allowed in RFC 822 messages. The middle view is that they
1863 should not be allowed in headers, at least. Exim takes this attitude at
1864 the moment. We can't just stomp on them here, because we don't know that
1865 this line is a header yet. Set a flag to cause scanning later. */
1866
1867 if (ch == 0) had_zero++;
1868
1869 /* Test for termination. Lines in remote SMTP are terminated by CRLF, while
1870 those from data files use just LF. Treat LF in local SMTP input as a
1871 terminator too. Treat EOF as a line terminator always. */
1872
1873 if (ch == EOF) goto EOL;
1874
1875 /* FUDGE: There are sites out there that don't send CRs before their LFs, and
1876 other MTAs accept this. We are therefore forced into this "liberalisation"
1877 too, so we accept LF as a line terminator whatever the source of the message.
1878 However, if the first line of the message ended with a CRLF, we treat a bare
1879 LF specially by inserting a white space after it to ensure that the header
1880 line is not terminated. */
1881
1882 if (ch == '\n')
1883 {
1884 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE;
80a47a2c 1885 else if (first_line_ended_crlf) receive_ungetc(' ');
059ec3d9
PH
1886 goto EOL;
1887 }
1888
1889 /* This is not the end of the line. If this is SMTP input and this is
1890 the first character in the line and it is a "." character, ignore it.
1891 This implements the dot-doubling rule, though header lines starting with
1892 dots aren't exactly common. They are legal in RFC 822, though. If the
1893 following is CRLF or LF, this is the line that that terminates the
1894 entire message. We set message_ended to indicate this has happened (to
1895 prevent further reading), and break out of the loop, having freed the
1896 empty header, and set next = NULL to indicate no data line. */
1897
8768d548 1898 if (ptr == 0 && ch == '.' && f.dot_ends)
059ec3d9 1899 {
bd8fbe36 1900 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1901 if (ch == '\r')
1902 {
bd8fbe36 1903 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1904 if (ch != '\n')
1905 {
80a47a2c 1906 receive_ungetc(ch);
059ec3d9
PH
1907 ch = '\r'; /* Revert to CR */
1908 }
1909 }
1910 if (ch == '\n')
1911 {
1912 message_ended = END_DOT;
f3ebb786 1913 reset_point = store_reset(reset_point);
059ec3d9
PH
1914 next = NULL;
1915 break; /* End character-reading loop */
1916 }
1917
1918 /* For non-SMTP input, the dot at the start of the line was really a data
1919 character. What is now in ch is the following character. We guaranteed
1920 enough space for this above. */
1921
1922 if (!smtp_input)
1923 {
1924 next->text[ptr++] = '.';
1925 message_size++;
1926 }
1927 }
1928
1929 /* If CR is immediately followed by LF, end the line, ignoring the CR, and
1930 remember this case if this is the first line ending. */
1931
1932 if (ch == '\r')
1933 {
bd8fbe36 1934 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1935 if (ch == '\n')
1936 {
1937 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
1938 goto EOL;
1939 }
1940
1941 /* Otherwise, put back the character after CR, and turn the bare CR
1942 into LF SP. */
1943
80a47a2c 1944 ch = (receive_ungetc)(ch);
059ec3d9
PH
1945 next->text[ptr++] = '\n';
1946 message_size++;
1947 ch = ' ';
1948 }
1949
1950 /* We have a data character for the header line. */
1951
1952 next->text[ptr++] = ch; /* Add to buffer */
1953 message_size++; /* Total message size so far */
1954
1955 /* Handle failure due to a humungously long header section. The >= allows
1956 for the terminating \n. Add what we have so far onto the headers list so
1957 that it gets reflected in any error message, and back up the just-read
1958 character. */
1959
1960 if (message_size >= header_maxsize)
1961 {
56ac062a 1962OVERSIZE:
059ec3d9
PH
1963 next->text[ptr] = 0;
1964 next->slen = ptr;
1965 next->type = htype_other;
1966 next->next = NULL;
1967 header_last->next = next;
1968 header_last = next;
1969
1970 log_write(0, LOG_MAIN, "ridiculously long message header received from "
1971 "%s (more than %d characters): message abandoned",
8768d548 1972 f.sender_host_unknown ? sender_ident : sender_fullhost, header_maxsize);
059ec3d9
PH
1973
1974 if (smtp_input)
1975 {
1976 smtp_reply = US"552 Message header is ridiculously long";
1977 receive_swallow_smtp();
1978 goto TIDYUP; /* Skip to end of function */
1979 }
1980
1981 else
1982 {
1983 give_local_error(ERRMESS_VLONGHEADER,
1984 string_sprintf("message header longer than %d characters received: "
1985 "message not accepted", header_maxsize), US"", error_rc, stdin,
1986 header_list->next);
1987 /* Does not return */
1988 }
1989 }
1990
1991 continue; /* With next input character */
1992
1993 /* End of header line reached */
1994
1995 EOL:
2e0c1448
PH
1996
1997 /* Keep track of lines for BSMTP errors and overall message_linecount. */
1998
1999 receive_linecount++;
2000 message_linecount++;
059ec3d9 2001
d677b2f2
PH
2002 /* Keep track of maximum line length */
2003
2004 if (ptr - prevlines_length > max_received_linelength)
2005 max_received_linelength = ptr - prevlines_length;
2006 prevlines_length = ptr + 1;
2007
059ec3d9
PH
2008 /* Now put in the terminating newline. There is always space for
2009 at least two more characters. */
2010
2011 next->text[ptr++] = '\n';
2012 message_size++;
2013
2014 /* A blank line signals the end of the headers; release the unwanted
2015 space and set next to NULL to indicate this. */
2016
2017 if (ptr == 1)
2018 {
f3ebb786 2019 reset_point = store_reset(reset_point);
059ec3d9
PH
2020 next = NULL;
2021 break;
2022 }
2023
2024 /* There is data in the line; see if the next input character is a
2025 whitespace character. If it is, we have a continuation of this header line.
2026 There is always space for at least one character at this point. */
2027
2028 if (ch != EOF)
2029 {
bd8fbe36 2030 int nextch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
2031 if (nextch == ' ' || nextch == '\t')
2032 {
2033 next->text[ptr++] = nextch;
56ac062a
JH
2034 if (++message_size >= header_maxsize)
2035 goto OVERSIZE;
059ec3d9
PH
2036 continue; /* Iterate the loop */
2037 }
80a47a2c 2038 else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */
059ec3d9
PH
2039 else ch = EOF; /* Cause main loop to exit at end */
2040 }
2041
2042 /* We have got to the real line end. Terminate the string and release store
2043 beyond it. If it turns out to be a real header, internal binary zeros will
2044 be squashed later. */
2045
2046 next->text[ptr] = 0;
2047 next->slen = ptr;
f3ebb786 2048 store_release_above(next->text + ptr + 1);
059ec3d9
PH
2049
2050 /* Check the running total size against the overall message size limit. We
2051 don't expect to fail here, but if the overall limit is set less than MESSAGE_
2052 MAXSIZE and a big header is sent, we want to catch it. Just stop reading
2053 headers - the code to read the body will then also hit the buffer. */
2054
2055 if (message_size > thismessage_size_limit) break;
2056
2057 /* A line that is not syntactically correct for a header also marks
2058 the end of the headers. In this case, we leave next containing the
2059 first data line. This might actually be several lines because of the
2060 continuation logic applied above, but that doesn't matter.
2061
2062 It turns out that smail, and presumably sendmail, accept leading lines
2063 of the form
2064
2065 From ph10 Fri Jan 5 12:35 GMT 1996
2066
2067 in messages. The "mail" command on Solaris 2 sends such lines. I cannot
2068 find any documentation of this, but for compatibility it had better be
2069 accepted. Exim restricts it to the case of non-smtp messages, and
2070 treats it as an alternative to the -f command line option. Thus it is
2071 ignored except for trusted users or filter testing. Otherwise it is taken
2072 as the sender address, unless -f was used (sendmail compatibility).
2073
2074 It further turns out that some UUCPs generate the From_line in a different
2075 format, e.g.
2076
2077 From ph10 Fri, 7 Jan 97 14:00:00 GMT
2078
2079 The regex for matching these things is now capable of recognizing both
2080 formats (including 2- and 4-digit years in the latter). In fact, the regex
2081 is now configurable, as is the expansion string to fish out the sender.
