Use enum { SEEN_LF, …} for ch_state(s)
[exim.git] / src / src / receive.c
CommitLineData
059ec3d9
PH
1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
d4e5e70b 5/* Copyright (c) University of Cambridge 1995 - 2017 */
059ec3d9
PH
6/* See the file NOTICE for conditions of use and distribution. */
7
8/* Code for receiving a message and setting up spool files. */
9
059ec3d9
PH
#include "exim.h"
#include <limits.h>
11
6a8f9482
TK
12#ifdef EXPERIMENTAL_DCC
13extern int dcc_ok;
14#endif
15
4840604e 16#ifdef EXPERIMENTAL_DMARC
c007c974 17# include "dmarc.h"
4840604e
TL
18#endif /* EXPERIMENTAL_DMARC */
19
059ec3d9
PH
20/*************************************************
21* Local static variables *
22*************************************************/
23
24static FILE *data_file = NULL;
25static int data_fd = -1;
41313d92 26static uschar *spool_name = US"";
059ec3d9 27
cff70eb1 28enum CH_STATE {LF_SEEN, MID_LINE, CR_SEEN};
059ec3d9
PH
29
30
31/*************************************************
32* Non-SMTP character reading functions *
33*************************************************/
34
35/* These are the default functions that are set up in the variables such as
36receive_getc initially. They just call the standard functions, passing stdin as
37the file. (When SMTP input is occurring, different functions are used by
38changing the pointer variables.) */
39
int
stdin_getc(unsigned lim)
{
int next_char;

(void)lim;                    /* not used when reading from stdin */
next_char = fgetc(stdin);     /* EOF is passed straight back to the caller */
return next_char;
}
45
int
stdin_ungetc(int c)
{
/* Push c back onto stdin; the result is whatever ungetc() reports. */
int pushed = ungetc(c, stdin);
return pushed;
}
51
int
stdin_feof(void)
{
/* Non-zero once the end-of-file indicator is set on stdin. */
int at_eof = feof(stdin);
return at_eof;
}
57
int
stdin_ferror(void)
{
/* Non-zero once the error indicator is set on stdin. */
int had_error = ferror(stdin);
return had_error;
}
63
64
65
66
67/*************************************************
68* Check that a set sender is allowed *
69*************************************************/
70
71/* This function is called when a local caller sets an explicit sender address.
72It checks whether this is permitted, which it is for trusted callers.
73Otherwise, it must match the pattern(s) in untrusted_set_sender.
74
75Arguments: the proposed sender address
76Returns: TRUE for a trusted caller
77 TRUE if the address has been set, untrusted_set_sender has been
78 set, and the address matches something in the list
79 FALSE otherwise
80*/
81
82BOOL
83receive_check_set_sender(uschar *newsender)
84{
85uschar *qnewsender;
86if (trusted_caller) return TRUE;
87if (newsender == NULL || untrusted_set_sender == NULL) return FALSE;
88qnewsender = (Ustrchr(newsender, '@') != NULL)?
89 newsender : string_sprintf("%s@%s", newsender, qualify_domain_sender);
90return
55414b25 91 match_address_list(qnewsender, TRUE, TRUE, CUSS &untrusted_set_sender, NULL, -1,
059ec3d9
PH
92 0, NULL) == OK;
93}
94
95
96
97
98/*************************************************
5cb8cbc6 99* Read space info for a partition *
059ec3d9
PH
100*************************************************/
101
8e669ac1
PH
102/* This function is called by receive_check_fs() below, and also by string
103expansion for variables such as $spool_space. The field names for the statvfs
5cb8cbc6
PH
104structure are macros, because not all OS have F_FAVAIL and it seems tidier to
105have macros for F_BAVAIL and F_FILES as well. Some kinds of file system do not
106have inodes, and they return -1 for the number available.
059ec3d9 107
5cb8cbc6
PH
108Later: It turns out that some file systems that do not have the concept of
109inodes return 0 rather than -1. Such systems should also return 0 for the total
8e669ac1 110number of inodes, so we require that to be greater than zero before returning
5cb8cbc6 111an inode count.
059ec3d9 112
5cb8cbc6
PH
113Arguments:
114 isspool TRUE for spool partition, FALSE for log partition
115 inodeptr address of int to receive inode count; -1 if there isn't one
8e669ac1 116
5cb8cbc6 117Returns: available non-root space, in kilobytes
8e669ac1
PH
118 -1 for log partition if there isn't one
119
120All values are -1 if the STATFS functions are not available.
059ec3d9
PH
121*/
122
8e669ac1 123int
5cb8cbc6 124receive_statvfs(BOOL isspool, int *inodeptr)
059ec3d9
PH
125{
126#ifdef HAVE_STATFS
059ec3d9 127struct STATVFS statbuf;
ddf1b11a 128struct stat dummy;
5cb8cbc6
PH
129uschar *path;
130uschar *name;
131uschar buffer[1024];
059ec3d9 132
5cb8cbc6 133/* The spool directory must always exist. */
059ec3d9 134
5cb8cbc6 135if (isspool)
059ec3d9 136 {
8e669ac1
PH
137 path = spool_directory;
138 name = US"spool";
139 }
140
059ec3d9
PH
141/* Need to cut down the log file path to the directory, and to ignore any
142appearance of "syslog" in it. */
143
5cb8cbc6 144else
059ec3d9 145 {
059ec3d9 146 int sep = ':'; /* Not variable - outside scripts use */
55414b25 147 const uschar *p = log_file_path;
8e669ac1 148 name = US"log";
059ec3d9
PH
149
150 /* An empty log_file_path means "use the default". This is the same as an
151 empty item in a list. */
152
153 if (*p == 0) p = US":";
55414b25
JH
154 while ((path = string_nextinlist(&p, &sep, buffer, sizeof(buffer))))
155 if (Ustrcmp(path, "syslog") != 0)
156 break;
059ec3d9 157
5cb8cbc6
PH
158 if (path == NULL) /* No log files */
159 {
8e669ac1
PH
160 *inodeptr = -1;
161 return -1;
162 }
059ec3d9 163
8e669ac1
PH
164 /* An empty string means use the default, which is in the spool directory.
165 But don't just use the spool directory, as it is possible that the log
5cb8cbc6 166 subdirectory has been symbolically linked elsewhere. */
059ec3d9 167
8e669ac1 168 if (path[0] == 0)
059ec3d9 169 {
5cb8cbc6
PH
170 sprintf(CS buffer, CS"%s/log", CS spool_directory);
171 path = buffer;
8e669ac1
PH
172 }
173 else
059ec3d9 174 {
8e669ac1 175 uschar *cp;
5cb8cbc6 176 if ((cp = Ustrrchr(path, '/')) != NULL) *cp = 0;
8e669ac1 177 }
5cb8cbc6 178 }
8e669ac1 179
8f128379 180/* We now have the path; do the business */
5cb8cbc6
PH
181
182memset(&statbuf, 0, sizeof(statbuf));
183
184if (STATVFS(CS path, &statbuf) != 0)
ddf1b11a
JH
185 if (stat(CS path, &dummy) == -1 && errno == ENOENT)
186 { /* Can happen on first run after installation */
187 *inodeptr = -1;
188 return -1;
189 }
190 else
191 {
192 log_write(0, LOG_MAIN|LOG_PANIC, "cannot accept message: failed to stat "
193 "%s directory %s: %s", name, path, strerror(errno));
194 smtp_closedown(US"spool or log directory problem");
195 exim_exit(EXIT_FAILURE);
196 }
8e669ac1 197
5cb8cbc6
PH
198*inodeptr = (statbuf.F_FILES > 0)? statbuf.F_FAVAIL : -1;
199
200/* Disks are getting huge. Take care with computing the size in kilobytes. */
8e669ac1 201
5cb8cbc6
PH
202return (int)(((double)statbuf.F_BAVAIL * (double)statbuf.F_FRSIZE)/1024.0);
203
ddf1b11a 204#else
5cb8cbc6
PH
205/* Unable to find partition sizes in this environment. */
206
5cb8cbc6
PH
207*inodeptr = -1;
208return -1;
209#endif
210}
211
059ec3d9 212
059ec3d9 213
5cb8cbc6
PH
214
215/*************************************************
216* Check space on spool and log partitions *
217*************************************************/
218
219/* This function is called before accepting a message; if any thresholds are
220set, it checks them. If a message_size is supplied, it checks that there is
221enough space for that size plus the threshold - i.e. that the message won't
222reduce the space to the threshold. Not all OS have statvfs(); for those that
223don't, this function always returns TRUE. For some OS the old function and
224struct name statfs is used; that is handled by a macro, defined in exim.h.
225
226Arguments:
227 msg_size the (estimated) size of an incoming message
228
229Returns: FALSE if there isn't enough space, or if the information cannot
230 be obtained
231 TRUE if no check was done or there is enough space
232*/
233
234BOOL
235receive_check_fs(int msg_size)
236{
237int space, inodes;
238
239if (check_spool_space > 0 || msg_size > 0 || check_spool_inodes > 0)
240 {
8e669ac1
PH
241 space = receive_statvfs(TRUE, &inodes);
242
059ec3d9 243 DEBUG(D_receive)
5cb8cbc6
PH
244 debug_printf("spool directory space = %dK inodes = %d "
245 "check_space = %dK inodes = %d msg_size = %d\n",
246 space, inodes, check_spool_space, check_spool_inodes, msg_size);
8e669ac1
PH
247
248 if ((space >= 0 && space < check_spool_space) ||
5cb8cbc6 249 (inodes >= 0 && inodes < check_spool_inodes))
8e669ac1 250 {
5cb8cbc6
PH
251 log_write(0, LOG_MAIN, "spool directory space check failed: space=%d "
252 "inodes=%d", space, inodes);
059ec3d9
PH
253 return FALSE;
254 }
255 }
256
5cb8cbc6
PH
257if (check_log_space > 0 || check_log_inodes > 0)
258 {
8e669ac1
PH
259 space = receive_statvfs(FALSE, &inodes);
260
5cb8cbc6
PH
261 DEBUG(D_receive)
262 debug_printf("log directory space = %dK inodes = %d "
263 "check_space = %dK inodes = %d\n",
264 space, inodes, check_log_space, check_log_inodes);
8e669ac1
PH
265
266 if ((space >= 0 && space < check_log_space) ||
5cb8cbc6 267 (inodes >= 0 && inodes < check_log_inodes))
8e669ac1 268 {
5cb8cbc6
PH
269 log_write(0, LOG_MAIN, "log directory space check failed: space=%d "
270 "inodes=%d", space, inodes);
271 return FALSE;
272 }
8e669ac1
PH
273 }
274
059ec3d9
PH
275return TRUE;
276}
277
278
279
280/*************************************************
281* Bomb out while reading a message *
282*************************************************/
283
284/* The common case of wanting to bomb out is if a SIGTERM or SIGINT is
285received, or if there is a timeout. A rarer case might be if the log files are
286screwed up and Exim can't open them to record a message's arrival. Handling
287that case is done by setting a flag to cause the log functions to call this
288function if there is an ultimate disaster. That is why it is globally
289accessible.
290
8f128379
PH
291Arguments:
292 reason text reason to pass to the not-quit ACL
293 msg default SMTP response to give if in an SMTP session
059ec3d9
PH
294Returns: it doesn't
295*/
296
297void
8f128379 298receive_bomb_out(uschar *reason, uschar *msg)
059ec3d9 299{
ead37e6c
PP
300 static BOOL already_bombing_out;
301/* The smtp_notquit_exit() below can call ACLs which can trigger recursive
302timeouts, if someone has something slow in their quit ACL. Since the only
303things we should be doing are to close down cleanly ASAP, on the second
304pass we also close down stuff that might be opened again, before bypassing
305the ACL call and exiting. */
306
059ec3d9
PH
307/* If spool_name is set, it contains the name of the data file that is being
308written. Unlink it before closing so that it cannot be picked up by a delivery
309process. Ensure that any header file is also removed. */
310
ead37e6c 311if (spool_name[0] != '\0')
059ec3d9
PH
312 {
313 Uunlink(spool_name);
314 spool_name[Ustrlen(spool_name) - 1] = 'H';
315 Uunlink(spool_name);
ead37e6c 316 spool_name[0] = '\0';
059ec3d9
PH
317 }
318
319/* Now close the file if it is open, either as a fd or a stream. */
320
ead37e6c
PP
321if (data_file != NULL)
322 {
323 (void)fclose(data_file);
324 data_file = NULL;
325} else if (data_fd >= 0) {
326 (void)close(data_fd);
327 data_fd = -1;
328 }
059ec3d9 329
8f128379
PH
330/* Attempt to close down an SMTP connection tidily. For non-batched SMTP, call
331smtp_notquit_exit(), which runs the NOTQUIT ACL, if present, and handles the
332SMTP response. */
059ec3d9 333
ead37e6c 334if (!already_bombing_out)
059ec3d9 335 {
ead37e6c
PP
336 already_bombing_out = TRUE;
337 if (smtp_input)
338 {
339 if (smtp_batched_input)
340 moan_smtp_batch(NULL, "421 %s - message abandoned", msg); /* No return */
341 smtp_notquit_exit(reason, US"421", US"%s %s - closing connection.",
342 smtp_active_hostname, msg);
343 }
059ec3d9
PH
344 }
345
346/* Exit from the program (non-BSMTP cases) */
347
348exim_exit(EXIT_FAILURE);
349}
350
351
352/*************************************************
353* Data read timeout *
354*************************************************/
355
356/* Handler function for timeouts that occur while reading the data that
357comprises a message.
358
359Argument: the signal number
360Returns: nothing
361*/
362
363static void
364data_timeout_handler(int sig)
365{
366uschar *msg = NULL;
367
368sig = sig; /* Keep picky compilers happy */
369
370if (smtp_input)
371 {
372 msg = US"SMTP incoming data timeout";
373 log_write(L_lost_incoming_connection,
374 LOG_MAIN, "SMTP data timeout (message abandoned) on connection "
fed77020
PH
375 "from %s F=<%s>",
376 (sender_fullhost != NULL)? sender_fullhost : US"local process",
377 sender_address);
059ec3d9
PH
378 }
379else
380 {
381 fprintf(stderr, "exim: timed out while reading - message abandoned\n");
382 log_write(L_lost_incoming_connection,
383 LOG_MAIN, "timed out while reading local message");
384 }
385
8f128379 386receive_bomb_out(US"data-timeout", msg); /* Does not return */
059ec3d9
PH
387}
388
389
390
391/*************************************************
392* local_scan() timeout *
393*************************************************/
394
395/* Handler function for timeouts that occur while running a local_scan()
396function.
397
398Argument: the signal number
399Returns: nothing
400*/
401
402static void
403local_scan_timeout_handler(int sig)
404{
405sig = sig; /* Keep picky compilers happy */
406log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function timed out - "
407 "message temporarily rejected (size %d)", message_size);
8f128379
PH
408/* Does not return */
409receive_bomb_out(US"local-scan-timeout", US"local verification problem");
059ec3d9
PH
410}
411
412
413
414/*************************************************
415* local_scan() crashed *
416*************************************************/
417
418/* Handler function for signals that occur while running a local_scan()
419function.
420
421Argument: the signal number
422Returns: nothing
423*/
424
425static void
426local_scan_crash_handler(int sig)
427{
428log_write(0, LOG_MAIN|LOG_REJECT, "local_scan() function crashed with "
429 "signal %d - message temporarily rejected (size %d)", sig, message_size);
8f128379
PH
430/* Does not return */
431receive_bomb_out(US"local-scan-error", US"local verification problem");
059ec3d9
PH
432}
433
434
435/*************************************************
436* SIGTERM or SIGINT received *
437*************************************************/
438
439/* Handler for SIGTERM or SIGINT signals that occur while reading the
440data that comprises a message.
441
442Argument: the signal number
443Returns: nothing
444*/
445
446static void
447data_sigterm_sigint_handler(int sig)
448{
449uschar *msg = NULL;
450
451if (smtp_input)
452 {
453 msg = US"Service not available - SIGTERM or SIGINT received";
454 log_write(0, LOG_MAIN, "%s closed after %s", smtp_get_connection_info(),
455 (sig == SIGTERM)? "SIGTERM" : "SIGINT");
456 }
457else
458 {
f05da2e8 459 if (filter_test == FTEST_NONE)
059ec3d9
PH
460 {
461 fprintf(stderr, "\nexim: %s received - message abandoned\n",
462 (sig == SIGTERM)? "SIGTERM" : "SIGINT");
463 log_write(0, LOG_MAIN, "%s received while reading local message",
464 (sig == SIGTERM)? "SIGTERM" : "SIGINT");
465 }
466 }
467
8f128379 468receive_bomb_out(US"signal-exit", msg); /* Does not return */
059ec3d9
PH
469}
470
471
472
473/*************************************************
474* Add new recipient to list *
475*************************************************/
476
477/* This function builds a list of recipient addresses in argc/argv
478format.
479
480Arguments:
481 recipient the next address to add to recipients_list
482 pno parent number for fixed aliases; -1 otherwise
483
484Returns: nothing
485*/
486
487void
488receive_add_recipient(uschar *recipient, int pno)
489{
490if (recipients_count >= recipients_list_max)
491 {
492 recipient_item *oldlist = recipients_list;
493 int oldmax = recipients_list_max;
494 recipients_list_max = recipients_list_max? 2*recipients_list_max : 50;
495 recipients_list = store_get(recipients_list_max * sizeof(recipient_item));
496 if (oldlist != NULL)
497 memcpy(recipients_list, oldlist, oldmax * sizeof(recipient_item));
498 }
499
500recipients_list[recipients_count].address = recipient;
501recipients_list[recipients_count].pno = pno;
8523533c
TK
502#ifdef EXPERIMENTAL_BRIGHTMAIL
503recipients_list[recipients_count].bmi_optin = bmi_current_optin;
504/* reset optin string pointer for next recipient */
505bmi_current_optin = NULL;
506#endif
6c1c3d1d
WB
507recipients_list[recipients_count].orcpt = NULL;
508recipients_list[recipients_count].dsn_flags = 0;
059ec3d9
PH
509recipients_list[recipients_count++].errors_to = NULL;
510}
511
512
513
514
515/*************************************************
fd98a5c6
JH
516* Send user response message *
517*************************************************/
61147df4 518
fd98a5c6
JH
519/* This function is passed a default response code and a user message. It calls
520smtp_message_code() to check and possibly modify the response code, and then
521calls smtp_respond() to transmit the response. I put this into a function
522just to avoid a lot of repetition.
