[exim.git] / src / src / spool_out.c

/* $Cambridge: exim/src/src/spool_out.c,v 1.10 2006/02/07 11:19:00 ph10 Exp $ */

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) University of Cambridge 1995 - 2006 */
/* See the file NOTICE for conditions of use and distribution. */

/* Functions for writing spool files, and moving them about. */


#include "exim.h"


/*************************************************
*       Deal with header writing errors          *
*************************************************/

/* This function is called immediately after errors in writing the spool, with
errno still set. It creates and error message, depending on the circumstances.
If errmsg is NULL, it logs the message and panic-dies. Otherwise errmsg is set
to point to the message, and -1 is returned. This function makes the code of
spool_write_header() a bit neater.

Arguments:
   where      SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
   errmsg     where to put the message; NULL => panic-die
   s          text to add to log string
   temp_name  name of temp file to unlink
   f          FILE to close, if not NULL

Returns:      -1 if errmsg is not NULL; otherwise doesn't return
*/

static int
spool_write_error(int where, uschar **errmsg, uschar *s, uschar *temp_name,
  FILE *f)
{
uschar *msg = (where == SW_RECEIVING)?
  string_sprintf("spool file %s error while receiving from %s: %s", s,
    (sender_fullhost != NULL)? sender_fullhost : sender_ident,
    strerror(errno))
  :
  string_sprintf("spool file %s error while %s: %s", s,
    (where == SW_DELIVERING)? "delivering" : "modifying",
    strerror(errno));

if (temp_name != NULL) Uunlink(temp_name);
if (f != NULL) (void)fclose(f);

if (errmsg == NULL)
  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", msg);
else
  *errmsg = msg;

return -1;
}


/*************************************************
*            Open file under temporary name      *
*************************************************/

/* This is used for opening spool files under a temporary name,
with a single attempt at deleting if they already exist.

Argument: temporary name for spool header file
Returns:  file descriptor of open file, or < 0 on failure, with errno unchanged
*/

int
spool_open_temp(uschar *temp_name)
{
int fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);

/* If the file already exists, something has gone wrong. This process may well
have previously created the file if it is delivering more than one address, but
it should have renamed it almost immediately. A file could, however, be left
around as a result of a system crash, and by coincidence this process might
have the same pid. We therefore have one go at unlinking it before giving up.
*/

if (fd < 0 && errno == EEXIST)
  {
  DEBUG(D_any) debug_printf("%s exists: unlinking\n", temp_name);
  Uunlink(temp_name);
  fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
  }

/* If the file has been opened, make sure the file's group is the Exim gid, and
double-check the mode because the group setting doesn't always get set
automatically. */

if (fd >= 0)
  {
  (void)fchown(fd, exim_uid, exim_gid);
  (void)fchmod(fd, SPOOL_MODE);
  }

return fd;
}


/*************************************************
*          Write the header spool file           *
*************************************************/

/* Returns the size of the file for success; zero for failure. The file is
written under a temporary name, and then renamed. It's done this way so that it
works with re-writing the file on message deferral as well as for the initial
write. Whenever this function is called, the data file for the message should
be open and locked, thus preventing any other exim process from working on this
message.

Argument:
  id      the message id
  where   SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
  errmsg  where to put an error message; if NULL, panic-die on error

Returns:  the size of the header texts on success;
          negative on writing failure, unless errmsg == NULL
*/

int
spool_write_header(uschar *id, int where, uschar **errmsg)
{
int fd;
int i;
int size_correction;
FILE *f;
header_line *h;
struct stat statbuf;
uschar name[256];
uschar temp_name[256];

sprintf(CS temp_name, "%s/input/%s/hdr.%d", spool_directory, message_subdir,
  (int)getpid());
fd = spool_open_temp(temp_name);
if (fd < 0) return spool_write_error(where, errmsg, US"open", NULL, NULL);
f = fdopen(fd, "wb");
DEBUG(D_receive|D_deliver) debug_printf("Writing spool header file\n");

/* We now have an open file to which the header data is to be written. Start
with the file's leaf name, to make the file self-identifying. Continue with the
identity of the submitting user, followed by the sender's address. The sender's
address is enclosed in <> because it might be the null address. Then write the
received time and the number of warning messages that have been sent. */

fprintf(f, "%s-H\n", message_id);
fprintf(f, "%.63s %ld %ld\n", originator_login, (long int)originator_uid,
  (long int)originator_gid);
fprintf(f, "<%s>\n", sender_address);
fprintf(f, "%d %d\n", received_time, warning_count);

