projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix what d291c7670e4c370cdc4f631ea58f82c7f4f87823 broke. Closes 1115
[exim.git] / src / src / transports / appendfile.c
CommitLineData
0756eb3c
PH		 1/*************************************************
2* Exim - an Internet mail transport agent *
3*************************************************/
4
80fea873 5/* Copyright (c) University of Cambridge 1995 - 2016 */
0756eb3c
PH		 6/* See the file NOTICE for conditions of use and distribution. */
7
8
9#include "../exim.h"
10#include "appendfile.h"
11
12#ifdef SUPPORT_MAILDIR
13#include "tf_maildir.h"
14#endif
15
16
17/* Encodings for mailbox formats, and their names. MBX format is actually
18supported only if SUPPORT_MBX is set. */
19
20enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
21
1ba28e2b 22static const char *mailbox_formats[] = {
0756eb3c
PH		 23 "unix", "mbx", "smail", "maildir", "mailstore" };
24
25
26/* Check warn threshold only if quota size set or not a percentage threshold
27 percentage check should only be done if quota > 0 */
28
29#define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
30 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
31
32
33/* Options specific to the appendfile transport. They must be in alphabetic
34order (note that "_" comes before the lower case letters). Some of them are
35stored in the publicly visible instance block - these are flagged with the
36opt_public flag. */
37
38optionlist appendfile_transport_options[] = {
555ae6af
PP		 39#ifdef SUPPORT_MAILDIR
40 { "*expand_maildir_use_size_file", opt_stringptr,
41 (void *)offsetof(appendfile_transport_options_block, expand_maildir_use_size_file) },
42#endif
0756eb3c
PH		 43 { "*set_use_fcntl_lock",opt_bool | opt_hidden,
44 (void *)offsetof(appendfile_transport_options_block, set_use_fcntl) },
45 { "*set_use_flock_lock",opt_bool | opt_hidden,
46 (void *)offsetof(appendfile_transport_options_block, set_use_flock) },
47 { "*set_use_lockfile", opt_bool | opt_hidden,
48 (void *)offsetof(appendfile_transport_options_block, set_use_lockfile) },
49#ifdef SUPPORT_MBX
50 { "*set_use_mbx_lock", opt_bool | opt_hidden,
51 (void *)offsetof(appendfile_transport_options_block, set_use_mbx_lock) },
52#endif
53 { "allow_fifo", opt_bool,
54 (void *)offsetof(appendfile_transport_options_block, allow_fifo) },
55 { "allow_symlink", opt_bool,
56 (void *)offsetof(appendfile_transport_options_block, allow_symlink) },
57 { "batch_id", opt_stringptr | opt_public,
58 (void *)offsetof(transport_instance, batch_id) },
59 { "batch_max", opt_int | opt_public,
60 (void *)offsetof(transport_instance, batch_max) },
61 { "check_group", opt_bool,
62 (void *)offsetof(appendfile_transport_options_block, check_group) },
63 { "check_owner", opt_bool,
64 (void *)offsetof(appendfile_transport_options_block, check_owner) },
65 { "check_string", opt_stringptr,
66 (void *)offsetof(appendfile_transport_options_block, check_string) },
67 { "create_directory", opt_bool,
68 (void *)offsetof(appendfile_transport_options_block, create_directory) },
69 { "create_file", opt_stringptr,
70 (void *)offsetof(appendfile_transport_options_block, create_file_string) },
71 { "directory", opt_stringptr,
72 (void *)offsetof(appendfile_transport_options_block, dirname) },
73 { "directory_file", opt_stringptr,
74 (void *)offsetof(appendfile_transport_options_block, dirfilename) },
75 { "directory_mode", opt_octint,
76 (void *)offsetof(appendfile_transport_options_block, dirmode) },
77 { "escape_string", opt_stringptr,
78 (void *)offsetof(appendfile_transport_options_block, escape_string) },
79 { "file", opt_stringptr,
80 (void *)offsetof(appendfile_transport_options_block, filename) },
81 { "file_format", opt_stringptr,
82 (void *)offsetof(appendfile_transport_options_block, file_format) },
83 { "file_must_exist", opt_bool,
84 (void *)offsetof(appendfile_transport_options_block, file_must_exist) },
85 { "lock_fcntl_timeout", opt_time,
86 (void *)offsetof(appendfile_transport_options_block, lock_fcntl_timeout) },
87 { "lock_flock_timeout", opt_time,
88 (void *)offsetof(appendfile_transport_options_block, lock_flock_timeout) },
89 { "lock_interval", opt_time,
90 (void *)offsetof(appendfile_transport_options_block, lock_interval) },
91 { "lock_retries", opt_int,
92 (void *)offsetof(appendfile_transport_options_block, lock_retries) },
93 { "lockfile_mode", opt_octint,
94 (void *)offsetof(appendfile_transport_options_block, lockfile_mode) },
95 { "lockfile_timeout", opt_time,
96 (void *)offsetof(appendfile_transport_options_block, lockfile_timeout) },
97 { "mailbox_filecount", opt_stringptr,
98 (void *)offsetof(appendfile_transport_options_block, mailbox_filecount_string) },
99 { "mailbox_size", opt_stringptr,
100 (void *)offsetof(appendfile_transport_options_block, mailbox_size_string) },
101#ifdef SUPPORT_MAILDIR
102 { "maildir_format", opt_bool,
103 (void *)offsetof(appendfile_transport_options_block, maildir_format ) } ,
104 { "maildir_quota_directory_regex", opt_stringptr,
105 (void *)offsetof(appendfile_transport_options_block, maildir_dir_regex) },
106 { "maildir_retries", opt_int,
107 (void *)offsetof(appendfile_transport_options_block, maildir_retries) },
108 { "maildir_tag", opt_stringptr,
109 (void *)offsetof(appendfile_transport_options_block, maildir_tag) },
555ae6af 110 { "maildir_use_size_file", opt_expand_bool,
0756eb3c 111 (void *)offsetof(appendfile_transport_options_block, maildir_use_size_file ) } ,
d6629cdc
PH		 112 { "maildirfolder_create_regex", opt_stringptr,
113 (void *)offsetof(appendfile_transport_options_block, maildirfolder_create_regex ) },
0756eb3c
PH		 114#endif /* SUPPORT_MAILDIR */
115#ifdef SUPPORT_MAILSTORE
116 { "mailstore_format", opt_bool,
117 (void *)offsetof(appendfile_transport_options_block, mailstore_format ) },
118 { "mailstore_prefix", opt_stringptr,
119 (void *)offsetof(appendfile_transport_options_block, mailstore_prefix ) },
120 { "mailstore_suffix", opt_stringptr,
121 (void *)offsetof(appendfile_transport_options_block, mailstore_suffix ) },
122#endif /* SUPPORT_MAILSTORE */
123#ifdef SUPPORT_MBX
124 { "mbx_format", opt_bool,
125 (void *)offsetof(appendfile_transport_options_block, mbx_format ) } ,
126#endif /* SUPPORT_MBX */
127 { "message_prefix", opt_stringptr,
128 (void *)offsetof(appendfile_transport_options_block, message_prefix) },
129 { "message_suffix", opt_stringptr,
130 (void *)offsetof(appendfile_transport_options_block, message_suffix) },
131 { "mode", opt_octint,
132 (void *)offsetof(appendfile_transport_options_block, mode) },
133 { "mode_fail_narrower",opt_bool,
134 (void *)offsetof(appendfile_transport_options_block, mode_fail_narrower) },
135 { "notify_comsat", opt_bool,
136 (void *)offsetof(appendfile_transport_options_block, notify_comsat) },
137 { "quota", opt_stringptr,
138 (void *)offsetof(appendfile_transport_options_block, quota) },
139 { "quota_directory", opt_stringptr,
140 (void *)offsetof(appendfile_transport_options_block, quota_directory) },
141 { "quota_filecount", opt_stringptr,
142 (void *)offsetof(appendfile_transport_options_block, quota_filecount) },
143 { "quota_is_inclusive", opt_bool,
144 (void *)offsetof(appendfile_transport_options_block, quota_is_inclusive) },
145 { "quota_size_regex", opt_stringptr,
146 (void *)offsetof(appendfile_transport_options_block, quota_size_regex) },
147 { "quota_warn_message", opt_stringptr | opt_public,
148 (void *)offsetof(transport_instance, warn_message) },
149 { "quota_warn_threshold", opt_stringptr,
150 (void *)offsetof(appendfile_transport_options_block, quota_warn_threshold) },
151 { "use_bsmtp", opt_bool,
152 (void *)offsetof(appendfile_transport_options_block, use_bsmtp) },
153 { "use_crlf", opt_bool,
154 (void *)offsetof(appendfile_transport_options_block, use_crlf) },
155 { "use_fcntl_lock", opt_bool_set,
156 (void *)offsetof(appendfile_transport_options_block, use_fcntl) },
157 { "use_flock_lock", opt_bool_set,
158 (void *)offsetof(appendfile_transport_options_block, use_flock) },
159 { "use_lockfile", opt_bool_set,
160 (void *)offsetof(appendfile_transport_options_block, use_lockfile) },
161#ifdef SUPPORT_MBX
162 { "use_mbx_lock", opt_bool_set,
163 (void *)offsetof(appendfile_transport_options_block, use_mbx_lock) },
164#endif /* SUPPORT_MBX */
165};
166
167/* Size of the options list. An extern variable has to be used so that its
168address can appear in the tables drtables.c. */
169
170int appendfile_transport_options_count =
171 sizeof(appendfile_transport_options)/sizeof(optionlist);
172
173/* Default private options block for the appendfile transport. */
174
175appendfile_transport_options_block appendfile_transport_option_defaults = {
176 NULL, /* filename */
177 NULL, /* dirname */
178 US"q${base62:$tod_epoch}-$inode", /* dirfilename */
179 NULL, /* message_prefix (default reset in init if not bsmtp) */
180 NULL, /* message_suffix (ditto) */
181 US"anywhere", /* create_file_string (string value for create_file) */
182 NULL, /* quota */
183 NULL, /* quota_directory */
184 NULL, /* quota_filecount */
185 NULL, /* quota_size_regex */
186 NULL, /* quota_warn_threshold */
187 NULL, /* mailbox_size_string */
188 NULL, /* mailbox_filecount_string */
94431adb 189 NULL, /* expand_maildir_use_size_file */
0756eb3c
PH		 190 US"^(?:cur|new|\\..*)$", /* maildir_dir_regex */
191 NULL, /* maildir_tag */
d6629cdc 192 NULL, /* maildirfolder_create_regex */
0756eb3c
PH		 193 NULL, /* mailstore_prefix */
194 NULL, /* mailstore_suffix */
195 NULL, /* check_string (default changed for non-bsmtp file)*/
196 NULL, /* escape_string (ditto) */
197 NULL, /* file_format */
0d7eb84a
PH		 198 0, /* quota_value */
199 0, /* quota_warn_threshold_value */
0756eb3c
PH		 200 -1, /* mailbox_size_value */
201 -1, /* mailbox_filecount_value */
0756eb3c 202 0, /* quota_filecount_value */
0756eb3c
PH		 203 APPENDFILE_MODE, /* mode */
204 APPENDFILE_DIRECTORY_MODE, /* dirmode */
205 APPENDFILE_LOCKFILE_MODE, /* lockfile_mode */
206 30*60, /* lockfile_timeout */
207 0, /* lock_fcntl_timeout */
208 0, /* lock_flock_timeout */
209 10, /* lock_retries */
210 3, /* lock_interval */
211 10, /* maildir_retries */
212 create_anywhere,/* create_file */
213 0, /* options */
214 FALSE, /* allow_fifo */
215 FALSE, /* allow_symlink */
216 FALSE, /* check_group */
217 TRUE, /* check_owner */
218 TRUE, /* create_directory */
219 FALSE, /* notify_comsat */
220 TRUE, /* use_lockfile */
221 FALSE, /* set_use_lockfile */
222 TRUE, /* use_fcntl */
223 FALSE, /* set_use_fcntl */
224 FALSE, /* use_flock */
225 FALSE, /* set_use_flock */
226 FALSE, /* use_mbx_lock */
227 FALSE, /* set_use_mbx_lock */
228 FALSE, /* use_bsmtp */
229 FALSE, /* use_crlf */
230 FALSE, /* file_must_exist */
231 TRUE, /* mode_fail_narrower */
232 FALSE, /* maildir_format */
233 FALSE, /* maildir_use_size_file */
234 FALSE, /* mailstore_format */
235 FALSE, /* mbx_format */
236 FALSE, /* quota_warn_threshold_is_percent */
d291c767
HSHR		 237 TRUE, /* quota_is_inclusive */
238 FALSE, /* quota_no_check */
239 FALSE /* quota_filecount_no_check */
0756eb3c
PH		 240};
241
242
243
244/*************************************************
245* Setup entry point *
246*************************************************/
247
248/* Called for each delivery in the privileged state, just before the uid/gid
249are changed and the main entry point is called. We use this function to
250expand any quota settings, so that it can access files that may not be readable
251by the user. It is also used to pick up external mailbox size information, if
252set.