61147df4
PP
523
524Arguments:
fd98a5c6
JH
525 code the response code
526 user_msg the user message
527
528Returns: nothing
61147df4
PP
529*/
530
8ccd00b1 531#ifndef DISABLE_PRDR
61147df4 532static void
fd98a5c6 533smtp_user_msg(uschar *code, uschar *user_msg)
61147df4 534{
fd98a5c6 535int len = 3;
4f6ae5c3 536smtp_message_code(&code, &len, &user_msg, NULL, TRUE);
fd98a5c6 537smtp_respond(code, len, TRUE, user_msg);
61147df4
PP
538}
539#endif
540
541
542
543
fd98a5c6
JH
544
545/*************************************************
059ec3d9
PH
546* Remove a recipient from the list *
547*************************************************/
548
549/* This function is provided for local_scan() to use.
550
551Argument:
552 recipient address to remove
553
554Returns: TRUE if it did remove something; FALSE otherwise
555*/
556
557BOOL
558receive_remove_recipient(uschar *recipient)
559{
560int count;
561DEBUG(D_receive) debug_printf("receive_remove_recipient(\"%s\") called\n",
562 recipient);
563for (count = 0; count < recipients_count; count++)
564 {
565 if (Ustrcmp(recipients_list[count].address, recipient) == 0)
566 {
567 if ((--recipients_count - count) > 0)
568 memmove(recipients_list + count, recipients_list + count + 1,
54cdb463 569 (recipients_count - count)*sizeof(recipient_item));
059ec3d9
PH
570 return TRUE;
571 }
572 }
573return FALSE;
574}
575
576
577
578
579
580/*************************************************
581* Read data portion of a non-SMTP message *
582*************************************************/
583
584/* This function is called to read the remainder of a message (following the
585header) when the input is not from SMTP - we are receiving a local message on
586a standard input stream. The message is always terminated by EOF, and is also
587terminated by a dot on a line by itself if the flag dot_ends is TRUE. Split the
588two cases for maximum efficiency.
589
590Ensure that the body ends with a newline. This will naturally be the case when
591the termination is "\n.\n" but may not be otherwise. The RFC defines messages
592as "sequences of lines" - this of course strictly applies only to SMTP, but
593deliveries into BSD-type mailbox files also require it. Exim used to have a
594flag for doing this at delivery time, but as it was always set for all
595transports, I decided to simplify things by putting the check here instead.
596
597There is at least one MUA (dtmail) that sends CRLF via this interface, and
598other programs are known to do this as well. Exim used to have an option for
599dealing with this: in July 2003, after much discussion, the code has been
600changed to default to treat any of LF, CRLF, and bare CR as line terminators.
601
602However, for the case when a dot on a line by itself terminates a message, the
603only recognized terminating sequences before and after the dot are LF and CRLF.
604Otherwise, having read EOL . CR, you don't know whether to read another
605character or not.
606
607Internally, in messages stored in Exim's spool files, LF is used as the line
608terminator. Under the new regime, bare CRs will no longer appear in these
609files.
610
611Arguments:
612 fout a FILE to which to write the message
613
614Returns: One of the END_xxx values indicating why it stopped reading
615*/
616
617static int
618read_message_data(FILE *fout)
619{
620int ch_state;
621register int ch;
d677b2f2 622register int linelength = 0;
059ec3d9
PH
623
624/* Handle the case when only EOF terminates the message */
625
626if (!dot_ends)
627 {
628 register int last_ch = '\n';
629
bd8fbe36 630 for (; (ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF; last_ch = ch)
059ec3d9
PH
631 {
632 if (ch == 0) body_zerocount++;
633 if (last_ch == '\r' && ch != '\n')
634 {
d677b2f2
PH
635 if (linelength > max_received_linelength)
636 max_received_linelength = linelength;
637 linelength = 0;
059ec3d9
PH
638 if (fputc('\n', fout) == EOF) return END_WERROR;
639 message_size++;
640 body_linecount++;
641 }
642 if (ch == '\r') continue;
643
644 if (fputc(ch, fout) == EOF) return END_WERROR;
d677b2f2
PH
645 if (ch == '\n')
646 {
647 if (linelength > max_received_linelength)
648 max_received_linelength = linelength;
649 linelength = 0;
650 body_linecount++;
651 }
652 else linelength++;
059ec3d9
PH
653 if (++message_size > thismessage_size_limit) return END_SIZE;
654 }
655
656 if (last_ch != '\n')
657 {
d677b2f2
PH
658 if (linelength > max_received_linelength)
659 max_received_linelength = linelength;
059ec3d9
PH
660 if (fputc('\n', fout) == EOF) return END_WERROR;
661 message_size++;
662 body_linecount++;
663 }
664
665 return END_EOF;
666 }
667
668/* Handle the case when a dot on a line on its own, or EOF, terminates. */
669
670ch_state = 1;
671
bd8fbe36 672while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
059ec3d9
PH
673 {
674 if (ch == 0) body_zerocount++;
675 switch (ch_state)
676 {
677 case 0: /* Normal state (previous char written) */
678 if (ch == '\n')
d677b2f2
PH
679 {
680 body_linecount++;
681 if (linelength > max_received_linelength)
682 max_received_linelength = linelength;
683 linelength = -1;
684 ch_state = 1;
685 }
059ec3d9
PH
686 else if (ch == '\r')
687 { ch_state = 2; continue; }
688 break;
689
690 case 1: /* After written "\n" */
691 if (ch == '.') { ch_state = 3; continue; }
6eb02f88 692 if (ch == '\r') { ch_state = 2; continue; }
3581f321
JH
693 if (ch == '\n') { body_linecount++; linelength = -1; }
694 else ch_state = 0;
059ec3d9
PH
695 break;
696
697 case 2:
698 body_linecount++; /* After unwritten "\r" */
d677b2f2
PH
699 if (linelength > max_received_linelength)
700 max_received_linelength = linelength;
059ec3d9 701 if (ch == '\n')
d677b2f2
PH
702 {
703 ch_state = 1;
704 linelength = -1;
705 }
059ec3d9
PH
706 else
707 {
708 if (message_size++, fputc('\n', fout) == EOF) return END_WERROR;
709 if (ch == '\r') continue;
710 ch_state = 0;
d677b2f2 711 linelength = 0;
059ec3d9
PH
712 }
713 break;
714
715 case 3: /* After "\n." (\n written, dot not) */
716 if (ch == '\n') return END_DOT;
717 if (ch == '\r') { ch_state = 4; continue; }
718 message_size++;
d677b2f2 719 linelength++;
059ec3d9
PH
720 if (fputc('.', fout) == EOF) return END_WERROR;
721 ch_state = 0;
722 break;
723
724 case 4: /* After "\n.\r" (\n written, rest not) */
725 if (ch == '\n') return END_DOT;
726 message_size += 2;
727 body_linecount++;
728 if (fputs(".\n", fout) == EOF) return END_WERROR;
729 if (ch == '\r') { ch_state = 2; continue; }
730 ch_state = 0;
731 break;
732 }
733
d677b2f2 734 linelength++;
059ec3d9
PH
735 if (fputc(ch, fout) == EOF) return END_WERROR;
736 if (++message_size > thismessage_size_limit) return END_SIZE;
737 }
738
739/* Get here if EOF read. Unless we have just written "\n", we need to ensure
740the message ends with a newline, and we must also write any characters that
741were saved up while testing for an ending dot. */
742
743if (ch_state != 1)
744 {
745 static uschar *ends[] = { US"\n", NULL, US"\n", US".\n", US".\n" };
746 if (fputs(CS ends[ch_state], fout) == EOF) return END_WERROR;
747 message_size += Ustrlen(ends[ch_state]);
748 body_linecount++;
749 }
750
751return END_EOF;
752}
753
754
755
756
757/*************************************************
758* Read data portion of an SMTP message *
759*************************************************/
760
761/* This function is called to read the remainder of an SMTP message (after the
762headers), or to skip over it when an error has occurred. In this case, the
763output file is passed as NULL.
764
765If any line begins with a dot, that character is skipped. The input should only
766be successfully terminated by CR LF . CR LF unless it is local (non-network)
767SMTP, in which case the CRs are optional, but...
768
769FUDGE: It seems that sites on the net send out messages with just LF
770terminators, despite the warnings in the RFCs, and other MTAs handle this. So
771we make the CRs optional in all cases.
772
773July 2003: Bare CRs cause trouble. We now treat them as line terminators as
774well, so that there are no CRs in spooled messages. However, the message
775terminating dot is not recognized between two bare CRs.
776
777Arguments:
778 fout a FILE to which to write the message; NULL if skipping
779
780Returns: One of the END_xxx values indicating why it stopped reading
781*/
782
783static int
784read_message_data_smtp(FILE *fout)
785{
786int ch_state = 0;
e4bdf652 787int ch;
7e3ce68e 788int linelength = 0;
059ec3d9 789
bd8fbe36 790while ((ch = (receive_getc)(GETC_BUFFER_UNLIMITED)) != EOF)
059ec3d9
PH
791 {
792 if (ch == 0) body_zerocount++;
793 switch (ch_state)
794 {
795 case 0: /* After LF or CRLF */
796 if (ch == '.')
797 {
798 ch_state = 3;
799 continue; /* Don't ever write . after LF */
800 }
801 ch_state = 1;
802
803 /* Else fall through to handle as normal uschar. */
804
805 case 1: /* Normal state */
806 if (ch == '\n')
807 {
808 ch_state = 0;
809 body_linecount++;
1f5497b2
PH
810 if (linelength > max_received_linelength)
811 max_received_linelength = linelength;
812 linelength = -1;
059ec3d9
PH
813 }
814 else if (ch == '\r')
815 {
816 ch_state = 2;
817 continue;
818 }
819 break;
820
821 case 2: /* After (unwritten) CR */
822 body_linecount++;
1f5497b2
PH
823 if (linelength > max_received_linelength)
824 max_received_linelength = linelength;
825 linelength = -1;
059ec3d9
PH
826 if (ch == '\n')
827 {
828 ch_state = 0;
829 }
830 else
831 {
832 message_size++;
833 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
e4bdf652 834 (void) cutthrough_put_nl();
059ec3d9
PH
835 if (ch != '\r') ch_state = 1; else continue;
836 }
837 break;
838
839 case 3: /* After [CR] LF . */
840 if (ch == '\n')
841 return END_DOT;
842 if (ch == '\r')
843 {
844 ch_state = 4;
845 continue;
846 }
1bc460a6
JH
847 /* The dot was removed at state 3. For a doubled dot, here, reinstate
848 it to cutthrough. The current ch, dot or not, is passed both to cutthrough
849 and to file below. */
850 if (ch == '.')
851 {
852 uschar c= ch;
853 (void) cutthrough_puts(&c, 1);
854 }
855 ch_state = 1;
059ec3d9
PH
856 break;
857
858 case 4: /* After [CR] LF . CR */
859 if (ch == '\n') return END_DOT;
860 message_size++;
861 body_linecount++;
862 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
e4bdf652 863 (void) cutthrough_put_nl();
059ec3d9
PH
864 if (ch == '\r')
865 {
866 ch_state = 2;
867 continue;
868 }
869 ch_state = 1;
870 break;
871 }
872
873 /* Add the character to the spool file, unless skipping; then loop for the
874 next. */
875
876 message_size++;
1f5497b2 877 linelength++;
7e3ce68e 878 if (fout)
059ec3d9
PH
879 {
880 if (fputc(ch, fout) == EOF) return END_WERROR;
881 if (message_size > thismessage_size_limit) return END_SIZE;
882 }
e4bdf652
JH
883 if(ch == '\n')
884 (void) cutthrough_put_nl();
885 else
886 {
7e3ce68e 887 uschar c = ch;
e4bdf652
JH
888 (void) cutthrough_puts(&c, 1);
889 }
059ec3d9
PH
890 }
891
892/* Fall through here if EOF encountered. This indicates some kind of error,
893since a correct message is terminated by [CR] LF . [CR] LF. */
894
895return END_EOF;
896}
897
898
899
900
7e3ce68e 901/* Variant of the above read_message_data_smtp() specialised for RFC 3030
1ebe15c3
JH
902CHUNKING. Accept input lines separated by either CRLF or CR or LF and write
903LF-delimited spoolfile. Until we have wireformat spoolfiles, we need the
904body_linecount accounting for proper re-expansion for the wire, so use
905a cut-down version of the state-machine above; we don't need to do leading-dot
906detection and unstuffing.
7e3ce68e
JH
907
908Arguments:
909 fout a FILE to which to write the message; NULL if skipping
910
911Returns: One of the END_xxx values indicating why it stopped reading
912*/
913
914static int
915read_message_bdat_smtp(FILE *fout)
916{
cff70eb1
HSHR
917int linelength = 0, ch;
918enum CH_STATE ch_state = LF_SEEN;
7e3ce68e 919
1ebe15c3 920for(;;)
7e3ce68e 921 {
1ebe15c3
JH
922 switch ((ch = (bdat_getc)(GETC_BUFFER_UNLIMITED)))
923 {
924 case EOF: return END_EOF;
925 case EOD: return END_DOT; /* normal exit */
926 case ERR: return END_PROTOCOL;
927 case '\0': body_zerocount++; break;
928 }
929 switch (ch_state)
930 {
cff70eb1
HSHR
931 case LF_SEEN: /* After LF or CRLF */
932 ch_state = MID_LINE;
1ebe15c3 933 /* fall through to handle as normal uschar. */
7e3ce68e 934
cff70eb1 935 case MID_LINE: /* Mid-line state */
1ebe15c3
JH
936 if (ch == '\n')
937 {
cff70eb1 938 ch_state = LF_SEEN;
1ebe15c3
JH
939 body_linecount++;
940 if (linelength > max_received_linelength)
941 max_received_linelength = linelength;
942 linelength = -1;
943 }
944 else if (ch == '\r')
945 {
cff70eb1 946 ch_state = CR_SEEN;
1ebe15c3
JH
947 continue; /* don't write CR */
948 }
949 break;
7e3ce68e 950
cff70eb1 951 case CR_SEEN: /* After (unwritten) CR */
1ebe15c3
JH
952 body_linecount++;
953 if (linelength > max_received_linelength)
954 max_received_linelength = linelength;
955 linelength = -1;
956 if (ch == '\n')
cff70eb1 957 ch_state = LF_SEEN;
1ebe15c3
JH
958 else
959 {
960 message_size++;
961 if (fout != NULL && fputc('\n', fout) == EOF) return END_WERROR;
962 (void) cutthrough_put_nl();
963 if (ch == '\r') continue; /* don't write CR */
cff70eb1 964 ch_state = MID_LINE;
1ebe15c3
JH
965 }
966 break;
967 }
968
969 /* Add the character to the spool file, unless skipping */
970
971 message_size++;
972 linelength++;
973 if (fout)
974 {
975 if (fputc(ch, fout) == EOF) return END_WERROR;
976 if (message_size > thismessage_size_limit) return END_SIZE;
977 }
978 if(ch == '\n')
979 (void) cutthrough_put_nl();
980 else
981 {
982 uschar c = ch;
983 (void) cutthrough_puts(&c, 1);
984 }
7e3ce68e
JH
985 }
986/*NOTREACHED*/
987}
988
989
990
991
059ec3d9
PH
992/*************************************************
993* Swallow SMTP message *
994*************************************************/
995
996/* This function is called when there has been some kind of error while reading
997an SMTP message, and the remaining data may need to be swallowed. It is global
998because it is called from smtp_closedown() to shut down an incoming call
999tidily.
1000
1001Arguments: none
1002Returns: nothing
1003*/
1004
1005void
1006receive_swallow_smtp(void)
1007{
7e3ce68e 1008/*XXX CHUNKING: not enough. read chunks until RSET? */
059ec3d9
PH
1009if (message_ended >= END_NOTENDED)
1010 message_ended = read_message_data_smtp(NULL);
1011}
1012
1013
1014
1015/*************************************************
1016* Handle lost SMTP connection *
1017*************************************************/
1018
1019/* This function logs connection loss incidents and generates an appropriate
1020SMTP response.
1021
1022Argument: additional data for the message
1023Returns: the SMTP response
1024*/
1025
1026static uschar *
1027handle_lost_connection(uschar *s)
1028{
1029log_write(L_lost_incoming_connection | L_smtp_connection, LOG_MAIN,
1030 "%s lost while reading message data%s", smtp_get_connection_info(), s);
eea0defe 1031smtp_notquit_exit(US"connection-lost", NULL, NULL);
059ec3d9
PH
1032return US"421 Lost incoming connection";
1033}
1034
1035
1036
1037
1038/*************************************************
1039* Handle a non-smtp reception error *
1040*************************************************/
1041
1042/* This function is called for various errors during the reception of non-SMTP
1043messages. It either sends a message to the sender of the problem message, or it
1044writes to the standard error stream.
1045
1046Arguments:
1047 errcode code for moan_to_sender(), identifying the error
1048 text1 first message text, passed to moan_to_sender()
1049 text2 second message text, used only for stderrr
1050 error_rc code to pass to exim_exit if no problem
1051 f FILE containing body of message (may be stdin)
1052 hptr pointer to instore headers or NULL
1053
1054Returns: calls exim_exit(), which does not return
1055*/
1056
1057static void
1058give_local_error(int errcode, uschar *text1, uschar *text2, int error_rc,
1059 FILE *f, header_line *hptr)
1060{
1061if (error_handling == ERRORS_SENDER)
1062 {
1063 error_block eblock;
1064 eblock.next = NULL;
1065 eblock.text1 = text1;
37f3dc43 1066 eblock.text2 = US"";
059ec3d9
PH
1067 if (!moan_to_sender(errcode, &eblock, hptr, f, FALSE))
1068 error_rc = EXIT_FAILURE;
1069 }
37f3dc43
JH
1070else
1071 fprintf(stderr, "exim: %s%s\n", text2, text1); /* Sic */
f1e894f3 1072(void)fclose(f);
059ec3d9
PH
1073exim_exit(error_rc);
1074}
1075
1076
1077
1078/*************************************************
1079* Add header lines set up by ACL *
1080*************************************************/
1081
850635b6
PH
1082/* This function is called to add the header lines that were set up by
1083statements in an ACL to the list of headers in memory. It is done in two stages
1084like this, because when the ACL for RCPT is running, the other headers have not
1085yet been received. This function is called twice; once just before running the
1086DATA ACL, and once after. This is so that header lines added by MAIL or RCPT
1087are visible to the DATA ACL.
