Intercept chown()/fchown() failure and emit a pointer to the bugreport. Closes 2391
[exim.git] / src / src / deliver.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8 /* The main code for delivering a message. */
9
10
11 #include "exim.h"
12 #include "transports/smtp.h"
13 #include <sys/uio.h>
14 #include <assert.h>
15
16
17 /* Data block for keeping track of subprocesses for parallel remote
18 delivery. */
19
20 typedef struct pardata {
21 address_item *addrlist; /* chain of addresses */
22 address_item *addr; /* next address data expected for */
23 pid_t pid; /* subprocess pid */
24 int fd; /* pipe fd for getting result from subprocess */
25 int transport_count; /* returned transport count value */
26 BOOL done; /* no more data needed */
27 uschar *msg; /* error message */
28 uschar *return_path; /* return_path for these addresses */
29 } pardata;
30
31 /* Values for the process_recipients variable */
32
33 enum { RECIP_ACCEPT, RECIP_IGNORE, RECIP_DEFER,
34 RECIP_FAIL, RECIP_FAIL_FILTER, RECIP_FAIL_TIMEOUT,
35 RECIP_FAIL_LOOP};
36
37 /* Mutually recursive functions for marking addresses done. */
38
39 static void child_done(address_item *, uschar *);
40 static void address_done(address_item *, uschar *);
41
42 /* Table for turning base-62 numbers into binary */
43
44 static uschar tab62[] =
45 {0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0, /* 0-9 */
46 0,10,11,12,13,14,15,16,17,18,19,20, /* A-K */
47 21,22,23,24,25,26,27,28,29,30,31,32, /* L-W */
48 33,34,35, 0, 0, 0, 0, 0, /* X-Z */
49 0,36,37,38,39,40,41,42,43,44,45,46, /* a-k */
50 47,48,49,50,51,52,53,54,55,56,57,58, /* l-w */
51 59,60,61}; /* x-z */
52
53
54 /*************************************************
55 * Local static variables *
56 *************************************************/
57
58 /* addr_duplicate is global because it needs to be seen from the Envelope-To
59 writing code. */
60
61 static address_item *addr_defer = NULL;
62 static address_item *addr_failed = NULL;
63 static address_item *addr_fallback = NULL;
64 static address_item *addr_local = NULL;
65 static address_item *addr_new = NULL;
66 static address_item *addr_remote = NULL;
67 static address_item *addr_route = NULL;
68 static address_item *addr_succeed = NULL;
69 static address_item *addr_dsntmp = NULL;
70 static address_item *addr_senddsn = NULL;
71
72 static FILE *message_log = NULL;
73 static BOOL update_spool;
74 static BOOL remove_journal;
75 static int parcount = 0;
76 static pardata *parlist = NULL;
77 static int return_count;
78 static uschar *frozen_info = US"";
79 static uschar *used_return_path = NULL;
80
81
82
83 /*************************************************
84 * read as much as requested *
85 *************************************************/
86
87 /* The syscall read(2) doesn't always returns as much as we want. For
88 several reasons it might get less. (Not talking about signals, as syscalls
89 are restartable). When reading from a network or pipe connection the sender
90 might send in smaller chunks, with delays between these chunks. The read(2)
91 may return such a chunk.
92
93 The more the writer writes and the smaller the pipe between write and read is,
94 the more we get the chance of reading leass than requested. (See bug 2130)
95
96 This function read(2)s until we got all the data we *requested*.
97
98 Note: This function may block. Use it only if you're sure about the
99 amount of data you will get.
100
101 Argument:
102 fd the file descriptor to read from
103 buffer pointer to a buffer of size len
104 len the requested(!) amount of bytes
105
106 Returns: the amount of bytes read
107 */
108 static ssize_t
109 readn(int fd, void * buffer, size_t len)
110 {
111 void * next = buffer;
112 void * end = buffer + len;
113
114 while (next < end)
115 {
116 ssize_t got = read(fd, next, end - next);
117
118 /* I'm not sure if there are signals that can interrupt us,
119 for now I assume the worst */
120 if (got == -1 && errno == EINTR) continue;
121 if (got <= 0) return next - buffer;
122 next += got;
123 }
124
125 return len;
126 }
127
128
129 /*************************************************
130 * Make a new address item *
131 *************************************************/
132
133 /* This function gets the store and initializes with default values. The
134 transport_return value defaults to DEFER, so that any unexpected failure to
135 deliver does not wipe out the message. The default unique string is set to a
136 copy of the address, so that its domain can be lowercased.
137
138 Argument:
139 address the RFC822 address string
140 copy force a copy of the address
141
142 Returns: a pointer to an initialized address_item
143 */
144
145 address_item *
146 deliver_make_addr(uschar *address, BOOL copy)
147 {
148 address_item *addr = store_get(sizeof(address_item));
149 *addr = address_defaults;
150 if (copy) address = string_copy(address);
151 addr->address = address;
152 addr->unique = string_copy(address);
153 return addr;
154 }
155
156
157
158
159 /*************************************************
160 * Set expansion values for an address *
161 *************************************************/
162
163 /* Certain expansion variables are valid only when handling an address or
164 address list. This function sets them up or clears the values, according to its
165 argument.
166
167 Arguments:
168 addr the address in question, or NULL to clear values
169 Returns: nothing
170 */
171
172 void
173 deliver_set_expansions(address_item *addr)
174 {
175 if (!addr)
176 {
177 const uschar ***p = address_expansions;
178 while (*p) **p++ = NULL;
179 return;
180 }
181
182 /* Exactly what gets set depends on whether there is one or more addresses, and
183 what they contain. These first ones are always set, taking their values from
184 the first address. */
185
186 if (!addr->host_list)
187 {
188 deliver_host = deliver_host_address = US"";
189 deliver_host_port = 0;
190 }
191 else
192 {
193 deliver_host = addr->host_list->name;
194 deliver_host_address = addr->host_list->address;
195 deliver_host_port = addr->host_list->port;
196 }
197
198 deliver_recipients = addr;
199 deliver_address_data = addr->prop.address_data;
200 deliver_domain_data = addr->prop.domain_data;
201 deliver_localpart_data = addr->prop.localpart_data;
202
203 /* These may be unset for multiple addresses */
204
205 deliver_domain = addr->domain;
206 self_hostname = addr->self_hostname;
207
208 #ifdef EXPERIMENTAL_BRIGHTMAIL
209 bmi_deliver = 1; /* deliver by default */
210 bmi_alt_location = NULL;
211 bmi_base64_verdict = NULL;
212 bmi_base64_tracker_verdict = NULL;
213 #endif
214
215 /* If there's only one address we can set everything. */
216
217 if (!addr->next)
218 {
219 address_item *addr_orig;
220
221 deliver_localpart = addr->local_part;
222 deliver_localpart_prefix = addr->prefix;
223 deliver_localpart_suffix = addr->suffix;
224
225 for (addr_orig = addr; addr_orig->parent; addr_orig = addr_orig->parent) ;
226 deliver_domain_orig = addr_orig->domain;
227
228 /* Re-instate any prefix and suffix in the original local part. In all
229 normal cases, the address will have a router associated with it, and we can
230 choose the caseful or caseless version accordingly. However, when a system
231 filter sets up a pipe, file, or autoreply delivery, no router is involved.
232 In this case, though, there won't be any prefix or suffix to worry about. */
233
234 deliver_localpart_orig = !addr_orig->router
235 ? addr_orig->local_part
236 : addr_orig->router->caseful_local_part
237 ? addr_orig->cc_local_part
238 : addr_orig->lc_local_part;
239
240 /* If there's a parent, make its domain and local part available, and if
241 delivering to a pipe or file, or sending an autoreply, get the local
242 part from the parent. For pipes and files, put the pipe or file string
243 into address_pipe and address_file. */
244
245 if (addr->parent)
246 {
247 deliver_domain_parent = addr->parent->domain;
248 deliver_localpart_parent = !addr->parent->router
249 ? addr->parent->local_part
250 : addr->parent->router->caseful_local_part
251 ? addr->parent->cc_local_part
252 : addr->parent->lc_local_part;
253
254 /* File deliveries have their own flag because they need to be picked out
255 as special more often. */
256
257 if (testflag(addr, af_pfr))
258 {
259 if (testflag(addr, af_file)) address_file = addr->local_part;
260 else if (deliver_localpart[0] == '|') address_pipe = addr->local_part;
261 deliver_localpart = addr->parent->local_part;
262 deliver_localpart_prefix = addr->parent->prefix;
263 deliver_localpart_suffix = addr->parent->suffix;
264 }
265 }
266
267 #ifdef EXPERIMENTAL_BRIGHTMAIL
268 /* Set expansion variables related to Brightmail AntiSpam */
269 bmi_base64_verdict = bmi_get_base64_verdict(deliver_localpart_orig, deliver_domain_orig);
270 bmi_base64_tracker_verdict = bmi_get_base64_tracker_verdict(bmi_base64_verdict);
271 /* get message delivery status (0 - don't deliver | 1 - deliver) */
272 bmi_deliver = bmi_get_delivery_status(bmi_base64_verdict);
273 /* if message is to be delivered, get eventual alternate location */
274 if (bmi_deliver == 1)
275 bmi_alt_location = bmi_get_alt_location(bmi_base64_verdict);
276 #endif
277
278 }
279
280 /* For multiple addresses, don't set local part, and leave the domain and
281 self_hostname set only if it is the same for all of them. It is possible to
282 have multiple pipe and file addresses, but only when all addresses have routed
283 to the same pipe or file. */
284
285 else
286 {
287 if (testflag(addr, af_pfr))
288 {
289 if (testflag(addr, af_file)) address_file = addr->local_part;
290 else if (addr->local_part[0] == '|') address_pipe = addr->local_part;
291 }
292 for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
293 {
294 if (deliver_domain && Ustrcmp(deliver_domain, addr2->domain) != 0)
295 deliver_domain = NULL;
296 if ( self_hostname
297 && ( !addr2->self_hostname
298 || Ustrcmp(self_hostname, addr2->self_hostname) != 0
299 ) )
300 self_hostname = NULL;
301 if (!deliver_domain && !self_hostname) break;
302 }
303 }
304 }
305
306
307
308
309 /*************************************************
310 * Open a msglog file *
311 *************************************************/
312
313 /* This function is used both for normal message logs, and for files in the
314 msglog directory that are used to catch output from pipes. Try to create the
315 directory if it does not exist. From release 4.21, normal message logs should
316 be created when the message is received.
317
318 Called from deliver_message(), can be operating as root.
319
320 Argument:
321 filename the file name
322 mode the mode required
323 error used for saying what failed
324
325 Returns: a file descriptor, or -1 (with errno set)
326 */
327
328 static int
329 open_msglog_file(uschar *filename, int mode, uschar **error)
330 {
331 for (int i = 2; i > 0; i--)
332 {
333 int fd = Uopen(filename,
334 #ifdef O_CLOEXEC
335 O_CLOEXEC |
336 #endif
337 #ifdef O_NOFOLLOW
338 O_NOFOLLOW |
339 #endif
340 O_WRONLY|O_APPEND|O_CREAT, mode);
341 if (fd >= 0)
342 {
343 /* Set the close-on-exec flag and change the owner to the exim uid/gid (this
344 function is called as root). Double check the mode, because the group setting
345 doesn't always get set automatically. */
346
347 #ifndef O_CLOEXEC
348 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
349 #endif
350 if (exim_fchown(fd, exim_uid, exim_gid, filename) < 0)
351 {
352 *error = US"chown";
353 return -1;
354 }
355 if (fchmod(fd, mode) < 0)
356 {
357 *error = US"chmod";
358 return -1;
359 }
360 return fd;
361 }
362 if (errno != ENOENT)
363 break;
364
365 (void)directory_make(spool_directory,
366 spool_sname(US"msglog", message_subdir),
367 MSGLOG_DIRECTORY_MODE, TRUE);
368 }
369
370 *error = US"create or open";
371 return -1;
372 }
373
374
375
376
377 /*************************************************
378 * Write to msglog if required *
379 *************************************************/
380
381 /* Write to the message log, if configured. This function may also be called
382 from transports.
383
384 Arguments:
385 format a string format
386
387 Returns: nothing
388 */
389
390 void
391 deliver_msglog(const char *format, ...)
392 {
393 va_list ap;
394 if (!message_logs) return;
395 va_start(ap, format);
396 vfprintf(message_log, format, ap);
397 fflush(message_log);
398 va_end(ap);
399 }
400
401
402
403
404 /*************************************************
405 * Replicate status for batch *
406 *************************************************/
407
408 /* When a transport handles a batch of addresses, it may treat them
409 individually, or it may just put the status in the first one, and return FALSE,
410 requesting that the status be copied to all the others externally. This is the
411 replication function. As well as the status, it copies the transport pointer,
412 which may have changed if appendfile passed the addresses on to a different
413 transport.
414
415 Argument: pointer to the first address in a chain
416 Returns: nothing
417 */
418
419 static void
420 replicate_status(address_item *addr)
421 {
422 for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
423 {
424 addr2->transport = addr->transport;
425 addr2->transport_return = addr->transport_return;
426 addr2->basic_errno = addr->basic_errno;
427 addr2->more_errno = addr->more_errno;
428 addr2->delivery_usec = addr->delivery_usec;
429 addr2->special_action = addr->special_action;
430 addr2->message = addr->message;
431 addr2->user_message = addr->user_message;
432 }
433 }
434
435
436
437 /*************************************************
438 * Compare lists of hosts *
439 *************************************************/
440
441 /* This function is given two pointers to chains of host items, and it yields
442 TRUE if the lists refer to the same hosts in the same order, except that
443
444 (1) Multiple hosts with the same non-negative MX values are permitted to appear
445 in different orders. Round-robinning nameservers can cause this to happen.
446
447 (2) Multiple hosts with the same negative MX values less than MX_NONE are also
448 permitted to appear in different orders. This is caused by randomizing
449 hosts lists.
450
451 This enables Exim to use a single SMTP transaction for sending to two entirely
452 different domains that happen to end up pointing at the same hosts.
453
454 Arguments:
455 one points to the first host list
456 two points to the second host list
457
458 Returns: TRUE if the lists refer to the same host set
459 */
460
461 static BOOL
462 same_hosts(host_item *one, host_item *two)
463 {
464 while (one && two)
465 {
466 if (Ustrcmp(one->name, two->name) != 0)
467 {
468 int mx = one->mx;
469 host_item *end_one = one;
470 host_item *end_two = two;
471
472 /* Batch up only if there was no MX and the list was not randomized */
473
474 if (mx == MX_NONE) return FALSE;
475
476 /* Find the ends of the shortest sequence of identical MX values */
477
478 while ( end_one->next && end_one->next->mx == mx
479 && end_two->next && end_two->next->mx == mx)
480 {
481 end_one = end_one->next;
482 end_two = end_two->next;
483 }
484
485 /* If there aren't any duplicates, there's no match. */
486
487 if (end_one == one) return FALSE;
488
489 /* For each host in the 'one' sequence, check that it appears in the 'two'
490 sequence, returning FALSE if not. */
491
492 for (;;)
493 {
494 host_item *hi;
495 for (hi = two; hi != end_two->next; hi = hi->next)
496 if (Ustrcmp(one->name, hi->name) == 0) break;
497 if (hi == end_two->next) return FALSE;
498 if (one == end_one) break;
499 one = one->next;
500 }
501
502 /* All the hosts in the 'one' sequence were found in the 'two' sequence.