2082
2083 Even further on it has been discovered that some broken clients send
2084 these lines in SMTP messages. There is now an option to ignore them from
2085 specified hosts or networks. Sigh. */
2086
d21bf202
JH
2087 if ( header_last == header_list
2088 && ( !smtp_input
2089 || ( sender_host_address
2090 && verify_check_host(&ignore_fromline_hosts) == OK
2091 )
2092 || (!sender_host_address && ignore_fromline_local)
2093 )
2094 && regex_match_and_setup(regex_From, next->text, 0, -1)
2095 )
059ec3d9 2096 {
8768d548 2097 if (!f.sender_address_forced)
059ec3d9
PH
2098 {
2099 uschar *uucp_sender = expand_string(uucp_from_sender);
d21bf202 2100 if (!uucp_sender)
059ec3d9
PH
2101 log_write(0, LOG_MAIN|LOG_PANIC,
2102 "expansion of \"%s\" failed after matching "
2103 "\"From \" line: %s", uucp_from_sender, expand_string_message);
059ec3d9
PH
2104 else
2105 {
2106 int start, end, domain;
2107 uschar *errmess;
2108 uschar *newsender = parse_extract_address(uucp_sender, &errmess,
2109 &start, &end, &domain, TRUE);
d21bf202 2110 if (newsender)
059ec3d9
PH
2111 {
2112 if (domain == 0 && newsender[0] != 0)
2113 newsender = rewrite_address_qualify(newsender, FALSE);
2114
f05da2e8 2115 if (filter_test != FTEST_NONE || receive_check_set_sender(newsender))
059ec3d9
PH
2116 {
2117 sender_address = newsender;
2118
8768d548 2119 if (f.trusted_caller || filter_test != FTEST_NONE)
059ec3d9
PH
2120 {
2121 authenticated_sender = NULL;
2122 originator_name = US"";
8768d548 2123 f.sender_local = FALSE;
059ec3d9
PH
2124 }
2125
f05da2e8 2126 if (filter_test != FTEST_NONE)
059ec3d9
PH
2127 printf("Sender taken from \"From \" line\n");
2128 }
2129 }
2130 }
2131 }
2132 }
2133
2134 /* Not a leading "From " line. Check to see if it is a valid header line.
2135 Header names may contain any non-control characters except space and colon,
2136 amazingly. */
2137
2138 else
2139 {
2140 uschar *p = next->text;
2141
2142 /* If not a valid header line, break from the header reading loop, leaving
2143 next != NULL, indicating that it holds the first line of the body. */
2144
2145 if (isspace(*p)) break;
2146 while (mac_isgraph(*p) && *p != ':') p++;
2147 while (isspace(*p)) p++;
2148 if (*p != ':')
2149 {
2150 body_zerocount = had_zero;
2151 break;
2152 }
2153
2154 /* We have a valid header line. If there were any binary zeroes in
2155 the line, stomp on them here. */
2156
2157 if (had_zero > 0)
d7978c0f
JH
2158 for (uschar * p = next->text; p < next->text + ptr; p++) if (*p == 0)
2159 *p = '?';
059ec3d9
PH
2160
2161 /* It is perfectly legal to have an empty continuation line
2162 at the end of a header, but it is confusing to humans
2163 looking at such messages, since it looks like a blank line.
2164 Reduce confusion by removing redundant white space at the
2165 end. We know that there is at least one printing character
2166 (the ':' tested for above) so there is no danger of running
2167 off the end. */
2168
2169 p = next->text + ptr - 2;
2170 for (;;)
2171 {
2172 while (*p == ' ' || *p == '\t') p--;
2173 if (*p != '\n') break;
2174 ptr = (p--) - next->text + 1;
2175 message_size -= next->slen - ptr;
2176 next->text[ptr] = 0;
2177 next->slen = ptr;
2178 }
2179
2180 /* Add the header to the chain */
2181
2182 next->type = htype_other;
2183 next->next = NULL;
2184 header_last->next = next;
2185 header_last = next;
2186
2187 /* Check the limit for individual line lengths. This comes after adding to
2188 the chain so that the failing line is reflected if a bounce is generated
2189 (for a local message). */
2190
2191 if (header_line_maxsize > 0 && next->slen > header_line_maxsize)
2192 {
2193 log_write(0, LOG_MAIN, "overlong message header line received from "
2194 "%s (more than %d characters): message abandoned",
8768d548 2195 f.sender_host_unknown ? sender_ident : sender_fullhost,
059ec3d9
PH
2196 header_line_maxsize);
2197
2198 if (smtp_input)
2199 {
2200 smtp_reply = US"552 A message header line is too long";
2201 receive_swallow_smtp();
2202 goto TIDYUP; /* Skip to end of function */
2203 }
2204
2205 else
059ec3d9
PH
2206 give_local_error(ERRMESS_VLONGHDRLINE,
2207 string_sprintf("message header line longer than %d characters "
2208 "received: message not accepted", header_line_maxsize), US"",
2209 error_rc, stdin, header_list->next);
2210 /* Does not return */
059ec3d9
PH
2211 }
2212
2213 /* Note if any resent- fields exist. */
2214
2215 if (!resents_exist && strncmpic(next->text, US"resent-", 7) == 0)
2216 {
2217 resents_exist = TRUE;
2218 resent_prefix = US"Resent-";
2219 }
2220 }
2221
1ebe15c3
JH
2222 /* Reject CHUNKING messages that do not CRLF their first header line */
2223
2224 if (!first_line_ended_crlf && chunking_state > CHUNKING_OFFERED)
2225 {
2226 log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
2227 "Non-CRLF-terminated header, under CHUNKING: message abandoned",
2228 sender_address,
2229 sender_fullhost ? " H=" : "", sender_fullhost ? sender_fullhost : US"",
2230 sender_ident ? " U=" : "", sender_ident ? sender_ident : US"");
925ac8e4 2231 smtp_printf("552 Message header not CRLF terminated\r\n", FALSE);
1ebe15c3
JH
2232 bdat_flush_data();
2233 smtp_reply = US"";
2234 goto TIDYUP; /* Skip to end of function */
2235 }
2236
059ec3d9
PH
2237 /* The line has been handled. If we have hit EOF, break out of the loop,
2238 indicating no pending data line. */
2239
2240 if (ch == EOF) { next = NULL; break; }
2241
2242 /* Set up for the next header */
2243
f3ebb786 2244 reset_point = store_mark();
059ec3d9 2245 header_size = 256;
f3ebb786
JH
2246 next = store_get(sizeof(header_line), FALSE);
2247 next->text = store_get(header_size, TRUE);
059ec3d9
PH
2248 ptr = 0;
2249 had_zero = 0;
d677b2f2 2250 prevlines_length = 0;
059ec3d9
PH
2251 } /* Continue, starting to read the next header */
2252
2253/* At this point, we have read all the headers into a data structure in main
2254store. The first header is still the dummy placeholder for the Received: header
2255we are going to generate a bit later on. If next != NULL, it contains the first
2256data line - which terminated the headers before reaching a blank line (not the
2257normal case). */
2258
2259DEBUG(D_receive)
2260 {
2261 debug_printf(">>Headers received:\n");
d7978c0f 2262 for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH
2263 debug_printf("%s", h->text);
2264 debug_printf("\n");
2265 }
2266
2267/* End of file on any SMTP connection is an error. If an incoming SMTP call
2268is dropped immediately after valid headers, the next thing we will see is EOF.