059ec3d9
PH
1088
1089Originally these header lines were added at the end. Now there is support for
1090three different places: top, bottom, and after the Received: header(s). There
1091will always be at least one Received: header, even if it is marked deleted, and
1092even if something else has been put in front of it.
1093
1094Arguments:
1095 acl_name text to identify which ACL
1096
1097Returns: nothing
1098*/
1099
1100static void
578d43dc 1101add_acl_headers(int where, uschar *acl_name)
059ec3d9
PH
1102{
1103header_line *h, *next;
1104header_line *last_received = NULL;
e7568d51 1105
578d43dc
JH
1106switch(where)
1107 {
1108 case ACL_WHERE_DKIM:
1109 case ACL_WHERE_MIME:
af4a1bca 1110 case ACL_WHERE_DATA:
5032d1cf 1111 if (cutthrough.fd >= 0 && (acl_removed_headers || acl_added_headers))
578d43dc
JH
1112 {
1113 log_write(0, LOG_MAIN|LOG_PANIC, "Header modification in data ACLs"
af4a1bca 1114 " will not take effect on cutthrough deliveries");
578d43dc
JH
1115 return;
1116 }
1117 }
1118
e7568d51
TL
1119if (acl_removed_headers != NULL)
1120 {
e1d04f48 1121 DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers removed by %s ACL:\n", acl_name);
e7568d51 1122
4a142059 1123 for (h = header_list; h != NULL; h = h->next) if (h->type != htype_old)
e7568d51 1124 {
55414b25 1125 const uschar * list = acl_removed_headers;
e7568d51
TL
1126 int sep = ':'; /* This is specified as a colon-separated list */
1127 uschar *s;
1128 uschar buffer[128];
4a142059
JH
1129
1130 while ((s = string_nextinlist(&list, &sep, buffer, sizeof(buffer))))
1131 if (header_testname(h, s, Ustrlen(s), FALSE))
e7568d51
TL
1132 {
1133 h->type = htype_old;
e1d04f48 1134 DEBUG(D_receive|D_acl) debug_printf_indent(" %s", h->text);
e7568d51 1135 }
e7568d51
TL
1136 }
1137 acl_removed_headers = NULL;
e1d04f48 1138 DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
e7568d51 1139 }
059ec3d9 1140
71fafd95 1141if (acl_added_headers == NULL) return;
e1d04f48 1142DEBUG(D_receive|D_acl) debug_printf_indent(">>Headers added by %s ACL:\n", acl_name);
059ec3d9 1143
71fafd95 1144for (h = acl_added_headers; h != NULL; h = next)
059ec3d9
PH
1145 {
1146 next = h->next;
1147
1148 switch(h->type)
1149 {
1150 case htype_add_top:
1151 h->next = header_list;
1152 header_list = h;
e1d04f48 1153 DEBUG(D_receive|D_acl) debug_printf_indent(" (at top)");
059ec3d9
PH
1154 break;
1155
1156 case htype_add_rec:
1157 if (last_received == NULL)
1158 {
1159 last_received = header_list;
1160 while (!header_testname(last_received, US"Received", 8, FALSE))
1161 last_received = last_received->next;
1162 while (last_received->next != NULL &&
1163 header_testname(last_received->next, US"Received", 8, FALSE))
1164 last_received = last_received->next;
1165 }
1166 h->next = last_received->next;
1167 last_received->next = h;
e1d04f48 1168 DEBUG(D_receive|D_acl) debug_printf_indent(" (after Received:)");
059ec3d9
PH
1169 break;
1170
8523533c
TK
1171 case htype_add_rfc:
1172 /* add header before any header which is NOT Received: or Resent- */
1173 last_received = header_list;
1174 while ( (last_received->next != NULL) &&
1175 ( (header_testname(last_received->next, US"Received", 8, FALSE)) ||
1176 (header_testname_incomplete(last_received->next, US"Resent-", 7, FALSE)) ) )
1177 last_received = last_received->next;
1178 /* last_received now points to the last Received: or Resent-* header
1179 in an uninterrupted chain of those header types (seen from the beginning
1180 of all headers. Our current header must follow it. */
1181 h->next = last_received->next;
1182 last_received->next = h;
e1d04f48 1183 DEBUG(D_receive|D_acl) debug_printf_indent(" (before any non-Received: or Resent-*: header)");
8523533c
TK
1184 break;
1185
059ec3d9
PH
1186 default:
1187 h->next = NULL;
1188 header_last->next = h;
1189 break;
1190 }
1191
1192 if (h->next == NULL) header_last = h;
1193
1194 /* Check for one of the known header types (From:, To:, etc.) though in
1195 practice most added headers are going to be "other". Lower case
1196 identification letters are never stored with the header; they are used
1197 for existence tests when messages are received. So discard any lower case
1198 flag values. */
1199
1200 h->type = header_checkname(h, FALSE);
1201 if (h->type >= 'a') h->type = htype_other;
1202
e1d04f48 1203 DEBUG(D_receive|D_acl) debug_printf_indent(" %s", header_last->text);
059ec3d9
PH
1204 }
1205
71fafd95 1206acl_added_headers = NULL;
e1d04f48 1207DEBUG(D_receive|D_acl) debug_printf_indent(">>\n");
059ec3d9
PH
1208}
1209
1210
1211
1212/*************************************************
1213* Add host information for log line *
1214*************************************************/
1215
1216/* Called for acceptance and rejecting log lines. This adds information about
1217the calling host to a string that is being built dynamically.
1218
1219Arguments:
1220 s the dynamic string
1221 sizeptr points to the size variable
1222 ptrptr points to the pointer variable
1223
1224Returns: the extended string
1225*/
1226
1227static uschar *
fc16abb4 1228add_host_info_for_log(uschar * s, int * sizeptr, int * ptrptr)
059ec3d9 1229{
fc16abb4 1230if (sender_fullhost)
059ec3d9 1231 {
fc16abb4
JH
1232 if (LOGGING(dnssec) && sender_host_dnssec) /*XXX sender_helo_dnssec? */
1233 s = string_cat(s, sizeptr, ptrptr, US" DS");
059ec3d9 1234 s = string_append(s, sizeptr, ptrptr, 2, US" H=", sender_fullhost);
6c6d6e48 1235 if (LOGGING(incoming_interface) && interface_address != NULL)
059ec3d9 1236 {
fc16abb4
JH
1237 s = string_cat(s, sizeptr, ptrptr,
1238 string_sprintf(" I=[%s]:%d", interface_address, interface_port));
059ec3d9
PH
1239 }
1240 }
1241if (sender_ident != NULL)
1242 s = string_append(s, sizeptr, ptrptr, 2, US" U=", sender_ident);
1243if (received_protocol != NULL)
1244 s = string_append(s, sizeptr, ptrptr, 2, US" P=", received_protocol);
1245return s;
1246}
1247
1248
1249
63955bf2 1250#ifdef WITH_CONTENT_SCAN
059ec3d9
PH
1251
1252/*************************************************
54cdb463
PH
1253* Run the MIME ACL on a message *
1254*************************************************/
1255
1256/* This code is in a subroutine so that it can be used for both SMTP
1257and non-SMTP messages. It is called with a non-NULL ACL pointer.
1258
1259Arguments:
1260 acl The ACL to run (acl_smtp_mime or acl_not_smtp_mime)
1261 smtp_yield_ptr Set FALSE to kill messages after dropped connection
1262 smtp_reply_ptr Where SMTP reply is being built
1263 blackholed_by_ptr Where "blackholed by" message is being built
1264
1265Returns: TRUE to carry on; FALSE to abandon the message
1266*/
1267
1268static BOOL
1269run_mime_acl(uschar *acl, BOOL *smtp_yield_ptr, uschar **smtp_reply_ptr,
1270 uschar **blackholed_by_ptr)
1271{
1272FILE *mbox_file;
1273uschar rfc822_file_path[2048];
1274unsigned long mbox_size;
1275header_line *my_headerlist;
1276uschar *user_msg, *log_msg;
1277int mime_part_count_buffer = -1;
7156b1ef 1278int rc = OK;
54cdb463
PH
1279
1280memset(CS rfc822_file_path,0,2048);
1281
1282/* check if it is a MIME message */
1283my_headerlist = header_list;
4e88a19f
PH
1284while (my_headerlist != NULL)
1285 {
54cdb463 1286 /* skip deleted headers */
4e88a19f
PH
1287 if (my_headerlist->type == '*')
1288 {
54cdb463
PH
1289 my_headerlist = my_headerlist->next;
1290 continue;
4e88a19f
PH
1291 }
1292 if (strncmpic(my_headerlist->text, US"Content-Type:", 13) == 0)
1293 {
54cdb463
PH
1294 DEBUG(D_receive) debug_printf("Found Content-Type: header - executing acl_smtp_mime.\n");
1295 goto DO_MIME_ACL;
4e88a19f 1296 }
54cdb463 1297 my_headerlist = my_headerlist->next;
4e88a19f 1298 }
54cdb463
PH
1299
1300DEBUG(D_receive) debug_printf("No Content-Type: header - presumably not a MIME message.\n");
1301return TRUE;
1302
1303DO_MIME_ACL:
1304/* make sure the eml mbox file is spooled up */
8544e77a 1305mbox_file = spool_mbox(&mbox_size, NULL);
54cdb463
PH
1306if (mbox_file == NULL) {
1307 /* error while spooling */
1308 log_write(0, LOG_MAIN|LOG_PANIC,
1309 "acl_smtp_mime: error while creating mbox spool file, message temporarily rejected.");
1310 Uunlink(spool_name);
1311 unspool_mbox();
6f0c431a
PP
1312#ifdef EXPERIMENTAL_DCC
1313 dcc_ok = 0;
1314#endif
a5bd321b 1315 smtp_respond(US"451", 3, TRUE, US"temporary local problem");
54cdb463
PH
1316 message_id[0] = 0; /* Indicate no message accepted */
1317 *smtp_reply_ptr = US""; /* Indicate reply already sent */
1318 return FALSE; /* Indicate skip to end of receive function */
1319};
1320
1321mime_is_rfc822 = 0;
1322
1323MIME_ACL_CHECK:
1324mime_part_count = -1;
1325rc = mime_acl_check(acl, mbox_file, NULL, &user_msg, &log_msg);
f1e894f3 1326(void)fclose(mbox_file);
54cdb463 1327
4e88a19f
PH
1328if (Ustrlen(rfc822_file_path) > 0)
1329 {
54cdb463
PH
1330 mime_part_count = mime_part_count_buffer;
1331
4e88a19f
PH
1332 if (unlink(CS rfc822_file_path) == -1)
1333 {
54cdb463
PH
1334 log_write(0, LOG_PANIC,
1335 "acl_smtp_mime: can't unlink RFC822 spool file, skipping.");
1336 goto END_MIME_ACL;
4e88a19f
PH
1337 }
1338 }
54cdb463
PH
1339
1340/* check if we must check any message/rfc822 attachments */
4e88a19f
PH
1341if (rc == OK)
1342 {
54cdb463 1343 uschar temp_path[1024];
e8bc7fca
JH
1344 struct dirent * entry;
1345 DIR * tempdir;
54cdb463 1346
e8bc7fca
JH
1347 (void) string_format(temp_path, sizeof(temp_path), "%s/scan/%s",
1348 spool_directory, message_id);
54cdb463 1349
4e88a19f 1350 tempdir = opendir(CS temp_path);
e8bc7fca 1351 for (;;)
4e88a19f 1352 {
e8bc7fca
JH
1353 if (!(entry = readdir(tempdir)))
1354 break;
1355 if (strncmpic(US entry->d_name, US"__rfc822_", 9) == 0)
4e88a19f 1356 {
e8bc7fca
JH
1357 (void) string_format(rfc822_file_path, sizeof(rfc822_file_path),
1358 "%s/scan/%s/%s", spool_directory, message_id, entry->d_name);
e1d04f48 1359 DEBUG(D_receive) debug_printf("RFC822 attachment detected: running MIME ACL for '%s'\n",
e8bc7fca 1360 rfc822_file_path);
4e88a19f
PH
1361 break;
1362 }
e8bc7fca 1363 }
4e88a19f 1364 closedir(tempdir);
54cdb463 1365
e8bc7fca 1366 if (entry)
4e88a19f 1367 {
e8bc7fca 1368 if ((mbox_file = Ufopen(rfc822_file_path, "rb")))
4e88a19f 1369 {
e8bc7fca
JH
1370 /* set RFC822 expansion variable */
1371 mime_is_rfc822 = 1;
1372 mime_part_count_buffer = mime_part_count;
1373 goto MIME_ACL_CHECK;
4e88a19f 1374 }
e8bc7fca
JH
1375 log_write(0, LOG_PANIC,
1376 "acl_smtp_mime: can't open RFC822 spool file, skipping.");
1377 unlink(CS rfc822_file_path);
4e88a19f
PH
1378 }
1379 }
54cdb463
PH
1380
1381END_MIME_ACL:
578d43dc 1382add_acl_headers(ACL_WHERE_MIME, US"MIME");
54cdb463
PH
1383if (rc == DISCARD)
1384 {
1385 recipients_count = 0;
1386 *blackholed_by_ptr = US"MIME ACL";
1387 }
1388else if (rc != OK)
1389 {
1390 Uunlink(spool_name);
1391 unspool_mbox();
6f0c431a
PP
1392#ifdef EXPERIMENTAL_DCC
1393 dcc_ok = 0;
1394#endif
4f6ae5c3
JH
1395 if ( smtp_input
1396 && smtp_handle_acl_fail(ACL_WHERE_MIME, rc, user_msg, log_msg) != 0)
1397 {
85ffcba6 1398 *smtp_yield_ptr = FALSE; /* No more messages after dropped connection */
f4c1088b 1399 *smtp_reply_ptr = US""; /* Indicate reply already sent */
4f6ae5c3 1400 }
54cdb463
PH
1401 message_id[0] = 0; /* Indicate no message accepted */
1402 return FALSE; /* Cause skip to end of receive function */
4e88a19f 1403 }
54cdb463
PH
1404
1405return TRUE;
1406}
1407
63955bf2 1408#endif /* WITH_CONTENT_SCAN */
54cdb463
PH
1409
1410
e4bdf652
JH
1411
1412void
1413received_header_gen(void)
1414{
1415uschar *received;
1416uschar *timestamp;
1417header_line *received_header= header_list;
1418
1419timestamp = expand_string(US"${tod_full}");
1420if (recipients_count == 1) received_for = recipients_list[0].address;
1421received = expand_string(received_header_text);
1422received_for = NULL;
1423
d4ff61d1 1424if (!received)
e4bdf652
JH
1425 {
1426 if(spool_name[0] != 0)
1427 Uunlink(spool_name); /* Lose the data file */
1428 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
1429 "(received_header_text) failed: %s", string_printing(received_header_text),
1430 expand_string_message);
1431 }
1432
1433/* The first element on the header chain is reserved for the Received header,
1434so all we have to do is fill in the text pointer, and set the type. However, if
1435the result of the expansion is an empty string, we leave the header marked as
1436"old" so as to refrain from adding a Received header. */
1437
1438if (received[0] == 0)
1439 {
1440 received_header->text = string_sprintf("Received: ; %s\n", timestamp);
1441 received_header->type = htype_old;
1442 }
1443else
1444 {
1445 received_header->text = string_sprintf("%s; %s\n", received, timestamp);
1446 received_header->type = htype_received;
1447 }
1448
1449received_header->slen = Ustrlen(received_header->text);
1450
1451DEBUG(D_receive) debug_printf(">>Generated Received: header line\n%c %s",
1452 received_header->type, received_header->text);
1453}
1454
1455
1456
54cdb463 1457/*************************************************
059ec3d9
PH
1458* Receive message *
1459*************************************************/
1460
1461/* Receive a message on the given input, and put it into a pair of spool files.
1462Either a non-null list of recipients, or the extract flag will be true, or
1463both. The flag sender_local is true for locally generated messages. The flag
1464submission_mode is true if an ACL has obeyed "control = submission". The flag
8800895a 1465suppress_local_fixups is true if an ACL has obeyed "control =
f4ee74ac
PP
1466suppress_local_fixups" or -G was passed on the command-line.
1467The flag smtp_input is true if the message is to be
8800895a
PH
1468handled using SMTP conventions about termination and lines starting with dots.
1469For non-SMTP messages, dot_ends is true for dot-terminated messages.
059ec3d9
PH
1470
1471If a message was successfully read, message_id[0] will be non-zero.
1472
1473The general actions of this function are:
1474
1475 . Read the headers of the message (if any) into a chain of store
1476 blocks.
1477
1478 . If there is a "sender:" header and the message is locally originated,
69358f02
PH
1479 throw it away, unless the caller is trusted, or unless
1480 active_local_sender_retain is set - which can only happen if
1481 active_local_from_check is false.
059ec3d9
PH
1482
1483 . If recipients are to be extracted from the message, build the
1484 recipients list from the headers, removing any that were on the
1485 original recipients list (unless extract_addresses_remove_arguments is
1486 false), and at the same time, remove any bcc header that may be present.
1487
1488 . Get the spool file for the data, sort out its unique name, open
1489 and lock it (but don't give it the name yet).
1490
1491 . Generate a "Message-Id" header if the message doesn't have one, for
1492 locally-originated messages.
1493
1494 . Generate a "Received" header.
1495
1496 . Ensure the recipients list is fully qualified and rewritten if necessary.
1497
1498 . If there are any rewriting rules, apply them to the sender address
1499 and also to the headers.
1500
1501 . If there is no from: header, generate one, for locally-generated messages
1502 and messages in "submission mode" only.
1503
1504 . If the sender is local, check that from: is correct, and if not, generate
1505 a Sender: header, unless message comes from a trusted caller, or this
69358f02 1506 feature is disabled by active_local_from_check being false.