503 Ensure both are pointing at the last host, and carry on as for equality. */
504
505 two = end_two;
506 }
507
508 /* if the names matched but ports do not, mismatch */
509 else if (one->port != two->port)
510 return FALSE;
511
512 /* Hosts matched */
513
514 one = one->next;
515 two = two->next;
516 }
517
518 /* True if both are NULL */
519
520 return (one == two);
521 }
522
523
524
525 /*************************************************
526 * Compare header lines *
527 *************************************************/
528
529 /* This function is given two pointers to chains of header items, and it yields
530 TRUE if they are the same header texts in the same order.
531
532 Arguments:
533 one points to the first header list
534 two points to the second header list
535
536 Returns: TRUE if the lists refer to the same header set
537 */
538
539 static BOOL
540 same_headers(header_line *one, header_line *two)
541 {
542 for (;; one = one->next, two = two->next)
543 {
544 if (one == two) return TRUE; /* Includes the case where both NULL */
545 if (!one || !two) return FALSE;
546 if (Ustrcmp(one->text, two->text) != 0) return FALSE;
547 }
548 }
549
550
551
552 /*************************************************
553 * Compare string settings *
554 *************************************************/
555
556 /* This function is given two pointers to strings, and it returns
557 TRUE if they are the same pointer, or if the two strings are the same.
558
559 Arguments:
560 one points to the first string
561 two points to the second string
562
563 Returns: TRUE or FALSE
564 */
565
566 static BOOL
567 same_strings(uschar *one, uschar *two)
568 {
569 if (one == two) return TRUE; /* Includes the case where both NULL */
570 if (!one || !two) return FALSE;
571 return (Ustrcmp(one, two) == 0);
572 }
573
574
575
576 /*************************************************
577 * Compare uid/gid for addresses *
578 *************************************************/
579
580 /* This function is given a transport and two addresses. It yields TRUE if the
581 uid/gid/initgroups settings for the two addresses are going to be the same when
582 they are delivered.
583
584 Arguments:
585 tp the transort
586 addr1 the first address
587 addr2 the second address
588
589 Returns: TRUE or FALSE
590 */
591
592 static BOOL
593 same_ugid(transport_instance *tp, address_item *addr1, address_item *addr2)
594 {
595 if ( !tp->uid_set && !tp->expand_uid
596 && !tp->deliver_as_creator
597 && ( testflag(addr1, af_uid_set) != testflag(addr2, af_gid_set)
598 || ( testflag(addr1, af_uid_set)
599 && ( addr1->uid != addr2->uid
600 || testflag(addr1, af_initgroups) != testflag(addr2, af_initgroups)
601 ) ) ) )
602 return FALSE;
603
604 if ( !tp->gid_set && !tp->expand_gid
605 && ( testflag(addr1, af_gid_set) != testflag(addr2, af_gid_set)
606 || ( testflag(addr1, af_gid_set)
607 && addr1->gid != addr2->gid
608 ) ) )
609 return FALSE;
610
611 return TRUE;
612 }
613
614
615
616
617 /*************************************************
618 * Record that an address is complete *
619 *************************************************/
620
621 /* This function records that an address is complete. This is straightforward
622 for most addresses, where the unique address is just the full address with the
623 domain lower cased. For homonyms (addresses that are the same as one of their
624 ancestors) their are complications. Their unique addresses have \x\ prepended
625 (where x = 0, 1, 2...), so that de-duplication works correctly for siblings and
626 cousins.
627
628 Exim used to record the unique addresses of homonyms as "complete". This,
629 however, fails when the pattern of redirection varies over time (e.g. if taking
630 unseen copies at only some times of day) because the prepended numbers may vary
631 from one delivery run to the next. This problem is solved by never recording
632 prepended unique addresses as complete. Instead, when a homonymic address has
633 actually been delivered via a transport, we record its basic unique address
634 followed by the name of the transport. This is checked in subsequent delivery
635 runs whenever an address is routed to a transport.
636
637 If the completed address is a top-level one (has no parent, which means it
638 cannot be homonymic) we also add the original address to the non-recipients
639 tree, so that it gets recorded in the spool file and therefore appears as
640 "done" in any spool listings. The original address may differ from the unique
641 address in the case of the domain.
642
643 Finally, this function scans the list of duplicates, marks as done any that
644 match this address, and calls child_done() for their ancestors.
645
646 Arguments:
647 addr address item that has been completed
648 now current time as a string
649
650 Returns: nothing
651 */
652
653 static void
654 address_done(address_item *addr, uschar *now)
655 {
656 update_spool = TRUE; /* Ensure spool gets updated */
657
658 /* Top-level address */
659
660 if (!addr->parent)
661 {
662 tree_add_nonrecipient(addr->unique);
663 tree_add_nonrecipient(addr->address);
664 }
665
666 /* Homonymous child address */
667
668 else if (testflag(addr, af_homonym))
669 {
670 if (addr->transport)
671 tree_add_nonrecipient(
672 string_sprintf("%s/%s", addr->unique + 3, addr->transport->name));
673 }
674
675 /* Non-homonymous child address */
676
677 else tree_add_nonrecipient(addr->unique);
678
679 /* Check the list of duplicate addresses and ensure they are now marked
680 done as well. */
681
682 for (address_item * dup = addr_duplicate; dup; dup = dup->next)
683 if (Ustrcmp(addr->unique, dup->unique) == 0)
684 {
685 tree_add_nonrecipient(dup->unique);
686 child_done(dup, now);
687 }
688 }
689
690
691
692
693 /*************************************************
694 * Decrease counts in parents and mark done *
695 *************************************************/
696
697 /* This function is called when an address is complete. If there is a parent
698 address, its count of children is decremented. If there are still other
699 children outstanding, the function exits. Otherwise, if the count has become
700 zero, address_done() is called to mark the parent and its duplicates complete.
701 Then loop for any earlier ancestors.
702
703 Arguments:
704 addr points to the completed address item
705 now the current time as a string, for writing to the message log
706
707 Returns: nothing
708 */
709
710 static void
711 child_done(address_item *addr, uschar *now)
712 {
713 while (addr->parent)
714 {
715 address_item *aa;
716
717 addr = addr->parent;
718 if (--addr->child_count > 0) return; /* Incomplete parent */
719 address_done(addr, now);
720
721 /* Log the completion of all descendents only when there is no ancestor with
722 the same original address. */
723
724 for (aa = addr->parent; aa; aa = aa->parent)
725 if (Ustrcmp(aa->address, addr->address) == 0) break;
726 if (aa) continue;
727
728 deliver_msglog("%s %s: children all complete\n", now, addr->address);
729 DEBUG(D_deliver) debug_printf("%s: children all complete\n", addr->address);
730 }
731 }
732
733
734
735 /*************************************************
736 * Delivery logging support functions *
737 *************************************************/
738
739 /* The LOGGING() checks in d_log_interface() are complicated for backwards
740 compatibility. When outgoing interface logging was originally added, it was
741 conditional on just incoming_interface (which is off by default). The
742 outgoing_interface option is on by default to preserve this behaviour, but
743 you can enable incoming_interface and disable outgoing_interface to get I=
744 fields on incoming lines only.
745
746 Arguments:
747 g The log line
748 addr The address to be logged
749
750 Returns: New value for s
751 */
752
753 static gstring *
754 d_log_interface(gstring * g)
755 {
756 if (LOGGING(incoming_interface) && LOGGING(outgoing_interface)
757 && sending_ip_address)
758 {
759 g = string_fmt_append(g, " I=[%s]", sending_ip_address);
760 if (LOGGING(outgoing_port))
761 g = string_fmt_append(g, ":%d", sending_port);
762 }
763 return g;
764 }
765
766
767
768 static gstring *
769 d_hostlog(gstring * g, address_item * addr)
770 {
771 host_item * h = addr->host_used;
772
773 g = string_append(g, 2, US" H=", h->name);
774
775 if (LOGGING(dnssec) && h->dnssec == DS_YES)
776 g = string_catn(g, US" DS", 3);
777
778 g = string_append(g, 3, US" [", h->address, US"]");
779
780 if (LOGGING(outgoing_port))
781 g = string_fmt_append(g, ":%d", h->port);
782
783 #ifdef SUPPORT_SOCKS
784 if (LOGGING(proxy) && proxy_local_address)
785 {
786 g = string_append(g, 3, US" PRX=[", proxy_local_address, US"]");
787 if (LOGGING(outgoing_port))
788 g = string_fmt_append(g, ":%d", proxy_local_port);
789 }
790 #endif
791
792 g = d_log_interface(g);
793
794 if (testflag(addr, af_tcp_fastopen))
795 g = string_catn(g, US" TFO*", testflag(addr, af_tcp_fastopen_data) ? 5 : 4);
796
797 return g;
798 }
799
800
801
802
803
804 #ifdef SUPPORT_TLS
805 static gstring *
806 d_tlslog(gstring * s, address_item * addr)
807 {
808 if (LOGGING(tls_cipher) && addr->cipher)
809 s = string_append(s, 2, US" X=", addr->cipher);
810 if (LOGGING(tls_certificate_verified) && addr->cipher)
811 s = string_append(s, 2, US" CV=",
812 testflag(addr, af_cert_verified)
813 ?
814 #ifdef SUPPORT_DANE
815 testflag(addr, af_dane_verified)
816 ? "dane"
817 :
818 #endif
819 "yes"
820 : "no");
821 if (LOGGING(tls_peerdn) && addr->peerdn)
822 s = string_append(s, 3, US" DN=\"", string_printing(addr->peerdn), US"\"");
823 return s;
824 }
825 #endif
826
827
828
829
830 #ifndef DISABLE_EVENT
831 uschar *
832 event_raise(uschar * action, const uschar * event, uschar * ev_data)
833 {
834 uschar * s;
835 if (action)
836 {
837 DEBUG(D_deliver)
838 debug_printf("Event(%s): event_action=|%s| delivery_IP=%s\n",
839 event,
840 action, deliver_host_address);
841
842 event_name = event;
843 event_data = ev_data;
844
845 if (!(s = expand_string(action)) && *expand_string_message)
846 log_write(0, LOG_MAIN|LOG_PANIC,
847 "failed to expand event_action %s in %s: %s\n",
848 event, transport_name ? transport_name : US"main", expand_string_message);
849
850 event_name = event_data = NULL;
851
852 /* If the expansion returns anything but an empty string, flag for
853 the caller to modify his normal processing
854 */
855 if (s && *s)
856 {
857 DEBUG(D_deliver)
858 debug_printf("Event(%s): event_action returned \"%s\"\n", event, s);
859 errno = ERRNO_EVENT;
860 return s;
861 }
862 }
863 return NULL;
864 }
865
866 void
867 msg_event_raise(const uschar * event, const address_item * addr)
868 {
869 const uschar * save_domain = deliver_domain;
870 uschar * save_local = deliver_localpart;
871 const uschar * save_host = deliver_host;
872 const uschar * save_address = deliver_host_address;
873 const int save_port = deliver_host_port;
874
875 router_name = addr->router ? addr->router->name : NULL;
876 deliver_domain = addr->domain;
877 deliver_localpart = addr->local_part;
878 deliver_host = addr->host_used ? addr->host_used->name : NULL;
879
880 if (!addr->transport)
881 {
882 if (Ustrcmp(event, "msg:fail:delivery") == 0)
883 {
884 /* An address failed with no transport involved. This happens when
885 a filter was used which triggered a fail command (in such a case
886 a transport isn't needed). Convert it to an internal fail event. */
887
888 (void) event_raise(event_action, US"msg:fail:internal", addr->message);
889 }
890 }
891 else
892 {
893 transport_name = addr->transport->name;
894
895 (void) event_raise(addr->transport->event_action, event,
896 addr->host_used
897 || Ustrcmp(addr->transport->driver_name, "smtp") == 0
898 || Ustrcmp(addr->transport->driver_name, "lmtp") == 0
899 || Ustrcmp(addr->transport->driver_name, "autoreply") == 0
900 ? addr->message : NULL);
901 }
902
903 deliver_host_port = save_port;
904 deliver_host_address = save_address;
905 deliver_host = save_host;
906 deliver_localpart = save_local;
907 deliver_domain = save_domain;
908 router_name = transport_name = NULL;
909 }
910 #endif /*DISABLE_EVENT*/
911
912
913
914 /******************************************************************************/
915
916
917 /*************************************************
918 * Generate local prt for logging *
919 *************************************************/
920
921 /* This function is a subroutine for use in string_log_address() below.
922
923 Arguments:
924 addr the address being logged
925 yield the current dynamic buffer pointer
926
927 Returns: the new value of the buffer pointer
928 */
929
930 static gstring *
931 string_get_localpart(address_item * addr, gstring * yield)
932 {
933 uschar * s;
934
935 s = addr->prefix;
936 if (testflag(addr, af_include_affixes) && s)
937 {
938 #ifdef SUPPORT_I18N
939 if (testflag(addr, af_utf8_downcvt))
940 s = string_localpart_utf8_to_alabel(s, NULL);
941 #endif
942 yield = string_cat(yield, s);
943 }
944
945 s = addr->local_part;
946 #ifdef SUPPORT_I18N
947 if (testflag(addr, af_utf8_downcvt))
948 s = string_localpart_utf8_to_alabel(s, NULL);
949 #endif
950 yield = string_cat(yield, s);
951
952 s = addr->suffix;
953 if (testflag(addr, af_include_affixes) && s)
954 {
955 #ifdef SUPPORT_I18N
956 if (testflag(addr, af_utf8_downcvt))
957 s = string_localpart_utf8_to_alabel(s, NULL);
958 #endif
959 yield = string_cat(yield, s);
960 }
961
962 return yield;
963 }
964
965
966 /*************************************************
967 * Generate log address list *
968 *************************************************/
969
970 /* This function generates a list consisting of an address and its parents, for
971 use in logging lines. For saved onetime aliased addresses, the onetime parent
972 field is used. If the address was delivered by a transport with rcpt_include_
973 affixes set, the af_include_affixes bit will be set in the address. In that
974 case, we include the affixes here too.
