Commit | Line | Data |
---|---|---|
0756eb3c PH |
1 | /************************************************* |
2 | * Exim - an Internet mail transport agent * | |
3 | *************************************************/ | |
4 | ||
80fea873 | 5 | /* Copyright (c) University of Cambridge 1995 - 2016 */ |
0756eb3c PH |
6 | /* See the file NOTICE for conditions of use and distribution. */ |
7 | ||
8 | ||
9 | #include "../exim.h" | |
10 | #include "appendfile.h" | |
11 | ||
12 | #ifdef SUPPORT_MAILDIR | |
13 | #include "tf_maildir.h" | |
14 | #endif | |
15 | ||
16 | ||
17 | /* Encodings for mailbox formats, and their names. MBX format is actually | |
18 | supported only if SUPPORT_MBX is set. */ | |
19 | ||
20 | enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore }; | |
21 | ||
1ba28e2b | 22 | static const char *mailbox_formats[] = { |
0756eb3c PH |
23 | "unix", "mbx", "smail", "maildir", "mailstore" }; |
24 | ||
25 | ||
26 | /* Check warn threshold only if quota size set or not a percentage threshold | |
27 | percentage check should only be done if quota > 0 */ | |
28 | ||
29 | #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \ | |
30 | (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0)) | |
31 | ||
32 | ||
33 | /* Options specific to the appendfile transport. They must be in alphabetic | |
34 | order (note that "_" comes before the lower case letters). Some of them are | |
35 | stored in the publicly visible instance block - these are flagged with the | |
36 | opt_public flag. */ | |
37 | ||
38 | optionlist appendfile_transport_options[] = { | |
555ae6af PP |
39 | #ifdef SUPPORT_MAILDIR |
40 | { "*expand_maildir_use_size_file", opt_stringptr, | |
41 | (void *)offsetof(appendfile_transport_options_block, expand_maildir_use_size_file) }, | |
42 | #endif | |
0756eb3c PH |
43 | { "*set_use_fcntl_lock",opt_bool | opt_hidden, |
44 | (void *)offsetof(appendfile_transport_options_block, set_use_fcntl) }, | |
45 | { "*set_use_flock_lock",opt_bool | opt_hidden, | |
46 | (void *)offsetof(appendfile_transport_options_block, set_use_flock) }, | |
47 | { "*set_use_lockfile", opt_bool | opt_hidden, | |
48 | (void *)offsetof(appendfile_transport_options_block, set_use_lockfile) }, | |
49 | #ifdef SUPPORT_MBX | |
50 | { "*set_use_mbx_lock", opt_bool | opt_hidden, | |
51 | (void *)offsetof(appendfile_transport_options_block, set_use_mbx_lock) }, | |
52 | #endif | |
53 | { "allow_fifo", opt_bool, | |
54 | (void *)offsetof(appendfile_transport_options_block, allow_fifo) }, | |
55 | { "allow_symlink", opt_bool, | |
56 | (void *)offsetof(appendfile_transport_options_block, allow_symlink) }, | |
57 | { "batch_id", opt_stringptr | opt_public, | |
58 | (void *)offsetof(transport_instance, batch_id) }, | |
59 | { "batch_max", opt_int | opt_public, | |
60 | (void *)offsetof(transport_instance, batch_max) }, | |
61 | { "check_group", opt_bool, | |
62 | (void *)offsetof(appendfile_transport_options_block, check_group) }, | |
63 | { "check_owner", opt_bool, | |
64 | (void *)offsetof(appendfile_transport_options_block, check_owner) }, | |
65 | { "check_string", opt_stringptr, | |
66 | (void *)offsetof(appendfile_transport_options_block, check_string) }, | |
67 | { "create_directory", opt_bool, | |
68 | (void *)offsetof(appendfile_transport_options_block, create_directory) }, | |
69 | { "create_file", opt_stringptr, | |
70 | (void *)offsetof(appendfile_transport_options_block, create_file_string) }, | |
71 | { "directory", opt_stringptr, | |
72 | (void *)offsetof(appendfile_transport_options_block, dirname) }, | |
73 | { "directory_file", opt_stringptr, | |
74 | (void *)offsetof(appendfile_transport_options_block, dirfilename) }, | |
75 | { "directory_mode", opt_octint, | |
76 | (void *)offsetof(appendfile_transport_options_block, dirmode) }, | |
77 | { "escape_string", opt_stringptr, | |
78 | (void *)offsetof(appendfile_transport_options_block, escape_string) }, | |
79 | { "file", opt_stringptr, | |
80 | (void *)offsetof(appendfile_transport_options_block, filename) }, | |
81 | { "file_format", opt_stringptr, | |
82 | (void *)offsetof(appendfile_transport_options_block, file_format) }, | |
83 | { "file_must_exist", opt_bool, | |
84 | (void *)offsetof(appendfile_transport_options_block, file_must_exist) }, | |
85 | { "lock_fcntl_timeout", opt_time, | |
86 | (void *)offsetof(appendfile_transport_options_block, lock_fcntl_timeout) }, | |
87 | { "lock_flock_timeout", opt_time, | |
88 | (void *)offsetof(appendfile_transport_options_block, lock_flock_timeout) }, | |
89 | { "lock_interval", opt_time, | |
90 | (void *)offsetof(appendfile_transport_options_block, lock_interval) }, | |
91 | { "lock_retries", opt_int, | |
92 | (void *)offsetof(appendfile_transport_options_block, lock_retries) }, | |
93 | { "lockfile_mode", opt_octint, | |
94 | (void *)offsetof(appendfile_transport_options_block, lockfile_mode) }, | |
95 | { "lockfile_timeout", opt_time, | |
96 | (void *)offsetof(appendfile_transport_options_block, lockfile_timeout) }, | |
97 | { "mailbox_filecount", opt_stringptr, | |
98 | (void *)offsetof(appendfile_transport_options_block, mailbox_filecount_string) }, | |
99 | { "mailbox_size", opt_stringptr, | |
100 | (void *)offsetof(appendfile_transport_options_block, mailbox_size_string) }, | |
101 | #ifdef SUPPORT_MAILDIR | |
102 | { "maildir_format", opt_bool, | |
103 | (void *)offsetof(appendfile_transport_options_block, maildir_format ) } , | |
104 | { "maildir_quota_directory_regex", opt_stringptr, | |
105 | (void *)offsetof(appendfile_transport_options_block, maildir_dir_regex) }, | |
106 | { "maildir_retries", opt_int, | |
107 | (void *)offsetof(appendfile_transport_options_block, maildir_retries) }, | |
108 | { "maildir_tag", opt_stringptr, | |
109 | (void *)offsetof(appendfile_transport_options_block, maildir_tag) }, | |
555ae6af | 110 | { "maildir_use_size_file", opt_expand_bool, |
0756eb3c | 111 | (void *)offsetof(appendfile_transport_options_block, maildir_use_size_file ) } , |
d6629cdc PH |
112 | { "maildirfolder_create_regex", opt_stringptr, |
113 | (void *)offsetof(appendfile_transport_options_block, maildirfolder_create_regex ) }, | |
0756eb3c PH |
114 | #endif /* SUPPORT_MAILDIR */ |
115 | #ifdef SUPPORT_MAILSTORE | |
116 | { "mailstore_format", opt_bool, | |
117 | (void *)offsetof(appendfile_transport_options_block, mailstore_format ) }, | |
118 | { "mailstore_prefix", opt_stringptr, | |
119 | (void *)offsetof(appendfile_transport_options_block, mailstore_prefix ) }, | |
120 | { "mailstore_suffix", opt_stringptr, | |
121 | (void *)offsetof(appendfile_transport_options_block, mailstore_suffix ) }, | |
122 | #endif /* SUPPORT_MAILSTORE */ | |
123 | #ifdef SUPPORT_MBX | |
124 | { "mbx_format", opt_bool, | |
125 | (void *)offsetof(appendfile_transport_options_block, mbx_format ) } , | |
126 | #endif /* SUPPORT_MBX */ | |
127 | { "message_prefix", opt_stringptr, | |
128 | (void *)offsetof(appendfile_transport_options_block, message_prefix) }, | |
129 | { "message_suffix", opt_stringptr, | |
130 | (void *)offsetof(appendfile_transport_options_block, message_suffix) }, | |
131 | { "mode", opt_octint, | |
132 | (void *)offsetof(appendfile_transport_options_block, mode) }, | |
133 | { "mode_fail_narrower",opt_bool, | |
134 | (void *)offsetof(appendfile_transport_options_block, mode_fail_narrower) }, | |
135 | { "notify_comsat", opt_bool, | |
136 | (void *)offsetof(appendfile_transport_options_block, notify_comsat) }, | |
137 | { "quota", opt_stringptr, | |
138 | (void *)offsetof(appendfile_transport_options_block, quota) }, | |
139 | { "quota_directory", opt_stringptr, | |
140 | (void *)offsetof(appendfile_transport_options_block, quota_directory) }, | |
141 | { "quota_filecount", opt_stringptr, | |
142 | (void *)offsetof(appendfile_transport_options_block, quota_filecount) }, | |
143 | { "quota_is_inclusive", opt_bool, | |
144 | (void *)offsetof(appendfile_transport_options_block, quota_is_inclusive) }, | |
145 | { "quota_size_regex", opt_stringptr, | |
146 | (void *)offsetof(appendfile_transport_options_block, quota_size_regex) }, | |
147 | { "quota_warn_message", opt_stringptr | opt_public, | |
148 | (void *)offsetof(transport_instance, warn_message) }, | |
149 | { "quota_warn_threshold", opt_stringptr, | |
150 | (void *)offsetof(appendfile_transport_options_block, quota_warn_threshold) }, | |
151 | { "use_bsmtp", opt_bool, | |
152 | (void *)offsetof(appendfile_transport_options_block, use_bsmtp) }, | |
153 | { "use_crlf", opt_bool, | |
154 | (void *)offsetof(appendfile_transport_options_block, use_crlf) }, | |
155 | { "use_fcntl_lock", opt_bool_set, | |
156 | (void *)offsetof(appendfile_transport_options_block, use_fcntl) }, | |
157 | { "use_flock_lock", opt_bool_set, | |
158 | (void *)offsetof(appendfile_transport_options_block, use_flock) }, | |
159 | { "use_lockfile", opt_bool_set, | |
160 | (void *)offsetof(appendfile_transport_options_block, use_lockfile) }, | |
161 | #ifdef SUPPORT_MBX | |
162 | { "use_mbx_lock", opt_bool_set, | |
163 | (void *)offsetof(appendfile_transport_options_block, use_mbx_lock) }, | |
164 | #endif /* SUPPORT_MBX */ | |
165 | }; | |
166 | ||
167 | /* Size of the options list. An extern variable has to be used so that its | |
168 | address can appear in the tables drtables.c. */ | |
169 | ||
170 | int appendfile_transport_options_count = | |
171 | sizeof(appendfile_transport_options)/sizeof(optionlist); | |
172 | ||
173 | /* Default private options block for the appendfile transport. */ | |
174 | ||
175 | appendfile_transport_options_block appendfile_transport_option_defaults = { | |
176 | NULL, /* filename */ | |
177 | NULL, /* dirname */ | |
178 | US"q${base62:$tod_epoch}-$inode", /* dirfilename */ | |
179 | NULL, /* message_prefix (default reset in init if not bsmtp) */ | |
180 | NULL, /* message_suffix (ditto) */ | |
181 | US"anywhere", /* create_file_string (string value for create_file) */ | |
182 | NULL, /* quota */ | |
183 | NULL, /* quota_directory */ | |
184 | NULL, /* quota_filecount */ | |
185 | NULL, /* quota_size_regex */ | |
186 | NULL, /* quota_warn_threshold */ | |
187 | NULL, /* mailbox_size_string */ | |
188 | NULL, /* mailbox_filecount_string */ | |
94431adb | 189 | NULL, /* expand_maildir_use_size_file */ |
0756eb3c PH |
190 | US"^(?:cur|new|\\..*)$", /* maildir_dir_regex */ |
191 | NULL, /* maildir_tag */ | |
d6629cdc | 192 | NULL, /* maildirfolder_create_regex */ |
0756eb3c PH |
193 | NULL, /* mailstore_prefix */ |
194 | NULL, /* mailstore_suffix */ | |
195 | NULL, /* check_string (default changed for non-bsmtp file)*/ | |
196 | NULL, /* escape_string (ditto) */ | |
197 | NULL, /* file_format */ | |
0d7eb84a PH |
198 | 0, /* quota_value */ |
199 | 0, /* quota_warn_threshold_value */ | |
0756eb3c PH |
200 | -1, /* mailbox_size_value */ |
201 | -1, /* mailbox_filecount_value */ | |
0756eb3c | 202 | 0, /* quota_filecount_value */ |
0756eb3c PH |
203 | APPENDFILE_MODE, /* mode */ |
204 | APPENDFILE_DIRECTORY_MODE, /* dirmode */ | |
205 | APPENDFILE_LOCKFILE_MODE, /* lockfile_mode */ | |
206 | 30*60, /* lockfile_timeout */ | |
207 | 0, /* lock_fcntl_timeout */ | |
208 | 0, /* lock_flock_timeout */ | |
209 | 10, /* lock_retries */ | |
210 | 3, /* lock_interval */ | |
211 | 10, /* maildir_retries */ | |
212 | create_anywhere,/* create_file */ | |
213 | 0, /* options */ | |
214 | FALSE, /* allow_fifo */ | |
215 | FALSE, /* allow_symlink */ | |
216 | FALSE, /* check_group */ | |
217 | TRUE, /* check_owner */ | |
218 | TRUE, /* create_directory */ | |
219 | FALSE, /* notify_comsat */ | |
220 | TRUE, /* use_lockfile */ | |
221 | FALSE, /* set_use_lockfile */ | |
222 | TRUE, /* use_fcntl */ | |
223 | FALSE, /* set_use_fcntl */ | |
224 | FALSE, /* use_flock */ | |
225 | FALSE, /* set_use_flock */ | |
226 | FALSE, /* use_mbx_lock */ | |
227 | FALSE, /* set_use_mbx_lock */ | |
228 | FALSE, /* use_bsmtp */ | |
229 | FALSE, /* use_crlf */ | |
230 | FALSE, /* file_must_exist */ | |
231 | TRUE, /* mode_fail_narrower */ | |
232 | FALSE, /* maildir_format */ | |
233 | FALSE, /* maildir_use_size_file */ | |
234 | FALSE, /* mailstore_format */ | |
235 | FALSE, /* mbx_format */ | |
236 | FALSE, /* quota_warn_threshold_is_percent */ | |
d291c767 HSHR |
237 | TRUE, /* quota_is_inclusive */ |
238 | FALSE, /* quota_no_check */ | |
239 | FALSE /* quota_filecount_no_check */ | |
0756eb3c PH |
240 | }; |
241 | ||
242 | ||
243 | ||
244 | /************************************************* | |
245 | * Setup entry point * | |
246 | *************************************************/ | |
247 | ||
248 | /* Called for each delivery in the privileged state, just before the uid/gid | |
249 | are changed and the main entry point is called. We use this function to | |
250 | expand any quota settings, so that it can access files that may not be readable | |
251 | by the user. It is also used to pick up external mailbox size information, if | |
252 | set. | |
253 | ||
254 | Arguments: | |
255 | tblock points to the transport instance | |
256 | addrlist addresses about to be delivered (not used) | |
257 | dummy not used (doesn't pass back data) | |
929ba01c PH |
258 | uid the uid that will be set (not used) |
259 | gid the gid that will be set (not used) | |
0756eb3c PH |
260 | errmsg where to put an error message |
261 | ||
262 | Returns: OK, FAIL, or DEFER | |
263 | */ | |
264 | ||
265 | static int | |
266 | appendfile_transport_setup(transport_instance *tblock, address_item *addrlist, | |
929ba01c | 267 | transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg) |
0756eb3c PH |
268 | { |
269 | appendfile_transport_options_block *ob = | |
270 | (appendfile_transport_options_block *)(tblock->options_block); | |
271 | uschar *q = ob->quota; | |
0d7eb84a | 272 | double default_value = 0.0; |
0756eb3c PH |
273 | int i; |
274 | ||
275 | addrlist = addrlist; /* Keep picky compilers happy */ | |
276 | dummy = dummy; | |
929ba01c PH |
277 | uid = uid; |
278 | gid = gid; | |
0756eb3c | 279 | |
555ae6af | 280 | if (ob->expand_maildir_use_size_file) |
94431adb | 281 | ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file, |
555ae6af PP |
282 | US"`maildir_use_size_file` in transport", tblock->name); |
283 | ||
0756eb3c PH |
284 | /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size, |
285 | mailbox_filecount */ | |
286 | ||
287 | for (i = 0; i < 5; i++) | |
288 | { | |
0d7eb84a | 289 | double d; |
d291c767 | 290 | int no_check = 0; |
21c28500 | 291 | uschar *which = NULL; |
0d7eb84a | 292 | |
d291c767 HSHR |
293 | if (q == NULL) d = default_value; |
294 | else | |
0756eb3c | 295 | { |
0756eb3c PH |
296 | uschar *rest; |
297 | uschar *s = expand_string(q); | |
298 | ||
299 | if (s == NULL) | |
300 | { | |
301 | *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: " | |
302 | "%s", q, tblock->name, expand_string_message); | |
303 | return search_find_defer? DEFER : FAIL; | |
304 | } | |
305 | ||
306 | d = Ustrtod(s, &rest); | |
307 | ||
be22d70e | 308 | /* Handle following characters K, M, G, %, the latter being permitted |
0756eb3c PH |
309 | for quota_warn_threshold only. A threshold with no quota setting is |
310 | just ignored. */ | |
311 | ||
312 | if (tolower(*rest) == 'k') { d *= 1024.0; rest++; } | |
313 | else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; } | |
be22d70e | 314 | else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; } |
0756eb3c PH |
315 | else if (*rest == '%' && i == 2) |
316 | { | |
317 | if (ob->quota_value <= 0 && !ob->maildir_use_size_file) d = 0; | |
318 | else if ((int)d < 0 || (int)d > 100) | |
319 | { | |
320 | *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)" | |
321 | " for %s transport", (int)d, tblock->name); | |
322 | return FAIL; | |
323 | } | |
324 | ob->quota_warn_threshold_is_percent = TRUE; | |
325 | rest++; | |
326 | } | |
327 | ||
d291c767 HSHR |
328 | |
329 | /* For quota and quota_filecount there may be options | |
330 | appended. Currently only "no_check", so we can be lazy parsing it */ | |
331 | if (i < 2 && Ustrstr(rest, "/no_check") == rest) | |
332 | { | |
333 | no_check = 1; | |
334 | rest += sizeof("/no_check") - 1; | |
335 | } | |
336 | ||
0756eb3c PH |
337 | while (isspace(*rest)) rest++; |
338 | ||
339 | if (*rest != 0) | |
340 | { | |
341 | *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") " | |
d291c767 | 342 | "in %s transport [%s]", s, q, tblock->name); |
0756eb3c PH |
343 | return FAIL; |
344 | } | |
0756eb3c PH |
345 | } |
346 | ||
21c28500 PH |
347 | /* Set each value, checking for possible overflow. */ |
348 | ||
0756eb3c PH |
349 | switch (i) |
350 | { | |
351 | case 0: | |
21c28500 | 352 | if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"quota"; |
0d7eb84a | 353 | ob->quota_value = (off_t)d; |
d291c767 | 354 | ob->quota_no_check = no_check; |
0756eb3c | 355 | q = ob->quota_filecount; |
0756eb3c PH |
356 | break; |
357 | ||
358 | case 1: | |
21c28500 | 359 | if (d >= 2.0*1024.0*1024.0*1024.0) which = US"quota_filecount"; |
0d7eb84a | 360 | ob->quota_filecount_value = (int)d; |
d291c767 | 361 | ob->quota_filecount_no_check = no_check; |
0756eb3c | 362 | q = ob->quota_warn_threshold; |
0756eb3c PH |
363 | break; |
364 | ||
365 | case 2: | |
21c28500 PH |
366 | if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) |
367 | which = US"quota_warn_threshold"; | |
0d7eb84a | 368 | ob->quota_warn_threshold_value = (off_t)d; |
0756eb3c | 369 | q = ob->mailbox_size_string; |
0d7eb84a | 370 | default_value = -1.0; |
0756eb3c PH |
371 | break; |
372 | ||
373 | case 3: | |
21c28500 PH |
374 | if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) |
375 | which = US"mailbox_size";; | |
0d7eb84a | 376 | ob->mailbox_size_value = (off_t)d; |
0756eb3c | 377 | q = ob->mailbox_filecount_string; |
0d7eb84a PH |
378 | break; |
379 | ||
380 | case 4: | |
21c28500 | 381 | if (d >= 2.0*1024.0*1024.0*1024.0) which = US"mailbox_filecount"; |
0d7eb84a | 382 | ob->mailbox_filecount_value = (int)d; |
0756eb3c PH |
383 | break; |
384 | } | |
21c28500 PH |
385 | |
386 | if (which != NULL) | |
387 | { | |
388 | *errmsg = string_sprintf("%s value %.10g is too large (overflow) in " | |
389 | "%s transport", which, d, tblock->name); | |