253
254Arguments:
255 tblock points to the transport instance
256 addrlist addresses about to be delivered (not used)
257 dummy not used (doesn't pass back data)
929ba01c
PH		 258 uid the uid that will be set (not used)
259 gid the gid that will be set (not used)
0756eb3c
PH		 260 errmsg where to put an error message
261
262Returns: OK, FAIL, or DEFER
263*/
264
265static int
266appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
929ba01c 267 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
0756eb3c
PH		 268{
269appendfile_transport_options_block *ob =
270 (appendfile_transport_options_block *)(tblock->options_block);
271uschar *q = ob->quota;
0d7eb84a 272double default_value = 0.0;
0756eb3c
PH		 273int i;
274
275addrlist = addrlist; /* Keep picky compilers happy */
276dummy = dummy;
929ba01c
PH		 277uid = uid;
278gid = gid;
0756eb3c 279
555ae6af 280if (ob->expand_maildir_use_size_file)
94431adb 281 ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
555ae6af
PP		 282 US"`maildir_use_size_file` in transport", tblock->name);
283
0756eb3c
PH		 284/* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
285mailbox_filecount */
286
287for (i = 0; i < 5; i++)
288 {
0d7eb84a 289 double d;
d291c767 290 int no_check = 0;
21c28500 291 uschar *which = NULL;
0d7eb84a 292
d291c767
HSHR		 293 if (q == NULL) d = default_value;
294 else
0756eb3c 295 {
0756eb3c
PH		 296 uschar *rest;
297 uschar *s = expand_string(q);
298
299 if (s == NULL)
300 {
301 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
302 "%s", q, tblock->name, expand_string_message);
303 return search_find_defer? DEFER : FAIL;
304 }
305
306 d = Ustrtod(s, &rest);
307
be22d70e 308 /* Handle following characters K, M, G, %, the latter being permitted
0756eb3c
PH		 309 for quota_warn_threshold only. A threshold with no quota setting is
310 just ignored. */
311
312 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
313 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
be22d70e 314 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
0756eb3c
PH		 315 else if (*rest == '%' && i == 2)
316 {
317 if (ob->quota_value <= 0 && !ob->maildir_use_size_file) d = 0;
318 else if ((int)d < 0 || (int)d > 100)
319 {
320 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
321 " for %s transport", (int)d, tblock->name);
322 return FAIL;
323 }
324 ob->quota_warn_threshold_is_percent = TRUE;
325 rest++;
326 }
327
d291c767
HSHR		 328
329 /* For quota and quota_filecount there may be options
330 appended. Currently only "no_check", so we can be lazy parsing it */
331 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
332 {
333 no_check = 1;
334 rest += sizeof("/no_check") - 1;
335 }
336
0756eb3c
PH		 337 while (isspace(*rest)) rest++;
338
339 if (*rest != 0)
340 {
341 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
d291c767 342 "in %s transport [%s]", s, q, tblock->name);
0756eb3c
PH		 343 return FAIL;
344 }
0756eb3c
PH		 345 }
346
21c28500
PH		 347 /* Set each value, checking for possible overflow. */
348
0756eb3c
PH		 349 switch (i)
350 {
351 case 0:
21c28500 352 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"quota";
0d7eb84a 353 ob->quota_value = (off_t)d;
d291c767 354 ob->quota_no_check = no_check;
0756eb3c 355 q = ob->quota_filecount;
0756eb3c
PH		 356 break;
357
358 case 1:
21c28500 359 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"quota_filecount";
0d7eb84a 360 ob->quota_filecount_value = (int)d;
d291c767 361 ob->quota_filecount_no_check = no_check;
0756eb3c 362 q = ob->quota_warn_threshold;
0756eb3c
PH		 363 break;
364
365 case 2:
21c28500
PH		 366 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
367 which = US"quota_warn_threshold";
0d7eb84a 368 ob->quota_warn_threshold_value = (off_t)d;
0756eb3c 369 q = ob->mailbox_size_string;
0d7eb84a 370 default_value = -1.0;
0756eb3c
PH		 371 break;
372
373 case 3:
21c28500
PH		 374 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
375 which = US"mailbox_size";;
0d7eb84a 376 ob->mailbox_size_value = (off_t)d;
0756eb3c 377 q = ob->mailbox_filecount_string;
0d7eb84a
PH		 378 break;
379
380 case 4:
21c28500 381 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"mailbox_filecount";
0d7eb84a 382 ob->mailbox_filecount_value = (int)d;
0756eb3c
PH		 383 break;
384 }
21c28500
PH		 385
386 if (which != NULL)
387 {
388 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
389 "%s transport", which, d, tblock->name);
390 return FAIL;
391 }
0756eb3c
PH		 392 }
393
394return OK;
395}
396
397
398
399/*************************************************
400* Initialization entry point *
401*************************************************/
402
403/* Called for each instance, after its options have been read, to
404enable consistency checks to be done, or anything else that needs
405to be set up. */
406
407void
408appendfile_transport_init(transport_instance *tblock)
409{
410appendfile_transport_options_block *ob =
411 (appendfile_transport_options_block *)(tblock->options_block);
412
413/* Set up the setup entry point, to be called in the privileged state */
414
415tblock->setup = appendfile_transport_setup;
416
417/* Lock_retries must be greater than zero */
418
419if (ob->lock_retries == 0) ob->lock_retries = 1;
420
421/* Only one of a file name or directory name must be given. */
422
423if (ob->filename != NULL && ob->dirname != NULL)
424 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
425 "only one of \"file\" or \"directory\" can be specified", tblock->name);
426
427/* If a file name was specified, neither quota_filecount nor quota_directory
428must be given. */
429
430if (ob->filename != NULL)
431 {
432 if (ob->quota_filecount != NULL)
433 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
434 "quota_filecount must not be set without \"directory\"", tblock->name);
435 if (ob->quota_directory != NULL)
436 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
437 "quota_directory must not be set without \"directory\"", tblock->name);
438 }
439
440/* The default locking depends on whether MBX is set or not. Change the
441built-in default if none of the lock options has been explicitly set. At least
442one form of locking is required in all cases, but mbx locking changes the
443meaning of fcntl and flock locking. */
444
445/* Not all operating systems provide flock(). For those that do, if flock is
446requested, the default for fcntl is FALSE. */
447
448if (ob->use_flock)
449 {
450 #ifdef NO_FLOCK
451 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
452 "flock() support was not available in the operating system when this "
453 "binary was built", tblock->name);
454 #endif /* NO_FLOCK */
455 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
456 }
457
458#ifdef SUPPORT_MBX
459if (ob->mbx_format)
460 {
461 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
462 !ob->set_use_mbx_lock)
463 {
464 ob->use_lockfile = ob->use_flock = FALSE;
465 ob->use_mbx_lock = ob->use_fcntl = TRUE;
466 }
467 else if (ob->use_mbx_lock)
468 {
469 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
470 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
471 if (!ob->set_use_flock) ob->use_flock = FALSE;
472 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
473 }
474 }
475#endif /* SUPPORT_MBX */
476
477if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
478 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
479 "no locking configured", tblock->name);
480
481/* Unset timeouts for non-used locking types */
482
483if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
484if (!ob->use_flock) ob->lock_flock_timeout = 0;
485
486/* If a directory name was specified, only one of maildir or mailstore may be
487specified, and if quota_filecount or quota_directory is given, quota must
488be set. */
489
490if (ob->dirname != NULL)
491 {
492 if (ob->maildir_format && ob->mailstore_format)
493 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
494 "only one of maildir and mailstore may be specified", tblock->name);
495 if (ob->quota_filecount != NULL && ob->quota == NULL)
496 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
497 "quota must be set if quota_filecount is set", tblock->name);
498 if (ob->quota_directory != NULL && ob->quota == NULL)
499 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
500 "quota must be set if quota_directory is set", tblock->name);
501 }
502
503/* If a fixed uid field is set, then a gid field must also be set. */
504
505if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
506 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
507 "user set without group for the %s transport", tblock->name);
508
509/* If "create_file" is set, check that a valid option is given, and set the
510integer variable. */
511
512if (ob->create_file_string != NULL)
513 {
514 int value = 0;
515 if (Ustrcmp(ob->create_file_string, "anywhere") == 0) value = create_anywhere;
516 else if (Ustrcmp(ob->create_file_string, "belowhome") == 0) value =
517 create_belowhome;
518 else if (Ustrcmp(ob->create_file_string, "inhome") == 0)
519 value = create_inhome;
520 else
521 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
522 "invalid value given for \"file_create\" for the %s transport: %s",
523 tblock->name, ob->create_file_string);
524 ob->create_file = value;
525 }
526
527/* If quota_warn_threshold is set, set up default for warn_message. It may
528not be used if the actual threshold for a given delivery ends up as zero,
529of if it's given as a percentage and there's no quota setting. */
530
531if (ob->quota_warn_threshold != NULL)
532 {
533 if (tblock->warn_message == NULL) tblock->warn_message = US
534 "To: $local_part@$domain\n"
535 "Subject: Your mailbox\n\n"
536 "This message is automatically created by mail delivery software (Exim).\n\n"
537 "The size of your mailbox has exceeded a warning threshold that is\n"
538 "set by the system administrator.\n";
539 }
540
541/* If batch SMTP is set, force the check and escape strings, and arrange that
542headers are also escaped. */
543
544if (ob->use_bsmtp)
545 {
546 ob->check_string = US".";
547 ob->escape_string = US"..";
548 ob->options |= topt_escape_headers;
549 }
550
551/* If not batch SMTP, not maildir, not mailstore, and directory is not set,
552insert default values for for the affixes and the check/escape strings. */
553
554else if (ob->dirname == NULL && !ob->maildir_format && !ob->mailstore_format)
555 {
556 if (ob->message_prefix == NULL) ob->message_prefix =
557 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
558 if (ob->message_suffix == NULL) ob->message_suffix = US"\n";
559 if (ob->check_string == NULL) ob->check_string = US"From ";
560 if (ob->escape_string == NULL) ob->escape_string = US">From ";
561
562 }
563
564/* Set up the bitwise options for transport_write_message from the various
565driver options. Only one of body_only and headers_only can be set. */
566
567ob->options |=
568 (tblock->body_only? topt_no_headers : 0) |
569 (tblock->headers_only? topt_no_body : 0) |
570 (tblock->return_path_add? topt_add_return_path : 0) |
571 (tblock->delivery_date_add? topt_add_delivery_date : 0) |
572 (tblock->envelope_to_add? topt_add_envelope_to : 0) |
573 ((ob->use_crlf || ob->mbx_format)? topt_use_crlf : 0);
574}
575
576
577
578/*************************************************
579* Notify comsat *
580*************************************************/
581
582/* The comsat daemon is the thing that provides asynchronous notification of
583the arrival of local messages, if requested by the user by "biff y". It is a
584BSD thing that uses a TCP/IP protocol for communication. A message consisting
585of the text "user@offset" must be sent, where offset is the place in the
586mailbox where new mail starts. There is no scope for telling it which file to
587look at, which makes it a less than useful if mail is being delivered into a
588non-standard place such as the user's home directory. In fact, it doesn't seem
589to pay much attention to the offset.
590
591Arguments:
592 user user name
593 offset offset in mailbox
594
595Returns: nothing
596*/
597
598static void
0d7eb84a 599notify_comsat(uschar *user, off_t offset)
0756eb3c
PH		 600{
601struct servent *sp;
602host_item host;
603host_item *h;
604uschar buffer[256];
605
606DEBUG(D_transport) debug_printf("notify_comsat called\n");
607
b1c749bb 608sprintf(CS buffer, "%.200s@" OFF_T_FMT "\n", user, offset);
0756eb3c
PH		 609
610if ((sp = getservbyname("biff", "udp")) == NULL)
611 {
612 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
613 return;
614 }
615
616host.name = US"localhost";
617host.next = NULL;
618
619
620/* This code is all set up to look up "localhost" and use all its addresses
621until one succeeds. However, it appears that at least on some systems, comsat
622doesn't listen on the ::1 address. So for the moment, just force the address to
623be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
322050c2 624can be changed. (But actually, comsat is probably dying out anyway.) */
0756eb3c
PH		 625
626/******
322050c2 627if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
0756eb3c
PH		 628 {
629 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
630 return;
631 }
632******/
633
634host.address = US"127.0.0.1";
635
636
fb05276a 637for (h = &host; h; h = h->next)
0756eb3c
PH		 638 {
639 int sock, rc;
fb05276a 640 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
0756eb3c
PH		 641
642 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
643
fb05276a 644 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
0756eb3c
PH		 645
646 /* Connect never fails for a UDP socket, so don't set a timeout. */
647
fb05276a 648 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, FALSE);
0756eb3c 649 rc = send(sock, buffer, Ustrlen(buffer) + 1, 0);
f1e894f3 650 (void)close(sock);
0756eb3c
PH		 651
652 if (rc >= 0) break;
653 DEBUG(D_transport)
654 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
655 h->address);
656 }
657}
658
659
660
661/*************************************************
662* Check the format of a file *
663*************************************************/
664
665/* This function is called when file_format is set, to check that an existing
666file has the right format. The format string contains text/transport pairs. The
667string matching is literal. we just read big_buffer_size bytes, because this is
668all about the first few bytes of a file.
669
670Arguments:
671 cfd the open file
672 tblock the transport block
673 addr the address block - for inserting error data
674
675Returns: pointer to the required transport, or NULL
676*/
677
678transport_instance *
679check_file_format(int cfd, transport_instance *tblock, address_item *addr)
680{
55414b25 681const uschar *format =
0756eb3c
PH		 682 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
683uschar data[256];
684int len = read(cfd, data, sizeof(data));
685int sep = 0;
686uschar *s;
687
688DEBUG(D_transport) debug_printf("checking file format\n");
689
690/* An empty file matches the current transport */
691
692if (len == 0) return tblock;
693
694/* Search the formats for a match */
695
dc8091e7 696while ((s = string_nextinlist(&format,&sep,big_buffer,big_buffer_size)))
0756eb3c
PH		 697 {
698 int slen = Ustrlen(s);
699 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
700 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
dc8091e7
JH		 701
702 if (match && tp)
0756eb3c
PH		 703 {
704 transport_instance *tt;
dc8091e7 705 for (tt = transports; tt; tt = tt->next)
0756eb3c
PH		 706 if (Ustrcmp(tp, tt->name) == 0)
707 {
708 DEBUG(D_transport)
709 debug_printf("file format -> %s transport\n", tt->name);
710 return tt;
711 }
712 addr->basic_errno = ERRNO_BADTRANSPORT;
713 addr->message = string_sprintf("%s transport (for %.*s format) not found",
714 tp, slen, data);
715 return NULL;
716 }
717 }
718
719/* Failed to find a match */
720
721addr->basic_errno = ERRNO_FORMATUNKNOWN;
722addr->message = US"mailbox file format unrecognized";
723return NULL;
724}
725
726
727
728
729/*************************************************
730* Check directory's files for quota *
731*************************************************/
732
733/* This function is called if quota is set for one of the delivery modes that
734delivers into a specific directory. It scans the directory and stats all the
735files in order to get a total size and count. This is an expensive thing to do,
736but some people are prepared to bear the cost. Alternatively, if size_regex is
737set, it is used as a regex to try to extract the size from the file name, a
738strategy that some people use on maildir files on systems where the users have
739no shell access.
740
741The function is global, because it is also called from tf_maildir.c for maildir
742folders (which should contain only regular files).
743
744Note: Any problems can be written to debugging output, but cannot be written to
745the log, because we are running as an unprivileged user here.
746
747Arguments:
748 dirname the name of the directory
749 countptr where to add the file count (because this function recurses)
750 regex a compiled regex to get the size from a name
751
752Returns: the sum of the sizes of the stattable files
753 zero if the directory cannot be opened
754*/
755
0d7eb84a 756off_t
0756eb3c
PH		 757check_dir_size(uschar *dirname, int *countptr, const pcre *regex)
758{
759DIR *dir;
0d7eb84a 760off_t sum = 0;
0756eb3c
PH		 761int count = *countptr;
762struct dirent *ent;
763struct stat statbuf;
764
765dir = opendir(CS dirname);
766if (dir == NULL) return 0;
767
768while ((ent = readdir(dir)) != NULL)
769 {
770 uschar *name = US ent->d_name;
771 uschar buffer[1024];
772
773 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
774
775 count++;
776
777 /* If there's a regex, try to find the size using it */
778
779 if (regex != NULL)
780 {
781 int ovector[6];
782 if (pcre_exec(regex, NULL, CS name, Ustrlen(name), 0, 0, ovector,6) >= 2)
783 {
784 uschar *endptr;
0d7eb84a 785 off_t size = (off_t)Ustrtod(name + ovector[2], &endptr);
0756eb3c
PH		 786 if (endptr == name + ovector[3])
787 {
788 sum += size;
789 DEBUG(D_transport)
b1c749bb
PH		 790 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
791 size);
0756eb3c
PH		 792 continue;
793 }
794 }
795 DEBUG(D_transport)
796 debug_printf("check_dir_size: regex did not match %s\n", name);
797 }
798
799 /* No regex or no match for the regex, or captured non-digits */
800
801 if (!string_format(buffer, sizeof(buffer), "%s/%s", dirname, name))
802 {
803 DEBUG(D_transport)
804 debug_printf("check_dir_size: name too long: dir=%s name=%s\n", dirname,
805 name);
806 continue;
807 }
808
809 if (Ustat(buffer, &statbuf) < 0)
810 {
811 DEBUG(D_transport)
812 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, buffer,
813 strerror(errno));
814 continue;
815 }
816
817 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
818 sum += statbuf.st_size;
819 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
820 sum += check_dir_size(buffer, &count, regex);
821 }
822
823closedir(dir);
824DEBUG(D_transport)
b1c749bb
PH		 825 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
826 sum, count);
0d7eb84a 827
0756eb3c
PH		 828*countptr = count;
829return sum;
830}
831
832
833
834
835/*************************************************
836* Apply a lock to a file descriptor *
837*************************************************/
838
839/* This function applies a lock to a file descriptor, using a blocking or
840non-blocking lock, depending on the timeout value. It can apply either or
841both of a fcntl() and a flock() lock. However, not all OS support flock();
842for those that don't, the use_flock option cannot be set.
