Copyright updates:
[exim.git] / src / src / exim.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8
9
10 /* The main function: entry point, initialization, and high-level control.
11 Also a few functions that don't naturally fit elsewhere. */
12
13
14 #include "exim.h"
15
16 #if defined(__GLIBC__) && !defined(__UCLIBC__)
17 # include <gnu/libc-version.h>
18 #endif
19
20 #ifdef USE_GNUTLS
21 # include <gnutls/gnutls.h>
22 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
23 # define DISABLE_OCSP
24 # endif
25 #endif
26
27 #ifndef _TIME_H
28 # include <time.h>
29 #endif
30
31 extern void init_lookup_list(void);
32
33
34
35 /*************************************************
36 * Function interface to store functions *
37 *************************************************/
38
39 /* We need some real functions to pass to the PCRE regular expression library
40 for store allocation via Exim's store manager. The normal calls are actually
41 macros that pass over location information to make tracing easier. These
42 functions just interface to the standard macro calls. A good compiler will
43 optimize out the tail recursion and so not make them too expensive. There
44 are two sets of functions; one for use when we want to retain the compiled
45 regular expression for a long time; the other for short-term use. */
46
47 static void *
48 function_store_get(size_t size)
49 {
50 /* For now, regard all RE results as potentially tainted. We might need
51 more intelligence on this point. */
52 return store_get((int)size, TRUE);
53 }
54
55 static void
56 function_dummy_free(void *block) { block = block; }
57
58 static void *
59 function_store_malloc(size_t size)
60 {
61 return store_malloc((int)size);
62 }
63
64 static void
65 function_store_free(void *block)
66 {
67 store_free(block);
68 }
69
70
71
72
73 /*************************************************
74 * Enums for cmdline interface *
75 *************************************************/
76
77 enum commandline_info { CMDINFO_NONE=0,
78 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
79
80
81
82
83 /*************************************************
84 * Compile regular expression and panic on fail *
85 *************************************************/
86
87 /* This function is called when failure to compile a regular expression leads
88 to a panic exit. In other cases, pcre_compile() is called directly. In many
89 cases where this function is used, the results of the compilation are to be
90 placed in long-lived store, so we temporarily reset the store management
91 functions that PCRE uses if the use_malloc flag is set.
92
93 Argument:
94 pattern the pattern to compile
95 caseless TRUE if caseless matching is required
96 use_malloc TRUE if compile into malloc store
97
98 Returns: pointer to the compiled pattern
99 */
100
101 const pcre *
102 regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
103 {
104 int offset;
105 int options = PCRE_COPT;
106 const pcre *yield;
107 const uschar *error;
108 if (use_malloc)
109 {
110 pcre_malloc = function_store_malloc;
111 pcre_free = function_store_free;
112 }
113 if (caseless) options |= PCRE_CASELESS;
114 yield = pcre_compile(CCS pattern, options, CCSS &error, &offset, NULL);
115 pcre_malloc = function_store_get;
116 pcre_free = function_dummy_free;
117 if (yield == NULL)
118 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
119 "%s at offset %d while compiling %s", error, offset, pattern);
120 return yield;
121 }
122
123
124
125
126 /*************************************************
127 * Execute regular expression and set strings *
128 *************************************************/
129
130 /* This function runs a regular expression match, and sets up the pointers to
131 the matched substrings.
132
133 Arguments:
134 re the compiled expression
135 subject the subject string
136 options additional PCRE options
137 setup if < 0 do full setup
138 if >= 0 setup from setup+1 onwards,
139 excluding the full matched string
140
141 Returns: TRUE or FALSE
142 */
143
144 BOOL
145 regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
146 {
147 int ovector[3*(EXPAND_MAXN+1)];
148 uschar * s = string_copy(subject); /* de-constifying */
149 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
150 PCRE_EOPT | options, ovector, nelem(ovector));
151 BOOL yield = n >= 0;
152 if (n == 0) n = EXPAND_MAXN + 1;
153 if (yield)
154 {
155 expand_nmax = setup < 0 ? 0 : setup + 1;
156 for (int nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
157 {
158 expand_nstring[expand_nmax] = s + ovector[nn];
159 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
160 }
161 expand_nmax--;
162 }
163 return yield;
164 }
165
166
167
168
169 /*************************************************
170 * Set up processing details *
171 *************************************************/
172
173 /* Save a text string for dumping when SIGUSR1 is received.
174 Do checks for overruns.
175
176 Arguments: format and arguments, as for printf()
177 Returns: nothing
178 */
179
180 void
181 set_process_info(const char *format, ...)
182 {
183 gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
184 gstring * g;
185 int len;
186 va_list ap;
187
188 g = string_fmt_append(&gs, "%5d ", (int)getpid());
189 len = g->ptr;
190 va_start(ap, format);
191 if (!string_vformat(g, 0, format, ap))
192 {
193 gs.ptr = len;
194 g = string_cat(&gs, US"**** string overflowed buffer ****");
195 }
196 g = string_catn(g, US"\n", 1);
197 string_from_gstring(g);
198 process_info_len = g->ptr;
199 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
200 va_end(ap);
201 }
202
203 /***********************************************
204 * Handler for SIGTERM *
205 ***********************************************/
206
207 static void
208 term_handler(int sig)
209 {
210 exit(1);
211 }
212
213
214 /*************************************************
215 * Handler for SIGUSR1 *
216 *************************************************/
217
218 /* SIGUSR1 causes any exim process to write to the process log details of
219 what it is currently doing. It will only be used if the OS is capable of
220 setting up a handler that causes automatic restarting of any system call
221 that is in progress at the time.
222
223 This function takes care to be signal-safe.
224
225 Argument: the signal number (SIGUSR1)
226 Returns: nothing
227 */
228
229 static void
230 usr1_handler(int sig)
231 {
232 int fd;
233
234 os_restarting_signal(sig, usr1_handler);
235
236 if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
237 {
238 /* If we are already running as the Exim user, try to create it in the
239 current process (assuming spool_directory exists). Otherwise, if we are
240 root, do the creation in an exim:exim subprocess. */
241
242 int euid = geteuid();
243 if (euid == exim_uid)
244 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
245 else if (euid == root_uid)
246 fd = log_create_as_exim(process_log_path);
247 }
248
249 /* If we are neither exim nor root, or if we failed to create the log file,
250 give up. There is not much useful we can do with errors, since we don't want
251 to disrupt whatever is going on outside the signal handler. */
252
253 if (fd < 0) return;
254
255 (void)write(fd, process_info, process_info_len);
256 (void)close(fd);
257 }
258
259
260
261 /*************************************************
262 * Timeout handler *
263 *************************************************/
264
265 /* This handler is enabled most of the time that Exim is running. The handler
266 doesn't actually get used unless alarm() has been called to set a timer, to
267 place a time limit on a system call of some kind. When the handler is run, it
268 re-enables itself.
269
270 There are some other SIGALRM handlers that are used in special cases when more
271 than just a flag setting is required; for example, when reading a message's
272 input. These are normally set up in the code module that uses them, and the
273 SIGALRM handler is reset to this one afterwards.
274
275 Argument: the signal value (SIGALRM)
276 Returns: nothing
277 */
278
279 void
280 sigalrm_handler(int sig)
281 {
282 sig = sig; /* Keep picky compilers happy */
283 sigalrm_seen = TRUE;
284 os_non_restarting_signal(SIGALRM, sigalrm_handler);
285 }
286
287
288
289 /*************************************************
290 * Sleep for a fractional time interval *
291 *************************************************/
292
293 /* This function is called by millisleep() and exim_wait_tick() to wait for a
294 period of time that may include a fraction of a second. The coding is somewhat
295 tedious. We do not expect setitimer() ever to fail, but if it does, the process
296 will wait for ever, so we panic in this instance. (There was a case of this
297 when a bug in a function that calls milliwait() caused it to pass invalid data.
298 That's when I added the check. :-)
299
300 We assume it to be not worth sleeping for under 50us; this value will
301 require revisiting as hardware advances. This avoids the issue of
302 a zero-valued timer setting meaning "never fire".
303
304 Argument: an itimerval structure containing the interval
305 Returns: nothing
306 */
307
308 static void
309 milliwait(struct itimerval *itval)
310 {
311 sigset_t sigmask;
312 sigset_t old_sigmask;
313 int save_errno = errno;
314
315 if (itval->it_value.tv_usec < 50 && itval->it_value.tv_sec == 0)
316 return;
317 (void)sigemptyset(&sigmask); /* Empty mask */
318 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
319 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
320 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
321 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
322 "setitimer() failed: %s", strerror(errno));
323 (void)sigfillset(&sigmask); /* All signals */
324 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
325 (void)sigsuspend(&sigmask); /* Until SIGALRM */
326 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
327 errno = save_errno;
328 sigalrm_seen = FALSE;
329 }
330
331
332
333
334 /*************************************************
335 * Millisecond sleep function *
336 *************************************************/
337
338 /* The basic sleep() function has a granularity of 1 second, which is too rough
339 in some cases - for example, when using an increasing delay to slow down
340 spammers.
341
342 Argument: number of millseconds
343 Returns: nothing
344 */
345
346 void
347 millisleep(int msec)
348 {
349 struct itimerval itval = {.it_interval = {.tv_sec = 0, .tv_usec = 0},
350 .it_value = {.tv_sec = msec/1000,
351 .tv_usec = (msec % 1000) * 1000}};
352 milliwait(&itval);
353 }
354
355
356
357 /*************************************************
358 * Compare microsecond times *
359 *************************************************/
360
361 /*
362 Arguments:
363 tv1 the first time
364 tv2 the second time
365
366 Returns: -1, 0, or +1
367 */
368
369 static int
370 exim_tvcmp(struct timeval *t1, struct timeval *t2)
371 {
372 if (t1->tv_sec > t2->tv_sec) return +1;
373 if (t1->tv_sec < t2->tv_sec) return -1;
374 if (t1->tv_usec > t2->tv_usec) return +1;
375 if (t1->tv_usec < t2->tv_usec) return -1;
376 return 0;
377 }
378
379
380
381
382 /*************************************************
383 * Clock tick wait function *
384 *************************************************/
385
386 #ifdef _POSIX_MONOTONIC_CLOCK
387 /* Amount CLOCK_MONOTONIC is behind realtime, at startup. */
388 static struct timespec offset_ts;
389
390 static void
391 exim_clock_init(void)
392 {
393 struct timeval tv;
394 if (clock_gettime(CLOCK_MONOTONIC, &offset_ts) != 0) return;
395 (void)gettimeofday(&tv, NULL);
396 offset_ts.tv_sec = tv.tv_sec - offset_ts.tv_sec;
397 offset_ts.tv_nsec = tv.tv_usec * 1000 - offset_ts.tv_nsec;
398 if (offset_ts.tv_nsec >= 0) return;
399 offset_ts.tv_sec--;
400 offset_ts.tv_nsec += 1000*1000*1000;
401 }
402 #endif
403
404
405 /* Exim uses a time + a pid to generate a unique identifier in two places: its
406 message IDs, and in file names for maildir deliveries. Because some OS now
407 re-use pids within the same second, sub-second times are now being used.