059ec3d9
PH
1507
1508 . If there is no "date" header, generate one, for locally-originated
1509 or submission mode messages only.
1510
1511 . Copy the rest of the input, or up to a terminating "." if in SMTP or
1512 dot_ends mode, to the data file. Leave it open, to hold the lock.
1513
1514 . Write the envelope and the headers to a new file.
1515
1516 . Set the name for the header file; close it.
1517
1518 . Set the name for the data file; close it.
1519
1520Because this function can potentially be called many times in a single
1521SMTP connection, all store should be got by store_get(), so that it will be
1522automatically retrieved after the message is accepted.
1523
1524FUDGE: It seems that sites on the net send out messages with just LF
1525terminators, despite the warnings in the RFCs, and other MTAs handle this. So
1526we make the CRs optional in all cases.
1527
1528July 2003: Bare CRs in messages, especially in header lines, cause trouble. A
1529new regime is now in place in which bare CRs in header lines are turned into LF
1530followed by a space, so as not to terminate the header line.
1531
1532February 2004: A bare LF in a header line in a message whose first line was
1533terminated by CRLF is treated in the same way as a bare CR.
1534
1535Arguments:
1536 extract_recip TRUE if recipients are to be extracted from the message's
1537 headers
1538
1539Returns: TRUE there are more messages to be read (SMTP input)
1540 FALSE there are no more messages to be read (non-SMTP input
1541 or SMTP connection collapsed, or other failure)
1542
1543When reading a message for filter testing, the returned value indicates
1544whether the headers (which is all that is read) were terminated by '.' or
1545not. */
1546
1547BOOL
1548receive_msg(BOOL extract_recip)
1549{
7156b1ef
NM
1550int i;
1551int rc = FAIL;
059ec3d9
PH
1552int msg_size = 0;
1553int process_info_len = Ustrlen(process_info);
1554int error_rc = (error_handling == ERRORS_SENDER)?
1555 errors_sender_rc : EXIT_FAILURE;
1556int header_size = 256;
1557int start, end, domain, size, sptr;
1558int id_resolution;
1559int had_zero = 0;
d677b2f2 1560int prevlines_length = 0;
059ec3d9
PH
1561
1562register int ptr = 0;
1563
1564BOOL contains_resent_headers = FALSE;
1565BOOL extracted_ignored = FALSE;
1566BOOL first_line_ended_crlf = TRUE_UNSET;
1567BOOL smtp_yield = TRUE;
1568BOOL yield = FALSE;
1569
1570BOOL resents_exist = FALSE;
1571uschar *resent_prefix = US"";
1572uschar *blackholed_by = NULL;
04f7d5b9 1573uschar *blackhole_log_msg = US"";
c5430c20 1574enum {NOT_TRIED, TMP_REJ, PERM_REJ, ACCEPTED} cutthrough_done = NOT_TRIED;
059ec3d9
PH
1575
1576flock_t lock_data;
1577error_block *bad_addresses = NULL;
1578
1579uschar *frozen_by = NULL;
1580uschar *queued_by = NULL;
1581
1582uschar *errmsg, *s;
1583struct stat statbuf;
1584
4e88a19f 1585/* Final message to give to SMTP caller, and messages from ACLs */
059ec3d9
PH
1586
1587uschar *smtp_reply = NULL;
4e88a19f 1588uschar *user_msg, *log_msg;
059ec3d9
PH
1589
1590/* Working header pointers */
1591
1592header_line *h, *next;
1593
2cbb4081 1594/* Flags for noting the existence of certain headers (only one left) */
059ec3d9
PH
1595
1596BOOL date_header_exists = FALSE;
1597
1598/* Pointers to receive the addresses of headers whose contents we need. */
1599
1600header_line *from_header = NULL;
1601header_line *subject_header = NULL;
1602header_line *msgid_header = NULL;
1603header_line *received_header;
1604
4840604e
TL
1605#ifdef EXPERIMENTAL_DMARC
1606int dmarc_up = 0;
1607#endif /* EXPERIMENTAL_DMARC */
1608
059ec3d9
PH
1609/* Variables for use when building the Received: header. */
1610
059ec3d9
PH
1611uschar *timestamp;
1612int tslen;
1613
1614/* Release any open files that might have been cached while preparing to
1615accept the message - e.g. by verifying addresses - because reading a message
1616might take a fair bit of real time. */
1617
1618search_tidyup();
1619
e4bdf652
JH
1620/* Extracting the recipient list from an input file is incompatible with
1621cutthrough delivery with the no-spool option. It shouldn't be possible
817d9f57 1622to set up the combination, but just in case kill any ongoing connection. */
e4bdf652 1623if (extract_recip || !smtp_input)
2e5b33cd 1624 cancel_cutthrough_connection("not smtp input");
e4bdf652 1625
059ec3d9
PH
1626/* Initialize the chain of headers by setting up a place-holder for Received:
1627header. Temporarily mark it as "old", i.e. not to be used. We keep header_last
1628pointing to the end of the chain to make adding headers simple. */
1629
1630received_header = header_list = header_last = store_get(sizeof(header_line));
1631header_list->next = NULL;
1632header_list->type = htype_old;
1633header_list->text = NULL;
1634header_list->slen = 0;
1635
1636/* Control block for the next header to be read. */
1637
1638next = store_get(sizeof(header_line));
1639next->text = store_get(header_size);
1640
1641/* Initialize message id to be null (indicating no message read), and the
1642header names list to be the normal list. Indicate there is no data file open
1643yet, initialize the size and warning count, and deal with no size limit. */
1644
1645message_id[0] = 0;
1646data_file = NULL;
1647data_fd = -1;
41313d92 1648spool_name = US"";
059ec3d9
PH
1649message_size = 0;
1650warning_count = 0;
d677b2f2 1651received_count = 1; /* For the one we will add */
059ec3d9
PH
1652
1653if (thismessage_size_limit <= 0) thismessage_size_limit = INT_MAX;
1654
2e0c1448 1655/* While reading the message, the following counts are computed. */
059ec3d9 1656
d677b2f2
PH
1657message_linecount = body_linecount = body_zerocount =
1658 max_received_linelength = 0;
059ec3d9 1659
80a47a2c 1660#ifndef DISABLE_DKIM
e983e85a
JH
1661/* Call into DKIM to set up the context. In CHUNKING mode
1662we clear the dot-stuffing flag */
1663if (smtp_input && !smtp_batched_input && !dkim_disable_verify)
1664 dkim_exim_verify_init(chunking_state <= CHUNKING_OFFERED);
fb2274d4
TK
1665#endif
1666
4840604e
TL
1667#ifdef EXPERIMENTAL_DMARC
1668/* initialize libopendmarc */
1669dmarc_up = dmarc_init();
1670#endif
1671
059ec3d9
PH
1672/* Remember the time of reception. Exim uses time+pid for uniqueness of message
1673ids, and fractions of a second are required. See the comments that precede the
1674message id creation below. */
1675
1676(void)gettimeofday(&message_id_tv, NULL);
1677
1678/* For other uses of the received time we can operate with granularity of one
1679second, and for that we use the global variable received_time. This is for
1680things like ultimate message timeouts. */
1681
1682received_time = message_id_tv.tv_sec;
1683
1684/* If SMTP input, set the special handler for timeouts. The alarm() calls
1685happen in the smtp_getc() function when it refills its buffer. */
1686
1687if (smtp_input) os_non_restarting_signal(SIGALRM, data_timeout_handler);
1688
1689/* If not SMTP input, timeout happens only if configured, and we just set a
1690single timeout for the whole message. */
1691
1692else if (receive_timeout > 0)
1693 {
1694 os_non_restarting_signal(SIGALRM, data_timeout_handler);
1695 alarm(receive_timeout);
1696 }
1697
1698/* SIGTERM and SIGINT are caught always. */
1699
1700signal(SIGTERM, data_sigterm_sigint_handler);
1701signal(SIGINT, data_sigterm_sigint_handler);
1702
1703/* Header lines in messages are not supposed to be very long, though when
1704unfolded, to: and cc: headers can take up a lot of store. We must also cope
1705with the possibility of junk being thrown at us. Start by getting 256 bytes for
1706storing the header, and extend this as necessary using string_cat().
1707
1708To cope with total lunacies, impose an upper limit on the length of the header
1709section of the message, as otherwise the store will fill up. We must also cope
1710with the possibility of binary zeros in the data. Hence we cannot use fgets().
1711Folded header lines are joined into one string, leaving the '\n' characters
1712inside them, so that writing them out reproduces the input.
1713
1714Loop for each character of each header; the next structure for chaining the
1715header is set up already, with ptr the offset of the next character in
1716next->text. */
1717
1718for (;;)
1719 {
bd8fbe36 1720 int ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1721
1722 /* If we hit EOF on a SMTP connection, it's an error, since incoming
1723 SMTP must have a correct "." terminator. */
1724
1725 if (ch == EOF && smtp_input /* && !smtp_batched_input */)
1726 {
1727 smtp_reply = handle_lost_connection(US" (header)");
1728 smtp_yield = FALSE;
1729 goto TIDYUP; /* Skip to end of function */
1730 }
1731
1732 /* See if we are at the current header's size limit - there must be at least
1733 four bytes left. This allows for the new character plus a zero, plus two for
1734 extra insertions when we are playing games with dots and carriage returns. If
1735 we are at the limit, extend the text buffer. This could have been done
1736 automatically using string_cat() but because this is a tightish loop storing
1737 only one character at a time, we choose to do it inline. Normally
1738 store_extend() will be able to extend the block; only at the end of a big
1739 store block will a copy be needed. To handle the case of very long headers
1740 (and sometimes lunatic messages can have ones that are 100s of K long) we
1741 call store_release() for strings that have been copied - if the string is at
1742 the start of a block (and therefore the only thing in it, because we aren't
1743 doing any other gets), the block gets freed. We can only do this because we
1744 know there are no other calls to store_get() going on. */
1745
1746 if (ptr >= header_size - 4)
1747 {
1748 int oldsize = header_size;
1749 /* header_size += 256; */
1750 header_size *= 2;
1751 if (!store_extend(next->text, oldsize, header_size))
1752 {
1753 uschar *newtext = store_get(header_size);
1754 memcpy(newtext, next->text, ptr);
1755 store_release(next->text);
1756 next->text = newtext;
1757 }
1758 }
1759
1760 /* Cope with receiving a binary zero. There is dispute about whether
1761 these should be allowed in RFC 822 messages. The middle view is that they
1762 should not be allowed in headers, at least. Exim takes this attitude at
1763 the moment. We can't just stomp on them here, because we don't know that
1764 this line is a header yet. Set a flag to cause scanning later. */
1765
1766 if (ch == 0) had_zero++;
1767
1768 /* Test for termination. Lines in remote SMTP are terminated by CRLF, while
1769 those from data files use just LF. Treat LF in local SMTP input as a
1770 terminator too. Treat EOF as a line terminator always. */
1771
1772 if (ch == EOF) goto EOL;
1773
1774 /* FUDGE: There are sites out there that don't send CRs before their LFs, and
1775 other MTAs accept this. We are therefore forced into this "liberalisation"
1776 too, so we accept LF as a line terminator whatever the source of the message.
1777 However, if the first line of the message ended with a CRLF, we treat a bare
1778 LF specially by inserting a white space after it to ensure that the header
1779 line is not terminated. */
1780
1781 if (ch == '\n')
1782 {
1783 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE;
80a47a2c 1784 else if (first_line_ended_crlf) receive_ungetc(' ');
059ec3d9
PH
1785 goto EOL;
1786 }
1787
1788 /* This is not the end of the line. If this is SMTP input and this is
1789 the first character in the line and it is a "." character, ignore it.
1790 This implements the dot-doubling rule, though header lines starting with
1791 dots aren't exactly common. They are legal in RFC 822, though. If the
1792 following is CRLF or LF, this is the line that terminates the
1793 entire message. We set message_ended to indicate this has happened (to
1794 prevent further reading), and break out of the loop, having freed the
1795 empty header, and set next = NULL to indicate no data line. */
1796
1797 if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
1798 {
bd8fbe36 1799 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1800 if (ch == '\r')
1801 {
bd8fbe36 1802 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1803 if (ch != '\n')
1804 {
80a47a2c 1805 receive_ungetc(ch);
059ec3d9
PH
1806 ch = '\r'; /* Revert to CR */
1807 }
1808 }
1809 if (ch == '\n')
1810 {
1811 message_ended = END_DOT;
1812 store_reset(next);
1813 next = NULL;
1814 break; /* End character-reading loop */
1815 }
1816
1817 /* For non-SMTP input, the dot at the start of the line was really a data
1818 character. What is now in ch is the following character. We guaranteed
1819 enough space for this above. */
1820
1821 if (!smtp_input)
1822 {
1823 next->text[ptr++] = '.';
1824 message_size++;
1825 }
1826 }
1827
1828 /* If CR is immediately followed by LF, end the line, ignoring the CR, and
1829 remember this case if this is the first line ending. */
1830
1831 if (ch == '\r')
1832 {
bd8fbe36 1833 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1834 if (ch == '\n')
1835 {
1836 if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
1837 goto EOL;
1838 }
1839
1840 /* Otherwise, put back the character after CR, and turn the bare CR
1841 into LF SP. */
1842
80a47a2c 1843 ch = (receive_ungetc)(ch);
059ec3d9
PH
1844 next->text[ptr++] = '\n';
1845 message_size++;
1846 ch = ' ';
1847 }
1848
1849 /* We have a data character for the header line. */
1850
1851 next->text[ptr++] = ch; /* Add to buffer */
1852 message_size++; /* Total message size so far */
1853
1854 /* Handle failure due to a humungously long header section. The >= allows
1855 for the terminating \n. Add what we have so far onto the headers list so
1856 that it gets reflected in any error message, and back up the just-read
1857 character. */
1858
1859 if (message_size >= header_maxsize)
1860 {
1861 next->text[ptr] = 0;
1862 next->slen = ptr;
1863 next->type = htype_other;
1864 next->next = NULL;
1865 header_last->next = next;
1866 header_last = next;
1867
1868 log_write(0, LOG_MAIN, "ridiculously long message header received from "
1869 "%s (more than %d characters): message abandoned",
1870 sender_host_unknown? sender_ident : sender_fullhost, header_maxsize);
1871
1872 if (smtp_input)
1873 {
1874 smtp_reply = US"552 Message header is ridiculously long";
1875 receive_swallow_smtp();
1876 goto TIDYUP; /* Skip to end of function */
1877 }
1878
1879 else
1880 {
1881 give_local_error(ERRMESS_VLONGHEADER,
1882 string_sprintf("message header longer than %d characters received: "
1883 "message not accepted", header_maxsize), US"", error_rc, stdin,
1884 header_list->next);
1885 /* Does not return */
1886 }
1887 }
1888
1889 continue; /* With next input character */
1890
1891 /* End of header line reached */
1892
1893 EOL:
2e0c1448
PH
1894
1895 /* Keep track of lines for BSMTP errors and overall message_linecount. */
1896
1897 receive_linecount++;
1898 message_linecount++;
059ec3d9 1899
d677b2f2
PH
1900 /* Keep track of maximum line length */
1901
1902 if (ptr - prevlines_length > max_received_linelength)
1903 max_received_linelength = ptr - prevlines_length;
1904 prevlines_length = ptr + 1;
1905
059ec3d9
PH
1906 /* Now put in the terminating newline. There is always space for
1907 at least two more characters. */
1908
1909 next->text[ptr++] = '\n';
1910 message_size++;
1911
1912 /* A blank line signals the end of the headers; release the unwanted
1913 space and set next to NULL to indicate this. */
1914
1915 if (ptr == 1)
1916 {
1917 store_reset(next);
1918 next = NULL;
1919 break;
1920 }
1921
1922 /* There is data in the line; see if the next input character is a
1923 whitespace character. If it is, we have a continuation of this header line.
1924 There is always space for at least one character at this point. */
1925
1926 if (ch != EOF)
1927 {
bd8fbe36 1928 int nextch = (receive_getc)(GETC_BUFFER_UNLIMITED);
059ec3d9
PH
1929 if (nextch == ' ' || nextch == '\t')
1930 {
1931 next->text[ptr++] = nextch;
1932 message_size++;
1933 continue; /* Iterate the loop */
1934 }
80a47a2c 1935 else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */
059ec3d9
PH
1936 else ch = EOF; /* Cause main loop to exit at end */
1937 }
1938
1939 /* We have got to the real line end. Terminate the string and release store
1940 beyond it. If it turns out to be a real header, internal binary zeros will
1941 be squashed later. */
1942
1943 next->text[ptr] = 0;
1944 next->slen = ptr;
1945 store_reset(next->text + ptr + 1);
1946
1947 /* Check the running total size against the overall message size limit. We
1948 don't expect to fail here, but if the overall limit is set less than MESSAGE_
1949 MAXSIZE and a big header is sent, we want to catch it. Just stop reading
1950 headers - the code to read the body will then also hit the buffer. */
1951
1952 if (message_size > thismessage_size_limit) break;
1953
1954 /* A line that is not syntactically correct for a header also marks
1955 the end of the headers. In this case, we leave next containing the
1956 first data line. This might actually be several lines because of the
1957 continuation logic applied above, but that doesn't matter.
1958
1959 It turns out that smail, and presumably sendmail, accept leading lines
1960 of the form
1961
1962 From ph10 Fri Jan 5 12:35 GMT 1996
1963
1964 in messages. The "mail" command on Solaris 2 sends such lines. I cannot
1965 find any documentation of this, but for compatibility it had better be
1966 accepted. Exim restricts it to the case of non-smtp messages, and
1967 treats it as an alternative to the -f command line option. Thus it is
1968 ignored except for trusted users or filter testing. Otherwise it is taken
1969 as the sender address, unless -f was used (sendmail compatibility).
1970
1971 It further turns out that some UUCPs generate the From_line in a different
1972 format, e.g.
1973
1974 From ph10 Fri, 7 Jan 97 14:00:00 GMT
1975
1976 The regex for matching these things is now capable of recognizing both
1977 formats (including 2- and 4-digit years in the latter). In fact, the regex
1978 is now configurable, as is the expansion string to fish out the sender.