843
844Arguments:
845 fd the file descriptor
846 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
847 fcntl() format); the flock() type is deduced if needed
848 dofcntl do fcntl() locking
849 fcntltime non-zero to use blocking fcntl()
850 doflock do flock() locking
851 flocktime non-zero to use blocking flock()
852
853Returns: yield of the fcntl() or flock() call, with errno preserved;
854 sigalrm_seen set if there has been a timeout
855*/
856
857static int
858apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
859 int flocktime)
860{
861int yield = 0;
862int save_errno;
863struct flock lock_data;
864lock_data.l_type = fcntltype;
865lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
866
867sigalrm_seen = FALSE;
868
869if (dofcntl)
870 {
871 if (fcntltime > 0)
872 {
873 alarm(fcntltime);
874 yield = fcntl(fd, F_SETLKW, &lock_data);
875 save_errno = errno;
876 alarm(0);
877 errno = save_errno;
878 }
879 else yield = fcntl(fd, F_SETLK, &lock_data);
880 }
881
882#ifndef NO_FLOCK
883if (doflock && (yield >= 0))
884 {
885 int flocktype = (fcntltype == F_WRLCK)? LOCK_EX : LOCK_SH;
886 if (flocktime > 0)
887 {
888 alarm(flocktime);
889 yield = flock(fd, flocktype);
890 save_errno = errno;
891 alarm(0);
892 errno = save_errno;
893 }
894 else yield = flock(fd, flocktype | LOCK_NB);
895 }
896#endif /* NO_FLOCK */
897
898return yield;
899}
900
901
902
903
904#ifdef SUPPORT_MBX
905/*************************************************
906* Copy message into MBX mailbox *
907*************************************************/
908
909/* This function is called when a message intended for a MBX mailbox has been
910written to a temporary file. We can now get the size of the message and then
911copy it in MBX format to the mailbox.
912
913Arguments:
914 to_fd fd to write to (the real mailbox)
915 from_fd fd to read from (the temporary file)
916 saved_size current size of mailbox
917
918Returns: OK if all went well, DEFER otherwise, with errno preserved
919 the number of bytes written are added to transport_count
920 by virtue of calling transport_write_block()
921*/
922
923/* Values taken from c-client */
924
925#define MBX_HDRSIZE 2048
926#define MBX_NUSERFLAGS 30
927
928static int
0d7eb84a 929copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
0756eb3c 930{
0d7eb84a
PH		 931int used;
932off_t size;
0756eb3c 933struct stat statbuf;
42055a33
JH		 934transport_ctx tctx = {0};
935
936tctx.u.fd = to_fd;
0756eb3c
PH		 937
938/* If the current mailbox size is zero, write a header block */
939
940if (saved_size == 0)
941 {
942 int i;
943 uschar *s;
944 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
945 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
946 (long int)time(NULL));
947 for (i = 0; i < MBX_NUSERFLAGS; i++)
948 sprintf (CS(s += Ustrlen(s)), "\015\012");
42055a33 949 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
0756eb3c
PH		 950 return DEFER;
951 }
952
953DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
954
955/* Now construct the message's header from the time and the RFC822 file
956size, including CRLFs, which is the size of the input (temporary) file. */
957
958if (fstat(from_fd, &statbuf) < 0) return DEFER;
959size = statbuf.st_size;
960
b1c749bb
PH		 961sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
962 tod_stamp(tod_mbx), size, 0L, 0, 0);
0756eb3c
PH		 963used = Ustrlen(deliver_out_buffer);
964
965/* Rewind the temporary file, and copy it over in chunks. */
966
d315eda1 967if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
0756eb3c
PH		 968
969while (size > 0)
970 {
971 int len = read(from_fd, deliver_out_buffer + used,
972 DELIVER_OUT_BUFFER_SIZE - used);
973 if (len <= 0)
974 {
975 if (len == 0) errno = ERRNO_MBXLENGTH;
976 return DEFER;
977 }
42055a33 978 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
0756eb3c
PH		 979 return DEFER;
980 size -= len;
981 used = 0;
982 }
983
984return OK;
985}
986#endif /* SUPPORT_MBX */
987
988
989
990/*************************************************
991* Check creation is permitted *
992*************************************************/
993
994/* This function checks whether a given file name is permitted to be created,
995as controlled by the create_file option. If no home directory is set, however,
996we can't do any tests.
997
998Arguments:
999 filename the file name
1000 create_file the ob->create_file option
1001
1002Returns: TRUE if creation is permitted
1003*/
1004
1005static BOOL
1006check_creation(uschar *filename, int create_file)
1007{
1008BOOL yield = TRUE;
1009
1010if (deliver_home != NULL && create_file != create_anywhere)
1011 {
1012 int len = Ustrlen(deliver_home);
1013 uschar *file = filename;
1014
1015 while (file[0] == '/' && file[1] == '/') file++;
1016 if (Ustrncmp(file, deliver_home, len) != 0 || file[len] != '/' ||
1017 ( Ustrchr(file+len+2, '/') != NULL &&
1018 (
1019 create_file != create_belowhome ||
1020 Ustrstr(file+len, "/../") != NULL
1021 )
1022 )
1023 ) yield = FALSE;
1024
1025 /* If yield is TRUE, the file name starts with the home directory, and does
1026 not contain any instances of "/../" in the "belowhome" case. However, it may
1027 still contain symbolic links. We can check for this by making use of
1028 realpath(), which most Unixes seem to have (but make it possible to cut this
1029 out). We can't just use realpath() on the whole file name, because we know
1030 the file itself doesn't exist, and intermediate directories may also not
1031 exist. What we want to know is the real path of the longest existing part of
1032 the path. That must match the home directory's beginning, whichever is the
1033 shorter. */
1034
1035 #ifndef NO_REALPATH
1036 if (yield && create_file == create_belowhome)
1037 {
1038 uschar *slash, *next;
1039 uschar *rp = NULL;
1040 for (slash = Ustrrchr(file, '/'); /* There is known to be one */
1041 rp == NULL && slash > file; /* Stop if reached beginning */
1042 slash = next)
1043 {
1044 *slash = 0;
1045 rp = US realpath(CS file, CS big_buffer);
1046 next = Ustrrchr(file, '/');
1047 *slash = '/';
1048 }
1049
1050 /* If rp == NULL it means that none of the relevant directories exist.
1051 This is not a problem here - it means that no symbolic links can exist,
1052 which is all we are worried about. Otherwise, we must compare it
1053 against the start of the home directory. However, that may itself
1054 contain symbolic links, so we have to "realpath" it as well, if
1055 possible. */
1056
1057 if (rp != NULL)
1058 {
1059 uschar hdbuffer[PATH_MAX+1];
1060 uschar *rph = deliver_home;
1061 int rlen = Ustrlen(big_buffer);
1062
1063 rp = US realpath(CS deliver_home, CS hdbuffer);
1064 if (rp != NULL)
1065 {
1066 rph = hdbuffer;
1067 len = Ustrlen(rph);
1068 }
1069
1070 if (rlen > len) rlen = len;
1071 if (Ustrncmp(rph, big_buffer, rlen) != 0)
1072 {
1073 yield = FALSE;
1074 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
1075 big_buffer, deliver_home);
1076 }
1077 }
1078 }
1079 #endif /* NO_REALPATH */
1080 }
1081
1082return yield;
1083}
1084
1085
1086
1087/*************************************************
1088* Main entry point *
1089*************************************************/
1090
1091/* See local README for general interface details. This transport always
1092returns FALSE, indicating that the status which has been placed in the first
1093address should be copied to any other addresses in a batch.
1094
1095Appendfile delivery is tricky and has led to various security problems in other
1096mailers. The logic used here is therefore laid out in some detail. When this
1097function is called, we are running in a subprocess which has had its gid and
1098uid set to the appropriate values. Therefore, we cannot write directly to the
1099exim logs. Any errors must be handled by setting appropriate return codes.
1100Note that the default setting for addr->transport_return is DEFER, so it need
1101not be set unless some other value is required.
1102
1103The code below calls geteuid() rather than getuid() to get the current uid
1104because in weird configurations not running setuid root there may be a
1105difference. In the standard configuration, where setuid() has been used in the
1106delivery process, there will be no difference between the uid and the euid.
1107
1108(1) If the af_file flag is set, this is a delivery to a file after .forward or
1109 alias expansion. Otherwise, there must be a configured file name or
1110 directory name.
1111
1112The following items apply in the case when a file name (as opposed to a
1113directory name) is given, that is, when appending to a single file:
1114
1115(2f) Expand the file name.
1116
1117(3f) If the file name is /dev/null, return success (optimization).
1118
1119(4f) If the file_format options is set, open the file for reading, and check
1120 that the bytes at the start of the file match one of the given strings.
1121 If the check indicates a transport other than the current one should be
1122 used, pass control to that other transport. Otherwise continue. An empty
1123 or non-existent file matches the current transport. The file is closed
1124 after the check.
1125
1126(5f) If a lock file is required, create it (see extensive separate comments
1127 below about the algorithm for doing this). It is important to do this
1128 before opening the mailbox if NFS is in use.
1129
1130(6f) Stat the file, using lstat() rather than stat(), in order to pick up
1131 details of any symbolic link.
1132
1133(7f) If the file already exists:
1134
1135 Check the owner and group if necessary, and defer if they are wrong.
1136
1137 If it is a symbolic link AND the allow_symlink option is set (NOT the
1138 default), go back to (6f) but this time use stat() instead of lstat().
1139
1140 If it's not a regular file (or FIFO when permitted), defer delivery.
1141
1142 Check permissions. If the required permissions are *less* than the
1143 existing ones, or supplied by the address (often by the user via filter),
1144 chmod() the file. Otherwise, defer.
1145
1146 Save the inode number.
1147
1148 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1149
1150 If open fails because the file does not exist, go to (6f); on any other
1151 failure, defer.
1152
1153 Check the inode number hasn't changed - I realize this isn't perfect (an
1154 inode can be reused) but it's cheap and will catch some of the races.
1155
1156 Check it's still a regular file (or FIFO if permitted).
1157
1158 Check that the owner and permissions haven't changed.
1159
1160 If file_format is set, check that the file still matches the format for
1161 the current transport. If not, defer delivery.
1162
1163(8f) If file does not exist initially:
1164
1165 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1166 this is via a symbolic link (only possible if allow_symlinks is set), in
4c04137d 1167 which case don't use O_EXCL, as it doesn't work.
0756eb3c
PH		 1168
1169 If open fails because the file already exists, go to (6f). To avoid
1170 looping for ever in a situation where the file is continuously being
1171 created and deleted, all of this happens inside a loop that operates
1172 lock_retries times and includes the fcntl and flock locking. If the
1173 loop completes without the file getting opened, defer and request
1174 freezing, because something really weird is happening.
1175
1176 If open fails for any other reason, defer for subsequent delivery except
1177 when this is a file delivery resulting from an alias or forward expansion
1178 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1179 most likely a user rather than a configuration error.
1180
1181(9f) We now have the file checked and open for writing. If so configured, lock
1182 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1183 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1184 still fails, give up and defer delivery.
1185
1186(10f)Save the access time (for subsequent restoration) and the size of the
1187 file, for comsat and for re-setting if delivery fails in the middle -
1188 e.g. for quota exceeded.
1189
1190The following items apply in the case when a directory name is given:
1191
1192(2d) Create a new file in the directory using a temporary name, by opening for
1193 writing and with O_CREAT. If maildir format is being used, the file
1194 is created in a temporary subdirectory with a prescribed name. If
1195 mailstore format is being used, the envelope file is first created with a
1196 temporary name, then the data file.
1197
1198The following items apply in all cases:
1199
1200(11) We now have the file open for writing, and locked if it was given as a
1201 file name. Write the message and flush the file, unless there is a setting
1202 of the local quota option, in which case we can check for its excession
1203 without doing any writing.
1204
1205 In the case of MBX format mailboxes, the message is first written to a
1206 temporary file, in order to get its correct length. This is then copied to
1207 the real file, preceded by an MBX header.
1208
1209 If there is a quota error on writing, defer the address. Timeout logic
1210 will determine for how long retries are attempted. We restore the mailbox
1211 to its original length if it's a single file. There doesn't seem to be a
1212 uniform error code for quota excession (it even differs between SunOS4
1213 and some versions of SunOS5) so a system-dependent macro called
1214 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1215 compile time.
1216
1217 For any other error (most commonly disk full), do the same.
1218
1219The following applies after appending to a file:
1220
1221(12f)Restore the atime; notify_comsat if required; close the file (which
1222 unlocks it if it was locked). Delete the lock file if it exists.
1223
1224The following applies after writing a unique file in a directory:
1225
1226(12d)For maildir format, rename the file into the new directory. For mailstore
1227 format, rename the envelope file to its correct name. Otherwise, generate
1228 a unique name from the directory_file option, and rename to that, possibly
1229 trying a few times if the file exists and re-expanding the name gives a
1230 different string.
1231
1232This transport yields FAIL only when a file name is generated by an alias or
1233forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1234All other failures return DEFER (in addr->transport_return). */
1235
1236
1237BOOL
1238appendfile_transport_entry(
1239 transport_instance *tblock, /* data for this instantiation */
1240 address_item *addr) /* address we are working on */
1241{
1242appendfile_transport_options_block *ob =
1243 (appendfile_transport_options_block *)(tblock->options_block);
1244struct stat statbuf;
1245uschar *fdname = NULL;
1246uschar *filename = NULL;
1247uschar *hitchname = NULL;
1248uschar *dataname = NULL;
1249uschar *lockname = NULL;
1250uschar *newname = NULL;
1251uschar *nametag = NULL;
1252uschar *cr = US"";
1253uschar *filecount_msg = US"";
1254uschar *path;
1255struct utimbuf times;
1256struct timeval msg_tv;
01c490df 1257BOOL disable_quota = FALSE;
0756eb3c
PH		 1258BOOL isdirectory = FALSE;
1259BOOL isfifo = FALSE;
1260BOOL wait_for_tick = FALSE;
1261uid_t uid = geteuid(); /* See note above */
1262gid_t gid = getegid();
1263int mbformat;
1264int mode = (addr->mode > 0)? addr->mode : ob->mode;
0d7eb84a
PH		 1265off_t saved_size = -1;
1266off_t mailbox_size = ob->mailbox_size_value;
0756eb3c
PH		 1267int mailbox_filecount = ob->mailbox_filecount_value;
1268int hd = -1;
1269int fd = -1;
1270int yield = FAIL;
1271int i;
1272
1273#ifdef SUPPORT_MBX
1274int save_fd = 0;
1275int mbx_lockfd = -1;
1276uschar mbx_lockname[40];
1277FILE *temp_file = NULL;
1278#endif /* SUPPORT_MBX */
1279
1280#ifdef SUPPORT_MAILDIR
1281int maildirsize_fd = -1; /* fd for maildirsize file */
1282int maildir_save_errno;
1283#endif
1284
1285
1286DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1287
1288/* An "address_file" or "address_directory" transport is used to deliver to
1289files specified via .forward or an alias file. Prior to release 4.20, the
1290"file" and "directory" options were ignored in this case. This has been changed
1291to allow the redirection data to specify what is in effect a folder, whose
1292location is determined by the options on the transport.
