projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Use git to automatically create version.h
[exim.git] / src / src / transports / appendfile.c
CommitLineData
0756eb3c
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
0a49a7a4 5/* Copyright (c) University of Cambridge 1995 - 2009 */
0756eb3c
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8
9#include "../exim.h"
10#include "appendfile.h"
11
12#ifdef SUPPORT_MAILDIR
13#include "tf_maildir.h"
14#endif
15
16
17/* Encodings for mailbox formats, and their names. MBX format is actually
18supported only if SUPPORT_MBX is set. */
19
20enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
21
1ba28e2b 22static const char *mailbox_formats[] = {
0756eb3c
PH		 23 "unix", "mbx", "smail", "maildir", "mailstore" };
24
25
26/* Check warn threshold only if quota size set or not a percentage threshold
27 percentage check should only be done if quota > 0 */
28
29#define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
30 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
31
32
33/* Options specific to the appendfile transport. They must be in alphabetic
34order (note that "_" comes before the lower case letters). Some of them are
35stored in the publicly visible instance block - these are flagged with the
36opt_public flag. */
37
38optionlist appendfile_transport_options[] = {
39 { "*set_use_fcntl_lock",opt_bool | opt_hidden,
40 (void *)offsetof(appendfile_transport_options_block, set_use_fcntl) },
41 { "*set_use_flock_lock",opt_bool | opt_hidden,
42 (void *)offsetof(appendfile_transport_options_block, set_use_flock) },
43 { "*set_use_lockfile", opt_bool | opt_hidden,
44 (void *)offsetof(appendfile_transport_options_block, set_use_lockfile) },
45#ifdef SUPPORT_MBX
46 { "*set_use_mbx_lock", opt_bool | opt_hidden,
47 (void *)offsetof(appendfile_transport_options_block, set_use_mbx_lock) },
48#endif
49 { "allow_fifo", opt_bool,
50 (void *)offsetof(appendfile_transport_options_block, allow_fifo) },
51 { "allow_symlink", opt_bool,
52 (void *)offsetof(appendfile_transport_options_block, allow_symlink) },
53 { "batch_id", opt_stringptr | opt_public,
54 (void *)offsetof(transport_instance, batch_id) },
55 { "batch_max", opt_int | opt_public,
56 (void *)offsetof(transport_instance, batch_max) },
57 { "check_group", opt_bool,
58 (void *)offsetof(appendfile_transport_options_block, check_group) },
59 { "check_owner", opt_bool,
60 (void *)offsetof(appendfile_transport_options_block, check_owner) },
61 { "check_string", opt_stringptr,
62 (void *)offsetof(appendfile_transport_options_block, check_string) },
63 { "create_directory", opt_bool,
64 (void *)offsetof(appendfile_transport_options_block, create_directory) },
65 { "create_file", opt_stringptr,
66 (void *)offsetof(appendfile_transport_options_block, create_file_string) },
67 { "directory", opt_stringptr,
68 (void *)offsetof(appendfile_transport_options_block, dirname) },
69 { "directory_file", opt_stringptr,
70 (void *)offsetof(appendfile_transport_options_block, dirfilename) },
71 { "directory_mode", opt_octint,
72 (void *)offsetof(appendfile_transport_options_block, dirmode) },
73 { "escape_string", opt_stringptr,
74 (void *)offsetof(appendfile_transport_options_block, escape_string) },
75 { "file", opt_stringptr,
76 (void *)offsetof(appendfile_transport_options_block, filename) },
77 { "file_format", opt_stringptr,
78 (void *)offsetof(appendfile_transport_options_block, file_format) },
79 { "file_must_exist", opt_bool,
80 (void *)offsetof(appendfile_transport_options_block, file_must_exist) },
81 { "lock_fcntl_timeout", opt_time,
82 (void *)offsetof(appendfile_transport_options_block, lock_fcntl_timeout) },
83 { "lock_flock_timeout", opt_time,
84 (void *)offsetof(appendfile_transport_options_block, lock_flock_timeout) },
85 { "lock_interval", opt_time,
86 (void *)offsetof(appendfile_transport_options_block, lock_interval) },
87 { "lock_retries", opt_int,
88 (void *)offsetof(appendfile_transport_options_block, lock_retries) },
89 { "lockfile_mode", opt_octint,
90 (void *)offsetof(appendfile_transport_options_block, lockfile_mode) },
91 { "lockfile_timeout", opt_time,
92 (void *)offsetof(appendfile_transport_options_block, lockfile_timeout) },
93 { "mailbox_filecount", opt_stringptr,
94 (void *)offsetof(appendfile_transport_options_block, mailbox_filecount_string) },
95 { "mailbox_size", opt_stringptr,
96 (void *)offsetof(appendfile_transport_options_block, mailbox_size_string) },
97#ifdef SUPPORT_MAILDIR
98 { "maildir_format", opt_bool,
99 (void *)offsetof(appendfile_transport_options_block, maildir_format ) } ,
100 { "maildir_quota_directory_regex", opt_stringptr,
101 (void *)offsetof(appendfile_transport_options_block, maildir_dir_regex) },
102 { "maildir_retries", opt_int,
103 (void *)offsetof(appendfile_transport_options_block, maildir_retries) },
104 { "maildir_tag", opt_stringptr,
105 (void *)offsetof(appendfile_transport_options_block, maildir_tag) },
106 { "maildir_use_size_file", opt_bool,
107 (void *)offsetof(appendfile_transport_options_block, maildir_use_size_file ) } ,
d6629cdc
PH		 108 { "maildirfolder_create_regex", opt_stringptr,
109 (void *)offsetof(appendfile_transport_options_block, maildirfolder_create_regex ) },
0756eb3c
PH		 110#endif /* SUPPORT_MAILDIR */
111#ifdef SUPPORT_MAILSTORE
112 { "mailstore_format", opt_bool,
113 (void *)offsetof(appendfile_transport_options_block, mailstore_format ) },
114 { "mailstore_prefix", opt_stringptr,
115 (void *)offsetof(appendfile_transport_options_block, mailstore_prefix ) },
116 { "mailstore_suffix", opt_stringptr,
117 (void *)offsetof(appendfile_transport_options_block, mailstore_suffix ) },
118#endif /* SUPPORT_MAILSTORE */
119#ifdef SUPPORT_MBX
120 { "mbx_format", opt_bool,
121 (void *)offsetof(appendfile_transport_options_block, mbx_format ) } ,
122#endif /* SUPPORT_MBX */
123 { "message_prefix", opt_stringptr,
124 (void *)offsetof(appendfile_transport_options_block, message_prefix) },
125 { "message_suffix", opt_stringptr,
126 (void *)offsetof(appendfile_transport_options_block, message_suffix) },
127 { "mode", opt_octint,
128 (void *)offsetof(appendfile_transport_options_block, mode) },
129 { "mode_fail_narrower",opt_bool,
130 (void *)offsetof(appendfile_transport_options_block, mode_fail_narrower) },
131 { "notify_comsat", opt_bool,
132 (void *)offsetof(appendfile_transport_options_block, notify_comsat) },
133 { "quota", opt_stringptr,
134 (void *)offsetof(appendfile_transport_options_block, quota) },
135 { "quota_directory", opt_stringptr,
136 (void *)offsetof(appendfile_transport_options_block, quota_directory) },
137 { "quota_filecount", opt_stringptr,
138 (void *)offsetof(appendfile_transport_options_block, quota_filecount) },
139 { "quota_is_inclusive", opt_bool,
140 (void *)offsetof(appendfile_transport_options_block, quota_is_inclusive) },
141 { "quota_size_regex", opt_stringptr,
142 (void *)offsetof(appendfile_transport_options_block, quota_size_regex) },
143 { "quota_warn_message", opt_stringptr | opt_public,
144 (void *)offsetof(transport_instance, warn_message) },
145 { "quota_warn_threshold", opt_stringptr,
146 (void *)offsetof(appendfile_transport_options_block, quota_warn_threshold) },
147 { "use_bsmtp", opt_bool,
148 (void *)offsetof(appendfile_transport_options_block, use_bsmtp) },
149 { "use_crlf", opt_bool,
150 (void *)offsetof(appendfile_transport_options_block, use_crlf) },
151 { "use_fcntl_lock", opt_bool_set,
152 (void *)offsetof(appendfile_transport_options_block, use_fcntl) },
153 { "use_flock_lock", opt_bool_set,
154 (void *)offsetof(appendfile_transport_options_block, use_flock) },
155 { "use_lockfile", opt_bool_set,
156 (void *)offsetof(appendfile_transport_options_block, use_lockfile) },
157#ifdef SUPPORT_MBX
158 { "use_mbx_lock", opt_bool_set,
159 (void *)offsetof(appendfile_transport_options_block, use_mbx_lock) },
160#endif /* SUPPORT_MBX */
161};
162
163/* Size of the options list. An extern variable has to be used so that its
164address can appear in the tables drtables.c. */
165
166int appendfile_transport_options_count =
167 sizeof(appendfile_transport_options)/sizeof(optionlist);
168
169/* Default private options block for the appendfile transport. */
170
171appendfile_transport_options_block appendfile_transport_option_defaults = {
172 NULL, /* filename */
173 NULL, /* dirname */
174 US"q${base62:$tod_epoch}-$inode", /* dirfilename */
175 NULL, /* message_prefix (default reset in init if not bsmtp) */
176 NULL, /* message_suffix (ditto) */
177 US"anywhere", /* create_file_string (string value for create_file) */
178 NULL, /* quota */
179 NULL, /* quota_directory */
180 NULL, /* quota_filecount */
181 NULL, /* quota_size_regex */
182 NULL, /* quota_warn_threshold */
183 NULL, /* mailbox_size_string */
184 NULL, /* mailbox_filecount_string */
185 US"^(?:cur|new|\\..*)$", /* maildir_dir_regex */
186 NULL, /* maildir_tag */
d6629cdc 187 NULL, /* maildirfolder_create_regex */
0756eb3c
PH		 188 NULL, /* mailstore_prefix */
189 NULL, /* mailstore_suffix */
190 NULL, /* check_string (default changed for non-bsmtp file)*/
191 NULL, /* escape_string (ditto) */
192 NULL, /* file_format */
0d7eb84a
PH		 193 0, /* quota_value */
194 0, /* quota_warn_threshold_value */
0756eb3c
PH		 195 -1, /* mailbox_size_value */
196 -1, /* mailbox_filecount_value */
0756eb3c 197 0, /* quota_filecount_value */
0756eb3c
PH		 198 APPENDFILE_MODE, /* mode */
199 APPENDFILE_DIRECTORY_MODE, /* dirmode */
200 APPENDFILE_LOCKFILE_MODE, /* lockfile_mode */
201 30*60, /* lockfile_timeout */
202 0, /* lock_fcntl_timeout */
203 0, /* lock_flock_timeout */
204 10, /* lock_retries */
205 3, /* lock_interval */
206 10, /* maildir_retries */
207 create_anywhere,/* create_file */
208 0, /* options */
209 FALSE, /* allow_fifo */
210 FALSE, /* allow_symlink */
211 FALSE, /* check_group */
212 TRUE, /* check_owner */
213 TRUE, /* create_directory */
214 FALSE, /* notify_comsat */
215 TRUE, /* use_lockfile */
216 FALSE, /* set_use_lockfile */
217 TRUE, /* use_fcntl */
218 FALSE, /* set_use_fcntl */
219 FALSE, /* use_flock */
220 FALSE, /* set_use_flock */
221 FALSE, /* use_mbx_lock */
222 FALSE, /* set_use_mbx_lock */
223 FALSE, /* use_bsmtp */
224 FALSE, /* use_crlf */
225 FALSE, /* file_must_exist */
226 TRUE, /* mode_fail_narrower */
227 FALSE, /* maildir_format */
228 FALSE, /* maildir_use_size_file */
229 FALSE, /* mailstore_format */
230 FALSE, /* mbx_format */
231 FALSE, /* quota_warn_threshold_is_percent */
232 TRUE /* quota_is_inclusive */
233};
234
235
236
237/*************************************************
238* Setup entry point *
239*************************************************/
240
241/* Called for each delivery in the privileged state, just before the uid/gid
242are changed and the main entry point is called. We use this function to
243expand any quota settings, so that it can access files that may not be readable
244by the user. It is also used to pick up external mailbox size information, if
245set.