408 However, for absolute certainty, we must ensure the clock has ticked before
409 allowing the relevant process to complete. At the time of implementation of
410 this code (February 2003), the speed of processors is such that the clock will
411 invariably have ticked already by the time a process has done its job. This
412 function prepares for the time when things are faster - and it also copes with
413 clocks that go backwards.
414
415 Arguments:
416 tgt_tv A timeval which was used to create uniqueness; its usec field
417 has been rounded down to the value of the resolution.
418 We want to be sure the current time is greater than this.
419 resolution The resolution that was used to divide the microseconds
420 (1 for maildir, larger for message ids)
421
422 Returns: nothing
423 */
424
425 void
426 exim_wait_tick(struct timeval * tgt_tv, int resolution)
427 {
428 struct timeval now_tv;
429 long int now_true_usec;
430
431 #ifdef _POSIX_MONOTONIC_CLOCK
432 struct timespec now_ts;
433
434 if (clock_gettime(CLOCK_MONOTONIC, &now_ts) == 0)
435 {
436 now_ts.tv_sec += offset_ts.tv_sec;
437 if ((now_ts.tv_nsec += offset_ts.tv_nsec) >= 1000*1000*1000)
438 {
439 now_ts.tv_sec++;
440 now_ts.tv_nsec -= 1000*1000*1000;
441 }
442 now_tv.tv_sec = now_ts.tv_sec;
443 now_true_usec = (now_ts.tv_nsec / (resolution * 1000)) * resolution;
444 now_tv.tv_usec = now_true_usec;
445 }
446 else
447 #endif
448 {
449 (void)gettimeofday(&now_tv, NULL);
450 now_true_usec = now_tv.tv_usec;
451 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
452 }
453
454 while (exim_tvcmp(&now_tv, tgt_tv) <= 0)
455 {
456 struct itimerval itval;
457 itval.it_interval.tv_sec = 0;
458 itval.it_interval.tv_usec = 0;
459 itval.it_value.tv_sec = tgt_tv->tv_sec - now_tv.tv_sec;
460 itval.it_value.tv_usec = tgt_tv->tv_usec + resolution - now_true_usec;
461
462 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
463 negative value for the microseconds is possible only in the case when "now"
464 is more than a second less than "tgt". That means that itval.it_value.tv_sec
465 is greater than zero. The following correction is therefore safe. */
466
467 if (itval.it_value.tv_usec < 0)
468 {
469 itval.it_value.tv_usec += 1000000;
470 itval.it_value.tv_sec -= 1;
471 }
472
473 DEBUG(D_transport|D_receive)
474 {
475 if (!f.running_in_test_harness)
476 {
477 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
478 tgt_tv->tv_sec, (long) tgt_tv->tv_usec,
479 now_tv.tv_sec, (long) now_tv.tv_usec);
480 debug_printf("waiting " TIME_T_FMT ".%06lu sec\n",
481 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
482 }
483 }
484
485 milliwait(&itval);
486
487 /* Be prapared to go around if the kernel does not implement subtick
488 granularity (GNU Hurd) */
489
490 (void)gettimeofday(&now_tv, NULL);
491 now_true_usec = now_tv.tv_usec;
492 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
493 }
494 }
495
496
497
498
499 /*************************************************
500 * Call fopen() with umask 777 and adjust mode *
501 *************************************************/
502
503 /* Exim runs with umask(0) so that files created with open() have the mode that
504 is specified in the open() call. However, there are some files, typically in
505 the spool directory, that are created with fopen(). They end up world-writeable
506 if no precautions are taken. Although the spool directory is not accessible to
507 the world, this is an untidiness. So this is a wrapper function for fopen()
508 that sorts out the mode of the created file.
509
510 Arguments:
511 filename the file name
512 options the fopen() options
513 mode the required mode
514
515 Returns: the fopened FILE or NULL
516 */
517
518 FILE *
519 modefopen(const uschar *filename, const char *options, mode_t mode)
520 {
521 mode_t saved_umask = umask(0777);
522 FILE *f = Ufopen(filename, options);
523 (void)umask(saved_umask);
524 if (f != NULL) (void)fchmod(fileno(f), mode);
525 return f;
526 }
527
528
529 /*************************************************
530 * Ensure stdin, stdout, and stderr exist *
531 *************************************************/
532
533 /* Some operating systems grumble if an exec() happens without a standard
534 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
535 file will be opened and will use these fd values, and then some other bit of
536 code will assume, for example, that it can write error messages to stderr.
537 This function ensures that fds 0, 1, and 2 are open if they do not already
538 exist, by connecting them to /dev/null.
539
540 This function is also used to ensure that std{in,out,err} exist at all times,
541 so that if any library that Exim calls tries to use them, it doesn't crash.
542
543 Arguments: None
544 Returns: Nothing
545 */
546
547 void
548 exim_nullstd(void)
549 {
550 int devnull = -1;
551 struct stat statbuf;
552 for (int i = 0; i <= 2; i++)
553 {
554 if (fstat(i, &statbuf) < 0 && errno == EBADF)
555 {
556 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
557 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
558 string_open_failed(errno, "/dev/null", NULL));
559 if (devnull != i) (void)dup2(devnull, i);
560 }
561 }
562 if (devnull > 2) (void)close(devnull);
563 }
564
565
566
567
568 /*************************************************
569 * Close unwanted file descriptors for delivery *
570 *************************************************/
571
572 /* This function is called from a new process that has been forked to deliver
573 an incoming message, either directly, or using exec.
574
575 We want any smtp input streams to be closed in this new process. However, it
576 has been observed that using fclose() here causes trouble. When reading in -bS
577 input, duplicate copies of messages have been seen. The files will be sharing a
578 file pointer with the parent process, and it seems that fclose() (at least on
579 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
580 least sometimes. Hence we go for closing the underlying file descriptors.
581
582 If TLS is active, we want to shut down the TLS library, but without molesting
583 the parent's SSL connection.
584
585 For delivery of a non-SMTP message, we want to close stdin and stdout (and
586 stderr unless debugging) because the calling process might have set them up as
587 pipes and be waiting for them to close before it waits for the submission
588 process to terminate. If they aren't closed, they hold up the calling process
589 until the initial delivery process finishes, which is not what we want.
590
591 Exception: We do want it for synchronous delivery!
592
593 And notwithstanding all the above, if D_resolver is set, implying resolver
594 debugging, leave stdout open, because that's where the resolver writes its
595 debugging output.
596
597 When we close stderr (which implies we've also closed stdout), we also get rid
598 of any controlling terminal.
599
600 Arguments: None
601 Returns: Nothing
602 */
603
604 static void
605 close_unwanted(void)
606 {
607 if (smtp_input)
608 {
609 #ifndef DISABLE_TLS
610 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
611 #endif
612 (void)close(fileno(smtp_in));
613 (void)close(fileno(smtp_out));
614 smtp_in = NULL;
615 }
616 else
617 {
618 (void)close(0); /* stdin */
619 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
620 if (debug_selector == 0) /* stderr */
621 {
622 if (!f.synchronous_delivery)
623 {
624 (void)close(2);
625 log_stderr = NULL;
626 }
627 (void)setsid();
628 }
629 }
630 }
631
632
633
634
635 /*************************************************
636 * Set uid and gid *
637 *************************************************/
638
639 /* This function sets a new uid and gid permanently, optionally calling
640 initgroups() to set auxiliary groups. There are some special cases when running
641 Exim in unprivileged modes. In these situations the effective uid will not be
642 root; if we already have the right effective uid/gid, and don't need to
643 initialize any groups, leave things as they are.
644
645 Arguments:
646 uid the uid
647 gid the gid
648 igflag TRUE if initgroups() wanted
649 msg text to use in debugging output and failure log
650
651 Returns: nothing; bombs out on failure
652 */
653
654 void
655 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
656 {
657 uid_t euid = geteuid();
658 gid_t egid = getegid();
659
660 if (euid == root_uid || euid != uid || egid != gid || igflag)
661 {
662 /* At least one OS returns +1 for initgroups failure, so just check for
663 non-zero. */
664
665 if (igflag)
666 {
667 struct passwd *pw = getpwuid(uid);
668 if (!pw)
669 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
670 "no passwd entry for uid=%ld", (long int)uid);
671
672 if (initgroups(pw->pw_name, gid) != 0)
673 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
674 (long int)uid, strerror(errno));
675 }
676
677 if (setgid(gid) < 0 || setuid(uid) < 0)
678 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
679 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
680 }
681
682 /* Debugging output included uid/gid and all groups */
683
684 DEBUG(D_uid)
685 {
686 int group_count, save_errno;
687 gid_t group_list[EXIM_GROUPLIST_SIZE];
688 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
689 (long int)geteuid(), (long int)getegid(), (long int)getpid());
690 group_count = getgroups(nelem(group_list), group_list);
691 save_errno = errno;
692 debug_printf(" auxiliary group list:");
693 if (group_count > 0)
694 for (int i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
695 else if (group_count < 0)
696 debug_printf(" <error: %s>", strerror(save_errno));
697 else debug_printf(" <none>");
698 debug_printf("\n");
699 }
700 }
701
702
703
704
705 /*************************************************
706 * Exit point *
707 *************************************************/
708
709 /* Exim exits via this function so that it always clears up any open
710 databases.
711
712 Arguments:
713 rc return code
714
715 Returns: does not return
716 */
717
718 void
719 exim_exit(int rc)
720 {
721 search_tidyup();
722 store_exit();
723 DEBUG(D_any)
724 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d (%s) terminating with rc=%d "
725 ">>>>>>>>>>>>>>>>\n",
726 (int)getpid(), process_purpose, rc);
727 exit(rc);
728 }
729
730
731 void
732 exim_underbar_exit(int rc)
733 {
734 store_exit();
735 DEBUG(D_any)
736 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d (%s) terminating with rc=%d "
737 ">>>>>>>>>>>>>>>>\n",
738 (int)getpid(), process_purpose, rc);
739 _exit(rc);
740 }
741
742
743
744 /* Print error string, then die */
745 static void
746 exim_fail(const char * fmt, ...)
747 {
748 va_list ap;
749 va_start(ap, fmt);
750 vfprintf(stderr, fmt, ap);
751 exit(EXIT_FAILURE);
752 }
753
754 /* exim_chown_failure() called from exim_chown()/exim_fchown() on failure
755 of chown()/fchown(). See src/functions.h for more explanation */
756 int
757 exim_chown_failure(int fd, const uschar *name, uid_t owner, gid_t group)
758 {
759 int saved_errno = errno; /* from the preceeding chown call */
760 #if 1
761 log_write(0, LOG_MAIN|LOG_PANIC,
762 __FILE__ ":%d: chown(%s, %d:%d) failed (%s)."
763 " Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391",
764 __LINE__, name?name:US"<unknown>", owner, group, strerror(errno));
765 #else
766 /* I leave this here, commented, in case the "bug"(?) comes up again.