1293
1294Compatibility with the case when neither option is set is retained by forcing a
1295value for the file or directory name. A directory delivery is assumed if the
1296last character of the path from the router is '/'.
1297
1298The file path is in the local part of the address, but not in the $local_part
1299variable (that holds the parent local part). It is, however, in the
1300$address_file variable. Below, we update the local part in the address if it
1301changes by expansion, so that the final path ends up in the log. */
1302
1303if (testflag(addr, af_file) &&
1304 ob->filename == NULL &&
1305 ob->dirname == NULL)
1306 {
1307 fdname = US"$address_file";
1308 if (address_file[Ustrlen(address_file)-1] == '/' ||
1309 ob->maildir_format ||
1310 ob->mailstore_format)
1311 isdirectory = TRUE;
1312 }
1313
1314/* Handle (a) an "address file" delivery where "file" or "directory" is
1315explicitly set and (b) a non-address_file delivery, where one of "file" or
1316"directory" must be set; initialization ensures that they are not both set. */
1317
1318if (fdname == NULL)
1319 {
1320 fdname = ob->filename;
1321 if (fdname == NULL)
1322 {
1323 fdname = ob->dirname;
1324 isdirectory = TRUE;
1325 }
1326 if (fdname == NULL)
1327 {
1328 addr->transport_return = PANIC;
1329 addr->message = string_sprintf("Mandatory file or directory option "
1330 "missing from %s transport", tblock->name);
1331 return FALSE;
1332 }
1333 }
1334
1335/* Maildir and mailstore require a directory */
1336
1337if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1338 {
1339 addr->transport_return = PANIC;
1340 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1341 "to be specified for the %s transport",
1342 ob->maildir_format? "dir" : "store", tblock->name);
1343 return FALSE;
1344 }
1345
1346path = expand_string(fdname);
1347
1348if (path == NULL)
1349 {
1350 addr->transport_return = PANIC;
1351 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1352 "name for %s transport) failed: %s", fdname, tblock->name,
1353 expand_string_message);
1354 return FALSE;
1355 }
1356
1357if (path[0] != '/')
1358 {
1359 addr->message = string_sprintf("appendfile: file or directory name "
1360 "\"%s\" is not absolute", path);
1361 addr->basic_errno = ERRNO_NOTABSOLUTE;
1362 return FALSE;
1363 }
1364
f7fd3850
PH		 1365/* For a file delivery, make sure the local part in the address(es) is updated
1366to the true local part. */
0756eb3c 1367
f7fd3850
PH		 1368if (testflag(addr, af_file))
1369 {
1370 address_item *addr2;
1371 for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
1372 addr2->local_part = string_copy(path);
1373 }
0756eb3c
PH		 1374
1375/* The available mailbox formats depend on whether it is a directory or a file
1376delivery. */
1377
1378if (isdirectory)
1379 {
1380 mbformat =
1381 #ifdef SUPPORT_MAILDIR
1382 (ob->maildir_format)? mbf_maildir :
1383 #endif
1384 #ifdef SUPPORT_MAILSTORE
1385 (ob->mailstore_format)? mbf_mailstore :
1386 #endif
1387 mbf_smail;
1388 }
1389else
1390 {
1391 mbformat =
1392 #ifdef SUPPORT_MBX
1393 (ob->mbx_format)? mbf_mbx :
1394 #endif
1395 mbf_unix;
1396 }
1397
1398DEBUG(D_transport)
1399 {
b1c749bb 1400 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
f511c353 1401 "%s%s"
b1c749bb 1402 " warning=" OFF_T_FMT "%s\n"
0756eb3c
PH		 1403 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1404 "maildir_use_size_file=%s\n",
b1c749bb 1405 mode, ob->notify_comsat, ob->quota_value,
d291c767
HSHR		 1406 ob->quota_no_check? " (no_check)" : "",
1407 ob->quota_filecount_no_check? " (no_check_filecount)" : "",
b1c749bb 1408 ob->quota_warn_threshold_value,
0756eb3c
PH		 1409 ob->quota_warn_threshold_is_percent? "%" : "",
1410 isdirectory? "directory" : "file",
1411 path, mailbox_formats[mbformat],
1412 (ob->message_prefix == NULL)? US"null" : string_printing(ob->message_prefix),
1413 (ob->message_suffix == NULL)? US"null" : string_printing(ob->message_suffix),
1414 (ob->maildir_use_size_file)? "yes" : "no");
1415
1416 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1417 ob->use_lockfile? "lockfile " : "",
1418 ob->use_mbx_lock? "mbx locking (" : "",
1419 ob->use_fcntl? "fcntl " : "",
1420 ob->use_flock? "flock" : "",
1421 ob->use_mbx_lock? ")" : "");
1422 }
1423
1424/* If the -N option is set, can't do any more. */
1425
1426if (dont_deliver)
1427 {
1428 DEBUG(D_transport)
1429 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1430 tblock->name);
1431 addr->transport_return = OK;
1432 return FALSE;
1433 }
1434
1435/* Handle the case of a file name. If the file name is /dev/null, we can save
1436ourselves some effort and just give a success return right away. */
1437
1438if (!isdirectory)
1439 {
1440 BOOL use_lstat = TRUE;
1441 BOOL file_opened = FALSE;
1442 BOOL allow_creation_here = TRUE;
1443
1444 if (Ustrcmp(path, "/dev/null") == 0)
1445 {
1446 addr->transport_return = OK;
1447 return FALSE;
1448 }
1449
1450 /* Set the name of the file to be opened, and the file to which the data
1451 is written, and find out if we are permitted to create a non-existent file. */
1452
1453 dataname = filename = path;
1454 allow_creation_here = check_creation(filename, ob->create_file);
1455
1456 /* If ob->create_directory is set, attempt to create the directories in
1457 which this mailbox lives, but only if we are permitted to create the file
1458 itself. We know we are dealing with an absolute path, because this was
1459 checked above. */
1460
1461 if (ob->create_directory && allow_creation_here)
1462 {
1463 uschar *p = Ustrrchr(path, '/');
1464 *p = '\0';
1465 if (!directory_make(NULL, path, ob->dirmode, FALSE))
1466 {
1467 addr->basic_errno = errno;
1468 addr->message =
1469 string_sprintf("failed to create directories for %s: %s", path,
1470 strerror(errno));
1471 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1472 return FALSE;
1473 }
1474 *p = '/';
1475 }
1476
1477 /* If file_format is set we must check that any existing file matches one of
1478 the configured formats by checking the bytes it starts with. A match then
1479 indicates a specific transport - if it is not this one, pass control to it.
1480 Otherwise carry on here. An empty or non-existent file matches the current
1481 transport. We don't need to distinguish between non-existence and other open
1482 failures because if an existing file fails to open here, it will also fail
1483 again later when O_RDWR is used. */
1484
1485 if (ob->file_format != NULL)
1486 {
1487 int cfd = Uopen(path, O_RDONLY, 0);
1488 if (cfd >= 0)
1489 {
1490 transport_instance *tt = check_file_format(cfd, tblock, addr);
f1e894f3 1491 (void)close(cfd);
0756eb3c
PH		 1492
1493 /* If another transport is indicated, call it and return; if no transport
1494 was found, just return - the error data will have been set up.*/
1495
1496 if (tt != tblock)
1497 {
1498 if (tt != NULL)
1499 {
1500 set_process_info("delivering %s to %s using %s", message_id,
1501 addr->local_part, tt->name);
1502 debug_print_string(tt->debug_string);
1503 addr->transport = tt;
1504 (tt->info->code)(tt, addr);
1505 }
1506 return FALSE;
1507 }
1508 }
1509 }
1510
1511 /* The locking of mailbox files is worse than the naming of cats, which is
1512 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1513 three different names, so several different styles of locking are used.
1514
1515 Research in other programs that lock mailboxes shows that there is no
1516 universally standard method. Having mailboxes NFS-mounted on the system that
1517 is delivering mail is not the best thing, but people do run like this,
1518 and so the code must do its best to cope.
1519
1520 Three different locking mechanisms are supported. The initialization function
1521 checks that at least one is configured.
1522
1523 LOCK FILES
1524
1525 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1526 will work over NFS. Only after that is done do we actually open the mailbox
1527 and apply locks to it (if configured).
1528
1529 Originally, Exim got the file opened before doing anything about locking.
1530 However, a very occasional problem was observed on Solaris 2 when delivering
1531 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1532 gets remembered at open time. If another process on another host (that's
1533 important) has the file open and locked and writes to it and then releases
1534 the lock while the first process is waiting to get the lock, the first
1535 process may fail to write at the new end point of the file - despite the very
1536 definite statement about O_APPEND in the man page for write(). Experiments
1537 have reproduced this problem, but I do not know any way of forcing a host to
1538 update its attribute cache for an open NFS file. It would be nice if it did
1539 so when a lock was taken out, but this does not seem to happen. Anyway, to
1540 reduce the risk of this problem happening, we now create the lock file
1541 (if configured) *before* opening the mailbox. That will prevent two different
1542 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1543 however, but Pine at least seems to operate in the same way.
1544
1545 Lockfiles should normally be used when NFS is involved, because of the above
1546 problem.
1547
1548 The logic for creating the lock file is:
1549
1550 . The name of the lock file is <mailbox-name>.lock
1551
1552 . First, create a "hitching post" name by adding the primary host name,
1553 current time and pid to the lock file name. This should be unique.
1554
1555 . Create the hitching post file using WRONLY + CREAT + EXCL.
1556
1557 . If that fails EACCES, we assume it means that the user is unable to create
1558 files in the mail spool directory. Some installations might operate in this
1559 manner, so there is a configuration option to allow this state not to be an
1560 error - we proceed to lock using fcntl only, after the file is open.
1561
1562 . Otherwise, an error causes a deferment of the address.
1563
1564 . Hard link the hitching post to the lock file name.
1565
1566 . If the link succeeds, we have successfully created the lock file. Simply
1567 close and unlink the hitching post file.
1568
1569 . If the link does not succeed, proceed as follows:
1570
1571 o Fstat the hitching post file, and then close and unlink it.
1572
1573 o Now examine the stat data. If the number of links to the file is exactly
1574 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1575 the return never made it back, so the link() function gave a failure
1576 return.
1577
1578 . This method allows for the lock file to be created by some other process
1579 right up to the moment of the attempt to hard link it, and is also robust
1580 against NFS server crash-reboots, which would probably result in timeouts
1581 in the middle of link().
1582
1583 . System crashes may cause lock files to get left lying around, and some means
1584 of flushing them is required. The approach of writing a pid (used by smail
1585 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1586 timeout, which seems a better approach. Since any program that writes to a
1587 mailbox using a lock file should complete its task very quickly, Pine
1588 removes lock files that are older than 5 minutes. We allow the value to be
1589 configurable on the transport.
1590
1591 FCNTL LOCKING
1592
1593 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1594 mailbox once it is open. This is done by default with a non-blocking lock.
1595 Failures to lock cause retries after a sleep, but only for a certain number
1596 of tries. A blocking lock is deliberately not used so that we don't hold the
1597 mailbox open. This minimizes the possibility of the NFS problem described
1598 under LOCK FILES above, if for some reason NFS deliveries are happening
1599 without lock files. However, the use of a non-blocking lock and sleep, though
1600 the safest approach, does not give the best performance on very busy systems.
1601 A blocking lock plus timeout does better. Therefore Exim has an option to
1602 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1603 enables the use of blocking fcntl() calls.
1604
1605 FLOCK LOCKING
1606
1607 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1608 same manner as for fcntl locking above. No-blocking/timeout is also set as
1609 above in lock_flock_timeout. Not all operating systems provide or support
1610 flock(). For those that don't (as determined by the definition of LOCK_SH in
1611 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1612 is implemented (not precisely) on top of fcntl(), which means there's no
1613 point in actually using it.
1614
1615 MBX LOCKING
1616
1617 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1618 then the rules used for locking in c-client are used. Exim takes out a shared
1619 lock on the mailbox file, and an exclusive lock on the file whose name is
1620 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1621 any other MBX client from getting an exclusive lock on it and expunging it.
1622 It also stops any other MBX client from unlinking the /tmp lock when it has
1623 finished with it.
1624
1625 The exclusive lock on the /tmp file prevents any other MBX client from
1626 updating the mailbox in any way. When writing is finished, if an exclusive
1627 lock on the mailbox can be obtained, indicating there are no current sharers,
1628 the /tmp file is unlinked.
1629
1630 MBX locking can use either fcntl() or flock() locking. If neither
1631 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1632 The calls for getting these locks are by default non-blocking, as for non-mbx
1633 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1634 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1635 probably makes sense to set timeouts for any MBX deliveries. */
1636
1637
1638 /* Build a lock file if configured to do so - the existence of a lock
1639 file is subsequently checked by looking for a non-negative value of the
1640 file descriptor hd - even though the file is no longer open. */
1641
1642 if (ob->use_lockfile)
1643 {
19050083 1644 /* cf. exim_lock.c */
0756eb3c
PH		 1645 lockname = string_sprintf("%s.lock", filename);
1646 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1647 (unsigned int)(time(NULL)), (unsigned int)getpid());
1648
1649 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1650 hitchname);
1651
1652 /* Lock file creation retry loop */
1653
1654 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1655 {
1656 int rc;
1657 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1658
1659 if (hd < 0)
1660 {
1661 addr->basic_errno = errno;
1662 addr->message =
1663 string_sprintf("creating lock file hitching post %s "
1664 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1665 (long int)getegid());
1666 return FALSE;
1667 }
1668
1669 /* Attempt to hitch the hitching post to the lock file. If link()
1670 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1671 file, and get rid of the hitching post. If the number of links was 2,
1672 the link was created, despite the failure of link(). If the hitch was
1673 not successful, try again, having unlinked the lock file if it is too
1674 old.