390 | return FAIL; | |
391 | } | |
0756eb3c PH |
392 | } |
393 | ||
394 | return OK; | |
395 | } | |
396 | ||
397 | ||
398 | ||
399 | /************************************************* | |
400 | * Initialization entry point * | |
401 | *************************************************/ | |
402 | ||
403 | /* Called for each instance, after its options have been read, to | |
404 | enable consistency checks to be done, or anything else that needs | |
405 | to be set up. */ | |
406 | ||
407 | void | |
408 | appendfile_transport_init(transport_instance *tblock) | |
409 | { | |
410 | appendfile_transport_options_block *ob = | |
411 | (appendfile_transport_options_block *)(tblock->options_block); | |
412 | ||
413 | /* Set up the setup entry point, to be called in the privileged state */ | |
414 | ||
415 | tblock->setup = appendfile_transport_setup; | |
416 | ||
417 | /* Lock_retries must be greater than zero */ | |
418 | ||
419 | if (ob->lock_retries == 0) ob->lock_retries = 1; | |
420 | ||
421 | /* Only one of a file name or directory name must be given. */ | |
422 | ||
423 | if (ob->filename != NULL && ob->dirname != NULL) | |
424 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
425 | "only one of \"file\" or \"directory\" can be specified", tblock->name); | |
426 | ||
427 | /* If a file name was specified, neither quota_filecount nor quota_directory | |
428 | must be given. */ | |
429 | ||
430 | if (ob->filename != NULL) | |
431 | { | |
432 | if (ob->quota_filecount != NULL) | |
433 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
434 | "quota_filecount must not be set without \"directory\"", tblock->name); | |
435 | if (ob->quota_directory != NULL) | |
436 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
437 | "quota_directory must not be set without \"directory\"", tblock->name); | |
438 | } | |
439 | ||
440 | /* The default locking depends on whether MBX is set or not. Change the | |
441 | built-in default if none of the lock options has been explicitly set. At least | |
442 | one form of locking is required in all cases, but mbx locking changes the | |
443 | meaning of fcntl and flock locking. */ | |
444 | ||
445 | /* Not all operating systems provide flock(). For those that do, if flock is | |
446 | requested, the default for fcntl is FALSE. */ | |
447 | ||
448 | if (ob->use_flock) | |
449 | { | |
450 | #ifdef NO_FLOCK | |
451 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
452 | "flock() support was not available in the operating system when this " | |
453 | "binary was built", tblock->name); | |
454 | #endif /* NO_FLOCK */ | |
455 | if (!ob->set_use_fcntl) ob->use_fcntl = FALSE; | |
456 | } | |
457 | ||
458 | #ifdef SUPPORT_MBX | |
459 | if (ob->mbx_format) | |
460 | { | |
461 | if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock && | |
462 | !ob->set_use_mbx_lock) | |
463 | { | |
464 | ob->use_lockfile = ob->use_flock = FALSE; | |
465 | ob->use_mbx_lock = ob->use_fcntl = TRUE; | |
466 | } | |
467 | else if (ob->use_mbx_lock) | |
468 | { | |
469 | if (!ob->set_use_lockfile) ob->use_lockfile = FALSE; | |
470 | if (!ob->set_use_fcntl) ob->use_fcntl = FALSE; | |
471 | if (!ob->set_use_flock) ob->use_flock = FALSE; | |
472 | if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE; | |
473 | } | |
474 | } | |
475 | #endif /* SUPPORT_MBX */ | |
476 | ||
477 | if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock) | |
478 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
479 | "no locking configured", tblock->name); | |
480 | ||
481 | /* Unset timeouts for non-used locking types */ | |
482 | ||
483 | if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0; | |
484 | if (!ob->use_flock) ob->lock_flock_timeout = 0; | |
485 | ||
486 | /* If a directory name was specified, only one of maildir or mailstore may be | |
487 | specified, and if quota_filecount or quota_directory is given, quota must | |
488 | be set. */ | |
489 | ||
490 | if (ob->dirname != NULL) | |
491 | { | |
492 | if (ob->maildir_format && ob->mailstore_format) | |
493 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
494 | "only one of maildir and mailstore may be specified", tblock->name); | |
495 | if (ob->quota_filecount != NULL && ob->quota == NULL) | |
496 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
497 | "quota must be set if quota_filecount is set", tblock->name); | |
498 | if (ob->quota_directory != NULL && ob->quota == NULL) | |
499 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n " | |
500 | "quota must be set if quota_directory is set", tblock->name); | |
501 | } | |
502 | ||
503 | /* If a fixed uid field is set, then a gid field must also be set. */ | |
504 | ||
505 | if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL) | |
506 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG, | |
507 | "user set without group for the %s transport", tblock->name); | |
508 | ||
509 | /* If "create_file" is set, check that a valid option is given, and set the | |
510 | integer variable. */ | |
511 | ||
512 | if (ob->create_file_string != NULL) | |
513 | { | |
514 | int value = 0; | |
515 | if (Ustrcmp(ob->create_file_string, "anywhere") == 0) value = create_anywhere; | |
516 | else if (Ustrcmp(ob->create_file_string, "belowhome") == 0) value = | |
517 | create_belowhome; | |
518 | else if (Ustrcmp(ob->create_file_string, "inhome") == 0) | |
519 | value = create_inhome; | |
520 | else | |
521 | log_write(0, LOG_PANIC_DIE|LOG_CONFIG, | |
522 | "invalid value given for \"file_create\" for the %s transport: %s", | |
523 | tblock->name, ob->create_file_string); | |
524 | ob->create_file = value; | |
525 | } | |
526 | ||
527 | /* If quota_warn_threshold is set, set up default for warn_message. It may | |
528 | not be used if the actual threshold for a given delivery ends up as zero, | |
529 | of if it's given as a percentage and there's no quota setting. */ | |
530 | ||
531 | if (ob->quota_warn_threshold != NULL) | |
532 | { | |
533 | if (tblock->warn_message == NULL) tblock->warn_message = US | |
534 | "To: $local_part@$domain\n" | |
535 | "Subject: Your mailbox\n\n" | |
536 | "This message is automatically created by mail delivery software (Exim).\n\n" | |
537 | "The size of your mailbox has exceeded a warning threshold that is\n" | |
538 | "set by the system administrator.\n"; | |
539 | } | |
540 | ||
541 | /* If batch SMTP is set, force the check and escape strings, and arrange that | |
542 | headers are also escaped. */ | |
543 | ||
544 | if (ob->use_bsmtp) | |
545 | { | |
546 | ob->check_string = US"."; | |
547 | ob->escape_string = US".."; | |
548 | ob->options |= topt_escape_headers; | |
549 | } | |
550 | ||
551 | /* If not batch SMTP, not maildir, not mailstore, and directory is not set, | |
552 | insert default values for for the affixes and the check/escape strings. */ | |
553 | ||
554 | else if (ob->dirname == NULL && !ob->maildir_format && !ob->mailstore_format) | |
555 | { | |
556 | if (ob->message_prefix == NULL) ob->message_prefix = | |
557 | US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n"; | |
558 | if (ob->message_suffix == NULL) ob->message_suffix = US"\n"; | |
559 | if (ob->check_string == NULL) ob->check_string = US"From "; | |
560 | if (ob->escape_string == NULL) ob->escape_string = US">From "; | |
561 | ||
562 | } | |
563 | ||
564 | /* Set up the bitwise options for transport_write_message from the various | |
565 | driver options. Only one of body_only and headers_only can be set. */ | |
566 | ||
567 | ob->options |= | |
568 | (tblock->body_only? topt_no_headers : 0) | | |
569 | (tblock->headers_only? topt_no_body : 0) | | |
570 | (tblock->return_path_add? topt_add_return_path : 0) | | |
571 | (tblock->delivery_date_add? topt_add_delivery_date : 0) | | |
572 | (tblock->envelope_to_add? topt_add_envelope_to : 0) | | |
573 | ((ob->use_crlf || ob->mbx_format)? topt_use_crlf : 0); | |
574 | } | |
575 | ||
576 | ||
577 | ||
578 | /************************************************* | |
579 | * Notify comsat * | |
580 | *************************************************/ | |
581 | ||
582 | /* The comsat daemon is the thing that provides asynchronous notification of | |
583 | the arrival of local messages, if requested by the user by "biff y". It is a | |
584 | BSD thing that uses a TCP/IP protocol for communication. A message consisting | |
585 | of the text "user@offset" must be sent, where offset is the place in the | |
586 | mailbox where new mail starts. There is no scope for telling it which file to | |
587 | look at, which makes it a less than useful if mail is being delivered into a | |
588 | non-standard place such as the user's home directory. In fact, it doesn't seem | |
589 | to pay much attention to the offset. | |
590 | ||
591 | Arguments: | |
592 | user user name | |
593 | offset offset in mailbox | |
594 | ||
595 | Returns: nothing | |
596 | */ | |
597 | ||
598 | static void | |
0d7eb84a | 599 | notify_comsat(uschar *user, off_t offset) |
0756eb3c PH |
600 | { |
601 | struct servent *sp; | |
602 | host_item host; | |
603 | host_item *h; | |
604 | uschar buffer[256]; | |
605 | ||
606 | DEBUG(D_transport) debug_printf("notify_comsat called\n"); | |
607 | ||
b1c749bb | 608 | sprintf(CS buffer, "%.200s@" OFF_T_FMT "\n", user, offset); |
0756eb3c PH |
609 | |
610 | if ((sp = getservbyname("biff", "udp")) == NULL) | |
611 | { | |
612 | DEBUG(D_transport) debug_printf("biff/udp is an unknown service"); | |
613 | return; | |
614 | } | |
615 | ||
616 | host.name = US"localhost"; | |
617 | host.next = NULL; | |
618 | ||
619 | ||
620 | /* This code is all set up to look up "localhost" and use all its addresses | |
621 | until one succeeds. However, it appears that at least on some systems, comsat | |
622 | doesn't listen on the ::1 address. So for the moment, just force the address to | |
623 | be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this | |
322050c2 | 624 | can be changed. (But actually, comsat is probably dying out anyway.) */ |
0756eb3c PH |
625 | |
626 | /****** | |
322050c2 | 627 | if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED) |
0756eb3c PH |
628 | { |
629 | DEBUG(D_transport) debug_printf("\"localhost\" unknown\n"); | |
630 | return; | |
631 | } | |
632 | ******/ | |
633 | ||
634 | host.address = US"127.0.0.1"; | |
635 | ||
636 | ||
fb05276a | 637 | for (h = &host; h; h = h->next) |
0756eb3c PH |
638 | { |
639 | int sock, rc; | |
fb05276a | 640 | int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET; |
0756eb3c PH |
641 | |
642 | DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address); | |
643 | ||
fb05276a | 644 | if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue; |
0756eb3c PH |
645 | |
646 | /* Connect never fails for a UDP socket, so don't set a timeout. */ | |
647 | ||
fb05276a | 648 | (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, FALSE); |
0756eb3c | 649 | rc = send(sock, buffer, Ustrlen(buffer) + 1, 0); |
f1e894f3 | 650 | (void)close(sock); |
0756eb3c PH |
651 | |
652 | if (rc >= 0) break; | |
653 | DEBUG(D_transport) | |
654 | debug_printf("send to comsat failed for %s: %s\n", strerror(errno), | |
655 | h->address); | |
656 | } | |
657 | } | |
658 | ||
659 | ||
660 | ||
661 | /************************************************* | |
662 | * Check the format of a file * | |
663 | *************************************************/ | |
664 | ||
665 | /* This function is called when file_format is set, to check that an existing | |
666 | file has the right format. The format string contains text/transport pairs. The | |
667 | string matching is literal. we just read big_buffer_size bytes, because this is | |
668 | all about the first few bytes of a file. | |
669 | ||
670 | Arguments: | |
671 | cfd the open file | |
672 | tblock the transport block | |
673 | addr the address block - for inserting error data | |
674 | ||
675 | Returns: pointer to the required transport, or NULL | |
676 | */ | |
677 | ||
678 | transport_instance * | |
679 | check_file_format(int cfd, transport_instance *tblock, address_item *addr) | |
680 | { | |
55414b25 | 681 | const uschar *format = |
0756eb3c PH |
682 | ((appendfile_transport_options_block *)(tblock->options_block))->file_format; |
683 | uschar data[256]; | |
684 | int len = read(cfd, data, sizeof(data)); | |
685 | int sep = 0; | |
686 | uschar *s; | |
687 | ||
688 | DEBUG(D_transport) debug_printf("checking file format\n"); | |
689 | ||
690 | /* An empty file matches the current transport */ | |
691 | ||
692 | if (len == 0) return tblock; | |
693 | ||
694 | /* Search the formats for a match */ | |
695 | ||
dc8091e7 | 696 | while ((s = string_nextinlist(&format,&sep,big_buffer,big_buffer_size))) |
0756eb3c PH |
697 | { |
698 | int slen = Ustrlen(s); | |
699 | BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0; | |
700 | uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size); | |
dc8091e7 JH |
701 | |
702 | if (match && tp) | |
0756eb3c PH |
703 | { |
704 | transport_instance *tt; | |
dc8091e7 | 705 | for (tt = transports; tt; tt = tt->next) |
0756eb3c PH |
706 | if (Ustrcmp(tp, tt->name) == 0) |
707 | { | |
708 | DEBUG(D_transport) | |
709 | debug_printf("file format -> %s transport\n", tt->name); | |
710 | return tt; | |
711 | } | |
712 | addr->basic_errno = ERRNO_BADTRANSPORT; | |
713 | addr->message = string_sprintf("%s transport (for %.*s format) not found", | |
714 | tp, slen, data); | |
715 | return NULL; | |
716 | } | |
717 | } | |
718 | ||
719 | /* Failed to find a match */ | |
720 | ||
721 | addr->basic_errno = ERRNO_FORMATUNKNOWN; | |
722 | addr->message = US"mailbox file format unrecognized"; | |
723 | return NULL; | |
724 | } | |
725 | ||
726 | ||
727 | ||
728 | ||
729 | /************************************************* | |
730 | * Check directory's files for quota * | |
731 | *************************************************/ | |
732 | ||
733 | /* This function is called if quota is set for one of the delivery modes that | |
734 | delivers into a specific directory. It scans the directory and stats all the | |
735 | files in order to get a total size and count. This is an expensive thing to do, | |
736 | but some people are prepared to bear the cost. Alternatively, if size_regex is | |
737 | set, it is used as a regex to try to extract the size from the file name, a | |
738 | strategy that some people use on maildir files on systems where the users have | |
739 | no shell access. | |
740 | ||
741 | The function is global, because it is also called from tf_maildir.c for maildir | |
742 | folders (which should contain only regular files). | |
743 | ||
744 | Note: Any problems can be written to debugging output, but cannot be written to | |
745 | the log, because we are running as an unprivileged user here. | |
746 | ||
747 | Arguments: | |
748 | dirname the name of the directory | |
749 | countptr where to add the file count (because this function recurses) | |
750 | regex a compiled regex to get the size from a name | |
751 | ||
752 | Returns: the sum of the sizes of the stattable files | |
753 | zero if the directory cannot be opened | |
754 | */ | |
755 | ||
0d7eb84a | 756 | off_t |
0756eb3c PH |
757 | check_dir_size(uschar *dirname, int *countptr, const pcre *regex) |
758 | { | |
759 | DIR *dir; | |
0d7eb84a | 760 | off_t sum = 0; |
0756eb3c PH |
761 | int count = *countptr; |
762 | struct dirent *ent; | |
763 | struct stat statbuf; | |
764 | ||
765 | dir = opendir(CS dirname); | |
766 | if (dir == NULL) return 0; | |
767 | ||
768 | while ((ent = readdir(dir)) != NULL) | |
769 | { | |
770 | uschar *name = US ent->d_name; | |
771 | uschar buffer[1024]; | |
772 | ||
773 | if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue; | |
774 | ||
775 | count++; | |
776 | ||
777 | /* If there's a regex, try to find the size using it */ | |
778 | ||
779 | if (regex != NULL) | |
780 | { | |
781 | int ovector[6]; | |
782 | if (pcre_exec(regex, NULL, CS name, Ustrlen(name), 0, 0, ovector,6) >= 2) | |
783 | { | |
784 | uschar *endptr; | |
0d7eb84a | 785 | off_t size = (off_t)Ustrtod(name + ovector[2], &endptr); |
0756eb3c PH |
786 | if (endptr == name + ovector[3]) |
787 | { | |
788 | sum += size; | |
789 | DEBUG(D_transport) | |
b1c749bb PH |
790 | debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name, |
791 | size); | |
0756eb3c PH |
792 | continue; |
793 | } | |
794 | } | |
795 | DEBUG(D_transport) | |
796 | debug_printf("check_dir_size: regex did not match %s\n", name); | |
797 | } | |
798 | ||
799 | /* No regex or no match for the regex, or captured non-digits */ | |
800 | ||
801 | if (!string_format(buffer, sizeof(buffer), "%s/%s", dirname, name)) | |
802 | { | |
803 | DEBUG(D_transport) | |
804 | debug_printf("check_dir_size: name too long: dir=%s name=%s\n", dirname, | |
805 | name); | |
806 | continue; | |
807 | } | |
808 | ||
809 | if (Ustat(buffer, &statbuf) < 0) | |
810 | { | |
811 | DEBUG(D_transport) | |
812 | debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, buffer, | |
813 | strerror(errno)); | |
814 | continue; | |
815 | } | |
816 | ||
817 | if ((statbuf.st_mode & S_IFMT) == S_IFREG) | |
818 | sum += statbuf.st_size; | |
819 | else if ((statbuf.st_mode & S_IFMT) == S_IFDIR) | |
820 | sum += check_dir_size(buffer, &count, regex); | |
821 | } | |
822 | ||
823 | closedir(dir); | |
824 | DEBUG(D_transport) | |
b1c749bb PH |
825 | debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname, |
826 | sum, count); | |
0d7eb84a | 827 | |
0756eb3c PH |
828 | *countptr = count; |
829 | return sum; | |
830 | } | |
831 | ||
832 | ||
833 | ||
834 | ||
835 | /************************************************* | |
836 | * Apply a lock to a file descriptor * | |
837 | *************************************************/ | |
838 | ||
839 | /* This function applies a lock to a file descriptor, using a blocking or | |
840 | non-blocking lock, depending on the timeout value. It can apply either or | |
841 | both of a fcntl() and a flock() lock. However, not all OS support flock(); | |
842 | for those that don't, the use_flock option cannot be set. | |
843 | ||
844 | Arguments: | |
845 | fd the file descriptor | |