767 It is not an Exim bug, but we can provide a workaround.
768 See Bug 2391
769 HS 2019-04-18 */
770
771 struct stat buf;
772
773 if (0 == (fd < 0 ? stat(name, &buf) : fstat(fd, &buf)))
774 {
775 if (buf.st_uid == owner && buf.st_gid == group) return 0;
776 log_write(0, LOG_MAIN|LOG_PANIC, "Wrong ownership on %s", name);
777 }
778 else log_write(0, LOG_MAIN|LOG_PANIC, "Stat failed on %s: %s", name, strerror(errno));
779
780 #endif
781 errno = saved_errno;
782 return -1;
783 }
784
785
786 /*************************************************
787 * Extract port from host address *
788 *************************************************/
789
790 /* Called to extract the port from the values given to -oMa and -oMi.
791 It also checks the syntax of the address, and terminates it before the
792 port data when a port is extracted.
793
794 Argument:
795 address the address, with possible port on the end
796
797 Returns: the port, or zero if there isn't one
798 bombs out on a syntax error
799 */
800
801 static int
802 check_port(uschar *address)
803 {
804 int port = host_address_extract_port(address);
805 if (string_is_ip_address(address, NULL) == 0)
806 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
807 return port;
808 }
809
810
811
812 /*************************************************
813 * Test/verify an address *
814 *************************************************/
815
816 /* This function is called by the -bv and -bt code. It extracts a working
817 address from a full RFC 822 address. This isn't really necessary per se, but it
818 has the effect of collapsing source routes.
819
820 Arguments:
821 s the address string
822 flags flag bits for verify_address()
823 exit_value to be set for failures
824
825 Returns: nothing
826 */
827
828 static void
829 test_address(uschar *s, int flags, int *exit_value)
830 {
831 int start, end, domain;
832 uschar *parse_error = NULL;
833 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
834 FALSE);
835 if (!address)
836 {
837 fprintf(stdout, "syntax error: %s\n", parse_error);
838 *exit_value = 2;
839 }
840 else
841 {
842 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
843 -1, -1, NULL, NULL, NULL);
844 if (rc == FAIL) *exit_value = 2;
845 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
846 }
847 }
848
849
850
851 /*************************************************
852 * Show supported features *
853 *************************************************/
854
855 static void
856 show_db_version(FILE * f)
857 {
858 #ifdef DB_VERSION_STRING
859 DEBUG(D_any)
860 {
861 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
862 fprintf(f, " Runtime: %s\n",
863 db_version(NULL, NULL, NULL));
864 }
865 else
866 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
867
868 #elif defined(BTREEVERSION) && defined(HASHVERSION)
869 #ifdef USE_DB
870 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
871 #else
872 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
873 #endif
874
875 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
876 fprintf(f, "Probably ndbm\n");
877 #elif defined(USE_TDB)
878 fprintf(f, "Using tdb\n");
879 #else
880 #ifdef USE_GDBM
881 fprintf(f, "Probably GDBM (native mode)\n");
882 #else
883 fprintf(f, "Probably GDBM (compatibility mode)\n");
884 #endif
885 #endif
886 }
887
888
889 /* This function is called for -bV/--version and for -d to output the optional
890 features of the current Exim binary.
891
892 Arguments: a FILE for printing
893 Returns: nothing
894 */
895
896 static void
897 show_whats_supported(FILE * fp)
898 {
899 rmark reset_point = store_mark();
900 gstring * g;
901 DEBUG(D_any) {} else show_db_version(fp);
902
903 g = string_cat(NULL, US"Support for:");
904 #ifdef SUPPORT_CRYPTEQ
905 g = string_cat(g, US" crypteq");
906 #endif
907 #if HAVE_ICONV
908 g = string_cat(g, US" iconv()");
909 #endif
910 #if HAVE_IPV6
911 g = string_cat(g, US" IPv6");
912 #endif
913 #ifdef HAVE_SETCLASSRESOURCES
914 g = string_cat(g, US" use_setclassresources");
915 #endif
916 #ifdef SUPPORT_PAM
917 g = string_cat(g, US" PAM");
918 #endif
919 #ifdef EXIM_PERL
920 g = string_cat(g, US" Perl");
921 #endif
922 #ifdef EXPAND_DLFUNC
923 g = string_cat(g, US" Expand_dlfunc");
924 #endif
925 #ifdef USE_TCP_WRAPPERS
926 g = string_cat(g, US" TCPwrappers");
927 #endif
928 #ifdef USE_GNUTLS
929 g = string_cat(g, US" GnuTLS");
930 #endif
931 #ifdef USE_OPENSSL
932 g = string_cat(g, US" OpenSSL");
933 #endif
934 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
935 g = string_cat(g, US" translate_ip_address");
936 #endif
937 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
938 g = string_cat(g, US" move_frozen_messages");
939 #endif
940 #ifdef WITH_CONTENT_SCAN
941 g = string_cat(g, US" Content_Scanning");
942 #endif
943 #ifdef SUPPORT_DANE
944 g = string_cat(g, US" DANE");
945 #endif
946 #ifndef DISABLE_DKIM
947 g = string_cat(g, US" DKIM");
948 #endif
949 #ifndef DISABLE_DNSSEC
950 g = string_cat(g, US" DNSSEC");
951 #endif
952 #ifndef DISABLE_EVENT
953 g = string_cat(g, US" Event");
954 #endif
955 #ifdef SUPPORT_I18N
956 g = string_cat(g, US" I18N");
957 #endif
958 #ifndef DISABLE_OCSP
959 g = string_cat(g, US" OCSP");
960 #endif
961 #ifndef DISABLE_PIPE_CONNECT
962 g = string_cat(g, US" PIPE_CONNECT");
963 #endif
964 #ifndef DISABLE_PRDR
965 g = string_cat(g, US" PRDR");
966 #endif
967 #ifdef SUPPORT_PROXY
968 g = string_cat(g, US" PROXY");
969 #endif
970 #ifdef SUPPORT_SOCKS
971 g = string_cat(g, US" SOCKS");
972 #endif
973 #ifdef SUPPORT_SPF
974 g = string_cat(g, US" SPF");
975 #endif
976 #ifdef SUPPORT_DMARC
977 g = string_cat(g, US" DMARC");
978 #endif
979 #ifdef TCP_FASTOPEN
980 tcp_init();
981 if (f.tcp_fastopen_ok) g = string_cat(g, US" TCP_Fast_Open");
982 #endif
983 #ifdef EXPERIMENTAL_ARC
984 g = string_cat(g, US" Experimental_ARC");
985 #endif
986 #ifdef EXPERIMENTAL_BRIGHTMAIL
987 g = string_cat(g, US" Experimental_Brightmail");
988 #endif
989 #ifdef EXPERIMENTAL_DCC
990 g = string_cat(g, US" Experimental_DCC");
991 #endif
992 #ifdef EXPERIMENTAL_DSN_INFO
993 g = string_cat(g, US" Experimental_DSN_info");
994 #endif
995 #ifdef EXPERIMENTAL_LMDB
996 g = string_cat(g, US" Experimental_LMDB");
997 #endif
998 #ifdef EXPERIMENTAL_QUEUE_RAMP
999 g = string_cat(g, US" Experimental_Queue_Ramp");
1000 #endif
1001 #ifdef EXPERIMENTAL_QUEUEFILE
1002 g = string_cat(g, US" Experimental_QUEUEFILE");
1003 #endif
1004 #if defined(EXPERIMENTAL_SRS) || defined(EXPERIMENTAL_SRS_NATIVE)
1005 g = string_cat(g, US" Experimental_SRS");
1006 #endif
1007 #ifdef EXPERIMENTAL_TLS_RESUME
1008 g = string_cat(g, US" Experimental_TLS_resume");
1009 #endif
1010 g = string_cat(g, US"\n");
1011
1012 g = string_cat(g, US"Lookups (built-in):");
1013 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
1014 g = string_cat(g, US" lsearch wildlsearch nwildlsearch iplsearch");
1015 #endif
1016 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
1017 g = string_cat(g, US" cdb");
1018 #endif
1019 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
1020 g = string_cat(g, US" dbm dbmjz dbmnz");
1021 #endif
1022 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
1023 g = string_cat(g, US" dnsdb");
1024 #endif
1025 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
1026 g = string_cat(g, US" dsearch");
1027 #endif
1028 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
1029 g = string_cat(g, US" ibase");
1030 #endif
1031 #if defined(LOOKUP_JSON) && LOOKUP_JSON!=2
1032 g = string_cat(g, US" json");
1033 #endif
1034 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
1035 g = string_cat(g, US" ldap ldapdn ldapm");
1036 #endif
1037 #ifdef EXPERIMENTAL_LMDB
1038 g = string_cat(g, US" lmdb");
1039 #endif
1040 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
1041 g = string_cat(g, US" mysql");
1042 #endif
1043 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
1044 g = string_cat(g, US" nis nis0");
1045 #endif
1046 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
1047 g = string_cat(g, US" nisplus");
1048 #endif
1049 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
1050 g = string_cat(g, US" oracle");
1051 #endif
1052 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
1053 g = string_cat(g, US" passwd");
1054 #endif
1055 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
1056 g = string_cat(g, US" pgsql");
1057 #endif
1058 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
1059 g = string_cat(g, US" redis");
1060 #endif
1061 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
1062 g = string_cat(g, US" sqlite");
1063 #endif
1064 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
1065 g = string_cat(g, US" testdb");
1066 #endif
1067 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
1068 g = string_cat(g, US" whoson");
1069 #endif
1070 g = string_cat(g, US"\n");
1071
1072 g = auth_show_supported(g);
1073 g = route_show_supported(g);
1074 g = transport_show_supported(g);
1075
1076 #ifdef WITH_CONTENT_SCAN
1077 g = malware_show_supported(g);
1078 #endif
1079
1080 if (fixed_never_users[0] > 0)
1081 {
1082 int i;
1083 g = string_cat(g, US"Fixed never_users: ");
1084 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
1085 string_fmt_append(g, "%u:", (unsigned)fixed_never_users[i]);
1086 g = string_fmt_append(g, "%u\n", (unsigned)fixed_never_users[i]);
1087 }
1088
1089 g = string_fmt_append(g, "Configure owner: %d:%d\n", config_uid, config_gid);
1090 fputs(CS string_from_gstring(g), fp);
1091
1092 fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
1093
1094 /* Everything else is details which are only worth reporting when debugging.
1095 Perhaps the tls_version_report should move into this too. */
1096 DEBUG(D_any) do {
1097
1098 /* clang defines __GNUC__ (at least, for me) so test for it first */
1099 #if defined(__clang__)
1100 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
1101 #elif defined(__GNUC__)
1102 fprintf(fp, "Compiler: GCC [%s]\n",
1103 # ifdef __VERSION__
1104 __VERSION__
1105 # else
1106 "? unknown version ?"