2269We must test for this specially, as further down the reading of the data is
2270skipped if already at EOF. */
2271
2272if (smtp_input && (receive_feof)())
2273 {
2274 smtp_reply = handle_lost_connection(US" (after header)");
2275 smtp_yield = FALSE;
2276 goto TIDYUP; /* Skip to end of function */
2277 }
2278
2279/* If this is a filter test run and no headers were read, output a warning
2280in case there is a mistake in the test message. */
2281
f05da2e8 2282if (filter_test != FTEST_NONE && header_list->next == NULL)
059ec3d9
PH
2283 printf("Warning: no message headers read\n");
2284
2285
2286/* Scan the headers to identify them. Some are merely marked for later
2287processing; some are dealt with here. */
2288
d7978c0f 2289for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH
2290 {
2291 BOOL is_resent = strncmpic(h->text, US"resent-", 7) == 0;
2292 if (is_resent) contains_resent_headers = TRUE;
2293
2294 switch (header_checkname(h, is_resent))
2295 {
059ec3d9 2296 case htype_bcc:
c674e7a4
JH
2297 h->type = htype_bcc; /* Both Bcc: and Resent-Bcc: */
2298 break;
059ec3d9 2299
059ec3d9 2300 case htype_cc:
c674e7a4
JH
2301 h->type = htype_cc; /* Both Cc: and Resent-Cc: */
2302 break;
059ec3d9 2303
c674e7a4 2304 /* Record whether a Date: or Resent-Date: header exists, as appropriate. */
059ec3d9
PH
2305
2306 case htype_date:
c674e7a4
JH
2307 if (!resents_exist || is_resent) date_header_exists = TRUE;
2308 break;
059ec3d9 2309
c674e7a4 2310 /* Same comments as about Return-Path: below. */
059ec3d9
PH
2311
2312 case htype_delivery_date:
c674e7a4
JH
2313 if (delivery_date_remove) h->type = htype_old;
2314 break;
059ec3d9 2315
c674e7a4 2316 /* Same comments as about Return-Path: below. */
059ec3d9
PH
2317
2318 case htype_envelope_to:
c674e7a4
JH
2319 if (envelope_to_remove) h->type = htype_old;
2320 break;
059ec3d9 2321
c674e7a4
JH
2322 /* Mark all "From:" headers so they get rewritten. Save the one that is to
2323 be used for Sender: checking. For Sendmail compatibility, if the "From:"
2324 header consists of just the login id of the user who called Exim, rewrite
2325 it with the gecos field first. Apply this rule to Resent-From: if there
2326 are resent- fields. */
059ec3d9
PH
2327
2328 case htype_from:
c674e7a4
JH
2329 h->type = htype_from;
2330 if (!resents_exist || is_resent)
2331 {
2332 from_header = h;
2333 if (!smtp_input)
2334 {
2335 int len;
2336 uschar *s = Ustrchr(h->text, ':') + 1;
2337 while (isspace(*s)) s++;
2338 len = h->slen - (s - h->text) - 1;
2339 if (Ustrlen(originator_login) == len &&
2340 strncmpic(s, originator_login, len) == 0)
2341 {
2342 uschar *name = is_resent? US"Resent-From" : US"From";
2343 header_add(htype_from, "%s: %s <%s@%s>\n", name, originator_name,
2344 originator_login, qualify_domain_sender);
2345 from_header = header_last;
2346 h->type = htype_old;
2347 DEBUG(D_receive|D_rewrite)
2348 debug_printf("rewrote \"%s:\" header using gecos\n", name);
2349 }
2350 }
2351 }
2352 break;
059ec3d9 2353
c674e7a4
JH
2354 /* Identify the Message-id: header for generating "in-reply-to" in the
2355 autoreply transport. For incoming logging, save any resent- value. In both
2356 cases, take just the first of any multiples. */
059ec3d9
PH
2357
2358 case htype_id:
c674e7a4
JH
2359 if (!msgid_header && (!resents_exist || is_resent))
2360 {
2361 msgid_header = h;
2362 h->type = htype_id;
2363 }
2364 break;
059ec3d9 2365
c674e7a4 2366 /* Flag all Received: headers */
059ec3d9
PH
2367
2368 case htype_received:
c674e7a4
JH
2369 h->type = htype_received;
2370 received_count++;
2371 break;
059ec3d9 2372
c674e7a4 2373 /* "Reply-to:" is just noted (there is no resent-reply-to field) */
059ec3d9
PH
2374
2375 case htype_reply_to:
c674e7a4
JH
2376 h->type = htype_reply_to;
2377 break;
059ec3d9 2378
c674e7a4
JH
2379 /* The Return-path: header is supposed to be added to messages when
2380 they leave the SMTP system. We shouldn't receive messages that already
2381 contain Return-path. However, since Exim generates Return-path: on
2382 local delivery, resent messages may well contain it. We therefore
2383 provide an option (which defaults on) to remove any Return-path: headers
2384 on input. Removal actually means flagging as "old", which prevents the
2385 header being transmitted with the message. */
059ec3d9
PH
2386
2387 case htype_return_path:
c674e7a4 2388 if (return_path_remove) h->type = htype_old;
059ec3d9 2389
c674e7a4
JH
2390 /* If we are testing a mail filter file, use the value of the
2391 Return-Path: header to set up the return_path variable, which is not
2392 otherwise set. However, remove any <> that surround the address
2393 because the variable doesn't have these. */
059ec3d9 2394
c674e7a4
JH
2395 if (filter_test != FTEST_NONE)
2396 {
2397 uschar *start = h->text + 12;
2398 uschar *end = start + Ustrlen(start);
2399 while (isspace(*start)) start++;
2400 while (end > start && isspace(end[-1])) end--;
2401 if (*start == '<' && end[-1] == '>')
2402 {
2403 start++;
2404 end--;
2405 }
2406 return_path = string_copyn(start, end - start);
2407 printf("Return-path taken from \"Return-path:\" header line\n");
2408 }
2409 break;
059ec3d9
PH
2410
2411 /* If there is a "Sender:" header and the message is locally originated,
8800895a
PH
2412 and from an untrusted caller and suppress_local_fixups is not set, or if we
2413 are in submission mode for a remote message, mark it "old" so that it will
2414 not be transmitted with the message, unless active_local_sender_retain is
2415 set. (This can only be true if active_local_from_check is false.) If there
2416 are any resent- headers in the message, apply this rule to Resent-Sender:
2417 instead of Sender:. Messages with multiple resent- header sets cannot be
2418 tidily handled. (For this reason, at least one MUA - Pine - turns old
2419 resent- headers into X-resent- headers when resending, leaving just one
2420 set.) */
059ec3d9
PH
2421
2422 case htype_sender:
8768d548
JH
2423 h->type = !f.active_local_sender_retain
2424 && ( f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
2425 || f.submission_mode
c674e7a4
JH
2426 )
2427 && (!resents_exist || is_resent)
2428 ? htype_old : htype_sender;
2429 break;
059ec3d9 2430
c674e7a4 2431 /* Remember the Subject: header for logging. There is no Resent-Subject */
059ec3d9
PH
2432
2433 case htype_subject:
c674e7a4
JH
2434 subject_header = h;
2435 break;
059ec3d9 2436
c674e7a4
JH
2437 /* "To:" gets flagged, and the existence of a recipient header is noted,
2438 whether it's resent- or not. */
059ec3d9
PH
2439
2440 case htype_to:
c674e7a4
JH
2441 h->type = htype_to;
2442 /****
2443 to_or_cc_header_exists = TRUE;
2444 ****/
2445 break;
059ec3d9
PH
2446 }
2447 }
2448
2449/* Extract recipients from the headers if that is required (the -t option).
2450Note that this is documented as being done *before* any address rewriting takes
2451place. There are two possibilities:
2452
2453(1) According to sendmail documentation for Solaris, IRIX, and HP-UX, any
2454recipients already listed are to be REMOVED from the message. Smail 3 works
2455like this. We need to build a non-recipients tree for that list, because in
2456subsequent processing this data is held in a tree and that's what the
2457spool_write_header() function expects. Make sure that non-recipient addresses
2458are fully qualified and rewritten if necessary.
2459
2460(2) According to other sendmail documentation, -t ADDS extracted recipients to
2461those in the command line arguments (and it is rumoured some other MTAs do
2462this). Therefore, there is an option to make Exim behave this way.
2463
2464*** Notes on "Resent-" header lines ***
2465
2466The presence of resent-headers in the message makes -t horribly ambiguous.
2467Experiments with sendmail showed that it uses recipients for all resent-
2468headers, totally ignoring the concept of "sets of resent- headers" as described
2469in RFC 2822 section 3.6.6. Sendmail also amalgamates them into a single set
2470with all the addresses in one instance of each header.
2471
2472This seems to me not to be at all sensible. Before release 4.20, Exim 4 gave an
2473error for -t if there were resent- headers in the message. However, after a
2474discussion on the mailing list, I've learned that there are MUAs that use
2475resent- headers with -t, and also that the stuff about sets of resent- headers
2476and their ordering in RFC 2822 is generally ignored. An MUA that submits a
2477message with -t and resent- header lines makes sure that only *its* resent-
2478headers are present; previous ones are often renamed as X-resent- for example.