975
976 Arguments:
977 g points to growing-string struct
978 addr bottom (ultimate) address
979 all_parents if TRUE, include all parents
980 success TRUE for successful delivery
981
982 Returns: a growable string in dynamic store
983 */
984
985 static gstring *
986 string_log_address(gstring * g,
987 address_item *addr, BOOL all_parents, BOOL success)
988 {
989 BOOL add_topaddr = TRUE;
990 address_item *topaddr;
991
992 /* Find the ultimate parent */
993
994 for (topaddr = addr; topaddr->parent; topaddr = topaddr->parent) ;
995
996 /* We start with just the local part for pipe, file, and reply deliveries, and
997 for successful local deliveries from routers that have the log_as_local flag
998 set. File deliveries from filters can be specified as non-absolute paths in
999 cases where the transport is going to complete the path. If there is an error
1000 before this happens (expansion failure) the local part will not be updated, and
1001 so won't necessarily look like a path. Add extra text for this case. */
1002
1003 if ( testflag(addr, af_pfr)
1004 || ( success
1005 && addr->router && addr->router->log_as_local
1006 && addr->transport && addr->transport->info->local
1007 ) )
1008 {
1009 if (testflag(addr, af_file) && addr->local_part[0] != '/')
1010 g = string_catn(g, CUS"save ", 5);
1011 g = string_get_localpart(addr, g);
1012 }
1013
1014 /* Other deliveries start with the full address. It we have split it into local
1015 part and domain, use those fields. Some early failures can happen before the
1016 splitting is done; in those cases use the original field. */
1017
1018 else
1019 {
1020 uschar * cmp = g->s + g->ptr;
1021
1022 if (addr->local_part)
1023 {
1024 const uschar * s;
1025 g = string_get_localpart(addr, g);
1026 g = string_catn(g, US"@", 1);
1027 s = addr->domain;
1028 #ifdef SUPPORT_I18N
1029 if (testflag(addr, af_utf8_downcvt))
1030 s = string_localpart_utf8_to_alabel(s, NULL);
1031 #endif
1032 g = string_cat(g, s);
1033 }
1034 else
1035 g = string_cat(g, addr->address);
1036
1037 /* If the address we are going to print is the same as the top address,
1038 and all parents are not being included, don't add on the top address. First
1039 of all, do a caseless comparison; if this succeeds, do a caseful comparison
1040 on the local parts. */
1041
1042 string_from_gstring(g); /* ensure nul-terminated */
1043 if ( strcmpic(cmp, topaddr->address) == 0
1044 && Ustrncmp(cmp, topaddr->address, Ustrchr(cmp, '@') - cmp) == 0
1045 && !addr->onetime_parent
1046 && (!all_parents || !addr->parent || addr->parent == topaddr)
1047 )
1048 add_topaddr = FALSE;
1049 }
1050
1051 /* If all parents are requested, or this is a local pipe/file/reply, and
1052 there is at least one intermediate parent, show it in brackets, and continue
1053 with all of them if all are wanted. */
1054
1055 if ( (all_parents || testflag(addr, af_pfr))
1056 && addr->parent
1057 && addr->parent != topaddr)
1058 {
1059 uschar *s = US" (";
1060 for (address_item * addr2 = addr->parent; addr2 != topaddr; addr2 = addr2->parent)
1061 {
1062 g = string_catn(g, s, 2);
1063 g = string_cat (g, addr2->address);
1064 if (!all_parents) break;
1065 s = US", ";
1066 }
1067 g = string_catn(g, US")", 1);
1068 }
1069
1070 /* Add the top address if it is required */
1071
1072 if (add_topaddr)
1073 g = string_append(g, 3,
1074 US" <",
1075 addr->onetime_parent ? addr->onetime_parent : topaddr->address,
1076 US">");
1077
1078 return g;
1079 }
1080
1081
1082
1083 void
1084 timesince(struct timeval * diff, struct timeval * then)
1085 {
1086 gettimeofday(diff, NULL);
1087 diff->tv_sec -= then->tv_sec;
1088 if ((diff->tv_usec -= then->tv_usec) < 0)
1089 {
1090 diff->tv_sec--;
1091 diff->tv_usec += 1000*1000;
1092 }
1093 }
1094
1095
1096
1097 uschar *
1098 string_timediff(struct timeval * diff)
1099 {
1100 static uschar buf[sizeof("0.000s")];
1101
1102 if (diff->tv_sec >= 5 || !LOGGING(millisec))
1103 return readconf_printtime((int)diff->tv_sec);
1104
1105 sprintf(CS buf, "%u.%03us", (uint)diff->tv_sec, (uint)diff->tv_usec/1000);
1106 return buf;
1107 }
1108
1109
1110 uschar *
1111 string_timesince(struct timeval * then)
1112 {
1113 struct timeval diff;
1114
1115 timesince(&diff, then);
1116 return string_timediff(&diff);
1117 }
1118
1119 /******************************************************************************/
1120
1121
1122
1123 /* If msg is NULL this is a delivery log and logchar is used. Otherwise
1124 this is a nonstandard call; no two-character delivery flag is written
1125 but sender-host and sender are prefixed and "msg" is inserted in the log line.
1126
1127 Arguments:
1128 flags passed to log_write()
1129 */
1130 void
1131 delivery_log(int flags, address_item * addr, int logchar, uschar * msg)
1132 {
1133 gstring * g; /* Used for a temporary, expanding buffer, for building log lines */
1134 void * reset_point; /* released afterwards. */
1135
1136 /* Log the delivery on the main log. We use an extensible string to build up
1137 the log line, and reset the store afterwards. Remote deliveries should always
1138 have a pointer to the host item that succeeded; local deliveries can have a
1139 pointer to a single host item in their host list, for use by the transport. */
1140
1141 #ifndef DISABLE_EVENT
1142 /* presume no successful remote delivery */
1143 lookup_dnssec_authenticated = NULL;
1144 #endif
1145
1146 g = reset_point = string_get(256);
1147
1148 if (msg)
1149 g = string_append(g, 2, host_and_ident(TRUE), US" ");
1150 else
1151 {
1152 g->s[0] = logchar; g->ptr = 1;
1153 g = string_catn(g, US"> ", 2);
1154 }
1155 g = string_log_address(g, addr, LOGGING(all_parents), TRUE);
1156
1157 if (LOGGING(sender_on_delivery) || msg)
1158 g = string_append(g, 3, US" F=<",
1159 #ifdef SUPPORT_I18N
1160 testflag(addr, af_utf8_downcvt)
1161 ? string_address_utf8_to_alabel(sender_address, NULL)
1162 :
1163 #endif
1164 sender_address,
1165 US">");
1166
1167 if (*queue_name)
1168 g = string_append(g, 2, US" Q=", queue_name);
1169
1170 #ifdef EXPERIMENTAL_SRS
1171 if(addr->prop.srs_sender)
1172 g = string_append(g, 3, US" SRS=<", addr->prop.srs_sender, US">");
1173 #endif
1174
1175 /* You might think that the return path must always be set for a successful
1176 delivery; indeed, I did for some time, until this statement crashed. The case
1177 when it is not set is for a delivery to /dev/null which is optimised by not
1178 being run at all. */
1179
1180 if (used_return_path && LOGGING(return_path_on_delivery))
1181 g = string_append(g, 3, US" P=<", used_return_path, US">");
1182
1183 if (msg)
1184 g = string_append(g, 2, US" ", msg);
1185
1186 /* For a delivery from a system filter, there may not be a router */
1187 if (addr->router)
1188 g = string_append(g, 2, US" R=", addr->router->name);
1189
1190 g = string_append(g, 2, US" T=", addr->transport->name);
1191
1192 if (LOGGING(delivery_size))
1193 g = string_fmt_append(g, " S=%d", transport_count);
1194
1195 /* Local delivery */
1196
1197 if (addr->transport->info->local)
1198 {
1199 if (addr->host_list)
1200 g = string_append(g, 2, US" H=", addr->host_list->name);
1201 g = d_log_interface(g);
1202 if (addr->shadow_message)
1203 g = string_cat(g, addr->shadow_message);
1204 }
1205
1206 /* Remote delivery */
1207
1208 else
1209 {
1210 if (addr->host_used)
1211 {
1212 g = d_hostlog(g, addr);
1213 if (continue_sequence > 1)
1214 g = string_catn(g, US"*", 1);
1215
1216 #ifndef DISABLE_EVENT
1217 deliver_host_address = addr->host_used->address;
1218 deliver_host_port = addr->host_used->port;
1219 deliver_host = addr->host_used->name;
1220
1221 /* DNS lookup status */
1222 lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes"
1223 : addr->host_used->dnssec==DS_NO ? US"no"
1224 : NULL;
1225 #endif
1226 }
1227
1228 #ifdef SUPPORT_TLS
1229 g = d_tlslog(g, addr);
1230 #endif
1231
1232 if (addr->authenticator)
1233 {
1234 g = string_append(g, 2, US" A=", addr->authenticator);
1235 if (addr->auth_id)
1236 {
1237 g = string_append(g, 2, US":", addr->auth_id);
1238 if (LOGGING(smtp_mailauth) && addr->auth_sndr)
1239 g = string_append(g, 2, US":", addr->auth_sndr);
1240 }
1241 }
1242
1243 if (LOGGING(pipelining))
1244 {
1245 if (testflag(addr, af_pipelining))
1246 g = string_catn(g, US" L", 2);
1247 #ifdef EXPERIMENTAL_PIPE_CONNECT
1248 if (testflag(addr, af_early_pipe))
1249 g = string_catn(g, US"*", 1);
1250 #endif
1251 }
1252
1253 #ifndef DISABLE_PRDR
1254 if (testflag(addr, af_prdr_used))
1255 g = string_catn(g, US" PRDR", 5);
1256 #endif
1257
1258 if (testflag(addr, af_chunking_used))
1259 g = string_catn(g, US" K", 2);
1260 }
1261
1262 /* confirmation message (SMTP (host_used) and LMTP (driver_name)) */
1263
1264 if ( LOGGING(smtp_confirmation)
1265 && addr->message
1266 && (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0)
1267 )
1268 {
1269 unsigned lim = big_buffer_size < 1024 ? big_buffer_size : 1024;
1270 uschar *p = big_buffer;
1271 uschar *ss = addr->message;
1272 *p++ = '\"';
1273 for (int i = 0; i < lim && ss[i] != 0; i++) /* limit logged amount */
1274 {
1275 if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */
1276 *p++ = ss[i];
1277 }
1278 *p++ = '\"';
1279 *p = 0;
1280 g = string_append(g, 2, US" C=", big_buffer);
1281 }
1282
1283 /* Time on queue and actual time taken to deliver */
1284
1285 if (LOGGING(queue_time))
1286 g = string_append(g, 2, US" QT=",
1287 string_timesince(&received_time));
1288
1289 if (LOGGING(deliver_time))
1290 {
1291 struct timeval diff = {.tv_sec = addr->more_errno, .tv_usec = addr->delivery_usec};
1292 g = string_append(g, 2, US" DT=", string_timediff(&diff));
1293 }
1294
1295 /* string_cat() always leaves room for the terminator. Release the
1296 store we used to build the line after writing it. */
1297
1298 log_write(0, flags, "%s", string_from_gstring(g));
1299
1300 #ifndef DISABLE_EVENT
1301 if (!msg) msg_event_raise(US"msg:delivery", addr);
1302 #endif
1303
1304 store_reset(reset_point);
1305 return;
1306 }
1307
1308
1309
1310 static void
1311 deferral_log(address_item * addr, uschar * now,
1312 int logflags, uschar * driver_name, uschar * driver_kind)
1313 {
1314 gstring * g;
1315 void * reset_point;
1316
1317 /* Build up the line that is used for both the message log and the main
1318 log. */
1319
1320 g = reset_point = string_get(256);
1321
1322 /* Create the address string for logging. Must not do this earlier, because
1323 an OK result may be changed to FAIL when a pipe returns text. */
1324
1325 g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
1326
1327 if (*queue_name)
1328 g = string_append(g, 2, US" Q=", queue_name);
1329
1330 /* Either driver_name contains something and driver_kind contains
1331 " router" or " transport" (note the leading space), or driver_name is
1332 a null string and driver_kind contains "routing" without the leading
1333 space, if all routing has been deferred. When a domain has been held,
1334 so nothing has been done at all, both variables contain null strings. */
1335
1336 if (driver_name)
1337 {
1338 if (driver_kind[1] == 't' && addr->router)
1339 g = string_append(g, 2, US" R=", addr->router->name);
1340 g = string_fmt_append(g, " %c=%s", toupper(driver_kind[1]), driver_name);
1341 }
1342 else if (driver_kind)
1343 g = string_append(g, 2, US" ", driver_kind);
1344
1345 g = string_fmt_append(g, " defer (%d)", addr->basic_errno);
1346
1347 if (addr->basic_errno > 0)
1348 g = string_append(g, 2, US": ",
1349 US strerror(addr->basic_errno));
1350
1351 if (addr->host_used)
1352 {
1353 g = string_append(g, 5,
1354 US" H=", addr->host_used->name,
1355 US" [", addr->host_used->address, US"]");
1356 if (LOGGING(outgoing_port))
1357 {
1358 int port = addr->host_used->port;
1359 g = string_fmt_append(g, ":%d", port == PORT_NONE ? 25 : port);
1360 }
1361 }
1362
1363 if (addr->message)
1364 g = string_append(g, 2, US": ", addr->message);
1365
1366 (void) string_from_gstring(g);
1367
1368 /* Log the deferment in the message log, but don't clutter it
1369 up with retry-time defers after the first delivery attempt. */
1370
1371 if (f.deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
1372 deliver_msglog("%s %s\n", now, g->s);
1373
1374 /* Write the main log and reset the store.