246
247Arguments:
248 tblock points to the transport instance
249 addrlist addresses about to be delivered (not used)
250 dummy not used (doesn't pass back data)
929ba01c
PH		 251 uid the uid that will be set (not used)
252 gid the gid that will be set (not used)
0756eb3c
PH		 253 errmsg where to put an error message
254
255Returns: OK, FAIL, or DEFER
256*/
257
258static int
259appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
929ba01c 260 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
0756eb3c
PH		 261{
262appendfile_transport_options_block *ob =
263 (appendfile_transport_options_block *)(tblock->options_block);
264uschar *q = ob->quota;
0d7eb84a 265double default_value = 0.0;
0756eb3c
PH		 266int i;
267
268addrlist = addrlist; /* Keep picky compilers happy */
269dummy = dummy;
929ba01c
PH		 270uid = uid;
271gid = gid;
0756eb3c
PH		 272
273/* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
274mailbox_filecount */
275
276for (i = 0; i < 5; i++)
277 {
0d7eb84a 278 double d;
21c28500 279 uschar *which = NULL;
0d7eb84a
PH		 280
281 if (q == NULL) d = default_value; else
0756eb3c 282 {
0756eb3c
PH		 283 uschar *rest;
284 uschar *s = expand_string(q);
285
286 if (s == NULL)
287 {
288 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
289 "%s", q, tblock->name, expand_string_message);
290 return search_find_defer? DEFER : FAIL;
291 }
292
293 d = Ustrtod(s, &rest);
294
be22d70e 295 /* Handle following characters K, M, G, %, the latter being permitted
0756eb3c
PH		 296 for quota_warn_threshold only. A threshold with no quota setting is
297 just ignored. */
298
299 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
300 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
be22d70e 301 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
0756eb3c
PH		 302 else if (*rest == '%' && i == 2)
303 {
304 if (ob->quota_value <= 0 && !ob->maildir_use_size_file) d = 0;
305 else if ((int)d < 0 || (int)d > 100)
306 {
307 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
308 " for %s transport", (int)d, tblock->name);
309 return FAIL;
310 }
311 ob->quota_warn_threshold_is_percent = TRUE;
312 rest++;
313 }
314
315 while (isspace(*rest)) rest++;
316
317 if (*rest != 0)
318 {
319 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
320 "in %s transport", s, q, tblock->name);
321 return FAIL;
322 }
0756eb3c
PH		 323 }
324
21c28500
PH		 325 /* Set each value, checking for possible overflow. */
326
0756eb3c
PH		 327 switch (i)
328 {
329 case 0:
21c28500 330 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"quota";
0d7eb84a 331 ob->quota_value = (off_t)d;
0756eb3c 332 q = ob->quota_filecount;
0756eb3c
PH		 333 break;
334
335 case 1:
21c28500 336 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"quota_filecount";
0d7eb84a 337 ob->quota_filecount_value = (int)d;
0756eb3c 338 q = ob->quota_warn_threshold;
0756eb3c
PH		 339 break;
340
341 case 2:
21c28500
PH		 342 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
343 which = US"quota_warn_threshold";
0d7eb84a 344 ob->quota_warn_threshold_value = (off_t)d;
0756eb3c 345 q = ob->mailbox_size_string;
0d7eb84a 346 default_value = -1.0;
0756eb3c
PH		 347 break;
348
349 case 3:
21c28500
PH		 350 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
351 which = US"mailbox_size";;
0d7eb84a 352 ob->mailbox_size_value = (off_t)d;
0756eb3c 353 q = ob->mailbox_filecount_string;
0d7eb84a
PH		 354 break;
355
356 case 4:
21c28500 357 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"mailbox_filecount";
0d7eb84a 358 ob->mailbox_filecount_value = (int)d;
0756eb3c
PH		 359 break;
360 }
21c28500
PH		 361
362 if (which != NULL)
363 {
364 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
365 "%s transport", which, d, tblock->name);
366 return FAIL;
367 }
0756eb3c
PH		 368 }
369
370return OK;
371}
372
373
374
375/*************************************************
376* Initialization entry point *
377*************************************************/
378
379/* Called for each instance, after its options have been read, to
380enable consistency checks to be done, or anything else that needs
381to be set up. */
382
383void
384appendfile_transport_init(transport_instance *tblock)
385{
386appendfile_transport_options_block *ob =
387 (appendfile_transport_options_block *)(tblock->options_block);
388
389/* Set up the setup entry point, to be called in the privileged state */
390
391tblock->setup = appendfile_transport_setup;
392
393/* Lock_retries must be greater than zero */
394
395if (ob->lock_retries == 0) ob->lock_retries = 1;
396
397/* Only one of a file name or directory name must be given. */
398
399if (ob->filename != NULL && ob->dirname != NULL)
400 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
401 "only one of \"file\" or \"directory\" can be specified", tblock->name);
402
403/* If a file name was specified, neither quota_filecount nor quota_directory
404must be given. */
405
406if (ob->filename != NULL)
407 {
408 if (ob->quota_filecount != NULL)
409 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
410 "quota_filecount must not be set without \"directory\"", tblock->name);
411 if (ob->quota_directory != NULL)
412 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
413 "quota_directory must not be set without \"directory\"", tblock->name);
414 }
415
416/* The default locking depends on whether MBX is set or not. Change the
417built-in default if none of the lock options has been explicitly set. At least
418one form of locking is required in all cases, but mbx locking changes the
419meaning of fcntl and flock locking. */
420
421/* Not all operating systems provide flock(). For those that do, if flock is
422requested, the default for fcntl is FALSE. */
423
424if (ob->use_flock)
425 {
426 #ifdef NO_FLOCK
427 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
428 "flock() support was not available in the operating system when this "
429 "binary was built", tblock->name);
430 #endif /* NO_FLOCK */
431 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
432 }
433
434#ifdef SUPPORT_MBX
435if (ob->mbx_format)
436 {
437 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
438 !ob->set_use_mbx_lock)
439 {
440 ob->use_lockfile = ob->use_flock = FALSE;
441 ob->use_mbx_lock = ob->use_fcntl = TRUE;
442 }
443 else if (ob->use_mbx_lock)
444 {
445 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
446 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
447 if (!ob->set_use_flock) ob->use_flock = FALSE;
448 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
449 }
450 }
451#endif /* SUPPORT_MBX */
452
453if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
454 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
455 "no locking configured", tblock->name);
456
457/* Unset timeouts for non-used locking types */
458
459if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
460if (!ob->use_flock) ob->lock_flock_timeout = 0;
461
462/* If a directory name was specified, only one of maildir or mailstore may be
463specified, and if quota_filecount or quota_directory is given, quota must
464be set. */
465
466if (ob->dirname != NULL)
467 {
468 if (ob->maildir_format && ob->mailstore_format)
469 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
470 "only one of maildir and mailstore may be specified", tblock->name);
471 if (ob->quota_filecount != NULL && ob->quota == NULL)
472 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
473 "quota must be set if quota_filecount is set", tblock->name);
474 if (ob->quota_directory != NULL && ob->quota == NULL)
475 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
476 "quota must be set if quota_directory is set", tblock->name);
477 }
478
479/* If a fixed uid field is set, then a gid field must also be set. */
480
481if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
482 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
483 "user set without group for the %s transport", tblock->name);
484
485/* If "create_file" is set, check that a valid option is given, and set the
486integer variable. */
487
488if (ob->create_file_string != NULL)
489 {
490 int value = 0;
491 if (Ustrcmp(ob->create_file_string, "anywhere") == 0) value = create_anywhere;
492 else if (Ustrcmp(ob->create_file_string, "belowhome") == 0) value =
493 create_belowhome;
494 else if (Ustrcmp(ob->create_file_string, "inhome") == 0)
495 value = create_inhome;
496 else
497 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
498 "invalid value given for \"file_create\" for the %s transport: %s",
499 tblock->name, ob->create_file_string);
500 ob->create_file = value;
501 }
502
503/* If quota_warn_threshold is set, set up default for warn_message. It may
504not be used if the actual threshold for a given delivery ends up as zero,
505of if it's given as a percentage and there's no quota setting. */
506
507if (ob->quota_warn_threshold != NULL)
508 {
509 if (tblock->warn_message == NULL) tblock->warn_message = US
510 "To: $local_part@$domain\n"
511 "Subject: Your mailbox\n\n"
512 "This message is automatically created by mail delivery software (Exim).\n\n"
513 "The size of your mailbox has exceeded a warning threshold that is\n"
514 "set by the system administrator.\n";
515 }
516
517/* If batch SMTP is set, force the check and escape strings, and arrange that
518headers are also escaped. */
519
520if (ob->use_bsmtp)
521 {
522 ob->check_string = US".";
523 ob->escape_string = US"..";
524 ob->options |= topt_escape_headers;
525 }
526
527/* If not batch SMTP, not maildir, not mailstore, and directory is not set,
528insert default values for for the affixes and the check/escape strings. */
529
530else if (ob->dirname == NULL && !ob->maildir_format && !ob->mailstore_format)
531 {
532 if (ob->message_prefix == NULL) ob->message_prefix =
533 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
534 if (ob->message_suffix == NULL) ob->message_suffix = US"\n";
535 if (ob->check_string == NULL) ob->check_string = US"From ";
536 if (ob->escape_string == NULL) ob->escape_string = US">From ";
537
538 }
539
540/* Set up the bitwise options for transport_write_message from the various
541driver options. Only one of body_only and headers_only can be set. */
542
543ob->options |=
544 (tblock->body_only? topt_no_headers : 0) |
545 (tblock->headers_only? topt_no_body : 0) |
546 (tblock->return_path_add? topt_add_return_path : 0) |
547 (tblock->delivery_date_add? topt_add_delivery_date : 0) |
548 (tblock->envelope_to_add? topt_add_envelope_to : 0) |
549 ((ob->use_crlf || ob->mbx_format)? topt_use_crlf : 0);
550}
551
552
553
554/*************************************************
555* Notify comsat *
556*************************************************/
557
558/* The comsat daemon is the thing that provides asynchronous notification of
559the arrival of local messages, if requested by the user by "biff y". It is a
560BSD thing that uses a TCP/IP protocol for communication. A message consisting
561of the text "user@offset" must be sent, where offset is the place in the
562mailbox where new mail starts. There is no scope for telling it which file to
563look at, which makes it a less than useful if mail is being delivered into a
564non-standard place such as the user's home directory. In fact, it doesn't seem
565to pay much attention to the offset.
566
567Arguments:
568 user user name
569 offset offset in mailbox
570
571Returns: nothing
572*/
573
574static void
0d7eb84a 575notify_comsat(uschar *user, off_t offset)
0756eb3c
PH		 576{
577struct servent *sp;
578host_item host;
579host_item *h;
580uschar buffer[256];
581
582DEBUG(D_transport) debug_printf("notify_comsat called\n");
583
b1c749bb 584sprintf(CS buffer, "%.200s@" OFF_T_FMT "\n", user, offset);
0756eb3c
PH		 585
586if ((sp = getservbyname("biff", "udp")) == NULL)
587 {
588 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
589 return;
590 }
591
592host.name = US"localhost";
593host.next = NULL;
594
595
596/* This code is all set up to look up "localhost" and use all its addresses
597until one succeeds. However, it appears that at least on some systems, comsat
598doesn't listen on the ::1 address. So for the moment, just force the address to
599be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
322050c2 600can be changed. (But actually, comsat is probably dying out anyway.) */
0756eb3c
PH		 601
602/******
322050c2 603if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
0756eb3c
PH		 604 {
605 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
606 return;
607 }
608******/
609
610host.address = US"127.0.0.1";
611
612
613for (h = &host; h != NULL; h = h->next)
614 {
615 int sock, rc;
616 int host_af = (Ustrchr(h->address, ':') != NULL)? AF_INET6 : AF_INET;
617
618 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
619
620 sock = ip_socket(SOCK_DGRAM, host_af);
621 if (sock < 0) continue;
622
623 /* Connect never fails for a UDP socket, so don't set a timeout. */
624
625 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0);
626 rc = send(sock, buffer, Ustrlen(buffer) + 1, 0);
f1e894f3 627 (void)close(sock);
0756eb3c
PH		 628
629 if (rc >= 0) break;
630 DEBUG(D_transport)
631 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
632 h->address);
633 }
634}
635
636
637
638/*************************************************
639* Check the format of a file *
640*************************************************/
641
642/* This function is called when file_format is set, to check that an existing
643file has the right format. The format string contains text/transport pairs. The
644string matching is literal. we just read big_buffer_size bytes, because this is
645all about the first few bytes of a file.
646
647Arguments:
648 cfd the open file
649 tblock the transport block
650 addr the address block - for inserting error data
651
652Returns: pointer to the required transport, or NULL
653*/
654
655transport_instance *
656check_file_format(int cfd, transport_instance *tblock, address_item *addr)
657{
658uschar *format =
659 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
660uschar data[256];
661int len = read(cfd, data, sizeof(data));
662int sep = 0;
663uschar *s;
664
665DEBUG(D_transport) debug_printf("checking file format\n");
666
667/* An empty file matches the current transport */
668
669if (len == 0) return tblock;
670
671/* Search the formats for a match */
672
673while ((s = string_nextinlist(&format,&sep,big_buffer,big_buffer_size))!= NULL)
674 {
675 int slen = Ustrlen(s);
676 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
677 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
678 if (match)
679 {
680 transport_instance *tt;
681 for (tt = transports; tt != NULL; tt = tt->next)
682 if (Ustrcmp(tp, tt->name) == 0)
683 {
684 DEBUG(D_transport)
685 debug_printf("file format -> %s transport\n", tt->name);
686 return tt;
687 }
688 addr->basic_errno = ERRNO_BADTRANSPORT;
689 addr->message = string_sprintf("%s transport (for %.*s format) not found",
690 tp, slen, data);
691 return NULL;
692 }
693 }
694
695/* Failed to find a match */
696
697addr->basic_errno = ERRNO_FORMATUNKNOWN;
698addr->message = US"mailbox file format unrecognized";
699return NULL;
700}
701
702
703
704
705/*************************************************
706* Check directory's files for quota *
707*************************************************/
708
709/* This function is called if quota is set for one of the delivery modes that
710delivers into a specific directory. It scans the directory and stats all the
711files in order to get a total size and count. This is an expensive thing to do,
712but some people are prepared to bear the cost. Alternatively, if size_regex is
713set, it is used as a regex to try to extract the size from the file name, a
714strategy that some people use on maildir files on systems where the users have
715no shell access.
716
717The function is global, because it is also called from tf_maildir.c for maildir
718folders (which should contain only regular files).
719
720Note: Any problems can be written to debugging output, but cannot be written to
721the log, because we are running as an unprivileged user here.
722
723Arguments:
724 dirname the name of the directory
725 countptr where to add the file count (because this function recurses)
726 regex a compiled regex to get the size from a name
727
728Returns: the sum of the sizes of the stattable files
729 zero if the directory cannot be opened
730*/
731
0d7eb84a 732off_t
0756eb3c
PH		 733check_dir_size(uschar *dirname, int *countptr, const pcre *regex)
734{
735DIR *dir;
0d7eb84a 736off_t sum = 0;
0756eb3c
PH		 737int count = *countptr;
738struct dirent *ent;
739struct stat statbuf;
740
741dir = opendir(CS dirname);
742if (dir == NULL) return 0;
743
744while ((ent = readdir(dir)) != NULL)
745 {
746 uschar *name = US ent->d_name;
747 uschar buffer[1024];
748
749 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
750
751 count++;
752
753 /* If there's a regex, try to find the size using it */
754
755 if (regex != NULL)
756 {
757 int ovector[6];
758 if (pcre_exec(regex, NULL, CS name, Ustrlen(name), 0, 0, ovector,6) >= 2)
759 {
760 uschar *endptr;
0d7eb84a 761 off_t size = (off_t)Ustrtod(name + ovector[2], &endptr);
0756eb3c
PH		 762 if (endptr == name + ovector[3])
763 {
764 sum += size;
765 DEBUG(D_transport)
b1c749bb
PH		 766 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
767 size);
0756eb3c
PH		 768 continue;
769 }
770 }
771 DEBUG(D_transport)
772 debug_printf("check_dir_size: regex did not match %s\n", name);
773 }
774
775 /* No regex or no match for the regex, or captured non-digits */
776
777 if (!string_format(buffer, sizeof(buffer), "%s/%s", dirname, name))
778 {
779 DEBUG(D_transport)
780 debug_printf("check_dir_size: name too long: dir=%s name=%s\n", dirname,
781 name);
782 continue;
783 }
784
785 if (Ustat(buffer, &statbuf) < 0)
786 {
787 DEBUG(D_transport)
788 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, buffer,
789 strerror(errno));
790 continue;
791 }
792
793 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
794 sum += statbuf.st_size;
795 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
796 sum += check_dir_size(buffer, &count, regex);
797 }
798
799closedir(dir);
800DEBUG(D_transport)
b1c749bb
PH		 801 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
802 sum, count);
0d7eb84a 803
0756eb3c
PH		 804*countptr = count;
805return sum;
806}
807
808
809
810
811/*************************************************
812* Apply a lock to a file descriptor *
813*************************************************/
814
815/* This function applies a lock to a file descriptor, using a blocking or
816non-blocking lock, depending on the timeout value. It can apply either or
817both of a fcntl() and a flock() lock. However, not all OS support flock();
818for those that don't, the use_flock option cannot be set.