2479
2480Consequently, Exim has been changed so that, if any resent- header lines are
2481present, the recipients are taken from all of the appropriate resent- lines,
2482and not from the ordinary To:, Cc:, etc. */
2483
2484if (extract_recip)
2485 {
2486 int rcount = 0;
2487 error_block **bnext = &bad_addresses;
2488
2489 if (extract_addresses_remove_arguments)
2490 {
2491 while (recipients_count-- > 0)
2492 {
2493 uschar *s = rewrite_address(recipients_list[recipients_count].address,
2494 TRUE, TRUE, global_rewrite_rules, rewrite_existflags);
2495 tree_add_nonrecipient(s);
2496 }
2497 recipients_list = NULL;
2498 recipients_count = recipients_list_max = 0;
2499 }
2500
059ec3d9
PH
2501 /* Now scan the headers */
2502
d7978c0f 2503 for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH
2504 {
2505 if ((h->type == htype_to || h->type == htype_cc || h->type == htype_bcc) &&
2506 (!contains_resent_headers || strncmpic(h->text, US"resent-", 7) == 0))
2507 {
2508 uschar *s = Ustrchr(h->text, ':') + 1;
2509 while (isspace(*s)) s++;
2510
8768d548 2511 f.parse_allow_group = TRUE; /* Allow address group syntax */
1eccaa59 2512
059ec3d9
PH
2513 while (*s != 0)
2514 {
2515 uschar *ss = parse_find_address_end(s, FALSE);
d7978c0f 2516 uschar *recipient, *errmess, *pp;
059ec3d9
PH
2517 int start, end, domain;
2518
2519 /* Check on maximum */
2520
2521 if (recipients_max > 0 && ++rcount > recipients_max)
059ec3d9
PH
2522 give_local_error(ERRMESS_TOOMANYRECIP, US"too many recipients",
2523 US"message rejected: ", error_rc, stdin, NULL);
2524 /* Does not return */
059ec3d9
PH
2525
2526 /* Make a copy of the address, and remove any internal newlines. These
2527 may be present as a result of continuations of the header line. The
2528 white space that follows the newline must not be removed - it is part
2529 of the header. */
2530
f3ebb786 2531 pp = recipient = store_get(ss - s + 1, is_tainted(s));
d7978c0f 2532 for (uschar * p = s; p < ss; p++) if (*p != '\n') *pp++ = *p;
059ec3d9 2533 *pp = 0;
250b6871 2534
8c5d388a 2535#ifdef SUPPORT_I18N
250b6871
JH
2536 {
2537 BOOL b = allow_utf8_domains;
2538 allow_utf8_domains = TRUE;
2539#endif
059ec3d9
PH
2540 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2541 &domain, FALSE);
2542
8c5d388a 2543#ifdef SUPPORT_I18N
250b6871
JH
2544 if (string_is_utf8(recipient))
2545 message_smtputf8 = TRUE;
2546 else
2547 allow_utf8_domains = b;
2548 }
2549#endif
2550
059ec3d9
PH
2551 /* Keep a list of all the bad addresses so we can send a single
2552 error message at the end. However, an empty address is not an error;
2553 just ignore it. This can come from an empty group list like
2554
2555 To: Recipients of list:;
2556
2557 If there are no recipients at all, an error will occur later. */
2558
2559 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2560 {
2561 int len = Ustrlen(s);
f3ebb786 2562 error_block *b = store_get(sizeof(error_block), FALSE);
059ec3d9
PH
2563 while (len > 0 && isspace(s[len-1])) len--;
2564 b->next = NULL;
2565 b->text1 = string_printing(string_copyn(s, len));
2566 b->text2 = errmess;
2567 *bnext = b;
2568 bnext = &(b->next);
2569 }
2570
2571 /* If the recipient is already in the nonrecipients tree, it must
2572 have appeared on the command line with the option extract_addresses_
2573 remove_arguments set. Do not add it to the recipients, and keep a note
2574 that this has happened, in order to give a better error if there are
2575 no recipients left. */
2576
2577 else if (recipient != NULL)
2578 {
2579 if (tree_search(tree_nonrecipients, recipient) == NULL)
2580 receive_add_recipient(recipient, -1);
2581 else
2582 extracted_ignored = TRUE;
2583 }
2584
2585 /* Move on past this address */
2586
2587 s = ss + (*ss? 1:0);
2588 while (isspace(*s)) s++;
1eccaa59
PH
2589 } /* Next address */
2590
8768d548
JH
2591 f.parse_allow_group = FALSE; /* Reset group syntax flags */
2592 f.parse_found_group = FALSE;
059ec3d9
PH
2593
2594 /* If this was the bcc: header, mark it "old", which means it
2595 will be kept on the spool, but not transmitted as part of the
2596 message. */
2597
2cbb4081 2598 if (h->type == htype_bcc) h->type = htype_old;
059ec3d9
PH
2599 } /* For appropriate header line */
2600 } /* For each header line */
2601
059ec3d9
PH
2602 }
2603
2604/* Now build the unique message id. This has changed several times over the
2605lifetime of Exim. This description was rewritten for Exim 4.14 (February 2003).
2606Retaining all the history in the comment has become too unwieldy - read
2607previous release sources if you want it.
2608
2609The message ID has 3 parts: tttttt-pppppp-ss. Each part is a number in base 62.
2610The first part is the current time, in seconds. The second part is the current
2611pid. Both are large enough to hold 32-bit numbers in base 62. The third part
2612can hold a number in the range 0-3843. It used to be a computed sequence
2613number, but is now the fractional component of the current time in units of
26141/2000 of a second (i.e. a value in the range 0-1999). After a message has been
2615received, Exim ensures that the timer has ticked at the appropriate level
2616before proceeding, to avoid duplication if the pid happened to be re-used
2617within the same time period. It seems likely that most messages will take at
2618least half a millisecond to be received, so no delay will normally be
2619necessary. At least for some time...
2620
2621There is a modification when localhost_number is set. Formerly this was allowed
2622to be as large as 255. Now it is restricted to the range 0-16, and the final
2623component of the message id becomes (localhost_number * 200) + fractional time
2624in units of 1/200 of a second (i.e. a value in the range 0-3399).
2625
2626Some not-really-Unix operating systems use case-insensitive file names (Darwin,
2627Cygwin). For these, we have to use base 36 instead of base 62. Luckily, this
2628still allows the tttttt field to hold a large enough number to last for some
2629more decades, and the final two-digit field can hold numbers up to 1295, which
2630is enough for milliseconds (instead of 1/2000 of a second).
2631
2632However, the pppppp field cannot hold a 32-bit pid, but it can hold a 31-bit
2633pid, so it is probably safe because pids have to be positive. The
2634localhost_number is restricted to 0-10 for these hosts, and when it is set, the
2635final field becomes (localhost_number * 100) + fractional time in centiseconds.
2636
2637Note that string_base62() returns its data in a static storage block, so it
2638must be copied before calling string_base62() again. It always returns exactly
26396 characters.
2640
2641There doesn't seem to be anything in the RFC which requires a message id to
2642start with a letter, but Smail was changed to ensure this. The external form of
2643the message id (as supplied by string expansion) therefore starts with an
2644additional leading 'E'. The spool file names do not include this leading
2645letter and it is not used internally.
2646
2647NOTE: If ever the format of message ids is changed, the regular expression for
2648checking that a string is in this format must be updated in a corresponding
2649way. It appears in the initializing code in exim.c. The macro MESSAGE_ID_LENGTH
2540f2f8
JH
2650must also be changed to reflect the correct string length. The queue-sort code
2651needs to know the layout. Then, of course, other programs that rely on the
2652message id format will need updating too. */
059ec3d9
PH
2653
2654Ustrncpy(message_id, string_base62((long int)(message_id_tv.tv_sec)), 6);
2655message_id[6] = '-';
2656Ustrncpy(message_id + 7, string_base62((long int)getpid()), 6);
2657
2658/* Deal with the case where the host number is set. The value of the number was
2659checked when it was read, to ensure it isn't too big. The timing granularity is
2660left in id_resolution so that an appropriate wait can be done after receiving
2661the message, if necessary (we hope it won't be). */
2662
306c6c77 2663if (host_number_string)
059ec3d9 2664 {
099afc4f 2665 id_resolution = BASE_62 == 62 ? 5000 : 10000;
059ec3d9
PH
2666 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2667 string_base62((long int)(
2668 host_number * (1000000/id_resolution) +
2669 message_id_tv.tv_usec/id_resolution)) + 4);
2670 }
2671
2672/* Host number not set: final field is just the fractional time at an
2673appropriate resolution. */
2674
2675else
2676 {
099afc4f 2677 id_resolution = BASE_62 == 62 ? 500 : 1000;
059ec3d9
PH
2678 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2679 string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4);
2680 }
2681
2682/* Add the current message id onto the current process info string if
2683it will fit. */
2684
2685(void)string_format(process_info + process_info_len,
2686 PROCESS_INFO_SIZE - process_info_len, " id=%s", message_id);
2687
2688/* If we are using multiple input directories, set up the one for this message
2689to be the least significant base-62 digit of the time of arrival. Otherwise
2690ensure that it is an empty string. */
2691
59a93276 2692set_subdir_str(message_subdir, message_id, 0);
059ec3d9
PH
2693
2694/* Now that we have the message-id, if there is no message-id: header, generate
8800895a
PH
2695one, but only for local (without suppress_local_fixups) or submission mode
2696messages. This can be user-configured if required, but we had better flatten
2697any illegal characters therein. */
059ec3d9 2698
306c6c77 2699if ( !msgid_header
8768d548 2700 && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
059ec3d9 2701 {
059ec3d9
PH
2702 uschar *id_text = US"";
2703 uschar *id_domain = primary_hostname;
049782c0 2704 header_line * h;
059ec3d9
PH
2705
2706 /* Permit only letters, digits, dots, and hyphens in the domain */
2707
306c6c77 2708 if (message_id_domain)
059ec3d9
PH
2709 {
2710 uschar *new_id_domain = expand_string(message_id_domain);
306c6c77 2711 if (!new_id_domain)
059ec3d9 2712 {
8768d548 2713 if (!f.expand_string_forcedfail)
059ec3d9
PH
2714 log_write(0, LOG_MAIN|LOG_PANIC,
2715 "expansion of \"%s\" (message_id_header_domain) "
2716 "failed: %s", message_id_domain, expand_string_message);
2717 }
306c6c77 2718 else if (*new_id_domain)
059ec3d9
PH
2719 {
2720 id_domain = new_id_domain;
d7978c0f 2721 for (uschar * p = id_domain; *p; p++)
059ec3d9
PH
2722 if (!isalnum(*p) && *p != '.') *p = '-'; /* No need to test '-' ! */
2723 }
2724 }
2725
2726 /* Permit all characters except controls and RFC 2822 specials in the
2727 additional text part. */
2728
306c6c77 2729 if (message_id_text)
059ec3d9
PH
2730 {
2731 uschar *new_id_text = expand_string(message_id_text);
306c6c77 2732 if (!new_id_text)
059ec3d9 2733 {
8768d548 2734 if (!f.expand_string_forcedfail)
059ec3d9
PH
2735 log_write(0, LOG_MAIN|LOG_PANIC,
2736 "expansion of \"%s\" (message_id_header_text) "
2737 "failed: %s", message_id_text, expand_string_message);
2738 }
306c6c77 2739 else if (*new_id_text)
059ec3d9
PH
2740 {
2741 id_text = new_id_text;
d7978c0f 2742 for (uschar * p = id_text; *p; p++) if (mac_iscntrl_or_special(*p)) *p = '-';
059ec3d9
PH
2743 }
2744 }
2745
049782c0
JH
2746 /* Add the header line.