1979
1980 Even further on it has been discovered that some broken clients send
1981 these lines in SMTP messages. There is now an option to ignore them from
1982 specified hosts or networks. Sigh. */
1983
1984 if (header_last == header_list &&
1985 (!smtp_input
1986 ||
1987 (sender_host_address != NULL &&
1988 verify_check_host(&ignore_fromline_hosts) == OK)
1989 ||
1990 (sender_host_address == NULL && ignore_fromline_local)
1991 ) &&
1992 regex_match_and_setup(regex_From, next->text, 0, -1))
1993 {
1994 if (!sender_address_forced)
1995 {
1996 uschar *uucp_sender = expand_string(uucp_from_sender);
1997 if (uucp_sender == NULL)
1998 {
1999 log_write(0, LOG_MAIN|LOG_PANIC,
2000 "expansion of \"%s\" failed after matching "
2001 "\"From \" line: %s", uucp_from_sender, expand_string_message);
2002 }
2003 else
2004 {
2005 int start, end, domain;
2006 uschar *errmess;
2007 uschar *newsender = parse_extract_address(uucp_sender, &errmess,
2008 &start, &end, &domain, TRUE);
2009 if (newsender != NULL)
2010 {
2011 if (domain == 0 && newsender[0] != 0)
2012 newsender = rewrite_address_qualify(newsender, FALSE);
2013
f05da2e8 2014 if (filter_test != FTEST_NONE || receive_check_set_sender(newsender))
059ec3d9
PH
2015 {
2016 sender_address = newsender;
2017
f05da2e8 2018 if (trusted_caller || filter_test != FTEST_NONE)
059ec3d9
PH
2019 {
2020 authenticated_sender = NULL;
2021 originator_name = US"";
2022 sender_local = FALSE;
2023 }
2024
f05da2e8 2025 if (filter_test != FTEST_NONE)
059ec3d9
PH
2026 printf("Sender taken from \"From \" line\n");
2027 }
2028 }
2029 }
2030 }
2031 }
2032
2033 /* Not a leading "From " line. Check to see if it is a valid header line.
2034 Header names may contain any non-control characters except space and colon,
2035 amazingly. */
2036
2037 else
2038 {
2039 uschar *p = next->text;
2040
2041 /* If not a valid header line, break from the header reading loop, leaving
2042 next != NULL, indicating that it holds the first line of the body. */
2043
2044 if (isspace(*p)) break;
2045 while (mac_isgraph(*p) && *p != ':') p++;
2046 while (isspace(*p)) p++;
2047 if (*p != ':')
2048 {
2049 body_zerocount = had_zero;
2050 break;
2051 }
2052
2053 /* We have a valid header line. If there were any binary zeroes in
2054 the line, stomp on them here. */
2055
2056 if (had_zero > 0)
2057 for (p = next->text; p < next->text + ptr; p++) if (*p == 0) *p = '?';
2058
2059 /* It is perfectly legal to have an empty continuation line
2060 at the end of a header, but it is confusing to humans
2061 looking at such messages, since it looks like a blank line.
2062 Reduce confusion by removing redundant white space at the
2063 end. We know that there is at least one printing character
2064 (the ':' tested for above) so there is no danger of running
2065 off the end. */
2066
2067 p = next->text + ptr - 2;
2068 for (;;)
2069 {
2070 while (*p == ' ' || *p == '\t') p--;
2071 if (*p != '\n') break;
2072 ptr = (p--) - next->text + 1;
2073 message_size -= next->slen - ptr;
2074 next->text[ptr] = 0;
2075 next->slen = ptr;
2076 }
2077
2078 /* Add the header to the chain */
2079
2080 next->type = htype_other;
2081 next->next = NULL;
2082 header_last->next = next;
2083 header_last = next;
2084
2085 /* Check the limit for individual line lengths. This comes after adding to
2086 the chain so that the failing line is reflected if a bounce is generated
2087 (for a local message). */
2088
2089 if (header_line_maxsize > 0 && next->slen > header_line_maxsize)
2090 {
2091 log_write(0, LOG_MAIN, "overlong message header line received from "
2092 "%s (more than %d characters): message abandoned",
2093 sender_host_unknown? sender_ident : sender_fullhost,
2094 header_line_maxsize);
2095
2096 if (smtp_input)
2097 {
2098 smtp_reply = US"552 A message header line is too long";
2099 receive_swallow_smtp();
2100 goto TIDYUP; /* Skip to end of function */
2101 }
2102
2103 else
2104 {
2105 give_local_error(ERRMESS_VLONGHDRLINE,
2106 string_sprintf("message header line longer than %d characters "
2107 "received: message not accepted", header_line_maxsize), US"",
2108 error_rc, stdin, header_list->next);
2109 /* Does not return */
2110 }
2111 }
2112
2113 /* Note if any resent- fields exist. */
2114
2115 if (!resents_exist && strncmpic(next->text, US"resent-", 7) == 0)
2116 {
2117 resents_exist = TRUE;
2118 resent_prefix = US"Resent-";
2119 }
2120 }
2121
1ebe15c3
JH
2122 /* Reject CHUNKING messages that do not CRLF their first header line */
2123
2124 if (!first_line_ended_crlf && chunking_state > CHUNKING_OFFERED)
2125 {
2126 log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
2127 "Non-CRLF-terminated header, under CHUNKING: message abandoned",
2128 sender_address,
2129 sender_fullhost ? " H=" : "", sender_fullhost ? sender_fullhost : US"",
2130 sender_ident ? " U=" : "", sender_ident ? sender_ident : US"");
2131 smtp_printf("552 Message header not CRLF terminated\r\n");
2132 bdat_flush_data();
2133 smtp_reply = US"";
2134 goto TIDYUP; /* Skip to end of function */
2135 }
2136
059ec3d9
PH
2137 /* The line has been handled. If we have hit EOF, break out of the loop,
2138 indicating no pending data line. */
2139
2140 if (ch == EOF) { next = NULL; break; }
2141
2142 /* Set up for the next header */
2143
2144 header_size = 256;
2145 next = store_get(sizeof(header_line));
2146 next->text = store_get(header_size);
2147 ptr = 0;
2148 had_zero = 0;
d677b2f2 2149 prevlines_length = 0;
059ec3d9
PH
2150 } /* Continue, starting to read the next header */
2151
2152/* At this point, we have read all the headers into a data structure in main
2153store. The first header is still the dummy placeholder for the Received: header
2154we are going to generate a bit later on. If next != NULL, it contains the first
2155data line - which terminated the headers before reaching a blank line (not the
2156normal case). */
2157
2158DEBUG(D_receive)
2159 {
2160 debug_printf(">>Headers received:\n");
1ebe15c3 2161 for (h = header_list->next; h; h = h->next)
059ec3d9
PH
2162 debug_printf("%s", h->text);
2163 debug_printf("\n");
2164 }
2165
2166/* End of file on any SMTP connection is an error. If an incoming SMTP call
2167is dropped immediately after valid headers, the next thing we will see is EOF.
2168We must test for this specially, as further down the reading of the data is
2169skipped if already at EOF. */
2170
2171if (smtp_input && (receive_feof)())
2172 {
2173 smtp_reply = handle_lost_connection(US" (after header)");
2174 smtp_yield = FALSE;
2175 goto TIDYUP; /* Skip to end of function */
2176 }
2177
2178/* If this is a filter test run and no headers were read, output a warning
2179in case there is a mistake in the test message. */
2180
f05da2e8 2181if (filter_test != FTEST_NONE && header_list->next == NULL)
059ec3d9
PH
2182 printf("Warning: no message headers read\n");
2183
2184
2185/* Scan the headers to identify them. Some are merely marked for later
2186processing; some are dealt with here. */
2187
1ebe15c3 2188for (h = header_list->next; h; h = h->next)
059ec3d9
PH
2189 {
2190 BOOL is_resent = strncmpic(h->text, US"resent-", 7) == 0;
2191 if (is_resent) contains_resent_headers = TRUE;
2192
2193 switch (header_checkname(h, is_resent))
2194 {
059ec3d9 2195 case htype_bcc:
2cbb4081 2196 h->type = htype_bcc; /* Both Bcc: and Resent-Bcc: */
059ec3d9
PH
2197 break;
2198
059ec3d9 2199 case htype_cc:
2cbb4081 2200 h->type = htype_cc; /* Both Cc: and Resent-Cc: */
059ec3d9
PH
2201 break;
2202
2203 /* Record whether a Date: or Resent-Date: header exists, as appropriate. */
2204
2205 case htype_date:
4c69d561 2206 if (!resents_exist || is_resent) date_header_exists = TRUE;
059ec3d9
PH
2207 break;
2208
2209 /* Same comments as about Return-Path: below. */
2210
2211 case htype_delivery_date:
2212 if (delivery_date_remove) h->type = htype_old;
2213 break;
2214
2215 /* Same comments as about Return-Path: below. */
2216
2217 case htype_envelope_to:
2218 if (envelope_to_remove) h->type = htype_old;
2219 break;
2220
2221 /* Mark all "From:" headers so they get rewritten. Save the one that is to
2222 be used for Sender: checking. For Sendmail compatibility, if the "From:"
2223 header consists of just the login id of the user who called Exim, rewrite
2224 it with the gecos field first. Apply this rule to Resent-From: if there
2225 are resent- fields. */
2226
2227 case htype_from:
2228 h->type = htype_from;
2229 if (!resents_exist || is_resent)
2230 {
2231 from_header = h;
2232 if (!smtp_input)
2233 {
5de8faa3 2234 int len;
059ec3d9
PH
2235 uschar *s = Ustrchr(h->text, ':') + 1;
2236 while (isspace(*s)) s++;
5de8faa3 2237 len = h->slen - (s - h->text) - 1;
e0fccd1d
TF
2238 if (Ustrlen(originator_login) == len &&
2239 strncmpic(s, originator_login, len) == 0)
059ec3d9
PH
2240 {
2241 uschar *name = is_resent? US"Resent-From" : US"From";
2242 header_add(htype_from, "%s: %s <%s@%s>\n", name, originator_name,
2243 originator_login, qualify_domain_sender);
2244 from_header = header_last;
2245 h->type = htype_old;
2246 DEBUG(D_receive|D_rewrite)
2247 debug_printf("rewrote \"%s:\" header using gecos\n", name);
2248 }
2249 }
2250 }
2251 break;
2252
2253 /* Identify the Message-id: header for generating "in-reply-to" in the
2254 autoreply transport. For incoming logging, save any resent- value. In both
2255 cases, take just the first of any multiples. */
2256
2257 case htype_id:
2258 if (msgid_header == NULL && (!resents_exist || is_resent))
2259 {
2260 msgid_header = h;
2261 h->type = htype_id;
2262 }
2263 break;
2264
2265 /* Flag all Received: headers */
2266
2267 case htype_received:
2268 h->type = htype_received;
2269 received_count++;
2270 break;
2271
2272 /* "Reply-to:" is just noted (there is no resent-reply-to field) */
2273
2274 case htype_reply_to:
2275 h->type = htype_reply_to;
2276 break;
2277
2278 /* The Return-path: header is supposed to be added to messages when
2279 they leave the SMTP system. We shouldn't receive messages that already
2280 contain Return-path. However, since Exim generates Return-path: on
2281 local delivery, resent messages may well contain it. We therefore
2282 provide an option (which defaults on) to remove any Return-path: headers
2283 on input. Removal actually means flagging as "old", which prevents the
2284 header being transmitted with the message. */
2285
2286 case htype_return_path:
2287 if (return_path_remove) h->type = htype_old;
2288
2289 /* If we are testing a mail filter file, use the value of the
2290 Return-Path: header to set up the return_path variable, which is not
2291 otherwise set. However, remove any <> that surround the address
2292 because the variable doesn't have these. */
2293
f05da2e8 2294 if (filter_test != FTEST_NONE)
059ec3d9
PH
2295 {
2296 uschar *start = h->text + 12;
2297 uschar *end = start + Ustrlen(start);
2298 while (isspace(*start)) start++;
2299 while (end > start && isspace(end[-1])) end--;
2300 if (*start == '<' && end[-1] == '>')
2301 {
2302 start++;
2303 end--;
2304 }
2305 return_path = string_copyn(start, end - start);
2306 printf("Return-path taken from \"Return-path:\" header line\n");
2307 }
2308 break;
2309
2310 /* If there is a "Sender:" header and the message is locally originated,
8800895a
PH
2311 and from an untrusted caller and suppress_local_fixups is not set, or if we
2312 are in submission mode for a remote message, mark it "old" so that it will
2313 not be transmitted with the message, unless active_local_sender_retain is
2314 set. (This can only be true if active_local_from_check is false.) If there
2315 are any resent- headers in the message, apply this rule to Resent-Sender:
2316 instead of Sender:. Messages with multiple resent- header sets cannot be
2317 tidily handled. (For this reason, at least one MUA - Pine - turns old
2318 resent- headers into X-resent- headers when resending, leaving just one
2319 set.) */
059ec3d9
PH
2320
2321 case htype_sender:
69358f02 2322 h->type = ((!active_local_sender_retain &&
8800895a
PH
2323 (
2324 (sender_local && !trusted_caller && !suppress_local_fixups)
2325 || submission_mode
2326 )
059ec3d9
PH
2327 ) &&
2328 (!resents_exist||is_resent))?
2329 htype_old : htype_sender;
2330 break;
2331
2332 /* Remember the Subject: header for logging. There is no Resent-Subject */
2333
2334 case htype_subject:
2335 subject_header = h;
2336 break;
2337
2338 /* "To:" gets flagged, and the existence of a recipient header is noted,
2339 whether it's resent- or not. */
2340
2341 case htype_to:
2342 h->type = htype_to;
2343 /****
2344 to_or_cc_header_exists = TRUE;
2345 ****/
2346 break;
2347 }
2348 }
2349
2350/* Extract recipients from the headers if that is required (the -t option).
2351Note that this is documented as being done *before* any address rewriting takes
2352place. There are two possibilities:
2353
2354(1) According to sendmail documentation for Solaris, IRIX, and HP-UX, any
2355recipients already listed are to be REMOVED from the message. Smail 3 works
2356like this. We need to build a non-recipients tree for that list, because in
2357subsequent processing this data is held in a tree and that's what the
2358spool_write_header() function expects. Make sure that non-recipient addresses
2359are fully qualified and rewritten if necessary.
2360
2361(2) According to other sendmail documentation, -t ADDS extracted recipients to
2362those in the command line arguments (and it is rumoured some other MTAs do
2363this). Therefore, there is an option to make Exim behave this way.
2364
2365*** Notes on "Resent-" header lines ***
2366
2367The presence of resent-headers in the message makes -t horribly ambiguous.
2368Experiments with sendmail showed that it uses recipients for all resent-
2369headers, totally ignoring the concept of "sets of resent- headers" as described
2370in RFC 2822 section 3.6.6. Sendmail also amalgamates them into a single set
2371with all the addresses in one instance of each header.
2372
2373This seems to me not to be at all sensible. Before release 4.20, Exim 4 gave an
2374error for -t if there were resent- headers in the message. However, after a
2375discussion on the mailing list, I've learned that there are MUAs that use
2376resent- headers with -t, and also that the stuff about sets of resent- headers
2377and their ordering in RFC 2822 is generally ignored. An MUA that submits a
2378message with -t and resent- header lines makes sure that only *its* resent-
2379headers are present; previous ones are often renamed as X-resent- for example.
2380
2381Consequently, Exim has been changed so that, if any resent- header lines are
2382present, the recipients are taken from all of the appropriate resent- lines,
2383and not from the ordinary To:, Cc:, etc. */
2384
2385if (extract_recip)
2386 {
2387 int rcount = 0;
2388 error_block **bnext = &bad_addresses;
2389
2390 if (extract_addresses_remove_arguments)
2391 {
2392 while (recipients_count-- > 0)
2393 {
2394 uschar *s = rewrite_address(recipients_list[recipients_count].address,
2395 TRUE, TRUE, global_rewrite_rules, rewrite_existflags);
2396 tree_add_nonrecipient(s);
2397 }
2398 recipients_list = NULL;
2399 recipients_count = recipients_list_max = 0;
2400 }
2401
059ec3d9
PH
2402 /* Now scan the headers */
2403
1ebe15c3 2404 for (h = header_list->next; h; h = h->next)
059ec3d9
PH
2405 {
2406 if ((h->type == htype_to || h->type == htype_cc || h->type == htype_bcc) &&
2407 (!contains_resent_headers || strncmpic(h->text, US"resent-", 7) == 0))
2408 {
2409 uschar *s = Ustrchr(h->text, ':') + 1;
2410 while (isspace(*s)) s++;
2411
1eccaa59
PH
2412 parse_allow_group = TRUE; /* Allow address group syntax */
2413
059ec3d9
PH
2414 while (*s != 0)
2415 {
2416 uschar *ss = parse_find_address_end(s, FALSE);
2417 uschar *recipient, *errmess, *p, *pp;
2418 int start, end, domain;
2419
2420 /* Check on maximum */
2421
2422 if (recipients_max > 0 && ++rcount > recipients_max)
2423 {
2424 give_local_error(ERRMESS_TOOMANYRECIP, US"too many recipients",
2425 US"message rejected: ", error_rc, stdin, NULL);
2426 /* Does not return */
2427 }
2428
2429 /* Make a copy of the address, and remove any internal newlines. These
2430 may be present as a result of continuations of the header line. The
2431 white space that follows the newline must not be removed - it is part
2432 of the header. */
2433
2434 pp = recipient = store_get(ss - s + 1);
2435 for (p = s; p < ss; p++) if (*p != '\n') *pp++ = *p;
2436 *pp = 0;
250b6871 2437
8c5d388a 2438#ifdef SUPPORT_I18N
250b6871
JH
2439 {
2440 BOOL b = allow_utf8_domains;
2441 allow_utf8_domains = TRUE;
2442#endif
059ec3d9
PH
2443 recipient = parse_extract_address(recipient, &errmess, &start, &end,
2444 &domain, FALSE);
2445
8c5d388a 2446#ifdef SUPPORT_I18N
250b6871
JH
2447 if (string_is_utf8(recipient))
2448 message_smtputf8 = TRUE;
2449 else
2450 allow_utf8_domains = b;
2451 }
2452#endif
2453
059ec3d9
PH
2454 /* Keep a list of all the bad addresses so we can send a single
2455 error message at the end. However, an empty address is not an error;
2456 just ignore it. This can come from an empty group list like
2457
2458 To: Recipients of list:;
2459
2460 If there are no recipients at all, an error will occur later. */
2461
2462 if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
2463 {
2464 int len = Ustrlen(s);
2465 error_block *b = store_get(sizeof(error_block));
2466 while (len > 0 && isspace(s[len-1])) len--;
2467 b->next = NULL;
2468 b->text1 = string_printing(string_copyn(s, len));
2469 b->text2 = errmess;
2470 *bnext = b;
2471 bnext = &(b->next);
2472 }
2473
2474 /* If the recipient is already in the nonrecipients tree, it must
2475 have appeared on the command line with the option extract_addresses_
2476 remove_arguments set. Do not add it to the recipients, and keep a note
2477 that this has happened, in order to give a better error if there are
2478 no recipients left. */
2479
2480 else if (recipient != NULL)
2481 {
2482 if (tree_search(tree_nonrecipients, recipient) == NULL)
2483 receive_add_recipient(recipient, -1);
2484 else
2485 extracted_ignored = TRUE;
2486 }
2487
2488 /* Move on past this address */
2489
2490 s = ss + (*ss? 1:0);
2491 while (isspace(*s)) s++;
1eccaa59
PH
2492 } /* Next address */
2493
2494 parse_allow_group = FALSE; /* Reset group syntax flags */
2495 parse_found_group = FALSE;
059ec3d9
PH
2496
2497 /* If this was the bcc: header, mark it "old", which means it
2498 will be kept on the spool, but not transmitted as part of the
2499 message. */
2500
2cbb4081 2501 if (h->type == htype_bcc) h->type = htype_old;
059ec3d9
PH
2502 } /* For appropriate header line */
2503 } /* For each header line */
2504
059ec3d9
PH
2505 }
2506
2507/* Now build the unique message id. This has changed several times over the
2508lifetime of Exim. This description was rewritten for Exim 4.14 (February 2003).