1107 # endif
1108 );
1109 #else
1110 fprintf(fp, "Compiler: <unknown>\n");
1111 #endif
1112
1113 #if defined(__GLIBC__) && !defined(__UCLIBC__)
1114 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
1115 __GLIBC__, __GLIBC_MINOR__);
1116 if (__GLIBC_PREREQ(2, 1))
1117 fprintf(fp, " Runtime: %s\n",
1118 gnu_get_libc_version());
1119 #endif
1120
1121 show_db_version(fp);
1122
1123 #ifndef DISABLE_TLS
1124 tls_version_report(fp);
1125 #endif
1126 #ifdef SUPPORT_I18N
1127 utf8_version_report(fp);
1128 #endif
1129 #ifdef SUPPORT_SPF
1130 spf_lib_version_report(fp);
1131 #endif
1132
1133 for (auth_info * authi = auths_available; *authi->driver_name != '\0'; ++authi)
1134 if (authi->version_report)
1135 (*authi->version_report)(fp);
1136
1137 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1138 characters; unless it's an ancient version of PCRE in which case it
1139 is not defined. */
1140 #ifndef PCRE_PRERELEASE
1141 # define PCRE_PRERELEASE
1142 #endif
1143 #define QUOTE(X) #X
1144 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1145 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
1146 " Runtime: %s\n",
1147 PCRE_MAJOR, PCRE_MINOR,
1148 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
1149 pcre_version());
1150 #undef QUOTE
1151 #undef EXPAND_AND_QUOTE
1152
1153 init_lookup_list();
1154 for (int i = 0; i < lookup_list_count; i++)
1155 if (lookup_list[i]->version_report)
1156 lookup_list[i]->version_report(fp);
1157
1158 #ifdef WHITELIST_D_MACROS
1159 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1160 #else
1161 fprintf(fp, "WHITELIST_D_MACROS unset\n");
1162 #endif
1163 #ifdef TRUSTED_CONFIG_LIST
1164 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1165 #else
1166 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
1167 #endif
1168
1169 } while (0);
1170 store_reset(reset_point);
1171 }
1172
1173
1174 /*************************************************
1175 * Show auxiliary information about Exim *
1176 *************************************************/
1177
1178 static void
1179 show_exim_information(enum commandline_info request, FILE *stream)
1180 {
1181 switch(request)
1182 {
1183 case CMDINFO_NONE:
1184 fprintf(stream, "Oops, something went wrong.\n");
1185 return;
1186 case CMDINFO_HELP:
1187 fprintf(stream,
1188 "The -bI: flag takes a string indicating which information to provide.\n"
1189 "If the string is not recognised, you'll get this help (on stderr).\n"
1190 "\n"
1191 " exim -bI:help this information\n"
1192 " exim -bI:dscp list of known dscp value keywords\n"
1193 " exim -bI:sieve list of supported sieve extensions\n"
1194 );
1195 return;
1196 case CMDINFO_SIEVE:
1197 for (const uschar ** pp = exim_sieve_extension_list; *pp; ++pp)
1198 fprintf(stream, "%s\n", *pp);
1199 return;
1200 case CMDINFO_DSCP:
1201 dscp_list_to_stream(stream);
1202 return;
1203 }
1204 }
1205
1206
1207 /*************************************************
1208 * Quote a local part *
1209 *************************************************/
1210
1211 /* This function is used when a sender address or a From: or Sender: header
1212 line is being created from the caller's login, or from an authenticated_id. It
1213 applies appropriate quoting rules for a local part.
1214
1215 Argument: the local part
1216 Returns: the local part, quoted if necessary
1217 */
1218
1219 uschar *
1220 local_part_quote(uschar *lpart)
1221 {
1222 BOOL needs_quote = FALSE;
1223 gstring * g;
1224
1225 for (uschar * t = lpart; !needs_quote && *t != 0; t++)
1226 {
1227 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1228 (*t != '.' || t == lpart || t[1] == 0);
1229 }
1230
1231 if (!needs_quote) return lpart;
1232
1233 g = string_catn(NULL, US"\"", 1);
1234
1235 for (;;)
1236 {
1237 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1238 if (nq == NULL)
1239 {
1240 g = string_cat(g, lpart);
1241 break;
1242 }
1243 g = string_catn(g, lpart, nq - lpart);
1244 g = string_catn(g, US"\\", 1);
1245 g = string_catn(g, nq, 1);
1246 lpart = nq + 1;
1247 }
1248
1249 g = string_catn(g, US"\"", 1);
1250 return string_from_gstring(g);
1251 }
1252
1253
1254
1255 #ifdef USE_READLINE
1256 /*************************************************
1257 * Load readline() functions *
1258 *************************************************/
1259
1260 /* This function is called from testing executions that read data from stdin,
1261 but only when running as the calling user. Currently, only -be does this. The
1262 function loads the readline() function library and passes back the functions.
1263 On some systems, it needs the curses library, so load that too, but try without
1264 it if loading fails. All this functionality has to be requested at build time.
1265
1266 Arguments:
1267 fn_readline_ptr pointer to where to put the readline pointer
1268 fn_addhist_ptr pointer to where to put the addhistory function
1269
1270 Returns: the dlopen handle or NULL on failure
1271 */
1272
1273 static void *
1274 set_readline(char * (**fn_readline_ptr)(const char *),
1275 void (**fn_addhist_ptr)(const char *))
1276 {
1277 void *dlhandle;
1278 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1279
1280 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1281 if (dlhandle_curses) dlclose(dlhandle_curses);
1282
1283 if (dlhandle)
1284 {
1285 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1286 * char * readline (const char *prompt);
1287 * void add_history (const char *string);
1288 */
1289 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1290 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1291 }
1292 else
1293 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1294
1295 return dlhandle;
1296 }
1297 #endif
1298
1299
1300
1301 /*************************************************
1302 * Get a line from stdin for testing things *
1303 *************************************************/
1304
1305 /* This function is called when running tests that can take a number of lines
1306 of input (for example, -be and -bt). It handles continuations and trailing
1307 spaces. And prompting and a blank line output on eof. If readline() is in use,
1308 the arguments are non-NULL and provide the relevant functions.
1309
1310 Arguments:
1311 fn_readline readline function or NULL
1312 fn_addhist addhist function or NULL
1313
1314 Returns: pointer to dynamic memory, or NULL at end of file
1315 */
1316
1317 static uschar *
1318 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1319 {
1320 gstring * g = NULL;
1321
1322 if (!fn_readline) { printf("> "); fflush(stdout); }
1323
1324 for (int i = 0;; i++)
1325 {
1326 uschar buffer[1024];
1327 uschar *p, *ss;
1328
1329 #ifdef USE_READLINE
1330 char *readline_line = NULL;
1331 if (fn_readline)
1332 {
1333 if (!(readline_line = fn_readline((i > 0)? "":"> "))) break;
1334 if (*readline_line != 0 && fn_addhist) fn_addhist(readline_line);
1335 p = US readline_line;
1336 }
1337 else
1338 #endif
1339
1340 /* readline() not in use */
1341
1342 {
1343 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1344 p = buffer;
1345 }
1346
1347 /* Handle the line */
1348
1349 ss = p + (int)Ustrlen(p);
1350 while (ss > p && isspace(ss[-1])) ss--;
1351
1352 if (i > 0)
1353 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1354
1355 g = string_catn(g, p, ss - p);
1356
1357 #ifdef USE_READLINE
1358 if (fn_readline) free(readline_line);
1359 #endif
1360
1361 /* g can only be NULL if ss==p */
1362 if (ss == p || g->s[g->ptr-1] != '\\')
1363 break;
1364
1365 --g->ptr;
1366 (void) string_from_gstring(g);
1367 }
1368
1369 if (!g) printf("\n");
1370 return string_from_gstring(g);
1371 }
1372
1373
1374
1375 /*************************************************
1376 * Output usage information for the program *
1377 *************************************************/
1378
1379 /* This function is called when there are no recipients
1380 or a specific --help argument was added.
1381
1382 Arguments:
1383 progname information on what name we were called by
1384
1385 Returns: DOES NOT RETURN
1386 */
1387
1388 static void
1389 exim_usage(uschar *progname)
1390 {
1391
1392 /* Handle specific program invocation variants */
1393 if (Ustrcmp(progname, US"-mailq") == 0)
1394 exim_fail(
1395 "mailq - list the contents of the mail queue\n\n"
1396 "For a list of options, see the Exim documentation.\n");
1397
1398 /* Generic usage - we output this whatever happens */
1399 exim_fail(
1400 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1401 "not directly from a shell command line. Options and/or arguments control\n"
1402 "what it does when called. For a list of options, see the Exim documentation.\n");
1403 }
1404
1405
1406
1407 /*************************************************
1408 * Validate that the macros given are okay *
1409 *************************************************/
1410
1411 /* Typically, Exim will drop privileges if macros are supplied. In some
1412 cases, we want to not do so.
1413
1414 Arguments: opt_D_used - true if the commandline had a "-D" option
1415 Returns: true if trusted, false otherwise
1416 */
1417
1418 static BOOL
1419 macros_trusted(BOOL opt_D_used)
1420 {
1421 #ifdef WHITELIST_D_MACROS
1422 uschar *whitelisted, *end, *p, **whites;
1423 int white_count, i, n;
1424 size_t len;
1425 BOOL prev_char_item, found;
1426 #endif
1427
1428 if (!opt_D_used)
1429 return TRUE;
1430 #ifndef WHITELIST_D_MACROS
1431 return FALSE;
1432 #else
1433
1434 /* We only trust -D overrides for some invoking users:
1435 root, the exim run-time user, the optional config owner user.
1436 I don't know why config-owner would be needed, but since they can own the
1437 config files anyway, there's no security risk to letting them override -D. */
1438 if ( ! ((real_uid == root_uid)
1439 || (real_uid == exim_uid)
1440 #ifdef CONFIGURE_OWNER
1441 || (real_uid == config_uid)
1442 #endif
1443 ))
1444 {
1445 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1446 return FALSE;
1447 }
1448
1449 /* Get a list of macros which are whitelisted */
1450 whitelisted = string_copy_perm(US WHITELIST_D_MACROS, FALSE);
1451 prev_char_item = FALSE;
1452 white_count = 0;
1453 for (p = whitelisted; *p != '\0'; ++p)
1454 {
1455 if (*p == ':' || isspace(*p))
1456 {
1457 *p = '\0';
1458 if (prev_char_item)
1459 ++white_count;
1460 prev_char_item = FALSE;
1461 continue;
1462 }
1463 if (!prev_char_item)
1464 prev_char_item = TRUE;
1465 }
1466 end = p;
1467 if (prev_char_item)
1468 ++white_count;
1469 if (!white_count)
1470 return FALSE;
1471 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1472 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1473 {
1474 if (*p != '\0')
1475 {
1476 whites[i++] = p;
1477 if (i == white_count)
1478 break;
1479 while (*p != '\0' && p < end)
1480 ++p;
1481 }
1482 }
1483 whites[i] = NULL;
1484
1485 /* The list of commandline macros should be very short.