2747 Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are
2748 appended, to preserve classical expectations of header ordering. */
059ec3d9 2749
049782c0 2750 h = header_add_at_position_internal(!resents_exist, NULL, FALSE, htype_id,
5eb690a1 2751 "%sMessage-Id: <%s%s%s@%s>\n", resent_prefix, message_id_external,
049782c0
JH
2752 *id_text == 0 ? "" : ".", id_text, id_domain);
2753
2754 /* Arrange for newly-created Message-Id to be logged */
2755
2756 if (!resents_exist)
2757 {
2758 msgid_header_newly_created = TRUE;
2759 msgid_header = h;
2760 }
059ec3d9
PH
2761 }
2762
2763/* If we are to log recipients, keep a copy of the raw ones before any possible
2764rewriting. Must copy the count, because later ACLs and the local_scan()
2765function may mess with the real recipients. */
2766
6c6d6e48 2767if (LOGGING(received_recipients))
059ec3d9 2768 {
f3ebb786 2769 raw_recipients = store_get(recipients_count * sizeof(uschar *), FALSE);
d7978c0f 2770 for (int i = 0; i < recipients_count; i++)
059ec3d9
PH
2771 raw_recipients[i] = string_copy(recipients_list[i].address);
2772 raw_recipients_count = recipients_count;
2773 }
2774
2775/* Ensure the recipients list is fully qualified and rewritten. Unqualified
2776recipients will get here only if the conditions were right (allow_unqualified_
2777recipient is TRUE). */
2778
d7978c0f 2779for (int i = 0; i < recipients_count; i++)
059ec3d9
PH
2780 recipients_list[i].address =
2781 rewrite_address(recipients_list[i].address, TRUE, TRUE,
2782 global_rewrite_rules, rewrite_existflags);
2783
8800895a
PH
2784/* If there is no From: header, generate one for local (without
2785suppress_local_fixups) or submission_mode messages. If there is no sender
2786address, but the sender is local or this is a local delivery error, use the
2787originator login. This shouldn't happen for genuine bounces, but might happen
2788for autoreplies. The addition of From: must be done *before* checking for the
2789possible addition of a Sender: header, because untrusted_set_sender allows an
2790untrusted user to set anything in the envelope (which might then get info
2791From:) but we still want to ensure a valid Sender: if it is required. */
2792
306c6c77 2793if ( !from_header
8768d548 2794 && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
059ec3d9 2795 {
2fe1a124
PH
2796 uschar *oname = US"";
2797
2798 /* Use the originator_name if this is a locally submitted message and the
2799 caller is not trusted. For trusted callers, use it only if -F was used to
2800 force its value or if we have a non-SMTP message for which -f was not used
2801 to set the sender. */
2802
306c6c77 2803 if (!sender_host_address)
2fe1a124 2804 {
8768d548
JH
2805 if (!f.trusted_caller || f.sender_name_forced ||
2806 (!smtp_input && !f.sender_address_forced))
2fe1a124
PH
2807 oname = originator_name;
2808 }
2809
2810 /* For non-locally submitted messages, the only time we use the originator
2811 name is when it was forced by the /name= option on control=submission. */
2812
306c6c77 2813 else if (submission_name) oname = submission_name;
2fe1a124 2814
059ec3d9
PH
2815 /* Envelope sender is empty */
2816
306c6c77 2817 if (!*sender_address)
059ec3d9 2818 {
87ba3f5f
PH
2819 uschar *fromstart, *fromend;
2820
306c6c77
JH
2821 fromstart = string_sprintf("%sFrom: %s%s",
2822 resent_prefix, oname, *oname ? " <" : "");
2823 fromend = *oname ? US">" : US"";
87ba3f5f 2824
8768d548 2825 if (f.sender_local || f.local_error_message)
87ba3f5f
PH
2826 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2827 local_part_quote(originator_login), qualify_domain_sender,
2828 fromend);
306c6c77 2829
8768d548 2830 else if (f.submission_mode && authenticated_id)
059ec3d9 2831 {
306c6c77 2832 if (!submission_domain)
87ba3f5f
PH
2833 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2834 local_part_quote(authenticated_id), qualify_domain_sender,
2835 fromend);
306c6c77
JH
2836
2837 else if (!*submission_domain) /* empty => whole address set */
87ba3f5f
PH
2838 header_add(htype_from, "%s%s%s\n", fromstart, authenticated_id,
2839 fromend);
306c6c77 2840
059ec3d9 2841 else
87ba3f5f 2842 header_add(htype_from, "%s%s@%s%s\n", fromstart,
306c6c77
JH
2843 local_part_quote(authenticated_id), submission_domain, fromend);
2844
059ec3d9
PH
2845 from_header = header_last; /* To get it checked for Sender: */
2846 }
2847 }
2848
2849 /* There is a non-null envelope sender. Build the header using the original
2850 sender address, before any rewriting that might have been done while
2851 verifying it. */
2852
2853 else
2854 {
87ba3f5f 2855 header_add(htype_from, "%sFrom: %s%s%s%s\n", resent_prefix,
2fe1a124 2856 oname,
306c6c77
JH
2857 *oname ? " <" : "",
2858 sender_address_unrewritten ? sender_address_unrewritten : sender_address,
2859 *oname ? ">" : "");
059ec3d9
PH
2860
2861 from_header = header_last; /* To get it checked for Sender: */
2862 }
2863 }
2864
2865
8800895a
PH
2866/* If the sender is local (without suppress_local_fixups), or if we are in
2867submission mode and there is an authenticated_id, check that an existing From:
2868is correct, and if not, generate a Sender: header, unless disabled. Any
2869previously-existing Sender: header was removed above. Note that sender_local,
2870as well as being TRUE if the caller of exim is not trusted, is also true if a
2871trusted caller did not supply a -f argument for non-smtp input. To allow
2872trusted callers to forge From: without supplying -f, we have to test explicitly
2873here. If the From: header contains more than one address, then the call to
2874parse_extract_address fails, and a Sender: header is inserted, as required. */
059ec3d9 2875
306c6c77 2876if ( from_header
8768d548
JH
2877 && ( f.active_local_from_check
2878 && ( f.sender_local && !f.trusted_caller && !f.suppress_local_fixups
2879 || f.submission_mode && authenticated_id
306c6c77 2880 ) ) )
059ec3d9
PH
2881 {
2882 BOOL make_sender = TRUE;
2883 int start, end, domain;
2884 uschar *errmess;
2885 uschar *from_address =
2886 parse_extract_address(Ustrchr(from_header->text, ':') + 1, &errmess,
2887 &start, &end, &domain, FALSE);
2888 uschar *generated_sender_address;
2889
8768d548 2890 generated_sender_address = f.submission_mode
306c6c77
JH
2891 ? !submission_domain
2892 ? string_sprintf("%s@%s",
2893 local_part_quote(authenticated_id), qualify_domain_sender)
2894 : !*submission_domain /* empty => full address */
2895 ? string_sprintf("%s", authenticated_id)
2896 : string_sprintf("%s@%s",
2897 local_part_quote(authenticated_id), submission_domain)
2898 : string_sprintf("%s@%s",
2899 local_part_quote(originator_login), qualify_domain_sender);
059ec3d9
PH
2900
2901 /* Remove permitted prefixes and suffixes from the local part of the From:
2902 address before doing the comparison with the generated sender. */
2903
306c6c77 2904 if (from_address)
059ec3d9
PH
2905 {
2906 int slen;
306c6c77 2907 uschar *at = domain ? from_address + domain - 1 : NULL;
059ec3d9 2908
306c6c77 2909 if (at) *at = 0;
059ec3d9
PH
2910 from_address += route_check_prefix(from_address, local_from_prefix);
2911 slen = route_check_suffix(from_address, local_from_suffix);
2912 if (slen > 0)
2913 {
2914 memmove(from_address+slen, from_address, Ustrlen(from_address)-slen);
2915 from_address += slen;
2916 }
306c6c77 2917 if (at) *at = '@';
059ec3d9 2918
306c6c77
JH
2919 if ( strcmpic(generated_sender_address, from_address) == 0
2920 || (!domain && strcmpic(from_address, originator_login) == 0))
059ec3d9
PH
2921 make_sender = FALSE;
2922 }
2923
2924 /* We have to cause the Sender header to be rewritten if there are
2925 appropriate rewriting rules. */
2926
2927 if (make_sender)
8768d548 2928 if (f.submission_mode && !submission_name)
059ec3d9
PH
2929 header_add(htype_sender, "%sSender: %s\n", resent_prefix,
2930 generated_sender_address);
2931 else
2932 header_add(htype_sender, "%sSender: %s <%s>\n",
2fe1a124 2933 resent_prefix,
8768d548 2934 f.submission_mode ? submission_name : originator_name,
2fe1a124 2935 generated_sender_address);
87ba3f5f
PH
2936
2937 /* Ensure that a non-null envelope sender address corresponds to the
2938 submission mode sender address. */
2939
8768d548 2940 if (f.submission_mode && *sender_address)
87ba3f5f 2941 {
306c6c77 2942 if (!sender_address_unrewritten)
87ba3f5f
PH
2943 sender_address_unrewritten = sender_address;
2944 sender_address = generated_sender_address;
089793a4
TF
2945 if (Ustrcmp(sender_address_unrewritten, generated_sender_address) != 0)
2946 log_write(L_address_rewrite, LOG_MAIN,
2947 "\"%s\" from env-from rewritten as \"%s\" by submission mode",
2948 sender_address_unrewritten, generated_sender_address);
87ba3f5f 2949 }
059ec3d9
PH
2950 }
2951
059ec3d9
PH
2952/* If there are any rewriting rules, apply them to the sender address, unless
2953it has already been rewritten as part of verification for SMTP input. */
2954
306c6c77 2955if (global_rewrite_rules && !sender_address_unrewritten && *sender_address)
059ec3d9
PH
2956 {
2957 sender_address = rewrite_address(sender_address, FALSE, TRUE,
2958 global_rewrite_rules, rewrite_existflags);
2959 DEBUG(D_receive|D_rewrite)
2960 debug_printf("rewritten sender = %s\n", sender_address);
2961 }
2962
2963
2964/* The headers must be run through rewrite_header(), because it ensures that
2965addresses are fully qualified, as well as applying any rewriting rules that may
2966exist.