/* If there is information about a sending host, remember it. The HELO
data can be set for local SMTP as well as remote. */

if (sender_helo_name != NULL)
  fprintf(f, "-helo_name %s\n", sender_helo_name);

if (sender_host_address != NULL)
  {
  fprintf(f, "-host_address %s.%d\n", sender_host_address, sender_host_port);
  if (sender_host_name != NULL)
    fprintf(f, "-host_name %s\n", sender_host_name);
  if (sender_host_authenticated != NULL)
    fprintf(f, "-host_auth %s\n", sender_host_authenticated);
  }

/* Also about the interface a message came in on */

if (interface_address != NULL)
  fprintf(f, "-interface_address %s.%d\n", interface_address, interface_port);

if (smtp_active_hostname != primary_hostname)
  fprintf(f, "-active_hostname %s\n", smtp_active_hostname);

/* Likewise for any ident information; for local messages this is
likely to be the same as originator_login, but will be different if
the originator was root, forcing a different ident. */

if (sender_ident != NULL) fprintf(f, "-ident %s\n", sender_ident);

/* Ditto for the received protocol */

if (received_protocol != NULL)
  fprintf(f, "-received_protocol %s\n", received_protocol);

/* Preserve any ACL variables that are set. Because the values may contain
newlines, we use an explicit length. */

for (i = 0; i < ACL_CVARS; i++)
  {
  if (acl_var[i] != NULL)
    fprintf(f, "-aclc %d %d\n%s\n", i, Ustrlen(acl_var[i]), acl_var[i]);
  }

for (i = 0; i < ACL_MVARS; i++)
  {
  int j = i + ACL_CVARS;
  if (acl_var[j] != NULL)
    fprintf(f, "-aclm %d %d\n%s\n", i, Ustrlen(acl_var[j]), acl_var[j]);
  }

/* Now any other data that needs to be remembered. */

fprintf(f, "-body_linecount %d\n", body_linecount);

if (body_zerocount > 0) fprintf(f, "-body_zerocount %d\n", body_zerocount);

if (authenticated_id != NULL)
  fprintf(f, "-auth_id %s\n", authenticated_id);
if (authenticated_sender != NULL)
  fprintf(f, "-auth_sender %s\n", authenticated_sender);

if (allow_unqualified_recipient) fprintf(f, "-allow_unqualified_recipient\n");
if (allow_unqualified_sender) fprintf(f, "-allow_unqualified_sender\n");
if (deliver_firsttime) fprintf(f, "-deliver_firsttime\n");
if (deliver_freeze) fprintf(f, "-frozen %d\n", deliver_frozen_at);
if (dont_deliver) fprintf(f, "-N\n");
if (host_lookup_deferred) fprintf(f, "-host_lookup_deferred\n");
if (host_lookup_failed) fprintf(f, "-host_lookup_failed\n");
if (sender_local) fprintf(f, "-local\n");
if (local_error_message) fprintf(f, "-localerror\n");
if (local_scan_data != NULL) fprintf(f, "-local_scan %s\n", local_scan_data);
#ifdef WITH_CONTENT_SCAN
if (spam_score_int != NULL) fprintf(f,"-spam_score_int %s\n", spam_score_int);
#endif
if (deliver_manual_thaw) fprintf(f, "-manual_thaw\n");
if (sender_set_untrusted) fprintf(f, "-sender_set_untrusted\n");

#ifdef EXPERIMENTAL_BRIGHTMAIL
if (bmi_verdicts != NULL) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts);
#endif

#ifdef SUPPORT_TLS
if (tls_certificate_verified) fprintf(f, "-tls_certificate_verified\n");
if (tls_cipher != NULL) fprintf(f, "-tls_cipher %s\n", tls_cipher);
if (tls_peerdn != NULL) fprintf(f, "-tls_peerdn %s\n", tls_peerdn);
#endif

/* To complete the envelope, write out the tree of non-recipients, followed by
the list of recipients. These won't be disjoint the first time, when no
checking has been done. If a recipient is a "one-time" alias, it is followed by
a space and its parent address number (pno). */

tree_write(tree_nonrecipients, f);
fprintf(f, "%d\n", recipients_count);
for (i = 0; i < recipients_count; i++)
  {
  recipient_item *r = recipients_list + i;
  if (r->pno < 0 && r->errors_to == NULL)
    fprintf(f, "%s\n", r->address);
  else
    {
    uschar *errors_to = (r->errors_to == NULL)? US"" : r->errors_to;
    fprintf(f, "%s %s %d,%d#1\n", r->address, errors_to,
      Ustrlen(errors_to), r->pno);
    }
  }

/* Put a blank line before the headers */

fprintf(f, "\n");

/* Save the size of the file so far so we can subtract it from the final length
to get the actual size of the headers. */

fflush(f);
fstat(fd, &statbuf);
size_correction = statbuf.st_size;