1486 Accept the N*M complexity. */
1487 for (macro_item * m = macros_user; m; m = m->next) if (m->command_line)
1488 {
1489 found = FALSE;
1490 for (uschar ** w = whites; *w; ++w)
1491 if (Ustrcmp(*w, m->name) == 0)
1492 {
1493 found = TRUE;
1494 break;
1495 }
1496 if (!found)
1497 return FALSE;
1498 if (!m->replacement)
1499 continue;
1500 if ((len = m->replen) == 0)
1501 continue;
1502 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1503 0, PCRE_EOPT, NULL, 0);
1504 if (n < 0)
1505 {
1506 if (n != PCRE_ERROR_NOMATCH)
1507 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1508 return FALSE;
1509 }
1510 }
1511 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1512 return TRUE;
1513 #endif
1514 }
1515
1516
1517 /*************************************************
1518 * Expansion testing *
1519 *************************************************/
1520
1521 /* Expand and print one item, doing macro-processing.
1522
1523 Arguments:
1524 item line for expansion
1525 */
1526
1527 static void
1528 expansion_test_line(uschar * line)
1529 {
1530 int len;
1531 BOOL dummy_macexp;
1532
1533 Ustrncpy(big_buffer, line, big_buffer_size);
1534 big_buffer[big_buffer_size-1] = '\0';
1535 len = Ustrlen(big_buffer);
1536
1537 (void) macros_expand(0, &len, &dummy_macexp);
1538
1539 if (isupper(big_buffer[0]))
1540 {
1541 if (macro_read_assignment(big_buffer))
1542 printf("Defined macro '%s'\n", mlast->name);
1543 }
1544 else
1545 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1546 else printf("Failed: %s\n", expand_string_message);
1547 }
1548
1549
1550
1551 /*************************************************
1552 * Entry point and high-level code *
1553 *************************************************/
1554
1555 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1556 the appropriate action. All the necessary functions are present in the one
1557 binary. I originally thought one should split it up, but it turns out that so
1558 much of the apparatus is needed in each chunk that one might as well just have
1559 it all available all the time, which then makes the coding easier as well.
1560
1561 Arguments:
1562 argc count of entries in argv
1563 argv argument strings, with argv[0] being the program name
1564
1565 Returns: EXIT_SUCCESS if terminated successfully
1566 EXIT_FAILURE otherwise, except when a message has been sent
1567 to the sender, and -oee was given
1568 */
1569
1570 int
1571 main(int argc, char **cargv)
1572 {
1573 uschar **argv = USS cargv;
1574 int arg_receive_timeout = -1;
1575 int arg_smtp_receive_timeout = -1;
1576 int arg_error_handling = error_handling;
1577 int filter_sfd = -1;
1578 int filter_ufd = -1;
1579 int group_count;
1580 int i, rv;
1581 int list_queue_option = 0;
1582 int msg_action = 0;
1583 int msg_action_arg = -1;
1584 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1585 int queue_only_reason = 0;
1586 #ifdef EXIM_PERL
1587 int perl_start_option = 0;
1588 #endif
1589 int recipients_arg = argc;
1590 int sender_address_domain = 0;
1591 int test_retry_arg = -1;
1592 int test_rewrite_arg = -1;
1593 gid_t original_egid;
1594 BOOL arg_queue_only = FALSE;
1595 BOOL bi_option = FALSE;
1596 BOOL checking = FALSE;
1597 BOOL count_queue = FALSE;
1598 BOOL expansion_test = FALSE;
1599 BOOL extract_recipients = FALSE;
1600 BOOL flag_G = FALSE;
1601 BOOL flag_n = FALSE;
1602 BOOL forced_delivery = FALSE;
1603 BOOL f_end_dot = FALSE;
1604 BOOL deliver_give_up = FALSE;
1605 BOOL list_queue = FALSE;
1606 BOOL list_options = FALSE;
1607 BOOL list_config = FALSE;
1608 BOOL local_queue_only;
1609 BOOL more = TRUE;
1610 BOOL one_msg_action = FALSE;
1611 BOOL opt_D_used = FALSE;
1612 BOOL queue_only_set = FALSE;
1613 BOOL receiving_message = TRUE;
1614 BOOL sender_ident_set = FALSE;
1615 BOOL session_local_queue_only;
1616 BOOL unprivileged;
1617 BOOL removed_privilege = FALSE;
1618 BOOL usage_wanted = FALSE;
1619 BOOL verify_address_mode = FALSE;
1620 BOOL verify_as_sender = FALSE;
1621 BOOL version_printed = FALSE;
1622 uschar *alias_arg = NULL;
1623 uschar *called_as = US"";
1624 uschar *cmdline_syslog_name = NULL;
1625 uschar *start_queue_run_id = NULL;
1626 uschar *stop_queue_run_id = NULL;
1627 uschar *expansion_test_message = NULL;
1628 uschar *ftest_domain = NULL;
1629 uschar *ftest_localpart = NULL;
1630 uschar *ftest_prefix = NULL;
1631 uschar *ftest_suffix = NULL;
1632 uschar *log_oneline = NULL;
1633 uschar *malware_test_file = NULL;
1634 uschar *real_sender_address;
1635 uschar *originator_home = US"/";
1636 size_t sz;
1637
1638 struct passwd *pw;
1639 struct stat statbuf;
1640 pid_t passed_qr_pid = (pid_t)0;
1641 int passed_qr_pipe = -1;
1642 gid_t group_list[EXIM_GROUPLIST_SIZE];
1643
1644 /* For the -bI: flag */
1645 enum commandline_info info_flag = CMDINFO_NONE;
1646 BOOL info_stdout = FALSE;
1647
1648 /* Possible options for -R and -S */
1649
1650 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1651
1652 /* Need to define this in case we need to change the environment in order
1653 to get rid of a bogus time zone. We have to make it char rather than uschar
1654 because some OS define it in /usr/include/unistd.h. */
1655
1656 extern char **environ;
1657
1658 #ifdef MEASURE_TIMING
1659 (void)gettimeofday(&timestamp_startup, NULL);
1660 #endif
1661
1662 /* If the Exim user and/or group and/or the configuration file owner/group were
1663 defined by ref:name at build time, we must now find the actual uid/gid values.
1664 This is a feature to make the lives of binary distributors easier. */
1665
1666 #ifdef EXIM_USERNAME
1667 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1668 {
1669 if (exim_uid == 0)
1670 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1671
1672 /* If ref:name uses a number as the name, route_finduser() returns
1673 TRUE with exim_uid set and pw coerced to NULL. */
1674 if (pw)
1675 exim_gid = pw->pw_gid;
1676 #ifndef EXIM_GROUPNAME
1677 else
1678 exim_fail(
1679 "exim: ref:name should specify a usercode, not a group.\n"
1680 "exim: can't let you get away with it unless you also specify a group.\n");
1681 #endif
1682 }
1683 else
1684 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
1685 #endif
1686
1687 #ifdef EXIM_GROUPNAME
1688 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1689 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
1690 #endif
1691
1692 #ifdef CONFIGURE_OWNERNAME
1693 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1694 exim_fail("exim: failed to find uid for user name \"%s\"\n",
1695 CONFIGURE_OWNERNAME);
1696 #endif
1697
1698 /* We default the system_filter_user to be the Exim run-time user, as a
1699 sane non-root value. */
1700 system_filter_uid = exim_uid;
1701
1702 #ifdef CONFIGURE_GROUPNAME
1703 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1704 exim_fail("exim: failed to find gid for group name \"%s\"\n",
1705 CONFIGURE_GROUPNAME);
1706 #endif
1707
1708 /* In the Cygwin environment, some initialization used to need doing.
1709 It was fudged in by means of this macro; now no longer but we'll leave
1710 it in case of others. */
1711
1712 #ifdef OS_INIT
1713 OS_INIT
1714 #endif
1715
1716 /* Check a field which is patched when we are running Exim within its
1717 testing harness; do a fast initial check, and then the whole thing. */
1718
1719 f.running_in_test_harness =
1720 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1721 if (f.running_in_test_harness)
1722 debug_store = TRUE;
1723
1724 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1725 at the start of a program; however, it seems that some environments do not
1726 follow this. A "strange" locale can affect the formatting of timestamps, so we
1727 make quite sure. */
1728
1729 setlocale(LC_ALL, "C");
1730
1731 /* Get the offset between CLOCK_MONOTONIC and wallclock */
1732
1733 #ifdef _POSIX_MONOTONIC_CLOCK
1734 exim_clock_init();
1735 #endif
1736
1737 /* Set up the default handler for timing using alarm(). */
1738
1739 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1740
1741 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1742 because store_malloc writes a log entry on failure. */
1743
1744 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
1745 exim_fail("exim: failed to get store for log buffer\n");
1746
1747 /* Initialize the default log options. */
1748
1749 bits_set(log_selector, log_selector_size, log_default);
1750
1751 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1752 NULL when the daemon is run and the file is closed. We have to use this
1753 indirection, because some systems don't allow writing to the variable "stderr".
1754 */
1755
1756 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1757
1758 /* Arrange for the PCRE regex library to use our store functions. Note that
1759 the normal calls are actually macros that add additional arguments for
1760 debugging purposes so we have to assign specially constructed functions here.