846 | fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in | |
847 | fcntl() format); the flock() type is deduced if needed | |
848 | dofcntl do fcntl() locking | |
849 | fcntltime non-zero to use blocking fcntl() | |
850 | doflock do flock() locking | |
851 | flocktime non-zero to use blocking flock() | |
852 | ||
853 | Returns: yield of the fcntl() or flock() call, with errno preserved; | |
854 | sigalrm_seen set if there has been a timeout | |
855 | */ | |
856 | ||
857 | static int | |
858 | apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock, | |
859 | int flocktime) | |
860 | { | |
861 | int yield = 0; | |
862 | int save_errno; | |
863 | struct flock lock_data; | |
864 | lock_data.l_type = fcntltype; | |
865 | lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0; | |
866 | ||
867 | sigalrm_seen = FALSE; | |
868 | ||
869 | if (dofcntl) | |
870 | { | |
871 | if (fcntltime > 0) | |
872 | { | |
873 | alarm(fcntltime); | |
874 | yield = fcntl(fd, F_SETLKW, &lock_data); | |
875 | save_errno = errno; | |
876 | alarm(0); | |
877 | errno = save_errno; | |
878 | } | |
879 | else yield = fcntl(fd, F_SETLK, &lock_data); | |
880 | } | |
881 | ||
882 | #ifndef NO_FLOCK | |
883 | if (doflock && (yield >= 0)) | |
884 | { | |
885 | int flocktype = (fcntltype == F_WRLCK)? LOCK_EX : LOCK_SH; | |
886 | if (flocktime > 0) | |
887 | { | |
888 | alarm(flocktime); | |
889 | yield = flock(fd, flocktype); | |
890 | save_errno = errno; | |
891 | alarm(0); | |
892 | errno = save_errno; | |
893 | } | |
894 | else yield = flock(fd, flocktype | LOCK_NB); | |
895 | } | |
896 | #endif /* NO_FLOCK */ | |
897 | ||
898 | return yield; | |
899 | } | |
900 | ||
901 | ||
902 | ||
903 | ||
904 | #ifdef SUPPORT_MBX | |
905 | /************************************************* | |
906 | * Copy message into MBX mailbox * | |
907 | *************************************************/ | |
908 | ||
909 | /* This function is called when a message intended for a MBX mailbox has been | |
910 | written to a temporary file. We can now get the size of the message and then | |
911 | copy it in MBX format to the mailbox. | |
912 | ||
913 | Arguments: | |
914 | to_fd fd to write to (the real mailbox) | |
915 | from_fd fd to read from (the temporary file) | |
916 | saved_size current size of mailbox | |
917 | ||
918 | Returns: OK if all went well, DEFER otherwise, with errno preserved | |
919 | the number of bytes written are added to transport_count | |
920 | by virtue of calling transport_write_block() | |
921 | */ | |
922 | ||
923 | /* Values taken from c-client */ | |
924 | ||
925 | #define MBX_HDRSIZE 2048 | |
926 | #define MBX_NUSERFLAGS 30 | |
927 | ||
928 | static int | |
0d7eb84a | 929 | copy_mbx_message(int to_fd, int from_fd, off_t saved_size) |
0756eb3c | 930 | { |
0d7eb84a PH |
931 | int used; |
932 | off_t size; | |
0756eb3c | 933 | struct stat statbuf; |
42055a33 JH |
934 | transport_ctx tctx = {0}; |
935 | ||
936 | tctx.u.fd = to_fd; | |
0756eb3c PH |
937 | |
938 | /* If the current mailbox size is zero, write a header block */ | |
939 | ||
940 | if (saved_size == 0) | |
941 | { | |
942 | int i; | |
943 | uschar *s; | |
944 | memset (deliver_out_buffer, '\0', MBX_HDRSIZE); | |
945 | sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012", | |
946 | (long int)time(NULL)); | |
947 | for (i = 0; i < MBX_NUSERFLAGS; i++) | |
948 | sprintf (CS(s += Ustrlen(s)), "\015\012"); | |
42055a33 | 949 | if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE)) |
0756eb3c PH |
950 | return DEFER; |
951 | } | |
952 | ||
953 | DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n"); | |
954 | ||
955 | /* Now construct the message's header from the time and the RFC822 file | |
956 | size, including CRLFs, which is the size of the input (temporary) file. */ | |
957 | ||
958 | if (fstat(from_fd, &statbuf) < 0) return DEFER; | |
959 | size = statbuf.st_size; | |
960 | ||
b1c749bb PH |
961 | sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012", |
962 | tod_stamp(tod_mbx), size, 0L, 0, 0); | |
0756eb3c PH |
963 | used = Ustrlen(deliver_out_buffer); |
964 | ||
965 | /* Rewind the temporary file, and copy it over in chunks. */ | |
966 | ||
d315eda1 | 967 | if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER; |
0756eb3c PH |
968 | |
969 | while (size > 0) | |
970 | { | |
971 | int len = read(from_fd, deliver_out_buffer + used, | |
972 | DELIVER_OUT_BUFFER_SIZE - used); | |
973 | if (len <= 0) | |
974 | { | |
975 | if (len == 0) errno = ERRNO_MBXLENGTH; | |
976 | return DEFER; | |
977 | } | |
42055a33 | 978 | if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE)) |
0756eb3c PH |
979 | return DEFER; |
980 | size -= len; | |
981 | used = 0; | |
982 | } | |
983 | ||
984 | return OK; | |
985 | } | |
986 | #endif /* SUPPORT_MBX */ | |
987 | ||
988 | ||
989 | ||
990 | /************************************************* | |
991 | * Check creation is permitted * | |
992 | *************************************************/ | |
993 | ||
994 | /* This function checks whether a given file name is permitted to be created, | |
995 | as controlled by the create_file option. If no home directory is set, however, | |
996 | we can't do any tests. | |
997 | ||
998 | Arguments: | |
999 | filename the file name | |
1000 | create_file the ob->create_file option | |
1001 | ||
1002 | Returns: TRUE if creation is permitted | |
1003 | */ | |
1004 | ||
1005 | static BOOL | |
1006 | check_creation(uschar *filename, int create_file) | |
1007 | { | |
1008 | BOOL yield = TRUE; | |
1009 | ||
1010 | if (deliver_home != NULL && create_file != create_anywhere) | |
1011 | { | |
1012 | int len = Ustrlen(deliver_home); | |
1013 | uschar *file = filename; | |
1014 | ||
1015 | while (file[0] == '/' && file[1] == '/') file++; | |
1016 | if (Ustrncmp(file, deliver_home, len) != 0 || file[len] != '/' || | |
1017 | ( Ustrchr(file+len+2, '/') != NULL && | |
1018 | ( | |
1019 | create_file != create_belowhome || | |
1020 | Ustrstr(file+len, "/../") != NULL | |
1021 | ) | |
1022 | ) | |
1023 | ) yield = FALSE; | |
1024 | ||
1025 | /* If yield is TRUE, the file name starts with the home directory, and does | |
1026 | not contain any instances of "/../" in the "belowhome" case. However, it may | |
1027 | still contain symbolic links. We can check for this by making use of | |
1028 | realpath(), which most Unixes seem to have (but make it possible to cut this | |
1029 | out). We can't just use realpath() on the whole file name, because we know | |
1030 | the file itself doesn't exist, and intermediate directories may also not | |
1031 | exist. What we want to know is the real path of the longest existing part of | |
1032 | the path. That must match the home directory's beginning, whichever is the | |
1033 | shorter. */ | |
1034 | ||
1035 | #ifndef NO_REALPATH | |
1036 | if (yield && create_file == create_belowhome) | |
1037 | { | |
1038 | uschar *slash, *next; | |
1039 | uschar *rp = NULL; | |
1040 | for (slash = Ustrrchr(file, '/'); /* There is known to be one */ | |
1041 | rp == NULL && slash > file; /* Stop if reached beginning */ | |
1042 | slash = next) | |
1043 | { | |
1044 | *slash = 0; | |
1045 | rp = US realpath(CS file, CS big_buffer); | |
1046 | next = Ustrrchr(file, '/'); | |
1047 | *slash = '/'; | |
1048 | } | |
1049 | ||
1050 | /* If rp == NULL it means that none of the relevant directories exist. | |
1051 | This is not a problem here - it means that no symbolic links can exist, | |
1052 | which is all we are worried about. Otherwise, we must compare it | |
1053 | against the start of the home directory. However, that may itself | |
1054 | contain symbolic links, so we have to "realpath" it as well, if | |
1055 | possible. */ | |
1056 | ||
1057 | if (rp != NULL) | |
1058 | { | |
1059 | uschar hdbuffer[PATH_MAX+1]; | |
1060 | uschar *rph = deliver_home; | |
1061 | int rlen = Ustrlen(big_buffer); | |
1062 | ||
1063 | rp = US realpath(CS deliver_home, CS hdbuffer); | |
1064 | if (rp != NULL) | |
1065 | { | |
1066 | rph = hdbuffer; | |
1067 | len = Ustrlen(rph); | |
1068 | } | |
1069 | ||
1070 | if (rlen > len) rlen = len; | |
1071 | if (Ustrncmp(rph, big_buffer, rlen) != 0) | |
1072 | { | |
1073 | yield = FALSE; | |
1074 | DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n", | |
1075 | big_buffer, deliver_home); | |
1076 | } | |
1077 | } | |
1078 | } | |
1079 | #endif /* NO_REALPATH */ | |
1080 | } | |
1081 | ||
1082 | return yield; | |
1083 | } | |
1084 | ||
1085 | ||
1086 | ||
1087 | /************************************************* | |
1088 | * Main entry point * | |
1089 | *************************************************/ | |
1090 | ||
1091 | /* See local README for general interface details. This transport always | |
1092 | returns FALSE, indicating that the status which has been placed in the first | |
1093 | address should be copied to any other addresses in a batch. | |
1094 | ||
1095 | Appendfile delivery is tricky and has led to various security problems in other | |
1096 | mailers. The logic used here is therefore laid out in some detail. When this | |
1097 | function is called, we are running in a subprocess which has had its gid and | |
1098 | uid set to the appropriate values. Therefore, we cannot write directly to the | |
1099 | exim logs. Any errors must be handled by setting appropriate return codes. | |
1100 | Note that the default setting for addr->transport_return is DEFER, so it need | |
1101 | not be set unless some other value is required. | |
1102 | ||
1103 | The code below calls geteuid() rather than getuid() to get the current uid | |
1104 | because in weird configurations not running setuid root there may be a | |
1105 | difference. In the standard configuration, where setuid() has been used in the | |
1106 | delivery process, there will be no difference between the uid and the euid. | |
1107 | ||
1108 | (1) If the af_file flag is set, this is a delivery to a file after .forward or | |
1109 | alias expansion. Otherwise, there must be a configured file name or | |
1110 | directory name. | |
1111 | ||
1112 | The following items apply in the case when a file name (as opposed to a | |
1113 | directory name) is given, that is, when appending to a single file: | |
1114 | ||
1115 | (2f) Expand the file name. | |
1116 | ||
1117 | (3f) If the file name is /dev/null, return success (optimization). | |
1118 | ||
1119 | (4f) If the file_format options is set, open the file for reading, and check | |
1120 | that the bytes at the start of the file match one of the given strings. | |
1121 | If the check indicates a transport other than the current one should be | |
1122 | used, pass control to that other transport. Otherwise continue. An empty | |
1123 | or non-existent file matches the current transport. The file is closed | |
1124 | after the check. | |
1125 | ||
1126 | (5f) If a lock file is required, create it (see extensive separate comments | |
1127 | below about the algorithm for doing this). It is important to do this | |
1128 | before opening the mailbox if NFS is in use. | |
1129 | ||
1130 | (6f) Stat the file, using lstat() rather than stat(), in order to pick up | |
1131 | details of any symbolic link. | |
1132 | ||
1133 | (7f) If the file already exists: | |
1134 | ||
1135 | Check the owner and group if necessary, and defer if they are wrong. | |
1136 | ||
1137 | If it is a symbolic link AND the allow_symlink option is set (NOT the | |
1138 | default), go back to (6f) but this time use stat() instead of lstat(). | |
1139 | ||
1140 | If it's not a regular file (or FIFO when permitted), defer delivery. | |
1141 | ||
1142 | Check permissions. If the required permissions are *less* than the | |
1143 | existing ones, or supplied by the address (often by the user via filter), | |
1144 | chmod() the file. Otherwise, defer. | |
1145 | ||
1146 | Save the inode number. | |
1147 | ||
1148 | Open with O_RDRW + O_APPEND, thus failing if the file has vanished. | |
1149 | ||
1150 | If open fails because the file does not exist, go to (6f); on any other | |
1151 | failure, defer. | |
1152 | ||
1153 | Check the inode number hasn't changed - I realize this isn't perfect (an | |
1154 | inode can be reused) but it's cheap and will catch some of the races. | |
1155 | ||
1156 | Check it's still a regular file (or FIFO if permitted). | |
1157 | ||
1158 | Check that the owner and permissions haven't changed. | |
1159 | ||
1160 | If file_format is set, check that the file still matches the format for | |
1161 | the current transport. If not, defer delivery. | |
1162 | ||
1163 | (8f) If file does not exist initially: | |
1164 | ||
1165 | Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know | |
1166 | this is via a symbolic link (only possible if allow_symlinks is set), in | |
4c04137d | 1167 | which case don't use O_EXCL, as it doesn't work. |
0756eb3c PH |
1168 | |
1169 | If open fails because the file already exists, go to (6f). To avoid | |
1170 | looping for ever in a situation where the file is continuously being | |
1171 | created and deleted, all of this happens inside a loop that operates | |
1172 | lock_retries times and includes the fcntl and flock locking. If the | |
1173 | loop completes without the file getting opened, defer and request | |
1174 | freezing, because something really weird is happening. | |
1175 | ||
1176 | If open fails for any other reason, defer for subsequent delivery except | |
1177 | when this is a file delivery resulting from an alias or forward expansion | |
1178 | and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is | |
1179 | most likely a user rather than a configuration error. | |
1180 | ||
1181 | (9f) We now have the file checked and open for writing. If so configured, lock | |
1182 | it using fcntl, flock, or MBX locking rules. If this fails, close the file | |
1183 | and goto (6f), up to lock_retries times, after sleeping for a while. If it | |
1184 | still fails, give up and defer delivery. | |
1185 | ||
1186 | (10f)Save the access time (for subsequent restoration) and the size of the | |
1187 | file, for comsat and for re-setting if delivery fails in the middle - | |
1188 | e.g. for quota exceeded. | |
1189 | ||
1190 | The following items apply in the case when a directory name is given: | |
1191 | ||
1192 | (2d) Create a new file in the directory using a temporary name, by opening for | |
1193 | writing and with O_CREAT. If maildir format is being used, the file | |
1194 | is created in a temporary subdirectory with a prescribed name. If | |
1195 | mailstore format is being used, the envelope file is first created with a | |
1196 | temporary name, then the data file. | |
1197 | ||
1198 | The following items apply in all cases: | |
1199 | ||
1200 | (11) We now have the file open for writing, and locked if it was given as a | |
1201 | file name. Write the message and flush the file, unless there is a setting | |
1202 | of the local quota option, in which case we can check for its excession | |
1203 | without doing any writing. | |
1204 | ||
1205 | In the case of MBX format mailboxes, the message is first written to a | |
1206 | temporary file, in order to get its correct length. This is then copied to | |
1207 | the real file, preceded by an MBX header. | |
1208 | ||
1209 | If there is a quota error on writing, defer the address. Timeout logic | |
1210 | will determine for how long retries are attempted. We restore the mailbox | |
1211 | to its original length if it's a single file. There doesn't seem to be a | |
1212 | uniform error code for quota excession (it even differs between SunOS4 | |
1213 | and some versions of SunOS5) so a system-dependent macro called | |
1214 | ERRNO_QUOTA is used for it, and the value gets put into errno_quota at | |
1215 | compile time. | |
1216 | ||
1217 | For any other error (most commonly disk full), do the same. | |
1218 | ||
1219 | The following applies after appending to a file: | |
1220 | ||
1221 | (12f)Restore the atime; notify_comsat if required; close the file (which | |
1222 | unlocks it if it was locked). Delete the lock file if it exists. | |
1223 | ||
1224 | The following applies after writing a unique file in a directory: | |
1225 | ||
1226 | (12d)For maildir format, rename the file into the new directory. For mailstore | |
1227 | format, rename the envelope file to its correct name. Otherwise, generate | |
1228 | a unique name from the directory_file option, and rename to that, possibly | |
1229 | trying a few times if the file exists and re-expanding the name gives a | |
1230 | different string. | |
1231 | ||
1232 | This transport yields FAIL only when a file name is generated by an alias or | |
1233 | forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES. | |
1234 | All other failures return DEFER (in addr->transport_return). */ | |
1235 | ||
1236 | ||
1237 | BOOL | |
1238 | appendfile_transport_entry( | |
1239 | transport_instance *tblock, /* data for this instantiation */ | |
1240 | address_item *addr) /* address we are working on */ | |
1241 | { | |
1242 | appendfile_transport_options_block *ob = | |
1243 | (appendfile_transport_options_block *)(tblock->options_block); | |
1244 | struct stat statbuf; | |
1245 | uschar *fdname = NULL; | |
1246 | uschar *filename = NULL; | |
1247 | uschar *hitchname = NULL; | |
1248 | uschar *dataname = NULL; | |
1249 | uschar *lockname = NULL; | |
1250 | uschar *newname = NULL; | |
1251 | uschar *nametag = NULL; | |
1252 | uschar *cr = US""; | |
1253 | uschar *filecount_msg = US""; | |
1254 | uschar *path; | |
1255 | struct utimbuf times; | |
1256 | struct timeval msg_tv; | |
01c490df | 1257 | BOOL disable_quota = FALSE; |
0756eb3c PH |
1258 | BOOL isdirectory = FALSE; |
1259 | BOOL isfifo = FALSE; | |
1260 | BOOL wait_for_tick = FALSE; | |
1261 | uid_t uid = geteuid(); /* See note above */ | |
1262 | gid_t gid = getegid(); | |
1263 | int mbformat; | |
1264 | int mode = (addr->mode > 0)? addr->mode : ob->mode; | |
0d7eb84a PH |
1265 | off_t saved_size = -1; |
1266 | off_t mailbox_size = ob->mailbox_size_value; | |
0756eb3c PH |
1267 | int mailbox_filecount = ob->mailbox_filecount_value; |
1268 | int hd = -1; | |