1675
1676 There's a version of Linux (2.0.27) which doesn't update its local cache
1677 of the inode after link() by default - which many think is a bug - but
1678 if the link succeeds, this code will be OK. It just won't work in the
1679 case when link() fails after having actually created the link. The Linux
1680 NFS person is fixing this; a temporary patch is available if anyone is
1681 sufficiently worried. */
1682
1683 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
f1e894f3 1684 (void)close(hd);
0756eb3c
PH		 1685 Uunlink(hitchname);
1686 if (rc != 0 && statbuf.st_nlink != 2)
1687 {
1688 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1689 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1690 {
1691 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1692 Uunlink(lockname);
1693 }
1694 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1695 continue;
1696 }
1697
1698 DEBUG(D_transport) debug_printf("lock file created\n");
1699 break;
1700 }
1701
1702 /* Check for too many tries at creating the lock file */
1703
1704 if (i >= ob->lock_retries)
1705 {
1706 addr->basic_errno = ERRNO_LOCKFAILED;
1707 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1708 filename);
1709 return FALSE;
1710 }
1711 }
1712
1713
1714 /* We now have to get the file open. First, stat() it and act on existence or
1715 non-existence. This is in a loop to handle the case of a file's being created
1716 or deleted as we watch, and also to handle retries when the locking fails.
1717 Rather than holding the file open while waiting for the fcntl() and/or
1718 flock() lock, we close and do the whole thing again. This should be safer,
1719 especially for NFS files, which might get altered from other hosts, making
1720 their cached sizes incorrect.
1721
1722 With the default settings, no symlinks are permitted, but there is an option
1723 to permit symlinks for those sysadmins that know what they are doing.
1724 Shudder. However, insist that the initial symlink is owned by the right user.
1725 Thus lstat() is used initially; if a symlink is discovered, the loop is
1726 repeated such that stat() is used, to look at the end file. */
1727
1728 for (i = 0; i < ob->lock_retries; i++)
1729 {
1730 int sleep_before_retry = TRUE;
1731 file_opened = FALSE;
1732
1733 if((use_lstat? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1734 {
1735 /* Let's hope that failure to stat (other than non-existence) is a
1736 rare event. */
1737
1738 if (errno != ENOENT)
1739 {
1740 addr->basic_errno = errno;
1741 addr->message = string_sprintf("attempting to stat mailbox %s",
1742 filename);
1743 goto RETURN;
1744 }
1745
1746 /* File does not exist. If it is required to pre-exist this state is an
1747 error. */
1748
1749 if (ob->file_must_exist)
1750 {
1751 addr->basic_errno = errno;
1752 addr->message = string_sprintf("mailbox %s does not exist, "
1753 "but file_must_exist is set", filename);
1754 goto RETURN;
1755 }
1756
1757 /* If not permitted to create this file because it isn't in or below
1758 the home directory, generate an error. */
1759
1760 if (!allow_creation_here)
1761 {
1762 addr->basic_errno = ERRNO_BADCREATE;
1763 addr->message = string_sprintf("mailbox %s does not exist, "
1764 "but creation outside the home directory is not permitted",
1765 filename);
1766 goto RETURN;
1767 }
1768
1769 /* Attempt to create and open the file. If open fails because of
1770 pre-existence, go round the loop again. For any other error, defer the
1771 address, except for an alias or forward generated file name with EPERM,
1772 ENOENT, or EACCES, as those are most likely to be user errors rather
1773 than Exim config errors. When a symbolic link is permitted and points
1774 to a non-existent file, we get here with use_lstat = FALSE. In this case
1775 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1776 consistency and because MBX locking requires it in order to be able to
1777 get a shared lock. */
1778
1779 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1780 (use_lstat? O_EXCL : 0), mode);
1781 if (fd < 0)
1782 {
1783 if (errno == EEXIST) continue;
1784 addr->basic_errno = errno;
1785 addr->message = string_sprintf("while creating mailbox %s",
1786 filename);
1787 if (testflag(addr, af_file) &&
1788 (errno == EPERM || errno == ENOENT || errno == EACCES))
1789 addr->transport_return = FAIL;
1790 goto RETURN;
1791 }
1792
1793 /* We have successfully created and opened the file. Ensure that the group
1794 and the mode are correct. */
1795
1ac6b2e7
JH		 1796 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
1797 {
1798 addr->basic_errno = errno;
1799 addr->message = string_sprintf("while setting perms on mailbox %s",
1800 filename);
1801 addr->transport_return = FAIL;
1802 goto RETURN;
1803 }
0756eb3c
PH		 1804 }
1805
1806
1807 /* The file already exists. Test its type, ownership, and permissions, and
1808 save the inode for checking later. If symlinks are permitted (not the
1809 default or recommended state) it may be a symlink that already exists.
1810 Check its ownership and then look for the file at the end of the link(s).
1811 This at least prevents one user creating a symlink for another user in
1812 a sticky directory. */
1813
1814 else
1815 {
1816 int oldmode = (int)statbuf.st_mode;
1817 ino_t inode = statbuf.st_ino;
1818 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1819
1820 isfifo = FALSE; /* In case things are changing */
1821
1822 /* Check owner if required - the default. */
1823
1824 if (ob->check_owner && statbuf.st_uid != uid)
1825 {
1826 addr->basic_errno = ERRNO_BADUGID;
1827 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1828 "(%ld != %ld)", filename,
1829 islink? " (symlink)" : "",
1830 (long int)(statbuf.st_uid), (long int)uid);
1831 goto RETURN;
1832 }
1833
1834 /* Group is checked only if check_group is set. */
1835
1836 if (ob->check_group && statbuf.st_gid != gid)
1837 {
1838 addr->basic_errno = ERRNO_BADUGID;
1839 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1840 filename, islink? " (symlink)" : "", statbuf.st_gid, gid);
1841 goto RETURN;
1842 }
1843
a466095c
NM		 1844 /* Just in case this is a sticky-bit mail directory, we don't want
1845 users to be able to create hard links to other users' files. */
1846
1847 if (statbuf.st_nlink != 1)
1848 {
1849 addr->basic_errno = ERRNO_NOTREGULAR;
1850 addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
1851 filename, islink? " (symlink)" : "", statbuf.st_nlink);
1852 goto RETURN;
1853
1854 }
1855
0756eb3c
PH		 1856 /* If symlinks are permitted (not recommended), the lstat() above will
1857 have found the symlink. Its ownership has just been checked; go round
1858 the loop again, using stat() instead of lstat(). That will never yield a
1859 mode of S_IFLNK. */
1860
1861 if (islink && ob->allow_symlink)
1862 {
1863 use_lstat = FALSE;
1864 i--; /* Don't count this time round */
1865 continue;
1866 }
1867
1868 /* An actual file exists. Check that it is a regular file, or FIFO
1869 if permitted. */
1870
1871 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1872
1873 else if ((oldmode & S_IFMT) != S_IFREG)
1874 {
1875 addr->basic_errno = ERRNO_NOTREGULAR;
1876 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1877 filename, ob->allow_fifo? " or named pipe" : "");
1878 goto RETURN;
1879 }
1880
1881 /* If the mode is not what it would be for a newly created file, change
1882 the permissions if the mode is supplied for the address. Otherwise,
1883 reduce but do not extend the permissions. If the newly created
1884 permissions are greater than the existing permissions, don't change
1885 things when the mode is not from the address. */
1886
1887 if ((oldmode = (oldmode & 07777)) != mode)
1888 {
1889 int diffs = oldmode ^ mode;
1890 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1891 {
1892 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1893 if (Uchmod(filename, mode) < 0)
1894 {
1895 addr->basic_errno = errno;
1896 addr->message = string_sprintf("attempting to chmod mailbox %s",
1897 filename);
1898 goto RETURN;
1899 }
1900 oldmode = mode;
1901 }
1902
1903 /* Mode not from address, and newly-created permissions are greater
1904 than existing permissions. Default is to complain, but it can be
1905 configured to go ahead and try to deliver anyway if that's what
1906 the administration wants. */
1907
1908 else if (ob->mode_fail_narrower)
1909 {
1910 addr->basic_errno = ERRNO_BADMODE;
1911 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1912 "(%o expected)", filename, oldmode, mode);
1913 goto RETURN;
1914 }
1915 }
1916
1917 /* We are happy with the existing file. Open it, and then do further
1918 tests to ensure that it is the same file that we were just looking at.
1919 If the file does not now exist, restart this loop, going back to using
1920 lstat again. For an NFS error, just defer; other opening errors are
1921 more serious. The file is opened RDWR so that its format can be checked,
1922 and also MBX locking requires the use of a shared (read) lock. However,
1923 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1924 reading the pipe. */
1925
1926 fd = Uopen(filename, isfifo? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1927 mode);
1928 if (fd < 0)
1929 {
1930 if (errno == ENOENT)
1931 {
1932 use_lstat = TRUE;
1933 continue;
1934 }
1935 addr->basic_errno = errno;
1936 if (isfifo)
1937 {
1938 addr->message = string_sprintf("while opening named pipe %s "
1939 "(could mean no process is reading it)", filename);
1940 }
1941 else if (errno != EWOULDBLOCK)
1942 {
1943 addr->message = string_sprintf("while opening mailbox %s", filename);
1944 }
1945 goto RETURN;
1946 }
1947
1948 /* This fstat really shouldn't fail, as we have an open file! There's a
1949 dilemma here. We use fstat in order to be sure we are peering at the file
1950 we have got open. However, that won't tell us if the file was reached
1951 via a symbolic link. We checked this above, but there is a race exposure
1952 if the link was created between the previous lstat and the open. However,
1953 it would have to be created with the same inode in order to pass the
1954 check below. If ob->allow_symlink is set, causing the use of stat rather
1955 than lstat above, symbolic links may be there anyway, and the checking is
1956 weaker. */
1957
1958 if (fstat(fd, &statbuf) < 0)
1959 {
1960 addr->basic_errno = errno;
1961 addr->message = string_sprintf("attempting to stat open mailbox %s",
1962 filename);
1963 goto RETURN;
1964 }
1965
1966 /* Check the inode; this is isn't a perfect check, but gives some
1967 confidence. */
1968
1969 if (inode != statbuf.st_ino)
1970 {
1971 addr->basic_errno = ERRNO_INODECHANGED;
1972 addr->message = string_sprintf("opened mailbox %s inode number changed "
1973 "from %d to %ld", filename, inode, statbuf.st_ino);
1974 addr->special_action = SPECIAL_FREEZE;
1975 goto RETURN;
1976 }
1977
1978 /* Check it's still a regular file or FIFO, and the uid, gid, and
1979 permissions have not changed. */
1980
1981 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1982 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1983 {
1984 addr->basic_errno = ERRNO_NOTREGULAR;
1985 addr->message =
1986 string_sprintf("opened mailbox %s is no longer a %s", filename,
1987 isfifo? "named pipe" : "regular file");
1988 addr->special_action = SPECIAL_FREEZE;
1989 goto RETURN;
1990 }
1991
1992 if ((ob->check_owner && statbuf.st_uid != uid) ||
1993 (ob->check_group && statbuf.st_gid != gid))
1994 {
1995 addr->basic_errno = ERRNO_BADUGID;
1996 addr->message =
1997 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1998 addr->special_action = SPECIAL_FREEZE;
1999 goto RETURN;
2000 }
2001
2002 if ((statbuf.st_mode & 07777) != oldmode)
2003 {
2004 addr->basic_errno = ERRNO_BADMODE;
2005 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
2006 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
2007 addr->special_action = SPECIAL_FREEZE;
2008 goto RETURN;
2009 }
2010
2011 /* If file_format is set, check that the format of the file has not
2012 changed. Error data is set by the testing function. */
2013
2014 if (ob->file_format != NULL &&
2015 check_file_format(fd, tblock, addr) != tblock)
2016 {
2017 addr->message = US"open mailbox has changed format";
2018 goto RETURN;
2019 }
2020
2021 /* The file is OK. Carry on to do the locking. */
2022 }
2023
2024 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
2025 locking rules if configured to do so. If a lock file is also required, it
2026 was created above and hd was left >= 0. At least one form of locking is
2027 required by the initialization function. If locking fails here, close the
2028 file and go round the loop all over again, after waiting for a bit, unless
2029 blocking locking was used. */
2030
2031 file_opened = TRUE;
2032 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
2033 sleep_before_retry = FALSE;
2034
2035 /* Simple fcntl() and/or flock() locking */
2036
2037 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
2038 {
2039 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2040 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
2041 }
2042
2043 /* MBX locking rules */
2044
2045 #ifdef SUPPORT_MBX
2046 else if (ob->use_mbx_lock)
2047 {
bf83d8d3
PP		 2048 int mbx_tmp_oflags;
2049 struct stat lstatbuf, statbuf2;
0756eb3c
PH		 2050 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2051 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
2052 fstat(fd, &statbuf) >= 0)
2053 {
2054 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
2055 (long)statbuf.st_ino);
2056
bf83d8d3
PP		 2057 /*
2058 * 2010-05-29: SECURITY
2059 * Dan Rosenberg reported the presence of a race-condition in the
2060 * original code here. Beware that many systems still allow symlinks
2061 * to be followed in /tmp so an attacker can create a symlink pointing
2062 * elsewhere between a stat and an open, which we should avoid
2063 * following.
2064 *
2065 * It's unfortunate that we can't just use all the heavily debugged
2066 * locking from above.
2067 *
2068 * Also: remember to mirror changes into exim_lock.c */
2069
2070 /* first leave the old pre-check in place, it provides better
2071 * diagnostics for common cases */
0756eb3c
PH		 2072 if (Ulstat(mbx_lockname, &statbuf) >= 0)
2073 {
2074 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
2075 {
2076 addr->basic_errno = ERRNO_LOCKFAILED;
2077 addr->message = string_sprintf("symbolic link on MBX lock file %s",
2078 mbx_lockname);
2079 goto RETURN;
2080 }
2081 if (statbuf.st_nlink > 1)
2082 {
2083 addr->basic_errno = ERRNO_LOCKFAILED;
2084 addr->message = string_sprintf("hard link to MBX lock file %s",
2085 mbx_lockname);
2086 goto RETURN;
2087 }
2088 }
2089
bf83d8d3
PP		 2090 /* If we could just declare "we must be the ones who create this
2091 * file" then a hitching post in a subdir would work, since a
2092 * subdir directly in /tmp/ which we create wouldn't follow links
2093 * but this isn't our locking logic, so we can't safely change the
2094 * file existence rules. */
2095
2096 /* On systems which support O_NOFOLLOW, it's the easiest and most
2097 * obviously correct security fix */
2098 mbx_tmp_oflags = O_RDWR | O_CREAT;
2099#ifdef O_NOFOLLOW
2100 mbx_tmp_oflags |= O_NOFOLLOW;
2101#endif
2102 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
0756eb3c
PH		 2103 if (mbx_lockfd < 0)
2104 {
2105 addr->basic_errno = ERRNO_LOCKFAILED;
2106 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2107 mbx_lockname, strerror(errno));
2108 goto RETURN;
2109 }
bf83d8d3 2110
73a46702 2111 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
bf83d8d3
PP		 2112 {
2113 addr->basic_errno = ERRNO_LOCKFAILED;
2114 addr->message = string_sprintf("attempting to lstat open MBX "
2115 "lock file %s: %s", mbx_lockname, strerror(errno));
2116 goto RETURN;
2117 }
2118 if (fstat(mbx_lockfd, &statbuf2) < 0)
2119 {
2120 addr->basic_errno = ERRNO_LOCKFAILED;
2121 addr->message = string_sprintf("attempting to stat fd of open MBX "
2122 "lock file %s: %s", mbx_lockname, strerror(errno));
2123 goto RETURN;
2124 }
2125
2126 /*
2127 * At this point:
2128 * statbuf: if exists, is file which existed prior to opening the
2129 * lockfile, might have been replaced since then
2130 * statbuf2: result of stat'ing the open fd, is what was actually
2131 * opened
2132 * lstatbuf: result of lstat'ing the filename immediately after
2133 * the open but there's a race condition again between
2134 * those two steps: before open, symlink to foo, after
2135 * open but before lstat have one of:
2136 * * was no symlink, so is the opened file
2137 * (we created it, no messing possible after that point)
2138 * * hardlink to foo
2139 * * symlink elsewhere
2140 * * hardlink elsewhere
2141 * * new file/other
2142 * Don't want to compare to device of /tmp because some modern systems
2143 * have regressed to having /tmp be the safe actual filesystem as
2144 * valuable data, so is mostly worthless, unless we assume that *only*
2145 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2146 * for further consideration.