1375 For errors of the type "retry time not reached" (also remotes skipped
1376 on queue run), logging is controlled by L_retry_defer. Note that this kind
1377 of error number is negative, and all the retry ones are less than any
1378 others. */
1379
1380
1381 log_write(addr->basic_errno <= ERRNO_RETRY_BASE ? L_retry_defer : 0, logflags,
1382 "== %s", g->s);
1383
1384 store_reset(reset_point);
1385 return;
1386 }
1387
1388
1389
1390 static void
1391 failure_log(address_item * addr, uschar * driver_kind, uschar * now)
1392 {
1393 void * reset_point;
1394 gstring * g = reset_point = string_get(256);
1395
1396 #ifndef DISABLE_EVENT
1397 /* Message failures for which we will send a DSN get their event raised
1398 later so avoid doing it here. */
1399
1400 if ( !addr->prop.ignore_error
1401 && !(addr->dsn_flags & (rf_dsnflags & ~rf_notify_failure))
1402 )
1403 msg_event_raise(US"msg:fail:delivery", addr);
1404 #endif
1405
1406 /* Build up the log line for the message and main logs */
1407
1408 /* Create the address string for logging. Must not do this earlier, because
1409 an OK result may be changed to FAIL when a pipe returns text. */
1410
1411 g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
1412
1413 if (LOGGING(sender_on_delivery))
1414 g = string_append(g, 3, US" F=<", sender_address, US">");
1415
1416 if (*queue_name)
1417 g = string_append(g, 2, US" Q=", queue_name);
1418
1419 /* Return path may not be set if no delivery actually happened */
1420
1421 if (used_return_path && LOGGING(return_path_on_delivery))
1422 g = string_append(g, 3, US" P=<", used_return_path, US">");
1423
1424 if (addr->router)
1425 g = string_append(g, 2, US" R=", addr->router->name);
1426 if (addr->transport)
1427 g = string_append(g, 2, US" T=", addr->transport->name);
1428
1429 if (addr->host_used)
1430 g = d_hostlog(g, addr);
1431
1432 #ifdef SUPPORT_TLS
1433 g = d_tlslog(g, addr);
1434 #endif
1435
1436 if (addr->basic_errno > 0)
1437 g = string_append(g, 2, US": ", US strerror(addr->basic_errno));
1438
1439 if (addr->message)
1440 g = string_append(g, 2, US": ", addr->message);
1441
1442 (void) string_from_gstring(g);
1443
1444 /* Do the logging. For the message log, "routing failed" for those cases,
1445 just to make it clearer. */
1446
1447 if (driver_kind)
1448 deliver_msglog("%s %s failed for %s\n", now, driver_kind, g->s);
1449 else
1450 deliver_msglog("%s %s\n", now, g->s);
1451
1452 log_write(0, LOG_MAIN, "** %s", g->s);
1453
1454 store_reset(reset_point);
1455 return;
1456 }
1457
1458
1459
1460 /*************************************************
1461 * Actions at the end of handling an address *
1462 *************************************************/
1463
1464 /* This is a function for processing a single address when all that can be done
1465 with it has been done.
1466
1467 Arguments:
1468 addr points to the address block
1469 result the result of the delivery attempt
1470 logflags flags for log_write() (LOG_MAIN and/or LOG_PANIC)
1471 driver_type indicates which type of driver (transport, or router) was last
1472 to process the address
1473 logchar '=' or '-' for use when logging deliveries with => or ->
1474
1475 Returns: nothing
1476 */
1477
1478 static void
1479 post_process_one(address_item *addr, int result, int logflags, int driver_type,
1480 int logchar)
1481 {
1482 uschar *now = tod_stamp(tod_log);
1483 uschar *driver_kind = NULL;
1484 uschar *driver_name = NULL;
1485
1486 DEBUG(D_deliver) debug_printf("post-process %s (%d)\n", addr->address, result);
1487
1488 /* Set up driver kind and name for logging. Disable logging if the router or
1489 transport has disabled it. */
1490
1491 if (driver_type == EXIM_DTYPE_TRANSPORT)
1492 {
1493 if (addr->transport)
1494 {
1495 driver_name = addr->transport->name;
1496 driver_kind = US" transport";
1497 f.disable_logging = addr->transport->disable_logging;
1498 }
1499 else driver_kind = US"transporting";
1500 }
1501 else if (driver_type == EXIM_DTYPE_ROUTER)
1502 {
1503 if (addr->router)
1504 {
1505 driver_name = addr->router->name;
1506 driver_kind = US" router";
1507 f.disable_logging = addr->router->disable_logging;
1508 }
1509 else driver_kind = US"routing";
1510 }
1511
1512 /* If there's an error message set, ensure that it contains only printing
1513 characters - it should, but occasionally things slip in and this at least
1514 stops the log format from getting wrecked. We also scan the message for an LDAP
1515 expansion item that has a password setting, and flatten the password. This is a
1516 fudge, but I don't know a cleaner way of doing this. (If the item is badly
1517 malformed, it won't ever have gone near LDAP.) */
1518
1519 if (addr->message)
1520 {
1521 const uschar * s = string_printing(addr->message);
1522
1523 /* deconst cast ok as string_printing known to have alloc'n'copied */
1524 addr->message = expand_hide_passwords(US s);
1525 }
1526
1527 /* If we used a transport that has one of the "return_output" options set, and
1528 if it did in fact generate some output, then for return_output we treat the
1529 message as failed if it was not already set that way, so that the output gets
1530 returned to the sender, provided there is a sender to send it to. For
1531 return_fail_output, do this only if the delivery failed. Otherwise we just
1532 unlink the file, and remove the name so that if the delivery failed, we don't
1533 try to send back an empty or unwanted file. The log_output options operate only
1534 on a non-empty file.
1535
1536 In any case, we close the message file, because we cannot afford to leave a
1537 file-descriptor for one address while processing (maybe very many) others. */
1538
1539 if (addr->return_file >= 0 && addr->return_filename)
1540 {
1541 BOOL return_output = FALSE;
1542 struct stat statbuf;
1543 (void)EXIMfsync(addr->return_file);
1544
1545 /* If there is no output, do nothing. */
1546
1547 if (fstat(addr->return_file, &statbuf) == 0 && statbuf.st_size > 0)
1548 {
1549 transport_instance *tb = addr->transport;
1550
1551 /* Handle logging options */
1552
1553 if ( tb->log_output
1554 || result == FAIL && tb->log_fail_output
1555 || result == DEFER && tb->log_defer_output
1556 )
1557 {
1558 uschar *s;
1559 FILE *f = Ufopen(addr->return_filename, "rb");
1560 if (!f)
1561 log_write(0, LOG_MAIN|LOG_PANIC, "failed to open %s to log output "
1562 "from %s transport: %s", addr->return_filename, tb->name,
1563 strerror(errno));
1564 else
1565 if ((s = US Ufgets(big_buffer, big_buffer_size, f)))
1566 {
1567 uschar *p = big_buffer + Ustrlen(big_buffer);
1568 const uschar * sp;
1569 while (p > big_buffer && isspace(p[-1])) p--;
1570 *p = 0;
1571 sp = string_printing(big_buffer);
1572 log_write(0, LOG_MAIN, "<%s>: %s transport output: %s",
1573 addr->address, tb->name, sp);
1574 }
1575 (void)fclose(f);
1576 }
1577
1578 /* Handle returning options, but only if there is an address to return
1579 the text to. */
1580
1581 if (sender_address[0] != 0 || addr->prop.errors_address)
1582 if (tb->return_output)
1583 {
1584 addr->transport_return = result = FAIL;
1585 if (addr->basic_errno == 0 && !addr->message)
1586 addr->message = US"return message generated";
1587 return_output = TRUE;
1588 }
1589 else
1590 if (tb->return_fail_output && result == FAIL) return_output = TRUE;
1591 }
1592
1593 /* Get rid of the file unless it might be returned, but close it in
1594 all cases. */
1595
1596 if (!return_output)
1597 {
1598 Uunlink(addr->return_filename);
1599 addr->return_filename = NULL;
1600 addr->return_file = -1;
1601 }
1602
1603 (void)close(addr->return_file);
1604 }
1605
1606 /* The success case happens only after delivery by a transport. */
1607
1608 if (result == OK)
1609 {
1610 addr->next = addr_succeed;
1611 addr_succeed = addr;
1612
1613 /* Call address_done() to ensure that we don't deliver to this address again,
1614 and write appropriate things to the message log. If it is a child address, we
1615 call child_done() to scan the ancestors and mark them complete if this is the
1616 last child to complete. */
1617
1618 address_done(addr, now);
1619 DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address);
1620
1621 if (!addr->parent)
1622 deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address,
1623 driver_name, driver_kind);
1624 else
1625 {
1626 deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address,
1627 addr->parent->address, driver_name, driver_kind);
1628 child_done(addr, now);
1629 }
1630
1631 /* Certificates for logging (via events) */
1632 #ifdef SUPPORT_TLS
1633 tls_out.ourcert = addr->ourcert;
1634 addr->ourcert = NULL;
1635 tls_out.peercert = addr->peercert;
1636 addr->peercert = NULL;
1637
1638 tls_out.cipher = addr->cipher;
1639 tls_out.peerdn = addr->peerdn;
1640 tls_out.ocsp = addr->ocsp;
1641 # ifdef SUPPORT_DANE
1642 tls_out.dane_verified = testflag(addr, af_dane_verified);
1643 # endif
1644 #endif
1645
1646 delivery_log(LOG_MAIN, addr, logchar, NULL);
1647
1648 #ifdef SUPPORT_TLS
1649 tls_free_cert(&tls_out.ourcert);
1650 tls_free_cert(&tls_out.peercert);
1651 tls_out.cipher = NULL;
1652 tls_out.peerdn = NULL;
1653 tls_out.ocsp = OCSP_NOT_REQ;
1654 # ifdef SUPPORT_DANE
1655 tls_out.dane_verified = FALSE;
1656 # endif
1657 #endif
1658 }
1659
1660
1661 /* Soft failure, or local delivery process failed; freezing may be
1662 requested. */
1663
1664 else if (result == DEFER || result == PANIC)
1665 {
1666 if (result == PANIC) logflags |= LOG_PANIC;
1667
1668 /* This puts them on the chain in reverse order. Do not change this, because
1669 the code for handling retries assumes that the one with the retry
1670 information is last. */
1671
1672 addr->next = addr_defer;
1673 addr_defer = addr;
1674
1675 /* The only currently implemented special action is to freeze the
1676 message. Logging of this is done later, just before the -H file is
1677 updated. */
1678
1679 if (addr->special_action == SPECIAL_FREEZE)
1680 {
1681 f.deliver_freeze = TRUE;
1682 deliver_frozen_at = time(NULL);
1683 update_spool = TRUE;
1684 }
1685
1686 /* If doing a 2-stage queue run, we skip writing to either the message
1687 log or the main log for SMTP defers. */
1688
1689 if (!f.queue_2stage || addr->basic_errno != 0)
1690 deferral_log(addr, now, logflags, driver_name, driver_kind);
1691 }
1692
1693
1694 /* Hard failure. If there is an address to which an error message can be sent,
1695 put this address on the failed list. If not, put it on the deferred list and
1696 freeze the mail message for human attention. The latter action can also be
1697 explicitly requested by a router or transport. */
1698
1699 else
1700 {
1701 /* If this is a delivery error, or a message for which no replies are
1702 wanted, and the message's age is greater than ignore_bounce_errors_after,
1703 force the af_ignore_error flag. This will cause the address to be discarded
1704 later (with a log entry). */
1705
1706 if (!*sender_address && message_age >= ignore_bounce_errors_after)
1707 addr->prop.ignore_error = TRUE;
1708
1709 /* Freeze the message if requested, or if this is a bounce message (or other
1710 message with null sender) and this address does not have its own errors
1711 address. However, don't freeze if errors are being ignored. The actual code
1712 to ignore occurs later, instead of sending a message. Logging of freezing
1713 occurs later, just before writing the -H file. */
1714
1715 if ( !addr->prop.ignore_error
1716 && ( addr->special_action == SPECIAL_FREEZE
1717 || (sender_address[0] == 0 && !addr->prop.errors_address)
1718 ) )
1719 {
1720 frozen_info = addr->special_action == SPECIAL_FREEZE
1721 ? US""
1722 : f.sender_local && !f.local_error_message
1723 ? US" (message created with -f <>)"
1724 : US" (delivery error message)";
1725 f.deliver_freeze = TRUE;
1726 deliver_frozen_at = time(NULL);
1727 update_spool = TRUE;
1728
1729 /* The address is put on the defer rather than the failed queue, because
1730 the message is being retained. */
1731
1732 addr->next = addr_defer;
1733 addr_defer = addr;
1734 }
1735
1736 /* Don't put the address on the nonrecipients tree yet; wait until an
1737 error message has been successfully sent. */
1738
1739 else
1740 {
1741 addr->next = addr_failed;
1742 addr_failed = addr;
1743 }
1744
1745 failure_log(addr, driver_name ? NULL : driver_kind, now);
1746 }
1747
1748 /* Ensure logging is turned on again in all cases */
1749
1750 f.disable_logging = FALSE;
1751 }
1752
1753
1754
1755
1756 /*************************************************
1757 * Address-independent error *
1758 *************************************************/
1759
1760 /* This function is called when there's an error that is not dependent on a
1761 particular address, such as an expansion string failure. It puts the error into
1762 all the addresses in a batch, logs the incident on the main and panic logs, and
1763 clears the expansions. It is mostly called from local_deliver(), but can be
1764 called for a remote delivery via findugid().
1765
1766 Arguments:
1767 logit TRUE if (MAIN+PANIC) logging required
1768 addr the first of the chain of addresses
1769 code the error code
1770 format format string for error message, or NULL if already set in addr
1771 ... arguments for the format
1772
1773 Returns: nothing
1774 */
1775
1776 static void
1777 common_error(BOOL logit, address_item *addr, int code, uschar *format, ...)
1778 {
1779 addr->basic_errno = code;
1780
1781 if (format)
1782 {
1783 va_list ap;
1784 gstring * g;
1785
1786 va_start(ap, format);
1787 g = string_vformat(NULL, TRUE, CS format, ap);
1788 va_end(ap);
1789 addr->message = string_from_gstring(g);
1790 }
1791
1792 for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
1793 {
1794 addr2->basic_errno = code;
1795 addr2->message = addr->message;
1796 }
1797
1798 if (logit) log_write(0, LOG_MAIN|LOG_PANIC, "%s", addr->message);
1799 deliver_set_expansions(NULL);
1800 }
1801
1802
1803
1804
1805 /*************************************************
1806 * Check a "never users" list *
1807 *************************************************/
1808
1809 /* This function is called to check whether a uid is on one of the two "never
1810 users" lists.
1811
1812 Arguments:
1813 uid the uid to be checked
1814 nusers the list to be scanned; the first item in the list is the count
1815
1816 Returns: TRUE if the uid is on the list
1817 */
1818
1819 static BOOL
1820 check_never_users(uid_t uid, uid_t *nusers)
1821 {
1822 if (!nusers) return FALSE;
1823 for (int i = 1; i <= (int)(nusers[0]); i++) if (nusers[i] == uid) return TRUE;
1824 return FALSE;
1825 }
1826
1827
1828
1829 /*************************************************
1830 * Find uid and gid for a transport *
1831 *************************************************/
1832
1833 /* This function is called for both local and remote deliveries, to find the
1834 uid/gid under which to run the delivery. The values are taken preferentially
1835 from the transport (either explicit or deliver_as_creator), then from the
1836 address (i.e. the router), and if nothing is set, the exim uid/gid are used. If
1837 the resulting uid is on the "never_users" or the "fixed_never_users" list, a
1838 panic error is logged, and the function fails (which normally leads to delivery
1839 deferral).