1269 | int fd = -1; | |
1270 | int yield = FAIL; | |
1271 | int i; | |
1272 | ||
1273 | #ifdef SUPPORT_MBX | |
1274 | int save_fd = 0; | |
1275 | int mbx_lockfd = -1; | |
1276 | uschar mbx_lockname[40]; | |
1277 | FILE *temp_file = NULL; | |
1278 | #endif /* SUPPORT_MBX */ | |
1279 | ||
1280 | #ifdef SUPPORT_MAILDIR | |
1281 | int maildirsize_fd = -1; /* fd for maildirsize file */ | |
1282 | int maildir_save_errno; | |
1283 | #endif | |
1284 | ||
1285 | ||
1286 | DEBUG(D_transport) debug_printf("appendfile transport entered\n"); | |
1287 | ||
1288 | /* An "address_file" or "address_directory" transport is used to deliver to | |
1289 | files specified via .forward or an alias file. Prior to release 4.20, the | |
1290 | "file" and "directory" options were ignored in this case. This has been changed | |
1291 | to allow the redirection data to specify what is in effect a folder, whose | |
1292 | location is determined by the options on the transport. | |
1293 | ||
1294 | Compatibility with the case when neither option is set is retained by forcing a | |
1295 | value for the file or directory name. A directory delivery is assumed if the | |
1296 | last character of the path from the router is '/'. | |
1297 | ||
1298 | The file path is in the local part of the address, but not in the $local_part | |
1299 | variable (that holds the parent local part). It is, however, in the | |
1300 | $address_file variable. Below, we update the local part in the address if it | |
1301 | changes by expansion, so that the final path ends up in the log. */ | |
1302 | ||
1303 | if (testflag(addr, af_file) && | |
1304 | ob->filename == NULL && | |
1305 | ob->dirname == NULL) | |
1306 | { | |
1307 | fdname = US"$address_file"; | |
1308 | if (address_file[Ustrlen(address_file)-1] == '/' || | |
1309 | ob->maildir_format || | |
1310 | ob->mailstore_format) | |
1311 | isdirectory = TRUE; | |
1312 | } | |
1313 | ||
1314 | /* Handle (a) an "address file" delivery where "file" or "directory" is | |
1315 | explicitly set and (b) a non-address_file delivery, where one of "file" or | |
1316 | "directory" must be set; initialization ensures that they are not both set. */ | |
1317 | ||
1318 | if (fdname == NULL) | |
1319 | { | |
1320 | fdname = ob->filename; | |
1321 | if (fdname == NULL) | |
1322 | { | |
1323 | fdname = ob->dirname; | |
1324 | isdirectory = TRUE; | |
1325 | } | |
1326 | if (fdname == NULL) | |
1327 | { | |
1328 | addr->transport_return = PANIC; | |
1329 | addr->message = string_sprintf("Mandatory file or directory option " | |
1330 | "missing from %s transport", tblock->name); | |
1331 | return FALSE; | |
1332 | } | |
1333 | } | |
1334 | ||
1335 | /* Maildir and mailstore require a directory */ | |
1336 | ||
1337 | if ((ob->maildir_format || ob->mailstore_format) && !isdirectory) | |
1338 | { | |
1339 | addr->transport_return = PANIC; | |
1340 | addr->message = string_sprintf("mail%s_format requires \"directory\" " | |
1341 | "to be specified for the %s transport", | |
1342 | ob->maildir_format? "dir" : "store", tblock->name); | |
1343 | return FALSE; | |
1344 | } | |
1345 | ||
1346 | path = expand_string(fdname); | |
1347 | ||
1348 | if (path == NULL) | |
1349 | { | |
1350 | addr->transport_return = PANIC; | |
1351 | addr->message = string_sprintf("Expansion of \"%s\" (file or directory " | |
1352 | "name for %s transport) failed: %s", fdname, tblock->name, | |
1353 | expand_string_message); | |
1354 | return FALSE; | |
1355 | } | |
1356 | ||
1357 | if (path[0] != '/') | |
1358 | { | |
1359 | addr->message = string_sprintf("appendfile: file or directory name " | |
1360 | "\"%s\" is not absolute", path); | |
1361 | addr->basic_errno = ERRNO_NOTABSOLUTE; | |
1362 | return FALSE; | |
1363 | } | |
1364 | ||
f7fd3850 PH |
1365 | /* For a file delivery, make sure the local part in the address(es) is updated |
1366 | to the true local part. */ | |
0756eb3c | 1367 | |
f7fd3850 PH |
1368 | if (testflag(addr, af_file)) |
1369 | { | |
1370 | address_item *addr2; | |
1371 | for (addr2 = addr; addr2 != NULL; addr2 = addr2->next) | |
1372 | addr2->local_part = string_copy(path); | |
1373 | } | |
0756eb3c PH |
1374 | |
1375 | /* The available mailbox formats depend on whether it is a directory or a file | |
1376 | delivery. */ | |
1377 | ||
1378 | if (isdirectory) | |
1379 | { | |
1380 | mbformat = | |
1381 | #ifdef SUPPORT_MAILDIR | |
1382 | (ob->maildir_format)? mbf_maildir : | |
1383 | #endif | |
1384 | #ifdef SUPPORT_MAILSTORE | |
1385 | (ob->mailstore_format)? mbf_mailstore : | |
1386 | #endif | |
1387 | mbf_smail; | |
1388 | } | |
1389 | else | |
1390 | { | |
1391 | mbformat = | |
1392 | #ifdef SUPPORT_MBX | |
1393 | (ob->mbx_format)? mbf_mbx : | |
1394 | #endif | |
1395 | mbf_unix; | |
1396 | } | |
1397 | ||
1398 | DEBUG(D_transport) | |
1399 | { | |
b1c749bb | 1400 | debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT |
f511c353 | 1401 | "%s%s" |
b1c749bb | 1402 | " warning=" OFF_T_FMT "%s\n" |
0756eb3c PH |
1403 | " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n " |
1404 | "maildir_use_size_file=%s\n", | |
b1c749bb | 1405 | mode, ob->notify_comsat, ob->quota_value, |
d291c767 HSHR |
1406 | ob->quota_no_check? " (no_check)" : "", |
1407 | ob->quota_filecount_no_check? " (no_check_filecount)" : "", | |
b1c749bb | 1408 | ob->quota_warn_threshold_value, |
0756eb3c PH |
1409 | ob->quota_warn_threshold_is_percent? "%" : "", |
1410 | isdirectory? "directory" : "file", | |
1411 | path, mailbox_formats[mbformat], | |
1412 | (ob->message_prefix == NULL)? US"null" : string_printing(ob->message_prefix), | |
1413 | (ob->message_suffix == NULL)? US"null" : string_printing(ob->message_suffix), | |
1414 | (ob->maildir_use_size_file)? "yes" : "no"); | |
1415 | ||
1416 | if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n", | |
1417 | ob->use_lockfile? "lockfile " : "", | |
1418 | ob->use_mbx_lock? "mbx locking (" : "", | |
1419 | ob->use_fcntl? "fcntl " : "", | |
1420 | ob->use_flock? "flock" : "", | |
1421 | ob->use_mbx_lock? ")" : ""); | |
1422 | } | |
1423 | ||
1424 | /* If the -N option is set, can't do any more. */ | |
1425 | ||
1426 | if (dont_deliver) | |
1427 | { | |
1428 | DEBUG(D_transport) | |
1429 | debug_printf("*** delivery by %s transport bypassed by -N option\n", | |
1430 | tblock->name); | |
1431 | addr->transport_return = OK; | |
1432 | return FALSE; | |
1433 | } | |
1434 | ||
1435 | /* Handle the case of a file name. If the file name is /dev/null, we can save | |
1436 | ourselves some effort and just give a success return right away. */ | |
1437 | ||
1438 | if (!isdirectory) | |
1439 | { | |
1440 | BOOL use_lstat = TRUE; | |
1441 | BOOL file_opened = FALSE; | |
1442 | BOOL allow_creation_here = TRUE; | |
1443 | ||
1444 | if (Ustrcmp(path, "/dev/null") == 0) | |
1445 | { | |
1446 | addr->transport_return = OK; | |
1447 | return FALSE; | |
1448 | } | |
1449 | ||
1450 | /* Set the name of the file to be opened, and the file to which the data | |
1451 | is written, and find out if we are permitted to create a non-existent file. */ | |
1452 | ||
1453 | dataname = filename = path; | |
1454 | allow_creation_here = check_creation(filename, ob->create_file); | |
1455 | ||
1456 | /* If ob->create_directory is set, attempt to create the directories in | |
1457 | which this mailbox lives, but only if we are permitted to create the file | |
1458 | itself. We know we are dealing with an absolute path, because this was | |
1459 | checked above. */ | |
1460 | ||
1461 | if (ob->create_directory && allow_creation_here) | |
1462 | { | |
1463 | uschar *p = Ustrrchr(path, '/'); | |
1464 | *p = '\0'; | |
1465 | if (!directory_make(NULL, path, ob->dirmode, FALSE)) | |
1466 | { | |
1467 | addr->basic_errno = errno; | |
1468 | addr->message = | |
1469 | string_sprintf("failed to create directories for %s: %s", path, | |
1470 | strerror(errno)); | |
1471 | DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path); | |
1472 | return FALSE; | |
1473 | } | |
1474 | *p = '/'; | |
1475 | } | |
1476 | ||
1477 | /* If file_format is set we must check that any existing file matches one of | |
1478 | the configured formats by checking the bytes it starts with. A match then | |
1479 | indicates a specific transport - if it is not this one, pass control to it. | |
1480 | Otherwise carry on here. An empty or non-existent file matches the current | |
1481 | transport. We don't need to distinguish between non-existence and other open | |
1482 | failures because if an existing file fails to open here, it will also fail | |
1483 | again later when O_RDWR is used. */ | |
1484 | ||
1485 | if (ob->file_format != NULL) | |
1486 | { | |
1487 | int cfd = Uopen(path, O_RDONLY, 0); | |
1488 | if (cfd >= 0) | |
1489 | { | |
1490 | transport_instance *tt = check_file_format(cfd, tblock, addr); | |
f1e894f3 | 1491 | (void)close(cfd); |
0756eb3c PH |
1492 | |
1493 | /* If another transport is indicated, call it and return; if no transport | |
1494 | was found, just return - the error data will have been set up.*/ | |
1495 | ||
1496 | if (tt != tblock) | |
1497 | { | |
1498 | if (tt != NULL) | |
1499 | { | |
1500 | set_process_info("delivering %s to %s using %s", message_id, | |
1501 | addr->local_part, tt->name); | |
1502 | debug_print_string(tt->debug_string); | |
1503 | addr->transport = tt; | |
1504 | (tt->info->code)(tt, addr); | |
1505 | } | |
1506 | return FALSE; | |
1507 | } | |
1508 | } | |
1509 | } | |
1510 | ||
1511 | /* The locking of mailbox files is worse than the naming of cats, which is | |
1512 | known to be "a difficult matter" (T.S. Eliot) and just as cats must have | |
1513 | three different names, so several different styles of locking are used. | |
1514 | ||
1515 | Research in other programs that lock mailboxes shows that there is no | |
1516 | universally standard method. Having mailboxes NFS-mounted on the system that | |
1517 | is delivering mail is not the best thing, but people do run like this, | |
1518 | and so the code must do its best to cope. | |
1519 | ||
1520 | Three different locking mechanisms are supported. The initialization function | |
1521 | checks that at least one is configured. | |
1522 | ||
1523 | LOCK FILES | |
1524 | ||
1525 | Unless no_use_lockfile is set, we attempt to build a lock file in a way that | |
1526 | will work over NFS. Only after that is done do we actually open the mailbox | |
1527 | and apply locks to it (if configured). | |
1528 | ||
1529 | Originally, Exim got the file opened before doing anything about locking. | |
1530 | However, a very occasional problem was observed on Solaris 2 when delivering | |
1531 | over NFS. It is seems that when a file is opened with O_APPEND, the file size | |
1532 | gets remembered at open time. If another process on another host (that's | |
1533 | important) has the file open and locked and writes to it and then releases | |
1534 | the lock while the first process is waiting to get the lock, the first | |
1535 | process may fail to write at the new end point of the file - despite the very | |
1536 | definite statement about O_APPEND in the man page for write(). Experiments | |
1537 | have reproduced this problem, but I do not know any way of forcing a host to | |
1538 | update its attribute cache for an open NFS file. It would be nice if it did | |
1539 | so when a lock was taken out, but this does not seem to happen. Anyway, to | |
1540 | reduce the risk of this problem happening, we now create the lock file | |
1541 | (if configured) *before* opening the mailbox. That will prevent two different | |
1542 | Exims opening the file simultaneously. It may not prevent clashes with MUAs, | |
1543 | however, but Pine at least seems to operate in the same way. | |
1544 | ||
1545 | Lockfiles should normally be used when NFS is involved, because of the above | |
1546 | problem. | |
1547 | ||
1548 | The logic for creating the lock file is: | |
1549 | ||
1550 | . The name of the lock file is <mailbox-name>.lock | |
1551 | ||
1552 | . First, create a "hitching post" name by adding the primary host name, | |
1553 | current time and pid to the lock file name. This should be unique. | |
1554 | ||
1555 | . Create the hitching post file using WRONLY + CREAT + EXCL. | |
1556 | ||
1557 | . If that fails EACCES, we assume it means that the user is unable to create | |
1558 | files in the mail spool directory. Some installations might operate in this | |
1559 | manner, so there is a configuration option to allow this state not to be an | |
1560 | error - we proceed to lock using fcntl only, after the file is open. | |
1561 | ||
1562 | . Otherwise, an error causes a deferment of the address. | |
1563 | ||
1564 | . Hard link the hitching post to the lock file name. | |
1565 | ||
1566 | . If the link succeeds, we have successfully created the lock file. Simply | |
1567 | close and unlink the hitching post file. | |
1568 | ||
1569 | . If the link does not succeed, proceed as follows: | |
1570 | ||
1571 | o Fstat the hitching post file, and then close and unlink it. | |
1572 | ||
1573 | o Now examine the stat data. If the number of links to the file is exactly | |
1574 | 2, the linking succeeded but for some reason, e.g. an NFS server crash, | |
1575 | the return never made it back, so the link() function gave a failure | |
1576 | return. | |
1577 | ||
1578 | . This method allows for the lock file to be created by some other process | |
1579 | right up to the moment of the attempt to hard link it, and is also robust | |
1580 | against NFS server crash-reboots, which would probably result in timeouts | |
1581 | in the middle of link(). | |
1582 | ||
1583 | . System crashes may cause lock files to get left lying around, and some means | |
1584 | of flushing them is required. The approach of writing a pid (used by smail | |
1585 | and by elm) into the file isn't useful when NFS may be in use. Pine uses a | |
1586 | timeout, which seems a better approach. Since any program that writes to a | |
1587 | mailbox using a lock file should complete its task very quickly, Pine | |
1588 | removes lock files that are older than 5 minutes. We allow the value to be | |
1589 | configurable on the transport. | |
1590 | ||
1591 | FCNTL LOCKING | |
1592 | ||
1593 | If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the | |
1594 | mailbox once it is open. This is done by default with a non-blocking lock. | |
1595 | Failures to lock cause retries after a sleep, but only for a certain number | |
1596 | of tries. A blocking lock is deliberately not used so that we don't hold the | |
1597 | mailbox open. This minimizes the possibility of the NFS problem described | |
1598 | under LOCK FILES above, if for some reason NFS deliveries are happening | |
1599 | without lock files. However, the use of a non-blocking lock and sleep, though | |
1600 | the safest approach, does not give the best performance on very busy systems. | |
1601 | A blocking lock plus timeout does better. Therefore Exim has an option to | |
1602 | allow it to work this way. If lock_fcntl_timeout is set greater than zero, it | |
1603 | enables the use of blocking fcntl() calls. | |
1604 | ||
1605 | FLOCK LOCKING | |
1606 | ||
1607 | If use_flock_lock is set, then Exim gets an exclusive flock() lock in the | |
1608 | same manner as for fcntl locking above. No-blocking/timeout is also set as | |
1609 | above in lock_flock_timeout. Not all operating systems provide or support | |
1610 | flock(). For those that don't (as determined by the definition of LOCK_SH in | |
1611 | /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock() | |
1612 | is implemented (not precisely) on top of fcntl(), which means there's no | |
1613 | point in actually using it. | |
1614 | ||
1615 | MBX LOCKING | |
1616 | ||
1617 | If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined) | |
1618 | then the rules used for locking in c-client are used. Exim takes out a shared | |
1619 | lock on the mailbox file, and an exclusive lock on the file whose name is | |
1620 | /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops | |
1621 | any other MBX client from getting an exclusive lock on it and expunging it. | |
1622 | It also stops any other MBX client from unlinking the /tmp lock when it has | |
1623 | finished with it. | |
1624 | ||
1625 | The exclusive lock on the /tmp file prevents any other MBX client from | |
1626 | updating the mailbox in any way. When writing is finished, if an exclusive | |
1627 | lock on the mailbox can be obtained, indicating there are no current sharers, | |
1628 | the /tmp file is unlinked. | |
1629 | ||
1630 | MBX locking can use either fcntl() or flock() locking. If neither | |
1631 | use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only. | |
1632 | The calls for getting these locks are by default non-blocking, as for non-mbx | |
1633 | locking, but can be made blocking by setting lock_fcntl_timeout and/or | |
1634 | lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it | |
1635 | probably makes sense to set timeouts for any MBX deliveries. */ | |
1636 | ||
1637 | ||
1638 | /* Build a lock file if configured to do so - the existence of a lock | |
1639 | file is subsequently checked by looking for a non-negative value of the | |
1640 | file descriptor hd - even though the file is no longer open. */ | |
1641 | ||
1642 | if (ob->use_lockfile) | |
1643 | { | |
19050083 | 1644 | /* cf. exim_lock.c */ |
0756eb3c PH |
1645 | lockname = string_sprintf("%s.lock", filename); |
1646 | hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname, | |
1647 | (unsigned int)(time(NULL)), (unsigned int)getpid()); | |
1648 | ||
1649 | DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname, | |
1650 | hitchname); | |
1651 | ||
1652 | /* Lock file creation retry loop */ | |
1653 | ||
1654 | for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++) | |
1655 | { | |
1656 | int rc; | |
1657 | hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode); | |
1658 | ||
1659 | if (hd < 0) | |
1660 | { | |
1661 | addr->basic_errno = errno; | |
1662 | addr->message = | |
1663 | string_sprintf("creating lock file hitching post %s " | |