2147 * No point in doing a readlink on the lockfile as that will always be
2148 * at a different point in time from when we open it, so tells us
2149 * nothing; attempts to clean up and delete after ourselves would risk
2150 * deleting a *third* filename.
2151 */
2152 if ((statbuf2.st_nlink > 1) ||
2153 (lstatbuf.st_nlink > 1) ||
2154 (!S_ISREG(lstatbuf.st_mode)) ||
2155 (lstatbuf.st_dev != statbuf2.st_dev) ||
2156 (lstatbuf.st_ino != statbuf2.st_ino))
2157 {
2158 addr->basic_errno = ERRNO_LOCKFAILED;
2159 addr->message = string_sprintf("RACE CONDITION detected: "
2160 "mismatch post-initial-checks between \"%s\" and opened "
2161 "fd lead us to abort!", mbx_lockname);
2162 goto RETURN;
2163 }
0756eb3c 2164
7e9f683d 2165 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
0756eb3c
PH		 2166
2167 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2168 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2169 {
2170 struct stat ostatbuf;
2171
2172 /* This tests for a specific race condition. Ensure that we still
2173 have the same file. */
2174
2175 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2176 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2177 statbuf.st_dev == ostatbuf.st_dev &&
2178 statbuf.st_ino == ostatbuf.st_ino)
2179 break;
2180 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2181 "between creation and locking\n", mbx_lockname);
2182 }
2183
2184 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2185 strerror(errno));
f1e894f3 2186 (void)close(mbx_lockfd);
0756eb3c
PH		 2187 mbx_lockfd = -1;
2188 }
2189 else
2190 {
2191 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2192 filename, strerror(errno));
2193 }
2194 }
2195 #endif /* SUPPORT_MBX */
2196
2197 else break; /* No on-file locking required; break the open/lock loop */
2198
2199 DEBUG(D_transport)
2200 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2201
f1e894f3 2202 (void)close(fd);
0756eb3c
PH		 2203 fd = -1;
2204 use_lstat = TRUE; /* Reset to use lstat first */
2205
2206
2207 /* If a blocking call timed out, break the retry loop if the total time
2208 so far is not less than than retries * interval. Use the larger of the
2209 flock() and fcntl() timeouts. */
2210
2211 if (sigalrm_seen &&
2212 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2213 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2214 ob->lock_retries * ob->lock_interval)
2215 i = ob->lock_retries;
2216
2217 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2218 flock() that caused the problem. */
2219
2220 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2221 }
2222
2223 /* Test for exceeding the maximum number of tries. Either the file remains
2224 locked, or, if we haven't got it open, something is terribly wrong... */
2225
2226 if (i >= ob->lock_retries)
2227 {
2228 if (!file_opened)
2229 {
2230 addr->basic_errno = ERRNO_EXISTRACE;
2231 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2232 addr->special_action = SPECIAL_FREEZE;
2233 }
2234 else
2235 {
2236 addr->basic_errno = ERRNO_LOCKFAILED;
2237 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2238 filename);
2239 }
2240 goto RETURN;
2241 }
2242
2243 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2244
2245 /* Save access time (for subsequent restoration), modification time (for
2246 restoration if updating fails), size of file (for comsat and for re-setting if
2247 delivery fails in the middle - e.g. for quota exceeded). */
2248
2249 if (fstat(fd, &statbuf) < 0)
2250 {
2251 addr->basic_errno = errno;
2252 addr->message = string_sprintf("while fstatting opened mailbox %s",
2253 filename);
2254 goto RETURN;
2255 }
2256
2257 times.actime = statbuf.st_atime;
2258 times.modtime = statbuf.st_mtime;
2259 saved_size = statbuf.st_size;
2260 if (mailbox_size < 0) mailbox_size = saved_size;
2261 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2262 }
2263
2264/* Prepare for writing to a new file (as opposed to appending to an old one).
2265There are several different formats, but there is preliminary stuff concerned
2266with quotas that applies to all of them. Finding the current size by directory
2267scanning is expensive; for maildirs some fudges have been invented:
2268
2269 (1) A regex can be used to extract a file size from its name;
2270 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2271 mailbox size.
2272*/
2273
2274else
2275 {
2276 uschar *check_path = path; /* Default quota check path */
2277 const pcre *regex = NULL; /* Regex for file size from file name */
2278
2279 if (!check_creation(string_sprintf("%s/any", path), ob->create_file))
2280 {
2281 addr->basic_errno = ERRNO_BADCREATE;
2282 addr->message = string_sprintf("tried to create file in %s, but "
2283 "file creation outside the home directory is not permitted", path);
2284 goto RETURN;
2285 }
2286
2287 #ifdef SUPPORT_MAILDIR
d6629cdc
PH		 2288 /* For a maildir delivery, ensure that all the relevant directories exist,
2289 and a maildirfolder file if necessary. */
0756eb3c
PH		 2290
2291 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
d6629cdc 2292 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
0756eb3c
PH		 2293 return FALSE;
2294 #endif /* SUPPORT_MAILDIR */
2295
2296 /* If we are going to do a quota check, of if maildir_use_size_file is set
2297 for a maildir delivery, compile the regular expression if there is one. We
2298 may also need to adjust the path that is used. We need to do this for
2299 maildir_use_size_file even if the quota is unset, because we still want to
2300 create the file. When maildir support is not compiled,
2301 ob->maildir_use_size_file is always FALSE. */
2302
2303 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2304 {
2305 const uschar *error;
2306 int offset;
2307
01c490df 2308 /* Compile the regex if there is one. */
0756eb3c
PH		 2309
2310 if (ob->quota_size_regex != NULL)
2311 {
2312 regex = pcre_compile(CS ob->quota_size_regex, PCRE_COPT,
2313 (const char **)&error, &offset, NULL);
2314 if (regex == NULL)
2315 {
2316 addr->message = string_sprintf("appendfile: regular expression "
2317 "error: %s at offset %d while compiling %s", error, offset,
2318 ob->quota_size_regex);
2319 return FALSE;
2320 }
01c490df
PH		 2321 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2322 ob->quota_size_regex);
0756eb3c
PH		 2323 }
2324
2325 /* Use an explicitly configured directory if set */
2326
2327 if (ob->quota_directory != NULL)
2328 {
2329 check_path = expand_string(ob->quota_directory);
2330 if (check_path == NULL)
2331 {
2332 addr->transport_return = PANIC;
2333 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2334 "name for %s transport) failed: %s", ob->quota_directory,
2335 tblock->name, expand_string_message);
2336 return FALSE;
2337 }
2338
2339 if (check_path[0] != '/')
2340 {
2341 addr->message = string_sprintf("appendfile: quota_directory name "
2342 "\"%s\" is not absolute", check_path);
2343 addr->basic_errno = ERRNO_NOTABSOLUTE;
2344 return FALSE;
2345 }
2346 }
2347
2348 #ifdef SUPPORT_MAILDIR
2349 /* Otherwise, if we are handling a maildir delivery, and the directory
2350 contains a file called maildirfolder, this is a maildir++ feature telling
2351 us that this is a sub-directory of the real inbox. We should therefore do
2352 the quota check on the parent directory. Beware of the special case when
2353 the directory name itself ends in a slash. */
2354
2355 else if (mbformat == mbf_maildir)
2356 {
2357 struct stat statbuf;
2358 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2359 {
2360 uschar *new_check_path = string_copy(check_path);
2361 uschar *slash = Ustrrchr(new_check_path, '/');
2362 if (slash != NULL)
2363 {
2364 if (slash[1] == 0)
2365 {
2366 *slash = 0;
2367 slash = Ustrrchr(new_check_path, '/');
2368 }
2369 if (slash != NULL)
2370 {
2371 *slash = 0;
2372 check_path = new_check_path;
d6629cdc
PH		 2373 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2374 "quota check directory changed to %s\n", check_path);
0756eb3c
PH		 2375 }
2376 }
2377 }
2378 }
2379 #endif /* SUPPORT_MAILDIR */
2380 }
2381
2382 /* If we are using maildirsize files, we need to ensure that such a file
2383 exists and, if necessary, recalculate its contents. As a byproduct of this,
2384 we obtain the current size of the maildir. If no quota is to be enforced
2385 (ob->quota_value == 0), we still need the size if a threshold check will
2386 happen later.
2387
2388 Another regular expression is used to determine which directories inside the
2389 maildir are going to be counted. */
2390
2391 #ifdef SUPPORT_MAILDIR
2392 if (ob->maildir_use_size_file)
2393 {
2394 const pcre *dir_regex = NULL;
2395 const uschar *error;
2396 int offset;
2397
2398 if (ob->maildir_dir_regex != NULL)
2399 {
01c490df
PH		 2400 int check_path_len = Ustrlen(check_path);
2401
0756eb3c
PH		 2402 dir_regex = pcre_compile(CS ob->maildir_dir_regex, PCRE_COPT,
2403 (const char **)&error, &offset, NULL);
2404 if (dir_regex == NULL)
2405 {
2406 addr->message = string_sprintf("appendfile: regular expression "
2407 "error: %s at offset %d while compiling %s", error, offset,
2408 ob->maildir_dir_regex);
2409 return FALSE;
2410 }
01c490df
PH		 2411
2412 DEBUG(D_transport)
2413 debug_printf("using regex for maildir directory selection: %s\n",
2414 ob->maildir_dir_regex);
2415
2416 /* Check to see if we are delivering into an ignored directory, that is,
2417 if the delivery path starts with the quota check path, and the rest
2418 of the deliver path matches the regex; if so, set a flag to disable quota
2419 checking and maildirsize updating. */
2420
2421 if (Ustrncmp(path, check_path, check_path_len) == 0)
0756eb3c 2422 {
01c490df
PH		 2423 uschar *s = path + check_path_len;
2424 while (*s == '/') s++;
2425 s = (*s == 0)? US "new" : string_sprintf("%s/new", s);
2426 if (pcre_exec(dir_regex, NULL, CS s, Ustrlen(s), 0, 0, NULL, 0) < 0)
2427 {
2428 disable_quota = TRUE;
2429 DEBUG(D_transport) debug_printf("delivery directory does not match "
2430 "maildir_quota_directory_regex: disabling quota\n");
2431 }
0756eb3c
PH		 2432 }
2433 }
2434
2435 /* Quota enforcement; create and check the file. There is some discussion
2436 about whether this should happen if the quota is unset. At present, Exim
2437 always creates the file. If we ever want to change this, uncomment
2438 appropriate lines below, possibly doing a check on some option. */
2439
2440/* if (???? || ob->quota_value > 0) */
2441
01c490df 2442 if (!disable_quota)
0756eb3c 2443 {
0d7eb84a
PH		 2444 off_t size;
2445 int filecount;
0756eb3c
PH		 2446
2447 maildirsize_fd = maildir_ensure_sizefile(check_path, ob, regex, dir_regex,
2448 &size, &filecount);
2449
2450 if (maildirsize_fd == -1)
2451 {
2452 addr->basic_errno = errno;
2453 addr->message = string_sprintf("while opening or reading "
2454 "%s/maildirsize", check_path);
2455 return FALSE;
2456 }
554e333e
PP		 2457 /* can also return -2, which means that the file was removed because of
2458 raciness; but in this case, the size & filecount will still have been
2459 updated. */
0756eb3c 2460
554e333e
PP		 2461 if (mailbox_size < 0) mailbox_size = size;
2462 if (mailbox_filecount < 0) mailbox_filecount = filecount;
0756eb3c
PH		 2463 }
2464
2465 /* No quota enforcement; ensure file does *not* exist; calculate size if
2466 needed. */
2467
2468/* else
2469 * {
2470 * time_t old_latest;
2471 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2472 * if (THRESHOLD_CHECK)
2473 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2474 * regex, dir_regex, FALSE);
2475 * }
2476*/
2477
2478 }
2479 #endif /* SUPPORT_MAILDIR */
2480
d35e429d
PH		 2481 /* Otherwise if we are going to do a quota check later on, and the mailbox
2482 size is not set, find the current size of the mailbox. Ditto for the file
2483 count. Note that ob->quota_filecount_value cannot be set without
2484 ob->quota_value being set. */
0756eb3c 2485
01c490df
PH		 2486 if (!disable_quota &&
2487 (ob->quota_value > 0 || THRESHOLD_CHECK) &&
d35e429d
PH		 2488 (mailbox_size < 0 ||
2489 (mailbox_filecount < 0 && ob->quota_filecount_value > 0)))
0756eb3c 2490 {
0d7eb84a 2491 off_t size;
5fe762f6 2492 int filecount = 0;
0756eb3c
PH		 2493 DEBUG(D_transport)
2494 debug_printf("quota checks on directory %s\n", check_path);
2495 size = check_dir_size(check_path, &filecount, regex);
2496 if (mailbox_size < 0) mailbox_size = size;
2497 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2498 }
2499
2500 /* Handle the case of creating a unique file in a given directory (not in
2501 maildir or mailstore format - this is how smail did it). A temporary name is
2502 used to create the file. Later, when it is written, the name is changed to a
2503 unique one. There is no need to lock the file. An attempt is made to create
2504 the directory if it does not exist. */
2505
2506 if (mbformat == mbf_smail)
2507 {
2508 DEBUG(D_transport)
2509 debug_printf("delivering to new file in %s\n", path);
2510 filename = dataname =
2511 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2512 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2513 if (fd < 0 && /* failed to open, and */
2514 (errno != ENOENT || /* either not non-exist */
2515 !ob->create_directory || /* or not allowed to make */
2516 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2517 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2518 {
2519 addr->basic_errno = errno;
2520 addr->message = string_sprintf("while creating file %s", filename);
2521 return FALSE;
2522 }
2523 }
2524
2525 #ifdef SUPPORT_MAILDIR
2526
2527 /* Handle the case of a unique file in maildir format. The file is written to