819
820Arguments:
821 fd the file descriptor
822 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
823 fcntl() format); the flock() type is deduced if needed
824 dofcntl do fcntl() locking
825 fcntltime non-zero to use blocking fcntl()
826 doflock do flock() locking
827 flocktime non-zero to use blocking flock()
828
829Returns: yield of the fcntl() or flock() call, with errno preserved;
830 sigalrm_seen set if there has been a timeout
831*/
832
833static int
834apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
835 int flocktime)
836{
837int yield = 0;
838int save_errno;
839struct flock lock_data;
840lock_data.l_type = fcntltype;
841lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
842
843sigalrm_seen = FALSE;
844
845if (dofcntl)
846 {
847 if (fcntltime > 0)
848 {
849 alarm(fcntltime);
850 yield = fcntl(fd, F_SETLKW, &lock_data);
851 save_errno = errno;
852 alarm(0);
853 errno = save_errno;
854 }
855 else yield = fcntl(fd, F_SETLK, &lock_data);
856 }
857
858#ifndef NO_FLOCK
859if (doflock && (yield >= 0))
860 {
861 int flocktype = (fcntltype == F_WRLCK)? LOCK_EX : LOCK_SH;
862 if (flocktime > 0)
863 {
864 alarm(flocktime);
865 yield = flock(fd, flocktype);
866 save_errno = errno;
867 alarm(0);
868 errno = save_errno;
869 }
870 else yield = flock(fd, flocktype | LOCK_NB);
871 }
872#endif /* NO_FLOCK */
873
874return yield;
875}
876
877
878
879
880#ifdef SUPPORT_MBX
881/*************************************************
882* Copy message into MBX mailbox *
883*************************************************/
884
885/* This function is called when a message intended for a MBX mailbox has been
886written to a temporary file. We can now get the size of the message and then
887copy it in MBX format to the mailbox.
888
889Arguments:
890 to_fd fd to write to (the real mailbox)
891 from_fd fd to read from (the temporary file)
892 saved_size current size of mailbox
893
894Returns: OK if all went well, DEFER otherwise, with errno preserved
895 the number of bytes written are added to transport_count
896 by virtue of calling transport_write_block()
897*/
898
899/* Values taken from c-client */
900
901#define MBX_HDRSIZE 2048
902#define MBX_NUSERFLAGS 30
903
904static int
0d7eb84a 905copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
0756eb3c 906{
0d7eb84a
PH		 907int used;
908off_t size;
0756eb3c
PH		 909struct stat statbuf;
910
911/* If the current mailbox size is zero, write a header block */
912
913if (saved_size == 0)
914 {
915 int i;
916 uschar *s;
917 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
918 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
919 (long int)time(NULL));
920 for (i = 0; i < MBX_NUSERFLAGS; i++)
921 sprintf (CS(s += Ustrlen(s)), "\015\012");
922 if (!transport_write_block (to_fd, deliver_out_buffer, MBX_HDRSIZE))
923 return DEFER;
924 }
925
926DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
927
928/* Now construct the message's header from the time and the RFC822 file
929size, including CRLFs, which is the size of the input (temporary) file. */
930
931if (fstat(from_fd, &statbuf) < 0) return DEFER;
932size = statbuf.st_size;
933
b1c749bb
PH		 934sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
935 tod_stamp(tod_mbx), size, 0L, 0, 0);
0756eb3c
PH		 936used = Ustrlen(deliver_out_buffer);
937
938/* Rewind the temporary file, and copy it over in chunks. */
939
940lseek(from_fd, 0 , SEEK_SET);
941
942while (size > 0)
943 {
944 int len = read(from_fd, deliver_out_buffer + used,
945 DELIVER_OUT_BUFFER_SIZE - used);
946 if (len <= 0)
947 {
948 if (len == 0) errno = ERRNO_MBXLENGTH;
949 return DEFER;
950 }
951 if (!transport_write_block(to_fd, deliver_out_buffer, used + len))
952 return DEFER;
953 size -= len;
954 used = 0;
955 }
956
957return OK;
958}
959#endif /* SUPPORT_MBX */
960
961
962
963/*************************************************
964* Check creation is permitted *
965*************************************************/
966
967/* This function checks whether a given file name is permitted to be created,
968as controlled by the create_file option. If no home directory is set, however,
969we can't do any tests.
970
971Arguments:
972 filename the file name
973 create_file the ob->create_file option
974
975Returns: TRUE if creation is permitted
976*/
977
978static BOOL
979check_creation(uschar *filename, int create_file)
980{
981BOOL yield = TRUE;
982
983if (deliver_home != NULL && create_file != create_anywhere)
984 {
985 int len = Ustrlen(deliver_home);
986 uschar *file = filename;
987
988 while (file[0] == '/' && file[1] == '/') file++;
989 if (Ustrncmp(file, deliver_home, len) != 0 || file[len] != '/' ||
990 ( Ustrchr(file+len+2, '/') != NULL &&
991 (
992 create_file != create_belowhome ||
993 Ustrstr(file+len, "/../") != NULL
994 )
995 )
996 ) yield = FALSE;
997
998 /* If yield is TRUE, the file name starts with the home directory, and does
999 not contain any instances of "/../" in the "belowhome" case. However, it may
1000 still contain symbolic links. We can check for this by making use of
1001 realpath(), which most Unixes seem to have (but make it possible to cut this
1002 out). We can't just use realpath() on the whole file name, because we know
1003 the file itself doesn't exist, and intermediate directories may also not
1004 exist. What we want to know is the real path of the longest existing part of
1005 the path. That must match the home directory's beginning, whichever is the
1006 shorter. */
1007
1008 #ifndef NO_REALPATH
1009 if (yield && create_file == create_belowhome)
1010 {
1011 uschar *slash, *next;
1012 uschar *rp = NULL;
1013 for (slash = Ustrrchr(file, '/'); /* There is known to be one */
1014 rp == NULL && slash > file; /* Stop if reached beginning */
1015 slash = next)
1016 {
1017 *slash = 0;
1018 rp = US realpath(CS file, CS big_buffer);
1019 next = Ustrrchr(file, '/');
1020 *slash = '/';
1021 }
1022
1023 /* If rp == NULL it means that none of the relevant directories exist.
1024 This is not a problem here - it means that no symbolic links can exist,
1025 which is all we are worried about. Otherwise, we must compare it
1026 against the start of the home directory. However, that may itself
1027 contain symbolic links, so we have to "realpath" it as well, if
1028 possible. */
1029
1030 if (rp != NULL)
1031 {
1032 uschar hdbuffer[PATH_MAX+1];
1033 uschar *rph = deliver_home;
1034 int rlen = Ustrlen(big_buffer);
1035
1036 rp = US realpath(CS deliver_home, CS hdbuffer);
1037 if (rp != NULL)
1038 {
1039 rph = hdbuffer;
1040 len = Ustrlen(rph);
1041 }
1042
1043 if (rlen > len) rlen = len;
1044 if (Ustrncmp(rph, big_buffer, rlen) != 0)
1045 {
1046 yield = FALSE;
1047 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
1048 big_buffer, deliver_home);
1049 }
1050 }
1051 }
1052 #endif /* NO_REALPATH */
1053 }
1054
1055return yield;
1056}
1057
1058
1059
1060/*************************************************
1061* Main entry point *
1062*************************************************/
1063
1064/* See local README for general interface details. This transport always
1065returns FALSE, indicating that the status which has been placed in the first
1066address should be copied to any other addresses in a batch.
1067
1068Appendfile delivery is tricky and has led to various security problems in other
1069mailers. The logic used here is therefore laid out in some detail. When this
1070function is called, we are running in a subprocess which has had its gid and
1071uid set to the appropriate values. Therefore, we cannot write directly to the
1072exim logs. Any errors must be handled by setting appropriate return codes.
1073Note that the default setting for addr->transport_return is DEFER, so it need
1074not be set unless some other value is required.
1075
1076The code below calls geteuid() rather than getuid() to get the current uid
1077because in weird configurations not running setuid root there may be a
1078difference. In the standard configuration, where setuid() has been used in the
1079delivery process, there will be no difference between the uid and the euid.
1080
1081(1) If the af_file flag is set, this is a delivery to a file after .forward or
1082 alias expansion. Otherwise, there must be a configured file name or
1083 directory name.
1084
1085The following items apply in the case when a file name (as opposed to a
1086directory name) is given, that is, when appending to a single file:
1087
1088(2f) Expand the file name.
1089
1090(3f) If the file name is /dev/null, return success (optimization).
1091
1092(4f) If the file_format options is set, open the file for reading, and check
1093 that the bytes at the start of the file match one of the given strings.
1094 If the check indicates a transport other than the current one should be
1095 used, pass control to that other transport. Otherwise continue. An empty
1096 or non-existent file matches the current transport. The file is closed
1097 after the check.
1098
1099(5f) If a lock file is required, create it (see extensive separate comments
1100 below about the algorithm for doing this). It is important to do this
1101 before opening the mailbox if NFS is in use.
1102
1103(6f) Stat the file, using lstat() rather than stat(), in order to pick up
1104 details of any symbolic link.
1105
1106(7f) If the file already exists:
1107
1108 Check the owner and group if necessary, and defer if they are wrong.
1109
1110 If it is a symbolic link AND the allow_symlink option is set (NOT the
1111 default), go back to (6f) but this time use stat() instead of lstat().
1112
1113 If it's not a regular file (or FIFO when permitted), defer delivery.
1114
1115 Check permissions. If the required permissions are *less* than the
1116 existing ones, or supplied by the address (often by the user via filter),
1117 chmod() the file. Otherwise, defer.
1118
1119 Save the inode number.
1120
1121 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1122
1123 If open fails because the file does not exist, go to (6f); on any other
1124 failure, defer.
1125
1126 Check the inode number hasn't changed - I realize this isn't perfect (an
1127 inode can be reused) but it's cheap and will catch some of the races.
1128
1129 Check it's still a regular file (or FIFO if permitted).
1130
1131 Check that the owner and permissions haven't changed.
1132
1133 If file_format is set, check that the file still matches the format for
1134 the current transport. If not, defer delivery.
1135
1136(8f) If file does not exist initially:
1137
1138 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1139 this is via a symbolic link (only possible if allow_symlinks is set), in
1140 which case don't use O_EXCL, as it dosn't work.
1141
1142 If open fails because the file already exists, go to (6f). To avoid
1143 looping for ever in a situation where the file is continuously being
1144 created and deleted, all of this happens inside a loop that operates
1145 lock_retries times and includes the fcntl and flock locking. If the
1146 loop completes without the file getting opened, defer and request
1147 freezing, because something really weird is happening.
1148
1149 If open fails for any other reason, defer for subsequent delivery except
1150 when this is a file delivery resulting from an alias or forward expansion
1151 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1152 most likely a user rather than a configuration error.
1153
1154(9f) We now have the file checked and open for writing. If so configured, lock
1155 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1156 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1157 still fails, give up and defer delivery.
1158
1159(10f)Save the access time (for subsequent restoration) and the size of the
1160 file, for comsat and for re-setting if delivery fails in the middle -
1161 e.g. for quota exceeded.
1162
1163The following items apply in the case when a directory name is given:
1164
1165(2d) Create a new file in the directory using a temporary name, by opening for
1166 writing and with O_CREAT. If maildir format is being used, the file
1167 is created in a temporary subdirectory with a prescribed name. If
1168 mailstore format is being used, the envelope file is first created with a
1169 temporary name, then the data file.
1170
1171The following items apply in all cases:
1172
1173(11) We now have the file open for writing, and locked if it was given as a
1174 file name. Write the message and flush the file, unless there is a setting
1175 of the local quota option, in which case we can check for its excession
1176 without doing any writing.
1177
1178 In the case of MBX format mailboxes, the message is first written to a
1179 temporary file, in order to get its correct length. This is then copied to
1180 the real file, preceded by an MBX header.
1181
1182 If there is a quota error on writing, defer the address. Timeout logic
1183 will determine for how long retries are attempted. We restore the mailbox
1184 to its original length if it's a single file. There doesn't seem to be a
1185 uniform error code for quota excession (it even differs between SunOS4
1186 and some versions of SunOS5) so a system-dependent macro called
1187 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1188 compile time.
1189
1190 For any other error (most commonly disk full), do the same.
1191
1192The following applies after appending to a file:
1193
1194(12f)Restore the atime; notify_comsat if required; close the file (which
1195 unlocks it if it was locked). Delete the lock file if it exists.
1196
1197The following applies after writing a unique file in a directory:
1198
1199(12d)For maildir format, rename the file into the new directory. For mailstore
1200 format, rename the envelope file to its correct name. Otherwise, generate
1201 a unique name from the directory_file option, and rename to that, possibly
1202 trying a few times if the file exists and re-expanding the name gives a
1203 different string.
1204
1205This transport yields FAIL only when a file name is generated by an alias or
1206forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1207All other failures return DEFER (in addr->transport_return). */
1208
1209
1210BOOL
1211appendfile_transport_entry(
1212 transport_instance *tblock, /* data for this instantiation */
1213 address_item *addr) /* address we are working on */
1214{
1215appendfile_transport_options_block *ob =
1216 (appendfile_transport_options_block *)(tblock->options_block);
1217struct stat statbuf;
1218uschar *fdname = NULL;
1219uschar *filename = NULL;
1220uschar *hitchname = NULL;
1221uschar *dataname = NULL;
1222uschar *lockname = NULL;
1223uschar *newname = NULL;
1224uschar *nametag = NULL;
1225uschar *cr = US"";
1226uschar *filecount_msg = US"";
1227uschar *path;
1228struct utimbuf times;
1229struct timeval msg_tv;
01c490df 1230BOOL disable_quota = FALSE;
0756eb3c
PH		 1231BOOL isdirectory = FALSE;
1232BOOL isfifo = FALSE;
1233BOOL wait_for_tick = FALSE;
1234uid_t uid = geteuid(); /* See note above */
1235gid_t gid = getegid();
1236int mbformat;
1237int mode = (addr->mode > 0)? addr->mode : ob->mode;
0d7eb84a
PH		 1238off_t saved_size = -1;
1239off_t mailbox_size = ob->mailbox_size_value;
0756eb3c
PH		 1240int mailbox_filecount = ob->mailbox_filecount_value;
1241int hd = -1;
1242int fd = -1;
1243int yield = FAIL;
1244int i;
1245
1246#ifdef SUPPORT_MBX
1247int save_fd = 0;
1248int mbx_lockfd = -1;
1249uschar mbx_lockname[40];
1250FILE *temp_file = NULL;
1251#endif /* SUPPORT_MBX */
1252
1253#ifdef SUPPORT_MAILDIR
1254int maildirsize_fd = -1; /* fd for maildirsize file */
1255int maildir_save_errno;
1256#endif
1257
1258
1259DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1260
1261/* An "address_file" or "address_directory" transport is used to deliver to
1262files specified via .forward or an alias file. Prior to release 4.20, the
1263"file" and "directory" options were ignored in this case. This has been changed
1264to allow the redirection data to specify what is in effect a folder, whose
1265location is determined by the options on the transport.