/* Finally, write out the message's headers. To make it easier to read them
in again, precede each one with the count of its length. Make the count fixed
length to aid human eyes when debugging and arrange for it not be included in
the size. It is followed by a space for normal headers, a flagging letter for
various other headers, or an asterisk for old headers that have been rewritten.
These are saved as a record for debugging. Don't included them in the message's
size. */

for (h = header_list; h != NULL; h = h->next)
  {
  fprintf(f, "%03d%c %s", h->slen, h->type, h->text);
  size_correction += 5;
  if (h->type == '*') size_correction += h->slen;
  }

/* Flush and check for any errors while writing */

if (fflush(f) != 0 || ferror(f))
  return spool_write_error(where, errmsg, US"write", temp_name, f);

/* Force the file's contents to be written to disk. Note that fflush()
just pushes it out of C, and fclose() doesn't guarantee to do the write
either. That's just the way Unix works... */

if (fsync(fileno(f)) < 0)
  return spool_write_error(where, errmsg, US"sync", temp_name, f);

/* Get the size of the file, and close it. */

fstat(fd, &statbuf);
if (fclose(f) != 0)
  return spool_write_error(where, errmsg, US"close", temp_name, NULL);

/* Rename the file to its correct name, thereby replacing any previous
incarnation. */

sprintf(CS name, "%s/input/%s/%s-H", spool_directory, message_subdir, id);

if (Urename(temp_name, name) < 0)
  return spool_write_error(where, errmsg, US"rename", temp_name, NULL);

/* Linux (and maybe other OS?) does not automatically sync a directory after
an operation like rename. We therefore have to do it forcibly ourselves in
these cases, to make sure the file is actually accessible on disk, as opposed
to just the data being accessible from a file in lost+found. Linux also has
O_DIRECTORY, for opening a directory.

However, it turns out that some file systems (some versions of NFS?) do not
support directory syncing. It seems safe enough to ignore EINVAL to cope with
these cases. One hack on top of another... but that's life. */

#ifdef NEED_SYNC_DIRECTORY

sprintf(CS temp_name, "%s/input/%s/.", spool_directory, message_subdir);

#ifndef O_DIRECTORY
#define O_DIRECTORY 0
#endif

if ((fd = Uopen(temp_name, O_RDONLY|O_DIRECTORY, 0)) < 0)
  return spool_write_error(where, errmsg, US"directory open", name, NULL);

if (fsync(fd) < 0 && errno != EINVAL)
  return spool_write_error(where, errmsg, US"directory sync", name, NULL);

if (close(fd) < 0)
  return spool_write_error(where, errmsg, US"directory close", name, NULL);

#endif  /* NEED_SYNC_DIRECTORY */

/* Return the number of characters in the headers, which is the file size, less
the prelimary stuff, less the additional count fields on the headers. */

DEBUG(D_receive) debug_printf("Size of headers = %d\n",
  (int)(statbuf.st_size - size_correction));

return statbuf.st_size - size_correction;
}


#ifdef SUPPORT_MOVE_FROZEN_MESSAGES

/************************************************
*              Make a hard link                 *
************************************************/

/* Used by spool_move_message() below. Note re the use of sprintf(): the value
of spool_directory is checked to ensure that it is less than 200 characters at
start-up time.

Arguments:
  dir        base directory name
  subdir     subdirectory name
  id         message id
  suffix     suffix to add to id
  from       source directory prefix
  to         destination directory prefix
  noentok    if TRUE, absence of file is not an error

Returns:     TRUE if all went well
             FALSE, having panic logged if not
*/

static BOOL
make_link(uschar *dir, uschar *subdir, uschar *id, uschar *suffix, uschar *from,
  uschar *to, BOOL noentok)
{
uschar f[256], t[256];
sprintf(CS f, "%s/%s%s/%s/%s%s", spool_directory, from, dir, subdir, id, suffix);
sprintf(CS t, "%s/%s%s/%s/%s%s", spool_directory, to, dir, subdir, id, suffix);
if (Ulink(f, t) < 0 && (!noentok || errno != ENOENT))
  {
  log_write(0, LOG_MAIN|LOG_PANIC, "link(\"%s\", \"%s\") failed while moving "
    "message: %s", f, t, strerror(errno));
  return FALSE;
  }
return TRUE;
}


/************************************************
*                Break a link                   *
************************************************/

/* Used by spool_move_message() below. Note re the use of sprintf(): the value
of spool_directory is checked to ensure that it is less than 200 characters at
start-up time.