1761 The default is to use store in the stacking pool, but this is overridden in the
1762 regex_must_compile() function. */
1763
1764 pcre_malloc = function_store_get;
1765 pcre_free = function_dummy_free;
1766
1767 /* Ensure there is a big buffer for temporary use in several places. It is put
1768 in malloc store so that it can be freed for enlargement if necessary. */
1769
1770 big_buffer = store_malloc(big_buffer_size);
1771
1772 /* Set up the handler for the data request signal, and set the initial
1773 descriptive text. */
1774
1775 process_info = store_get(PROCESS_INFO_SIZE, TRUE); /* tainted */
1776 set_process_info("initializing");
1777 os_restarting_signal(SIGUSR1, usr1_handler);
1778
1779 /* If running in a dockerized environment, the TERM signal is only
1780 delegated to the PID 1 if we request it by setting an signal handler */
1781 if (getpid() == 1) signal(SIGTERM, term_handler);
1782
1783 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1784 in the daemon code. For the rest of Exim's uses, we ignore it. */
1785
1786 signal(SIGHUP, SIG_IGN);
1787
1788 /* We don't want to die on pipe errors as the code is written to handle
1789 the write error instead. */
1790
1791 signal(SIGPIPE, SIG_IGN);
1792
1793 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1794 set to SIG_IGN. This causes subprocesses that complete before the parent
1795 process waits for them not to hang around, so when Exim calls wait(), nothing
1796 is there. The wait() code has been made robust against this, but let's ensure
1797 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1798 ending status. We use sigaction rather than plain signal() on those OS where
1799 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1800 problem on AIX with this.) */
1801
1802 #ifdef SA_NOCLDWAIT
1803 {
1804 struct sigaction act;
1805 act.sa_handler = SIG_DFL;
1806 sigemptyset(&(act.sa_mask));
1807 act.sa_flags = 0;
1808 sigaction(SIGCHLD, &act, NULL);
1809 }
1810 #else
1811 signal(SIGCHLD, SIG_DFL);
1812 #endif
1813
1814 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1815 SIGHUP. */
1816
1817 sighup_argv = argv;
1818
1819 /* Set up the version number. Set up the leading 'E' for the external form of
1820 message ids, set the pointer to the internal form, and initialize it to
1821 indicate no message being processed. */
1822
1823 version_init();
1824 message_id_option[0] = '-';
1825 message_id_external = message_id_option + 1;
1826 message_id_external[0] = 'E';
1827 message_id = message_id_external + 1;
1828 message_id[0] = 0;
1829
1830 /* Set the umask to zero so that any files Exim creates using open() are
1831 created with the modes that it specifies. NOTE: Files created with fopen() have
1832 a problem, which was not recognized till rather late (February 2006). With this
1833 umask, such files will be world writeable. (They are all content scanning files
1834 in the spool directory, which isn't world-accessible, so this is not a
1835 disaster, but it's untidy.) I don't want to change this overall setting,
1836 however, because it will interact badly with the open() calls. Instead, there's
1837 now a function called modefopen() that fiddles with the umask while calling
1838 fopen(). */
1839
1840 (void)umask(0);
1841
1842 /* Precompile the regular expression for matching a message id. Keep this in
1843 step with the code that generates ids in the accept.c module. We need to do
1844 this here, because the -M options check their arguments for syntactic validity
1845 using mac_ismsgid, which uses this. */
1846
1847 regex_ismsgid =
1848 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1849
1850 /* Precompile the regular expression that is used for matching an SMTP error
1851 code, possibly extended, at the start of an error message. Note that the
1852 terminating whitespace character is included. */
1853
1854 regex_smtp_code =
1855 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1856 FALSE, TRUE);
1857
1858 #ifdef WHITELIST_D_MACROS
1859 /* Precompile the regular expression used to filter the content of macros
1860 given to -D for permissibility. */
1861
1862 regex_whitelisted_macro =
1863 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1864 #endif
1865
1866 for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1867
1868 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1869 this seems to be a generally accepted convention, since one finds symbolic
1870 links called "mailq" in standard OS configurations. */
1871
1872 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1873 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1874 {
1875 list_queue = TRUE;
1876 receiving_message = FALSE;
1877 called_as = US"-mailq";
1878 }
1879
1880 /* If the program is called as "rmail" treat it as equivalent to
1881 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1882 i.e. preventing a single dot on a line from terminating the message, and
1883 returning with zero return code, even in cases of error (provided an error
1884 message has been sent). */
1885
1886 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1887 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1888 {
1889 f.dot_ends = FALSE;
1890 called_as = US"-rmail";
1891 errors_sender_rc = EXIT_SUCCESS;
1892 }
1893
1894 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1895 this is a smail convention. */
1896
1897 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1898 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1899 {
1900 smtp_input = smtp_batched_input = TRUE;
1901 called_as = US"-rsmtp";
1902 }
1903
1904 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1905 this is a smail convention. */
1906
1907 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1908 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1909 {
1910 queue_interval = 0;
1911 receiving_message = FALSE;
1912 called_as = US"-runq";
1913 }
1914
1915 /* If the program is called as "newaliases" treat it as equivalent to
1916 "exim -bi"; this is a sendmail convention. */
1917
1918 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1919 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1920 {
1921 bi_option = TRUE;
1922 receiving_message = FALSE;
1923 called_as = US"-newaliases";
1924 }
1925
1926 /* Save the original effective uid for a couple of uses later. It should
1927 normally be root, but in some esoteric environments it may not be. */
1928
1929 original_euid = geteuid();
1930 original_egid = getegid();
1931
1932 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1933 to be the same as the real ones. This makes a difference only if Exim is setuid
1934 (or setgid) to something other than root, which could be the case in some
1935 special configurations. */
1936
1937 real_uid = getuid();
1938 real_gid = getgid();
1939
1940 if (real_uid == root_uid)
1941 {
1942 if ((rv = setgid(real_gid)))
1943 exim_fail("exim: setgid(%ld) failed: %s\n",
1944 (long int)real_gid, strerror(errno));
1945 if ((rv = setuid(real_uid)))
1946 exim_fail("exim: setuid(%ld) failed: %s\n",
1947 (long int)real_uid, strerror(errno));
1948 }
1949
1950 /* If neither the original real uid nor the original euid was root, Exim is
1951 running in an unprivileged state. */
1952
1953 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1954
1955 /* For most of the args-parsing we need to use permanent pool memory */
1956 {
1957 int old_pool = store_pool;
1958 store_pool = POOL_PERM;
1959
1960 /* Scan the program's arguments. Some can be dealt with right away; others are
1961 simply recorded for checking and handling afterwards. Do a high-level switch
1962 on the second character (the one after '-'), to save some effort. */
1963
1964 for (i = 1; i < argc; i++)
1965 {
1966 BOOL badarg = FALSE;
1967 uschar * arg = argv[i];
1968 uschar * argrest;
1969 int switchchar;
1970
1971 /* An argument not starting with '-' is the start of a recipients list;
1972 break out of the options-scanning loop. */
1973
1974 if (arg[0] != '-')
1975 {
1976 recipients_arg = i;
1977 break;
1978 }
1979
1980 /* An option consisting of -- terminates the options */
1981
1982 if (Ustrcmp(arg, "--") == 0)
1983 {
1984 recipients_arg = i + 1;
1985 break;
1986 }
1987
1988 /* Handle flagged options */
1989
1990 switchchar = arg[1];
1991 argrest = arg+2;
1992
1993 /* Make all -ex options synonymous with -oex arguments, since that
1994 is assumed by various callers. Also make -qR options synonymous with -R
1995 options, as that seems to be required as well. Allow for -qqR too, and
1996 the same for -S options. */
1997
1998 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1999 Ustrncmp(arg+1, "qR", 2) == 0 ||
2000 Ustrncmp(arg+1, "qS", 2) == 0)
2001 {
2002 switchchar = arg[2];
2003 argrest++;
2004 }
2005 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
2006 {
2007 switchchar = arg[3];
2008 argrest += 2;
2009 f.queue_2stage = TRUE;
2010 }
2011
2012 /* Make -r synonymous with -f, since it is a documented alias */
2013
2014 else if (arg[1] == 'r') switchchar = 'f';
2015
2016 /* Make -ov synonymous with -v */
2017
2018 else if (Ustrcmp(arg, "-ov") == 0)
2019 {
2020 switchchar = 'v';
2021 argrest++;
2022 }
2023
2024 /* deal with --option_aliases */
2025 else if (switchchar == '-')
2026 {
2027 if (Ustrcmp(argrest, "help") == 0)
2028 {
2029 usage_wanted = TRUE;
2030 break;
2031 }
2032 else if (Ustrcmp(argrest, "version") == 0)
2033 {
2034 switchchar = 'b';
2035 argrest = US"V";
2036 }
2037 }
2038
2039 /* High-level switch on active initial letter */
2040
2041 switch(switchchar)
2042 {
2043
2044 /* sendmail uses -Ac and -Am to control which .cf file is used;
2045 we ignore them. */
2046 case 'A':
2047 if (!*argrest) { badarg = TRUE; break; }
2048 else
2049 {
2050 BOOL ignore = FALSE;
2051 switch (*argrest)
2052 {
2053 case 'c':
2054 case 'm':
2055 if (*(argrest + 1) == '\0')
2056 ignore = TRUE;
2057 break;
2058 }
2059 if (!ignore) badarg = TRUE;
2060 }
2061 break;
2062
2063 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
2064 so has no need of it. */
2065
2066 case 'B':
2067 if (!*argrest) i++; /* Skip over the type */
2068 break;
2069
2070
2071 case 'b':
2072 {
2073 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
2074
2075 switch (*argrest++)
2076 {
2077 /* -bd: Run in daemon mode, awaiting SMTP connections.
2078 -bdf: Ditto, but in the foreground.
2079 */
2080 case 'd':
2081 f.daemon_listen = TRUE;
2082 if (*argrest == 'f') f.background_daemon = FALSE;
2083 else if (*argrest) badarg = TRUE;
2084 break;
2085
2086 /* -be: Run in expansion test mode
2087 -bem: Ditto, but read a message from a file first
2088 */
2089 case 'e':
2090 expansion_test = checking = TRUE;
2091 if (*argrest == 'm')
2092 {
2093 if (++i >= argc) { badarg = TRUE; break; }
2094 expansion_test_message = argv[i];
2095 argrest++;
2096 }
2097 if (*argrest) badarg = TRUE;
2098 break;
2099
2100 /* -bF: Run system filter test */
2101 case 'F':
2102 filter_test |= checking = FTEST_SYSTEM;
2103 if (*argrest) badarg = TRUE;
2104 else if (++i < argc) filter_test_sfile = argv[i];
2105 else exim_fail("exim: file name expected after %s\n", argv[i-1]);
2106 break;
2107
2108 /* -bf: Run user filter test
2109 -bfd: Set domain for filter testing
2110 -bfl: Set local part for filter testing
2111 -bfp: Set prefix for filter testing
2112 -bfs: Set suffix for filter testing
2113 */
2114 case 'f':
2115 if (!*argrest)
2116 {
2117 filter_test |= checking = FTEST_USER;
2118 if (++i < argc) filter_test_ufile = argv[i];
2119 else exim_fail("exim: file name expected after %s\n", argv[i-1]);
2120 }
2121 else
2122 {
2123 if (++i >= argc)
2124 exim_fail("exim: string expected after %s\n", arg);
2125 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2126 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2127 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2128 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2129 else badarg = TRUE;
2130 }
2131 break;
2132
2133 /* -bh: Host checking - an IP address must follow. */
2134 case 'h':
2135 if (!*argrest || Ustrcmp(argrest, "c") == 0)
2136 {
2137 if (++i >= argc) { badarg = TRUE; break; }
2138 sender_host_address = string_copy_taint(argv[i], TRUE);
2139 host_checking = checking = f.log_testing_mode = TRUE;
2140 f.host_checking_callout = *argrest == 'c';
2141 message_logs = FALSE;
2142 }
2143 else badarg = TRUE;
2144 break;
2145
2146 /* -bi: This option is used by sendmail to initialize *the* alias file,
2147 though it has the -oA option to specify a different file. Exim has no
2148 concept of *the* alias file, but since Sun's YP make script calls
2149 sendmail this way, some support must be provided. */
2150 case 'i':
2151 if (!*++argrest) bi_option = TRUE;
2152 else badarg = TRUE;
2153 break;
2154
2155 /* -bI: provide information, of the type to follow after a colon.
2156 This is an Exim flag. */
2157 case 'I':
2158 if (Ustrlen(argrest) >= 1 && *argrest == ':')
2159 {
2160 uschar *p = argrest+1;
2161 info_flag = CMDINFO_HELP;
2162 if (Ustrlen(p))
2163 if (strcmpic(p, CUS"sieve") == 0)
2164 {
2165 info_flag = CMDINFO_SIEVE;
2166 info_stdout = TRUE;
2167 }
2168 else if (strcmpic(p, CUS"dscp") == 0)
2169 {
2170 info_flag = CMDINFO_DSCP;
2171 info_stdout = TRUE;
2172 }
2173 else if (strcmpic(p, CUS"help") == 0)
2174 info_stdout = TRUE;
2175 }
2176 else badarg = TRUE;
2177 break;
2178
2179 /* -bm: Accept and deliver message - the default option. Reinstate
2180 receiving_message, which got turned off for all -b options.