2967
2968Qualification of header addresses in a message from a remote host happens only
2969if the host is in sender_unqualified_hosts or recipient_unqualified hosts, as
2970appropriate. For local messages, qualification always happens, unless -bnq is
2971used to explicitly suppress it. No rewriting is done for an unqualified address
2972that is left untouched.
2973
2974We start at the second header, skipping our own Received:. This rewriting is
2975documented as happening *after* recipient addresses are taken from the headers
2976by the -t command line option. An added Sender: gets rewritten here. */
2977
d7978c0f 2978for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH
2979 {
2980 header_line *newh = rewrite_header(h, NULL, NULL, global_rewrite_rules,
2981 rewrite_existflags, TRUE);
1ebe15c3 2982 if (newh) h = newh;
059ec3d9
PH
2983 }
2984
2985
2986/* An RFC 822 (sic) message is not legal unless it has at least one of "to",
2cbb4081 2987"cc", or "bcc". Note that although the minimal examples in RFC 822 show just
059ec3d9
PH
2988"to" or "bcc", the full syntax spec allows "cc" as well. If any resent- header
2989exists, this applies to the set of resent- headers rather than the normal set.
2990
2cbb4081
PH
2991The requirement for a recipient header has been removed in RFC 2822. At this
2992point in the code, earlier versions of Exim added a To: header for locally
2993submitted messages, and an empty Bcc: header for others. In the light of the
2994changes in RFC 2822, this was dropped in November 2003. */
059ec3d9 2995
059ec3d9
PH
2996
2997/* If there is no date header, generate one if the message originates locally
8800895a
PH
2998(i.e. not over TCP/IP) and suppress_local_fixups is not set, or if the
2999submission mode flag is set. Messages without Date: are not valid, but it seems
e7e680d6
PP
3000to be more confusing if Exim adds one to all remotely-originated messages.
3001As per Message-Id, we prepend if resending, else append.
3002*/
059ec3d9 3003
306c6c77 3004if ( !date_header_exists
8768d548 3005 && ((!sender_host_address && !f.suppress_local_fixups) || f.submission_mode))
e7e680d6
PP
3006 header_add_at_position(!resents_exist, NULL, FALSE, htype_other,
3007 "%sDate: %s\n", resent_prefix, tod_stamp(tod_full));
059ec3d9
PH
3008
3009search_tidyup(); /* Free any cached resources */
3010
3011/* Show the complete set of headers if debugging. Note that the first one (the
3012new Received:) has not yet been set. */
3013
3014DEBUG(D_receive)
3015 {
3016 debug_printf(">>Headers after rewriting and local additions:\n");
d7978c0f 3017 for (header_line * h = header_list->next; h; h = h->next)
059ec3d9
PH
3018 debug_printf("%c %s", h->type, h->text);
3019 debug_printf("\n");
3020 }
3021
3022/* The headers are now complete in store. If we are running in filter
3023testing mode, that is all this function does. Return TRUE if the message
3024ended with a dot. */
3025
f05da2e8 3026if (filter_test != FTEST_NONE)
059ec3d9
PH
3027 {
3028 process_info[process_info_len] = 0;
3029 return message_ended == END_DOT;
3030 }
3031
7e3ce68e
JH
3032/*XXX CHUNKING: need to cancel cutthrough under BDAT, for now. In future,
3033think more if it could be handled. Cannot do onward CHUNKING unless
3034inbound is, but inbound chunking ought to be ok with outbound plain.
3035Could we do onward CHUNKING given inbound CHUNKING?
3036*/
3037if (chunking_state > CHUNKING_OFFERED)
57cc2785 3038 cancel_cutthrough_connection(FALSE, US"chunking active");
7e3ce68e 3039
817d9f57 3040/* Cutthrough delivery:
5032d1cf
JH
3041We have to create the Received header now rather than at the end of reception,
3042so the timestamp behaviour is a change to the normal case.
5032d1cf 3043Having created it, send the headers to the destination. */
57cc2785 3044
74f1a423 3045if (cutthrough.cctx.sock >= 0 && cutthrough.delivery)
e4bdf652 3046 {
817d9f57
JH
3047 if (received_count > received_headers_max)
3048 {
57cc2785 3049 cancel_cutthrough_connection(TRUE, US"too many headers");
817d9f57
JH
3050 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
3051 log_write(0, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
3052 "Too many \"Received\" headers",
3053 sender_address,
57cc2785
JH
3054 sender_fullhost ? "H=" : "", sender_fullhost ? sender_fullhost : US"",
3055 sender_ident ? "U=" : "", sender_ident ? sender_ident : US"");
817d9f57
JH
3056 message_id[0] = 0; /* Indicate no message accepted */
3057 smtp_reply = US"550 Too many \"Received\" headers - suspected mail loop";
3058 goto TIDYUP; /* Skip to end of function */
3059 }
e4bdf652 3060 received_header_gen();
578d43dc 3061 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652
JH
3062 (void) cutthrough_headers_send();
3063 }
61147df4 3064
e4bdf652 3065
059ec3d9
PH
3066/* Open a new spool file for the data portion of the message. We need
3067to access it both via a file descriptor and a stream. Try to make the
41313d92 3068directory if it isn't there. */
059ec3d9 3069
41313d92 3070spool_name = spool_fname(US"input", message_subdir, message_id, US"-D");
a2da3176
JH
3071DEBUG(D_receive) debug_printf("Data file name: %s\n", spool_name);
3072
3073if ((data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
059ec3d9
PH
3074 {
3075 if (errno == ENOENT)
3076 {
0971ec06 3077 (void) directory_make(spool_directory,
41313d92
JH
3078 spool_sname(US"input", message_subdir),
3079 INPUT_DIRECTORY_MODE, TRUE);
059ec3d9
PH
3080 data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
3081 }
3082 if (data_fd < 0)
3083 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to create spool file %s: %s",
3084 spool_name, strerror(errno));
3085 }
3086
3087/* Make sure the file's group is the Exim gid, and double-check the mode
3088because the group setting doesn't always get set automatically. */
3089
b66fecb4 3090if (0 != exim_fchown(data_fd, exim_uid, exim_gid, spool_name))
1ac6b2e7
JH
3091 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3092 "Failed setting ownership on spool file %s: %s",
3093 spool_name, strerror(errno));
ff790e47 3094(void)fchmod(data_fd, SPOOL_MODE);
059ec3d9
PH
3095
3096/* We now have data file open. Build a stream for it and lock it. We lock only
3097the first line of the file (containing the message ID) because otherwise there
3098are problems when Exim is run under Cygwin (I'm told). See comments in
3099spool_in.c, where the same locking is done. */
3100
1bd642c2 3101spool_data_file = fdopen(data_fd, "w+");
059ec3d9
PH
3102lock_data.l_type = F_WRLCK;
3103lock_data.l_whence = SEEK_SET;
3104lock_data.l_start = 0;
3105lock_data.l_len = SPOOL_DATA_START_OFFSET;
3106
3107if (fcntl(data_fd, F_SETLK, &lock_data) < 0)
3108 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Cannot lock %s (%d): %s", spool_name,
3109 errno, strerror(errno));
3110