Arguments:
  dir        base directory name
  subdir     subdirectory name
  id         message id
  suffix     suffix to add to id
  from       source directory prefix
  noentok    if TRUE, absence of file is not an error

Returns:     TRUE if all went well
             FALSE, having panic logged if not
*/

static BOOL
break_link(uschar *dir, uschar *subdir, uschar *id, uschar *suffix, uschar *from,
  BOOL noentok)
{
uschar f[256];
sprintf(CS f, "%s/%s%s/%s/%s%s", spool_directory, from, dir, subdir, id, suffix);
if (Uunlink(f) < 0 && (!noentok || errno != ENOENT))
  {
  log_write(0, LOG_MAIN|LOG_PANIC, "unlink(\"%s\") failed while moving "
    "message: %s", f, strerror(errno));
  return FALSE;
  }
return TRUE;
}


/************************************************
*            Move message files                 *
************************************************/

/* Move the files for a message (-H, -D, and msglog) from one directory (or
hierarchy) to another. It is assume that there is no -J file in existence when
this is done. At present, this is used only when move_frozen_messages is set,
so compile it only when that support is configured.

Arguments:
  id          the id of the message to be delivered
  subdir      the subdirectory name, or an empty string
  from        a prefix for "input" or "msglog" for where the message is now
  to          a prefix for "input" or "msglog" for where the message is to go

Returns:      TRUE if all is well
              FALSE if not, with error logged in panic and main logs
*/

BOOL
spool_move_message(uschar *id, uschar *subdir, uschar *from, uschar *to)
{
/* Create any output directories that do not exist. */

sprintf(CS big_buffer, "%sinput/%s", to, subdir);
(void)directory_make(spool_directory, big_buffer, INPUT_DIRECTORY_MODE, TRUE);
sprintf(CS big_buffer, "%smsglog/%s", to, subdir);
(void)directory_make(spool_directory, big_buffer, INPUT_DIRECTORY_MODE, TRUE);

/* Move the message by first creating new hard links for all the files, and
then removing the old links. When moving messages onto the main spool, the -H
file should be set up last, because that's the one that tells Exim there is a
message to be delivered, so we create its new link last and remove its old link
first. Programs that look at the alternate directories should follow the same
rule of waiting for a -H file before doing anything. When moving messsages off
the mail spool, the -D file should be open and locked at the time, thus keeping
Exim's hands off. */

if (!make_link(US"msglog", subdir, id, US"", from, to, TRUE) ||
    !make_link(US"input",  subdir, id, US"-D", from, to, FALSE) ||
    !make_link(US"input",  subdir, id, US"-H", from, to, FALSE))
  return FALSE;

if (!break_link(US"input",  subdir, id, US"-H", from, FALSE) ||
    !break_link(US"input",  subdir, id, US"-D", from, FALSE) ||
    !break_link(US"msglog", subdir, id, US"", from, TRUE))
  return FALSE;

log_write(0, LOG_MAIN, "moved from %sinput, %smsglog to %sinput, %smsglog",
   from, from, to, to);