2509Retaining all the history in the comment has become too unwieldy - read
2510previous release sources if you want it.
2511
2512The message ID has 3 parts: tttttt-pppppp-ss. Each part is a number in base 62.
2513The first part is the current time, in seconds. The second part is the current
2514pid. Both are large enough to hold 32-bit numbers in base 62. The third part
2515can hold a number in the range 0-3843. It used to be a computed sequence
2516number, but is now the fractional component of the current time in units of
25171/2000 of a second (i.e. a value in the range 0-1999). After a message has been
2518received, Exim ensures that the timer has ticked at the appropriate level
2519before proceeding, to avoid duplication if the pid happened to be re-used
2520within the same time period. It seems likely that most messages will take at
2521least half a millisecond to be received, so no delay will normally be
2522necessary. At least for some time...
2523
2524There is a modification when localhost_number is set. Formerly this was allowed
2525to be as large as 255. Now it is restricted to the range 0-16, and the final
2526component of the message id becomes (localhost_number * 200) + fractional time
2527in units of 1/200 of a second (i.e. a value in the range 0-3399).
2528
2529Some not-really-Unix operating systems use case-insensitive file names (Darwin,
2530Cygwin). For these, we have to use base 36 instead of base 62. Luckily, this
2531still allows the tttttt field to hold a large enough number to last for some
2532more decades, and the final two-digit field can hold numbers up to 1295, which
2533is enough for milliseconds (instead of 1/2000 of a second).
2534
2535However, the pppppp field cannot hold a 32-bit pid, but it can hold a 31-bit
2536pid, so it is probably safe because pids have to be positive. The
2537localhost_number is restricted to 0-10 for these hosts, and when it is set, the
2538final field becomes (localhost_number * 100) + fractional time in centiseconds.
2539
2540Note that string_base62() returns its data in a static storage block, so it
2541must be copied before calling string_base62() again. It always returns exactly
25426 characters.
2543
2544There doesn't seem to be anything in the RFC which requires a message id to
2545start with a letter, but Smail was changed to ensure this. The external form of
2546the message id (as supplied by string expansion) therefore starts with an
2547additional leading 'E'. The spool file names do not include this leading
2548letter and it is not used internally.
2549
2550NOTE: If ever the format of message ids is changed, the regular expression for
2551checking that a string is in this format must be updated in a corresponding
2552way. It appears in the initializing code in exim.c. The macro MESSAGE_ID_LENGTH
2553must also be changed to reflect the correct string length. Then, of course,
2554other programs that rely on the message id format will need updating too. */
2555
2556Ustrncpy(message_id, string_base62((long int)(message_id_tv.tv_sec)), 6);
2557message_id[6] = '-';
2558Ustrncpy(message_id + 7, string_base62((long int)getpid()), 6);
2559
2560/* Deal with the case where the host number is set. The value of the number was
2561checked when it was read, to ensure it isn't too big. The timing granularity is
2562left in id_resolution so that an appropriate wait can be done after receiving
2563the message, if necessary (we hope it won't be). */
2564
2565if (host_number_string != NULL)
2566 {
2567 id_resolution = (BASE_62 == 62)? 5000 : 10000;
2568 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2569 string_base62((long int)(
2570 host_number * (1000000/id_resolution) +
2571 message_id_tv.tv_usec/id_resolution)) + 4);
2572 }
2573
2574/* Host number not set: final field is just the fractional time at an
2575appropriate resolution. */
2576
2577else
2578 {
2579 id_resolution = (BASE_62 == 62)? 500 : 1000;
2580 sprintf(CS(message_id + MESSAGE_ID_LENGTH - 3), "-%2s",
2581 string_base62((long int)(message_id_tv.tv_usec/id_resolution)) + 4);
2582 }
2583
2584/* Add the current message id onto the current process info string if
2585it will fit. */
2586
2587(void)string_format(process_info + process_info_len,
2588 PROCESS_INFO_SIZE - process_info_len, " id=%s", message_id);
2589
2590/* If we are using multiple input directories, set up the one for this message
2591to be the least significant base-62 digit of the time of arrival. Otherwise
2592ensure that it is an empty string. */
2593
a2da3176 2594message_subdir[0] = split_spool_directory ? message_id[5] : 0;
059ec3d9
PH
2595
2596/* Now that we have the message-id, if there is no message-id: header, generate
8800895a
PH
2597one, but only for local (without suppress_local_fixups) or submission mode
2598messages. This can be user-configured if required, but we had better flatten
2599any illegal characters therein. */
059ec3d9 2600
8800895a
PH
2601if (msgid_header == NULL &&
2602 ((sender_host_address == NULL && !suppress_local_fixups)
2603 || submission_mode))
059ec3d9
PH
2604 {
2605 uschar *p;
2606 uschar *id_text = US"";
2607 uschar *id_domain = primary_hostname;
2608
2609 /* Permit only letters, digits, dots, and hyphens in the domain */
2610
2611 if (message_id_domain != NULL)
2612 {
2613 uschar *new_id_domain = expand_string(message_id_domain);
2614 if (new_id_domain == NULL)
2615 {
2616 if (!expand_string_forcedfail)
2617 log_write(0, LOG_MAIN|LOG_PANIC,
2618 "expansion of \"%s\" (message_id_header_domain) "
2619 "failed: %s", message_id_domain, expand_string_message);
2620 }
2621 else if (*new_id_domain != 0)
2622 {
2623 id_domain = new_id_domain;
2624 for (p = id_domain; *p != 0; p++)
2625 if (!isalnum(*p) && *p != '.') *p = '-'; /* No need to test '-' ! */
2626 }
2627 }
2628
2629 /* Permit all characters except controls and RFC 2822 specials in the
2630 additional text part. */
2631
2632 if (message_id_text != NULL)
2633 {
2634 uschar *new_id_text = expand_string(message_id_text);
2635 if (new_id_text == NULL)
2636 {
2637 if (!expand_string_forcedfail)
2638 log_write(0, LOG_MAIN|LOG_PANIC,
2639 "expansion of \"%s\" (message_id_header_text) "
2640 "failed: %s", message_id_text, expand_string_message);
2641 }
2642 else if (*new_id_text != 0)
2643 {
2644 id_text = new_id_text;
2645 for (p = id_text; *p != 0; p++)
2646 if (mac_iscntrl_or_special(*p)) *p = '-';
2647 }
2648 }
2649
e7e680d6
PP
2650 /* Add the header line
2651 * Resent-* headers are prepended, per RFC 5322 3.6.6. Non-Resent-* are
2652 * appended, to preserve classical expectations of header ordering. */
059ec3d9 2653
e7e680d6 2654 header_add_at_position(!resents_exist, NULL, FALSE, htype_id,
5eb690a1
NM
2655 "%sMessage-Id: <%s%s%s@%s>\n", resent_prefix, message_id_external,
2656 (*id_text == 0)? "" : ".", id_text, id_domain);
059ec3d9
PH
2657 }
2658
2659/* If we are to log recipients, keep a copy of the raw ones before any possible
2660rewriting. Must copy the count, because later ACLs and the local_scan()
2661function may mess with the real recipients. */
2662
6c6d6e48 2663if (LOGGING(received_recipients))
059ec3d9
PH
2664 {
2665 raw_recipients = store_get(recipients_count * sizeof(uschar *));
2666 for (i = 0; i < recipients_count; i++)
2667 raw_recipients[i] = string_copy(recipients_list[i].address);
2668 raw_recipients_count = recipients_count;
2669 }
2670
2671/* Ensure the recipients list is fully qualified and rewritten. Unqualified
2672recipients will get here only if the conditions were right (allow_unqualified_
2673recipient is TRUE). */
2674
2675for (i = 0; i < recipients_count; i++)
2676 recipients_list[i].address =
2677 rewrite_address(recipients_list[i].address, TRUE, TRUE,
2678 global_rewrite_rules, rewrite_existflags);
2679
8800895a
PH
2680/* If there is no From: header, generate one for local (without
2681suppress_local_fixups) or submission_mode messages. If there is no sender
2682address, but the sender is local or this is a local delivery error, use the
2683originator login. This shouldn't happen for genuine bounces, but might happen
2684for autoreplies. The addition of From: must be done *before* checking for the
2685possible addition of a Sender: header, because untrusted_set_sender allows an
2686untrusted user to set anything in the envelope (which might then get into
2687From:) but we still want to ensure a valid Sender: if it is required. */
2688
2689if (from_header == NULL &&
2690 ((sender_host_address == NULL && !suppress_local_fixups)
2691 || submission_mode))
059ec3d9 2692 {
2fe1a124
PH
2693 uschar *oname = US"";
2694
2695 /* Use the originator_name if this is a locally submitted message and the
2696 caller is not trusted. For trusted callers, use it only if -F was used to
2697 force its value or if we have a non-SMTP message for which -f was not used
2698 to set the sender. */
2699
2700 if (sender_host_address == NULL)
2701 {
2702 if (!trusted_caller || sender_name_forced ||
2703 (!smtp_input && !sender_address_forced))
2704 oname = originator_name;
2705 }
2706
2707 /* For non-locally submitted messages, the only time we use the originator
2708 name is when it was forced by the /name= option on control=submission. */
2709
2710 else
2711 {
2712 if (submission_name != NULL) oname = submission_name;
2713 }
2714
059ec3d9
PH
2715 /* Envelope sender is empty */
2716
2717 if (sender_address[0] == 0)
2718 {
87ba3f5f
PH
2719 uschar *fromstart, *fromend;
2720
2721 fromstart = string_sprintf("%sFrom: %s%s", resent_prefix,
2fe1a124
PH
2722 oname, (oname[0] == 0)? "" : " <");
2723 fromend = (oname[0] == 0)? US"" : US">";
87ba3f5f 2724
059ec3d9
PH
2725 if (sender_local || local_error_message)
2726 {
87ba3f5f
PH
2727 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2728 local_part_quote(originator_login), qualify_domain_sender,
2729 fromend);
059ec3d9
PH
2730 }
2731 else if (submission_mode && authenticated_id != NULL)
2732 {
2733 if (submission_domain == NULL)
2734 {
87ba3f5f
PH
2735 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2736 local_part_quote(authenticated_id), qualify_domain_sender,
2737 fromend);
059ec3d9
PH
2738 }
2739 else if (submission_domain[0] == 0) /* empty => whole address set */
2740 {
87ba3f5f
PH
2741 header_add(htype_from, "%s%s%s\n", fromstart, authenticated_id,
2742 fromend);
059ec3d9
PH
2743 }
2744 else
2745 {
87ba3f5f
PH
2746 header_add(htype_from, "%s%s@%s%s\n", fromstart,
2747 local_part_quote(authenticated_id), submission_domain,
2748 fromend);
059ec3d9
PH
2749 }
2750 from_header = header_last; /* To get it checked for Sender: */
2751 }
2752 }
2753
2754 /* There is a non-null envelope sender. Build the header using the original
2755 sender address, before any rewriting that might have been done while
2756 verifying it. */
2757
2758 else
2759 {
87ba3f5f 2760 header_add(htype_from, "%sFrom: %s%s%s%s\n", resent_prefix,
2fe1a124
PH
2761 oname,
2762 (oname[0] == 0)? "" : " <",
87ba3f5f
PH
2763 (sender_address_unrewritten == NULL)?
2764 sender_address : sender_address_unrewritten,
2fe1a124 2765 (oname[0] == 0)? "" : ">");
059ec3d9
PH
2766
2767 from_header = header_last; /* To get it checked for Sender: */
2768 }
2769 }
2770
2771
8800895a
PH
2772/* If the sender is local (without suppress_local_fixups), or if we are in
2773submission mode and there is an authenticated_id, check that an existing From:
2774is correct, and if not, generate a Sender: header, unless disabled. Any
2775previously-existing Sender: header was removed above. Note that sender_local,
2776as well as being TRUE if the caller of exim is not trusted, is also true if a
2777trusted caller did not supply a -f argument for non-smtp input. To allow
2778trusted callers to forge From: without supplying -f, we have to test explicitly
2779here. If the From: header contains more than one address, then the call to
2780parse_extract_address fails, and a Sender: header is inserted, as required. */
059ec3d9
PH
2781
2782if (from_header != NULL &&
69358f02 2783 (active_local_from_check &&
8800895a 2784 ((sender_local && !trusted_caller && !suppress_local_fixups) ||
69358f02 2785 (submission_mode && authenticated_id != NULL))
059ec3d9
PH
2786 ))
2787 {
2788 BOOL make_sender = TRUE;
2789 int start, end, domain;
2790 uschar *errmess;
2791 uschar *from_address =
2792 parse_extract_address(Ustrchr(from_header->text, ':') + 1, &errmess,
2793 &start, &end, &domain, FALSE);
2794 uschar *generated_sender_address;
2795
2796 if (submission_mode)
2797 {
2798 if (submission_domain == NULL)
2799 {
2800 generated_sender_address = string_sprintf("%s@%s",
2801 local_part_quote(authenticated_id), qualify_domain_sender);
2802 }
2803 else if (submission_domain[0] == 0) /* empty => full address */
2804 {
2805 generated_sender_address = string_sprintf("%s",
2806 authenticated_id);
2807 }
2808 else
2809 {
2810 generated_sender_address = string_sprintf("%s@%s",
2811 local_part_quote(authenticated_id), submission_domain);
2812 }
2813 }
2814 else
2815 generated_sender_address = string_sprintf("%s@%s",
2816 local_part_quote(originator_login), qualify_domain_sender);
2817
2818 /* Remove permitted prefixes and suffixes from the local part of the From:
2819 address before doing the comparison with the generated sender. */
2820
2821 if (from_address != NULL)
2822 {
2823 int slen;
2824 uschar *at = (domain == 0)? NULL : from_address + domain - 1;
2825
2826 if (at != NULL) *at = 0;
2827 from_address += route_check_prefix(from_address, local_from_prefix);
2828 slen = route_check_suffix(from_address, local_from_suffix);
2829 if (slen > 0)
2830 {
2831 memmove(from_address+slen, from_address, Ustrlen(from_address)-slen);
2832 from_address += slen;
2833 }
2834 if (at != NULL) *at = '@';
2835
2836 if (strcmpic(generated_sender_address, from_address) == 0 ||
2837 (domain == 0 && strcmpic(from_address, originator_login) == 0))
2838 make_sender = FALSE;
2839 }
2840
2841 /* We have to cause the Sender header to be rewritten if there are
2842 appropriate rewriting rules. */
2843
2844 if (make_sender)
2845 {
2fe1a124 2846 if (submission_mode && submission_name == NULL)
059ec3d9
PH
2847 header_add(htype_sender, "%sSender: %s\n", resent_prefix,
2848 generated_sender_address);
2849 else
2850 header_add(htype_sender, "%sSender: %s <%s>\n",
2fe1a124
PH
2851 resent_prefix,
2852 submission_mode? submission_name : originator_name,
2853 generated_sender_address);
059ec3d9 2854 }
87ba3f5f
PH
2855
2856 /* Ensure that a non-null envelope sender address corresponds to the
2857 submission mode sender address. */
2858
2859 if (submission_mode && sender_address[0] != 0)
2860 {
2861 if (sender_address_unrewritten == NULL)
2862 sender_address_unrewritten = sender_address;
2863 sender_address = generated_sender_address;
089793a4
TF
2864 if (Ustrcmp(sender_address_unrewritten, generated_sender_address) != 0)
2865 log_write(L_address_rewrite, LOG_MAIN,
2866 "\"%s\" from env-from rewritten as \"%s\" by submission mode",
2867 sender_address_unrewritten, generated_sender_address);
87ba3f5f 2868 }
059ec3d9
PH
2869 }
2870
059ec3d9
PH
2871/* If there are any rewriting rules, apply them to the sender address, unless
2872it has already been rewritten as part of verification for SMTP input. */
2873
2874if (global_rewrite_rules != NULL && sender_address_unrewritten == NULL &&
2875 sender_address[0] != 0)
2876 {
2877 sender_address = rewrite_address(sender_address, FALSE, TRUE,
2878 global_rewrite_rules, rewrite_existflags);
2879 DEBUG(D_receive|D_rewrite)
2880 debug_printf("rewritten sender = %s\n", sender_address);
2881 }
2882
2883
2884/* The headers must be run through rewrite_header(), because it ensures that
2885addresses are fully qualified, as well as applying any rewriting rules that may
2886exist.