2181 -bmalware: test the filename given for malware */
2182 case 'm':
2183 if (!*argrest) receiving_message = TRUE;
2184 else if (Ustrcmp(argrest, "alware") == 0)
2185 {
2186 if (++i >= argc) { badarg = TRUE; break; }
2187 checking = TRUE;
2188 malware_test_file = argv[i];
2189 }
2190 else badarg = TRUE;
2191 break;
2192
2193 /* -bnq: For locally originating messages, do not qualify unqualified
2194 addresses. In the envelope, this causes errors; in header lines they
2195 just get left. */
2196 case 'n':
2197 if (Ustrcmp(argrest, "q") == 0)
2198 {
2199 f.allow_unqualified_sender = FALSE;
2200 f.allow_unqualified_recipient = FALSE;
2201 }
2202 else badarg = TRUE;
2203 break;
2204
2205 /* -bpxx: List the contents of the mail queue, in various forms. If
2206 the option is -bpc, just a queue count is needed. Otherwise, if the
2207 first letter after p is r, then order is random. */
2208 case 'p':
2209 if (*argrest == 'c')
2210 {
2211 count_queue = TRUE;
2212 if (*++argrest) badarg = TRUE;
2213 break;
2214 }
2215
2216 if (*argrest == 'r')
2217 {
2218 list_queue_option = 8;
2219 argrest++;
2220 }
2221 else list_queue_option = 0;
2222
2223 list_queue = TRUE;
2224
2225 /* -bp: List the contents of the mail queue, top-level only */
2226
2227 if (!*argrest) {}
2228
2229 /* -bpu: List the contents of the mail queue, top-level undelivered */
2230
2231 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2232
2233 /* -bpa: List the contents of the mail queue, including all delivered */
2234
2235 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2236
2237 /* Unknown after -bp[r] */
2238
2239 else badarg = TRUE;
2240 break;
2241
2242
2243 /* -bP: List the configuration variables given as the address list.
2244 Force -v, so configuration errors get displayed. */
2245 case 'P':
2246
2247 /* -bP config: we need to setup here, because later,
2248 * when list_options is checked, the config is read already */
2249 if (*argrest)
2250 badarg = TRUE;
2251 else if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2252 {
2253 list_config = TRUE;
2254 readconf_save_config(version_string);
2255 }
2256 else
2257 {
2258 list_options = TRUE;
2259 debug_selector |= D_v;
2260 debug_file = stderr;
2261 }
2262 break;
2263
2264 /* -brt: Test retry configuration lookup */
2265 case 'r':
2266 if (Ustrcmp(argrest, "t") == 0)
2267 {
2268 checking = TRUE;
2269 test_retry_arg = i + 1;
2270 goto END_ARG;
2271 }
2272
2273 /* -brw: Test rewrite configuration */
2274
2275 else if (Ustrcmp(argrest, "w") == 0)
2276 {
2277 checking = TRUE;
2278 test_rewrite_arg = i + 1;
2279 goto END_ARG;
2280 }
2281 else badarg = TRUE;
2282 break;
2283
2284 /* -bS: Read SMTP commands on standard input, but produce no replies -
2285 all errors are reported by sending messages. */
2286 case 'S':
2287 if (!*argrest)
2288 smtp_input = smtp_batched_input = receiving_message = TRUE;
2289 else badarg = TRUE;
2290 break;
2291
2292 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2293 on standard output. */
2294 case 's':
2295 if (!*argrest) smtp_input = receiving_message = TRUE;
2296 else badarg = TRUE;
2297 break;
2298
2299 /* -bt: address testing mode */
2300 case 't':
2301 if (!*argrest)
2302 f.address_test_mode = checking = f.log_testing_mode = TRUE;
2303 else badarg = TRUE;
2304 break;
2305
2306 /* -bv: verify addresses */
2307 case 'v':
2308 if (!*argrest)
2309 verify_address_mode = checking = f.log_testing_mode = TRUE;
2310
2311 /* -bvs: verify sender addresses */
2312
2313 else if (Ustrcmp(argrest, "s") == 0)
2314 {
2315 verify_address_mode = checking = f.log_testing_mode = TRUE;
2316 verify_as_sender = TRUE;
2317 }
2318 else badarg = TRUE;
2319 break;
2320
2321 /* -bV: Print version string and support details */
2322 case 'V':
2323 if (!*argrest)
2324 {
2325 printf("Exim version %s #%s built %s\n", version_string,
2326 version_cnumber, version_date);
2327 printf("%s\n", CS version_copyright);
2328 version_printed = TRUE;
2329 show_whats_supported(stdout);
2330 f.log_testing_mode = TRUE;
2331 }
2332 else badarg = TRUE;
2333 break;
2334
2335 /* -bw: inetd wait mode, accept a listening socket as stdin */
2336 case 'w':
2337 f.inetd_wait_mode = TRUE;
2338 f.background_daemon = FALSE;
2339 f.daemon_listen = TRUE;
2340 if (*argrest)
2341 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2342 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
2343 break;
2344
2345 default:
2346 badarg = TRUE;
2347 break;
2348 }
2349 break;
2350 }
2351
2352
2353 /* -C: change configuration file list; ignore if it isn't really
2354 a change! Enforce a prefix check if required. */
2355
2356 case 'C':
2357 if (!*argrest)
2358 if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
2359 if (Ustrcmp(config_main_filelist, argrest) != 0)
2360 {
2361 #ifdef ALT_CONFIG_PREFIX
2362 int sep = 0;
2363 int len = Ustrlen(ALT_CONFIG_PREFIX);
2364 const uschar *list = argrest;
2365 uschar *filename;
2366 while((filename = string_nextinlist(&list, &sep, big_buffer,
2367 big_buffer_size)))
2368 if ( ( Ustrlen(filename) < len
2369 || Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0
2370 || Ustrstr(filename, "/../") != NULL
2371 )
2372 && (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid)
2373 )
2374 exim_fail("-C Permission denied\n");
2375 #endif
2376 if (real_uid != root_uid)
2377 {
2378 #ifdef TRUSTED_CONFIG_LIST
2379
2380 if (real_uid != exim_uid
2381 #ifdef CONFIGURE_OWNER
2382 && real_uid != config_uid
2383 #endif
2384 )
2385 f.trusted_config = FALSE;
2386 else
2387 {
2388 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2389 if (trust_list)
2390 {
2391 struct stat statbuf;
2392
2393 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2394 (statbuf.st_uid != root_uid /* owner not root */
2395 #ifdef CONFIGURE_OWNER
2396 && statbuf.st_uid != config_uid /* owner not the special one */
2397 #endif
2398 ) || /* or */
2399 (statbuf.st_gid != root_gid /* group not root */
2400 #ifdef CONFIGURE_GROUP
2401 && statbuf.st_gid != config_gid /* group not the special one */
2402 #endif
2403 && (statbuf.st_mode & 020) != 0 /* group writeable */
2404 ) || /* or */
2405 (statbuf.st_mode & 2) != 0) /* world writeable */
2406 {
2407 f.trusted_config = FALSE;
2408 fclose(trust_list);
2409 }
2410 else
2411 {
2412 /* Well, the trust list at least is up to scratch... */
2413 rmark reset_point;
2414 uschar *trusted_configs[32];
2415 int nr_configs = 0;
2416 int i = 0;
2417 int old_pool = store_pool;
2418 store_pool = POOL_MAIN;
2419
2420 reset_point = store_mark();
2421 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2422 {
2423 uschar *start = big_buffer, *nl;
2424 while (*start && isspace(*start))
2425 start++;
2426 if (*start != '/')
2427 continue;
2428 nl = Ustrchr(start, '\n');
2429 if (nl)
2430 *nl = 0;
2431 trusted_configs[nr_configs++] = string_copy(start);
2432 if (nr_configs == nelem(trusted_configs))
2433 break;
2434 }
2435 fclose(trust_list);
2436
2437 if (nr_configs)
2438 {
2439 int sep = 0;
2440 const uschar *list = argrest;
2441 uschar *filename;
2442 while (f.trusted_config && (filename = string_nextinlist(&list,
2443 &sep, big_buffer, big_buffer_size)))
2444 {
2445 for (i=0; i < nr_configs; i++)
2446 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2447 break;
2448 if (i == nr_configs)
2449 {
2450 f.trusted_config = FALSE;
2451 break;
2452 }
2453 }
2454 }
2455 else /* No valid prefixes found in trust_list file. */
2456 f.trusted_config = FALSE;
2457 store_reset(reset_point);
2458 store_pool = old_pool;
2459 }
2460 }
2461 else /* Could not open trust_list file. */
2462 f.trusted_config = FALSE;
2463 }
2464 #else
2465 /* Not root; don't trust config */
2466 f.trusted_config = FALSE;
2467 #endif
2468 }
2469
2470 config_main_filelist = argrest;
2471 f.config_changed = TRUE;
2472 }
2473 break;
2474
2475
2476 /* -D: set up a macro definition */
2477
2478 case 'D':
2479 #ifdef DISABLE_D_OPTION
2480 exim_fail("exim: -D is not available in this Exim binary\n");
2481 #else
2482 {
2483 int ptr = 0;
2484 macro_item *m;
2485 uschar name[24];
2486 uschar *s = argrest;
2487
2488 opt_D_used = TRUE;
2489 while (isspace(*s)) s++;
2490
2491 if (*s < 'A' || *s > 'Z')
2492 exim_fail("exim: macro name set by -D must start with "
2493 "an upper case letter\n");
2494
2495 while (isalnum(*s) || *s == '_')
2496 {
2497 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2498 s++;
2499 }
2500 name[ptr] = 0;
2501 if (ptr == 0) { badarg = TRUE; break; }
2502 while (isspace(*s)) s++;
2503 if (*s != 0)
2504 {
2505 if (*s++ != '=') { badarg = TRUE; break; }
2506 while (isspace(*s)) s++;
2507 }
2508
2509 for (m = macros_user; m; m = m->next)
2510 if (Ustrcmp(m->name, name) == 0)
2511 exim_fail("exim: duplicated -D in command line\n");
2512
2513 m = macro_create(name, s, TRUE);
2514
2515 if (clmacro_count >= MAX_CLMACROS)
2516 exim_fail("exim: too many -D options on command line\n");
2517 clmacros[clmacro_count++] =
2518 string_sprintf("-D%s=%s", m->name, m->replacement);
2519 }
2520 #endif
2521 break;
2522
2523 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2524 The latter is now a no-op, retained for compatibility only. If -dd is used,
2525 debugging subprocesses of the daemon is disabled. */
2526
2527 case 'd':
2528 if (Ustrcmp(argrest, "ropcr") == 0)
2529 {
2530 /* drop_cr = TRUE; */
2531 }
2532
2533 /* Use an intermediate variable so that we don't set debugging while
2534 decoding the debugging bits. */
2535
2536 else
2537 {
2538 unsigned int selector = D_default;
2539 debug_selector = 0;
2540 debug_file = NULL;
2541 if (*argrest == 'd')
2542 {
2543 f.debug_daemon = TRUE;
2544 argrest++;
2545 }
2546 if (*argrest)
2547 decode_bits(&selector, 1, debug_notall, argrest,
2548 debug_options, debug_options_count, US"debug", 0);
2549 debug_selector = selector;
2550 }
2551 break;
2552
2553
2554 /* -E: This is a local error message. This option is not intended for
2555 external use at all, but is not restricted to trusted callers because it
2556 does no harm (just suppresses certain error messages) and if Exim is run
2557 not setuid root it won't always be trusted when it generates error
2558 messages using this option. If there is a message id following -E, point
2559 message_reference at it, for logging. */
2560
2561 case 'E':
2562 f.local_error_message = TRUE;
2563 if (mac_ismsgid(argrest)) message_reference = argrest;
2564 break;
2565
2566
2567 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2568 option, so it looks as if historically the -oex options are also callable
2569 without the leading -o. So we have to accept them. Before the switch,
2570 anything starting -oe has been converted to -e. Exim does not support all
2571 of the sendmail error options. */
2572
2573 case 'e':
2574 if (Ustrcmp(argrest, "e") == 0)
2575 {
2576 arg_error_handling = ERRORS_SENDER;
2577 errors_sender_rc = EXIT_SUCCESS;
2578 }
2579 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2580 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2581 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2582 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2583 else badarg = TRUE;
2584 break;
2585
2586
2587 /* -F: Set sender's full name, used instead of the gecos entry from
2588 the password file. Since users can usually alter their gecos entries,
2589 there's no security involved in using this instead. The data can follow
2590 the -F or be in the next argument. */
2591
2592 case 'F':
2593 if (!*argrest)
2594 if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
2595 originator_name = string_copy_taint(argrest, TRUE);
2596 f.sender_name_forced = TRUE;
2597 break;
2598
2599
2600 /* -f: Set sender's address - this value is only actually used if Exim is
2601 run by a trusted user, or if untrusted_set_sender is set and matches the
2602 address, except that the null address can always be set by any user. The
2603 test for this happens later, when the value given here is ignored when not
2604 permitted. For an untrusted user, the actual sender is still put in Sender:
2605 if it doesn't match the From: header (unless no_local_from_check is set).