1840
1841 Arguments:
1842 addr the address (possibly a chain)
1843 tp the transport
1844 uidp pointer to uid field
1845 gidp pointer to gid field
1846 igfp pointer to the use_initgroups field
1847
1848 Returns: FALSE if failed - error has been set in address(es)
1849 */
1850
1851 static BOOL
1852 findugid(address_item *addr, transport_instance *tp, uid_t *uidp, gid_t *gidp,
1853 BOOL *igfp)
1854 {
1855 uschar *nuname;
1856 BOOL gid_set = FALSE;
1857
1858 /* Default initgroups flag comes from the transport */
1859
1860 *igfp = tp->initgroups;
1861
1862 /* First see if there's a gid on the transport, either fixed or expandable.
1863 The expanding function always logs failure itself. */
1864
1865 if (tp->gid_set)
1866 {
1867 *gidp = tp->gid;
1868 gid_set = TRUE;
1869 }
1870 else if (tp->expand_gid)
1871 {
1872 if (!route_find_expanded_group(tp->expand_gid, tp->name, US"transport", gidp,
1873 &(addr->message)))
1874 {
1875 common_error(FALSE, addr, ERRNO_GIDFAIL, NULL);
1876 return FALSE;
1877 }
1878 gid_set = TRUE;
1879 }
1880
1881 /* If the transport did not set a group, see if the router did. */
1882
1883 if (!gid_set && testflag(addr, af_gid_set))
1884 {
1885 *gidp = addr->gid;
1886 gid_set = TRUE;
1887 }
1888
1889 /* Pick up a uid from the transport if one is set. */
1890
1891 if (tp->uid_set) *uidp = tp->uid;
1892
1893 /* Otherwise, try for an expandable uid field. If it ends up as a numeric id,
1894 it does not provide a passwd value from which a gid can be taken. */
1895
1896 else if (tp->expand_uid)
1897 {
1898 struct passwd *pw;
1899 if (!route_find_expanded_user(tp->expand_uid, tp->name, US"transport", &pw,
1900 uidp, &(addr->message)))
1901 {
1902 common_error(FALSE, addr, ERRNO_UIDFAIL, NULL);
1903 return FALSE;
1904 }
1905 if (!gid_set && pw)
1906 {
1907 *gidp = pw->pw_gid;
1908 gid_set = TRUE;
1909 }
1910 }
1911
1912 /* If the transport doesn't set the uid, test the deliver_as_creator flag. */
1913
1914 else if (tp->deliver_as_creator)
1915 {
1916 *uidp = originator_uid;
1917 if (!gid_set)
1918 {
1919 *gidp = originator_gid;
1920 gid_set = TRUE;
1921 }
1922 }
1923
1924 /* Otherwise see if the address specifies the uid and if so, take it and its
1925 initgroups flag. */
1926
1927 else if (testflag(addr, af_uid_set))
1928 {
1929 *uidp = addr->uid;
1930 *igfp = testflag(addr, af_initgroups);
1931 }
1932
1933 /* Nothing has specified the uid - default to the Exim user, and group if the
1934 gid is not set. */
1935
1936 else
1937 {
1938 *uidp = exim_uid;
1939 if (!gid_set)
1940 {
1941 *gidp = exim_gid;
1942 gid_set = TRUE;
1943 }
1944 }
1945
1946 /* If no gid is set, it is a disaster. We default to the Exim gid only if
1947 defaulting to the Exim uid. In other words, if the configuration has specified
1948 a uid, it must also provide a gid. */
1949
1950 if (!gid_set)
1951 {
1952 common_error(TRUE, addr, ERRNO_GIDFAIL, US"User set without group for "
1953 "%s transport", tp->name);
1954 return FALSE;
1955 }
1956
1957 /* Check that the uid is not on the lists of banned uids that may not be used
1958 for delivery processes. */
1959
1960 nuname = check_never_users(*uidp, never_users)
1961 ? US"never_users"
1962 : check_never_users(*uidp, fixed_never_users)
1963 ? US"fixed_never_users"
1964 : NULL;
1965 if (nuname)
1966 {
1967 common_error(TRUE, addr, ERRNO_UIDFAIL, US"User %ld set for %s transport "
1968 "is on the %s list", (long int)(*uidp), tp->name, nuname);
1969 return FALSE;
1970 }
1971
1972 /* All is well */
1973
1974 return TRUE;
1975 }
1976
1977
1978
1979
1980 /*************************************************
1981 * Check the size of a message for a transport *
1982 *************************************************/
1983
1984 /* Checks that the message isn't too big for the selected transport.
1985 This is called only when it is known that the limit is set.
1986
1987 Arguments:
1988 tp the transport
1989 addr the (first) address being delivered
1990
1991 Returns: OK
1992 DEFER expansion failed or did not yield an integer
1993 FAIL message too big
1994 */
1995
1996 int
1997 check_message_size(transport_instance *tp, address_item *addr)
1998 {
1999 int rc = OK;
2000 int size_limit;
2001
2002 deliver_set_expansions(addr);
2003 size_limit = expand_string_integer(tp->message_size_limit, TRUE);
2004 deliver_set_expansions(NULL);
2005
2006 if (expand_string_message)
2007 {
2008 rc = DEFER;
2009 addr->message = size_limit == -1
2010 ? string_sprintf("failed to expand message_size_limit "
2011 "in %s transport: %s", tp->name, expand_string_message)
2012 : string_sprintf("invalid message_size_limit "
2013 "in %s transport: %s", tp->name, expand_string_message);
2014 }
2015 else if (size_limit > 0 && message_size > size_limit)
2016 {
2017 rc = FAIL;
2018 addr->message =
2019 string_sprintf("message is too big (transport limit = %d)",
2020 size_limit);
2021 }
2022
2023 return rc;
2024 }
2025
2026
2027
2028 /*************************************************
2029 * Transport-time check for a previous delivery *
2030 *************************************************/
2031
2032 /* Check that this base address hasn't previously been delivered to its routed
2033 transport. If it has been delivered, mark it done. The check is necessary at
2034 delivery time in order to handle homonymic addresses correctly in cases where
2035 the pattern of redirection changes between delivery attempts (so the unique
2036 fields change). Non-homonymic previous delivery is detected earlier, at routing
2037 time (which saves unnecessary routing).
2038
2039 Arguments:
2040 addr the address item
2041 testing TRUE if testing wanted only, without side effects
2042
2043 Returns: TRUE if previously delivered by the transport
2044 */
2045
2046 static BOOL
2047 previously_transported(address_item *addr, BOOL testing)
2048 {
2049 (void)string_format(big_buffer, big_buffer_size, "%s/%s",
2050 addr->unique + (testflag(addr, af_homonym)? 3:0), addr->transport->name);
2051
2052 if (tree_search(tree_nonrecipients, big_buffer) != 0)
2053 {
2054 DEBUG(D_deliver|D_route|D_transport)
2055 debug_printf("%s was previously delivered (%s transport): discarded\n",
2056 addr->address, addr->transport->name);
2057 if (!testing) child_done(addr, tod_stamp(tod_log));
2058 return TRUE;
2059 }
2060
2061 return FALSE;
2062 }
2063
2064
2065
2066 /******************************************************
2067 * Check for a given header in a header string *
2068 ******************************************************/
2069
2070 /* This function is used when generating quota warnings. The configuration may
2071 specify any header lines it likes in quota_warn_message. If certain of them are
2072 missing, defaults are inserted, so we need to be able to test for the presence
2073 of a given header.
2074
2075 Arguments:
2076 hdr the required header name
2077 hstring the header string
2078
2079 Returns: TRUE the header is in the string
2080 FALSE the header is not in the string
2081 */
2082
2083 static BOOL
2084 contains_header(uschar *hdr, uschar *hstring)
2085 {
2086 int len = Ustrlen(hdr);
2087 uschar *p = hstring;
2088 while (*p != 0)
2089 {
2090 if (strncmpic(p, hdr, len) == 0)
2091 {
2092 p += len;
2093 while (*p == ' ' || *p == '\t') p++;
2094 if (*p == ':') return TRUE;
2095 }
2096 while (*p != 0 && *p != '\n') p++;
2097 if (*p == '\n') p++;
2098 }
2099 return FALSE;
2100 }
2101
2102
2103
2104
2105 /*************************************************
2106 * Perform a local delivery *
2107 *************************************************/
2108
2109 /* Each local delivery is performed in a separate process which sets its
2110 uid and gid as specified. This is a safer way than simply changing and
2111 restoring using seteuid(); there is a body of opinion that seteuid() cannot be
2112 used safely. From release 4, Exim no longer makes any use of it. Besides, not
2113 all systems have seteuid().
2114
2115 If the uid/gid are specified in the transport_instance, they are used; the
2116 transport initialization must ensure that either both or neither are set.
2117 Otherwise, the values associated with the address are used. If neither are set,
2118 it is a configuration error.
2119
2120 The transport or the address may specify a home directory (transport over-
2121 rides), and if they do, this is set as $home. If neither have set a working
2122 directory, this value is used for that as well. Otherwise $home is left unset
2123 and the cwd is set to "/" - a directory that should be accessible to all users.
2124
2125 Using a separate process makes it more complicated to get error information
2126 back. We use a pipe to pass the return code and also an error code and error
2127 text string back to the parent process.
2128
2129 Arguments:
2130 addr points to an address block for this delivery; for "normal" local
2131 deliveries this is the only address to be delivered, but for
2132 pseudo-remote deliveries (e.g. by batch SMTP to a file or pipe)
2133 a number of addresses can be handled simultaneously, and in this
2134 case addr will point to a chain of addresses with the same
2135 characteristics.
2136
2137 shadowing TRUE if running a shadow transport; this causes output from pipes
2138 to be ignored.
2139
2140 Returns: nothing
2141 */
2142
2143 static void
2144 deliver_local(address_item *addr, BOOL shadowing)
2145 {
2146 BOOL use_initgroups;
2147 uid_t uid;
2148 gid_t gid;
2149 int status, len, rc;
2150 int pfd[2];
2151 pid_t pid;
2152 uschar *working_directory;
2153 address_item *addr2;
2154 transport_instance *tp = addr->transport;
2155
2156 /* Set up the return path from the errors or sender address. If the transport
2157 has its own return path setting, expand it and replace the existing value. */
2158
2159 if(addr->prop.errors_address)
2160 return_path = addr->prop.errors_address;
2161 #ifdef EXPERIMENTAL_SRS
2162 else if (addr->prop.srs_sender)
2163 return_path = addr->prop.srs_sender;
2164 #endif
2165 else
2166 return_path = sender_address;
2167
2168 if (tp->return_path)
2169 {
2170 uschar *new_return_path = expand_string(tp->return_path);
2171 if (!new_return_path)
2172 {
2173 if (!f.expand_string_forcedfail)
2174 {
2175 common_error(TRUE, addr, ERRNO_EXPANDFAIL,
2176 US"Failed to expand return path \"%s\" in %s transport: %s",
2177 tp->return_path, tp->name, expand_string_message);
2178 return;
2179 }
2180 }
2181 else return_path = new_return_path;
2182 }
2183
2184 /* For local deliveries, one at a time, the value used for logging can just be
2185 set directly, once and for all. */
2186
2187 used_return_path = return_path;
2188
2189 /* Sort out the uid, gid, and initgroups flag. If an error occurs, the message
2190 gets put into the address(es), and the expansions are unset, so we can just
2191 return. */
2192
2193 if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) return;
2194
2195 /* See if either the transport or the address specifies a home directory. A
2196 home directory set in the address may already be expanded; a flag is set to
2197 indicate that. In other cases we must expand it. */
2198
2199 if ( (deliver_home = tp->home_dir) /* Set in transport, or */
2200 || ( (deliver_home = addr->home_dir) /* Set in address and */
2201 && !testflag(addr, af_home_expanded) /* not expanded */
2202 ) )
2203 {
2204 uschar *rawhome = deliver_home;
2205 deliver_home = NULL; /* in case it contains $home */
2206 if (!(deliver_home = expand_string(rawhome)))
2207 {
2208 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"home directory \"%s\" failed "
2209 "to expand for %s transport: %s", rawhome, tp->name,
2210 expand_string_message);
2211 return;
2212 }
2213 if (*deliver_home != '/')
2214 {
2215 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"home directory path \"%s\" "
2216 "is not absolute for %s transport", deliver_home, tp->name);
2217 return;
2218 }
2219 }
2220
2221 /* See if either the transport or the address specifies a current directory,
2222 and if so, expand it. If nothing is set, use the home directory, unless it is
2223 also unset in which case use "/", which is assumed to be a directory to which
2224 all users have access. It is necessary to be in a visible directory for some
2225 operating systems when running pipes, as some commands (e.g. "rm" under Solaris
2226 2.5) require this. */
2227
2228 working_directory = tp->current_dir ? tp->current_dir : addr->current_dir;
2229 if (working_directory)
2230 {
2231 uschar *raw = working_directory;
2232 if (!(working_directory = expand_string(raw)))
2233 {
2234 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"current directory \"%s\" "
2235 "failed to expand for %s transport: %s", raw, tp->name,
2236 expand_string_message);
2237 return;
2238 }
2239 if (*working_directory != '/')
2240 {
2241 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"current directory path "
2242 "\"%s\" is not absolute for %s transport", working_directory, tp->name);
2243 return;
2244 }
2245 }
2246 else working_directory = deliver_home ? deliver_home : US"/";
2247
2248 /* If one of the return_output flags is set on the transport, create and open a
2249 file in the message log directory for the transport to write its output onto.
2250 This is mainly used by pipe transports. The file needs to be unique to the
2251 address. This feature is not available for shadow transports. */
2252
2253 if ( !shadowing
2254 && ( tp->return_output || tp->return_fail_output
2255 || tp->log_output || tp->log_fail_output || tp->log_defer_output
2256 ) )
2257 {
2258 uschar * error;
2259
2260 addr->return_filename =
2261 spool_fname(US"msglog", message_subdir, message_id,
2262 string_sprintf("-%d-%d", getpid(), return_count++));
2263
2264 if ((addr->return_file = open_msglog_file(addr->return_filename, 0400, &error)) < 0)
2265 {
2266 common_error(TRUE, addr, errno, US"Unable to %s file for %s transport "
2267 "to return message: %s", error, tp->name, strerror(errno));
2268 return;
2269 }
2270 }
2271
2272 /* Create the pipe for inter-process communication. */
2273
2274 if (pipe(pfd) != 0)
2275 {
2276 common_error(TRUE, addr, ERRNO_PIPEFAIL, US"Creation of pipe failed: %s",
2277 strerror(errno));
2278 return;
2279 }
2280
2281 /* Now fork the process to do the real work in the subprocess, but first
2282 ensure that all cached resources are freed so that the subprocess starts with
2283 a clean slate and doesn't interfere with the parent process. */
2284
2285 search_tidyup();
2286
2287 if ((pid = fork()) == 0)
2288 {
2289 BOOL replicate = TRUE;
2290
2291 /* Prevent core dumps, as we don't want them in users' home directories.