2528 the tmp subdirectory, with a prescribed form of name. */
2529
2530 else if (mbformat == mbf_maildir)
2531 {
2532 DEBUG(D_transport)
2533 debug_printf("delivering in maildir format in %s\n", path);
2534
2535 nametag = ob->maildir_tag;
2536
2537 /* Check that nametag expands successfully; a hard failure causes a panic
2538 return. The actual expansion for use happens again later, when
2539 $message_size is accurately known. */
2540
2541 if (nametag != NULL && expand_string(nametag) == NULL &&
2542 !expand_string_forcedfail)
2543 {
2544 addr->transport_return = PANIC;
2545 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2546 "for %s transport) failed: %s", nametag, tblock->name,
2547 expand_string_message);
2548 return FALSE;
2549 }
2550
2551 /* We ensured the existence of all the relevant directories above. Attempt
2552 to open the temporary file a limited number of times. I think this rather
2553 scary-looking for statement is actually OK. If open succeeds, the loop is
2554 broken; if not, there is a test on the value of i. Get the time again
2555 afresh each time round the loop. Its value goes into a variable that is
2556 checked at the end, to make sure we don't release this process until the
2557 clock has ticked. */
2558
2559 for (i = 1;; i++)
2560 {
2561 uschar *basename;
2562
2563 (void)gettimeofday(&msg_tv, NULL);
d0291a0a
JH		 2564 basename = string_sprintf(TIME_T_FMT ".H%luP%lu.%s",
2565 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
0756eb3c
PH		 2566
2567 filename = dataname = string_sprintf("tmp/%s", basename);
2568 newname = string_sprintf("new/%s", basename);
2569
2570 if (Ustat(filename, &statbuf) == 0)
2571 errno = EEXIST;
2572 else if (errno == ENOENT)
2573 {
2574 fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode);
2575 if (fd >= 0) break;
2576 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2577 filename, strerror(errno));
2578 }
2579
2580 /* Too many retries - give up */
2581
2582 if (i >= ob->maildir_retries)
2583 {
2584 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2585 filename, i, (i == 1)? "y" : "ies");
2586 addr->basic_errno = errno;
8932dffe
PH		 2587 if (errno == errno_quota || errno == ENOSPC)
2588 addr->user_message = US"mailbox is full";
0756eb3c
PH		 2589 return FALSE;
2590 }
2591
2592 /* Open or stat failed but we haven't tried too many times yet. */
2593
2594 sleep(2);
2595 }
2596
2597 /* Note that we have to ensure the clock has ticked before leaving */
2598
2599 wait_for_tick = TRUE;
2600
2601 /* Why are these here? Put in because they are present in the non-maildir
2602 directory case above. */
2603
1ac6b2e7
JH		 2604 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2605 {
2606 addr->basic_errno = errno;
2607 addr->message = string_sprintf("while setting perms on maildir %s",
2608 filename);
2609 return FALSE;
2610 }
0756eb3c
PH		 2611 }
2612
2613 #endif /* SUPPORT_MAILDIR */
2614
2615 #ifdef SUPPORT_MAILSTORE
2616
2617 /* Handle the case of a unique file in mailstore format. First write the
2618 envelope to a temporary file, then open the main file. The unique base name
2619 for the files consists of the message id plus the pid of this delivery
2620 process. */
2621
2622 else
2623 {
2624 FILE *env_file;
2625 address_item *taddr;
2626 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2627 string_base62((long int)getpid()));
2628
2629 DEBUG(D_transport)
2630 debug_printf("delivering in mailstore format in %s\n", path);
2631
2632 filename = string_sprintf("%s.tmp", mailstore_basename);
2633 newname = string_sprintf("%s.env", mailstore_basename);
2634 dataname = string_sprintf("%s.msg", mailstore_basename);
2635
2636 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2637 if (fd < 0 && /* failed to open, and */
2638 (errno != ENOENT || /* either not non-exist */
2639 !ob->create_directory || /* or not allowed to make */
2640 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2641 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2642 {
2643 addr->basic_errno = errno;
2644 addr->message = string_sprintf("while creating file %s", filename);
2645 return FALSE;
2646 }
2647
2648 /* Why are these here? Put in because they are present in the non-maildir
2649 directory case above. */
2650
1ac6b2e7
JH		 2651 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2652 {
2653 addr->basic_errno = errno;
2654 addr->message = string_sprintf("while setting perms on file %s",
2655 filename);
2656 return FALSE;
2657 }
0756eb3c
PH		 2658
2659 /* Built a C stream from the open file descriptor. */
2660
2661 if ((env_file = fdopen(fd, "wb")) == NULL)
2662 {
2663 addr->basic_errno = errno;
2664 addr->transport_return = PANIC;
2665 addr->message = string_sprintf("fdopen of %s ("
2666 "for %s transport) failed", filename, tblock->name);
f1e894f3 2667 (void)close(fd);
0756eb3c
PH		 2668 Uunlink(filename);
2669 return FALSE;
2670 }
2671
2672 /* Write the envelope file, then close it. */
2673
2674 if (ob->mailstore_prefix != NULL)
2675 {
2676 uschar *s = expand_string(ob->mailstore_prefix);
2677 if (s == NULL)
2678 {
2679 if (!expand_string_forcedfail)
2680 {
2681 addr->transport_return = PANIC;
2682 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2683 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2684 tblock->name, expand_string_message);
f1e894f3 2685 (void)fclose(env_file);
0756eb3c
PH		 2686 Uunlink(filename);
2687 return FALSE;
2688 }
2689 }
2690 else
2691 {
2692 int n = Ustrlen(s);
2693 fprintf(env_file, "%s", CS s);
2694 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2695 }
2696 }
2697
2698 fprintf(env_file, "%s\n", sender_address);
2699
2700 for (taddr = addr; taddr!= NULL; taddr = taddr->next)
2701 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2702
2703 if (ob->mailstore_suffix != NULL)
2704 {
2705 uschar *s = expand_string(ob->mailstore_suffix);
2706 if (s == NULL)
2707 {
2708 if (!expand_string_forcedfail)
2709 {
2710 addr->transport_return = PANIC;
2711 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2712 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2713 tblock->name, expand_string_message);
f1e894f3 2714 (void)fclose(env_file);
0756eb3c
PH		 2715 Uunlink(filename);
2716 return FALSE;
2717 }
2718 }
2719 else
2720 {
2721 int n = Ustrlen(s);
2722 fprintf(env_file, "%s", CS s);
2723 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2724 }
2725 }
2726
2727 if (fclose(env_file) != 0)
2728 {
2729 addr->basic_errno = errno;
2730 addr->message = string_sprintf("while closing %s", filename);
2731 Uunlink(filename);
2732 return FALSE;
2733 }
2734
2735 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2736
2737 /* Now open the data file, and ensure that it has the correct ownership and
2738 mode. */
2739
2740 fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode);
2741 if (fd < 0)
2742 {
2743 addr->basic_errno = errno;
2744 addr->message = string_sprintf("while creating file %s", dataname);
2745 Uunlink(filename);
2746 return FALSE;
2747 }
1ac6b2e7
JH		 2748 if(Uchown(dataname, uid, gid) || Uchmod(dataname, mode))
2749 {
2750 addr->basic_errno = errno;
2751 addr->message = string_sprintf("while setting perms on file %s",
2752 dataname);
2753 return FALSE;
2754 }
0756eb3c
PH		 2755 }
2756
2757 #endif /* SUPPORT_MAILSTORE */
2758
2759
2760 /* In all cases of writing to a new file, ensure that the file which is
2761 going to be renamed has the correct ownership and mode. */
2762
1ac6b2e7
JH		 2763 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2764 {
2765 addr->basic_errno = errno;
2766 addr->message = string_sprintf("while setting perms on file %s",
2767 filename);
2768 return FALSE;
2769 }
0756eb3c
PH		 2770 }
2771
2772
2773/* At last we can write the message to the file, preceded by any configured
2774prefix line, and followed by any configured suffix line. If there are any
2775writing errors, we must defer. */
2776
2777DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2778
2779yield = OK;
2780errno = 0;
2781
2782/* If there is a local quota setting, check that we are not going to exceed it
2783with this message if quota_is_inclusive is set; if it is not set, the check
2784is for the mailbox already being over quota (i.e. the current message is not
2785included in the check). */
2786
01c490df 2787if (!disable_quota && ob->quota_value > 0)
0756eb3c
PH		 2788 {
2789 DEBUG(D_transport)
2790 {
b1c749bb
PH		 2791 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2792 " this message = %d (%sincluded)\n",
2793 ob->quota_value, mailbox_size, message_size,
2794 ob->quota_is_inclusive? "" : "not ");
0756eb3c
PH		 2795 debug_printf(" file count quota = %d count = %d\n",
2796 ob->quota_filecount_value, mailbox_filecount);
2797 }
d291c767 2798
0756eb3c
PH		 2799 if (mailbox_size + (ob->quota_is_inclusive? message_size:0) > ob->quota_value)
2800 {
d291c767
HSHR		 2801
2802 if (!ob->quota_no_check)
2803 {
2804 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2805 yield = DEFER;
2806 errno = ERRNO_EXIMQUOTA;
2807 }
2808 else DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2809
0756eb3c 2810 }
d291c767
HSHR		 2811
2812 if (ob->quota_filecount_value > 0
2813 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2814 ob->quota_filecount_value)
2815 if(!ob->quota_filecount_no_check)
2816 {
2817 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2818 yield = DEFER;
2819 errno = ERRNO_EXIMQUOTA;
2820 filecount_msg = US" filecount";
2821 }
2822 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2823 debug_printf("mailbox file count quota exceeded but ignored\n");
2824
0756eb3c
PH		 2825 }
2826
2827/* If we are writing in MBX format, what we actually do is to write the message
2828to a temporary file, and then copy it to the real file once we know its size.
2829This is the most straightforward way of getting the correct length in the
2830separator line. So, what we do here is to save the real file descriptor, and
2831replace it with one for a temporary file. The temporary file gets unlinked once
2832opened, so that it goes away on closure. */
2833
2834#ifdef SUPPORT_MBX
2835if (yield == OK && ob->mbx_format)
2836 {
2837 temp_file = tmpfile();
2838 if (temp_file == NULL)
2839 {
2840 addr->basic_errno = errno;
2841 addr->message = US"while setting up temporary file";
2842 yield = DEFER;
2843 goto RETURN;
2844 }
2845 save_fd = fd;
2846 fd = fileno(temp_file);
2847 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2848 }
2849#endif /* SUPPORT_MBX */
2850
2851/* Zero the count of bytes written. It is incremented by the transport_xxx()
2852functions. */
2853
2854transport_count = 0;
332f5cf3 2855transport_newlines = 0;
0756eb3c
PH		 2856
2857/* Write any configured prefix text first */
2858
2859if (yield == OK && ob->message_prefix != NULL && ob->message_prefix[0] != 0)
2860 {
2861 uschar *prefix = expand_string(ob->message_prefix);
2862 if (prefix == NULL)
2863 {
2864 errno = ERRNO_EXPANDFAIL;
2865 addr->transport_return = PANIC;
2866 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2867 "transport) failed", ob->message_prefix, tblock->name);
2868 yield = DEFER;
2869 }
2870 else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
2871 }
2872
2873/* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2874various different values for batching are handled outside; if there is more
2875than one address available here, all must be included. If any address is a
2876file, use its parent in the RCPT TO. */
2877
2878if (yield == OK && ob->use_bsmtp)
2879 {
2880 transport_count = 0;
332f5cf3 2881 transport_newlines = 0;
0756eb3c
PH		 2882 if (ob->use_crlf) cr = US"\r";
2883 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2884 yield = DEFER;
2885 else
2886 {
2887 address_item *a;
332f5cf3 2888 transport_newlines++;
0756eb3c
PH		 2889 for (a = addr; a != NULL; a = a->next)
2890 {
2891 address_item *b = testflag(a, af_pfr)? a->parent: a;
2892 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2893 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2894 { yield = DEFER; break; }
332f5cf3 2895 transport_newlines++;
0756eb3c
PH		 2896 }
2897 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2898 yield = DEFER;
332f5cf3
PP		 2899 else
2900 transport_newlines++;
0756eb3c
PH		 2901 }
2902 }
2903
2904/* Now the message itself. The options for transport_write_message were set up
2905at initialization time. */
2906
2907if (yield == OK)
2908 {
6b46ecc6 2909 transport_ctx tctx = {
42055a33 2910 fd,
6b46ecc6
JH		 2911 tblock,
2912 addr,
2913 ob->check_string,
2914 ob->escape_string,
2915 ob->options
2916 };
42055a33 2917 if (!transport_write_message(&tctx, 0))
0756eb3c
PH		 2918 yield = DEFER;
2919 }
2920
2921/* Now a configured suffix. */
2922
2923if (yield == OK && ob->message_suffix != NULL && ob->message_suffix[0] != 0)
2924 {
2925 uschar *suffix = expand_string(ob->message_suffix);
2926 if (suffix == NULL)
2927 {
2928 errno = ERRNO_EXPANDFAIL;
2929 addr->transport_return = PANIC;
2930 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2931 "transport) failed", ob->message_suffix, tblock->name);
2932 yield = DEFER;
2933 }
2934 else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
2935 }
2936
2937/* If batch smtp, write the terminating dot. */
2938
332f5cf3
PP		 2939if (yield == OK && ob->use_bsmtp ) {
2940 if(!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2941 else transport_newlines++;
2942}
0756eb3c
PH		 2943
2944/* If MBX format is being used, all that writing was to the temporary file.
2945However, if there was an earlier failure (Exim quota exceeded, for example),
2946the temporary file won't have got opened - and no writing will have been done.