3111/* We have an open, locked data file. Write the message id to it to make it
3112self-identifying. Then read the remainder of the input of this message and
3113write it to the data file. If the variable next != NULL, it contains the first
3114data line (which was read as a header but then turned out not to have the right
3115format); write it (remembering that it might contain binary zeros). The result
3116of fwrite() isn't inspected; instead we call ferror() below. */
3117
1bd642c2 3118fprintf(spool_data_file, "%s-D\n", message_id);
306c6c77 3119if (next)
059ec3d9
PH
3120 {
3121 uschar *s = next->text;
3122 int len = next->slen;
1bd642c2 3123 if (fwrite(s, 1, len, spool_data_file) == len) /* "if" for compiler quietening */
cfbb0d24 3124 body_linecount++; /* Assumes only 1 line */
059ec3d9
PH
3125 }
3126
3127/* Note that we might already be at end of file, or the logical end of file
3128(indicated by '.'), or might have encountered an error while writing the
3129message id or "next" line. */
3130
1bd642c2 3131if (!ferror(spool_data_file) && !(receive_feof)() && message_ended != END_DOT)
059ec3d9
PH
3132 {
3133 if (smtp_input)
3134 {
328c5688 3135 message_ended = chunking_state <= CHUNKING_OFFERED
1bd642c2 3136 ? read_message_data_smtp(spool_data_file)
328c5688 3137 : spool_wireformat
1bd642c2
JH
3138 ? read_message_bdat_smtp_wire(spool_data_file)
3139 : read_message_bdat_smtp(spool_data_file);
059ec3d9
PH
3140 receive_linecount++; /* The terminating "." line */
3141 }
cfbb0d24 3142 else
1bd642c2 3143 message_ended = read_message_data(spool_data_file);
059ec3d9
PH
3144
3145 receive_linecount += body_linecount; /* For BSMTP errors mainly */
2e0c1448 3146 message_linecount += body_linecount;
059ec3d9 3147
7e3ce68e 3148 switch (message_ended)
059ec3d9 3149 {
7e3ce68e 3150 /* Handle premature termination of SMTP */
059ec3d9 3151
7e3ce68e
JH
3152 case END_EOF:
3153 if (smtp_input)
3154 {
3155 Uunlink(spool_name); /* Lose data file when closed */
57cc2785 3156 cancel_cutthrough_connection(TRUE, US"sender closed connection");
7e3ce68e
JH
3157 message_id[0] = 0; /* Indicate no message accepted */
3158 smtp_reply = handle_lost_connection(US"");
3159 smtp_yield = FALSE;
3160 goto TIDYUP; /* Skip to end of function */
3161 }
3162 break;
059ec3d9 3163
7e3ce68e
JH
3164 /* Handle message that is too big. Don't use host_or_ident() in the log
3165 message; we want to see the ident value even for non-remote messages. */
059ec3d9 3166
7e3ce68e
JH
3167 case END_SIZE:
3168 Uunlink(spool_name); /* Lose the data file when closed */
57cc2785 3169 cancel_cutthrough_connection(TRUE, US"mail too big");
7e3ce68e 3170 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
059ec3d9 3171
7e3ce68e
JH
3172 log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
3173 "message too big: read=%d max=%d",
3174 sender_address,
306c6c77
JH
3175 sender_fullhost ? " H=" : "",
3176 sender_fullhost ? sender_fullhost : US"",
3177 sender_ident ? " U=" : "",
3178 sender_ident ? sender_ident : US"",
7e3ce68e
JH
3179 message_size,
3180 thismessage_size_limit);
3181
3182 if (smtp_input)
3183 {
3184 smtp_reply = US"552 Message size exceeds maximum permitted";
3185 message_id[0] = 0; /* Indicate no message accepted */
3186 goto TIDYUP; /* Skip to end of function */
3187 }
3188 else
3189 {
1bd642c2 3190 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
7e3ce68e
JH
3191 give_local_error(ERRMESS_TOOBIG,
3192 string_sprintf("message too big (max=%d)", thismessage_size_limit),
1bd642c2 3193 US"message rejected: ", error_rc, spool_data_file, header_list);
7e3ce68e
JH
3194 /* Does not return */
3195 }
3196 break;
3197
3198 /* Handle bad BDAT protocol sequence */
3199
3200 case END_PROTOCOL:
3201 Uunlink(spool_name); /* Lose the data file when closed */
57cc2785 3202 cancel_cutthrough_connection(TRUE, US"sender protocol error");
7e3ce68e
JH
3203 smtp_reply = US""; /* Response already sent */
3204 message_id[0] = 0; /* Indicate no message accepted */
3205 goto TIDYUP; /* Skip to end of function */
059ec3d9
PH
3206 }
3207 }
3208
3209/* Restore the standard SIGALRM handler for any subsequent processing. (For
3210example, there may be some expansion in an ACL that uses a timer.) */
3211
3212os_non_restarting_signal(SIGALRM, sigalrm_handler);
3213
3214/* The message body has now been read into the data file. Call fflush() to
3215empty the buffers in C, and then call fsync() to get the data written out onto
3216the disk, as fflush() doesn't do this (or at least, it isn't documented as
3217having to do this). If there was an I/O error on either input or output,
3218attempt to send an error message, and unlink the spool file. For non-SMTP input
3219we can then give up. Note that for SMTP input we must swallow the remainder of
3220the input in cases of output errors, since the far end doesn't expect to see
3221anything until the terminating dot line is sent. */
3222
1bd642c2
JH
3223if (fflush(spool_data_file) == EOF || ferror(spool_data_file) ||
3224 EXIMfsync(fileno(spool_data_file)) < 0 || (receive_ferror)())
059ec3d9
PH
3225 {
3226 uschar *msg_errno = US strerror(errno);
3227 BOOL input_error = (receive_ferror)() != 0;
3228 uschar *msg = string_sprintf("%s error (%s) while receiving message from %s",
3229 input_error? "Input read" : "Spool write",
3230 msg_errno,
306c6c77 3231 sender_fullhost ? sender_fullhost : sender_ident);
059ec3d9
PH
3232
3233 log_write(0, LOG_MAIN, "Message abandoned: %s", msg);
3234 Uunlink(spool_name); /* Lose the data file */
57cc2785 3235 cancel_cutthrough_connection(TRUE, US"error writing spoolfile");
059ec3d9
PH
3236
3237 if (smtp_input)
3238 {
3239 if (input_error)
3240 smtp_reply = US"451 Error while reading input data";
3241 else
3242 {
3243 smtp_reply = US"451 Error while writing spool file";
3244 receive_swallow_smtp();
3245 }
3246 message_id[0] = 0; /* Indicate no message accepted */
3247 goto TIDYUP; /* Skip to end of function */
3248 }
3249
3250 else
3251 {
1bd642c2
JH
3252 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3253 give_local_error(ERRMESS_IOERR, msg, US"", error_rc, spool_data_file,
059ec3d9
PH
3254 header_list);
3255 /* Does not return */
3256 }
3257 }
3258
3259
3260/* No I/O errors were encountered while writing the data file. */
3261
3262DEBUG(D_receive) debug_printf("Data file written for message %s\n", message_id);
306c6c77 3263if (LOGGING(receive_time)) timesince(&received_time_taken, &received_time);
059ec3d9
PH
3264
3265
3266/* If there were any bad addresses extracted by -t, or there were no recipients
3267left after -t, send a message to the sender of this message, or write it to
3268stderr if the error handling option is set that way. Note that there may
3269legitimately be no recipients for an SMTP message if they have all been removed
3270by "discard".