2292 HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that
2293 system. Some experimental/developing systems (e.g. GNU/Hurd) may define
2294 RLIMIT_CORE but not support it in setrlimit(). For such systems, do not
2295 complain if the error is "not supported".
2296
2297 There are two scenarios where changing the max limit has an effect. In one,
2298 the user is using a .forward and invoking a command of their choice via pipe;
2299 for these, we do need the max limit to be 0 unless the admin chooses to
2300 permit an increased limit. In the other, the command is invoked directly by
2301 the transport and is under administrator control, thus being able to raise
2302 the limit aids in debugging. So there's no general always-right answer.
2303
2304 Thus we inhibit core-dumps completely but let individual transports, while
2305 still root, re-raise the limits back up to aid debugging. We make the
2306 default be no core-dumps -- few enough people can use core dumps in
2307 diagnosis that it's reasonable to make them something that has to be explicitly requested.
2308 */
2309
2310 #ifdef RLIMIT_CORE
2311 struct rlimit rl;
2312 rl.rlim_cur = 0;
2313 rl.rlim_max = 0;
2314 if (setrlimit(RLIMIT_CORE, &rl) < 0)
2315 {
2316 # ifdef SETRLIMIT_NOT_SUPPORTED
2317 if (errno != ENOSYS && errno != ENOTSUP)
2318 # endif
2319 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_CORE) failed: %s",
2320 strerror(errno));
2321 }
2322 #endif
2323
2324 /* Reset the random number generator, so different processes don't all
2325 have the same sequence. */
2326
2327 random_seed = 0;
2328
2329 /* If the transport has a setup entry, call this first, while still
2330 privileged. (Appendfile uses this to expand quota, for example, while
2331 able to read private files.) */
2332
2333 if (addr->transport->setup)
2334 switch((addr->transport->setup)(addr->transport, addr, NULL, uid, gid,
2335 &(addr->message)))
2336 {
2337 case DEFER:
2338 addr->transport_return = DEFER;
2339 goto PASS_BACK;
2340
2341 case FAIL:
2342 addr->transport_return = PANIC;
2343 goto PASS_BACK;
2344 }
2345
2346 /* Ignore SIGINT and SIGTERM during delivery. Also ignore SIGUSR1, as
2347 when the process becomes unprivileged, it won't be able to write to the
2348 process log. SIGHUP is ignored throughout exim, except when it is being
2349 run as a daemon. */
2350
2351 signal(SIGINT, SIG_IGN);
2352 signal(SIGTERM, SIG_IGN);
2353 signal(SIGUSR1, SIG_IGN);
2354
2355 /* Close the unwanted half of the pipe, and set close-on-exec for the other
2356 half - for transports that exec things (e.g. pipe). Then set the required
2357 gid/uid. */
2358
2359 (void)close(pfd[pipe_read]);
2360 (void)fcntl(pfd[pipe_write], F_SETFD, fcntl(pfd[pipe_write], F_GETFD) |
2361 FD_CLOEXEC);
2362 exim_setugid(uid, gid, use_initgroups,
2363 string_sprintf("local delivery to %s <%s> transport=%s", addr->local_part,
2364 addr->address, addr->transport->name));
2365
2366 DEBUG(D_deliver)
2367 {
2368 debug_printf(" home=%s current=%s\n", deliver_home, working_directory);
2369 for (address_item * batched = addr->next; batched; batched = batched->next)
2370 debug_printf("additional batched address: %s\n", batched->address);
2371 }
2372
2373 /* Set an appropriate working directory. */
2374
2375 if (Uchdir(working_directory) < 0)
2376 {
2377 addr->transport_return = DEFER;
2378 addr->basic_errno = errno;
2379 addr->message = string_sprintf("failed to chdir to %s", working_directory);
2380 }
2381
2382 /* If successful, call the transport */
2383
2384 else
2385 {
2386 BOOL ok = TRUE;
2387 set_process_info("delivering %s to %s using %s", message_id,
2388 addr->local_part, addr->transport->name);
2389
2390 /* Setting this global in the subprocess means we need never clear it */
2391 transport_name = addr->transport->name;
2392
2393 /* If a transport filter has been specified, set up its argument list.
2394 Any errors will get put into the address, and FALSE yielded. */
2395
2396 if (addr->transport->filter_command)
2397 {
2398 ok = transport_set_up_command(&transport_filter_argv,
2399 addr->transport->filter_command,
2400 TRUE, PANIC, addr, US"transport filter", NULL);
2401 transport_filter_timeout = addr->transport->filter_timeout;
2402 }
2403 else transport_filter_argv = NULL;
2404
2405 if (ok)
2406 {
2407 debug_print_string(addr->transport->debug_string);
2408 replicate = !(addr->transport->info->code)(addr->transport, addr);
2409 }
2410 }
2411
2412 /* Pass the results back down the pipe. If necessary, first replicate the
2413 status in the top address to the others in the batch. The label is the
2414 subject of a goto when a call to the transport's setup function fails. We
2415 pass the pointer to the transport back in case it got changed as a result of
2416 file_format in appendfile. */
2417
2418 PASS_BACK:
2419
2420 if (replicate) replicate_status(addr);
2421 for (addr2 = addr; addr2; addr2 = addr2->next)
2422 {
2423 int i;
2424 int local_part_length = Ustrlen(addr2->local_part);
2425 uschar *s;
2426 int ret;
2427
2428 if( (ret = write(pfd[pipe_write], &addr2->transport_return, sizeof(int))) != sizeof(int)
2429 || (ret = write(pfd[pipe_write], &transport_count, sizeof(transport_count))) != sizeof(transport_count)
2430 || (ret = write(pfd[pipe_write], &addr2->flags, sizeof(addr2->flags))) != sizeof(addr2->flags)
2431 || (ret = write(pfd[pipe_write], &addr2->basic_errno, sizeof(int))) != sizeof(int)
2432 || (ret = write(pfd[pipe_write], &addr2->more_errno, sizeof(int))) != sizeof(int)
2433 || (ret = write(pfd[pipe_write], &addr2->delivery_usec, sizeof(int))) != sizeof(int)
2434 || (ret = write(pfd[pipe_write], &addr2->special_action, sizeof(int))) != sizeof(int)
2435 || (ret = write(pfd[pipe_write], &addr2->transport,
2436 sizeof(transport_instance *))) != sizeof(transport_instance *)
2437
2438 /* For a file delivery, pass back the local part, in case the original
2439 was only part of the final delivery path. This gives more complete
2440 logging. */
2441
2442 || (testflag(addr2, af_file)
2443 && ( (ret = write(pfd[pipe_write], &local_part_length, sizeof(int))) != sizeof(int)
2444 || (ret = write(pfd[pipe_write], addr2->local_part, local_part_length)) != local_part_length
2445 )
2446 )
2447 )
2448 log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
2449 ret == -1 ? strerror(errno) : "short write");
2450
2451 /* Now any messages */
2452
2453 for (i = 0, s = addr2->message; i < 2; i++, s = addr2->user_message)
2454 {
2455 int message_length = s ? Ustrlen(s) + 1 : 0;
2456 if( (ret = write(pfd[pipe_write], &message_length, sizeof(int))) != sizeof(int)
2457 || message_length > 0 && (ret = write(pfd[pipe_write], s, message_length)) != message_length
2458 )
2459 log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
2460 ret == -1 ? strerror(errno) : "short write");
2461 }
2462 }
2463
2464 /* OK, this process is now done. Free any cached resources that it opened,
2465 and close the pipe we were writing down before exiting. */
2466
2467 (void)close(pfd[pipe_write]);
2468 search_tidyup();
2469 exit(EXIT_SUCCESS);
2470 }
2471
2472 /* Back in the main process: panic if the fork did not succeed. This seems
2473 better than returning an error - if forking is failing it is probably best
2474 not to try other deliveries for this message. */
2475
2476 if (pid < 0)
2477 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Fork failed for local delivery to %s",
2478 addr->address);
2479
2480 /* Read the pipe to get the delivery status codes and error messages. Our copy
2481 of the writing end must be closed first, as otherwise read() won't return zero
2482 on an empty pipe. We check that a status exists for each address before
2483 overwriting the address structure. If data is missing, the default DEFER status
2484 will remain. Afterwards, close the reading end. */
2485
2486 (void)close(pfd[pipe_write]);
2487
2488 for (addr2 = addr; addr2; addr2 = addr2->next)
2489 {
2490 if ((len = read(pfd[pipe_read], &status, sizeof(int))) > 0)
2491 {
2492 int i;
2493 uschar **sptr;
2494
2495 addr2->transport_return = status;
2496 len = read(pfd[pipe_read], &transport_count,
2497 sizeof(transport_count));
2498 len = read(pfd[pipe_read], &addr2->flags, sizeof(addr2->flags));
2499 len = read(pfd[pipe_read], &addr2->basic_errno, sizeof(int));
2500 len = read(pfd[pipe_read], &addr2->more_errno, sizeof(int));
2501 len = read(pfd[pipe_read], &addr2->delivery_usec, sizeof(int));
2502 len = read(pfd[pipe_read], &addr2->special_action, sizeof(int));
2503 len = read(pfd[pipe_read], &addr2->transport,
2504 sizeof(transport_instance *));
2505
2506 if (testflag(addr2, af_file))
2507 {
2508 int llen;
2509 if ( read(pfd[pipe_read], &llen, sizeof(int)) != sizeof(int)
2510 || llen > 64*4 /* limit from rfc 5821, times I18N factor */
2511 )
2512 {
2513 log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part length read"
2514 " from delivery subprocess");
2515 break;
2516 }
2517 /* sanity-checked llen so disable the Coverity error */
2518 /* coverity[tainted_data] */
2519 if (read(pfd[pipe_read], big_buffer, llen) != llen)
2520 {
2521 log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part read"
2522 " from delivery subprocess");
2523 break;
2524 }
2525 big_buffer[llen] = 0;
2526 addr2->local_part = string_copy(big_buffer);
2527 }
2528
2529 for (i = 0, sptr = &addr2->message; i < 2; i++, sptr = &addr2->user_message)
2530 {
2531 int message_length;
2532 len = read(pfd[pipe_read], &message_length, sizeof(int));
2533 if (message_length > 0)
2534 {
2535 len = read(pfd[pipe_read], big_buffer, message_length);
2536 big_buffer[big_buffer_size-1] = '\0'; /* guard byte */
2537 if (len > 0) *sptr = string_copy(big_buffer);
2538 }
2539 }
2540 }
2541
2542 else
2543 {
2544 log_write(0, LOG_MAIN|LOG_PANIC, "failed to read delivery status for %s "
2545 "from delivery subprocess", addr2->unique);
2546 break;
2547 }
2548 }
2549
2550 (void)close(pfd[pipe_read]);
2551
2552 /* Unless shadowing, write all successful addresses immediately to the journal
2553 file, to ensure they are recorded asap. For homonymic addresses, use the base
2554 address plus the transport name. Failure to write the journal is panic-worthy,
2555 but don't stop, as it may prove possible subsequently to update the spool file
2556 in order to record the delivery. */
2557
2558 if (!shadowing)
2559 {
2560 for (addr2 = addr; addr2; addr2 = addr2->next)
2561 if (addr2->transport_return == OK)
2562 {
2563 if (testflag(addr2, af_homonym))
2564 sprintf(CS big_buffer, "%.500s/%s\n", addr2->unique + 3, tp->name);
2565 else
2566 sprintf(CS big_buffer, "%.500s\n", addr2->unique);
2567
2568 /* In the test harness, wait just a bit to let the subprocess finish off
2569 any debug output etc first. */
2570
2571 if (f.running_in_test_harness) millisleep(300);
2572
2573 DEBUG(D_deliver) debug_printf("journalling %s", big_buffer);
2574 len = Ustrlen(big_buffer);
2575 if (write(journal_fd, big_buffer, len) != len)
2576 log_write(0, LOG_MAIN|LOG_PANIC, "failed to update journal for %s: %s",
2577 big_buffer, strerror(errno));
2578 }
2579
2580 /* Ensure the journal file is pushed out to disk. */
2581
2582 if (EXIMfsync(journal_fd) < 0)
2583 log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s",
2584 strerror(errno));
2585 }
2586
2587 /* Wait for the process to finish. If it terminates with a non-zero code,
2588 freeze the message (except for SIGTERM, SIGKILL and SIGQUIT), but leave the
2589 status values of all the addresses as they are. Take care to handle the case
2590 when the subprocess doesn't seem to exist. This has been seen on one system
2591 when Exim was called from an MUA that set SIGCHLD to SIG_IGN. When that
2592 happens, wait() doesn't recognize the termination of child processes. Exim now
2593 resets SIGCHLD to SIG_DFL, but this code should still be robust. */
2594
2595 while ((rc = wait(&status)) != pid)
2596 if (rc < 0 && errno == ECHILD) /* Process has vanished */
2597 {
2598 log_write(0, LOG_MAIN, "%s transport process vanished unexpectedly",
2599 addr->transport->driver_name);
2600 status = 0;
2601 break;
2602 }
2603
2604 if ((status & 0xffff) != 0)
2605 {
2606 int msb = (status >> 8) & 255;
2607 int lsb = status & 255;
2608 int code = (msb == 0)? (lsb & 0x7f) : msb;
2609 if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
2610 addr->special_action = SPECIAL_FREEZE;
2611 log_write(0, LOG_MAIN|LOG_PANIC, "%s transport process returned non-zero "
2612 "status 0x%04x: %s %d",
2613 addr->transport->driver_name,
2614 status,
2615 msb == 0 ? "terminated by signal" : "exit code",
2616 code);
2617 }
2618
2619 /* If SPECIAL_WARN is set in the top address, send a warning message. */
2620
2621 if (addr->special_action == SPECIAL_WARN && addr->transport->warn_message)
2622 {
2623 int fd;
2624 uschar *warn_message;
2625 pid_t pid;
2626
2627 DEBUG(D_deliver) debug_printf("Warning message requested by transport\n");
2628
2629 if (!(warn_message = expand_string(addr->transport->warn_message)))
2630 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand \"%s\" (warning "
2631 "message for %s transport): %s", addr->transport->warn_message,
2632 addr->transport->name, expand_string_message);
2633
2634 else if ((pid = child_open_exim(&fd)) > 0)
2635 {
2636 FILE *f = fdopen(fd, "wb");
2637 if (errors_reply_to && !contains_header(US"Reply-To", warn_message))
2638 fprintf(f, "Reply-To: %s\n", errors_reply_to);
2639 fprintf(f, "Auto-Submitted: auto-replied\n");
2640 if (!contains_header(US"From", warn_message))
2641 moan_write_from(f);
2642 fprintf(f, "%s", CS warn_message);
2643
2644 /* Close and wait for child process to complete, without a timeout. */
2645
2646 (void)fclose(f);
2647 (void)child_close(pid, 0);
2648 }
2649
2650 addr->special_action = SPECIAL_NONE;
2651 }
2652 }
2653
2654
2655
2656
2657 /* Check transport for the given concurrency limit. Return TRUE if over
2658 the limit (or an expansion failure), else FALSE and if there was a limit,
2659 the key for the hints database used for the concurrency count. */
2660
2661 static BOOL
2662 tpt_parallel_check(transport_instance * tp, address_item * addr, uschar ** key)
2663 {
2664 unsigned max_parallel;
2665
2666 if (!tp->max_parallel) return FALSE;
2667
2668 max_parallel = (unsigned) expand_string_integer(tp->max_parallel, TRUE);
2669 if (expand_string_message)
2670 {
2671 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand max_parallel option "
2672 "in %s transport (%s): %s", tp->name, addr->address,
2673 expand_string_message);
2674 return TRUE;
2675 }
2676
2677 if (max_parallel > 0)
2678 {
2679 uschar * serialize_key = string_sprintf("tpt-serialize-%s", tp->name);
2680 if (!enq_start(serialize_key, max_parallel))
2681 {
2682 address_item * next;
2683 DEBUG(D_transport)
2684 debug_printf("skipping tpt %s because concurrency limit %u reached\n",
2685 tp->name, max_parallel);
2686 do
2687 {
2688 next = addr->next;
2689 addr->message = US"concurrency limit reached for transport";
2690 addr->basic_errno = ERRNO_TRETRY;
2691 post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
2692 } while ((addr = next));
2693 return TRUE;
2694 }
2695 *key = serialize_key;
2696 }
2697 return FALSE;
2698 }
2699
2700
2701
2702 /*************************************************
2703 * Do local deliveries *
2704 *************************************************/
2705
2706 /* This function processes the list of addresses in addr_local. True local
2707 deliveries are always done one address at a time. However, local deliveries can
2708 be batched up in some cases. Typically this is when writing batched SMTP output
2709 files for use by some external transport mechanism, or when running local
2710 deliveries over LMTP.