1664 | "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(), | |
1665 | (long int)getegid()); | |
1666 | return FALSE; | |
1667 | } | |
1668 | ||
1669 | /* Attempt to hitch the hitching post to the lock file. If link() | |
1670 | succeeds (the common case, we hope) all is well. Otherwise, fstat the | |
1671 | file, and get rid of the hitching post. If the number of links was 2, | |
1672 | the link was created, despite the failure of link(). If the hitch was | |
1673 | not successful, try again, having unlinked the lock file if it is too | |
1674 | old. | |
1675 | ||
1676 | There's a version of Linux (2.0.27) which doesn't update its local cache | |
1677 | of the inode after link() by default - which many think is a bug - but | |
1678 | if the link succeeds, this code will be OK. It just won't work in the | |
1679 | case when link() fails after having actually created the link. The Linux | |
1680 | NFS person is fixing this; a temporary patch is available if anyone is | |
1681 | sufficiently worried. */ | |
1682 | ||
1683 | if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf); | |
f1e894f3 | 1684 | (void)close(hd); |
0756eb3c PH |
1685 | Uunlink(hitchname); |
1686 | if (rc != 0 && statbuf.st_nlink != 2) | |
1687 | { | |
1688 | if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 && | |
1689 | time(NULL) - statbuf.st_ctime > ob->lockfile_timeout) | |
1690 | { | |
1691 | DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n"); | |
1692 | Uunlink(lockname); | |
1693 | } | |
1694 | DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n"); | |
1695 | continue; | |
1696 | } | |
1697 | ||
1698 | DEBUG(D_transport) debug_printf("lock file created\n"); | |
1699 | break; | |
1700 | } | |
1701 | ||
1702 | /* Check for too many tries at creating the lock file */ | |
1703 | ||
1704 | if (i >= ob->lock_retries) | |
1705 | { | |
1706 | addr->basic_errno = ERRNO_LOCKFAILED; | |
1707 | addr->message = string_sprintf("failed to lock mailbox %s (lock file)", | |
1708 | filename); | |
1709 | return FALSE; | |
1710 | } | |
1711 | } | |
1712 | ||
1713 | ||
1714 | /* We now have to get the file open. First, stat() it and act on existence or | |
1715 | non-existence. This is in a loop to handle the case of a file's being created | |
1716 | or deleted as we watch, and also to handle retries when the locking fails. | |
1717 | Rather than holding the file open while waiting for the fcntl() and/or | |
1718 | flock() lock, we close and do the whole thing again. This should be safer, | |
1719 | especially for NFS files, which might get altered from other hosts, making | |
1720 | their cached sizes incorrect. | |
1721 | ||
1722 | With the default settings, no symlinks are permitted, but there is an option | |
1723 | to permit symlinks for those sysadmins that know what they are doing. | |
1724 | Shudder. However, insist that the initial symlink is owned by the right user. | |
1725 | Thus lstat() is used initially; if a symlink is discovered, the loop is | |
1726 | repeated such that stat() is used, to look at the end file. */ | |
1727 | ||
1728 | for (i = 0; i < ob->lock_retries; i++) | |
1729 | { | |
1730 | int sleep_before_retry = TRUE; | |
1731 | file_opened = FALSE; | |
1732 | ||
1733 | if((use_lstat? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0) | |
1734 | { | |
1735 | /* Let's hope that failure to stat (other than non-existence) is a | |
1736 | rare event. */ | |
1737 | ||
1738 | if (errno != ENOENT) | |
1739 | { | |
1740 | addr->basic_errno = errno; | |
1741 | addr->message = string_sprintf("attempting to stat mailbox %s", | |
1742 | filename); | |
1743 | goto RETURN; | |
1744 | } | |
1745 | ||
1746 | /* File does not exist. If it is required to pre-exist this state is an | |
1747 | error. */ | |
1748 | ||
1749 | if (ob->file_must_exist) | |
1750 | { | |
1751 | addr->basic_errno = errno; | |
1752 | addr->message = string_sprintf("mailbox %s does not exist, " | |
1753 | "but file_must_exist is set", filename); | |
1754 | goto RETURN; | |
1755 | } | |
1756 | ||
1757 | /* If not permitted to create this file because it isn't in or below | |
1758 | the home directory, generate an error. */ | |
1759 | ||
1760 | if (!allow_creation_here) | |
1761 | { | |
1762 | addr->basic_errno = ERRNO_BADCREATE; | |
1763 | addr->message = string_sprintf("mailbox %s does not exist, " | |
1764 | "but creation outside the home directory is not permitted", | |
1765 | filename); | |
1766 | goto RETURN; | |
1767 | } | |
1768 | ||
1769 | /* Attempt to create and open the file. If open fails because of | |
1770 | pre-existence, go round the loop again. For any other error, defer the | |
1771 | address, except for an alias or forward generated file name with EPERM, | |
1772 | ENOENT, or EACCES, as those are most likely to be user errors rather | |
1773 | than Exim config errors. When a symbolic link is permitted and points | |
1774 | to a non-existent file, we get here with use_lstat = FALSE. In this case | |
1775 | we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for | |
1776 | consistency and because MBX locking requires it in order to be able to | |
1777 | get a shared lock. */ | |
1778 | ||
1779 | fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT | | |
1780 | (use_lstat? O_EXCL : 0), mode); | |
1781 | if (fd < 0) | |
1782 | { | |
1783 | if (errno == EEXIST) continue; | |
1784 | addr->basic_errno = errno; | |
1785 | addr->message = string_sprintf("while creating mailbox %s", | |
1786 | filename); | |
1787 | if (testflag(addr, af_file) && | |
1788 | (errno == EPERM || errno == ENOENT || errno == EACCES)) | |
1789 | addr->transport_return = FAIL; | |
1790 | goto RETURN; | |
1791 | } | |
1792 | ||
1793 | /* We have successfully created and opened the file. Ensure that the group | |
1794 | and the mode are correct. */ | |
1795 | ||
1ac6b2e7 JH |
1796 | if(Uchown(filename, uid, gid) || Uchmod(filename, mode)) |
1797 | { | |
1798 | addr->basic_errno = errno; | |
1799 | addr->message = string_sprintf("while setting perms on mailbox %s", | |
1800 | filename); | |
1801 | addr->transport_return = FAIL; | |
1802 | goto RETURN; | |
1803 | } | |
0756eb3c PH |
1804 | } |
1805 | ||
1806 | ||
1807 | /* The file already exists. Test its type, ownership, and permissions, and | |
1808 | save the inode for checking later. If symlinks are permitted (not the | |
1809 | default or recommended state) it may be a symlink that already exists. | |
1810 | Check its ownership and then look for the file at the end of the link(s). | |
1811 | This at least prevents one user creating a symlink for another user in | |
1812 | a sticky directory. */ | |
1813 | ||
1814 | else | |
1815 | { | |
1816 | int oldmode = (int)statbuf.st_mode; | |
1817 | ino_t inode = statbuf.st_ino; | |
1818 | BOOL islink = (oldmode & S_IFMT) == S_IFLNK; | |
1819 | ||
1820 | isfifo = FALSE; /* In case things are changing */ | |
1821 | ||
1822 | /* Check owner if required - the default. */ | |
1823 | ||
1824 | if (ob->check_owner && statbuf.st_uid != uid) | |
1825 | { | |
1826 | addr->basic_errno = ERRNO_BADUGID; | |
1827 | addr->message = string_sprintf("mailbox %s%s has wrong uid " | |
1828 | "(%ld != %ld)", filename, | |
1829 | islink? " (symlink)" : "", | |
1830 | (long int)(statbuf.st_uid), (long int)uid); | |
1831 | goto RETURN; | |
1832 | } | |
1833 | ||
1834 | /* Group is checked only if check_group is set. */ | |
1835 | ||
1836 | if (ob->check_group && statbuf.st_gid != gid) | |
1837 | { | |
1838 | addr->basic_errno = ERRNO_BADUGID; | |
1839 | addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)", | |
1840 | filename, islink? " (symlink)" : "", statbuf.st_gid, gid); | |
1841 | goto RETURN; | |
1842 | } | |
1843 | ||
a466095c NM |
1844 | /* Just in case this is a sticky-bit mail directory, we don't want |
1845 | users to be able to create hard links to other users' files. */ | |
1846 | ||
1847 | if (statbuf.st_nlink != 1) | |
1848 | { | |
1849 | addr->basic_errno = ERRNO_NOTREGULAR; | |
1850 | addr->message = string_sprintf("mailbox %s%s has too many links (%d)", | |
1851 | filename, islink? " (symlink)" : "", statbuf.st_nlink); | |
1852 | goto RETURN; | |
1853 | ||
1854 | } | |
1855 | ||
0756eb3c PH |
1856 | /* If symlinks are permitted (not recommended), the lstat() above will |
1857 | have found the symlink. Its ownership has just been checked; go round | |
1858 | the loop again, using stat() instead of lstat(). That will never yield a | |
1859 | mode of S_IFLNK. */ | |
1860 | ||
1861 | if (islink && ob->allow_symlink) | |
1862 | { | |
1863 | use_lstat = FALSE; | |
1864 | i--; /* Don't count this time round */ | |
1865 | continue; | |
1866 | } | |
1867 | ||
1868 | /* An actual file exists. Check that it is a regular file, or FIFO | |
1869 | if permitted. */ | |
1870 | ||
1871 | if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE; | |
1872 | ||
1873 | else if ((oldmode & S_IFMT) != S_IFREG) | |
1874 | { | |
1875 | addr->basic_errno = ERRNO_NOTREGULAR; | |
1876 | addr->message = string_sprintf("mailbox %s is not a regular file%s", | |
1877 | filename, ob->allow_fifo? " or named pipe" : ""); | |
1878 | goto RETURN; | |
1879 | } | |
1880 | ||
1881 | /* If the mode is not what it would be for a newly created file, change | |
1882 | the permissions if the mode is supplied for the address. Otherwise, | |
1883 | reduce but do not extend the permissions. If the newly created | |
1884 | permissions are greater than the existing permissions, don't change | |
1885 | things when the mode is not from the address. */ | |
1886 | ||
1887 | if ((oldmode = (oldmode & 07777)) != mode) | |
1888 | { | |
1889 | int diffs = oldmode ^ mode; | |
1890 | if (addr->mode > 0 || (diffs & oldmode) == diffs) | |
1891 | { | |
1892 | DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename); | |
1893 | if (Uchmod(filename, mode) < 0) | |
1894 | { | |
1895 | addr->basic_errno = errno; | |
1896 | addr->message = string_sprintf("attempting to chmod mailbox %s", | |
1897 | filename); | |
1898 | goto RETURN; | |
1899 | } | |
1900 | oldmode = mode; | |
1901 | } | |
1902 | ||
1903 | /* Mode not from address, and newly-created permissions are greater | |
1904 | than existing permissions. Default is to complain, but it can be | |
1905 | configured to go ahead and try to deliver anyway if that's what | |
1906 | the administration wants. */ | |
1907 | ||
1908 | else if (ob->mode_fail_narrower) | |
1909 | { | |
1910 | addr->basic_errno = ERRNO_BADMODE; | |
1911 | addr->message = string_sprintf("mailbox %s has the wrong mode %o " | |
1912 | "(%o expected)", filename, oldmode, mode); | |
1913 | goto RETURN; | |
1914 | } | |
1915 | } | |
1916 | ||
1917 | /* We are happy with the existing file. Open it, and then do further | |
1918 | tests to ensure that it is the same file that we were just looking at. | |
1919 | If the file does not now exist, restart this loop, going back to using | |
1920 | lstat again. For an NFS error, just defer; other opening errors are | |
1921 | more serious. The file is opened RDWR so that its format can be checked, | |
1922 | and also MBX locking requires the use of a shared (read) lock. However, | |
1923 | a FIFO is opened WRONLY + NDELAY so that it fails if there is no process | |
1924 | reading the pipe. */ | |
1925 | ||
1926 | fd = Uopen(filename, isfifo? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND), | |
1927 | mode); | |
1928 | if (fd < 0) | |
1929 | { | |
1930 | if (errno == ENOENT) | |
1931 | { | |
1932 | use_lstat = TRUE; | |
1933 | continue; | |
1934 | } | |
1935 | addr->basic_errno = errno; | |
1936 | if (isfifo) | |
1937 | { | |
1938 | addr->message = string_sprintf("while opening named pipe %s " | |
1939 | "(could mean no process is reading it)", filename); | |
1940 | } | |
1941 | else if (errno != EWOULDBLOCK) | |
1942 | { | |
1943 | addr->message = string_sprintf("while opening mailbox %s", filename); | |
1944 | } | |
1945 | goto RETURN; | |
1946 | } | |
1947 | ||
1948 | /* This fstat really shouldn't fail, as we have an open file! There's a | |
1949 | dilemma here. We use fstat in order to be sure we are peering at the file | |
1950 | we have got open. However, that won't tell us if the file was reached | |
1951 | via a symbolic link. We checked this above, but there is a race exposure | |
1952 | if the link was created between the previous lstat and the open. However, | |
1953 | it would have to be created with the same inode in order to pass the | |
1954 | check below. If ob->allow_symlink is set, causing the use of stat rather | |
1955 | than lstat above, symbolic links may be there anyway, and the checking is | |
1956 | weaker. */ | |
1957 | ||
1958 | if (fstat(fd, &statbuf) < 0) | |
1959 | { | |
1960 | addr->basic_errno = errno; | |
1961 | addr->message = string_sprintf("attempting to stat open mailbox %s", | |
1962 | filename); | |
1963 | goto RETURN; | |
1964 | } | |
1965 | ||
1966 | /* Check the inode; this is isn't a perfect check, but gives some | |
1967 | confidence. */ | |
1968 | ||
1969 | if (inode != statbuf.st_ino) | |
1970 | { | |
1971 | addr->basic_errno = ERRNO_INODECHANGED; | |
1972 | addr->message = string_sprintf("opened mailbox %s inode number changed " | |
1973 | "from %d to %ld", filename, inode, statbuf.st_ino); | |
1974 | addr->special_action = SPECIAL_FREEZE; | |
1975 | goto RETURN; | |
1976 | } | |
1977 | ||
1978 | /* Check it's still a regular file or FIFO, and the uid, gid, and | |
1979 | permissions have not changed. */ | |
1980 | ||
1981 | if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) || | |
1982 | (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO)) | |
1983 | { | |
1984 | addr->basic_errno = ERRNO_NOTREGULAR; | |
1985 | addr->message = | |
1986 | string_sprintf("opened mailbox %s is no longer a %s", filename, | |
1987 | isfifo? "named pipe" : "regular file"); | |
1988 | addr->special_action = SPECIAL_FREEZE; | |
1989 | goto RETURN; | |
1990 | } | |
1991 | ||
1992 | if ((ob->check_owner && statbuf.st_uid != uid) || | |
1993 | (ob->check_group && statbuf.st_gid != gid)) | |
1994 | { | |
1995 | addr->basic_errno = ERRNO_BADUGID; | |
1996 | addr->message = | |
1997 | string_sprintf("opened mailbox %s has wrong uid or gid", filename); | |
1998 | addr->special_action = SPECIAL_FREEZE; | |
1999 | goto RETURN; | |
2000 | } | |
2001 | ||
2002 | if ((statbuf.st_mode & 07777) != oldmode) | |
2003 | { | |
2004 | addr->basic_errno = ERRNO_BADMODE; | |
2005 | addr->message = string_sprintf("opened mailbox %s has wrong mode %o " | |
2006 | "(%o expected)", filename, statbuf.st_mode & 07777, mode); | |
2007 | addr->special_action = SPECIAL_FREEZE; | |
2008 | goto RETURN; | |
2009 | } | |
2010 | ||
2011 | /* If file_format is set, check that the format of the file has not | |
2012 | changed. Error data is set by the testing function. */ | |
2013 | ||
2014 | if (ob->file_format != NULL && | |
2015 | check_file_format(fd, tblock, addr) != tblock) | |
2016 | { | |
2017 | addr->message = US"open mailbox has changed format"; | |
2018 | goto RETURN; | |
2019 | } | |
2020 | ||
2021 | /* The file is OK. Carry on to do the locking. */ | |
2022 | } | |
2023 | ||
2024 | /* We now have an open file, and must lock it using fcntl(), flock() or MBX | |
2025 | locking rules if configured to do so. If a lock file is also required, it | |
2026 | was created above and hd was left >= 0. At least one form of locking is | |
2027 | required by the initialization function. If locking fails here, close the | |
2028 | file and go round the loop all over again, after waiting for a bit, unless | |
2029 | blocking locking was used. */ | |
2030 | ||
2031 | file_opened = TRUE; | |
2032 | if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0)) | |
2033 | sleep_before_retry = FALSE; | |
2034 | ||
2035 | /* Simple fcntl() and/or flock() locking */ | |
2036 | ||
2037 | if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock)) | |
2038 | { | |
2039 | if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout, | |
2040 | ob->use_flock, ob->lock_flock_timeout) >= 0) break; | |
2041 | } | |
2042 | ||
2043 | /* MBX locking rules */ | |
2044 | ||
2045 | #ifdef SUPPORT_MBX | |
2046 | else if (ob->use_mbx_lock) | |
2047 | { | |
bf83d8d3 PP |
2048 | int mbx_tmp_oflags; |
2049 | struct stat lstatbuf, statbuf2; | |
0756eb3c PH |
2050 | if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout, |
2051 | ob->use_flock, ob->lock_flock_timeout) >= 0 && | |
2052 | fstat(fd, &statbuf) >= 0) | |
2053 | { | |
2054 | sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev, | |
2055 | (long)statbuf.st_ino); | |
2056 | ||
bf83d8d3 PP |
2057 | /* |
2058 | * 2010-05-29: SECURITY | |
2059 | * Dan Rosenberg reported the presence of a race-condition in the | |
2060 | * original code here. Beware that many systems still allow symlinks | |
2061 | * to be followed in /tmp so an attacker can create a symlink pointing | |
2062 | * elsewhere between a stat and an open, which we should avoid | |
2063 | * following. | |
2064 | * | |
2065 | * It's unfortunate that we can't just use all the heavily debugged | |
2066 | * locking from above. | |
2067 | * | |
2068 | * Also: remember to mirror changes into exim_lock.c */ | |
2069 | ||
2070 | /* first leave the old pre-check in place, it provides better | |
2071 | * diagnostics for common cases */ | |
0756eb3c PH |
2072 | if (Ulstat(mbx_lockname, &statbuf) >= 0) |
2073 | { | |
2074 | if ((statbuf.st_mode & S_IFMT) == S_IFLNK) | |
2075 | { | |
2076 | addr->basic_errno = ERRNO_LOCKFAILED; | |
2077 | addr->message = string_sprintf("symbolic link on MBX lock file %s", | |
2078 | mbx_lockname); | |
2079 | goto RETURN; | |
2080 | } | |
2081 | if (statbuf.st_nlink > 1) | |
2082 | { | |
2083 | addr->basic_errno = ERRNO_LOCKFAILED; | |
2084 | addr->message = string_sprintf("hard link to MBX lock file %s", | |
2085 | mbx_lockname); | |
2086 | goto RETURN; | |
2087 | } | |
2088 | } | |
2089 | ||
bf83d8d3 PP |
2090 | /* If we could just declare "we must be the ones who create this |
2091 | * file" then a hitching post in a subdir would work, since a | |
2092 | * subdir directly in /tmp/ which we create wouldn't follow links | |