2887
2888Qualification of header addresses in a message from a remote host happens only
2889if the host is in sender_unqualified_hosts or recipient_unqualified_hosts, as
2890appropriate. For local messages, qualification always happens, unless -bnq is
2891used to explicitly suppress it. No rewriting is done for an unqualified address
2892that is left untouched.
2893
2894We start at the second header, skipping our own Received:. This rewriting is
2895documented as happening *after* recipient addresses are taken from the headers
2896by the -t command line option. An added Sender: gets rewritten here. */
2897
1ebe15c3 2898for (h = header_list->next; h; h = h->next)
059ec3d9
PH
2899 {
2900 header_line *newh = rewrite_header(h, NULL, NULL, global_rewrite_rules,
2901 rewrite_existflags, TRUE);
1ebe15c3 2902 if (newh) h = newh;
059ec3d9
PH
2903 }
2904
2905
2906/* An RFC 822 (sic) message is not legal unless it has at least one of "to",
2cbb4081 2907"cc", or "bcc". Note that although the minimal examples in RFC 822 show just
059ec3d9
PH
2908"to" or "bcc", the full syntax spec allows "cc" as well. If any resent- header
2909exists, this applies to the set of resent- headers rather than the normal set.
2910
2cbb4081
PH
2911The requirement for a recipient header has been removed in RFC 2822. At this
2912point in the code, earlier versions of Exim added a To: header for locally
2913submitted messages, and an empty Bcc: header for others. In the light of the
2914changes in RFC 2822, this was dropped in November 2003. */
059ec3d9 2915
059ec3d9
PH
2916
2917/* If there is no date header, generate one if the message originates locally
8800895a
PH
2918(i.e. not over TCP/IP) and suppress_local_fixups is not set, or if the
2919submission mode flag is set. Messages without Date: are not valid, but it seems
e7e680d6
PP
2920to be more confusing if Exim adds one to all remotely-originated messages.
2921As per Message-Id, we prepend if resending, else append.
2922*/
059ec3d9 2923
8800895a
PH
2924if (!date_header_exists &&
2925 ((sender_host_address == NULL && !suppress_local_fixups)
2926 || submission_mode))
e7e680d6
PP
2927 header_add_at_position(!resents_exist, NULL, FALSE, htype_other,
2928 "%sDate: %s\n", resent_prefix, tod_stamp(tod_full));
059ec3d9
PH
2929
2930search_tidyup(); /* Free any cached resources */
2931
2932/* Show the complete set of headers if debugging. Note that the first one (the
2933new Received:) has not yet been set. */
2934
2935DEBUG(D_receive)
2936 {
2937 debug_printf(">>Headers after rewriting and local additions:\n");
2938 for (h = header_list->next; h != NULL; h = h->next)
2939 debug_printf("%c %s", h->type, h->text);
2940 debug_printf("\n");
2941 }
2942
2943/* The headers are now complete in store. If we are running in filter
2944testing mode, that is all this function does. Return TRUE if the message
2945ended with a dot. */
2946
f05da2e8 2947if (filter_test != FTEST_NONE)
059ec3d9
PH
2948 {
2949 process_info[process_info_len] = 0;
2950 return message_ended == END_DOT;
2951 }
2952
7e3ce68e
JH
2953/*XXX CHUNKING: need to cancel cutthrough under BDAT, for now. In future,
2954think more if it could be handled. Cannot do onward CHUNKING unless
2955inbound is, but inbound chunking ought to be ok with outbound plain.
2956Could we do onward CHUNKING given inbound CHUNKING?
2957*/
2958if (chunking_state > CHUNKING_OFFERED)
2959 cancel_cutthrough_connection("chunking active");
2960
817d9f57 2961/* Cutthrough delivery:
5032d1cf
JH
2962We have to create the Received header now rather than at the end of reception,
2963so the timestamp behaviour is a change to the normal case.
2964XXX Ensure this gets documented XXX.
2965Having created it, send the headers to the destination. */
2966if (cutthrough.fd >= 0)
e4bdf652 2967 {
817d9f57
JH
2968 if (received_count > received_headers_max)
2969 {
2e5b33cd 2970 cancel_cutthrough_connection("too many headers");
817d9f57
JH
2971 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
2972 log_write(0, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
2973 "Too many \"Received\" headers",
2974 sender_address,
2975 (sender_fullhost == NULL)? "" : " H=",
2976 (sender_fullhost == NULL)? US"" : sender_fullhost,
2977 (sender_ident == NULL)? "" : " U=",
2978 (sender_ident == NULL)? US"" : sender_ident);
2979 message_id[0] = 0; /* Indicate no message accepted */
2980 smtp_reply = US"550 Too many \"Received\" headers - suspected mail loop";
2981 goto TIDYUP; /* Skip to end of function */
2982 }
e4bdf652 2983 received_header_gen();
578d43dc 2984 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652
JH
2985 (void) cutthrough_headers_send();
2986 }
61147df4 2987
e4bdf652 2988
059ec3d9
PH
2989/* Open a new spool file for the data portion of the message. We need
2990to access it both via a file descriptor and a stream. Try to make the
41313d92 2991directory if it isn't there. */
059ec3d9 2992
41313d92 2993spool_name = spool_fname(US"input", message_subdir, message_id, US"-D");
a2da3176
JH
2994DEBUG(D_receive) debug_printf("Data file name: %s\n", spool_name);
2995
2996if ((data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
059ec3d9
PH
2997 {
2998 if (errno == ENOENT)
2999 {
0971ec06 3000 (void) directory_make(spool_directory,
41313d92
JH
3001 spool_sname(US"input", message_subdir),
3002 INPUT_DIRECTORY_MODE, TRUE);
059ec3d9
PH
3003 data_fd = Uopen(spool_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
3004 }
3005 if (data_fd < 0)
3006 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to create spool file %s: %s",
3007 spool_name, strerror(errno));
3008 }
3009
3010/* Make sure the file's group is the Exim gid, and double-check the mode
3011because the group setting doesn't always get set automatically. */
3012
1ac6b2e7
JH
3013if (fchown(data_fd, exim_uid, exim_gid))
3014 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3015 "Failed setting ownership on spool file %s: %s",
3016 spool_name, strerror(errno));
ff790e47 3017(void)fchmod(data_fd, SPOOL_MODE);
059ec3d9
PH
3018
3019/* We now have the data file open. Build a stream for it and lock it. We lock only
3020the first line of the file (containing the message ID) because otherwise there
3021are problems when Exim is run under Cygwin (I'm told). See comments in
3022spool_in.c, where the same locking is done. */
3023
3024data_file = fdopen(data_fd, "w+");
3025lock_data.l_type = F_WRLCK;
3026lock_data.l_whence = SEEK_SET;
3027lock_data.l_start = 0;
3028lock_data.l_len = SPOOL_DATA_START_OFFSET;
3029
3030if (fcntl(data_fd, F_SETLK, &lock_data) < 0)
3031 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Cannot lock %s (%d): %s", spool_name,
3032 errno, strerror(errno));
3033
3034/* We have an open, locked data file. Write the message id to it to make it
3035self-identifying. Then read the remainder of the input of this message and
3036write it to the data file. If the variable next != NULL, it contains the first
3037data line (which was read as a header but then turned out not to have the right
3038format); write it (remembering that it might contain binary zeros). The result
3039of fwrite() isn't inspected; instead we call ferror() below. */
3040
3041fprintf(data_file, "%s-D\n", message_id);
3042if (next != NULL)
3043 {
3044 uschar *s = next->text;
3045 int len = next->slen;
1ac6b2e7 3046 len = fwrite(s, 1, len, data_file); len = len; /* compiler quietening */
059ec3d9
PH
3047 body_linecount++; /* Assumes only 1 line */
3048 }
3049
3050/* Note that we might already be at end of file, or the logical end of file
3051(indicated by '.'), or might have encountered an error while writing the
3052message id or "next" line. */
3053
3054if (!ferror(data_file) && !(receive_feof)() && message_ended != END_DOT)
3055 {
3056 if (smtp_input)
3057 {
7e3ce68e
JH
3058 message_ended = chunking_state > CHUNKING_OFFERED
3059 ? read_message_bdat_smtp(data_file)
3060 : read_message_data_smtp(data_file);
059ec3d9
PH
3061 receive_linecount++; /* The terminating "." line */
3062 }
3063 else message_ended = read_message_data(data_file);
3064
3065 receive_linecount += body_linecount; /* For BSMTP errors mainly */
2e0c1448 3066 message_linecount += body_linecount;
059ec3d9 3067
7e3ce68e 3068 switch (message_ended)
059ec3d9 3069 {
7e3ce68e 3070 /* Handle premature termination of SMTP */
059ec3d9 3071
7e3ce68e
JH
3072 case END_EOF:
3073 if (smtp_input)
3074 {
3075 Uunlink(spool_name); /* Lose data file when closed */
3076 cancel_cutthrough_connection("sender closed connection");
3077 message_id[0] = 0; /* Indicate no message accepted */
3078 smtp_reply = handle_lost_connection(US"");
3079 smtp_yield = FALSE;
3080 goto TIDYUP; /* Skip to end of function */
3081 }
3082 break;
059ec3d9 3083
7e3ce68e
JH
3084 /* Handle message that is too big. Don't use host_or_ident() in the log
3085 message; we want to see the ident value even for non-remote messages. */
059ec3d9 3086
7e3ce68e
JH
3087 case END_SIZE:
3088 Uunlink(spool_name); /* Lose the data file when closed */
3089 cancel_cutthrough_connection("mail too big");
3090 if (smtp_input) receive_swallow_smtp(); /* Swallow incoming SMTP */
059ec3d9 3091
7e3ce68e
JH
3092 log_write(L_size_reject, LOG_MAIN|LOG_REJECT, "rejected from <%s>%s%s%s%s: "
3093 "message too big: read=%d max=%d",
3094 sender_address,
3095 (sender_fullhost == NULL)? "" : " H=",
3096 (sender_fullhost == NULL)? US"" : sender_fullhost,
3097 (sender_ident == NULL)? "" : " U=",
3098 (sender_ident == NULL)? US"" : sender_ident,
3099 message_size,
3100 thismessage_size_limit);
3101
3102 if (smtp_input)
3103 {
3104 smtp_reply = US"552 Message size exceeds maximum permitted";
3105 message_id[0] = 0; /* Indicate no message accepted */
3106 goto TIDYUP; /* Skip to end of function */
3107 }
3108 else
3109 {
3110 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3111 give_local_error(ERRMESS_TOOBIG,
3112 string_sprintf("message too big (max=%d)", thismessage_size_limit),
3113 US"message rejected: ", error_rc, data_file, header_list);
3114 /* Does not return */
3115 }
3116 break;
3117
3118 /* Handle bad BDAT protocol sequence */
3119
3120 case END_PROTOCOL:
3121 Uunlink(spool_name); /* Lose the data file when closed */
3122 cancel_cutthrough_connection("sender protocol error");
3123 smtp_reply = US""; /* Response already sent */
3124 message_id[0] = 0; /* Indicate no message accepted */
3125 goto TIDYUP; /* Skip to end of function */
059ec3d9
PH
3126 }
3127 }
3128
3129/* Restore the standard SIGALRM handler for any subsequent processing. (For
3130example, there may be some expansion in an ACL that uses a timer.) */
3131
3132os_non_restarting_signal(SIGALRM, sigalrm_handler);
3133
3134/* The message body has now been read into the data file. Call fflush() to
3135empty the buffers in C, and then call fsync() to get the data written out onto
3136the disk, as fflush() doesn't do this (or at least, it isn't documented as
3137having to do this). If there was an I/O error on either input or output,
3138attempt to send an error message, and unlink the spool file. For non-SMTP input
3139we can then give up. Note that for SMTP input we must swallow the remainder of
3140the input in cases of output errors, since the far end doesn't expect to see
3141anything until the terminating dot line is sent. */
3142
3143if (fflush(data_file) == EOF || ferror(data_file) ||
54fc8428 3144 EXIMfsync(fileno(data_file)) < 0 || (receive_ferror)())
059ec3d9
PH
3145 {
3146 uschar *msg_errno = US strerror(errno);
3147 BOOL input_error = (receive_ferror)() != 0;
3148 uschar *msg = string_sprintf("%s error (%s) while receiving message from %s",
3149 input_error? "Input read" : "Spool write",
3150 msg_errno,
3151 (sender_fullhost != NULL)? sender_fullhost : sender_ident);
3152
3153 log_write(0, LOG_MAIN, "Message abandoned: %s", msg);
3154 Uunlink(spool_name); /* Lose the data file */
2e5b33cd 3155 cancel_cutthrough_connection("error writing spoolfile");
059ec3d9
PH
3156
3157 if (smtp_input)
3158 {
3159 if (input_error)
3160 smtp_reply = US"451 Error while reading input data";
3161 else
3162 {
3163 smtp_reply = US"451 Error while writing spool file";
3164 receive_swallow_smtp();
3165 }
3166 message_id[0] = 0; /* Indicate no message accepted */
3167 goto TIDYUP; /* Skip to end of function */
3168 }
3169
3170 else
3171 {
3172 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3173 give_local_error(ERRMESS_IOERR, msg, US"", error_rc, data_file,
3174 header_list);
3175 /* Does not return */
3176 }
3177 }
3178
3179
3180/* No I/O errors were encountered while writing the data file. */
3181
3182DEBUG(D_receive) debug_printf("Data file written for message %s\n", message_id);
3183
3184
3185/* If there were any bad addresses extracted by -t, or there were no recipients
3186left after -t, send a message to the sender of this message, or write it to
3187stderr if the error handling option is set that way. Note that there may
3188legitimately be no recipients for an SMTP message if they have all been removed
3189by "discard".
3190
3191We need to rewind the data file in order to read it. In the case of no
3192recipients or stderr error writing, throw the data file away afterwards, and
3193exit. (This can't be SMTP, which always ensures there's at least one
3194syntactically good recipient address.) */
3195
3196if (extract_recip && (bad_addresses != NULL || recipients_count == 0))
3197 {
3198 DEBUG(D_receive)
3199 {
3200 if (recipients_count == 0) debug_printf("*** No recipients\n");
3201 if (bad_addresses != NULL)
3202 {
3203 error_block *eblock = bad_addresses;
3204 debug_printf("*** Bad address(es)\n");
3205 while (eblock != NULL)
3206 {
3207 debug_printf(" %s: %s\n", eblock->text1, eblock->text2);
3208 eblock = eblock->next;
3209 }
3210 }
3211 }
3212
3213 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3214
3215 /* If configured to send errors to the sender, but this fails, force
3216 a failure error code. We use a special one for no recipients so that it
3217 can be detected by the autoreply transport. Otherwise error_rc is set to
3218 errors_sender_rc, which is EXIT_FAILURE unless -oee was given, in which case
3219 it is EXIT_SUCCESS. */
3220
3221 if (error_handling == ERRORS_SENDER)
3222 {
3223 if (!moan_to_sender(
3224 (bad_addresses == NULL)?
3225 (extracted_ignored? ERRMESS_IGADDRESS : ERRMESS_NOADDRESS) :
3226 (recipients_list == NULL)? ERRMESS_BADNOADDRESS : ERRMESS_BADADDRESS,
3227 bad_addresses, header_list, data_file, FALSE))
3228 error_rc = (bad_addresses == NULL)? EXIT_NORECIPIENTS : EXIT_FAILURE;
3229 }
3230 else
3231 {
3232 if (bad_addresses == NULL)
3233 {
3234 if (extracted_ignored)
3235 fprintf(stderr, "exim: all -t recipients overridden by command line\n");
3236 else
3237 fprintf(stderr, "exim: no recipients in message\n");
3238 }
3239 else
3240 {
3241 fprintf(stderr, "exim: invalid address%s",
3242 (bad_addresses->next == NULL)? ":" : "es:\n");
3243 while (bad_addresses != NULL)
3244 {
3245 fprintf(stderr, " %s: %s\n", bad_addresses->text1,
3246 bad_addresses->text2);
3247 bad_addresses = bad_addresses->next;
3248 }
3249 }
3250 }
3251
3252 if (recipients_count == 0 || error_handling == ERRORS_STDERR)
3253 {
3254 Uunlink(spool_name);
f1e894f3 3255 (void)fclose(data_file);
059ec3d9
PH
3256 exim_exit(error_rc);
3257 }
3258 }
3259
3260/* Data file successfully written. Generate text for the Received: header by
3261expanding the configured string, and adding a timestamp. By leaving this
3262operation till now, we ensure that the timestamp is the time that message
3263reception was completed. However, this is deliberately done before calling the
3264data ACL and local_scan().
3265
3266This Received: header may therefore be inspected by the data ACL and by code in
3267the local_scan() function. When they have run, we update the timestamp to be
3268the final time of reception.
3269
3270If there is just one recipient, set up its value in the $received_for variable
3271for use when we generate the Received: header.
3272
3273Note: the checking for too many Received: headers is handled by the delivery
3274code. */
e4bdf652 3275/*XXX eventually add excess Received: check for cutthrough case back when classifying them */
059ec3d9 3276
e4bdf652 3277if (received_header->text == NULL) /* Non-cutthrough case */
059ec3d9 3278 {
e4bdf652 3279 received_header_gen();
059ec3d9 3280
e4bdf652 3281 /* Set the value of message_body_size for the DATA ACL and for local_scan() */
059ec3d9 3282
e4bdf652
JH
3283 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3284 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9 3285
e4bdf652
JH
3286 /* If an ACL from any RCPT commands set up any warning headers to add, do so
3287 now, before running the DATA ACL. */
059ec3d9 3288
578d43dc 3289 add_acl_headers(ACL_WHERE_RCPT, US"MAIL or RCPT");
e4bdf652 3290 }
817d9f57 3291else
e4bdf652
JH
3292 message_body_size = (fstat(data_fd, &statbuf) == 0)?