2711
2712 Arguments: None
2713 Returns: Nothing
2714 */
2715
2716 static void
2717 do_local_deliveries(void)
2718 {
2719 open_db dbblock;
2720 open_db *dbm_file = NULL;
2721 time_t now = time(NULL);
2722
2723 /* Loop until we have exhausted the supply of local deliveries */
2724
2725 while (addr_local)
2726 {
2727 struct timeval delivery_start;
2728 struct timeval deliver_time;
2729 address_item *addr2, *addr3, *nextaddr;
2730 int logflags = LOG_MAIN;
2731 int logchar = f.dont_deliver? '*' : '=';
2732 transport_instance *tp;
2733 uschar * serialize_key = NULL;
2734
2735 /* Pick the first undelivered address off the chain */
2736
2737 address_item *addr = addr_local;
2738 addr_local = addr->next;
2739 addr->next = NULL;
2740
2741 DEBUG(D_deliver|D_transport)
2742 debug_printf("--------> %s <--------\n", addr->address);
2743
2744 /* An internal disaster if there is no transport. Should not occur! */
2745
2746 if (!(tp = addr->transport))
2747 {
2748 logflags |= LOG_PANIC;
2749 f.disable_logging = FALSE; /* Jic */
2750 addr->message = addr->router
2751 ? string_sprintf("No transport set by %s router", addr->router->name)
2752 : string_sprintf("No transport set by system filter");
2753 post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
2754 continue;
2755 }
2756
2757 /* Check that this base address hasn't previously been delivered to this
2758 transport. The check is necessary at this point to handle homonymic addresses
2759 correctly in cases where the pattern of redirection changes between delivery
2760 attempts. Non-homonymic previous delivery is detected earlier, at routing
2761 time. */
2762
2763 if (previously_transported(addr, FALSE)) continue;
2764
2765 /* There are weird cases where logging is disabled */
2766
2767 f.disable_logging = tp->disable_logging;
2768
2769 /* Check for batched addresses and possible amalgamation. Skip all the work
2770 if either batch_max <= 1 or there aren't any other addresses for local
2771 delivery. */
2772
2773 if (tp->batch_max > 1 && addr_local)
2774 {
2775 int batch_count = 1;
2776 BOOL uses_dom = readconf_depends((driver_instance *)tp, US"domain");
2777 BOOL uses_lp = ( testflag(addr, af_pfr)
2778 && (testflag(addr, af_file) || addr->local_part[0] == '|')
2779 )
2780 || readconf_depends((driver_instance *)tp, US"local_part");
2781 uschar *batch_id = NULL;
2782 address_item **anchor = &addr_local;
2783 address_item *last = addr;
2784 address_item *next;
2785
2786 /* Expand the batch_id string for comparison with other addresses.
2787 Expansion failure suppresses batching. */
2788
2789 if (tp->batch_id)
2790 {
2791 deliver_set_expansions(addr);
2792 batch_id = expand_string(tp->batch_id);
2793 deliver_set_expansions(NULL);
2794 if (!batch_id)
2795 {
2796 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2797 "in %s transport (%s): %s", tp->name, addr->address,
2798 expand_string_message);
2799 batch_count = tp->batch_max;
2800 }
2801 }
2802
2803 /* Until we reach the batch_max limit, pick off addresses which have the
2804 same characteristics. These are:
2805
2806 same transport
2807 not previously delivered (see comment about 50 lines above)
2808 same local part if the transport's configuration contains $local_part
2809 or if this is a file or pipe delivery from a redirection
2810 same domain if the transport's configuration contains $domain
2811 same errors address
2812 same additional headers
2813 same headers to be removed
2814 same uid/gid for running the transport
2815 same first host if a host list is set
2816 */
2817
2818 while ((next = *anchor) && batch_count < tp->batch_max)
2819 {
2820 BOOL ok =
2821 tp == next->transport
2822 && !previously_transported(next, TRUE)
2823 && testflag(addr, af_pfr) == testflag(next, af_pfr)
2824 && testflag(addr, af_file) == testflag(next, af_file)
2825 && (!uses_lp || Ustrcmp(next->local_part, addr->local_part) == 0)
2826 && (!uses_dom || Ustrcmp(next->domain, addr->domain) == 0)
2827 && same_strings(next->prop.errors_address, addr->prop.errors_address)
2828 && same_headers(next->prop.extra_headers, addr->prop.extra_headers)
2829 && same_strings(next->prop.remove_headers, addr->prop.remove_headers)
2830 && same_ugid(tp, addr, next)
2831 && ( !addr->host_list && !next->host_list
2832 || addr->host_list
2833 && next->host_list
2834 && Ustrcmp(addr->host_list->name, next->host_list->name) == 0
2835 );
2836
2837 /* If the transport has a batch_id setting, batch_id will be non-NULL
2838 from the expansion outside the loop. Expand for this address and compare.
2839 Expansion failure makes this address ineligible for batching. */
2840
2841 if (ok && batch_id)
2842 {
2843 uschar *bid;
2844 address_item *save_nextnext = next->next;
2845 next->next = NULL; /* Expansion for a single address */
2846 deliver_set_expansions(next);
2847 next->next = save_nextnext;
2848 bid = expand_string(tp->batch_id);
2849 deliver_set_expansions(NULL);
2850 if (!bid)
2851 {
2852 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2853 "in %s transport (%s): %s", tp->name, next->address,
2854 expand_string_message);
2855 ok = FALSE;
2856 }
2857 else ok = (Ustrcmp(batch_id, bid) == 0);
2858 }
2859
2860 /* Take address into batch if OK. */
2861
2862 if (ok)
2863 {
2864 *anchor = next->next; /* Include the address */
2865 next->next = NULL;
2866 last->next = next;
2867 last = next;
2868 batch_count++;
2869 }
2870 else anchor = &next->next; /* Skip the address */
2871 }
2872 }
2873
2874 /* We now have one or more addresses that can be delivered in a batch. Check
2875 whether the transport is prepared to accept a message of this size. If not,
2876 fail them all forthwith. If the expansion fails, or does not yield an
2877 integer, defer delivery. */
2878
2879 if (tp->message_size_limit)
2880 {
2881 int rc = check_message_size(tp, addr);
2882 if (rc != OK)
2883 {
2884 replicate_status(addr);
2885 while (addr)
2886 {
2887 addr2 = addr->next;
2888 post_process_one(addr, rc, logflags, EXIM_DTYPE_TRANSPORT, 0);
2889 addr = addr2;
2890 }
2891 continue; /* With next batch of addresses */
2892 }
2893 }
2894
2895 /* If we are not running the queue, or if forcing, all deliveries will be
2896 attempted. Otherwise, we must respect the retry times for each address. Even
2897 when not doing this, we need to set up the retry key string, and determine
2898 whether a retry record exists, because after a successful delivery, a delete
2899 retry item must be set up. Keep the retry database open only for the duration
2900 of these checks, rather than for all local deliveries, because some local
2901 deliveries (e.g. to pipes) can take a substantial time. */
2902
2903 if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE)))
2904 {
2905 DEBUG(D_deliver|D_retry|D_hints_lookup)
2906 debug_printf("no retry data available\n");
2907 }
2908
2909 addr2 = addr;
2910 addr3 = NULL;
2911 while (addr2)
2912 {
2913 BOOL ok = TRUE; /* to deliver this address */
2914 uschar *retry_key;
2915
2916 /* Set up the retry key to include the domain or not, and change its
2917 leading character from "R" to "T". Must make a copy before doing this,
2918 because the old key may be pointed to from a "delete" retry item after
2919 a routing delay. */
2920
2921 retry_key = string_copy(
2922 tp->retry_use_local_part ? addr2->address_retry_key :
2923 addr2->domain_retry_key);
2924 *retry_key = 'T';
2925
2926 /* Inspect the retry data. If there is no hints file, delivery happens. */
2927
2928 if (dbm_file)
2929 {
2930 dbdata_retry *retry_record = dbfn_read(dbm_file, retry_key);
2931
2932 /* If there is no retry record, delivery happens. If there is,
2933 remember it exists so it can be deleted after a successful delivery. */
2934
2935 if (retry_record)
2936 {
2937 setflag(addr2, af_lt_retry_exists);
2938
2939 /* A retry record exists for this address. If queue running and not
2940 forcing, inspect its contents. If the record is too old, or if its
2941 retry time has come, or if it has passed its cutoff time, delivery
2942 will go ahead. */
2943
2944 DEBUG(D_retry)
2945 {
2946 debug_printf("retry record exists: age=%s ",
2947 readconf_printtime(now - retry_record->time_stamp));
2948 debug_printf("(max %s)\n", readconf_printtime(retry_data_expire));
2949 debug_printf(" time to retry = %s expired = %d\n",
2950 readconf_printtime(retry_record->next_try - now),
2951 retry_record->expired);
2952 }
2953
2954 if (f.queue_running && !f.deliver_force)
2955 {
2956 ok = (now - retry_record->time_stamp > retry_data_expire)
2957 || (now >= retry_record->next_try)
2958 || retry_record->expired;
2959
2960 /* If we haven't reached the retry time, there is one more check
2961 to do, which is for the ultimate address timeout. */
2962
2963 if (!ok)
2964 ok = retry_ultimate_address_timeout(retry_key, addr2->domain,
2965 retry_record, now);
2966 }
2967 }
2968 else DEBUG(D_retry) debug_printf("no retry record exists\n");
2969 }
2970
2971 /* This address is to be delivered. Leave it on the chain. */
2972
2973 if (ok)
2974 {
2975 addr3 = addr2;
2976 addr2 = addr2->next;
2977 }
2978
2979 /* This address is to be deferred. Take it out of the chain, and
2980 post-process it as complete. Must take it out of the chain first,
2981 because post processing puts it on another chain. */
2982
2983 else
2984 {
2985 address_item *this = addr2;
2986 this->message = US"Retry time not yet reached";
2987 this->basic_errno = ERRNO_LRETRY;
2988 addr2 = addr3 ? (addr3->next = addr2->next)
2989 : (addr = addr2->next);
2990 post_process_one(this, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
2991 }
2992 }
2993
2994 if (dbm_file) dbfn_close(dbm_file);
2995
2996 /* If there are no addresses left on the chain, they all deferred. Loop
2997 for the next set of addresses. */
2998
2999 if (!addr) continue;
3000
3001 /* If the transport is limited for parallellism, enforce that here.
3002 We use a hints DB entry, incremented here and decremented after
3003 the transport (and any shadow transport) completes. */
3004
3005 if (tpt_parallel_check(tp, addr, &serialize_key))
3006 {
3007 if (expand_string_message)
3008 {
3009 logflags |= LOG_PANIC;
3010 do
3011 {
3012 addr = addr->next;
3013 post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
3014 } while ((addr = addr2));
3015 }
3016 continue; /* Loop for the next set of addresses. */
3017 }
3018
3019
3020 /* So, finally, we do have some addresses that can be passed to the
3021 transport. Before doing so, set up variables that are relevant to a
3022 single delivery. */
3023
3024 deliver_set_expansions(addr);
3025
3026 gettimeofday(&delivery_start, NULL);
3027 deliver_local(addr, FALSE);
3028 timesince(&deliver_time, &delivery_start);
3029
3030 /* If a shadow transport (which must perforce be another local transport), is
3031 defined, and its condition is met, we must pass the message to the shadow
3032 too, but only those addresses that succeeded. We do this by making a new
3033 chain of addresses - also to keep the original chain uncontaminated. We must
3034 use a chain rather than doing it one by one, because the shadow transport may
3035 batch.