2093 | * but this isn't our locking logic, so we can't safely change the | |
2094 | * file existence rules. */ | |
2095 | ||
2096 | /* On systems which support O_NOFOLLOW, it's the easiest and most | |
2097 | * obviously correct security fix */ | |
2098 | mbx_tmp_oflags = O_RDWR | O_CREAT; | |
2099 | #ifdef O_NOFOLLOW | |
2100 | mbx_tmp_oflags |= O_NOFOLLOW; | |
2101 | #endif | |
2102 | mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode); | |
0756eb3c PH |
2103 | if (mbx_lockfd < 0) |
2104 | { | |
2105 | addr->basic_errno = ERRNO_LOCKFAILED; | |
2106 | addr->message = string_sprintf("failed to open MBX lock file %s :%s", | |
2107 | mbx_lockname, strerror(errno)); | |
2108 | goto RETURN; | |
2109 | } | |
bf83d8d3 | 2110 | |
73a46702 | 2111 | if (Ulstat(mbx_lockname, &lstatbuf) < 0) |
bf83d8d3 PP |
2112 | { |
2113 | addr->basic_errno = ERRNO_LOCKFAILED; | |
2114 | addr->message = string_sprintf("attempting to lstat open MBX " | |
2115 | "lock file %s: %s", mbx_lockname, strerror(errno)); | |
2116 | goto RETURN; | |
2117 | } | |
2118 | if (fstat(mbx_lockfd, &statbuf2) < 0) | |
2119 | { | |
2120 | addr->basic_errno = ERRNO_LOCKFAILED; | |
2121 | addr->message = string_sprintf("attempting to stat fd of open MBX " | |
2122 | "lock file %s: %s", mbx_lockname, strerror(errno)); | |
2123 | goto RETURN; | |
2124 | } | |
2125 | ||
2126 | /* | |
2127 | * At this point: | |
2128 | * statbuf: if exists, is file which existed prior to opening the | |
2129 | * lockfile, might have been replaced since then | |
2130 | * statbuf2: result of stat'ing the open fd, is what was actually | |
2131 | * opened | |
2132 | * lstatbuf: result of lstat'ing the filename immediately after | |
2133 | * the open but there's a race condition again between | |
2134 | * those two steps: before open, symlink to foo, after | |
2135 | * open but before lstat have one of: | |
2136 | * * was no symlink, so is the opened file | |
2137 | * (we created it, no messing possible after that point) | |
2138 | * * hardlink to foo | |
2139 | * * symlink elsewhere | |
2140 | * * hardlink elsewhere | |
2141 | * * new file/other | |
2142 | * Don't want to compare to device of /tmp because some modern systems | |
2143 | * have regressed to having /tmp be the safe actual filesystem as | |
2144 | * valuable data, so is mostly worthless, unless we assume that *only* | |
2145 | * Linux systems do this and that all Linux has O_NOFOLLOW. Something | |
2146 | * for further consideration. | |
2147 | * No point in doing a readlink on the lockfile as that will always be | |
2148 | * at a different point in time from when we open it, so tells us | |
2149 | * nothing; attempts to clean up and delete after ourselves would risk | |
2150 | * deleting a *third* filename. | |
2151 | */ | |
2152 | if ((statbuf2.st_nlink > 1) || | |
2153 | (lstatbuf.st_nlink > 1) || | |
2154 | (!S_ISREG(lstatbuf.st_mode)) || | |
2155 | (lstatbuf.st_dev != statbuf2.st_dev) || | |
2156 | (lstatbuf.st_ino != statbuf2.st_ino)) | |
2157 | { | |
2158 | addr->basic_errno = ERRNO_LOCKFAILED; | |
2159 | addr->message = string_sprintf("RACE CONDITION detected: " | |
2160 | "mismatch post-initial-checks between \"%s\" and opened " | |
2161 | "fd lead us to abort!", mbx_lockname); | |
2162 | goto RETURN; | |
2163 | } | |
0756eb3c | 2164 | |
7e9f683d | 2165 | (void)Uchmod(mbx_lockname, ob->lockfile_mode); |
0756eb3c PH |
2166 | |
2167 | if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl, | |
2168 | ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0) | |
2169 | { | |
2170 | struct stat ostatbuf; | |
2171 | ||
2172 | /* This tests for a specific race condition. Ensure that we still | |
2173 | have the same file. */ | |
2174 | ||
2175 | if (Ulstat(mbx_lockname, &statbuf) == 0 && | |
2176 | fstat(mbx_lockfd, &ostatbuf) == 0 && | |
2177 | statbuf.st_dev == ostatbuf.st_dev && | |
2178 | statbuf.st_ino == ostatbuf.st_ino) | |
2179 | break; | |
2180 | DEBUG(D_transport) debug_printf("MBX lockfile %s changed " | |
2181 | "between creation and locking\n", mbx_lockname); | |
2182 | } | |
2183 | ||
2184 | DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname, | |
2185 | strerror(errno)); | |
f1e894f3 | 2186 | (void)close(mbx_lockfd); |
0756eb3c PH |
2187 | mbx_lockfd = -1; |
2188 | } | |
2189 | else | |
2190 | { | |
2191 | DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n", | |
2192 | filename, strerror(errno)); | |
2193 | } | |
2194 | } | |
2195 | #endif /* SUPPORT_MBX */ | |
2196 | ||
2197 | else break; /* No on-file locking required; break the open/lock loop */ | |
2198 | ||
2199 | DEBUG(D_transport) | |
2200 | debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n"); | |
2201 | ||
f1e894f3 | 2202 | (void)close(fd); |
0756eb3c PH |
2203 | fd = -1; |
2204 | use_lstat = TRUE; /* Reset to use lstat first */ | |
2205 | ||
2206 | ||
2207 | /* If a blocking call timed out, break the retry loop if the total time | |
2208 | so far is not less than than retries * interval. Use the larger of the | |
2209 | flock() and fcntl() timeouts. */ | |
2210 | ||
2211 | if (sigalrm_seen && | |
2212 | (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)? | |
2213 | ob->lock_fcntl_timeout : ob->lock_flock_timeout) >= | |
2214 | ob->lock_retries * ob->lock_interval) | |
2215 | i = ob->lock_retries; | |
2216 | ||
2217 | /* Wait a bit before retrying, except when it was a blocked fcntl() or | |
2218 | flock() that caused the problem. */ | |
2219 | ||
2220 | if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval); | |
2221 | } | |
2222 | ||
2223 | /* Test for exceeding the maximum number of tries. Either the file remains | |
2224 | locked, or, if we haven't got it open, something is terribly wrong... */ | |
2225 | ||
2226 | if (i >= ob->lock_retries) | |
2227 | { | |
2228 | if (!file_opened) | |
2229 | { | |
2230 | addr->basic_errno = ERRNO_EXISTRACE; | |
2231 | addr->message = string_sprintf("mailbox %s: existence unclear", filename); | |
2232 | addr->special_action = SPECIAL_FREEZE; | |
2233 | } | |
2234 | else | |
2235 | { | |
2236 | addr->basic_errno = ERRNO_LOCKFAILED; | |
2237 | addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)", | |
2238 | filename); | |
2239 | } | |
2240 | goto RETURN; | |
2241 | } | |
2242 | ||
2243 | DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename); | |
2244 | ||
2245 | /* Save access time (for subsequent restoration), modification time (for | |
2246 | restoration if updating fails), size of file (for comsat and for re-setting if | |
2247 | delivery fails in the middle - e.g. for quota exceeded). */ | |
2248 | ||
2249 | if (fstat(fd, &statbuf) < 0) | |
2250 | { | |
2251 | addr->basic_errno = errno; | |
2252 | addr->message = string_sprintf("while fstatting opened mailbox %s", | |
2253 | filename); | |
2254 | goto RETURN; | |
2255 | } | |
2256 | ||
2257 | times.actime = statbuf.st_atime; | |
2258 | times.modtime = statbuf.st_mtime; | |
2259 | saved_size = statbuf.st_size; | |
2260 | if (mailbox_size < 0) mailbox_size = saved_size; | |
2261 | mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */ | |
2262 | } | |
2263 | ||
2264 | /* Prepare for writing to a new file (as opposed to appending to an old one). | |
2265 | There are several different formats, but there is preliminary stuff concerned | |
2266 | with quotas that applies to all of them. Finding the current size by directory | |
2267 | scanning is expensive; for maildirs some fudges have been invented: | |
2268 | ||
2269 | (1) A regex can be used to extract a file size from its name; | |
2270 | (2) If maildir_use_size is set, a maildirsize file is used to cache the | |
2271 | mailbox size. | |
2272 | */ | |
2273 | ||
2274 | else | |
2275 | { | |
2276 | uschar *check_path = path; /* Default quota check path */ | |
2277 | const pcre *regex = NULL; /* Regex for file size from file name */ | |
2278 | ||
2279 | if (!check_creation(string_sprintf("%s/any", path), ob->create_file)) | |
2280 | { | |
2281 | addr->basic_errno = ERRNO_BADCREATE; | |
2282 | addr->message = string_sprintf("tried to create file in %s, but " | |
2283 | "file creation outside the home directory is not permitted", path); | |
2284 | goto RETURN; | |
2285 | } | |
2286 | ||
2287 | #ifdef SUPPORT_MAILDIR | |
d6629cdc PH |
2288 | /* For a maildir delivery, ensure that all the relevant directories exist, |
2289 | and a maildirfolder file if necessary. */ | |
0756eb3c PH |
2290 | |
2291 | if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr, | |
d6629cdc | 2292 | ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex)) |
0756eb3c PH |
2293 | return FALSE; |
2294 | #endif /* SUPPORT_MAILDIR */ | |
2295 | ||
2296 | /* If we are going to do a quota check, of if maildir_use_size_file is set | |
2297 | for a maildir delivery, compile the regular expression if there is one. We | |
2298 | may also need to adjust the path that is used. We need to do this for | |
2299 | maildir_use_size_file even if the quota is unset, because we still want to | |
2300 | create the file. When maildir support is not compiled, | |
2301 | ob->maildir_use_size_file is always FALSE. */ | |
2302 | ||
2303 | if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file) | |
2304 | { | |
2305 | const uschar *error; | |
2306 | int offset; | |
2307 | ||
01c490df | 2308 | /* Compile the regex if there is one. */ |
0756eb3c PH |
2309 | |
2310 | if (ob->quota_size_regex != NULL) | |
2311 | { | |
2312 | regex = pcre_compile(CS ob->quota_size_regex, PCRE_COPT, | |
2313 | (const char **)&error, &offset, NULL); | |
2314 | if (regex == NULL) | |
2315 | { | |
2316 | addr->message = string_sprintf("appendfile: regular expression " | |
2317 | "error: %s at offset %d while compiling %s", error, offset, | |
2318 | ob->quota_size_regex); | |
2319 | return FALSE; | |
2320 | } | |
01c490df PH |
2321 | DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n", |
2322 | ob->quota_size_regex); | |
0756eb3c PH |
2323 | } |
2324 | ||
2325 | /* Use an explicitly configured directory if set */ | |
2326 | ||
2327 | if (ob->quota_directory != NULL) | |
2328 | { | |
2329 | check_path = expand_string(ob->quota_directory); | |
2330 | if (check_path == NULL) | |
2331 | { | |
2332 | addr->transport_return = PANIC; | |
2333 | addr->message = string_sprintf("Expansion of \"%s\" (quota_directory " | |
2334 | "name for %s transport) failed: %s", ob->quota_directory, | |
2335 | tblock->name, expand_string_message); | |
2336 | return FALSE; | |
2337 | } | |
2338 | ||
2339 | if (check_path[0] != '/') | |
2340 | { | |
2341 | addr->message = string_sprintf("appendfile: quota_directory name " | |
2342 | "\"%s\" is not absolute", check_path); | |
2343 | addr->basic_errno = ERRNO_NOTABSOLUTE; | |
2344 | return FALSE; | |
2345 | } | |
2346 | } | |
2347 | ||
2348 | #ifdef SUPPORT_MAILDIR | |
2349 | /* Otherwise, if we are handling a maildir delivery, and the directory | |
2350 | contains a file called maildirfolder, this is a maildir++ feature telling | |
2351 | us that this is a sub-directory of the real inbox. We should therefore do | |
2352 | the quota check on the parent directory. Beware of the special case when | |
2353 | the directory name itself ends in a slash. */ | |
2354 | ||
2355 | else if (mbformat == mbf_maildir) | |
2356 | { | |
2357 | struct stat statbuf; | |
2358 | if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0) | |
2359 | { | |
2360 | uschar *new_check_path = string_copy(check_path); | |
2361 | uschar *slash = Ustrrchr(new_check_path, '/'); | |
2362 | if (slash != NULL) | |
2363 | { | |
2364 | if (slash[1] == 0) | |
2365 | { | |
2366 | *slash = 0; | |
2367 | slash = Ustrrchr(new_check_path, '/'); | |
2368 | } | |
2369 | if (slash != NULL) | |
2370 | { | |
2371 | *slash = 0; | |
2372 | check_path = new_check_path; | |
d6629cdc PH |
2373 | DEBUG(D_transport) debug_printf("maildirfolder file exists: " |
2374 | "quota check directory changed to %s\n", check_path); | |
0756eb3c PH |
2375 | } |
2376 | } | |
2377 | } | |
2378 | } | |
2379 | #endif /* SUPPORT_MAILDIR */ | |
2380 | } | |
2381 | ||
2382 | /* If we are using maildirsize files, we need to ensure that such a file | |
2383 | exists and, if necessary, recalculate its contents. As a byproduct of this, | |
2384 | we obtain the current size of the maildir. If no quota is to be enforced | |
2385 | (ob->quota_value == 0), we still need the size if a threshold check will | |
2386 | happen later. | |
2387 | ||
2388 | Another regular expression is used to determine which directories inside the | |
2389 | maildir are going to be counted. */ | |
2390 | ||
2391 | #ifdef SUPPORT_MAILDIR | |
2392 | if (ob->maildir_use_size_file) | |
2393 | { | |
2394 | const pcre *dir_regex = NULL; | |
2395 | const uschar *error; | |
2396 | int offset; | |
2397 | ||
2398 | if (ob->maildir_dir_regex != NULL) | |
2399 | { | |
01c490df PH |
2400 | int check_path_len = Ustrlen(check_path); |
2401 | ||
0756eb3c PH |
2402 | dir_regex = pcre_compile(CS ob->maildir_dir_regex, PCRE_COPT, |
2403 | (const char **)&error, &offset, NULL); | |
2404 | if (dir_regex == NULL) | |
2405 | { | |
2406 | addr->message = string_sprintf("appendfile: regular expression " | |
2407 | "error: %s at offset %d while compiling %s", error, offset, | |
2408 | ob->maildir_dir_regex); | |
2409 | return FALSE; | |
2410 | } | |
01c490df PH |
2411 | |
2412 | DEBUG(D_transport) | |
2413 | debug_printf("using regex for maildir directory selection: %s\n", | |
2414 | ob->maildir_dir_regex); | |
2415 | ||
2416 | /* Check to see if we are delivering into an ignored directory, that is, | |
2417 | if the delivery path starts with the quota check path, and the rest | |
2418 | of the deliver path matches the regex; if so, set a flag to disable quota | |
2419 | checking and maildirsize updating. */ | |
2420 | ||
2421 | if (Ustrncmp(path, check_path, check_path_len) == 0) | |
0756eb3c | 2422 | { |
01c490df PH |
2423 | uschar *s = path + check_path_len; |
2424 | while (*s == '/') s++; | |
2425 | s = (*s == 0)? US "new" : string_sprintf("%s/new", s); | |
2426 | if (pcre_exec(dir_regex, NULL, CS s, Ustrlen(s), 0, 0, NULL, 0) < 0) | |
2427 | { | |
2428 | disable_quota = TRUE; | |
2429 | DEBUG(D_transport) debug_printf("delivery directory does not match " | |
2430 | "maildir_quota_directory_regex: disabling quota\n"); | |
2431 | } | |
0756eb3c PH |
2432 | } |
2433 | } | |
2434 | ||
2435 | /* Quota enforcement; create and check the file. There is some discussion | |
2436 | about whether this should happen if the quota is unset. At present, Exim | |
2437 | always creates the file. If we ever want to change this, uncomment | |
2438 | appropriate lines below, possibly doing a check on some option. */ | |
2439 | ||
2440 | /* if (???? || ob->quota_value > 0) */ | |
2441 | ||
01c490df | 2442 | if (!disable_quota) |
0756eb3c | 2443 | { |
0d7eb84a PH |
2444 | off_t size; |
2445 | int filecount; | |
0756eb3c PH |
2446 | |
2447 | maildirsize_fd = maildir_ensure_sizefile(check_path, ob, regex, dir_regex, | |
2448 | &size, &filecount); | |
2449 | ||
2450 | if (maildirsize_fd == -1) | |
2451 | { | |
2452 | addr->basic_errno = errno; | |
2453 | addr->message = string_sprintf("while opening or reading " | |
2454 | "%s/maildirsize", check_path); | |
2455 | return FALSE; | |
2456 | } | |
554e333e PP |
2457 | /* can also return -2, which means that the file was removed because of |
2458 | raciness; but in this case, the size & filecount will still have been | |
2459 | updated. */ | |
0756eb3c | 2460 | |
554e333e PP |
2461 | if (mailbox_size < 0) mailbox_size = size; |
2462 | if (mailbox_filecount < 0) mailbox_filecount = filecount; | |
0756eb3c PH |
2463 | } |
2464 | ||
2465 | /* No quota enforcement; ensure file does *not* exist; calculate size if | |
2466 | needed. */ | |
2467 | ||
2468 | /* else | |
2469 | * { | |
2470 | * time_t old_latest; | |
2471 | * (void)unlink(CS string_sprintf("%s/maildirsize", check_path)); | |
2472 | * if (THRESHOLD_CHECK) | |
2473 | * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest, | |
2474 | * regex, dir_regex, FALSE); | |
2475 | * } | |
2476 | */ | |
2477 | ||
2478 | } | |
2479 | #endif /* SUPPORT_MAILDIR */ | |
2480 | ||
d35e429d PH |
2481 | /* Otherwise if we are going to do a quota check later on, and the mailbox |
2482 | size is not set, find the current size of the mailbox. Ditto for the file | |
2483 | count. Note that ob->quota_filecount_value cannot be set without | |
2484 | ob->quota_value being set. */ | |
0756eb3c | 2485 | |
01c490df PH |
2486 | if (!disable_quota && |
2487 | (ob->quota_value > 0 || THRESHOLD_CHECK) && | |
d35e429d PH |
2488 | (mailbox_size < 0 || |
2489 | (mailbox_filecount < 0 && ob->quota_filecount_value > 0))) | |
0756eb3c | 2490 | { |
0d7eb84a | 2491 | off_t size; |
5fe762f6 | 2492 | int filecount = 0; |
0756eb3c PH |
2493 | DEBUG(D_transport) |
2494 | debug_printf("quota checks on directory %s\n", check_path); | |
2495 | size = check_dir_size(check_path, &filecount, regex); | |
2496 | if (mailbox_size < 0) mailbox_size = size; | |
2497 | if (mailbox_filecount < 0) mailbox_filecount = filecount; | |
2498 | } | |
2499 | ||
2500 | /* Handle the case of creating a unique file in a given directory (not in | |
2501 | maildir or mailstore format - this is how smail did it). A temporary name is | |
2502 | used to create the file. Later, when it is written, the name is changed to a | |
2503 | unique one. There is no need to lock the file. An attempt is made to create | |
2504 | the directory if it does not exist. */ | |
2505 | ||
2506 | if (mbformat == mbf_smail) | |
2507 | { | |
2508 | DEBUG(D_transport) | |
2509 | debug_printf("delivering to new file in %s\n", path); | |
2510 | filename = dataname = | |
2511 | string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname); | |
2512 | fd = Uopen(filename, O_WRONLY|O_CREAT, mode); | |
2513 | if (fd < 0 && /* failed to open, and */ | |
2514 | (errno != ENOENT || /* either not non-exist */ | |
2515 | !ob->create_directory || /* or not allowed to make */ | |
2516 | !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */ | |
2517 | (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */ | |
2518 | { | |
2519 | addr->basic_errno = errno; | |