return TRUE;
}

#endif

/* End of spool_out.c */
Commit	Line	Data
d7d7b7b9	1	/* $Cambridge: exim/src/src/spool_out.c,v 1.10 2006/02/07 11:19:00 ph10 Exp $ */
059ec3d9 PH	2
	3	/*************************************************
	4	* Exim - an Internet mail transport agent *
	5	*************************************************/
	6
d7d7b7b9	7	/* Copyright (c) University of Cambridge 1995 - 2006 */
059ec3d9 PH	8	/* See the file NOTICE for conditions of use and distribution. */
	9
	10	/* Functions for writing spool files, and moving them about. */
	11
	12
	13	#include "exim.h"
	14
	15
	16
	17	/*************************************************
	18	* Deal with header writing errors *
	19	*************************************************/
	20
	21	/* This function is called immediately after errors in writing the spool, with
	22	errno still set. It creates and error message, depending on the circumstances.
	23	If errmsg is NULL, it logs the message and panic-dies. Otherwise errmsg is set
	24	to point to the message, and -1 is returned. This function makes the code of
	25	spool_write_header() a bit neater.
	26
	27	Arguments:
	28	where SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
	29	errmsg where to put the message; NULL => panic-die
	30	s text to add to log string
	31	temp_name name of temp file to unlink
	32	f FILE to close, if not NULL
	33
	34	Returns: -1 if errmsg is not NULL; otherwise doesn't return
	35	*/
	36
	37	static int
	38	spool_write_error(int where, uschar *errmsg, uschar s, uschar *temp_name,
	39	FILE *f)
	40	{
	41	uschar *msg = (where == SW_RECEIVING)?
	42	string_sprintf("spool file %s error while receiving from %s: %s", s,
	43	(sender_fullhost != NULL)? sender_fullhost : sender_ident,
	44	strerror(errno))
	45	:
	46	string_sprintf("spool file %s error while %s: %s", s,
	47	(where == SW_DELIVERING)? "delivering" : "modifying",
	48	strerror(errno));
	49
	50	if (temp_name != NULL) Uunlink(temp_name);
f1e894f3	51	if (f != NULL) (void)fclose(f);
059ec3d9 PH	52
	53	if (errmsg == NULL)
	54	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", msg);
	55	else
	56	*errmsg = msg;
	57
	58	return -1;
	59	}
	60
	61
	62
	63	/*************************************************
	64	* Open file under temporary name *
	65	*************************************************/
	66
	67	/* This is used for opening spool files under a temporary name,
	68	with a single attempt at deleting if they already exist.
	69
	70	Argument: temporary name for spool header file
	71	Returns: file descriptor of open file, or < 0 on failure, with errno unchanged
	72	*/
	73
	74	int
	75	spool_open_temp(uschar *temp_name)
	76	{
	77	int fd = Uopen(temp_name, O_RDWR\|O_CREAT\|O_EXCL, SPOOL_MODE);
	78
	79	/* If the file already exists, something has gone wrong. This process may well
	80	have previously created the file if it is delivering more than one address, but
	81	it should have renamed it almost immediately. A file could, however, be left
	82	around as a result of a system crash, and by coincidence this process might
	83	have the same pid. We therefore have one go at unlinking it before giving up.
	84	*/
	85
	86	if (fd < 0 && errno == EEXIST)
	87	{
	88	DEBUG(D_any) debug_printf("%s exists: unlinking\n", temp_name);
	89	Uunlink(temp_name);
	90	fd = Uopen(temp_name, O_RDWR\|O_CREAT\|O_EXCL, SPOOL_MODE);
	91	}
	92
	93	/* If the file has been opened, make sure the file's group is the Exim gid, and
	94	double-check the mode because the group setting doesn't always get set
	95	automatically. */
	96
	97	if (fd >= 0)
	98	{
ff790e47 PH	99	(void)fchown(fd, exim_uid, exim_gid);
ff790e47 PH	100	(void)fchmod(fd, SPOOL_MODE);
059ec3d9 PH	101	}
	102
	103	return fd;
	104	}
	105
	106
	107
	108	/*************************************************
	109	* Write the header spool file *
	110	*************************************************/
	111
	112	/* Returns the size of the file for success; zero for failure. The file is
	113	written under a temporary name, and then renamed. It's done this way so that it
	114	works with re-writing the file on message deferral as well as for the initial
	115	write. Whenever this function is called, the data file for the message should
	116	be open and locked, thus preventing any other exim process from working on this
	117	message.
	118
	119	Argument:
	120	id the message id
	121	where SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
	122	errmsg where to put an error message; if NULL, panic-die on error
	123
	124	Returns: the size of the header texts on success;
	125	negative on writing failure, unless errmsg == NULL
	126	*/
	127
	128	int
	129	spool_write_header(uschar id, int where, uschar *errmsg)