3293 statbuf.st_size - SPOOL_DATA_START_OFFSET : -1;
059ec3d9
PH
3294
3295/* If an ACL is specified for checking things at this stage of reception of a
3296message, run it, unless all the recipients were removed by "discard" in earlier
3297ACLs. That is the only case in which recipients_count can be zero at this
3298stage. Set deliver_datafile to point to the data file so that $message_body and
3299$message_body_end can be extracted if needed. Allow $recipients in expansions.
3300*/
3301
3302deliver_datafile = data_fd;
4e88a19f 3303user_msg = NULL;
059ec3d9 3304
0e20aff9
MH
3305enable_dollar_recipients = TRUE;
3306
059ec3d9 3307if (recipients_count == 0)
7e3ce68e
JH
3308 blackholed_by = recipients_discarded ? US"MAIL ACL" : US"RCPT ACL";
3309
059ec3d9
PH
3310else
3311 {
059ec3d9
PH
3312 /* Handle interactive SMTP messages */
3313
3314 if (smtp_input && !smtp_batched_input)
3315 {
8523533c 3316
80a47a2c
TK
3317#ifndef DISABLE_DKIM
3318 if (!dkim_disable_verify)
3319 {
3320 /* Finish verification, this will log individual signature results to
3321 the mainlog */
3322 dkim_exim_verify_finish();
3323
3324 /* Check if we must run the DKIM ACL */
7e3ce68e 3325 if (acl_smtp_dkim && dkim_verify_signers && *dkim_verify_signers)
80a47a2c
TK
3326 {
3327 uschar *dkim_verify_signers_expanded =
3328 expand_string(dkim_verify_signers);
7e3ce68e 3329 if (!dkim_verify_signers_expanded)
80a47a2c
TK
3330 log_write(0, LOG_MAIN|LOG_PANIC,
3331 "expansion of dkim_verify_signers option failed: %s",
3332 expand_string_message);
7e3ce68e 3333
80a47a2c
TK
3334 else
3335 {
3336 int sep = 0;
55414b25 3337 const uschar *ptr = dkim_verify_signers_expanded;
80a47a2c 3338 uschar *item = NULL;
9e5d6b55
TK
3339 uschar *seen_items = NULL;
3340 int seen_items_size = 0;
3341 int seen_items_offset = 0;
9122af94
TK
3342 /* Default to OK when no items are present */
3343 rc = OK;
7e3ce68e 3344 while ((item = string_nextinlist(&ptr, &sep, NULL, 0)))
80a47a2c 3345 {
6119d1ea 3346 /* Prevent running ACL for an empty item */
7e3ce68e 3347 if (!item || !*item) continue;
5032d1cf
JH
3348
3349 /* Only run ACL once for each domain or identity,
3350 no matter how often it appears in the expanded list. */
3351 if (seen_items)
6119d1ea 3352 {
ae9094bf 3353 uschar *seen_item = NULL;
55414b25 3354 const uschar *seen_items_list = seen_items;
5032d1cf 3355 BOOL seen_this_item = FALSE;
61147df4 3356
ae9094bf 3357 while ((seen_item = string_nextinlist(&seen_items_list, &sep,
7e3ce68e 3358 NULL, 0)))
5032d1cf
JH
3359 if (Ustrcmp(seen_item,item) == 0)
3360 {
3361 seen_this_item = TRUE;
3362 break;
3363 }
3364
3365 if (seen_this_item)
6119d1ea
TK
3366 {
3367 DEBUG(D_receive)
5032d1cf
JH
3368 debug_printf("acl_smtp_dkim: skipping signer %s, "
3369 "already seen\n", item);
6119d1ea
TK
3370 continue;
3371 }
61147df4 3372
5032d1cf
JH
3373 seen_items = string_append(seen_items, &seen_items_size,
3374 &seen_items_offset, 1, ":");
6119d1ea
TK
3375 }
3376
5032d1cf
JH
3377 seen_items = string_append(seen_items, &seen_items_size,
3378 &seen_items_offset, 1, item);
4a73449b 3379 seen_items[seen_items_offset] = '\0';
6119d1ea
TK
3380
3381 DEBUG(D_receive)
5032d1cf
JH
3382 debug_printf("calling acl_smtp_dkim for dkim_cur_signer=%s\n",
3383 item);
6119d1ea 3384
80a47a2c 3385 dkim_exim_acl_setup(item);
5032d1cf
JH
3386 rc = acl_check(ACL_WHERE_DKIM, NULL, acl_smtp_dkim,
3387 &user_msg, &log_msg);
6119d1ea
TK
3388
3389 if (rc != OK)
5032d1cf
JH
3390 {
3391 DEBUG(D_receive)
3392 debug_printf("acl_smtp_dkim: acl_check returned %d on %s, "
3393 "skipping remaining items\n", rc, item);
3394 cancel_cutthrough_connection("dkim acl not ok");
3395 break;
3396 }
80a47a2c 3397 }
578d43dc 3398 add_acl_headers(ACL_WHERE_DKIM, US"DKIM");
80a47a2c
TK
3399 if (rc == DISCARD)
3400 {
3401 recipients_count = 0;
3402 blackholed_by = US"DKIM ACL";
3403 if (log_msg != NULL)
3404 blackhole_log_msg = string_sprintf(": %s", log_msg);
3405 }
3406 else if (rc != OK)
3407 {
3408 Uunlink(spool_name);
3409 if (smtp_handle_acl_fail(ACL_WHERE_DKIM, rc, user_msg, log_msg) != 0)
85ffcba6 3410 smtp_yield = FALSE; /* No more messages after dropped connection */
80a47a2c
TK
3411 smtp_reply = US""; /* Indicate reply already sent */
3412 message_id[0] = 0; /* Indicate no message accepted */
3413 goto TIDYUP; /* Skip to end of function */
3414 }
3415 }
3416 }
3417 }
4a8ce2d8 3418#endif /* DISABLE_DKIM */
fb2274d4 3419
8523533c 3420#ifdef WITH_CONTENT_SCAN
80a47a2c
TK
3421 if (recipients_count > 0 &&
3422 acl_smtp_mime != NULL &&
54cdb463
PH
3423 !run_mime_acl(acl_smtp_mime, &smtp_yield, &smtp_reply, &blackholed_by))
3424 goto TIDYUP;
8523533c
TK
3425#endif /* WITH_CONTENT_SCAN */
3426
4840604e
TL
3427#ifdef EXPERIMENTAL_DMARC
3428 dmarc_up = dmarc_store_data(from_header);
3429#endif /* EXPERIMENTAL_DMARC */
3430
8ccd00b1
JH
3431#ifndef DISABLE_PRDR
3432 if (prdr_requested && recipients_count > 1 && acl_smtp_data_prdr)
fd98a5c6
JH
3433 {
3434 unsigned int c;
3435 int all_pass = OK;
3436 int all_fail = FAIL;
3437
3438 smtp_printf("353 PRDR content analysis beginning\r\n");
3439 /* Loop through recipients, responses must be in same order received */
3440 for (c = 0; recipients_count > c; c++)
3441 {
3442 uschar * addr= recipients_list[c].address;
3443 uschar * msg= US"PRDR R=<%s> %s";
3444 uschar * code;
3445 DEBUG(D_receive)
3446 debug_printf("PRDR processing recipient %s (%d of %d)\n",
3447 addr, c+1, recipients_count);
3448 rc = acl_check(ACL_WHERE_PRDR, addr,
3449 acl_smtp_data_prdr, &user_msg, &log_msg);
3450
3451 /* If any recipient rejected content, indicate it in final message */
3452 all_pass |= rc;
3453 /* If all recipients rejected, indicate in final message */
3454 all_fail &= rc;
3455
3456 switch (rc)
3457 {
3458 case OK: case DISCARD: code = US"250"; break;
3459 case DEFER: code = US"450"; break;
3460 default: code = US"550"; break;
3461 }
3462 if (user_msg != NULL)
3463 smtp_user_msg(code, user_msg);
3464 else
3465 {
3466 switch (rc)
3467 {
3468 case OK: case DISCARD:
3469 msg = string_sprintf(CS msg, addr, "acceptance"); break;
3470 case DEFER:
3471 msg = string_sprintf(CS msg, addr, "temporary refusal"); break;
3472 default:
3473 msg = string_sprintf(CS msg, addr, "refusal"); break;
3474 }
3475 smtp_user_msg(code, msg);
3476 }
3477 if (log_msg) log_write(0, LOG_MAIN, "PRDR %s %s", addr, log_msg);
3478 else if (user_msg) log_write(0, LOG_MAIN, "PRDR %s %s", addr, user_msg);
112b6a93 3479 else log_write(0, LOG_MAIN, "%s", CS msg);
fd98a5c6
JH
3480
3481 if (rc != OK) { receive_remove_recipient(addr); c--; }
3482 }
3483 /* Set up final message, used if data acl gives OK */
3484 smtp_reply = string_sprintf("%s id=%s message %s",
3485 all_fail == FAIL ? US"550" : US"250",
3486 message_id,
3487 all_fail == FAIL
3488 ? US"rejected for all recipients"
3489 : all_pass == OK
3490 ? US"accepted"
3491 : US"accepted for some recipients");
3492 if (recipients_count == 0)
3493 {
3494 message_id[0] = 0; /* Indicate no message accepted */
3495 goto TIDYUP;
3496 }
3497 }
3498 else
3499 prdr_requested = FALSE;
8ccd00b1 3500#endif /* !DISABLE_PRDR */
fd98a5c6 3501
54cdb463
PH
3502 /* Check the recipients count again, as the MIME ACL might have changed
3503 them. */
8523533c 3504
059ec3d9
PH
3505 if (acl_smtp_data != NULL && recipients_count > 0)
3506 {
059ec3d9 3507 rc = acl_check(ACL_WHERE_DATA, NULL, acl_smtp_data, &user_msg, &log_msg);
578d43dc 3508 add_acl_headers(ACL_WHERE_DATA, US"DATA");
059ec3d9
PH
3509 if (rc == DISCARD)
3510 {
3511 recipients_count = 0;
3512 blackholed_by = US"DATA ACL";
8e669ac1
PH
3513 if (log_msg != NULL)
3514 blackhole_log_msg = string_sprintf(": %s", log_msg);
2e5b33cd 3515 cancel_cutthrough_connection("data acl discard");
059ec3d9
PH
3516 }
3517 else if (rc != OK)
3518 {
3519 Uunlink(spool_name);
2e5b33cd 3520 cancel_cutthrough_connection("data acl not ok");
8523533c
TK
3521#ifdef WITH_CONTENT_SCAN
3522 unspool_mbox();
3523#endif
6f0c431a
PP
3524#ifdef EXPERIMENTAL_DCC
3525 dcc_ok = 0;
3526#endif
059ec3d9 3527 if (smtp_handle_acl_fail(ACL_WHERE_DATA, rc, user_msg, log_msg) != 0)
85ffcba6 3528 smtp_yield = FALSE; /* No more messages after dropped connection */
059ec3d9
PH
3529 smtp_reply = US""; /* Indicate reply already sent */
3530 message_id[0] = 0; /* Indicate no message accepted */
3531 goto TIDYUP; /* Skip to end of function */
3532 }
3533 }
3534 }
3535
3536 /* Handle non-SMTP and batch SMTP (i.e. non-interactive) messages. Note that
3537 we cannot take different actions for permanent and temporary rejections. */
3538
54cdb463 3539 else
059ec3d9 3540 {
54cdb463
PH
3541
3542#ifdef WITH_CONTENT_SCAN
3543 if (acl_not_smtp_mime != NULL &&
3544 !run_mime_acl(acl_not_smtp_mime, &smtp_yield, &smtp_reply,
3545 &blackholed_by))
3546 goto TIDYUP;
3547#endif /* WITH_CONTENT_SCAN */
3548
3549 if (acl_not_smtp != NULL)
059ec3d9 3550 {
54cdb463
PH
3551 uschar *user_msg, *log_msg;
3552 rc = acl_check(ACL_WHERE_NOTSMTP, NULL, acl_not_smtp, &user_msg, &log_msg);
3553 if (rc == DISCARD)
059ec3d9 3554 {
54cdb463
PH
3555 recipients_count = 0;
3556 blackholed_by = US"non-SMTP ACL";
3557 if (log_msg != NULL)
3558 blackhole_log_msg = string_sprintf(": %s", log_msg);
059ec3d9 3559 }
54cdb463 3560 else if (rc != OK)
059ec3d9 3561 {
54cdb463
PH
3562 Uunlink(spool_name);
3563#ifdef WITH_CONTENT_SCAN
3564 unspool_mbox();
3565#endif
6f0c431a
PP
3566#ifdef EXPERIMENTAL_DCC
3567 dcc_ok = 0;
3568#endif
6ea85e9a
PH
3569 /* The ACL can specify where rejections are to be logged, possibly
3570 nowhere. The default is main and reject logs. */
3571
3572 if (log_reject_target != 0)
3573 log_write(0, log_reject_target, "F=<%s> rejected by non-SMTP ACL: %s",
3574 sender_address, log_msg);
3575
54cdb463
PH
3576 if (user_msg == NULL) user_msg = US"local configuration problem";
3577 if (smtp_batched_input)
3578 {
3579 moan_smtp_batch(NULL, "%d %s", 550, user_msg);
3580 /* Does not return */
3581 }
3582 else
3583 {
3584 fseek(data_file, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3585 give_local_error(ERRMESS_LOCAL_ACL, user_msg,
3586 US"message rejected by non-SMTP ACL: ", error_rc, data_file,
3587 header_list);
3588 /* Does not return */
3589 }
059ec3d9 3590 }
578d43dc 3591 add_acl_headers(ACL_WHERE_NOTSMTP, US"non-SMTP");
059ec3d9 3592 }
059ec3d9
PH
3593 }
3594
54cdb463
PH
3595 /* The applicable ACLs have been run */
3596
059ec3d9
PH
3597 if (deliver_freeze) frozen_by = US"ACL"; /* for later logging */
3598 if (queue_only_policy) queued_by = US"ACL";
059ec3d9
PH
3599 }
3600
8523533c
TK
3601#ifdef WITH_CONTENT_SCAN
3602unspool_mbox();
3603#endif
3604
6a8f9482
TK
3605#ifdef EXPERIMENTAL_DCC
3606dcc_ok = 0;
3607#endif
3608
3609
059ec3d9
PH
3610/* The final check on the message is to run the local_scan() function. The
3611version supplied with Exim always accepts, but this is a hook for sysadmins to
3612supply their own checking code. The local_scan() function is run even when all
3613the recipients have been discarded. */
3614
3615lseek(data_fd, (long int)SPOOL_DATA_START_OFFSET, SEEK_SET);
3616
3617/* Arrange to catch crashes in local_scan(), so that the -D file gets
3618deleted, and the incident gets logged. */
3619
3620os_non_restarting_signal(SIGSEGV, local_scan_crash_handler);
3621os_non_restarting_signal(SIGFPE, local_scan_crash_handler);
3622os_non_restarting_signal(SIGILL, local_scan_crash_handler);
3623os_non_restarting_signal(SIGBUS, local_scan_crash_handler);
3624
3625DEBUG(D_receive) debug_printf("calling local_scan(); timeout=%d\n",
3626 local_scan_timeout);
3627local_scan_data = NULL;
3628
3629os_non_restarting_signal(SIGALRM, local_scan_timeout_handler);
3630if (local_scan_timeout > 0) alarm(local_scan_timeout);
3631rc = local_scan(data_fd, &local_scan_data);
3632alarm(0);
3633os_non_restarting_signal(SIGALRM, sigalrm_handler);
3634
0e20aff9
MH
3635enable_dollar_recipients = FALSE;
3636
059ec3d9
PH
3637store_pool = POOL_MAIN; /* In case changed */
3638DEBUG(D_receive) debug_printf("local_scan() returned %d %s\n", rc,
3639 local_scan_data);
3640
3641os_non_restarting_signal(SIGSEGV, SIG_DFL);
3642os_non_restarting_signal(SIGFPE, SIG_DFL);
3643os_non_restarting_signal(SIGILL, SIG_DFL);
3644os_non_restarting_signal(SIGBUS, SIG_DFL);
3645
3646/* The length check is paranoia against some runaway code, and also because
3647(for a success return) lines in the spool file are read into big_buffer. */
3648
3649if (local_scan_data != NULL)
3650 {
3651 int len = Ustrlen(local_scan_data);
3652 if (len > LOCAL_SCAN_MAX_RETURN) len = LOCAL_SCAN_MAX_RETURN;
3653 local_scan_data = string_copyn(local_scan_data, len);
3654 }
3655
3656if (rc == LOCAL_SCAN_ACCEPT_FREEZE)
3657 {
58eb016e 3658 if (!deliver_freeze) /* ACL might have already frozen */
059ec3d9
PH
3659 {
3660 deliver_freeze = TRUE;
3661 deliver_frozen_at = time(NULL);
3662 frozen_by = US"local_scan()";
3663 }
3664 rc = LOCAL_SCAN_ACCEPT;
3665 }
3666else if (rc == LOCAL_SCAN_ACCEPT_QUEUE)
3667 {
3668 if (!queue_only_policy) /* ACL might have already queued */
3669 {
3670 queue_only_policy = TRUE;
3671 queued_by = US"local_scan()";
3672 }
3673 rc = LOCAL_SCAN_ACCEPT;
3674 }
3675
3676/* Message accepted: remove newlines in local_scan_data because otherwise
3677the spool file gets corrupted. Ensure that all recipients are qualified. */
3678
3679if (rc == LOCAL_SCAN_ACCEPT)
3680 {
3681 if (local_scan_data != NULL)
3682 {
3683 uschar *s;
3684 for (s = local_scan_data; *s != 0; s++) if (*s == '\n') *s = ' ';
3685 }
3686 for (i = 0; i < recipients_count; i++)
3687 {
3688 recipient_item *r = recipients_list + i;
3689 r->address = rewrite_address_qualify(r->address, TRUE);
3690 if (r->errors_to != NULL)
3691 r->errors_to = rewrite_address_qualify(r->errors_to, TRUE);
3692 }
3693 if (recipients_count == 0 && blackholed_by == NULL)
3694 blackholed_by = US"local_scan";
3695 }
3696
3697/* Message rejected: newlines permitted in local_scan_data to generate
3698multiline SMTP responses. */
3699
3700else
3701 {
3702 uschar *istemp = US"";
3703 uschar *s = NULL;
a5bd321b