Commit | Line | Data |
---|---|---|
d7d7b7b9 | 1 | /* $Cambridge: exim/src/src/spool_out.c,v 1.10 2006/02/07 11:19:00 ph10 Exp $ */ |
059ec3d9 PH |
2 | |
3 | /************************************************* | |
4 | * Exim - an Internet mail transport agent * | |
5 | *************************************************/ | |
6 | ||
d7d7b7b9 | 7 | /* Copyright (c) University of Cambridge 1995 - 2006 */ |
059ec3d9 PH |
8 | /* See the file NOTICE for conditions of use and distribution. */ |
9 | ||
10 | /* Functions for writing spool files, and moving them about. */ | |
11 | ||
12 | ||
13 | #include "exim.h" | |
14 | ||
15 | ||
16 | ||
17 | /************************************************* | |
18 | * Deal with header writing errors * | |
19 | *************************************************/ | |
20 | ||
21 | /* This function is called immediately after errors in writing the spool, with | |
22 | errno still set. It creates an error message, depending on the circumstances. | |
23 | If errmsg is NULL, it logs the message and panic-dies. Otherwise errmsg is set | |
24 | to point to the message, and -1 is returned. This function makes the code of | |
25 | spool_write_header() a bit neater. | |
26 | ||
27 | Arguments: | |
28 | where SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING | |
29 | errmsg where to put the message; NULL => panic-die | |
30 | s text to add to log string | |
31 | temp_name name of temp file to unlink | |
32 | f FILE to close, if not NULL | |
33 | ||
34 | Returns: -1 if errmsg is not NULL; otherwise doesn't return | |
35 | */ | |
36 | ||
/* Report a failure that occurred while writing a spool file. Must be called
with errno still holding the value from the failed operation, because the
message text is built from strerror(errno) before anything else is done.

The message may contain text that originates from the remote side
(sender_fullhost or sender_ident). It is handed to log_write() as the argument
of a "%s" format, never as the format string itself, so any '%' characters in
it are not interpreted.

Arguments:
  where      SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
  errmsg     where to store the message; NULL => log it and panic-die
  s          name of the operation that failed, inserted into the message
  temp_name  file to unlink, or NULL
  f          stream to close, or NULL

Returns:     -1 when errmsg is not NULL
*/

static int
spool_write_error(int where, uschar **errmsg, uschar *s, uschar *temp_name,
  FILE *f)
{
  uschar *msg;

  /* Format the text first, while errno is still the original error. */
  if (where == SW_RECEIVING)
  {
    uschar *peer = (sender_fullhost != NULL)? sender_fullhost : sender_ident;
    msg = string_sprintf("spool file %s error while receiving from %s: %s", s,
      peer, strerror(errno));
  }
  else
  {
    const char *activity = (where == SW_DELIVERING)? "delivering" : "modifying";
    msg = string_sprintf("spool file %s error while %s: %s", s, activity,
      strerror(errno));
  }

  /* Tidy up: remove the partial file and release the stream. The result of
  fclose() is discarded because an error is already being reported. */
  if (temp_name != NULL) Uunlink(temp_name);
  if (f != NULL) (void)fclose(f);

  /* With no errmsg slot the caller wants a panic-die; LOG_PANIC_DIE is passed
  to log_write() for that. Otherwise hand the text back to the caller. */
  if (errmsg != NULL)
    *errmsg = msg;
  else
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", msg);

  return -1;
}
60 | ||
61 | ||
62 | ||
63 | /************************************************* | |
64 | * Open file under temporary name * | |
65 | *************************************************/ | |
66 | ||
67 | /* This is used for opening spool files under a temporary name, | |
68 | with a single attempt at deleting if they already exist. | |
69 | ||
70 | Argument: temporary name for spool header file | |
71 | Returns: file descriptor of open file, or < 0 on failure, with errno unchanged | |
72 | */ | |
73 | ||
/* Create and open a spool file under a temporary name.

The open always uses O_CREAT|O_EXCL, so it only succeeds when this call
creates the file; an existing entry of that name makes it fail with EEXIST
rather than being reused. In that one case the stale entry is unlinked and the
exclusive create is retried once.

Argument:  temp_name  temporary name for the spool header file
Returns:   an open file descriptor, or a negative value on failure
*/

int
spool_open_temp(uschar *temp_name)
{
  int fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);

  if (fd < 0)
  {
    /* Anything other than "already exists" is reported as it stands. */
    if (errno != EEXIST) return fd;

    /* A leftover file can survive a system crash, and by coincidence this
    process may have been given the same pid as the one that created it. Make
    a single attempt at removing it, then try the exclusive create again. */
    DEBUG(D_any) debug_printf("%s exists: unlinking\n", temp_name);
    Uunlink(temp_name);
    fd = Uopen(temp_name, O_RDWR|O_CREAT|O_EXCL, SPOOL_MODE);
    if (fd < 0) return fd;
  }

  /* The file is open. Set its owner and group to the Exim uid/gid and reapply
  the mode, because the group is not always set automatically. Both return
  values are discarded, so a failure to set ownership or mode is not reported
  to the caller. */
  (void)fchown(fd, exim_uid, exim_gid);
  (void)fchmod(fd, SPOOL_MODE);

  return fd;
}
105 | ||
106 | ||
107 | ||
108 | /************************************************* | |
109 | * Write the header spool file * | |
110 | *************************************************/ | |
111 | ||
112 | /* Returns the size of the file for success; zero for failure. The file is | |
113 | written under a temporary name, and then renamed. It's done this way so that it | |
114 | works with re-writing the file on message deferral as well as for the initial | |
115 | write. Whenever this function is called, the data file for the message should | |
116 | be open and locked, thus preventing any other exim process from working on this | |
117 | message. | |
118 | ||
119 | Argument: | |
120 | id the message id | |
121 | where SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING | |
122 | errmsg where to put an error message; if NULL, panic-die on error | |
123 | ||
124 | Returns: the size of the header texts on success; | |
125 | negative on writing failure, unless errmsg == NULL | |
126 | */ | |
127 | ||
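/* Write the -H (header) spool file for a message.

The data is written to a temporary file named after this process's pid,
flushed and fsync'd, and only then renamed over "<id>-H", so a reader never
sees a partly written header file. Note that the first line of the file is
built from the global message_id, while the final file name uses the id
argument.

Every failure path goes through spool_write_error(): with errmsg == NULL that
logs and panic-dies, otherwise *errmsg is set and a negative value is returned.

Arguments:
  id        the message id
  where     SW_RECEIVING, SW_DELIVERING, or SW_MODIFYING
  errmsg    where to put an error message; if NULL, panic-die on error

Returns:    the size of the header texts on success;
            negative on failure, unless errmsg == NULL
*/

int
spool_write_header(uschar *id, int where, uschar **errmsg)
{
  int fd;
  int i;
  int n;
  int size_correction;
  FILE *f;
  header_line *h;
  struct stat statbuf;
  uschar name[256];
  uschar temp_name[256];

  /* Build the temporary name with a bounded write. A name that does not fit
  is reported as an error instead of being written past the end of the buffer. */

  n = snprintf(CS temp_name, sizeof(temp_name), "%s/input/%s/hdr.%d",
    spool_directory, message_subdir, (int)getpid());
  if (n < 0 || n >= (int)sizeof(temp_name))
  {
    errno = ENAMETOOLONG;
    return spool_write_error(where, errmsg, US"name", NULL, NULL);
  }

  fd = spool_open_temp(temp_name);
  if (fd < 0) return spool_write_error(where, errmsg, US"open", NULL, NULL);

  /* fdopen() can fail (for example when memory is short). Without this check
  every fprintf() below would be handed a NULL stream. Preserve errno across
  close() so that the reported error is the one from fdopen(). */

  f = fdopen(fd, "wb");
  if (f == NULL)
  {
    int save_errno = errno;
    (void)close(fd);
    errno = save_errno;
    return spool_write_error(where, errmsg, US"fdopen", temp_name, NULL);
  }
  DEBUG(D_receive|D_deliver) debug_printf("Writing spool header file\n");

  /* We now have an open file to which the header data is to be written. Start
  with the file's leaf name, to make the file self-identifying. Continue with the
  identity of the submitting user, followed by the sender's address. The sender's
  address is enclosed in <> because it might be the null address. Then write the
  received time and the number of warning messages that have been sent. */

  fprintf(f, "%s-H\n", message_id);
  fprintf(f, "%.63s %ld %ld\n", originator_login, (long int)originator_uid,
    (long int)originator_gid);
  fprintf(f, "<%s>\n", sender_address);
  fprintf(f, "%d %d\n", received_time, warning_count);

  /* The "-name value" records that follow are each terminated by a single
  newline and carry no length, unlike the ACL variables further down. The
  format therefore depends on none of these values containing a newline.
  NOTE(review): several of them (HELO name, ident, authenticated id/sender,
  TLS peer DN, local_scan data) can originate outside this process; confirm
  that a value containing '\n' is rejected or sanitized before it gets here,
  since otherwise the text after the newline would be read back as separate
  records. */

  /* If there is information about a sending host, remember it. The HELO
  data can be set for local SMTP as well as remote. */

  if (sender_helo_name != NULL)
    fprintf(f, "-helo_name %s\n", sender_helo_name);

  if (sender_host_address != NULL)
  {
    fprintf(f, "-host_address %s.%d\n", sender_host_address, sender_host_port);
    if (sender_host_name != NULL)
      fprintf(f, "-host_name %s\n", sender_host_name);
    if (sender_host_authenticated != NULL)
      fprintf(f, "-host_auth %s\n", sender_host_authenticated);
  }

  /* Also about the interface a message came in on */

  if (interface_address != NULL)
    fprintf(f, "-interface_address %s.%d\n", interface_address, interface_port);

  /* This compares the two pointers, not the strings they point to. */

  if (smtp_active_hostname != primary_hostname)
    fprintf(f, "-active_hostname %s\n", smtp_active_hostname);

  /* Likewise for any ident information; for local messages this is
  likely to be the same as originator_login, but will be different if
  the originator was root, forcing a different ident. */

  if (sender_ident != NULL) fprintf(f, "-ident %s\n", sender_ident);

  /* Ditto for the received protocol */

  if (received_protocol != NULL)
    fprintf(f, "-received_protocol %s\n", received_protocol);

  /* Preserve any ACL variables that are set. Because the values may contain
  newlines, we use an explicit length. The connection variables occupy the
  first ACL_CVARS slots of acl_var[] and the message variables follow them. */

  for (i = 0; i < ACL_CVARS; i++)
  {
    if (acl_var[i] != NULL)
      fprintf(f, "-aclc %d %d\n%s\n", i, Ustrlen(acl_var[i]), acl_var[i]);
  }

  for (i = 0; i < ACL_MVARS; i++)
  {
    int j = i + ACL_CVARS;
    if (acl_var[j] != NULL)
      fprintf(f, "-aclm %d %d\n%s\n", i, Ustrlen(acl_var[j]), acl_var[j]);
  }

  /* Now any other data that needs to be remembered. */

  fprintf(f, "-body_linecount %d\n", body_linecount);

  if (body_zerocount > 0) fprintf(f, "-body_zerocount %d\n", body_zerocount);

  if (authenticated_id != NULL)
    fprintf(f, "-auth_id %s\n", authenticated_id);
  if (authenticated_sender != NULL)
    fprintf(f, "-auth_sender %s\n", authenticated_sender);

  if (allow_unqualified_recipient) fprintf(f, "-allow_unqualified_recipient\n");
  if (allow_unqualified_sender) fprintf(f, "-allow_unqualified_sender\n");
  if (deliver_firsttime) fprintf(f, "-deliver_firsttime\n");
  if (deliver_freeze) fprintf(f, "-frozen %d\n", deliver_frozen_at);
  if (dont_deliver) fprintf(f, "-N\n");
  if (host_lookup_deferred) fprintf(f, "-host_lookup_deferred\n");
  if (host_lookup_failed) fprintf(f, "-host_lookup_failed\n");
  if (sender_local) fprintf(f, "-local\n");
  if (local_error_message) fprintf(f, "-localerror\n");
  if (local_scan_data != NULL) fprintf(f, "-local_scan %s\n", local_scan_data);
#ifdef WITH_CONTENT_SCAN
  if (spam_score_int != NULL) fprintf(f,"-spam_score_int %s\n", spam_score_int);
#endif
  if (deliver_manual_thaw) fprintf(f, "-manual_thaw\n");
  if (sender_set_untrusted) fprintf(f, "-sender_set_untrusted\n");

#ifdef EXPERIMENTAL_BRIGHTMAIL
  if (bmi_verdicts != NULL) fprintf(f, "-bmi_verdicts %s\n", bmi_verdicts);
#endif

#ifdef SUPPORT_TLS
  if (tls_certificate_verified) fprintf(f, "-tls_certificate_verified\n");
  if (tls_cipher != NULL) fprintf(f, "-tls_cipher %s\n", tls_cipher);
  if (tls_peerdn != NULL) fprintf(f, "-tls_peerdn %s\n", tls_peerdn);
#endif

  /* To complete the envelope, write out the tree of non-recipients, followed by
  the list of recipients. These won't be disjoint the first time, when no
  checking has been done. If a recipient is a "one-time" alias, it is followed by
  a space and its parent address number (pno). */

  tree_write(tree_nonrecipients, f);
  fprintf(f, "%d\n", recipients_count);
  for (i = 0; i < recipients_count; i++)
  {
    recipient_item *r = recipients_list + i;
    if (r->pno < 0 && r->errors_to == NULL)
      fprintf(f, "%s\n", r->address);
    else
    {
      uschar *errors_to = (r->errors_to == NULL)? US"" : r->errors_to;
      fprintf(f, "%s %s %d,%d#1\n", r->address, errors_to,
        Ustrlen(errors_to), r->pno);
    }
  }

  /* Put a blank line before the headers */

  fprintf(f, "\n");

  /* Save the size of the file so far so we can subtract it from the final length
  to get the actual size of the headers. A failed fstat() would leave statbuf
  unset, so treat it as a write error rather than computing a size from it. A
  failed fflush() here leaves the stream's error indicator set and is picked up
  by the ferror() check below. */

  fflush(f);
  if (fstat(fd, &statbuf) < 0)
    return spool_write_error(where, errmsg, US"stat", temp_name, f);
  size_correction = statbuf.st_size;

  /* Finally, write out the message's headers. To make it easier to read them
  in again, precede each one with the count of its length. Make the count fixed
  length to aid human eyes when debugging and arrange for it not to be included
  in the size. It is followed by a space for normal headers, a flagging letter
  for various other headers, or an asterisk for old headers that have been
  rewritten. These are saved as a record for debugging. Don't include them in
  the message's size. */

  for (h = header_list; h != NULL; h = h->next)
  {
    fprintf(f, "%03d%c %s", h->slen, h->type, h->text);
    size_correction += 5;
    if (h->type == '*') size_correction += h->slen;
  }

  /* Flush and check for any errors while writing */

  if (fflush(f) != 0 || ferror(f))
    return spool_write_error(where, errmsg, US"write", temp_name, f);

  /* Force the file's contents to be written to disk. Note that fflush()
  just pushes it out of C, and fclose() doesn't guarantee to do the write
  either. That's just the way Unix works... */

  if (fsync(fileno(f)) < 0)
    return spool_write_error(where, errmsg, US"sync", temp_name, f);

  /* Get the size of the file, and close it. */

  if (fstat(fd, &statbuf) < 0)
    return spool_write_error(where, errmsg, US"stat", temp_name, f);
  if (fclose(f) != 0)
    return spool_write_error(where, errmsg, US"close", temp_name, NULL);

  /* Rename the file to its correct name, thereby replacing any previous
  incarnation. The name is built with a bounded write, as for temp_name. */

  n = snprintf(CS name, sizeof(name), "%s/input/%s/%s-H", spool_directory,
    message_subdir, id);
  if (n < 0 || n >= (int)sizeof(name))
  {
    errno = ENAMETOOLONG;
    return spool_write_error(where, errmsg, US"name", temp_name, NULL);
  }

  if (Urename(temp_name, name) < 0)
    return spool_write_error(where, errmsg, US"rename", temp_name, NULL);

  /* Linux (and maybe other OS?) does not automatically sync a directory after
  an operation like rename. We therefore have to do it forcibly ourselves in
  these cases, to make sure the file is actually accessible on disk, as opposed
  to just the data being accessible from a file in lost+found. Linux also has
  O_DIRECTORY, for opening a directory.

  However, it turns out that some file systems (some versions of NFS?) do not
  support directory syncing. It seems safe enough to ignore EINVAL to cope with
  these cases. One hack on top of another... but that's life.

  On any failure in this section the already renamed -H file (name) is what
  spool_write_error() is asked to unlink. */

#ifdef NEED_SYNC_DIRECTORY

  /* This string is shorter than the temporary file name built above from the
  same components, so it fits whenever that one did. */

  (void)snprintf(CS temp_name, sizeof(temp_name), "%s/input/%s/.",
    spool_directory, message_subdir);

#ifndef O_DIRECTORY
#define O_DIRECTORY 0
#endif

  if ((fd = Uopen(temp_name, O_RDONLY|O_DIRECTORY, 0)) < 0)
    return spool_write_error(where, errmsg, US"directory open", name, NULL);

  if (fsync(fd) < 0 && errno != EINVAL)
  {
    /* Do not leak the directory descriptor on the error path; keep errno from
    fsync() for the message. */
    int save_errno = errno;
    (void)close(fd);
    errno = save_errno;
    return spool_write_error(where, errmsg, US"directory sync", name, NULL);
  }

  if (close(fd) < 0)
    return spool_write_error(where, errmsg, US"directory close", name, NULL);

#endif  /* NEED_SYNC_DIRECTORY */

  /* Return the number of characters in the headers, which is the file size, less
  the preliminary stuff, less the additional count fields on the headers. */

  DEBUG(D_receive) debug_printf("Size of headers = %d\n",
    (int)(statbuf.st_size - size_correction));

  return statbuf.st_size - size_correction;
}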
355 | ||
356 | ||
357 | #ifdef SUPPORT_MOVE_FROZEN_MESSAGES | |
358 | ||
359 | /************************************************ | |
360 | * Make a hard link * | |
361 | ************************************************/ | |
362 | ||
363 | /* Used by spool_move_message() below. Note re the use of sprintf(): the value | |
364 | of spool_directory is checked to ensure that it is less than 200 characters at | |
365 | start-up time. | |
366 | ||
367 | Arguments: | |
368 | dir base directory name | |
369 | subdir subdirectory name | |
370 | id message id | |
371 | suffix suffix to add to id | |
372 | from source directory prefix | |
373 | to destination directory prefix | |
374 | noentok if TRUE, absence of file is not an error | |
375 | ||
376 | Returns: TRUE if all went well | |
377 | FALSE, having panic logged if not | |
378 | */ | |
379 | ||
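/* Create a hard link for one message file from the source hierarchy to the
destination hierarchy. Used by spool_move_message().

Both path names are built with bounded writes into fixed 256-byte buffers. The
start-up check on the length of spool_directory does not cover the other
components (from, to, dir, subdir, id, suffix), so a name that does not fit is
logged and treated as a failure instead of being written past the buffer.

Arguments:
  dir        base directory name
  subdir     subdirectory name
  id         message id
  suffix     suffix to add to id
  from       source directory prefix
  to         destination directory prefix
  noentok    if TRUE, absence of file is not an error

Returns:     TRUE if all went well
             FALSE, having panic logged if not
*/

static BOOL
make_link(uschar *dir, uschar *subdir, uschar *id, uschar *suffix, uschar *from,
  uschar *to, BOOL noentok)
{
  uschar f[256], t[256];
  int flen = snprintf(CS f, sizeof(f), "%s/%s%s/%s/%s%s", spool_directory, from,
    dir, subdir, id, suffix);
  int tlen = snprintf(CS t, sizeof(t), "%s/%s%s/%s/%s%s", spool_directory, to,
    dir, subdir, id, suffix);

  /* snprintf() returns the length the full string would have had; a value at
  or beyond the buffer size means the name was truncated. */
  if (flen < 0 || flen >= (int)sizeof(f) || tlen < 0 || tlen >= (int)sizeof(t))
  {
    log_write(0, LOG_MAIN|LOG_PANIC, "link name too long while moving "
      "message %s", id);
    return FALSE;
  }

  /* A missing source file is tolerated only when the caller said so. */
  if (Ulink(f, t) < 0 && (!noentok || errno != ENOENT))
  {
    log_write(0, LOG_MAIN|LOG_PANIC, "link(\"%s\", \"%s\") failed while moving "
      "message: %s", f, t, strerror(errno));
    return FALSE;
  }
  return TRUE;
}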
395 | ||
396 | ||
397 | ||
398 | /************************************************ | |
399 | * Break a link * | |
400 | ************************************************/ | |
401 | ||
402 | /* Used by spool_move_message() below. Note re the use of sprintf(): the value | |
403 | of spool_directory is checked to ensure that it is less than 200 characters at | |
404 | start-up time. | |
405 | ||
406 | Arguments: | |
407 | dir base directory name | |
408 | subdir subdirectory name | |
409 | id message id | |
410 | suffix suffix to add to id | |
411 | from source directory prefix | |
412 | noentok if TRUE, absence of file is not an error | |
413 | ||
414 | Returns: TRUE if all went well | |
415 | FALSE, having panic logged if not | |
416 | */ | |
417 | ||
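/* Remove one message file from the source hierarchy. Used by
spool_move_message() after the new links have been created.

The path name is built with a bounded write into a fixed 256-byte buffer. The
start-up check on the length of spool_directory does not cover the other
components (from, dir, subdir, id, suffix), so a name that does not fit is
logged and treated as a failure instead of being written past the buffer.

Arguments:
  dir        base directory name
  subdir     subdirectory name
  id         message id
  suffix     suffix to add to id
  from       source directory prefix
  noentok    if TRUE, absence of file is not an error

Returns:     TRUE if all went well
             FALSE, having panic logged if not
*/

static BOOL
break_link(uschar *dir, uschar *subdir, uschar *id, uschar *suffix, uschar *from,
  BOOL noentok)
{
  uschar f[256];
  int flen = snprintf(CS f, sizeof(f), "%s/%s%s/%s/%s%s", spool_directory, from,
    dir, subdir, id, suffix);

  /* A return value at or beyond the buffer size means truncation; unlinking a
  truncated name could remove the wrong file, so refuse. */
  if (flen < 0 || flen >= (int)sizeof(f))
  {
    log_write(0, LOG_MAIN|LOG_PANIC, "unlink name too long while moving "
      "message %s", id);
    return FALSE;
  }

  /* A missing file is tolerated only when the caller said so. */
  if (Uunlink(f) < 0 && (!noentok || errno != ENOENT))
  {
    log_write(0, LOG_MAIN|LOG_PANIC, "unlink(\"%s\") failed while moving "
      "message: %s", f, strerror(errno));
    return FALSE;
  }
  return TRUE;
}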
432 | ||
433 | ||
434 | ||
435 | /************************************************ | |
436 | * Move message files * | |
437 | ************************************************/ | |
438 | ||
439 | /* Move the files for a message (-H, -D, and msglog) from one directory (or | |
440 | hierarchy) to another. It is assumed that there is no -J file in existence when | |
441 | this is done. At present, this is used only when move_frozen_messages is set, | |
442 | so compile it only when that support is configured. | |
443 | ||
444 | Arguments: | |
445 | id the id of the message to be delivered | |
446 | subdir the subdirectory name, or an empty string | |
447 | from a prefix for "input" or "msglog" for where the message is now | |
448 | to a prefix for "input" or "msglog" for where the message is to go | |
449 | ||
450 | Returns: TRUE if all is well | |
451 | FALSE if not, with error logged in panic and main logs | |
452 | */ | |
453 | ||
/* Move a message's files (msglog, -D and -H) between spool hierarchies by
creating hard links under the destination prefix and then removing the links
under the source prefix.

Arguments:
  id         the id of the message
  subdir     the subdirectory name, or an empty string
  from       prefix for "input"/"msglog" where the message is now
  to         prefix for "input"/"msglog" where the message is to go

Returns:     TRUE if all is well
             FALSE as soon as any link or unlink step fails; links made by
               earlier steps are left in place
*/

BOOL
spool_move_message(uschar *id, uschar *subdir, uschar *from, uschar *to)
{
  /* Make sure both destination directories exist. The return values of
  directory_make() are discarded. */

  sprintf(CS big_buffer, "%sinput/%s", to, subdir);
  (void)directory_make(spool_directory, big_buffer, INPUT_DIRECTORY_MODE, TRUE);
  sprintf(CS big_buffer, "%smsglog/%s", to, subdir);
  (void)directory_make(spool_directory, big_buffer, INPUT_DIRECTORY_MODE, TRUE);

  /* First create the new links. When moving messages onto the main spool, the
  -H file is the one that tells Exim there is a message to be delivered, so its
  new link is created last. Programs that look at the alternate directories
  should likewise wait for a -H file before doing anything. A missing msglog
  file is acceptable; a missing -D or -H file is not. */

  if (!make_link(US"msglog", subdir, id, US"", from, to, TRUE)) return FALSE;
  if (!make_link(US"input", subdir, id, US"-D", from, to, FALSE)) return FALSE;
  if (!make_link(US"input", subdir, id, US"-H", from, to, FALSE)) return FALSE;

  /* Then remove the old links in the opposite order, -H first. When moving
  messages off the mail spool, the -D file should be open and locked at the
  time, thus keeping Exim's hands off. */

  if (!break_link(US"input", subdir, id, US"-H", from, FALSE)) return FALSE;
  if (!break_link(US"input", subdir, id, US"-D", from, FALSE)) return FALSE;
  if (!break_link(US"msglog", subdir, id, US"", from, TRUE)) return FALSE;

  log_write(0, LOG_MAIN, "moved from %sinput, %smsglog to %sinput, %smsglog",
    from, from, to, to);

  return TRUE;
}
488 | ||
489 | #endif | |
490 | ||
491 | /* End of spool_out.c */ |