	130	{
	131	int fd;
	132	int i;
	133	int size_correction;
	134	FILE *f;
	135	header_line *h;
	136	struct stat statbuf;
	137	uschar name[256];
	138	uschar temp_name[256];
	139
	140	sprintf(CS temp_name, "%s/input/%s/hdr.%d", spool_directory, message_subdir,
	141	(int)getpid());
	142	fd = spool_open_temp(temp_name);
	143	if (fd < 0) return spool_write_error(where, errmsg, US"open", NULL, NULL);
	144	f = fdopen(fd, "wb");
	145	DEBUG(D_receive\|D_deliver) debug_printf("Writing spool header file\n");
	146
	147	/* We now have an open file to which the header data is to be written. Start
	148	with the file's leaf name, to make the file self-identifying. Continue with the
	149	identity of the submitting user, followed by the sender's address. The sender's
	150	address is enclosed in <> because it might be the null address. Then write the
	151	received time and the number of warning messages that have been sent. */
	152
	153	fprintf(f, "%s-H\n", message_id);
	154	fprintf(f, "%.63s %ld %ld\n", originator_login, (long int)originator_uid,
	155	(long int)originator_gid);
	156	fprintf(f, "<%s>\n", sender_address);
	157	fprintf(f, "%d %d\n", received_time, warning_count);
	158
	159	/* If there is information about a sending host, remember it. The HELO
	160	data can be set for local SMTP as well as remote. */
	161
	162	if (sender_helo_name != NULL)
	163	fprintf(f, "-helo_name %s\n", sender_helo_name);
	164
165	if (sender_host_address != NULL)
166	{
167	fprintf(f, "-host_address %s.%d\n", sender_host_address, sender_host_port);
168	if (sender_host_name != NULL)
169	fprintf(f, "-host_name %s\n", sender_host_name);
170	if (sender_host_authenticated != NULL)
171	fprintf(f, "-host_auth %s\n", sender_host_authenticated);
172	}
173
174	/* Also about the interface a message came in on */
175
176	if (interface_address != NULL)
177	fprintf(f, "-interface_address %s.%d\n", interface_address, interface_port);
8e669ac1	178
1f5b4c3d	179	if (smtp_active_hostname != primary_hostname)
8e669ac1	180	fprintf(f, "-active_hostname %s\n", smtp_active_hostname);
059ec3d9 PH	181
	182	/* Likewise for any ident information; for local messages this is
	183	likely to be the same as originator_login, but will be different if
	184	the originator was root, forcing a different ident. */
	185
	186	if (sender_ident != NULL) fprintf(f, "-ident %s\n", sender_ident);
	187
	188	/* Ditto for the received protocol */
	189
	190	if (received_protocol != NULL)
	191	fprintf(f, "-received_protocol %s\n", received_protocol);
	192
	193	/* Preserve any ACL variables that are set. Because the values may contain
	194	newlines, we use an explicit length. */
	195
47ca6d6c	196	for (i = 0; i < ACL_CVARS; i++)
059ec3d9 PH	197	{
059ec3d9 PH	198	if (acl_var[i] != NULL)
47ca6d6c PH	199	fprintf(f, "-aclc %d %d\n%s\n", i, Ustrlen(acl_var[i]), acl_var[i]);
	200	}
	201
	202	for (i = 0; i < ACL_MVARS; i++)
	203	{
	204	int j = i + ACL_CVARS;
	205	if (acl_var[j] != NULL)
	206	fprintf(f, "-aclm %d %d\n%s\n", i, Ustrlen(acl_var[j]), acl_var[j]);
059ec3d9 PH	207	}
	208
	209	/* Now any other data that needs to be remembered. */
	210
	211	fprintf(f, "-body_linecount %d\n", body_linecount);
	212
	213	if (body_zerocount > 0) fprintf(f, "-body_zerocount %d\n", body_zerocount);
	214
	215	if (authenticated_id != NULL)
	216	fprintf(f, "-auth_id %s\n", authenticated_id);
	217	if (authenticated_sender != NULL)
	218	fprintf(f, "-auth_sender %s\n", authenticated_sender);
	219
	220	if (allow_unqualified_recipient) fprintf(f, "-allow_unqualified_recipient\n");
	221	if (allow_unqualified_sender) fprintf(f, "-allow_unqualified_sender\n");
	222	if (deliver_firsttime) fprintf(f, "-deliver_firsttime\n");
	223	if (deliver_freeze) fprintf(f, "-frozen %d\n", deliver_frozen_at);
	224	if (dont_deliver) fprintf(f, "-N\n");
b08b24c8	225	if (host_lookup_deferred) fprintf(f, "-host_lookup_deferred\n");
059ec3d9 PH	226	if (host_lookup_failed) fprintf(f, "-host_lookup_failed\n");
	227	if (sender_local) fprintf(f, "-local\n");
	228	if (local_error_message) fprintf(f, "-localerror\n");
	229	if (local_scan_data != NULL) fprintf(f, "-local_scan %s\n", local_scan_data);
8523533c TK	230	#ifdef WITH_CONTENT_SCAN
	231	if (spam_score_int != NULL) fprintf(f,"-spam_score_int %s\n", spam_score_int);
	232	#endif
059ec3d9 PH	233	if (deliver_manual_thaw) fprintf(f, "-manual_thaw\n");
	234	if (sender_set_untrusted) fprintf(f, "-sender_set_untrusted\n");
	235
8523533c TK	236	#ifdef EXPERIMENTAL_BRIGHTMAIL
	237	if (bmi_verdicts != NULL) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts);
	238	#endif
	239
059ec3d9 PH	240	#ifdef SUPPORT_TLS
	241	if (tls_certificate_verified) fprintf(f, "-tls_certificate_verified\n");