2520 | addr->message = string_sprintf("while creating file %s", filename); | |
2521 | return FALSE; | |
2522 | } | |
2523 | } | |
2524 | ||
2525 | #ifdef SUPPORT_MAILDIR | |
2526 | ||
2527 | /* Handle the case of a unique file in maildir format. The file is written to | |
2528 | the tmp subdirectory, with a prescribed form of name. */ | |
2529 | ||
2530 | else if (mbformat == mbf_maildir) | |
2531 | { | |
2532 | DEBUG(D_transport) | |
2533 | debug_printf("delivering in maildir format in %s\n", path); | |
2534 | ||
2535 | nametag = ob->maildir_tag; | |
2536 | ||
2537 | /* Check that nametag expands successfully; a hard failure causes a panic | |
2538 | return. The actual expansion for use happens again later, when | |
2539 | $message_size is accurately known. */ | |
2540 | ||
2541 | if (nametag != NULL && expand_string(nametag) == NULL && | |
2542 | !expand_string_forcedfail) | |
2543 | { | |
2544 | addr->transport_return = PANIC; | |
2545 | addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag " | |
2546 | "for %s transport) failed: %s", nametag, tblock->name, | |
2547 | expand_string_message); | |
2548 | return FALSE; | |
2549 | } | |
2550 | ||
2551 | /* We ensured the existence of all the relevant directories above. Attempt | |
2552 | to open the temporary file a limited number of times. I think this rather | |
2553 | scary-looking for statement is actually OK. If open succeeds, the loop is | |
2554 | broken; if not, there is a test on the value of i. Get the time again | |
2555 | afresh each time round the loop. Its value goes into a variable that is | |
2556 | checked at the end, to make sure we don't release this process until the | |
2557 | clock has ticked. */ | |
2558 | ||
2559 | for (i = 1;; i++) | |
2560 | { | |
2561 | uschar *basename; | |
2562 | ||
2563 | (void)gettimeofday(&msg_tv, NULL); | |
d0291a0a JH |
2564 | basename = string_sprintf(TIME_T_FMT ".H%luP%lu.%s", |
2565 | msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname); | |
0756eb3c PH |
2566 | |
2567 | filename = dataname = string_sprintf("tmp/%s", basename); | |
2568 | newname = string_sprintf("new/%s", basename); | |
2569 | ||
2570 | if (Ustat(filename, &statbuf) == 0) | |
2571 | errno = EEXIST; | |
2572 | else if (errno == ENOENT) | |
2573 | { | |
2574 | fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode); | |
2575 | if (fd >= 0) break; | |
2576 | DEBUG (D_transport) debug_printf ("open failed for %s: %s\n", | |
2577 | filename, strerror(errno)); | |
2578 | } | |
2579 | ||
2580 | /* Too many retries - give up */ | |
2581 | ||
2582 | if (i >= ob->maildir_retries) | |
2583 | { | |
2584 | addr->message = string_sprintf ("failed to open %s (%d tr%s)", | |
2585 | filename, i, (i == 1)? "y" : "ies"); | |
2586 | addr->basic_errno = errno; | |
8932dffe PH |
2587 | if (errno == errno_quota || errno == ENOSPC) |
2588 | addr->user_message = US"mailbox is full"; | |
0756eb3c PH |
2589 | return FALSE; |
2590 | } | |
2591 | ||
2592 | /* Open or stat failed but we haven't tried too many times yet. */ | |
2593 | ||
2594 | sleep(2); | |
2595 | } | |
2596 | ||
2597 | /* Note that we have to ensure the clock has ticked before leaving */ | |
2598 | ||
2599 | wait_for_tick = TRUE; | |
2600 | ||
2601 | /* Why are these here? Put in because they are present in the non-maildir | |
2602 | directory case above. */ | |
2603 | ||
1ac6b2e7 JH |
2604 | if(Uchown(filename, uid, gid) || Uchmod(filename, mode)) |
2605 | { | |
2606 | addr->basic_errno = errno; | |
2607 | addr->message = string_sprintf("while setting perms on maildir %s", | |
2608 | filename); | |
2609 | return FALSE; | |
2610 | } | |
0756eb3c PH |
2611 | } |
2612 | ||
2613 | #endif /* SUPPORT_MAILDIR */ | |
2614 | ||
2615 | #ifdef SUPPORT_MAILSTORE | |
2616 | ||
2617 | /* Handle the case of a unique file in mailstore format. First write the | |
2618 | envelope to a temporary file, then open the main file. The unique base name | |
2619 | for the files consists of the message id plus the pid of this delivery | |
2620 | process. */ | |
2621 | ||
2622 | else | |
2623 | { | |
2624 | FILE *env_file; | |
2625 | address_item *taddr; | |
2626 | mailstore_basename = string_sprintf("%s/%s-%s", path, message_id, | |
2627 | string_base62((long int)getpid())); | |
2628 | ||
2629 | DEBUG(D_transport) | |
2630 | debug_printf("delivering in mailstore format in %s\n", path); | |
2631 | ||
2632 | filename = string_sprintf("%s.tmp", mailstore_basename); | |
2633 | newname = string_sprintf("%s.env", mailstore_basename); | |
2634 | dataname = string_sprintf("%s.msg", mailstore_basename); | |
2635 | ||
2636 | fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode); | |
2637 | if (fd < 0 && /* failed to open, and */ | |
2638 | (errno != ENOENT || /* either not non-exist */ | |
2639 | !ob->create_directory || /* or not allowed to make */ | |
2640 | !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */ | |
2641 | (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */ | |
2642 | { | |
2643 | addr->basic_errno = errno; | |
2644 | addr->message = string_sprintf("while creating file %s", filename); | |
2645 | return FALSE; | |
2646 | } | |
2647 | ||
2648 | /* Why are these here? Put in because they are present in the non-maildir | |
2649 | directory case above. */ | |
2650 | ||
1ac6b2e7 JH |
2651 | if(Uchown(filename, uid, gid) || Uchmod(filename, mode)) |
2652 | { | |
2653 | addr->basic_errno = errno; | |
2654 | addr->message = string_sprintf("while setting perms on file %s", | |
2655 | filename); | |
2656 | return FALSE; | |
2657 | } | |
0756eb3c PH |
2658 | |
2659 | /* Built a C stream from the open file descriptor. */ | |
2660 | ||
2661 | if ((env_file = fdopen(fd, "wb")) == NULL) | |
2662 | { | |
2663 | addr->basic_errno = errno; | |
2664 | addr->transport_return = PANIC; | |
2665 | addr->message = string_sprintf("fdopen of %s (" | |
2666 | "for %s transport) failed", filename, tblock->name); | |
f1e894f3 | 2667 | (void)close(fd); |
0756eb3c PH |
2668 | Uunlink(filename); |
2669 | return FALSE; | |
2670 | } | |
2671 | ||
2672 | /* Write the envelope file, then close it. */ | |
2673 | ||
2674 | if (ob->mailstore_prefix != NULL) | |
2675 | { | |
2676 | uschar *s = expand_string(ob->mailstore_prefix); | |
2677 | if (s == NULL) | |
2678 | { | |
2679 | if (!expand_string_forcedfail) | |
2680 | { | |
2681 | addr->transport_return = PANIC; | |
2682 | addr->message = string_sprintf("Expansion of \"%s\" (mailstore " | |
2683 | "prefix for %s transport) failed: %s", ob->mailstore_prefix, | |
2684 | tblock->name, expand_string_message); | |
f1e894f3 | 2685 | (void)fclose(env_file); |
0756eb3c PH |
2686 | Uunlink(filename); |
2687 | return FALSE; | |
2688 | } | |
2689 | } | |
2690 | else | |
2691 | { | |
2692 | int n = Ustrlen(s); | |
2693 | fprintf(env_file, "%s", CS s); | |
2694 | if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n"); | |
2695 | } | |
2696 | } | |
2697 | ||
2698 | fprintf(env_file, "%s\n", sender_address); | |
2699 | ||
2700 | for (taddr = addr; taddr!= NULL; taddr = taddr->next) | |
2701 | fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain); | |
2702 | ||
2703 | if (ob->mailstore_suffix != NULL) | |
2704 | { | |
2705 | uschar *s = expand_string(ob->mailstore_suffix); | |
2706 | if (s == NULL) | |
2707 | { | |
2708 | if (!expand_string_forcedfail) | |
2709 | { | |
2710 | addr->transport_return = PANIC; | |
2711 | addr->message = string_sprintf("Expansion of \"%s\" (mailstore " | |
2712 | "suffix for %s transport) failed: %s", ob->mailstore_suffix, | |
2713 | tblock->name, expand_string_message); | |
f1e894f3 | 2714 | (void)fclose(env_file); |
0756eb3c PH |
2715 | Uunlink(filename); |
2716 | return FALSE; | |
2717 | } | |
2718 | } | |
2719 | else | |
2720 | { | |
2721 | int n = Ustrlen(s); | |
2722 | fprintf(env_file, "%s", CS s); | |
2723 | if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n"); | |
2724 | } | |
2725 | } | |
2726 | ||
2727 | if (fclose(env_file) != 0) | |
2728 | { | |
2729 | addr->basic_errno = errno; | |
2730 | addr->message = string_sprintf("while closing %s", filename); | |
2731 | Uunlink(filename); | |
2732 | return FALSE; | |
2733 | } | |
2734 | ||
2735 | DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename); | |
2736 | ||
2737 | /* Now open the data file, and ensure that it has the correct ownership and | |
2738 | mode. */ | |
2739 | ||
2740 | fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode); | |
2741 | if (fd < 0) | |
2742 | { | |
2743 | addr->basic_errno = errno; | |
2744 | addr->message = string_sprintf("while creating file %s", dataname); | |
2745 | Uunlink(filename); | |
2746 | return FALSE; | |
2747 | } | |
1ac6b2e7 JH |
2748 | if(Uchown(dataname, uid, gid) || Uchmod(dataname, mode)) |
2749 | { | |
2750 | addr->basic_errno = errno; | |
2751 | addr->message = string_sprintf("while setting perms on file %s", | |
2752 | dataname); | |
2753 | return FALSE; | |
2754 | } | |
0756eb3c PH |
2755 | } |
2756 | ||
2757 | #endif /* SUPPORT_MAILSTORE */ | |
2758 | ||
2759 | ||
2760 | /* In all cases of writing to a new file, ensure that the file which is | |
2761 | going to be renamed has the correct ownership and mode. */ | |
2762 | ||
1ac6b2e7 JH |
2763 | if(Uchown(filename, uid, gid) || Uchmod(filename, mode)) |
2764 | { | |
2765 | addr->basic_errno = errno; | |
2766 | addr->message = string_sprintf("while setting perms on file %s", | |
2767 | filename); | |
2768 | return FALSE; | |
2769 | } | |
0756eb3c PH |
2770 | } |
2771 | ||
2772 | ||
2773 | /* At last we can write the message to the file, preceded by any configured | |
2774 | prefix line, and followed by any configured suffix line. If there are any | |
2775 | writing errors, we must defer. */ | |
2776 | ||
2777 | DEBUG(D_transport) debug_printf("writing to file %s\n", dataname); | |
2778 | ||
2779 | yield = OK; | |
2780 | errno = 0; | |
2781 | ||
2782 | /* If there is a local quota setting, check that we are not going to exceed it | |
2783 | with this message if quota_is_inclusive is set; if it is not set, the check | |
2784 | is for the mailbox already being over quota (i.e. the current message is not | |
2785 | included in the check). */ | |
2786 | ||
01c490df | 2787 | if (!disable_quota && ob->quota_value > 0) |
0756eb3c PH |
2788 | { |
2789 | DEBUG(D_transport) | |
2790 | { | |
b1c749bb PH |
2791 | debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT |
2792 | " this message = %d (%sincluded)\n", | |
2793 | ob->quota_value, mailbox_size, message_size, | |
2794 | ob->quota_is_inclusive? "" : "not "); | |
0756eb3c PH |
2795 | debug_printf(" file count quota = %d count = %d\n", |
2796 | ob->quota_filecount_value, mailbox_filecount); | |
2797 | } | |
d291c767 | 2798 | |
0756eb3c PH |
2799 | if (mailbox_size + (ob->quota_is_inclusive? message_size:0) > ob->quota_value) |
2800 | { | |
d291c767 HSHR |
2801 | |
2802 | if (!ob->quota_no_check) | |
2803 | { | |
2804 | DEBUG(D_transport) debug_printf("mailbox quota exceeded\n"); | |
2805 | yield = DEFER; | |
2806 | errno = ERRNO_EXIMQUOTA; | |
2807 | } | |
2808 | else DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n"); | |
2809 | ||
0756eb3c | 2810 | } |
d291c767 HSHR |
2811 | |
2812 | if (ob->quota_filecount_value > 0 | |
2813 | && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) > | |
2814 | ob->quota_filecount_value) | |
2815 | if(!ob->quota_filecount_no_check) | |
2816 | { | |
2817 | DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n"); | |
2818 | yield = DEFER; | |
2819 | errno = ERRNO_EXIMQUOTA; | |
2820 | filecount_msg = US" filecount"; | |
2821 | } | |
2822 | else DEBUG(D_transport) if (ob->quota_filecount_no_check) | |
2823 | debug_printf("mailbox file count quota exceeded but ignored\n"); | |
2824 | ||
0756eb3c PH |
2825 | } |
2826 | ||
2827 | /* If we are writing in MBX format, what we actually do is to write the message | |
2828 | to a temporary file, and then copy it to the real file once we know its size. | |
2829 | This is the most straightforward way of getting the correct length in the | |
2830 | separator line. So, what we do here is to save the real file descriptor, and | |
2831 | replace it with one for a temporary file. The temporary file gets unlinked once | |
2832 | opened, so that it goes away on closure. */ | |
2833 | ||
2834 | #ifdef SUPPORT_MBX | |
2835 | if (yield == OK && ob->mbx_format) | |
2836 | { | |
2837 | temp_file = tmpfile(); | |
2838 | if (temp_file == NULL) | |
2839 | { | |
2840 | addr->basic_errno = errno; | |
2841 | addr->message = US"while setting up temporary file"; | |
2842 | yield = DEFER; | |
2843 | goto RETURN; | |
2844 | } | |
2845 | save_fd = fd; | |
2846 | fd = fileno(temp_file); | |
2847 | DEBUG(D_transport) debug_printf("writing to temporary file\n"); | |
2848 | } | |
2849 | #endif /* SUPPORT_MBX */ | |
2850 | ||
2851 | /* Zero the count of bytes written. It is incremented by the transport_xxx() | |
2852 | functions. */ | |
2853 | ||
2854 | transport_count = 0; | |
332f5cf3 | 2855 | transport_newlines = 0; |
0756eb3c PH |
2856 | |
2857 | /* Write any configured prefix text first */ | |
2858 | ||
2859 | if (yield == OK && ob->message_prefix != NULL && ob->message_prefix[0] != 0) | |
2860 | { | |
2861 | uschar *prefix = expand_string(ob->message_prefix); | |
2862 | if (prefix == NULL) | |
2863 | { | |
2864 | errno = ERRNO_EXPANDFAIL; | |
2865 | addr->transport_return = PANIC; | |
2866 | addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s " | |
2867 | "transport) failed", ob->message_prefix, tblock->name); | |
2868 | yield = DEFER; | |
2869 | } | |
2870 | else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER; | |
2871 | } | |
2872 | ||
2873 | /* If the use_bsmtp option is on, we need to write SMTP prefix information. The | |
2874 | various different values for batching are handled outside; if there is more | |
2875 | than one address available here, all must be included. If any address is a | |
2876 | file, use its parent in the RCPT TO. */ | |
2877 | ||
2878 | if (yield == OK && ob->use_bsmtp) | |
2879 | { | |
2880 | transport_count = 0; | |
332f5cf3 | 2881 | transport_newlines = 0; |
0756eb3c PH |
2882 | if (ob->use_crlf) cr = US"\r"; |
2883 | if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr)) | |
2884 | yield = DEFER; | |
2885 | else | |
2886 | { | |
2887 | address_item *a; | |
332f5cf3 | 2888 | transport_newlines++; |
0756eb3c PH |
2889 | for (a = addr; a != NULL; a = a->next) |
2890 | { | |
2891 | address_item *b = testflag(a, af_pfr)? a->parent: a; | |
2892 | if (!transport_write_string(fd, "RCPT TO:<%s>%s\n", | |
2893 | transport_rcpt_address(b, tblock->rcpt_include_affixes), cr)) | |
2894 | { yield = DEFER; break; } | |
332f5cf3 | 2895 | transport_newlines++; |
0756eb3c PH |
2896 | } |
2897 | if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr)) | |
2898 | yield = DEFER; | |
332f5cf3 PP |
2899 | else |
2900 | transport_newlines++; | |
0756eb3c PH |
2901 | } |
2902 | } | |
2903 | ||
2904 | /* Now the message itself. The options for transport_write_message were set up | |
2905 | at initialization time. */ | |
2906 | ||
2907 | if (yield == OK) | |
2908 | { | |
6b46ecc6 | 2909 | transport_ctx tctx = { |
42055a33 | 2910 | fd, |
6b46ecc6 JH |
2911 | tblock, |
2912 | addr, | |
2913 | ob->check_string, | |
2914 | ob->escape_string, | |
2915 | ob->options | |
2916 | }; | |
42055a33 | 2917 | if (!transport_write_message(&tctx, 0)) |
0756eb3c PH |
2918 | yield = DEFER; |
2919 | } | |
2920 | ||
2921 | /* Now a configured suffix. */ | |
2922 | ||
2923 | if (yield == OK && ob->message_suffix != NULL && ob->message_suffix[0] != 0) | |
2924 | { | |
2925 | uschar *suffix = expand_string(ob->message_suffix); | |
2926 | if (suffix == NULL) | |
2927 | { | |
2928 | errno = ERRNO_EXPANDFAIL; | |
2929 | addr->transport_return = PANIC; | |
2930 | addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s " | |
2931 | "transport) failed", ob->message_suffix, tblock->name); | |
2932 | yield = DEFER; | |
2933 | } | |
2934 | else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER; | |
2935 | } | |
2936 | ||
2937 | /* If batch smtp, write the terminating dot. */ | |
2938 | ||
332f5cf3 PP |
2939 | if (yield == OK && ob->use_bsmtp ) { |
2940 | if(!transport_write_string(fd, ".%s\n", cr)) yield = DEFER; | |
2941 | else transport_newlines++; | |
2942 | } | |
0756eb3c PH |
2943 | |
2944 | /* If MBX format is being used, all that writing was to the temporary file. | |
2945 | However, if there was an earlier failure (Exim quota exceeded, for example), | |
2946 | the temporary file won't have got opened - and no writing will have been done. | |
2947 | If writing was OK, we restore the fd, and call a function that copies the | |
2948 | message in MBX format into the real file. Otherwise use the temporary name in | |
2949 | any messages. */ | |
2950 | ||
2951 | #ifdef SUPPORT_MBX | |
2952 | if (temp_file != NULL && ob->mbx_format) | |
2953 | { | |
2954 | int mbx_save_errno; | |
2955 | fd = save_fd; | |
2956 | ||
2957 | if (yield == OK) | |
2958 | { | |
2959 | transport_count = 0; /* Reset transport count for actual write */ | |
332f5cf3 PP |
2960 | /* No need to reset transport_newlines as we're just using a block copy |
2961 | * routine so the number won't be affected */ | |
0756eb3c PH |
2962 | yield = copy_mbx_message(fd, fileno(temp_file), saved_size); |
2963 | } | |
2964 | else if (errno >= 0) dataname = US"temporary file"; | |
2965 | ||
2966 | /* Preserve errno while closing the temporary file. */ | |
2967 | ||
2968 | mbx_save_errno = errno; | |
f1e894f3 | 2969 | (void)fclose(temp_file); |
0756eb3c PH |
2970 | errno = mbx_save_errno; |
2971 | } | |
2972 | #endif /* SUPPORT_MBX */ | |
2973 | ||
2974 | /* Force out the remaining data to check for any errors; some OS don't allow | |
2975 | fsync() to be called for a FIFO. */ | |
2976 | ||
54fc8428 | 2977 | if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER; |
0756eb3c | 2978 | |
332f5cf3 PP |
2979 | /* Update message_size and message_linecount to the accurate count of bytes |
2980 | written, including added headers. Note; we subtract 1 from message_linecount as | |
2981 | this variable doesn't count the new line between the header and the body of the | |