1266
1267Compatibility with the case when neither option is set is retained by forcing a
1268value for the file or directory name. A directory delivery is assumed if the
1269last character of the path from the router is '/'.
1270
1271The file path is in the local part of the address, but not in the $local_part
1272variable (that holds the parent local part). It is, however, in the
1273$address_file variable. Below, we update the local part in the address if it
1274changes by expansion, so that the final path ends up in the log. */
1275
1276if (testflag(addr, af_file) &&
1277 ob->filename == NULL &&
1278 ob->dirname == NULL)
1279 {
1280 fdname = US"$address_file";
1281 if (address_file[Ustrlen(address_file)-1] == '/' ||
1282 ob->maildir_format ||
1283 ob->mailstore_format)
1284 isdirectory = TRUE;
1285 }
1286
1287/* Handle (a) an "address file" delivery where "file" or "directory" is
1288explicitly set and (b) a non-address_file delivery, where one of "file" or
1289"directory" must be set; initialization ensures that they are not both set. */
1290
1291if (fdname == NULL)
1292 {
1293 fdname = ob->filename;
1294 if (fdname == NULL)
1295 {
1296 fdname = ob->dirname;
1297 isdirectory = TRUE;
1298 }
1299 if (fdname == NULL)
1300 {
1301 addr->transport_return = PANIC;
1302 addr->message = string_sprintf("Mandatory file or directory option "
1303 "missing from %s transport", tblock->name);
1304 return FALSE;
1305 }
1306 }
1307
1308/* Maildir and mailstore require a directory */
1309
1310if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1311 {
1312 addr->transport_return = PANIC;
1313 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1314 "to be specified for the %s transport",
1315 ob->maildir_format? "dir" : "store", tblock->name);
1316 return FALSE;
1317 }
1318
1319path = expand_string(fdname);
1320
1321if (path == NULL)
1322 {
1323 addr->transport_return = PANIC;
1324 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1325 "name for %s transport) failed: %s", fdname, tblock->name,
1326 expand_string_message);
1327 return FALSE;
1328 }
1329
1330if (path[0] != '/')
1331 {
1332 addr->message = string_sprintf("appendfile: file or directory name "
1333 "\"%s\" is not absolute", path);
1334 addr->basic_errno = ERRNO_NOTABSOLUTE;
1335 return FALSE;
1336 }
1337
f7fd3850
PH		 1338/* For a file delivery, make sure the local part in the address(es) is updated
1339to the true local part. */
0756eb3c 1340
f7fd3850
PH		 1341if (testflag(addr, af_file))
1342 {
1343 address_item *addr2;
1344 for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
1345 addr2->local_part = string_copy(path);
1346 }
0756eb3c
PH		 1347
1348/* The available mailbox formats depend on whether it is a directory or a file
1349delivery. */
1350
1351if (isdirectory)
1352 {
1353 mbformat =
1354 #ifdef SUPPORT_MAILDIR
1355 (ob->maildir_format)? mbf_maildir :
1356 #endif
1357 #ifdef SUPPORT_MAILSTORE
1358 (ob->mailstore_format)? mbf_mailstore :
1359 #endif
1360 mbf_smail;
1361 }
1362else
1363 {
1364 mbformat =
1365 #ifdef SUPPORT_MBX
1366 (ob->mbx_format)? mbf_mbx :
1367 #endif
1368 mbf_unix;
1369 }
1370
1371DEBUG(D_transport)
1372 {
b1c749bb
PH		 1373 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1374 " warning=" OFF_T_FMT "%s\n"
0756eb3c
PH		 1375 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1376 "maildir_use_size_file=%s\n",
b1c749bb
PH		 1377 mode, ob->notify_comsat, ob->quota_value,
1378 ob->quota_warn_threshold_value,
0756eb3c
PH		 1379 ob->quota_warn_threshold_is_percent? "%" : "",
1380 isdirectory? "directory" : "file",
1381 path, mailbox_formats[mbformat],
1382 (ob->message_prefix == NULL)? US"null" : string_printing(ob->message_prefix),
1383 (ob->message_suffix == NULL)? US"null" : string_printing(ob->message_suffix),
1384 (ob->maildir_use_size_file)? "yes" : "no");
1385
1386 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1387 ob->use_lockfile? "lockfile " : "",
1388 ob->use_mbx_lock? "mbx locking (" : "",
1389 ob->use_fcntl? "fcntl " : "",
1390 ob->use_flock? "flock" : "",
1391 ob->use_mbx_lock? ")" : "");
1392 }
1393
1394/* If the -N option is set, can't do any more. */
1395
1396if (dont_deliver)
1397 {
1398 DEBUG(D_transport)
1399 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1400 tblock->name);
1401 addr->transport_return = OK;
1402 return FALSE;
1403 }
1404
1405/* Handle the case of a file name. If the file name is /dev/null, we can save
1406ourselves some effort and just give a success return right away. */
1407
1408if (!isdirectory)
1409 {
1410 BOOL use_lstat = TRUE;
1411 BOOL file_opened = FALSE;
1412 BOOL allow_creation_here = TRUE;
1413
1414 if (Ustrcmp(path, "/dev/null") == 0)
1415 {
1416 addr->transport_return = OK;
1417 return FALSE;
1418 }
1419
1420 /* Set the name of the file to be opened, and the file to which the data
1421 is written, and find out if we are permitted to create a non-existent file. */
1422
1423 dataname = filename = path;
1424 allow_creation_here = check_creation(filename, ob->create_file);
1425
1426 /* If ob->create_directory is set, attempt to create the directories in
1427 which this mailbox lives, but only if we are permitted to create the file
1428 itself. We know we are dealing with an absolute path, because this was
1429 checked above. */
1430
1431 if (ob->create_directory && allow_creation_here)
1432 {
1433 uschar *p = Ustrrchr(path, '/');
1434 *p = '\0';
1435 if (!directory_make(NULL, path, ob->dirmode, FALSE))
1436 {
1437 addr->basic_errno = errno;
1438 addr->message =
1439 string_sprintf("failed to create directories for %s: %s", path,
1440 strerror(errno));
1441 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1442 return FALSE;
1443 }
1444 *p = '/';
1445 }
1446
1447 /* If file_format is set we must check that any existing file matches one of
1448 the configured formats by checking the bytes it starts with. A match then
1449 indicates a specific transport - if it is not this one, pass control to it.
1450 Otherwise carry on here. An empty or non-existent file matches the current
1451 transport. We don't need to distinguish between non-existence and other open
1452 failures because if an existing file fails to open here, it will also fail
1453 again later when O_RDWR is used. */
1454
1455 if (ob->file_format != NULL)
1456 {
1457 int cfd = Uopen(path, O_RDONLY, 0);
1458 if (cfd >= 0)
1459 {
1460 transport_instance *tt = check_file_format(cfd, tblock, addr);
f1e894f3 1461 (void)close(cfd);
0756eb3c
PH		 1462
1463 /* If another transport is indicated, call it and return; if no transport
1464 was found, just return - the error data will have been set up.*/
1465
1466 if (tt != tblock)
1467 {
1468 if (tt != NULL)
1469 {
1470 set_process_info("delivering %s to %s using %s", message_id,
1471 addr->local_part, tt->name);
1472 debug_print_string(tt->debug_string);
1473 addr->transport = tt;
1474 (tt->info->code)(tt, addr);
1475 }
1476 return FALSE;
1477 }
1478 }
1479 }
1480
1481 /* The locking of mailbox files is worse than the naming of cats, which is
1482 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1483 three different names, so several different styles of locking are used.
1484
1485 Research in other programs that lock mailboxes shows that there is no
1486 universally standard method. Having mailboxes NFS-mounted on the system that
1487 is delivering mail is not the best thing, but people do run like this,
1488 and so the code must do its best to cope.
1489
1490 Three different locking mechanisms are supported. The initialization function
1491 checks that at least one is configured.
1492
1493 LOCK FILES
1494
1495 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1496 will work over NFS. Only after that is done do we actually open the mailbox
1497 and apply locks to it (if configured).
1498
1499 Originally, Exim got the file opened before doing anything about locking.
1500 However, a very occasional problem was observed on Solaris 2 when delivering
1501 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1502 gets remembered at open time. If another process on another host (that's
1503 important) has the file open and locked and writes to it and then releases
1504 the lock while the first process is waiting to get the lock, the first
1505 process may fail to write at the new end point of the file - despite the very
1506 definite statement about O_APPEND in the man page for write(). Experiments
1507 have reproduced this problem, but I do not know any way of forcing a host to
1508 update its attribute cache for an open NFS file. It would be nice if it did
1509 so when a lock was taken out, but this does not seem to happen. Anyway, to
1510 reduce the risk of this problem happening, we now create the lock file
1511 (if configured) *before* opening the mailbox. That will prevent two different
1512 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1513 however, but Pine at least seems to operate in the same way.
1514
1515 Lockfiles should normally be used when NFS is involved, because of the above
1516 problem.
1517
1518 The logic for creating the lock file is:
1519
1520 . The name of the lock file is <mailbox-name>.lock
1521
1522 . First, create a "hitching post" name by adding the primary host name,
1523 current time and pid to the lock file name. This should be unique.
1524
1525 . Create the hitching post file using WRONLY + CREAT + EXCL.
1526
1527 . If that fails EACCES, we assume it means that the user is unable to create
1528 files in the mail spool directory. Some installations might operate in this
1529 manner, so there is a configuration option to allow this state not to be an
1530 error - we proceed to lock using fcntl only, after the file is open.
1531
1532 . Otherwise, an error causes a deferment of the address.
1533
1534 . Hard link the hitching post to the lock file name.
1535
1536 . If the link succeeds, we have successfully created the lock file. Simply
1537 close and unlink the hitching post file.
1538
1539 . If the link does not succeed, proceed as follows:
1540
1541 o Fstat the hitching post file, and then close and unlink it.
1542
1543 o Now examine the stat data. If the number of links to the file is exactly
1544 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1545 the return never made it back, so the link() function gave a failure
1546 return.
1547
1548 . This method allows for the lock file to be created by some other process
1549 right up to the moment of the attempt to hard link it, and is also robust
1550 against NFS server crash-reboots, which would probably result in timeouts
1551 in the middle of link().
1552
1553 . System crashes may cause lock files to get left lying around, and some means
1554 of flushing them is required. The approach of writing a pid (used by smail
1555 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1556 timeout, which seems a better approach. Since any program that writes to a
1557 mailbox using a lock file should complete its task very quickly, Pine
1558 removes lock files that are older than 5 minutes. We allow the value to be
1559 configurable on the transport.
1560
1561 FCNTL LOCKING
1562
1563 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1564 mailbox once it is open. This is done by default with a non-blocking lock.
1565 Failures to lock cause retries after a sleep, but only for a certain number
1566 of tries. A blocking lock is deliberately not used so that we don't hold the
1567 mailbox open. This minimizes the possibility of the NFS problem described
1568 under LOCK FILES above, if for some reason NFS deliveries are happening
1569 without lock files. However, the use of a non-blocking lock and sleep, though
1570 the safest approach, does not give the best performance on very busy systems.
1571 A blocking lock plus timeout does better. Therefore Exim has an option to
1572 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1573 enables the use of blocking fcntl() calls.
1574
1575 FLOCK LOCKING
1576
1577 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1578 same manner as for fcntl locking above. No-blocking/timeout is also set as
1579 above in lock_flock_timeout. Not all operating systems provide or support
1580 flock(). For those that don't (as determined by the definition of LOCK_SH in
1581 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1582 is implemented (not precisely) on top of fcntl(), which means there's no
1583 point in actually using it.
1584
1585 MBX LOCKING
1586
1587 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1588 then the rules used for locking in c-client are used. Exim takes out a shared
1589 lock on the mailbox file, and an exclusive lock on the file whose name is
1590 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1591 any other MBX client from getting an exclusive lock on it and expunging it.
1592 It also stops any other MBX client from unlinking the /tmp lock when it has
1593 finished with it.
1594
1595 The exclusive lock on the /tmp file prevents any other MBX client from
1596 updating the mailbox in any way. When writing is finished, if an exclusive
1597 lock on the mailbox can be obtained, indicating there are no current sharers,
1598 the /tmp file is unlinked.
1599
1600 MBX locking can use either fcntl() or flock() locking. If neither
1601 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1602 The calls for getting these locks are by default non-blocking, as for non-mbx
1603 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1604 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1605 probably makes sense to set timeouts for any MBX deliveries. */
1606
1607
1608 /* Build a lock file if configured to do so - the existence of a lock
1609 file is subsequently checked by looking for a non-negative value of the
1610 file descriptor hd - even though the file is no longer open. */
1611
1612 if (ob->use_lockfile)
1613 {
1614 lockname = string_sprintf("%s.lock", filename);
1615 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1616 (unsigned int)(time(NULL)), (unsigned int)getpid());
1617
1618 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1619 hitchname);
1620
1621 /* Lock file creation retry loop */
1622
1623 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1624 {
1625 int rc;
1626 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1627
1628 if (hd < 0)
1629 {
1630 addr->basic_errno = errno;
1631 addr->message =
1632 string_sprintf("creating lock file hitching post %s "
1633 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1634 (long int)getegid());
1635 return FALSE;
1636 }
1637
1638 /* Attempt to hitch the hitching post to the lock file. If link()
1639 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1640 file, and get rid of the hitching post. If the number of links was 2,
1641 the link was created, despite the failure of link(). If the hitch was
1642 not successful, try again, having unlinked the lock file if it is too
1643 old.
1644
1645 There's a version of Linux (2.0.27) which doesn't update its local cache
1646 of the inode after link() by default - which many think is a bug - but
1647 if the link succeeds, this code will be OK. It just won't work in the
1648 case when link() fails after having actually created the link. The Linux
1649 NFS person is fixing this; a temporary patch is available if anyone is
1650 sufficiently worried. */
1651
1652 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
f1e894f3 1653 (void)close(hd);
0756eb3c
PH		 1654 Uunlink(hitchname);
1655 if (rc != 0 && statbuf.st_nlink != 2)
1656 {
1657 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1658 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1659 {
1660 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1661 Uunlink(lockname);
1662 }
1663 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1664 continue;
1665 }
1666
1667 DEBUG(D_transport) debug_printf("lock file created\n");
1668 break;
1669 }
1670
1671 /* Check for too many tries at creating the lock file */
1672
1673 if (i >= ob->lock_retries)
1674 {
1675 addr->basic_errno = ERRNO_LOCKFAILED;
1676 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1677 filename);
1678 return FALSE;
1679 }
1680 }
1681
1682
1683 /* We now have to get the file open. First, stat() it and act on existence or
1684 non-existence. This is in a loop to handle the case of a file's being created
1685 or deleted as we watch, and also to handle retries when the locking fails.