2947If writing was OK, we restore the fd, and call a function that copies the
2948message in MBX format into the real file. Otherwise use the temporary name in
2949any messages. */
2950
2951#ifdef SUPPORT_MBX
2952if (temp_file != NULL && ob->mbx_format)
2953 {
2954 int mbx_save_errno;
2955 fd = save_fd;
2956
2957 if (yield == OK)
2958 {
2959 transport_count = 0; /* Reset transport count for actual write */
332f5cf3
PP		 2960 /* No need to reset transport_newlines as we're just using a block copy
2961 * routine so the number won't be affected */
0756eb3c
PH		 2962 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2963 }
2964 else if (errno >= 0) dataname = US"temporary file";
2965
2966 /* Preserve errno while closing the temporary file. */
2967
2968 mbx_save_errno = errno;
f1e894f3 2969 (void)fclose(temp_file);
0756eb3c
PH		 2970 errno = mbx_save_errno;
2971 }
2972#endif /* SUPPORT_MBX */
2973
2974/* Force out the remaining data to check for any errors; some OS don't allow
2975fsync() to be called for a FIFO. */
2976
54fc8428 2977if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
0756eb3c 2978
332f5cf3
PP		 2979/* Update message_size and message_linecount to the accurate count of bytes
2980written, including added headers. Note; we subtract 1 from message_linecount as
2981this variable doesn't count the new line between the header and the body of the
2982message. */
0756eb3c
PH		 2983
2984message_size = transport_count;
332f5cf3 2985message_linecount = transport_newlines - 1;
0756eb3c
PH		 2986
2987/* If using a maildir++ quota file, add this message's size to it, and
01c490df
PH		 2988close the file descriptor, except when the quota has been disabled because we
2989are delivering into an uncounted folder. */
0756eb3c
PH		 2990
2991#ifdef SUPPORT_MAILDIR
01c490df
PH		 2992if (!disable_quota)
2993 {
2994 if (yield == OK && maildirsize_fd >= 0)
2995 maildir_record_length(maildirsize_fd, message_size);
2996 maildir_save_errno = errno; /* Preserve errno while closing the file */
554e333e
PP		 2997 if (maildirsize_fd >= 0)
2998 (void)close(maildirsize_fd);
01c490df
PH		 2999 errno = maildir_save_errno;
3000 }
0756eb3c
PH		 3001#endif /* SUPPORT_MAILDIR */
3002
3003/* If there is a quota warning threshold and we are have crossed it with this
3004message, set the SPECIAL_WARN flag in the address, to cause a warning message
3005to be sent. */
3006
01c490df 3007if (!disable_quota && THRESHOLD_CHECK)
0756eb3c 3008 {
0d7eb84a 3009 off_t threshold = ob->quota_warn_threshold_value;
0756eb3c 3010 if (ob->quota_warn_threshold_is_percent)
0d7eb84a 3011 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
0756eb3c 3012 DEBUG(D_transport)
b1c749bb
PH		 3013 debug_printf("quota = " OFF_T_FMT
3014 " threshold = " OFF_T_FMT
3015 " old size = " OFF_T_FMT
3016 " message size = %d\n",
3017 ob->quota_value, threshold, mailbox_size,
0d7eb84a 3018 message_size);
0756eb3c
PH		 3019 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
3020 addr->special_action = SPECIAL_WARN;
3021
3022 /******* You might think that the test ought to be this:
3023 *
3024 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
3025 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
3026 *
3027 * (indeed, I was sent a patch with that in). However, it is possible to
3028 * have a warning threshold without actually imposing a quota, and I have
3029 * therefore kept Exim backwards compatible.
3030 ********/
3031
3032 }
3033
3034/* Handle error while writing the file. Control should come here directly after
3035the error, with the reason in errno. In the case of expansion failure in prefix
3036or suffix, it will be ERRNO_EXPANDFAIL. */
3037
3038if (yield != OK)
3039 {
3040 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
3041
3042 /* Save the error number. If positive, it will ultimately cause a strerror()
3043 call to generate some text. */
3044
3045 addr->basic_errno = errno;
3046
3047 /* For system or Exim quota excession, or disk full, set more_errno to the
3048 time since the file was last read. If delivery was into a directory, the
3049 time since last read logic is not relevant, in general. However, for maildir
3050 deliveries we can approximate it by looking at the last modified time of the
3051 "new" subdirectory. Since Exim won't be adding new messages, a change to the
3052 "new" subdirectory implies that an MUA has moved a message from there to the
3053 "cur" directory. */
3054
3055 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
3056 {
3057 addr->more_errno = 0;
3058 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
3059
3060 #ifdef SUPPORT_MAILDIR
3061 else if (mbformat == mbf_maildir)
3062 {
3063 struct stat statbuf;
3064 if (Ustat("new", &statbuf) < 0)
3065 {
3066 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
3067 "stat error %d for \"new\": %s\n", errno, strerror(errno));
3068 }
3069 else /* Want a repeatable time when in test harness */
3070 {
3071 addr->more_errno = running_in_test_harness? 10 :
3072 (int)time(NULL) - statbuf.st_mtime;
3073 }
3074 DEBUG(D_transport)
3075 debug_printf("maildir: time since \"new\" directory modified = %s\n",
3076 readconf_printtime(addr->more_errno));
3077 }
3078 #endif /* SUPPORT_MAILDIR */
3079 }
3080
3081 /* Handle system quota excession. Add an explanatory phrase for the error
3082 message, since some systems don't have special quota-excession errors,
3083 and on those that do, "quota" doesn't always mean anything to the user. */
3084
3085 if (errno == errno_quota)
3086 {
3087 #ifndef EDQUOT
3088 addr->message = string_sprintf("mailbox is full "
3089 "(quota exceeded while writing to file %s)", filename);
3090 #else
3091 addr->message = string_sprintf("mailbox is full");
3092 #endif /* EDQUOT */
5a11a7b4 3093 addr->user_message = US"mailbox is full";
0756eb3c
PH		 3094 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3095 dataname,
3096 isdirectory? US"" : US": time since file read = ",
3097 isdirectory? US"" : readconf_printtime(addr->more_errno));
3098 }
3099
3100 /* Handle Exim's own quota-imposition */
3101
3102 else if (errno == ERRNO_EXIMQUOTA)
3103 {
3104 addr->message = string_sprintf("mailbox is full "
3105 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3106 dataname);
3107 addr->user_message = US"mailbox is full";
3108 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3109 filecount_msg, dataname,
3110 isdirectory? US"" : US": time since file read = ",
3111 isdirectory? US"" : readconf_printtime(addr->more_errno));
3112 }
3113
3114 /* Handle a process failure while writing via a filter; the return
3115 from child_close() is in more_errno. */
3116
3117 else if (errno == ERRNO_FILTER_FAIL)
8e669ac1 3118 {
35af9f61
PH		 3119 yield = PANIC;
3120 addr->message = string_sprintf("transport filter process failed (%d) "
3121 "while writing to %s%s", addr->more_errno, dataname,
3122 (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
8e669ac1 3123 }
0756eb3c
PH		 3124
3125 /* Handle failure to expand header changes */
3126
3127 else if (errno == ERRNO_CHHEADER_FAIL)
3128 {
3129 yield = PANIC;
3130 addr->message =
3131 string_sprintf("failed to expand headers_add or headers_remove while "
3132 "writing to %s: %s", dataname, expand_string_message);
3133 }
3134
3135 /* Handle failure to complete writing of a data block */
3136
3137 else if (errno == ERRNO_WRITEINCOMPLETE)
3138 {
3139 addr->message = string_sprintf("failed to write data block while "
3140 "writing to %s", dataname);
3141 }
3142
3143 /* Handle length mismatch on MBX copying */
3144
3145 #ifdef SUPPORT_MBX
3146 else if (errno == ERRNO_MBXLENGTH)
3147 {
3148 addr->message = string_sprintf("length mismatch while copying MBX "
3149 "temporary file to %s", dataname);
3150 }
3151 #endif /* SUPPORT_MBX */
3152
3153 /* For other errors, a general-purpose explanation, if the message is
3154 not already set. */
3155
3156 else if (addr->message == NULL)
3157 addr->message = string_sprintf("error while writing to %s", dataname);
3158
3159 /* For a file, reset the file size to what it was before we started, leaving
3160 the last modification time unchanged, so it will get reset also. All systems
3161 investigated so far have ftruncate(), whereas not all have the F_FREESP
3162 fcntl() call (BSDI & FreeBSD do not). */
3163
1ac6b2e7 3164 if (!isdirectory && ftruncate(fd, saved_size))
4c04137d 3165 DEBUG(D_transport) debug_printf("Error resetting file size\n");
0756eb3c
PH		 3166 }
3167
3168/* Handle successful writing - we want the modification time to be now for
3169appended files. Remove the default backstop error number. For a directory, now
3170is the time to rename the file with a unique name. As soon as such a name
3171appears it may get used by another process, so we close the file first and
3172check that all is well. */
3173
3174else
3175 {
3176 times.modtime = time(NULL);
3177 addr->basic_errno = 0;
3178
3179 /* Handle the case of writing to a new file in a directory. This applies
3180 to all single-file formats - maildir, mailstore, and "smail format". */
3181
3182 if (isdirectory)
3183 {
3184 if (fstat(fd, &statbuf) < 0)
3185 {
3186 addr->basic_errno = errno;
3187 addr->message = string_sprintf("while fstatting opened message file %s",
3188 filename);
3189 yield = DEFER;
3190 }
3191
3192 else if (close(fd) < 0)
3193 {
3194 addr->basic_errno = errno;
3195 addr->message = string_sprintf("close() error for %s",
3196 (ob->mailstore_format)? dataname : filename);
3197 yield = DEFER;
3198 }
3199
3200 /* File is successfully written and closed. Arrange to rename it. For the
3201 different kinds of single-file delivery, some games can be played with the
3202 name. The message size is by this time set to the accurate value so that
3203 its value can be used in expansions. */
3204
3205 else
3206 {
3207 uschar *renamename = newname;
3208 fd = -1;
3209
3210 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3211
3212 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3213 situation. The name is built by expanding the directory_file option, and
3214 we make the inode number available for use in this. The expansion was
3215 checked for syntactic validity above, before we wrote the file.
3216
3217 We have to be careful here, in case the file name exists. (In the other
3218 cases, the names used are constructed to be unique.) The rename()
3219 function just replaces an existing file - we don't want that! So instead
3220 of calling rename(), we must use link() and unlink().
3221
3222 In this case, if the link fails because of an existing file, we wait
3223 for one second and try the expansion again, to see if it produces a
3224 different value. Do this up to 5 times unless the name stops changing.
3225 This makes it possible to build values that are based on the time, and
3226 still cope with races from multiple simultaneous deliveries. */
3227
3228 if (newname == NULL)
3229 {
3230 int i;
3231 uschar *renameleaf;
3232 uschar *old_renameleaf = US"";
3233
3234 for (i = 0; ; sleep(1), i++)
3235 {
3236 deliver_inode = statbuf.st_ino;
3237 renameleaf = expand_string(ob->dirfilename);
3238 deliver_inode = 0;
3239
3240 if (renameleaf == NULL)
3241 {
3242 addr->transport_return = PANIC;
3243 addr->message = string_sprintf("Expansion of \"%s\" "
3244 "(directory_file for %s transport) failed: %s",
3245 ob->dirfilename, tblock->name, expand_string_message);
3246 goto RETURN;
3247 }
3248
3249 renamename = string_sprintf("%s/%s", path, renameleaf);
3250 if (Ulink(filename, renamename) < 0)
3251 {
3252 DEBUG(D_transport) debug_printf("link failed: %s\n",
3253 strerror(errno));
3254 if (errno != EEXIST || i >= 4 ||
3255 Ustrcmp(renameleaf, old_renameleaf) == 0)
3256 {
3257 addr->basic_errno = errno;
3258 addr->message = string_sprintf("while renaming %s as %s",
3259 filename, renamename);
3260 yield = DEFER;
3261 break;
3262 }
3263 old_renameleaf = renameleaf;
3264 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3265 renamename);
3266 }
3267 else
3268 {
3269 Uunlink(filename);
3270 filename = NULL;
3271 break;
3272 }
3273 } /* re-expand loop */
3274 } /* not mailstore or maildir */
3275
3276 /* For maildir and mailstore formats, the new name was created earlier,
3277 except that for maildir, there is the possibility of adding a "tag" on
3278 the end of the name by expanding the value of nametag. This usually
3279 includes a reference to the message size. The expansion of nametag was
3280 checked above, before the file was opened. It either succeeded, or
3281 provoked a soft failure. So any failure here can be treated as soft.
3282 Ignore non-printing characters and / and put a colon at the start if the
3283 first character is alphanumeric. */
3284
3285 else
3286 {
3287 if (nametag != NULL)
3288 {
3289 uschar *iptr = expand_string(nametag);
3290 if (iptr != NULL)
3291 {
3292 uschar *etag = store_get(Ustrlen(iptr) + 2);
3293 uschar *optr = etag;
3294 while (*iptr != 0)
3295 {
3296 if (mac_isgraph(*iptr) && *iptr != '/')
3297 {
3298 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3299 *optr++ = *iptr;
3300 }
3301 iptr++;
3302 }
3303 *optr = 0;
3304 renamename = string_sprintf("%s%s", newname, etag);
3305 }
3306 }
3307
3308 /* Do the rename. If the name is too long and a tag exists, try again
3309 without the tag. */
3310
3311 if (Urename(filename, renamename) < 0 &&
3312 (nametag == NULL || errno != ENAMETOOLONG ||
3313 (renamename = newname, Urename(filename, renamename) < 0)))
3314 {
3315 addr->basic_errno = errno;
3316 addr->message = string_sprintf("while renaming %s as %s",
3317 filename, renamename);
3318 yield = DEFER;
3319 }
3320
3321 /* Rename succeeded */
3322
3323 else
3324 {
3325 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3326 renamename);
3327 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3328 }
3329 } /* maildir or mailstore */
3330 } /* successful write + close */
3331 } /* isdirectory */
3332 } /* write success */
3333
3334
3335/* For a file, restore the last access time (atime), and set the modification
3336time as required - changed if write succeeded, unchanged if not. */
3337
3338if (!isdirectory) utime(CS filename, &times);
3339
3340/* Notify comsat if configured to do so. It only makes sense if the configured
3341file is the one that the comsat daemon knows about. */
3342
3343if (ob->notify_comsat && yield == OK && deliver_localpart != NULL)
3344 notify_comsat(deliver_localpart, saved_size);
3345
3346/* Pass back the final return code in the address structure */
3347
3348DEBUG(D_transport)
3349 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3350 yield, addr->basic_errno, addr->more_errno);
3351
3352addr->transport_return = yield;
3353
3354/* Close the file, which will release the fcntl lock. For a directory write it
3355is closed above, except in cases of error which goto RETURN, when we also need
3356to remove the original file(s). For MBX locking, if all has gone well, before
3357closing the file, see if we can get an exclusive lock on it, in which case we
3358can unlink the /tmp lock file before closing it. This is always a non-blocking
3359lock; there's no need to wait if we can't get it. If everything has gone right
3360but close fails, defer the message. Then unlink the lock file, if present. This
3361point in the code is jumped to from a number of places when errors are
3362detected, in order to get the file closed and the lock file tidied away. */
3363
3364RETURN:
3365
3366#ifdef SUPPORT_MBX
3367if (mbx_lockfd >= 0)
3368 {
3369 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3370 ob->use_flock, 0) >= 0)
3371 {
3372 DEBUG(D_transport)
3373 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3374 Uunlink(mbx_lockname);
3375 }
f1e894f3 3376 (void)close(mbx_lockfd);
0756eb3c
PH		 3377 }
3378#endif /* SUPPORT_MBX */
3379
3380if (fd >= 0 && close(fd) < 0 && yield == OK)
3381 {
3382 addr->basic_errno = errno;
3383 addr->message = string_sprintf("while closing %s", filename);
3384 addr->transport_return = DEFER;
3385 }
3386
3387if (hd >= 0) Uunlink(lockname);
3388
3389/* We get here with isdirectory and filename set only in error situations. */
3390
3391if (isdirectory && filename != NULL)
3392 {
3393 Uunlink(filename);
3394 if (dataname != filename) Uunlink(dataname);
3395 }
3396
3397/* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3398file name relies on time + pid. We must not allow the process to finish until
3399the clock has move on by at least one microsecond. Usually we expect this
3400already to be the case, but machines keep getting faster... */
3401
3402if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3403
3404/* A return of FALSE means that if there was an error, a common error was
3405put in the first address of a batch. */
3406
3407return FALSE;
3408}
3409
3410/* End of transport/appendfile.c */
Unnamed repository; edit this file 'description' to name the repository.