3036
3037 NOTE: if the condition fails because of a lookup defer, there is nothing we
3038 can do! */
3039
3040 if ( tp->shadow
3041 && ( !tp->shadow_condition
3042 || expand_check_condition(tp->shadow_condition, tp->name, US"transport")
3043 ) )
3044 {
3045 transport_instance *stp;
3046 address_item *shadow_addr = NULL;
3047 address_item **last = &shadow_addr;
3048
3049 for (stp = transports; stp; stp = stp->next)
3050 if (Ustrcmp(stp->name, tp->shadow) == 0) break;
3051
3052 if (!stp)
3053 log_write(0, LOG_MAIN|LOG_PANIC, "shadow transport \"%s\" not found ",
3054 tp->shadow);
3055
3056 /* Pick off the addresses that have succeeded, and make clones. Put into
3057 the shadow_message field a pointer to the shadow_message field of the real
3058 address. */
3059
3060 else for (addr2 = addr; addr2; addr2 = addr2->next)
3061 if (addr2->transport_return == OK)
3062 {
3063 addr3 = store_get(sizeof(address_item));
3064 *addr3 = *addr2;
3065 addr3->next = NULL;
3066 addr3->shadow_message = US &addr2->shadow_message;
3067 addr3->transport = stp;
3068 addr3->transport_return = DEFER;
3069 addr3->return_filename = NULL;
3070 addr3->return_file = -1;
3071 *last = addr3;
3072 last = &addr3->next;
3073 }
3074
3075 /* If we found any addresses to shadow, run the delivery, and stick any
3076 message back into the shadow_message field in the original. */
3077
3078 if (shadow_addr)
3079 {
3080 int save_count = transport_count;
3081
3082 DEBUG(D_deliver|D_transport)
3083 debug_printf(">>>>>>>>>>>>>>>> Shadow delivery >>>>>>>>>>>>>>>>\n");
3084 deliver_local(shadow_addr, TRUE);
3085
3086 for(; shadow_addr; shadow_addr = shadow_addr->next)
3087 {
3088 int sresult = shadow_addr->transport_return;
3089 *(uschar **)shadow_addr->shadow_message =
3090 sresult == OK
3091 ? string_sprintf(" ST=%s", stp->name)
3092 : string_sprintf(" ST=%s (%s%s%s)", stp->name,
3093 shadow_addr->basic_errno <= 0
3094 ? US""
3095 : US strerror(shadow_addr->basic_errno),
3096 shadow_addr->basic_errno <= 0 || !shadow_addr->message
3097 ? US""
3098 : US": ",
3099 shadow_addr->message
3100 ? shadow_addr->message
3101 : shadow_addr->basic_errno <= 0
3102 ? US"unknown error"
3103 : US"");
3104
3105 DEBUG(D_deliver|D_transport)
3106 debug_printf("%s shadow transport returned %s for %s\n",
3107 stp->name, rc_to_string(sresult), shadow_addr->address);
3108 }
3109
3110 DEBUG(D_deliver|D_transport)
3111 debug_printf(">>>>>>>>>>>>>>>> End shadow delivery >>>>>>>>>>>>>>>>\n");
3112
3113 transport_count = save_count; /* Restore original transport count */
3114 }
3115 }
3116
3117 /* Cancel the expansions that were set up for the delivery. */
3118
3119 deliver_set_expansions(NULL);
3120
3121 /* If the transport was parallelism-limited, decrement the hints DB record. */
3122
3123 if (serialize_key) enq_end(serialize_key);
3124
3125 /* Now we can process the results of the real transport. We must take each
3126 address off the chain first, because post_process_one() puts it on another
3127 chain. */
3128
3129 for (addr2 = addr; addr2; addr2 = nextaddr)
3130 {
3131 int result = addr2->transport_return;
3132 nextaddr = addr2->next;
3133
3134 DEBUG(D_deliver|D_transport)
3135 debug_printf("%s transport returned %s for %s\n",
3136 tp->name, rc_to_string(result), addr2->address);
3137
3138 /* If there is a retry_record, or if delivery is deferred, build a retry
3139 item for setting a new retry time or deleting the old retry record from
3140 the database. These items are handled all together after all addresses
3141 have been handled (so the database is open just for a short time for
3142 updating). */
3143
3144 if (result == DEFER || testflag(addr2, af_lt_retry_exists))
3145 {
3146 int flags = result == DEFER ? 0 : rf_delete;
3147 uschar *retry_key = string_copy(tp->retry_use_local_part
3148 ? addr2->address_retry_key : addr2->domain_retry_key);
3149 *retry_key = 'T';
3150 retry_add_item(addr2, retry_key, flags);
3151 }
3152
3153 /* Done with this address */
3154
3155 if (result == OK)
3156 {
3157 addr2->more_errno = deliver_time.tv_sec;
3158 addr2->delivery_usec = deliver_time.tv_usec;
3159 }
3160 post_process_one(addr2, result, logflags, EXIM_DTYPE_TRANSPORT, logchar);
3161
3162 /* If a pipe delivery generated text to be sent back, the result may be
3163 changed to FAIL, and we must copy this for subsequent addresses in the
3164 batch. */
3165
3166 if (addr2->transport_return != result)
3167 {
3168 for (addr3 = nextaddr; addr3; addr3 = addr3->next)
3169 {
3170 addr3->transport_return = addr2->transport_return;
3171 addr3->basic_errno = addr2->basic_errno;
3172 addr3->message = addr2->message;
3173 }
3174 result = addr2->transport_return;
3175 }
3176
3177 /* Whether or not the result was changed to FAIL, we need to copy the
3178 return_file value from the first address into all the addresses of the
3179 batch, so they are all listed in the error message. */
3180
3181 addr2->return_file = addr->return_file;
3182
3183 /* Change log character for recording successful deliveries. */
3184
3185 if (result == OK) logchar = '-';
3186 }
3187 } /* Loop back for next batch of addresses */
3188 }
3189
3190
3191
3192
3193 /*************************************************
3194 * Sort remote deliveries *
3195 *************************************************/
3196
3197 /* This function is called if remote_sort_domains is set. It arranges that the
3198 chain of addresses for remote deliveries is ordered according to the strings
3199 specified. Try to make this shuffling reasonably efficient by handling
3200 sequences of addresses rather than just single ones.
3201
3202 Arguments: None
3203 Returns: Nothing
3204 */
3205
3206 static void
3207 sort_remote_deliveries(void)
3208 {
3209 int sep = 0;
3210 address_item **aptr = &addr_remote;
3211 const uschar *listptr = remote_sort_domains;
3212 uschar *pattern;
3213 uschar patbuf[256];
3214
3215 while ( *aptr
3216 && (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf)))
3217 )
3218 {
3219 address_item *moved = NULL;
3220 address_item **bptr = &moved;
3221
3222 while (*aptr)
3223 {
3224 address_item **next;
3225 deliver_domain = (*aptr)->domain; /* set $domain */
3226 if (match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
3227 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
3228 {
3229 aptr = &(*aptr)->next;
3230 continue;
3231 }
3232
3233 next = &(*aptr)->next;
3234 while ( *next
3235 && (deliver_domain = (*next)->domain, /* Set $domain */
3236 match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
3237 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) != OK
3238 )
3239 next = &(*next)->next;
3240
3241 /* If the batch of non-matchers is at the end, add on any that were
3242 extracted further up the chain, and end this iteration. Otherwise,
3243 extract them from the chain and hang on the moved chain. */
3244
3245 if (!*next)
3246 {
3247 *next = moved;
3248 break;
3249 }
3250
3251 *bptr = *aptr;
3252 *aptr = *next;
3253 *next = NULL;
3254 bptr = next;
3255 aptr = &(*aptr)->next;
3256 }
3257
3258 /* If the loop ended because the final address matched, *aptr will
3259 be NULL. Add on to the end any extracted non-matching addresses. If
3260 *aptr is not NULL, the loop ended via "break" when *next is null, that
3261 is, there was a string of non-matching addresses at the end. In this
3262 case the extracted addresses have already been added on the end. */
3263
3264 if (!*aptr) *aptr = moved;
3265 }
3266
3267 DEBUG(D_deliver)
3268 {
3269 debug_printf("remote addresses after sorting:\n");
3270 for (address_item * addr = addr_remote; addr; addr = addr->next)
3271 debug_printf(" %s\n", addr->address);
3272 }
3273 }
3274
3275
3276
3277 /*************************************************
3278 * Read from pipe for remote delivery subprocess *
3279 *************************************************/
3280
3281 /* This function is called when the subprocess is complete, but can also be
3282 called before it is complete, in order to empty a pipe that is full (to prevent
3283 deadlock). It must therefore keep track of its progress in the parlist data
3284 block.
3285
3286 We read the pipe to get the delivery status codes and a possible error message
3287 for each address, optionally preceded by unusability data for the hosts and
3288 also by optional retry data.
3289
3290 Read in large chunks into the big buffer and then scan through, interpreting
3291 the data therein. In most cases, only a single read will be necessary. No
3292 individual item will ever be anywhere near 2500 bytes in length, so by ensuring
3293 that we read the next chunk when there is less than 2500 bytes left in the
3294 non-final chunk, we can assume each item is complete in the buffer before
3295 handling it. Each item is written using a single write(), which is atomic for
3296 small items (less than PIPE_BUF, which seems to be at least 512 in any Unix and
3297 often bigger) so even if we are reading while the subprocess is still going, we
3298 should never have only a partial item in the buffer.
3299
3300 hs12: This assumption is not true anymore, since we get quite large items (certificate
3301 information and such).
3302
3303 Argument:
3304 poffset the offset of the parlist item
3305 eop TRUE if the process has completed
3306
3307 Returns: TRUE if the terminating 'Z' item has been read,
3308 or there has been a disaster (i.e. no more data needed);
3309 FALSE otherwise
3310 */
3311
3312 static BOOL
3313 par_read_pipe(int poffset, BOOL eop)
3314 {
3315 host_item *h;
3316 pardata *p = parlist + poffset;
3317 address_item *addrlist = p->addrlist;
3318 address_item *addr = p->addr;
3319 pid_t pid = p->pid;
3320 int fd = p->fd;
3321
3322 uschar *msg = p->msg;
3323 BOOL done = p->done;
3324
3325 /* Loop through all items, reading from the pipe when necessary. The pipe
3326 used to be non-blocking. But I do not see a reason for using non-blocking I/O
3327 here, as the preceding select() tells us, if data is available for reading.
3328
3329 A read() on a "selected" handle should never block, but(!) it may return
3330 less data then we expected. (The buffer size we pass to read() shouldn't be
3331 understood as a "request", but as a "limit".)
3332
3333 Each separate item is written to the pipe in a timely manner. But, especially for
3334 larger items, the read(2) may already return partial data from the write(2).
3335
3336 The write is atomic mostly (depending on the amount written), but atomic does
3337 not imply "all or noting", it just is "not intermixed" with other writes on the
3338 same channel (pipe).
3339
3340 */
3341
3342 DEBUG(D_deliver) debug_printf("reading pipe for subprocess %d (%s)\n",
3343 (int)p->pid, eop? "ended" : "not ended yet");
3344
3345 while (!done)
3346 {
3347 retry_item *r, **rp;
3348 uschar pipeheader[PIPE_HEADER_SIZE+1];
3349 uschar *id = &pipeheader[0];
3350 uschar *subid = &pipeheader[1];
3351 uschar *ptr = big_buffer;
3352 size_t required = PIPE_HEADER_SIZE; /* first the pipehaeder, later the data */
3353 ssize_t got;
3354
3355 DEBUG(D_deliver) debug_printf(
3356 "expect %lu bytes (pipeheader) from tpt process %d\n", (u_long)required, pid);
3357
3358 /* We require(!) all the PIPE_HEADER_SIZE bytes here, as we know,
3359 they're written in a timely manner, so waiting for the write shouldn't hurt a lot.
3360 If we get less, we can assume the subprocess do be done and do not expect any further
3361 information from it. */
3362
3363 if ((got = readn(fd, pipeheader, required)) != required)
3364 {
3365 msg = string_sprintf("got " SSIZE_T_FMT " of %d bytes (pipeheader) "
3366 "from transport process %d for transport %s",
3367 got, PIPE_HEADER_SIZE, pid, addr->transport->driver_name);
3368 done = TRUE;
3369 break;
3370 }
3371
3372 pipeheader[PIPE_HEADER_SIZE] = '\0';
3373 DEBUG(D_deliver)
3374 debug_printf("got %ld bytes (pipeheader) from transport process %d\n",
3375 (long) got, pid);
3376
3377 {
3378 /* If we can't decode the pipeheader, the subprocess seems to have a
3379 problem, we do not expect any furher information from it. */
3380 char *endc;
3381 required = Ustrtol(pipeheader+2, &endc, 10);
3382 if (*endc)
3383 {
3384 msg = string_sprintf("failed to read pipe "
3385 "from transport process %d for transport %s: error decoding size from header",
3386 pid, addr->transport->driver_name);
3387 done = TRUE;
3388 break;
3389 }
3390 }
3391
3392 DEBUG(D_deliver)
3393 debug_printf("expect %lu bytes (pipedata) from transport process %d\n",
3394 (u_long)required, pid);
3395
3396 /* Same as above, the transport process will write the bytes announced
3397 in a timely manner, so we can just wait for the bytes, getting less than expected
3398 is considered a problem of the subprocess, we do not expect anything else from it. */
3399 if ((got = readn(fd, big_buffer, required)) != required)
3400 {
3401 msg = string_sprintf("got only " SSIZE_T_FMT " of " SIZE_T_FMT
3402 " bytes (pipedata) from transport process %d for transport %s",
3403 got, required, pid, addr->transport->driver_name);
3404 done = TRUE;
3405 break;
3406 }
3407
3408 /* Handle each possible type of item, assuming the complete item is
3409 available in store. */
3410
3411 switch (*id)
3412 {
3413 /* Host items exist only if any hosts were marked unusable. Match
3414 up by checking the IP address. */
3415
3416 case 'H':
3417 for (h = addrlist->host_list; h; h = h->next)
3418 {
3419 if (!h->address || Ustrcmp(h->address, ptr+2) != 0) continue;
3420 h->status = ptr[0];
3421 h->why = ptr[1];
3422 }
3423 ptr += 2;
3424 while (*ptr++);
3425 break;
3426
3427 /* Retry items are sent in a preceding R item for each address. This is
3428 kept separate to keep each message short enough to guarantee it won't
3429 be split in the pipe. Hopefully, in the majority of cases, there won't in
3430 fact be any retry items at all.
3431
3432 The complete set of retry items might include an item to delete a
3433 routing retry if there was a previous routing delay. However, routing
3434 retries are also used when a remote transport identifies an address error.
3435 In that case, there may also be an "add" item for the same key. Arrange
3436 that a "delete" item is dropped in favour of an "add" item. */
3437
3438 case 'R':
3439 if (!addr) goto ADDR_MISMATCH;
3440
3441 DEBUG(D_deliver|D_retry)
3442 debug_printf("reading retry information for %s from subprocess\n",
3443 ptr+1);
3444
3445 /* Cut out any "delete" items on the list. */
3446
3447 for (rp = &addr->retries; (r = *rp); rp = &r->next)
3448 if (Ustrcmp(r->key, ptr+1) == 0) /* Found item with same key */
3449 {
3450 if (!(r->flags & rf_delete)) break; /* It was not "delete" */
3451 *rp = r->next; /* Excise a delete item */
3452 DEBUG(D_deliver|D_retry)
3453 debug_printf(" existing delete item dropped\n");
3454 }
3455
3456 /* We want to add a delete item only if there is no non-delete item;
3457 however we still have to step ptr through the data. */
3458
3459 if (!r || !(*ptr & rf_delete))
3460 {
3461 r = store_get(sizeof(retry_item));