1686 Rather than holding the file open while waiting for the fcntl() and/or
1687 flock() lock, we close and do the whole thing again. This should be safer,
1688 especially for NFS files, which might get altered from other hosts, making
1689 their cached sizes incorrect.
1690
1691 With the default settings, no symlinks are permitted, but there is an option
1692 to permit symlinks for those sysadmins that know what they are doing.
1693 Shudder. However, insist that the initial symlink is owned by the right user.
1694 Thus lstat() is used initially; if a symlink is discovered, the loop is
1695 repeated such that stat() is used, to look at the end file. */
1696
1697 for (i = 0; i < ob->lock_retries; i++)
1698 {
1699 int sleep_before_retry = TRUE;
1700 file_opened = FALSE;
1701
1702 if((use_lstat? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1703 {
1704 /* Let's hope that failure to stat (other than non-existence) is a
1705 rare event. */
1706
1707 if (errno != ENOENT)
1708 {
1709 addr->basic_errno = errno;
1710 addr->message = string_sprintf("attempting to stat mailbox %s",
1711 filename);
1712 goto RETURN;
1713 }
1714
1715 /* File does not exist. If it is required to pre-exist this state is an
1716 error. */
1717
1718 if (ob->file_must_exist)
1719 {
1720 addr->basic_errno = errno;
1721 addr->message = string_sprintf("mailbox %s does not exist, "
1722 "but file_must_exist is set", filename);
1723 goto RETURN;
1724 }
1725
1726 /* If not permitted to create this file because it isn't in or below
1727 the home directory, generate an error. */
1728
1729 if (!allow_creation_here)
1730 {
1731 addr->basic_errno = ERRNO_BADCREATE;
1732 addr->message = string_sprintf("mailbox %s does not exist, "
1733 "but creation outside the home directory is not permitted",
1734 filename);
1735 goto RETURN;
1736 }
1737
1738 /* Attempt to create and open the file. If open fails because of
1739 pre-existence, go round the loop again. For any other error, defer the
1740 address, except for an alias or forward generated file name with EPERM,
1741 ENOENT, or EACCES, as those are most likely to be user errors rather
1742 than Exim config errors. When a symbolic link is permitted and points
1743 to a non-existent file, we get here with use_lstat = FALSE. In this case
1744 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1745 consistency and because MBX locking requires it in order to be able to
1746 get a shared lock. */
1747
1748 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1749 (use_lstat? O_EXCL : 0), mode);
1750 if (fd < 0)
1751 {
1752 if (errno == EEXIST) continue;
1753 addr->basic_errno = errno;
1754 addr->message = string_sprintf("while creating mailbox %s",
1755 filename);
1756 if (testflag(addr, af_file) &&
1757 (errno == EPERM || errno == ENOENT || errno == EACCES))
1758 addr->transport_return = FAIL;
1759 goto RETURN;
1760 }
1761
1762 /* We have successfully created and opened the file. Ensure that the group
1763 and the mode are correct. */
1764
ff790e47
PH		 1765 (void)Uchown(filename, uid, gid);
1766 (void)Uchmod(filename, mode);
0756eb3c
PH		 1767 }
1768
1769
1770 /* The file already exists. Test its type, ownership, and permissions, and
1771 save the inode for checking later. If symlinks are permitted (not the
1772 default or recommended state) it may be a symlink that already exists.
1773 Check its ownership and then look for the file at the end of the link(s).
1774 This at least prevents one user creating a symlink for another user in
1775 a sticky directory. */
1776
1777 else
1778 {
1779 int oldmode = (int)statbuf.st_mode;
1780 ino_t inode = statbuf.st_ino;
1781 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1782
1783 isfifo = FALSE; /* In case things are changing */
1784
1785 /* Check owner if required - the default. */
1786
1787 if (ob->check_owner && statbuf.st_uid != uid)
1788 {
1789 addr->basic_errno = ERRNO_BADUGID;
1790 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1791 "(%ld != %ld)", filename,
1792 islink? " (symlink)" : "",
1793 (long int)(statbuf.st_uid), (long int)uid);
1794 goto RETURN;
1795 }
1796
1797 /* Group is checked only if check_group is set. */
1798
1799 if (ob->check_group && statbuf.st_gid != gid)
1800 {
1801 addr->basic_errno = ERRNO_BADUGID;
1802 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1803 filename, islink? " (symlink)" : "", statbuf.st_gid, gid);
1804 goto RETURN;
1805 }
1806
a466095c
NM		 1807 /* Just in case this is a sticky-bit mail directory, we don't want
1808 users to be able to create hard links to other users' files. */
1809
1810 if (statbuf.st_nlink != 1)
1811 {
1812 addr->basic_errno = ERRNO_NOTREGULAR;
1813 addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
1814 filename, islink? " (symlink)" : "", statbuf.st_nlink);
1815 goto RETURN;
1816
1817 }
1818
0756eb3c
PH		 1819 /* If symlinks are permitted (not recommended), the lstat() above will
1820 have found the symlink. Its ownership has just been checked; go round
1821 the loop again, using stat() instead of lstat(). That will never yield a
1822 mode of S_IFLNK. */
1823
1824 if (islink && ob->allow_symlink)
1825 {
1826 use_lstat = FALSE;
1827 i--; /* Don't count this time round */
1828 continue;
1829 }
1830
1831 /* An actual file exists. Check that it is a regular file, or FIFO
1832 if permitted. */
1833
1834 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1835
1836 else if ((oldmode & S_IFMT) != S_IFREG)
1837 {
1838 addr->basic_errno = ERRNO_NOTREGULAR;
1839 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1840 filename, ob->allow_fifo? " or named pipe" : "");
1841 goto RETURN;
1842 }
1843
1844 /* If the mode is not what it would be for a newly created file, change
1845 the permissions if the mode is supplied for the address. Otherwise,
1846 reduce but do not extend the permissions. If the newly created
1847 permissions are greater than the existing permissions, don't change
1848 things when the mode is not from the address. */
1849
1850 if ((oldmode = (oldmode & 07777)) != mode)
1851 {
1852 int diffs = oldmode ^ mode;
1853 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1854 {
1855 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1856 if (Uchmod(filename, mode) < 0)
1857 {
1858 addr->basic_errno = errno;
1859 addr->message = string_sprintf("attempting to chmod mailbox %s",
1860 filename);
1861 goto RETURN;
1862 }
1863 oldmode = mode;
1864 }
1865
1866 /* Mode not from address, and newly-created permissions are greater
1867 than existing permissions. Default is to complain, but it can be
1868 configured to go ahead and try to deliver anyway if that's what
1869 the administration wants. */
1870
1871 else if (ob->mode_fail_narrower)
1872 {
1873 addr->basic_errno = ERRNO_BADMODE;
1874 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1875 "(%o expected)", filename, oldmode, mode);
1876 goto RETURN;
1877 }
1878 }
1879
1880 /* We are happy with the existing file. Open it, and then do further
1881 tests to ensure that it is the same file that we were just looking at.
1882 If the file does not now exist, restart this loop, going back to using
1883 lstat again. For an NFS error, just defer; other opening errors are
1884 more serious. The file is opened RDWR so that its format can be checked,
1885 and also MBX locking requires the use of a shared (read) lock. However,
1886 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1887 reading the pipe. */
1888
1889 fd = Uopen(filename, isfifo? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1890 mode);
1891 if (fd < 0)
1892 {
1893 if (errno == ENOENT)
1894 {
1895 use_lstat = TRUE;
1896 continue;
1897 }
1898 addr->basic_errno = errno;
1899 if (isfifo)
1900 {
1901 addr->message = string_sprintf("while opening named pipe %s "
1902 "(could mean no process is reading it)", filename);
1903 }
1904 else if (errno != EWOULDBLOCK)
1905 {
1906 addr->message = string_sprintf("while opening mailbox %s", filename);
1907 }
1908 goto RETURN;
1909 }
1910
1911 /* This fstat really shouldn't fail, as we have an open file! There's a
1912 dilemma here. We use fstat in order to be sure we are peering at the file
1913 we have got open. However, that won't tell us if the file was reached
1914 via a symbolic link. We checked this above, but there is a race exposure
1915 if the link was created between the previous lstat and the open. However,
1916 it would have to be created with the same inode in order to pass the
1917 check below. If ob->allow_symlink is set, causing the use of stat rather
1918 than lstat above, symbolic links may be there anyway, and the checking is
1919 weaker. */
1920
1921 if (fstat(fd, &statbuf) < 0)
1922 {
1923 addr->basic_errno = errno;
1924 addr->message = string_sprintf("attempting to stat open mailbox %s",
1925 filename);
1926 goto RETURN;
1927 }
1928
1929 /* Check the inode; this is isn't a perfect check, but gives some
1930 confidence. */
1931
1932 if (inode != statbuf.st_ino)
1933 {
1934 addr->basic_errno = ERRNO_INODECHANGED;
1935 addr->message = string_sprintf("opened mailbox %s inode number changed "
1936 "from %d to %ld", filename, inode, statbuf.st_ino);
1937 addr->special_action = SPECIAL_FREEZE;
1938 goto RETURN;
1939 }
1940
1941 /* Check it's still a regular file or FIFO, and the uid, gid, and
1942 permissions have not changed. */
1943
1944 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1945 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1946 {
1947 addr->basic_errno = ERRNO_NOTREGULAR;
1948 addr->message =
1949 string_sprintf("opened mailbox %s is no longer a %s", filename,
1950 isfifo? "named pipe" : "regular file");
1951 addr->special_action = SPECIAL_FREEZE;
1952 goto RETURN;
1953 }
1954
1955 if ((ob->check_owner && statbuf.st_uid != uid) ||
1956 (ob->check_group && statbuf.st_gid != gid))
1957 {
1958 addr->basic_errno = ERRNO_BADUGID;
1959 addr->message =
1960 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1961 addr->special_action = SPECIAL_FREEZE;
1962 goto RETURN;
1963 }
1964
1965 if ((statbuf.st_mode & 07777) != oldmode)
1966 {
1967 addr->basic_errno = ERRNO_BADMODE;
1968 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
1969 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
1970 addr->special_action = SPECIAL_FREEZE;
1971 goto RETURN;
1972 }
1973
1974 /* If file_format is set, check that the format of the file has not
1975 changed. Error data is set by the testing function. */
1976
1977 if (ob->file_format != NULL &&
1978 check_file_format(fd, tblock, addr) != tblock)
1979 {
1980 addr->message = US"open mailbox has changed format";
1981 goto RETURN;
1982 }
1983
1984 /* The file is OK. Carry on to do the locking. */
1985 }
1986
1987 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
1988 locking rules if configured to do so. If a lock file is also required, it
1989 was created above and hd was left >= 0. At least one form of locking is
1990 required by the initialization function. If locking fails here, close the
1991 file and go round the loop all over again, after waiting for a bit, unless
1992 blocking locking was used. */
1993
1994 file_opened = TRUE;
1995 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
1996 sleep_before_retry = FALSE;
1997
1998 /* Simple fcntl() and/or flock() locking */
1999
2000 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
2001 {
2002 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2003 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
2004 }
2005
2006 /* MBX locking rules */
2007
2008 #ifdef SUPPORT_MBX
2009 else if (ob->use_mbx_lock)
2010 {
bf83d8d3
PP		 2011 int mbx_tmp_oflags;
2012 struct stat lstatbuf, statbuf2;
0756eb3c
PH		 2013 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2014 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
2015 fstat(fd, &statbuf) >= 0)
2016 {
2017 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
2018 (long)statbuf.st_ino);
2019
bf83d8d3
PP		 2020 /*
2021 * 2010-05-29: SECURITY
2022 * Dan Rosenberg reported the presence of a race-condition in the
2023 * original code here. Beware that many systems still allow symlinks
2024 * to be followed in /tmp so an attacker can create a symlink pointing
2025 * elsewhere between a stat and an open, which we should avoid
2026 * following.
2027 *
2028 * It's unfortunate that we can't just use all the heavily debugged
2029 * locking from above.
2030 *
2031 * Also: remember to mirror changes into exim_lock.c */
2032
2033 /* first leave the old pre-check in place, it provides better
2034 * diagnostics for common cases */
0756eb3c
PH		 2035 if (Ulstat(mbx_lockname, &statbuf) >= 0)
2036 {
2037 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
2038 {
2039 addr->basic_errno = ERRNO_LOCKFAILED;
2040 addr->message = string_sprintf("symbolic link on MBX lock file %s",
2041 mbx_lockname);
2042 goto RETURN;
2043 }
2044 if (statbuf.st_nlink > 1)
2045 {
2046 addr->basic_errno = ERRNO_LOCKFAILED;
2047 addr->message = string_sprintf("hard link to MBX lock file %s",
2048 mbx_lockname);
2049 goto RETURN;
2050 }
2051 }
2052
bf83d8d3
PP		 2053 /* If we could just declare "we must be the ones who create this
2054 * file" then a hitching post in a subdir would work, since a
2055 * subdir directly in /tmp/ which we create wouldn't follow links
2056 * but this isn't our locking logic, so we can't safely change the
2057 * file existence rules. */
2058
2059 /* On systems which support O_NOFOLLOW, it's the easiest and most
2060 * obviously correct security fix */
2061 mbx_tmp_oflags = O_RDWR | O_CREAT;
2062#ifdef O_NOFOLLOW
2063 mbx_tmp_oflags |= O_NOFOLLOW;
2064#endif
2065 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
0756eb3c
PH		 2066 if (mbx_lockfd < 0)
2067 {
2068 addr->basic_errno = ERRNO_LOCKFAILED;
2069 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2070 mbx_lockname, strerror(errno));
2071 goto RETURN;
2072 }
bf83d8d3 2073
73a46702 2074 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
bf83d8d3
PP		 2075 {
2076 addr->basic_errno = ERRNO_LOCKFAILED;
2077 addr->message = string_sprintf("attempting to lstat open MBX "
2078 "lock file %s: %s", mbx_lockname, strerror(errno));
2079 goto RETURN;
2080 }
2081 if (fstat(mbx_lockfd, &statbuf2) < 0)
2082 {
2083 addr->basic_errno = ERRNO_LOCKFAILED;
2084 addr->message = string_sprintf("attempting to stat fd of open MBX "
2085 "lock file %s: %s", mbx_lockname, strerror(errno));
2086 goto RETURN;
2087 }
2088
2089 /*
2090 * At this point:
2091 * statbuf: if exists, is file which existed prior to opening the
2092 * lockfile, might have been replaced since then
2093 * statbuf2: result of stat'ing the open fd, is what was actually
2094 * opened
2095 * lstatbuf: result of lstat'ing the filename immediately after
2096 * the open but there's a race condition again between
2097 * those two steps: before open, symlink to foo, after
2098 * open but before lstat have one of:
2099 * * was no symlink, so is the opened file
2100 * (we created it, no messing possible after that point)
2101 * * hardlink to foo
2102 * * symlink elsewhere
2103 * * hardlink elsewhere
2104 * * new file/other
2105 * Don't want to compare to device of /tmp because some modern systems
2106 * have regressed to having /tmp be the safe actual filesystem as
2107 * valuable data, so is mostly worthless, unless we assume that *only*
2108 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2109 * for further consideration.