3271
3272We need to rewind the data file in order to read it. In the case of no
3273recipients or stderr error writing, throw the data file away afterwards, and
3274exit. (This can't be SMTP, which always ensures there's at least one
3275syntactically good recipient address.) */
3276
306c6c77 3277if (extract_recip && (bad_addresses || recipients_count == 0))
059ec3d9
PH
3278 {
3279 DEBUG(D_receive)
3280 {
3281 if (recipients_count == 0) debug_printf("*** No recipients\n");
306c6c77 3282 if (bad_addresses)
059ec3d9 3283 {
059ec3d9 3284 debug_printf("*** Bad address(es)\n");
d7978c0f 3285 for (error_block * eblock = bad_addresses; eblock; eblock = eblock->next)
059ec3d9 3286 debug_printf(" %s: %s\n", eblock->text1, eblock->text2);
059ec3d9
PH
3287 }
3288 }
3289
569a8b23
JH
3290 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s found in headers",
3291 message_id, bad_addresses ? "bad addresses" : "no recipients");
3292
1bd642c2 3293 fseek(spool_data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
059ec3d9
PH
3294
3295 /* If configured to send errors to the sender, but this fails, force
3296 a failure error code. We use a special one for no recipients so that it
3297 can be detected by the autoreply transport. Otherwise error_rc is set to
3298 errors_sender_rc, which is EXIT_FAILURE unless -oee was given, in which case
3299 it is EXIT_SUCCESS. */
3300
3301 if (error_handling == ERRORS_SENDER)
3302 {
3303 if (!moan_to_sender(
569a8b23
JH
3304 bad_addresses
3305 ? recipients_list ? ERRMESS_BADADDRESS : ERRMESS_BADNOADDRESS
3306 : extracted_ignored ? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS,
3307 bad_addresses, header_list, spool_data_file, FALSE
3308 ) )
3309 error_rc = bad_addresses ? EXIT_FAILURE : EXIT_NORECIPIENTS;
059ec3d9
PH
3310 }
3311 else
3312 {
306c6c77 3313 if (!bad_addresses)
059ec3d9
PH
3314 if (extracted_ignored)
3315 fprintf(stderr, "exim: all -t recipients overridden by command line\n");
3316 else
3317 fprintf(stderr, "exim: no recipients in message\n");
059ec3d9
PH
3318 else
3319 {
3320 fprintf(stderr, "exim: invalid address%s",
cfbb0d24
JH
3321 bad_addresses->next ? "es:\n" : ":");
3322 for ( ; bad_addresses; bad_addresses = bad_addresses->next)
059ec3d9
PH
3323 fprintf(stderr, " %s: %s\n", bad_addresses->text1,
3324 bad_addresses->text2);
059ec3d9
PH
3325 }
3326 }
3327
3328 if (recipients_count == 0 || error_handling == ERRORS_STDERR)
3329 {
3330 Uunlink(spool_name);
1bd642c2 3331 (void)fclose(spool_data_file);
9bfb7e1b 3332 exim_exit(error_rc, US"receiving");
059ec3d9
PH
3333 }
3334 }
3335
3336/* Data file successfully written. Generate text for the Received: header by
3337expanding the configured string, and adding a timestamp. By leaving this
3338operation till now, we ensure that the timestamp is the time that message
3339reception was completed. However, this is deliberately done before calling the
3340data ACL and local_scan().
3341
3342This Received: header may therefore be inspected by the data ACL and by code in
3343the local_scan() function. When they have run, we update the timestamp to be
3344the final time of reception.
3345
3346If there is just one recipient, set up its value in the $received_for variable
3347for use when we generate the Received: header.
3348
3349Note: the checking for too many Received: headers is handled by the delivery
3350code. */
e4bdf652 3351/*XXX eventually add excess Received: check for cutthrough case back when classifying them */
059ec3d9 3352
306c6c77 3353if (!received_header->text) /* Non-cutthrough case */
059ec3d9 3354 {
e4bdf652 3355 received_header_gen();
059ec3d9 3356
e4bdf652 3357 /* Set the value of message_body_size for the DATA ACL and for local_scan() */
059ec3d9 3358
e4bdf652
JH
3359 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3360 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9 3361
e4bdf652
JH
3362 /* If an ACL from any RCPT commands set up any warning headers to add, do so
3363 now, before running the DATA ACL. */
059ec3d9 3364
578d43dc 3365 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652 3366 }
817d9f57 3367else
e4bdf652
JH
3368 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3369 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9
PH
3370
3371/* If an ACL is specified for checking things at this stage of reception of a
3372message, run it, unless all the recipients were removed by "discard" in earlier
3373ACLs. That is the only case in which recipients_count can be zero at this
3374stage. Set deliver_datafile to point to the data file so that $message_body and
3375$message_body_end can be extracted if needed. Allow $recipients in expansions.
3376*/
3377
3378deliver_datafile = data_fd;
4e88a19f 3379user_msg = NULL;
059ec3d9 3380
8768d548 3381f.enable_dollar_recipients = TRUE;
0e20aff9 3382
059ec3d9 3383if (recipients_count == 0)
8768d548 3384 blackholed_by = f.recipients_discarded ? US"MAIL ACL" : US"RCPT ACL";
7e3ce68e 3385
059ec3d9
PH
3386else
3387 {
059ec3d9
PH
3388 /* Handle interactive SMTP messages */
3389
3390 if (smtp_input && !smtp_batched_input)
3391 {
8523533c 3392
80a47a2c 3393#ifndef DISABLE_DKIM
8768d548 3394 if (!f.dkim_disable_verify)
80a47a2c 3395 {
cc55f420 3396 /* Finish verification */
80a47a2c
TK
3397 dkim_exim_verify_finish();
3398
3399 /* Check if we must run the DKIM ACL */
7e3ce68e 3400 if (acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers)
80a47a2c 3401 {
cc55f420 3402 uschar * dkim_verify_signers_expanded =
80a47a2c 3403 expand_string(dkim_verify_signers);
cc55f420
JH
3404 gstring * results = NULL;
3405 int signer_sep = 0;
3406 const uschar * ptr;
3407 uschar * item;
3408 gstring * seen_items = NULL;
3409 int old_pool = store_pool;
3410
3411 store_pool = POOL_PERM; /* Allow created variables to live to data ACL */
3412
3413 if (!(ptr = dkim_verify_signers_expanded))
80a47a2c
TK
3414 log_write(0, LOG_MAIN|LOG_PANIC,
3415 "expansion of dkim_verify_signers option failed: %s",
3416 expand_string_message);
7e3ce68e 3417
cc55f420
JH
3418 /* Default to OK when no items are present */
3419 rc = OK;
3420 while ((item = string_nextinlist(&ptr, &signer_sep, NULL, 0)))
3421 {
3422 /* Prevent running ACL for an empty item */
3423 if (!item || !*item) continue;
3424
3425 /* Only run ACL once for each domain or identity,
3426 no matter how often it appears in the expanded list. */
3427 if (seen_items)
3428 {
3429 uschar * seen_item;
3430 const uschar * seen_items_list = string_from_gstring(seen_items);
3431 int seen_sep = ':';
3432 BOOL seen_this_item = FALSE;
3433
3434 while ((seen_item = string_nextinlist(&seen_items_list, &seen_sep,
3435 NULL, 0)))
3436 if (Ustrcmp(seen_item,item) == 0)
3437 {
3438 seen_this_item = TRUE;
3439 break;
3440 }
3441
3442 if (seen_this_item)
5032d1cf
JH
3443 {
3444 DEBUG(D_receive)
cc55f420
JH
3445 debug_printf("acl_smtp_dkim: skipping signer %s, "
3446 "already seen\n", item);
3447 continue;
5032d1cf 3448 }
cc55f420 3449
b2bcdd35 3450 seen_items = string_catn(seen_items, US":", 1);
cc55f420 3451 }
cc55f420
JH
3452 seen_items = string_cat(seen_items, item);
3453
18067c75 3454 rc = dkim_exim_acl_run(item, &results, &user_msg, &log_msg);
cc55f420
JH
3455 if (rc != OK)
3456 {
3457 DEBUG(D_receive)
3458 debug_printf("acl_smtp_dkim: acl_check returned %d on %s, "
3459 "skipping remaining items\n", rc, item);
3460 cancel_cutthrough_connection(TRUE, US"dkim acl not ok");
3461 break;
3462 }
3463 }
3464 dkim_verify_status = string_from_gstring(results);
3465 store_pool = old_pool;
3466 add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
3467 if (rc == DISCARD)
3468 {
3469 recipients_count = 0;
3470 blackholed_by = US"DKIM ACL";
3471 if (log_msg)
3472 blackhole_log_msg = string_sprintf(": %s", log_msg);
3473 }
3474 else if (rc != OK)
3475 {
3476 Uunlink(spool_name);
3477 if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
3478 smtp_yield = FALSE; /* No more messages after dropped connection */
3479 smtp_reply = US""; /* Indicate reply already sent */
3480 message_id[0] = 0; /* Indicate no message accepted */
3481 goto TIDYUP; /* Skip to end of function */
3482 }
80a47a2c 3483 }
a79d8834
JH
3484 else
3485 dkim_exim_verify_log_all();
80a47a2c 3486 }
4a8ce2d8 3487#endif /* DISABLE_DKIM */
fb2274d4 3488
8523533c 3489#ifdef WITH_CONTENT_SCAN
5b6f7658
JH
3490 if ( recipients_count > 0
3491 && acl_smtp_mime
3492 && !run_mime_acl(acl_smtp_mime, &smtp_yield, &smtp_reply, &blackholed_by)
3493 )
54cdb463 3494 goto TIDYUP;
8523533c
TK
3495#endif /* WITH_CONTENT_SCAN */
3496