	242	if (tls_cipher != NULL) fprintf(f, "-tls_cipher %s\n", tls_cipher);
	243	if (tls_peerdn != NULL) fprintf(f, "-tls_peerdn %s\n", tls_peerdn);
	244	#endif
	245
	246	/* To complete the envelope, write out the tree of non-recipients, followed by
	247	the list of recipients. These won't be disjoint the first time, when no
	248	checking has been done. If a recipient is a "one-time" alias, it is followed by
	249	a space and its parent address number (pno). */
	250
	251	tree_write(tree_nonrecipients, f);
	252	fprintf(f, "%d\n", recipients_count);
	253	for (i = 0; i < recipients_count; i++)
	254	{
	255	recipient_item *r = recipients_list + i;
	256	if (r->pno < 0 && r->errors_to == NULL)
	257	fprintf(f, "%s\n", r->address);
	258	else
	259	{
	260	uschar *errors_to = (r->errors_to == NULL)? US"" : r->errors_to;
	261	fprintf(f, "%s %s %d,%d#1\n", r->address, errors_to,
	262	Ustrlen(errors_to), r->pno);
	263	}
	264	}
	265
	266	/* Put a blank line before the headers */
	267
	268	fprintf(f, "\n");
	269
	270	/* Save the size of the file so far so we can subtract it from the final length
	271	to get the actual size of the headers. */
	272
	273	fflush(f);
	274	fstat(fd, &statbuf);
	275	size_correction = statbuf.st_size;
	276
	277	/* Finally, write out the message's headers. To make it easier to read them
	278	in again, precede each one with the count of its length. Make the count fixed
	279	length to aid human eyes when debugging and arrange for it not be included in
	280	the size. It is followed by a space for normal headers, a flagging letter for
	281	various other headers, or an asterisk for old headers that have been rewritten.
	282	These are saved as a record for debugging. Don't included them in the message's
	283	size. */
	284
	285	for (h = header_list; h != NULL; h = h->next)
	286	{
	287	fprintf(f, "%03d%c %s", h->slen, h->type, h->text);
	288	size_correction += 5;
	289	if (h->type == '*') size_correction += h->slen;
	290	}
	291
	292	/* Flush and check for any errors while writing */
	293
	294	if (fflush(f) != 0 \|\| ferror(f))
	295	return spool_write_error(where, errmsg, US"write", temp_name, f);
	296
	297	/* Force the file's contents to be written to disk. Note that fflush()
	298	just pushes it out of C, and fclose() doesn't guarantee to do the write
	299	either. That's just the way Unix works... */
	300
	301	if (fsync(fileno(f)) < 0)
	302	return spool_write_error(where, errmsg, US"sync", temp_name, f);
	303
304	/* Get the size of the file, and close it. */
305
306	fstat(fd, &statbuf);
307	if (fclose(f) != 0)
308	return spool_write_error(where, errmsg, US"close", temp_name, NULL);
309
310	/* Rename the file to its correct name, thereby replacing any previous
311	incarnation. */
312
313	sprintf(CS name, "%s/input/%s/%s-H", spool_directory, message_subdir, id);
314
315	if (Urename(temp_name, name) < 0)
316	return spool_write_error(where, errmsg, US"rename", temp_name, NULL);
317
318	/* Linux (and maybe other OS?) does not automatically sync a directory after
319	an operation like rename. We therefore have to do it forcibly ourselves in
320	these cases, to make sure the file is actually accessible on disk, as opposed
321	to just the data being accessible from a file in lost+found. Linux also has
322	O_DIRECTORY, for opening a directory.
323
324	However, it turns out that some file systems (some versions of NFS?) do not
325	support directory syncing. It seems safe enough to ignore EINVAL to cope with
326	these cases. One hack on top of another... but that's life. */
327
328	#ifdef NEED_SYNC_DIRECTORY
329
330	sprintf(CS temp_name, "%s/input/%s/.", spool_directory, message_subdir);
331
332	#ifndef O_DIRECTORY
333	#define O_DIRECTORY 0
334	#endif
335
336	if ((fd = Uopen(temp_name, O_RDONLY\|O_DIRECTORY, 0)) < 0)
337	return spool_write_error(where, errmsg, US"directory open", name, NULL);
338
339	if (fsync(fd) < 0 && errno != EINVAL)
340	return spool_write_error(where, errmsg, US"directory sync", name, NULL);
341
342	if (close(fd) < 0)
343	return spool_write_error(where, errmsg, US"directory close", name, NULL);
344
345	#endif /* NEED_SYNC_DIRECTORY */
346
347	/* Return the number of characters in the headers, which is the file size, less
348	the prelimary stuff, less the additional count fields on the headers. */
349
350	DEBUG(D_receive) debug_printf("Size of headers = %d\n",
351	(int)(statbuf.st_size - size_correction));
352
353	return statbuf.st_size - size_correction;
354	}
355
356
357	#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
358
359	/************************************************
360	* Make a hard link *
361	************************************************/