2110 * No point in doing a readlink on the lockfile as that will always be
2111 * at a different point in time from when we open it, so tells us
2112 * nothing; attempts to clean up and delete after ourselves would risk
2113 * deleting a *third* filename.
2114 */
2115 if ((statbuf2.st_nlink > 1) ||
2116 (lstatbuf.st_nlink > 1) ||
2117 (!S_ISREG(lstatbuf.st_mode)) ||
2118 (lstatbuf.st_dev != statbuf2.st_dev) ||
2119 (lstatbuf.st_ino != statbuf2.st_ino))
2120 {
2121 addr->basic_errno = ERRNO_LOCKFAILED;
2122 addr->message = string_sprintf("RACE CONDITION detected: "
2123 "mismatch post-initial-checks between \"%s\" and opened "
2124 "fd lead us to abort!", mbx_lockname);
2125 goto RETURN;
2126 }
0756eb3c 2127
7e9f683d 2128 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
0756eb3c
PH		 2129
2130 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2131 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2132 {
2133 struct stat ostatbuf;
2134
2135 /* This tests for a specific race condition. Ensure that we still
2136 have the same file. */
2137
2138 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2139 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2140 statbuf.st_dev == ostatbuf.st_dev &&
2141 statbuf.st_ino == ostatbuf.st_ino)
2142 break;
2143 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2144 "between creation and locking\n", mbx_lockname);
2145 }
2146
2147 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2148 strerror(errno));
f1e894f3 2149 (void)close(mbx_lockfd);
0756eb3c
PH		 2150 mbx_lockfd = -1;
2151 }
2152 else
2153 {
2154 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2155 filename, strerror(errno));
2156 }
2157 }
2158 #endif /* SUPPORT_MBX */
2159
2160 else break; /* No on-file locking required; break the open/lock loop */
2161
2162 DEBUG(D_transport)
2163 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2164
f1e894f3 2165 (void)close(fd);
0756eb3c
PH		 2166 fd = -1;
2167 use_lstat = TRUE; /* Reset to use lstat first */
2168
2169
2170 /* If a blocking call timed out, break the retry loop if the total time
2171 so far is not less than than retries * interval. Use the larger of the
2172 flock() and fcntl() timeouts. */
2173
2174 if (sigalrm_seen &&
2175 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2176 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2177 ob->lock_retries * ob->lock_interval)
2178 i = ob->lock_retries;
2179
2180 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2181 flock() that caused the problem. */
2182
2183 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2184 }
2185
2186 /* Test for exceeding the maximum number of tries. Either the file remains
2187 locked, or, if we haven't got it open, something is terribly wrong... */
2188
2189 if (i >= ob->lock_retries)
2190 {
2191 if (!file_opened)
2192 {
2193 addr->basic_errno = ERRNO_EXISTRACE;
2194 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2195 addr->special_action = SPECIAL_FREEZE;
2196 }
2197 else
2198 {
2199 addr->basic_errno = ERRNO_LOCKFAILED;
2200 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2201 filename);
2202 }
2203 goto RETURN;
2204 }
2205
2206 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2207
2208 /* Save access time (for subsequent restoration), modification time (for
2209 restoration if updating fails), size of file (for comsat and for re-setting if
2210 delivery fails in the middle - e.g. for quota exceeded). */
2211
2212 if (fstat(fd, &statbuf) < 0)
2213 {
2214 addr->basic_errno = errno;
2215 addr->message = string_sprintf("while fstatting opened mailbox %s",
2216 filename);
2217 goto RETURN;
2218 }
2219
2220 times.actime = statbuf.st_atime;
2221 times.modtime = statbuf.st_mtime;
2222 saved_size = statbuf.st_size;
2223 if (mailbox_size < 0) mailbox_size = saved_size;
2224 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2225 }
2226
2227/* Prepare for writing to a new file (as opposed to appending to an old one).
2228There are several different formats, but there is preliminary stuff concerned
2229with quotas that applies to all of them. Finding the current size by directory
2230scanning is expensive; for maildirs some fudges have been invented:
2231
2232 (1) A regex can be used to extract a file size from its name;
2233 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2234 mailbox size.
2235*/
2236
2237else
2238 {
2239 uschar *check_path = path; /* Default quota check path */
2240 const pcre *regex = NULL; /* Regex for file size from file name */
2241
2242 if (!check_creation(string_sprintf("%s/any", path), ob->create_file))
2243 {
2244 addr->basic_errno = ERRNO_BADCREATE;
2245 addr->message = string_sprintf("tried to create file in %s, but "
2246 "file creation outside the home directory is not permitted", path);
2247 goto RETURN;
2248 }
2249
2250 #ifdef SUPPORT_MAILDIR
d6629cdc
PH		 2251 /* For a maildir delivery, ensure that all the relevant directories exist,
2252 and a maildirfolder file if necessary. */
0756eb3c
PH		 2253
2254 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
d6629cdc 2255 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
0756eb3c
PH		 2256 return FALSE;
2257 #endif /* SUPPORT_MAILDIR */
2258
2259 /* If we are going to do a quota check, of if maildir_use_size_file is set
2260 for a maildir delivery, compile the regular expression if there is one. We
2261 may also need to adjust the path that is used. We need to do this for
2262 maildir_use_size_file even if the quota is unset, because we still want to
2263 create the file. When maildir support is not compiled,
2264 ob->maildir_use_size_file is always FALSE. */
2265
2266 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2267 {
2268 const uschar *error;
2269 int offset;
2270
01c490df 2271 /* Compile the regex if there is one. */
0756eb3c
PH		 2272
2273 if (ob->quota_size_regex != NULL)
2274 {
2275 regex = pcre_compile(CS ob->quota_size_regex, PCRE_COPT,
2276 (const char **)&error, &offset, NULL);
2277 if (regex == NULL)
2278 {
2279 addr->message = string_sprintf("appendfile: regular expression "
2280 "error: %s at offset %d while compiling %s", error, offset,
2281 ob->quota_size_regex);
2282 return FALSE;
2283 }
01c490df
PH		 2284 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2285 ob->quota_size_regex);
0756eb3c
PH		 2286 }
2287
2288 /* Use an explicitly configured directory if set */
2289
2290 if (ob->quota_directory != NULL)
2291 {
2292 check_path = expand_string(ob->quota_directory);
2293 if (check_path == NULL)
2294 {
2295 addr->transport_return = PANIC;
2296 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2297 "name for %s transport) failed: %s", ob->quota_directory,
2298 tblock->name, expand_string_message);
2299 return FALSE;
2300 }
2301
2302 if (check_path[0] != '/')
2303 {
2304 addr->message = string_sprintf("appendfile: quota_directory name "
2305 "\"%s\" is not absolute", check_path);
2306 addr->basic_errno = ERRNO_NOTABSOLUTE;
2307 return FALSE;
2308 }
2309 }
2310
2311 #ifdef SUPPORT_MAILDIR
2312 /* Otherwise, if we are handling a maildir delivery, and the directory
2313 contains a file called maildirfolder, this is a maildir++ feature telling
2314 us that this is a sub-directory of the real inbox. We should therefore do
2315 the quota check on the parent directory. Beware of the special case when
2316 the directory name itself ends in a slash. */
2317
2318 else if (mbformat == mbf_maildir)
2319 {
2320 struct stat statbuf;
2321 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2322 {
2323 uschar *new_check_path = string_copy(check_path);
2324 uschar *slash = Ustrrchr(new_check_path, '/');
2325 if (slash != NULL)
2326 {
2327 if (slash[1] == 0)
2328 {
2329 *slash = 0;
2330 slash = Ustrrchr(new_check_path, '/');
2331 }
2332 if (slash != NULL)
2333 {
2334 *slash = 0;
2335 check_path = new_check_path;
d6629cdc
PH		 2336 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2337 "quota check directory changed to %s\n", check_path);
0756eb3c
PH		 2338 }
2339 }
2340 }
2341 }
2342 #endif /* SUPPORT_MAILDIR */
2343 }
2344
2345 /* If we are using maildirsize files, we need to ensure that such a file
2346 exists and, if necessary, recalculate its contents. As a byproduct of this,
2347 we obtain the current size of the maildir. If no quota is to be enforced
2348 (ob->quota_value == 0), we still need the size if a threshold check will
2349 happen later.
2350
2351 Another regular expression is used to determine which directories inside the
2352 maildir are going to be counted. */
2353
2354 #ifdef SUPPORT_MAILDIR
2355 if (ob->maildir_use_size_file)
2356 {
2357 const pcre *dir_regex = NULL;
2358 const uschar *error;
2359 int offset;
2360
2361 if (ob->maildir_dir_regex != NULL)
2362 {
01c490df
PH		 2363 int check_path_len = Ustrlen(check_path);
2364
0756eb3c
PH		 2365 dir_regex = pcre_compile(CS ob->maildir_dir_regex, PCRE_COPT,
2366 (const char **)&error, &offset, NULL);
2367 if (dir_regex == NULL)
2368 {
2369 addr->message = string_sprintf("appendfile: regular expression "
2370 "error: %s at offset %d while compiling %s", error, offset,
2371 ob->maildir_dir_regex);
2372 return FALSE;
2373 }
01c490df
PH		 2374
2375 DEBUG(D_transport)
2376 debug_printf("using regex for maildir directory selection: %s\n",
2377 ob->maildir_dir_regex);
2378
2379 /* Check to see if we are delivering into an ignored directory, that is,
2380 if the delivery path starts with the quota check path, and the rest
2381 of the deliver path matches the regex; if so, set a flag to disable quota
2382 checking and maildirsize updating. */
2383
2384 if (Ustrncmp(path, check_path, check_path_len) == 0)
0756eb3c 2385 {
01c490df
PH		 2386 uschar *s = path + check_path_len;
2387 while (*s == '/') s++;
2388 s = (*s == 0)? US "new" : string_sprintf("%s/new", s);
2389 if (pcre_exec(dir_regex, NULL, CS s, Ustrlen(s), 0, 0, NULL, 0) < 0)
2390 {
2391 disable_quota = TRUE;
2392 DEBUG(D_transport) debug_printf("delivery directory does not match "
2393 "maildir_quota_directory_regex: disabling quota\n");
2394 }
0756eb3c
PH		 2395 }
2396 }
2397
2398 /* Quota enforcement; create and check the file. There is some discussion
2399 about whether this should happen if the quota is unset. At present, Exim
2400 always creates the file. If we ever want to change this, uncomment
2401 appropriate lines below, possibly doing a check on some option. */
2402
2403/* if (???? || ob->quota_value > 0) */
2404
01c490df 2405 if (!disable_quota)
0756eb3c 2406 {
0d7eb84a
PH		 2407 off_t size;
2408 int filecount;
0756eb3c
PH		 2409
2410 maildirsize_fd = maildir_ensure_sizefile(check_path, ob, regex, dir_regex,
2411 &size, &filecount);
2412
2413 if (maildirsize_fd == -1)
2414 {
2415 addr->basic_errno = errno;
2416 addr->message = string_sprintf("while opening or reading "
2417 "%s/maildirsize", check_path);
2418 return FALSE;
2419 }
554e333e
PP		 2420 /* can also return -2, which means that the file was removed because of
2421 raciness; but in this case, the size & filecount will still have been
2422 updated. */
0756eb3c 2423
554e333e
PP		 2424 if (mailbox_size < 0) mailbox_size = size;
2425 if (mailbox_filecount < 0) mailbox_filecount = filecount;
0756eb3c
PH		 2426 }
2427
2428 /* No quota enforcement; ensure file does *not* exist; calculate size if
2429 needed. */
2430
2431/* else
2432 * {
2433 * time_t old_latest;
2434 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2435 * if (THRESHOLD_CHECK)
2436 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2437 * regex, dir_regex, FALSE);
2438 * }
2439*/
2440
2441 }
2442 #endif /* SUPPORT_MAILDIR */
2443
d35e429d
PH		 2444 /* Otherwise if we are going to do a quota check later on, and the mailbox
2445 size is not set, find the current size of the mailbox. Ditto for the file
2446 count. Note that ob->quota_filecount_value cannot be set without
2447 ob->quota_value being set. */
0756eb3c 2448
01c490df
PH		 2449 if (!disable_quota &&
2450 (ob->quota_value > 0 || THRESHOLD_CHECK) &&
d35e429d
PH		 2451 (mailbox_size < 0 ||
2452 (mailbox_filecount < 0 && ob->quota_filecount_value > 0)))
0756eb3c 2453 {
0d7eb84a 2454 off_t size;
5fe762f6 2455 int filecount = 0;
0756eb3c
PH		 2456 DEBUG(D_transport)
2457 debug_printf("quota checks on directory %s\n", check_path);
2458 size = check_dir_size(check_path, &filecount, regex);
2459 if (mailbox_size < 0) mailbox_size = size;
2460 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2461 }
2462
2463 /* Handle the case of creating a unique file in a given directory (not in
2464 maildir or mailstore format - this is how smail did it). A temporary name is
2465 used to create the file. Later, when it is written, the name is changed to a
2466 unique one. There is no need to lock the file. An attempt is made to create
2467 the directory if it does not exist. */
2468
2469 if (mbformat == mbf_smail)
2470 {
2471 DEBUG(D_transport)
2472 debug_printf("delivering to new file in %s\n", path);
2473 filename = dataname =
2474 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2475 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2476 if (fd < 0 && /* failed to open, and */
2477 (errno != ENOENT || /* either not non-exist */
2478 !ob->create_directory || /* or not allowed to make */
2479 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2480 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2481 {
2482 addr->basic_errno = errno;
2483 addr->message = string_sprintf("while creating file %s", filename);
2484 return FALSE;
2485 }
2486 }
2487
2488 #ifdef SUPPORT_MAILDIR
2489
2490 /* Handle the case of a unique file in maildir format. The file is written to
2491 the tmp subdirectory, with a prescribed form of name. */
2492
2493 else if (mbformat == mbf_maildir)
2494 {
2495 DEBUG(D_transport)
2496 debug_printf("delivering in maildir format in %s\n", path);
2497
2498 nametag = ob->maildir_tag;
2499
2500 /* Check that nametag expands successfully; a hard failure causes a panic
2501 return. The actual expansion for use happens again later, when
2502 $message_size is accurately known. */
2503
2504 if (nametag != NULL && expand_string(nametag) == NULL &&
2505 !expand_string_forcedfail)
2506 {
2507 addr->transport_return = PANIC;
2508 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2509 "for %s transport) failed: %s", nametag, tblock->name,
2510 expand_string_message);
2511 return FALSE;
2512 }
2513
2514 /* We ensured the existence of all the relevant directories above. Attempt
2515 to open the temporary file a limited number of times. I think this rather
2516 scary-looking for statement is actually OK. If open succeeds, the loop is
2517 broken; if not, there is a test on the value of i. Get the time again
2518 afresh each time round the loop. Its value goes into a variable that is
2519 checked at the end, to make sure we don't release this process until the
2520 clock has ticked. */