2982 | message. */ | |
0756eb3c PH |
2983 | |
2984 | message_size = transport_count; | |
332f5cf3 | 2985 | message_linecount = transport_newlines - 1; |
0756eb3c PH |
2986 | |
2987 | /* If using a maildir++ quota file, add this message's size to it, and | |
01c490df PH |
2988 | close the file descriptor, except when the quota has been disabled because we |
2989 | are delivering into an uncounted folder. */ | |
0756eb3c PH |
2990 | |
2991 | #ifdef SUPPORT_MAILDIR | |
01c490df PH |
2992 | if (!disable_quota) |
2993 | { | |
2994 | if (yield == OK && maildirsize_fd >= 0) | |
2995 | maildir_record_length(maildirsize_fd, message_size); | |
2996 | maildir_save_errno = errno; /* Preserve errno while closing the file */ | |
554e333e PP |
2997 | if (maildirsize_fd >= 0) |
2998 | (void)close(maildirsize_fd); | |
01c490df PH |
2999 | errno = maildir_save_errno; |
3000 | } | |
0756eb3c PH |
3001 | #endif /* SUPPORT_MAILDIR */ |
3002 | ||
3003 | /* If there is a quota warning threshold and we are have crossed it with this | |
3004 | message, set the SPECIAL_WARN flag in the address, to cause a warning message | |
3005 | to be sent. */ | |
3006 | ||
01c490df | 3007 | if (!disable_quota && THRESHOLD_CHECK) |
0756eb3c | 3008 | { |
0d7eb84a | 3009 | off_t threshold = ob->quota_warn_threshold_value; |
0756eb3c | 3010 | if (ob->quota_warn_threshold_is_percent) |
0d7eb84a | 3011 | threshold = (off_t)(((double)ob->quota_value * threshold) / 100); |
0756eb3c | 3012 | DEBUG(D_transport) |
b1c749bb PH |
3013 | debug_printf("quota = " OFF_T_FMT |
3014 | " threshold = " OFF_T_FMT | |
3015 | " old size = " OFF_T_FMT | |
3016 | " message size = %d\n", | |
3017 | ob->quota_value, threshold, mailbox_size, | |
0d7eb84a | 3018 | message_size); |
0756eb3c PH |
3019 | if (mailbox_size <= threshold && mailbox_size + message_size > threshold) |
3020 | addr->special_action = SPECIAL_WARN; | |
3021 | ||
3022 | /******* You might think that the test ought to be this: | |
3023 | * | |
3024 | * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 && | |
3025 | * mailbox_size <= threshold && mailbox_size + message_size > threshold) | |
3026 | * | |
3027 | * (indeed, I was sent a patch with that in). However, it is possible to | |
3028 | * have a warning threshold without actually imposing a quota, and I have | |
3029 | * therefore kept Exim backwards compatible. | |
3030 | ********/ | |
3031 | ||
3032 | } | |
3033 | ||
3034 | /* Handle error while writing the file. Control should come here directly after | |
3035 | the error, with the reason in errno. In the case of expansion failure in prefix | |
3036 | or suffix, it will be ERRNO_EXPANDFAIL. */ | |
3037 | ||
3038 | if (yield != OK) | |
3039 | { | |
3040 | addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */ | |
3041 | ||
3042 | /* Save the error number. If positive, it will ultimately cause a strerror() | |
3043 | call to generate some text. */ | |
3044 | ||
3045 | addr->basic_errno = errno; | |
3046 | ||
3047 | /* For system or Exim quota excession, or disk full, set more_errno to the | |
3048 | time since the file was last read. If delivery was into a directory, the | |
3049 | time since last read logic is not relevant, in general. However, for maildir | |
3050 | deliveries we can approximate it by looking at the last modified time of the | |
3051 | "new" subdirectory. Since Exim won't be adding new messages, a change to the | |
3052 | "new" subdirectory implies that an MUA has moved a message from there to the | |
3053 | "cur" directory. */ | |
3054 | ||
3055 | if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC) | |
3056 | { | |
3057 | addr->more_errno = 0; | |
3058 | if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime); | |
3059 | ||
3060 | #ifdef SUPPORT_MAILDIR | |
3061 | else if (mbformat == mbf_maildir) | |
3062 | { | |
3063 | struct stat statbuf; | |
3064 | if (Ustat("new", &statbuf) < 0) | |
3065 | { | |
3066 | DEBUG(D_transport) debug_printf("maildir quota exceeded: " | |
3067 | "stat error %d for \"new\": %s\n", errno, strerror(errno)); | |
3068 | } | |
3069 | else /* Want a repeatable time when in test harness */ | |
3070 | { | |
3071 | addr->more_errno = running_in_test_harness? 10 : | |
3072 | (int)time(NULL) - statbuf.st_mtime; | |
3073 | } | |
3074 | DEBUG(D_transport) | |
3075 | debug_printf("maildir: time since \"new\" directory modified = %s\n", | |
3076 | readconf_printtime(addr->more_errno)); | |
3077 | } | |
3078 | #endif /* SUPPORT_MAILDIR */ | |
3079 | } | |
3080 | ||
3081 | /* Handle system quota excession. Add an explanatory phrase for the error | |
3082 | message, since some systems don't have special quota-excession errors, | |
3083 | and on those that do, "quota" doesn't always mean anything to the user. */ | |
3084 | ||
3085 | if (errno == errno_quota) | |
3086 | { | |
3087 | #ifndef EDQUOT | |
3088 | addr->message = string_sprintf("mailbox is full " | |
3089 | "(quota exceeded while writing to file %s)", filename); | |
3090 | #else | |
3091 | addr->message = string_sprintf("mailbox is full"); | |
3092 | #endif /* EDQUOT */ | |
5a11a7b4 | 3093 | addr->user_message = US"mailbox is full"; |
0756eb3c PH |
3094 | DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n", |
3095 | dataname, | |
3096 | isdirectory? US"" : US": time since file read = ", | |
3097 | isdirectory? US"" : readconf_printtime(addr->more_errno)); | |
3098 | } | |
3099 | ||
3100 | /* Handle Exim's own quota-imposition */ | |
3101 | ||
3102 | else if (errno == ERRNO_EXIMQUOTA) | |
3103 | { | |
3104 | addr->message = string_sprintf("mailbox is full " | |
3105 | "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg, | |
3106 | dataname); | |
3107 | addr->user_message = US"mailbox is full"; | |
3108 | DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n", | |
3109 | filecount_msg, dataname, | |
3110 | isdirectory? US"" : US": time since file read = ", | |
3111 | isdirectory? US"" : readconf_printtime(addr->more_errno)); | |
3112 | } | |
3113 | ||
3114 | /* Handle a process failure while writing via a filter; the return | |
3115 | from child_close() is in more_errno. */ | |
3116 | ||
3117 | else if (errno == ERRNO_FILTER_FAIL) | |
8e669ac1 | 3118 | { |
35af9f61 PH |
3119 | yield = PANIC; |
3120 | addr->message = string_sprintf("transport filter process failed (%d) " | |
3121 | "while writing to %s%s", addr->more_errno, dataname, | |
3122 | (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : ""); | |
8e669ac1 | 3123 | } |
0756eb3c PH |
3124 | |
3125 | /* Handle failure to expand header changes */ | |
3126 | ||
3127 | else if (errno == ERRNO_CHHEADER_FAIL) | |
3128 | { | |
3129 | yield = PANIC; | |
3130 | addr->message = | |
3131 | string_sprintf("failed to expand headers_add or headers_remove while " | |
3132 | "writing to %s: %s", dataname, expand_string_message); | |
3133 | } | |
3134 | ||
3135 | /* Handle failure to complete writing of a data block */ | |
3136 | ||
3137 | else if (errno == ERRNO_WRITEINCOMPLETE) | |
3138 | { | |
3139 | addr->message = string_sprintf("failed to write data block while " | |
3140 | "writing to %s", dataname); | |
3141 | } | |
3142 | ||
3143 | /* Handle length mismatch on MBX copying */ | |
3144 | ||
3145 | #ifdef SUPPORT_MBX | |
3146 | else if (errno == ERRNO_MBXLENGTH) | |
3147 | { | |
3148 | addr->message = string_sprintf("length mismatch while copying MBX " | |
3149 | "temporary file to %s", dataname); | |
3150 | } | |
3151 | #endif /* SUPPORT_MBX */ | |
3152 | ||
3153 | /* For other errors, a general-purpose explanation, if the message is | |
3154 | not already set. */ | |
3155 | ||
3156 | else if (addr->message == NULL) | |
3157 | addr->message = string_sprintf("error while writing to %s", dataname); | |
3158 | ||
3159 | /* For a file, reset the file size to what it was before we started, leaving | |
3160 | the last modification time unchanged, so it will get reset also. All systems | |
3161 | investigated so far have ftruncate(), whereas not all have the F_FREESP | |
3162 | fcntl() call (BSDI & FreeBSD do not). */ | |
3163 | ||
1ac6b2e7 | 3164 | if (!isdirectory && ftruncate(fd, saved_size)) |
4c04137d | 3165 | DEBUG(D_transport) debug_printf("Error resetting file size\n"); |
0756eb3c PH |
3166 | } |
3167 | ||
3168 | /* Handle successful writing - we want the modification time to be now for | |
3169 | appended files. Remove the default backstop error number. For a directory, now | |
3170 | is the time to rename the file with a unique name. As soon as such a name | |
3171 | appears it may get used by another process, so we close the file first and | |
3172 | check that all is well. */ | |
3173 | ||
3174 | else | |
3175 | { | |
3176 | times.modtime = time(NULL); | |
3177 | addr->basic_errno = 0; | |
3178 | ||
3179 | /* Handle the case of writing to a new file in a directory. This applies | |
3180 | to all single-file formats - maildir, mailstore, and "smail format". */ | |
3181 | ||
3182 | if (isdirectory) | |
3183 | { | |
3184 | if (fstat(fd, &statbuf) < 0) | |
3185 | { | |
3186 | addr->basic_errno = errno; | |
3187 | addr->message = string_sprintf("while fstatting opened message file %s", | |
3188 | filename); | |
3189 | yield = DEFER; | |
3190 | } | |
3191 | ||
3192 | else if (close(fd) < 0) | |
3193 | { | |
3194 | addr->basic_errno = errno; | |
3195 | addr->message = string_sprintf("close() error for %s", | |
3196 | (ob->mailstore_format)? dataname : filename); | |
3197 | yield = DEFER; | |
3198 | } | |
3199 | ||
3200 | /* File is successfully written and closed. Arrange to rename it. For the | |
3201 | different kinds of single-file delivery, some games can be played with the | |
3202 | name. The message size is by this time set to the accurate value so that | |
3203 | its value can be used in expansions. */ | |
3204 | ||
3205 | else | |
3206 | { | |
3207 | uschar *renamename = newname; | |
3208 | fd = -1; | |
3209 | ||
3210 | DEBUG(D_transport) debug_printf("renaming temporary file\n"); | |
3211 | ||
3212 | /* If there is no rename name set, we are in a non-maildir, non-mailstore | |
3213 | situation. The name is built by expanding the directory_file option, and | |
3214 | we make the inode number available for use in this. The expansion was | |
3215 | checked for syntactic validity above, before we wrote the file. | |
3216 | ||
3217 | We have to be careful here, in case the file name exists. (In the other | |
3218 | cases, the names used are constructed to be unique.) The rename() | |
3219 | function just replaces an existing file - we don't want that! So instead | |
3220 | of calling rename(), we must use link() and unlink(). | |
3221 | ||
3222 | In this case, if the link fails because of an existing file, we wait | |
3223 | for one second and try the expansion again, to see if it produces a | |
3224 | different value. Do this up to 5 times unless the name stops changing. | |
3225 | This makes it possible to build values that are based on the time, and | |
3226 | still cope with races from multiple simultaneous deliveries. */ | |
3227 | ||
3228 | if (newname == NULL) | |
3229 | { | |
3230 | int i; | |
3231 | uschar *renameleaf; | |
3232 | uschar *old_renameleaf = US""; | |
3233 | ||
3234 | for (i = 0; ; sleep(1), i++) | |
3235 | { | |
3236 | deliver_inode = statbuf.st_ino; | |
3237 | renameleaf = expand_string(ob->dirfilename); | |
3238 | deliver_inode = 0; | |
3239 | ||
3240 | if (renameleaf == NULL) | |
3241 | { | |
3242 | addr->transport_return = PANIC; | |
3243 | addr->message = string_sprintf("Expansion of \"%s\" " | |
3244 | "(directory_file for %s transport) failed: %s", | |
3245 | ob->dirfilename, tblock->name, expand_string_message); | |
3246 | goto RETURN; | |
3247 | } | |
3248 | ||
3249 | renamename = string_sprintf("%s/%s", path, renameleaf); | |
3250 | if (Ulink(filename, renamename) < 0) | |
3251 | { | |
3252 | DEBUG(D_transport) debug_printf("link failed: %s\n", | |
3253 | strerror(errno)); | |
3254 | if (errno != EEXIST || i >= 4 || | |
3255 | Ustrcmp(renameleaf, old_renameleaf) == 0) | |
3256 | { | |
3257 | addr->basic_errno = errno; | |
3258 | addr->message = string_sprintf("while renaming %s as %s", | |
3259 | filename, renamename); | |
3260 | yield = DEFER; | |
3261 | break; | |
3262 | } | |
3263 | old_renameleaf = renameleaf; | |
3264 | DEBUG(D_transport) debug_printf("%s exists - trying again\n", | |
3265 | renamename); | |
3266 | } | |
3267 | else | |
3268 | { | |
3269 | Uunlink(filename); | |
3270 | filename = NULL; | |
3271 | break; | |
3272 | } | |
3273 | } /* re-expand loop */ | |
3274 | } /* not mailstore or maildir */ | |
3275 | ||
3276 | /* For maildir and mailstore formats, the new name was created earlier, | |
3277 | except that for maildir, there is the possibility of adding a "tag" on | |
3278 | the end of the name by expanding the value of nametag. This usually | |
3279 | includes a reference to the message size. The expansion of nametag was | |
3280 | checked above, before the file was opened. It either succeeded, or | |
3281 | provoked a soft failure. So any failure here can be treated as soft. | |
3282 | Ignore non-printing characters and / and put a colon at the start if the | |
3283 | first character is alphanumeric. */ | |
3284 | ||
3285 | else | |
3286 | { | |
3287 | if (nametag != NULL) | |
3288 | { | |
3289 | uschar *iptr = expand_string(nametag); | |
3290 | if (iptr != NULL) | |
3291 | { | |
3292 | uschar *etag = store_get(Ustrlen(iptr) + 2); | |
3293 | uschar *optr = etag; | |
3294 | while (*iptr != 0) | |
3295 | { | |
3296 | if (mac_isgraph(*iptr) && *iptr != '/') | |
3297 | { | |
3298 | if (optr == etag && isalnum(*iptr)) *optr++ = ':'; | |
3299 | *optr++ = *iptr; | |
3300 | } | |
3301 | iptr++; | |
3302 | } | |
3303 | *optr = 0; | |
3304 | renamename = string_sprintf("%s%s", newname, etag); | |
3305 | } | |
3306 | } | |
3307 | ||
3308 | /* Do the rename. If the name is too long and a tag exists, try again | |
3309 | without the tag. */ | |
3310 | ||
3311 | if (Urename(filename, renamename) < 0 && | |
3312 | (nametag == NULL || errno != ENAMETOOLONG || | |
3313 | (renamename = newname, Urename(filename, renamename) < 0))) | |
3314 | { | |
3315 | addr->basic_errno = errno; | |
3316 | addr->message = string_sprintf("while renaming %s as %s", | |
3317 | filename, renamename); | |
3318 | yield = DEFER; | |
3319 | } | |
3320 | ||
3321 | /* Rename succeeded */ | |
3322 | ||
3323 | else | |
3324 | { | |
3325 | DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename, | |
3326 | renamename); | |
3327 | filename = dataname = NULL; /* Prevents attempt to unlink at end */ | |
3328 | } | |
3329 | } /* maildir or mailstore */ | |
3330 | } /* successful write + close */ | |
3331 | } /* isdirectory */ | |
3332 | } /* write success */ | |
3333 | ||
3334 | ||
3335 | /* For a file, restore the last access time (atime), and set the modification | |
3336 | time as required - changed if write succeeded, unchanged if not. */ | |
3337 | ||
3338 | if (!isdirectory) utime(CS filename, ×); | |
3339 | ||
3340 | /* Notify comsat if configured to do so. It only makes sense if the configured | |
3341 | file is the one that the comsat daemon knows about. */ | |
3342 | ||
3343 | if (ob->notify_comsat && yield == OK && deliver_localpart != NULL) | |
3344 | notify_comsat(deliver_localpart, saved_size); | |
3345 | ||
3346 | /* Pass back the final return code in the address structure */ | |
3347 | ||
3348 | DEBUG(D_transport) | |
3349 | debug_printf("appendfile yields %d with errno=%d more_errno=%d\n", | |
3350 | yield, addr->basic_errno, addr->more_errno); | |
3351 | ||
3352 | addr->transport_return = yield; | |
3353 | ||
3354 | /* Close the file, which will release the fcntl lock. For a directory write it | |
3355 | is closed above, except in cases of error which goto RETURN, when we also need | |
3356 | to remove the original file(s). For MBX locking, if all has gone well, before | |
3357 | closing the file, see if we can get an exclusive lock on it, in which case we | |
3358 | can unlink the /tmp lock file before closing it. This is always a non-blocking | |
3359 | lock; there's no need to wait if we can't get it. If everything has gone right | |
3360 | but close fails, defer the message. Then unlink the lock file, if present. This | |
3361 | point in the code is jumped to from a number of places when errors are | |
3362 | detected, in order to get the file closed and the lock file tidied away. */ | |
3363 | ||
3364 | RETURN: | |
3365 | ||
3366 | #ifdef SUPPORT_MBX | |
3367 | if (mbx_lockfd >= 0) | |
3368 | { | |
3369 | if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0, | |
3370 | ob->use_flock, 0) >= 0) | |
3371 | { | |
3372 | DEBUG(D_transport) | |
3373 | debug_printf("unlinking MBX lock file %s\n", mbx_lockname); | |
3374 | Uunlink(mbx_lockname); | |
3375 | } | |
f1e894f3 | 3376 | (void)close(mbx_lockfd); |
0756eb3c PH |
3377 | } |
3378 | #endif /* SUPPORT_MBX */ | |
3379 | ||
3380 | if (fd >= 0 && close(fd) < 0 && yield == OK) | |
3381 | { | |
3382 | addr->basic_errno = errno; | |
3383 | addr->message = string_sprintf("while closing %s", filename); | |
3384 | addr->transport_return = DEFER; | |
3385 | } | |
3386 | ||
3387 | if (hd >= 0) Uunlink(lockname); | |
3388 | ||
3389 | /* We get here with isdirectory and filename set only in error situations. */ | |
3390 | ||
3391 | if (isdirectory && filename != NULL) | |
3392 | { | |
3393 | Uunlink(filename); | |
3394 | if (dataname != filename) Uunlink(dataname); | |
3395 | } | |
3396 | ||
3397 | /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a | |
3398 | file name relies on time + pid. We must not allow the process to finish until | |
3399 | the clock has move on by at least one microsecond. Usually we expect this | |
3400 | already to be the case, but machines keep getting faster... */ | |
3401 | ||
3402 | if (wait_for_tick) exim_wait_tick(&msg_tv, 1); | |
3403 | ||
3404 | /* A return of FALSE means that if there was an error, a common error was | |
3405 | put in the first address of a batch. */ | |
3406 | ||
3407 | return FALSE; | |
3408 | } | |
3409 | ||
3410 | /* End of transport/appendfile.c */ |