362
363	/* Used by spool_move_message() below. Note re the use of sprintf(): the value
364	of spool_directory is checked to ensure that it is less than 200 characters at
365	start-up time.
366
367	Arguments:
368	dir base directory name
369	subdir subdirectory name
370	id message id
371	suffix suffix to add to id
372	from source directory prefix
373	to destination directory prefix
374	noentok if TRUE, absence of file is not an error
375
376	Returns: TRUE if all went well
377	FALSE, having panic logged if not
378	*/
379
380	static BOOL
381	make_link(uschar dir, uschar subdir, uschar id, uschar suffix, uschar *from,
382	uschar *to, BOOL noentok)
383	{
384	uschar f[256], t[256];
385	sprintf(CS f, "%s/%s%s/%s/%s%s", spool_directory, from, dir, subdir, id, suffix);
386	sprintf(CS t, "%s/%s%s/%s/%s%s", spool_directory, to, dir, subdir, id, suffix);
387	if (Ulink(f, t) < 0 && (!noentok \|\| errno != ENOENT))
388	{
389	log_write(0, LOG_MAIN\|LOG_PANIC, "link(\"%s\", \"%s\") failed while moving "
390	"message: %s", f, t, strerror(errno));
391	return FALSE;
392	}
393	return TRUE;
394	}
395
396
397
398	/************************************************
399	* Break a link *
400	************************************************/
401
402	/* Used by spool_move_message() below. Note re the use of sprintf(): the value
403	of spool_directory is checked to ensure that it is less than 200 characters at
404	start-up time.
405
406	Arguments:
407	dir base directory name
408	subdir subdirectory name
409	id message id
410	suffix suffix to add to id
411	from source directory prefix
412	noentok if TRUE, absence of file is not an error
413
414	Returns: TRUE if all went well
415	FALSE, having panic logged if not
416	*/
417
418	static BOOL
419	break_link(uschar dir, uschar subdir, uschar id, uschar suffix, uschar *from,
420	BOOL noentok)
421	{
422	uschar f[256];
423	sprintf(CS f, "%s/%s%s/%s/%s%s", spool_directory, from, dir, subdir, id, suffix);
424	if (Uunlink(f) < 0 && (!noentok \|\| errno != ENOENT))
425	{
426	log_write(0, LOG_MAIN\|LOG_PANIC, "unlink(\"%s\") failed while moving "
427	"message: %s", f, strerror(errno));
428	return FALSE;
429	}
430	return TRUE;
431	}
432
433
434
435	/************************************************
436	* Move message files *
437	************************************************/
438
439	/* Move the files for a message (-H, -D, and msglog) from one directory (or
440	hierarchy) to another. It is assume that there is no -J file in existence when
441	this is done. At present, this is used only when move_frozen_messages is set,
442	so compile it only when that support is configured.
443
444	Arguments:
445	id the id of the message to be delivered
446	subdir the subdirectory name, or an empty string
447	from a prefix for "input" or "msglog" for where the message is now
448	to a prefix for "input" or "msglog" for where the message is to go
449
450	Returns: TRUE if all is well
451	FALSE if not, with error logged in panic and main logs
452	*/
453
454	BOOL
455	spool_move_message(uschar id, uschar subdir, uschar from, uschar to)
456	{
457	/* Create any output directories that do not exist. */
458
459	sprintf(CS big_buffer, "%sinput/%s", to, subdir);
460	(void)directory_make(spool_directory, big_buffer, INPUT_DIRECTORY_MODE, TRUE);
461	sprintf(CS big_buffer, "%smsglog/%s", to, subdir);
462	(void)directory_make(spool_directory, big_buffer, INPUT_DIRECTORY_MODE, TRUE);
463
464	/* Move the message by first creating new hard links for all the files, and
465	then removing the old links. When moving messages onto the main spool, the -H
466	file should be set up last, because that's the one that tells Exim there is a
467	message to be delivered, so we create its new link last and remove its old link
468	first. Programs that look at the alternate directories should follow the same
469	rule of waiting for a -H file before doing anything. When moving messsages off
470	the mail spool, the -D file should be open and locked at the time, thus keeping
471	Exim's hands off. */
472
473	if (!make_link(US"msglog", subdir, id, US"", from, to, TRUE) \|\|
474	!make_link(US"input", subdir, id, US"-D", from, to, FALSE) \|\|
475	!make_link(US"input", subdir, id, US"-H", from, to, FALSE))
476	return FALSE;
477
478	if (!break_link(US"input", subdir, id, US"-H", from, FALSE) \|\|
479	!break_link(US"input", subdir, id, US"-D", from, FALSE) \|\|
480	!break_link(US"msglog", subdir, id, US"", from, TRUE))
481	return FALSE;
482
483	log_write(0, LOG_MAIN, "moved from %sinput, %smsglog to %sinput, %smsglog",
484	from, from, to, to);
485
486	return TRUE;
487	}
488
489	#endif
490
491	/* End of spool_out.c */