2521
2522 for (i = 1;; i++)
2523 {
2524 uschar *basename;
2525
2526 (void)gettimeofday(&msg_tv, NULL);
2527 basename = string_sprintf("%lu.H%luP%lu.%s", msg_tv.tv_sec,
2528 msg_tv.tv_usec, getpid(), primary_hostname);
2529
2530 filename = dataname = string_sprintf("tmp/%s", basename);
2531 newname = string_sprintf("new/%s", basename);
2532
2533 if (Ustat(filename, &statbuf) == 0)
2534 errno = EEXIST;
2535 else if (errno == ENOENT)
2536 {
2537 fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode);
2538 if (fd >= 0) break;
2539 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2540 filename, strerror(errno));
2541 }
2542
2543 /* Too many retries - give up */
2544
2545 if (i >= ob->maildir_retries)
2546 {
2547 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2548 filename, i, (i == 1)? "y" : "ies");
2549 addr->basic_errno = errno;
8932dffe
PH		 2550 if (errno == errno_quota || errno == ENOSPC)
2551 addr->user_message = US"mailbox is full";
0756eb3c
PH		 2552 return FALSE;
2553 }
2554
2555 /* Open or stat failed but we haven't tried too many times yet. */
2556
2557 sleep(2);
2558 }
2559
2560 /* Note that we have to ensure the clock has ticked before leaving */
2561
2562 wait_for_tick = TRUE;
2563
2564 /* Why are these here? Put in because they are present in the non-maildir
2565 directory case above. */
2566
ff790e47
PH		 2567 (void)Uchown(filename, uid, gid);
2568 (void)Uchmod(filename, mode);
0756eb3c
PH		 2569 }
2570
2571 #endif /* SUPPORT_MAILDIR */
2572
2573 #ifdef SUPPORT_MAILSTORE
2574
2575 /* Handle the case of a unique file in mailstore format. First write the
2576 envelope to a temporary file, then open the main file. The unique base name
2577 for the files consists of the message id plus the pid of this delivery
2578 process. */
2579
2580 else
2581 {
2582 FILE *env_file;
2583 address_item *taddr;
2584 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2585 string_base62((long int)getpid()));
2586
2587 DEBUG(D_transport)
2588 debug_printf("delivering in mailstore format in %s\n", path);
2589
2590 filename = string_sprintf("%s.tmp", mailstore_basename);
2591 newname = string_sprintf("%s.env", mailstore_basename);
2592 dataname = string_sprintf("%s.msg", mailstore_basename);
2593
2594 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2595 if (fd < 0 && /* failed to open, and */
2596 (errno != ENOENT || /* either not non-exist */
2597 !ob->create_directory || /* or not allowed to make */
2598 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2599 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2600 {
2601 addr->basic_errno = errno;
2602 addr->message = string_sprintf("while creating file %s", filename);
2603 return FALSE;
2604 }
2605
2606 /* Why are these here? Put in because they are present in the non-maildir
2607 directory case above. */
2608
ff790e47
PH		 2609 (void)Uchown(filename, uid, gid);
2610 (void)Uchmod(filename, mode);
0756eb3c
PH		 2611
2612 /* Built a C stream from the open file descriptor. */
2613
2614 if ((env_file = fdopen(fd, "wb")) == NULL)
2615 {
2616 addr->basic_errno = errno;
2617 addr->transport_return = PANIC;
2618 addr->message = string_sprintf("fdopen of %s ("
2619 "for %s transport) failed", filename, tblock->name);
f1e894f3 2620 (void)close(fd);
0756eb3c
PH		 2621 Uunlink(filename);
2622 return FALSE;
2623 }
2624
2625 /* Write the envelope file, then close it. */
2626
2627 if (ob->mailstore_prefix != NULL)
2628 {
2629 uschar *s = expand_string(ob->mailstore_prefix);
2630 if (s == NULL)
2631 {
2632 if (!expand_string_forcedfail)
2633 {
2634 addr->transport_return = PANIC;
2635 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2636 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2637 tblock->name, expand_string_message);
f1e894f3 2638 (void)fclose(env_file);
0756eb3c
PH		 2639 Uunlink(filename);
2640 return FALSE;
2641 }
2642 }
2643 else
2644 {
2645 int n = Ustrlen(s);
2646 fprintf(env_file, "%s", CS s);
2647 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2648 }
2649 }
2650
2651 fprintf(env_file, "%s\n", sender_address);
2652
2653 for (taddr = addr; taddr!= NULL; taddr = taddr->next)
2654 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2655
2656 if (ob->mailstore_suffix != NULL)
2657 {
2658 uschar *s = expand_string(ob->mailstore_suffix);
2659 if (s == NULL)
2660 {
2661 if (!expand_string_forcedfail)
2662 {
2663 addr->transport_return = PANIC;
2664 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2665 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2666 tblock->name, expand_string_message);
f1e894f3 2667 (void)fclose(env_file);
0756eb3c
PH		 2668 Uunlink(filename);
2669 return FALSE;
2670 }
2671 }
2672 else
2673 {
2674 int n = Ustrlen(s);
2675 fprintf(env_file, "%s", CS s);
2676 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2677 }
2678 }
2679
2680 if (fclose(env_file) != 0)
2681 {
2682 addr->basic_errno = errno;
2683 addr->message = string_sprintf("while closing %s", filename);
2684 Uunlink(filename);
2685 return FALSE;
2686 }
2687
2688 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2689
2690 /* Now open the data file, and ensure that it has the correct ownership and
2691 mode. */
2692
2693 fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode);
2694 if (fd < 0)
2695 {
2696 addr->basic_errno = errno;
2697 addr->message = string_sprintf("while creating file %s", dataname);
2698 Uunlink(filename);
2699 return FALSE;
2700 }
ff790e47
PH		 2701 (void)Uchown(dataname, uid, gid);
2702 (void)Uchmod(dataname, mode);
0756eb3c
PH		 2703 }
2704
2705 #endif /* SUPPORT_MAILSTORE */
2706
2707
2708 /* In all cases of writing to a new file, ensure that the file which is
2709 going to be renamed has the correct ownership and mode. */
2710
ff790e47
PH		 2711 (void)Uchown(filename, uid, gid);
2712 (void)Uchmod(filename, mode);
0756eb3c
PH		 2713 }
2714
2715
2716/* At last we can write the message to the file, preceded by any configured
2717prefix line, and followed by any configured suffix line. If there are any
2718writing errors, we must defer. */
2719
2720DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2721
2722yield = OK;
2723errno = 0;
2724
2725/* If there is a local quota setting, check that we are not going to exceed it
2726with this message if quota_is_inclusive is set; if it is not set, the check
2727is for the mailbox already being over quota (i.e. the current message is not
2728included in the check). */
2729
01c490df 2730if (!disable_quota && ob->quota_value > 0)
0756eb3c
PH		 2731 {
2732 DEBUG(D_transport)
2733 {
b1c749bb
PH		 2734 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2735 " this message = %d (%sincluded)\n",
2736 ob->quota_value, mailbox_size, message_size,
2737 ob->quota_is_inclusive? "" : "not ");
0756eb3c
PH		 2738 debug_printf(" file count quota = %d count = %d\n",
2739 ob->quota_filecount_value, mailbox_filecount);
2740 }
2741 if (mailbox_size + (ob->quota_is_inclusive? message_size:0) > ob->quota_value)
2742 {
2743 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2744 yield = DEFER;
2745 errno = ERRNO_EXIMQUOTA;
2746 }
2747 else if (ob->quota_filecount_value > 0 &&
2748 mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2749 ob->quota_filecount_value)
2750 {
2751 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2752 yield = DEFER;
2753 errno = ERRNO_EXIMQUOTA;
2754 filecount_msg = US" filecount";
2755 }
2756 }
2757
2758/* If we are writing in MBX format, what we actually do is to write the message
2759to a temporary file, and then copy it to the real file once we know its size.
2760This is the most straightforward way of getting the correct length in the
2761separator line. So, what we do here is to save the real file descriptor, and
2762replace it with one for a temporary file. The temporary file gets unlinked once
2763opened, so that it goes away on closure. */
2764
2765#ifdef SUPPORT_MBX
2766if (yield == OK && ob->mbx_format)
2767 {
2768 temp_file = tmpfile();
2769 if (temp_file == NULL)
2770 {
2771 addr->basic_errno = errno;
2772 addr->message = US"while setting up temporary file";
2773 yield = DEFER;
2774 goto RETURN;
2775 }
2776 save_fd = fd;
2777 fd = fileno(temp_file);
2778 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2779 }
2780#endif /* SUPPORT_MBX */
2781
2782/* Zero the count of bytes written. It is incremented by the transport_xxx()
2783functions. */
2784
2785transport_count = 0;
332f5cf3 2786transport_newlines = 0;
0756eb3c
PH		 2787
2788/* Write any configured prefix text first */
2789
2790if (yield == OK && ob->message_prefix != NULL && ob->message_prefix[0] != 0)
2791 {
2792 uschar *prefix = expand_string(ob->message_prefix);
2793 if (prefix == NULL)
2794 {
2795 errno = ERRNO_EXPANDFAIL;
2796 addr->transport_return = PANIC;
2797 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2798 "transport) failed", ob->message_prefix, tblock->name);
2799 yield = DEFER;
2800 }
2801 else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
2802 }
2803
2804/* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2805various different values for batching are handled outside; if there is more
2806than one address available here, all must be included. If any address is a
2807file, use its parent in the RCPT TO. */
2808
2809if (yield == OK && ob->use_bsmtp)
2810 {
2811 transport_count = 0;
332f5cf3 2812 transport_newlines = 0;
0756eb3c
PH		 2813 if (ob->use_crlf) cr = US"\r";
2814 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2815 yield = DEFER;
2816 else
2817 {
2818 address_item *a;
332f5cf3 2819 transport_newlines++;
0756eb3c
PH		 2820 for (a = addr; a != NULL; a = a->next)
2821 {
2822 address_item *b = testflag(a, af_pfr)? a->parent: a;
2823 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2824 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2825 { yield = DEFER; break; }
332f5cf3 2826 transport_newlines++;
0756eb3c
PH		 2827 }
2828 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2829 yield = DEFER;
332f5cf3
PP		 2830 else
2831 transport_newlines++;
0756eb3c
PH		 2832 }
2833 }
2834
2835/* Now the message itself. The options for transport_write_message were set up
2836at initialization time. */
2837
2838if (yield == OK)
2839 {
2840 if (!transport_write_message(addr, fd, ob->options, 0, tblock->add_headers,
2841 tblock->remove_headers, ob->check_string, ob->escape_string,
2842 tblock->rewrite_rules, tblock->rewrite_existflags))
2843 yield = DEFER;
2844 }
2845
2846/* Now a configured suffix. */
2847
2848if (yield == OK && ob->message_suffix != NULL && ob->message_suffix[0] != 0)
2849 {
2850 uschar *suffix = expand_string(ob->message_suffix);
2851 if (suffix == NULL)
2852 {
2853 errno = ERRNO_EXPANDFAIL;
2854 addr->transport_return = PANIC;
2855 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2856 "transport) failed", ob->message_suffix, tblock->name);
2857 yield = DEFER;
2858 }
2859 else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
2860 }
2861
2862/* If batch smtp, write the terminating dot. */
2863
332f5cf3
PP		 2864if (yield == OK && ob->use_bsmtp ) {
2865 if(!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2866 else transport_newlines++;
2867}
0756eb3c
PH		 2868
2869/* If MBX format is being used, all that writing was to the temporary file.
2870However, if there was an earlier failure (Exim quota exceeded, for example),
2871the temporary file won't have got opened - and no writing will have been done.
2872If writing was OK, we restore the fd, and call a function that copies the
2873message in MBX format into the real file. Otherwise use the temporary name in
2874any messages. */
2875
2876#ifdef SUPPORT_MBX
2877if (temp_file != NULL && ob->mbx_format)
2878 {
2879 int mbx_save_errno;
2880 fd = save_fd;
2881
2882 if (yield == OK)
2883 {
2884 transport_count = 0; /* Reset transport count for actual write */
332f5cf3
PP		 2885 /* No need to reset transport_newlines as we're just using a block copy
2886 * routine so the number won't be affected */
0756eb3c
PH		 2887 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2888 }
2889 else if (errno >= 0) dataname = US"temporary file";
2890
2891 /* Preserve errno while closing the temporary file. */
2892
2893 mbx_save_errno = errno;
f1e894f3 2894 (void)fclose(temp_file);
0756eb3c
PH		 2895 errno = mbx_save_errno;
2896 }
2897#endif /* SUPPORT_MBX */
2898
2899/* Force out the remaining data to check for any errors; some OS don't allow
2900fsync() to be called for a FIFO. */
2901
54fc8428 2902if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
0756eb3c 2903
332f5cf3
PP		 2904/* Update message_size and message_linecount to the accurate count of bytes
2905written, including added headers. Note; we subtract 1 from message_linecount as
2906this variable doesn't count the new line between the header and the body of the
2907message. */
0756eb3c
PH		 2908
2909message_size = transport_count;
332f5cf3 2910message_linecount = transport_newlines - 1;
0756eb3c
PH		 2911
2912/* If using a maildir++ quota file, add this message's size to it, and
01c490df
PH		 2913close the file descriptor, except when the quota has been disabled because we
2914are delivering into an uncounted folder. */
0756eb3c
PH		 2915
2916#ifdef SUPPORT_MAILDIR
01c490df
PH		 2917if (!disable_quota)
2918 {
2919 if (yield == OK && maildirsize_fd >= 0)
2920 maildir_record_length(maildirsize_fd, message_size);
2921 maildir_save_errno = errno; /* Preserve errno while closing the file */
554e333e
PP		 2922 if (maildirsize_fd >= 0)
2923 (void)close(maildirsize_fd);
01c490df
PH		 2924 errno = maildir_save_errno;
2925 }
0756eb3c
PH		 2926#endif /* SUPPORT_MAILDIR */
2927
2928/* If there is a quota warning threshold and we are have crossed it with this
2929message, set the SPECIAL_WARN flag in the address, to cause a warning message
2930to be sent. */
2931
01c490df 2932if (!disable_quota && THRESHOLD_CHECK)
0756eb3c 2933 {
0d7eb84a 2934 off_t threshold = ob->quota_warn_threshold_value;
0756eb3c 2935 if (ob->quota_warn_threshold_is_percent)
0d7eb84a 2936 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
0756eb3c 2937 DEBUG(D_transport)
b1c749bb
PH		 2938 debug_printf("quota = " OFF_T_FMT
2939 " threshold = " OFF_T_FMT
2940 " old size = " OFF_T_FMT
2941 " message size = %d\n",
2942 ob->quota_value, threshold, mailbox_size,
0d7eb84a 2943 message_size);
0756eb3c
PH		 2944 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
2945 addr->special_action = SPECIAL_WARN;
2946
2947 /******* You might think that the test ought to be this:
2948 *
2949 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
2950 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
2951 *
2952 * (indeed, I was sent a patch with that in). However, it is possible to
2953 * have a warning threshold without actually imposing a quota, and I have
2954 * therefore kept Exim backwards compatible.
2955 ********/
2956
2957 }
2958
2959/* Handle error while writing the file. Control should come here directly after
2960the error, with the reason in errno. In the case of expansion failure in prefix
2961or suffix, it will be ERRNO_EXPANDFAIL. */
2962
2963if (yield != OK)
2964 {
2965 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
2966
2967 /* Save the error number. If positive, it will ultimately cause a strerror()
2968 call to generate some text. */
2969
2970 addr->basic_errno = errno;
2971
2972 /* For system or Exim quota excession, or disk full, set more_errno to the
2973 time since the file was last read. If delivery was into a directory, the
2974 time since last read logic is not relevant, in general. However, for maildir
2975 deliveries we can approximate it by looking at the last modified time of the
2976 "new" subdirectory. Since Exim won't be adding new messages, a change to the
2977 "new" subdirectory implies that an MUA has moved a message from there to the
2978 "cur" directory. */
2979
2980 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
2981 {
2982 addr->more_errno = 0;
2983 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
2984
2985 #ifdef SUPPORT_MAILDIR
2986 else if (mbformat == mbf_maildir)
2987 {
2988 struct stat statbuf;
2989 if (Ustat("new", &statbuf) < 0)
2990 {
2991 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
2992 "stat error %d for \"new\": %s\n", errno, strerror(errno));
2993 }
2994 else /* Want a repeatable time when in test harness */
2995 {
2996 addr->more_errno = running_in_test_harness? 10 :
2997 (int)time(NULL) - statbuf.st_mtime;
2998 }
2999 DEBUG(D_transport)
3000 debug_printf("maildir: time since \"new\" directory modified = %s\n",
3001 readconf_printtime(addr->more_errno));
3002 }
3003 #endif /* SUPPORT_MAILDIR */
3004 }
3005
3006 /* Handle system quota excession. Add an explanatory phrase for the error
3007 message, since some systems don't have special quota-excession errors,
3008 and on those that do, "quota" doesn't always mean anything to the user. */
3009
3010 if (errno == errno_quota)
3011 {
3012 #ifndef EDQUOT
3013 addr->message = string_sprintf("mailbox is full "
3014 "(quota exceeded while writing to file %s)", filename);
3015 #else
3016 addr->message = string_sprintf("mailbox is full");
3017 #endif /* EDQUOT */
5a11a7b4 3018 addr->user_message = US"mailbox is full";
0756eb3c
PH		 3019 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3020 dataname,
3021 isdirectory? US"" : US": time since file read = ",
3022 isdirectory? US"" : readconf_printtime(addr->more_errno));
3023 }
3024
3025 /* Handle Exim's own quota-imposition */
3026
3027 else if (errno == ERRNO_EXIMQUOTA)
3028 {
3029 addr->message = string_sprintf("mailbox is full "
3030 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3031 dataname);
3032 addr->user_message = US"mailbox is full";
3033 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3034 filecount_msg, dataname,
3035 isdirectory? US"" : US": time since file read = ",
3036 isdirectory? US"" : readconf_printtime(addr->more_errno));
3037 }
3038
3039 /* Handle a process failure while writing via a filter; the return
3040 from child_close() is in more_errno. */
3041
3042 else if (errno == ERRNO_FILTER_FAIL)
8e669ac1 3043 {
35af9f61
PH		 3044 yield = PANIC;
3045 addr->message = string_sprintf("transport filter process failed (%d) "
3046 "while writing to %s%s", addr->more_errno, dataname,
3047 (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
8e669ac1 3048 }
0756eb3c
PH		 3049
3050 /* Handle failure to expand header changes */
3051
3052 else if (errno == ERRNO_CHHEADER_FAIL)
3053 {
3054 yield = PANIC;
3055 addr->message =
3056 string_sprintf("failed to expand headers_add or headers_remove while "
3057 "writing to %s: %s", dataname, expand_string_message);
3058 }
3059
3060 /* Handle failure to complete writing of a data block */
3061
3062 else if (errno == ERRNO_WRITEINCOMPLETE)
3063 {
3064 addr->message = string_sprintf("failed to write data block while "
3065 "writing to %s", dataname);
3066 }
3067
3068 /* Handle length mismatch on MBX copying */
3069
3070 #ifdef SUPPORT_MBX
3071 else if (errno == ERRNO_MBXLENGTH)
3072 {
3073 addr->message = string_sprintf("length mismatch while copying MBX "
3074 "temporary file to %s", dataname);
3075 }
3076 #endif /* SUPPORT_MBX */
3077
3078 /* For other errors, a general-purpose explanation, if the message is
3079 not already set. */
3080
3081 else if (addr->message == NULL)
3082 addr->message = string_sprintf("error while writing to %s", dataname);
3083
3084 /* For a file, reset the file size to what it was before we started, leaving
3085 the last modification time unchanged, so it will get reset also. All systems
3086 investigated so far have ftruncate(), whereas not all have the F_FREESP
3087 fcntl() call (BSDI & FreeBSD do not). */
3088
ff790e47 3089 if (!isdirectory) (void)ftruncate(fd, saved_size);
0756eb3c
PH		 3090 }
3091
3092/* Handle successful writing - we want the modification time to be now for
3093appended files. Remove the default backstop error number. For a directory, now
3094is the time to rename the file with a unique name. As soon as such a name
3095appears it may get used by another process, so we close the file first and
3096check that all is well. */
3097
3098else
3099 {
3100 times.modtime = time(NULL);
3101 addr->basic_errno = 0;
3102
3103 /* Handle the case of writing to a new file in a directory. This applies
3104 to all single-file formats - maildir, mailstore, and "smail format". */
3105
3106 if (isdirectory)
3107 {
3108 if (fstat(fd, &statbuf) < 0)
3109 {
3110 addr->basic_errno = errno;
3111 addr->message = string_sprintf("while fstatting opened message file %s",
3112 filename);
3113 yield = DEFER;
3114 }
3115
3116 else if (close(fd) < 0)
3117 {
3118 addr->basic_errno = errno;
3119 addr->message = string_sprintf("close() error for %s",
3120 (ob->mailstore_format)? dataname : filename);
3121 yield = DEFER;
3122 }
3123
3124 /* File is successfully written and closed. Arrange to rename it. For the
3125 different kinds of single-file delivery, some games can be played with the
3126 name. The message size is by this time set to the accurate value so that
3127 its value can be used in expansions. */
3128
3129 else
3130 {
3131 uschar *renamename = newname;
3132 fd = -1;
3133
3134 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3135
3136 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3137 situation. The name is built by expanding the directory_file option, and
3138 we make the inode number available for use in this. The expansion was
3139 checked for syntactic validity above, before we wrote the file.
3140
3141 We have to be careful here, in case the file name exists. (In the other
3142 cases, the names used are constructed to be unique.) The rename()
3143 function just replaces an existing file - we don't want that! So instead
3144 of calling rename(), we must use link() and unlink().
3145
3146 In this case, if the link fails because of an existing file, we wait
3147 for one second and try the expansion again, to see if it produces a
3148 different value. Do this up to 5 times unless the name stops changing.
3149 This makes it possible to build values that are based on the time, and
3150 still cope with races from multiple simultaneous deliveries. */
3151
3152 if (newname == NULL)
3153 {
3154 int i;
3155 uschar *renameleaf;
3156 uschar *old_renameleaf = US"";
3157
3158 for (i = 0; ; sleep(1), i++)
3159 {
3160 deliver_inode = statbuf.st_ino;
3161 renameleaf = expand_string(ob->dirfilename);
3162 deliver_inode = 0;
3163
3164 if (renameleaf == NULL)
3165 {
3166 addr->transport_return = PANIC;
3167 addr->message = string_sprintf("Expansion of \"%s\" "
3168 "(directory_file for %s transport) failed: %s",
3169 ob->dirfilename, tblock->name, expand_string_message);
3170 goto RETURN;
3171 }
3172
3173 renamename = string_sprintf("%s/%s", path, renameleaf);
3174 if (Ulink(filename, renamename) < 0)
3175 {
3176 DEBUG(D_transport) debug_printf("link failed: %s\n",
3177 strerror(errno));
3178 if (errno != EEXIST || i >= 4 ||
3179 Ustrcmp(renameleaf, old_renameleaf) == 0)
3180 {
3181 addr->basic_errno = errno;
3182 addr->message = string_sprintf("while renaming %s as %s",
3183 filename, renamename);
3184 yield = DEFER;
3185 break;
3186 }
3187 old_renameleaf = renameleaf;
3188 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3189 renamename);
3190 }
3191 else
3192 {
3193 Uunlink(filename);
3194 filename = NULL;
3195 break;
3196 }
3197 } /* re-expand loop */
3198 } /* not mailstore or maildir */
3199
3200 /* For maildir and mailstore formats, the new name was created earlier,
3201 except that for maildir, there is the possibility of adding a "tag" on
3202 the end of the name by expanding the value of nametag. This usually
3203 includes a reference to the message size. The expansion of nametag was
3204 checked above, before the file was opened. It either succeeded, or
3205 provoked a soft failure. So any failure here can be treated as soft.
3206 Ignore non-printing characters and / and put a colon at the start if the
3207 first character is alphanumeric. */
3208
3209 else
3210 {
3211 if (nametag != NULL)
3212 {
3213 uschar *iptr = expand_string(nametag);
3214 if (iptr != NULL)
3215 {
3216 uschar *etag = store_get(Ustrlen(iptr) + 2);
3217 uschar *optr = etag;
3218 while (*iptr != 0)
3219 {
3220 if (mac_isgraph(*iptr) && *iptr != '/')
3221 {
3222 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3223 *optr++ = *iptr;
3224 }
3225 iptr++;
3226 }
3227 *optr = 0;
3228 renamename = string_sprintf("%s%s", newname, etag);
3229 }
3230 }
3231
3232 /* Do the rename. If the name is too long and a tag exists, try again
3233 without the tag. */
3234
3235 if (Urename(filename, renamename) < 0 &&
3236 (nametag == NULL || errno != ENAMETOOLONG ||
3237 (renamename = newname, Urename(filename, renamename) < 0)))
3238 {
3239 addr->basic_errno = errno;
3240 addr->message = string_sprintf("while renaming %s as %s",
3241 filename, renamename);
3242 yield = DEFER;
3243 }
3244
3245 /* Rename succeeded */
3246
3247 else
3248 {
3249 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3250 renamename);
3251 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3252 }
3253 } /* maildir or mailstore */
3254 } /* successful write + close */
3255 } /* isdirectory */
3256 } /* write success */
3257
3258
3259/* For a file, restore the last access time (atime), and set the modification
3260time as required - changed if write succeeded, unchanged if not. */
3261
3262if (!isdirectory) utime(CS filename, &times);
3263
3264/* Notify comsat if configured to do so. It only makes sense if the configured
3265file is the one that the comsat daemon knows about. */
3266
3267if (ob->notify_comsat && yield == OK && deliver_localpart != NULL)
3268 notify_comsat(deliver_localpart, saved_size);
3269
3270/* Pass back the final return code in the address structure */
3271
3272DEBUG(D_transport)
3273 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3274 yield, addr->basic_errno, addr->more_errno);
3275
3276addr->transport_return = yield;
3277
3278/* Close the file, which will release the fcntl lock. For a directory write it
3279is closed above, except in cases of error which goto RETURN, when we also need
3280to remove the original file(s). For MBX locking, if all has gone well, before
3281closing the file, see if we can get an exclusive lock on it, in which case we
3282can unlink the /tmp lock file before closing it. This is always a non-blocking
3283lock; there's no need to wait if we can't get it. If everything has gone right
3284but close fails, defer the message. Then unlink the lock file, if present. This
3285point in the code is jumped to from a number of places when errors are
3286detected, in order to get the file closed and the lock file tidied away. */
3287
3288RETURN:
3289
3290#ifdef SUPPORT_MBX
3291if (mbx_lockfd >= 0)
3292 {
3293 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3294 ob->use_flock, 0) >= 0)
3295 {
3296 DEBUG(D_transport)
3297 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3298 Uunlink(mbx_lockname);
3299 }
f1e894f3 3300 (void)close(mbx_lockfd);
0756eb3c
PH		 3301 }
3302#endif /* SUPPORT_MBX */
3303
3304if (fd >= 0 && close(fd) < 0 && yield == OK)
3305 {
3306 addr->basic_errno = errno;
3307 addr->message = string_sprintf("while closing %s", filename);
3308 addr->transport_return = DEFER;
3309 }
3310
3311if (hd >= 0) Uunlink(lockname);
3312
3313/* We get here with isdirectory and filename set only in error situations. */
3314
3315if (isdirectory && filename != NULL)
3316 {
3317 Uunlink(filename);
3318 if (dataname != filename) Uunlink(dataname);
3319 }
3320
3321/* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3322file name relies on time + pid. We must not allow the process to finish until
3323the clock has move on by at least one microsecond. Usually we expect this
3324already to be the case, but machines keep getting faster... */
3325
3326if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3327
3328/* A return of FALSE means that if there was an error, a common error was
3329put in the first address of a batch. */
3330
3331return FALSE;
3332}
3333
3334/* End of transport/appendfile.c */
Unnamed repository; edit this file 'description' to name the repository.