2606 The data can follow the -f or be in the next argument. The -r switch is an
2607 obsolete form of -f but since there appear to be programs out there that
2608 use anything that sendmail has ever supported, better accept it - the
2609 synonymizing is done before the switch above.
2610
2611 At this stage, we must allow domain literal addresses, because we don't
2612 know what the setting of allow_domain_literals is yet. Ditto for trailing
2613 dots and strip_trailing_dot. */
2614
2615 case 'f':
2616 {
2617 int dummy_start, dummy_end;
2618 uschar *errmess;
2619 if (!*argrest)
2620 if (i+1 < argc) argrest = argv[++i]; else { badarg = TRUE; break; }
2621 if (!*argrest)
2622 *(sender_address = store_get(1, FALSE)) = '\0'; /* Ensure writeable memory */
2623 else
2624 {
2625 uschar * temp = argrest + Ustrlen(argrest) - 1;
2626 while (temp >= argrest && isspace(*temp)) temp--;
2627 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2628 allow_domain_literals = TRUE;
2629 strip_trailing_dot = TRUE;
2630 #ifdef SUPPORT_I18N
2631 allow_utf8_domains = TRUE;
2632 #endif
2633 if (!(sender_address = parse_extract_address(argrest, &errmess,
2634 &dummy_start, &dummy_end, &sender_address_domain, TRUE)))
2635 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
2636
2637 sender_address = string_copy_taint(sender_address, TRUE);
2638 #ifdef SUPPORT_I18N
2639 message_smtputf8 = string_is_utf8(sender_address);
2640 allow_utf8_domains = FALSE;
2641 #endif
2642 allow_domain_literals = FALSE;
2643 strip_trailing_dot = FALSE;
2644 }
2645 f.sender_address_forced = TRUE;
2646 }
2647 break;
2648
2649 /* -G: sendmail invocation to specify that it's a gateway submission and
2650 sendmail may complain about problems instead of fixing them.
2651 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2652 not at this time complain about problems. */
2653
2654 case 'G':
2655 flag_G = TRUE;
2656 break;
2657
2658 /* -h: Set the hop count for an incoming message. Exim does not currently
2659 support this; it always computes it by counting the Received: headers.
2660 To put it in will require a change to the spool header file format. */
2661
2662 case 'h':
2663 if (!*argrest)
2664 if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
2665 if (!isdigit(*argrest)) badarg = TRUE;
2666 break;
2667
2668
2669 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2670 not to be documented for sendmail but mailx (at least) uses it) */
2671
2672 case 'i':
2673 if (!*argrest) f.dot_ends = FALSE; else badarg = TRUE;
2674 break;
2675
2676
2677 /* -L: set the identifier used for syslog; equivalent to setting
2678 syslog_processname in the config file, but needs to be an admin option. */
2679
2680 case 'L':
2681 if (!*argrest)
2682 if (++i < argc) argrest = argv[i]; else { badarg = TRUE; break; }
2683 if ((sz = Ustrlen(argrest)) > 32)
2684 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
2685 if (sz < 1)
2686 exim_fail("exim: the -L syslog name is too short\n");
2687 cmdline_syslog_name = string_copy_taint(argrest, TRUE);
2688 break;
2689
2690 case 'M':
2691 receiving_message = FALSE;
2692
2693 /* -MC: continue delivery of another message via an existing open
2694 file descriptor. This option is used for an internal call by the
2695 smtp transport when there is a pending message waiting to go to an
2696 address to which it has got a connection. Five subsequent arguments are
2697 required: transport name, host name, IP address, sequence number, and
2698 message_id. Transports may decline to create new processes if the sequence
2699 number gets too big. The channel is stdin. This (-MC) must be the last
2700 argument. There's a subsequent check that the real-uid is privileged.
2701
2702 If we are running in the test harness. delay for a bit, to let the process
2703 that set this one up complete. This makes for repeatability of the logging,
2704 etc. output. */
2705
2706 if (Ustrcmp(argrest, "C") == 0)
2707 {
2708 union sockaddr_46 interface_sock;
2709 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2710
2711 if (argc != i + 6)
2712 exim_fail("exim: too many or too few arguments after -MC\n");
2713
2714 if (msg_action_arg >= 0)
2715 exim_fail("exim: incompatible arguments\n");
2716
2717 continue_transport = string_copy_taint(argv[++i], TRUE);
2718 continue_hostname = string_copy_taint(argv[++i], TRUE);
2719 continue_host_address = string_copy_taint(argv[++i], TRUE);
2720 continue_sequence = Uatoi(argv[++i]);
2721 msg_action = MSG_DELIVER;
2722 msg_action_arg = ++i;
2723 forced_delivery = TRUE;
2724 queue_run_pid = passed_qr_pid;
2725 queue_run_pipe = passed_qr_pipe;
2726
2727 if (!mac_ismsgid(argv[i]))
2728 exim_fail("exim: malformed message id %s after -MC option\n",
2729 argv[i]);
2730
2731 /* Set up $sending_ip_address and $sending_port, unless proxied */
2732
2733 if (!continue_proxy_cipher)
2734 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2735 &size) == 0)
2736 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2737 &sending_port);
2738 else
2739 exim_fail("exim: getsockname() failed after -MC option: %s\n",
2740 strerror(errno));
2741
2742 testharness_pause_ms(500);
2743 break;
2744 }
2745
2746 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2747 {
2748 switch(argrest[1])
2749 {
2750 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2751 precedes -MC (see above). The flag indicates that the host to which
2752 Exim is connected has accepted an AUTH sequence. */
2753
2754 case 'A': f.smtp_authenticated = TRUE; break;
2755
2756 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2757 that exim is connected to supports the esmtp extension DSN */
2758
2759 case 'D': smtp_peer_options |= OPTION_DSN; break;
2760
2761 /* -MCd: for debug, set a process-purpose string */
2762
2763 case 'd': if (++i < argc)
2764 process_purpose = string_copy_taint(argv[i], TRUE);
2765 else badarg = TRUE;
2766 break;
2767
2768 /* -MCG: set the queue name, to a non-default value */
2769
2770 case 'G': if (++i < argc) queue_name = string_copy_taint(argv[i], TRUE);
2771 else badarg = TRUE;
2772 break;
2773
2774 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2775
2776 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
2777
2778 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2779 it preceded -MC (see above) */
2780
2781 case 'P': smtp_peer_options |= OPTION_PIPE; break;
2782
2783 /* -MCQ: pass on the pid of the queue-running process that started
2784 this chain of deliveries and the fd of its synchronizing pipe; this
2785 is useful only when it precedes -MC (see above) */
2786
2787 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2788 else badarg = TRUE;
2789 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2790 else badarg = TRUE;
2791 break;
2792
2793 /* -MCS: set the smtp_use_size flag; this is useful only when it
2794 precedes -MC (see above) */
2795
2796 case 'S': smtp_peer_options |= OPTION_SIZE; break;
2797
2798 #ifndef DISABLE_TLS
2799 /* -MCt: similar to -MCT below but the connection is still open
2800 via a proxy process which handles the TLS context and coding.
2801 Require three arguments for the proxied local address and port,
2802 and the TLS cipher. */
2803
2804 case 't': if (++i < argc)
2805 sending_ip_address = string_copy_taint(argv[i], TRUE);
2806 else badarg = TRUE;
2807 if (++i < argc)
2808 sending_port = (int)(Uatol(argv[i]));
2809 else badarg = TRUE;
2810 if (++i < argc)
2811 continue_proxy_cipher = string_copy_taint(argv[i], TRUE);
2812 else badarg = TRUE;
2813 /*FALLTHROUGH*/
2814
2815 /* -MCT: set the tls_offered flag; this is useful only when it
2816 precedes -MC (see above). The flag indicates that the host to which
2817 Exim is connected has offered TLS support. */
2818
2819 case 'T': smtp_peer_options |= OPTION_TLS; break;
2820 #endif
2821
2822 default: badarg = TRUE; break;
2823 }
2824 break;
2825 }
2826
2827 /* -M[x]: various operations on the following list of message ids:
2828 -M deliver the messages, ignoring next retry times and thawing
2829 -Mc deliver the messages, checking next retry times, no thawing
2830 -Mf freeze the messages
2831 -Mg give up on the messages
2832 -Mt thaw the messages
2833 -Mrm remove the messages
2834 In the above cases, this must be the last option. There are also the
2835 following options which are followed by a single message id, and which
2836 act on that message. Some of them use the "recipient" addresses as well.
2837 -Mar add recipient(s)
2838 -Mmad mark all recipients delivered
2839 -Mmd mark recipients(s) delivered
2840 -Mes edit sender
2841 -Mset load a message for use with -be
2842 -Mvb show body
2843 -Mvc show copy (of whole message, in RFC 2822 format)
2844 -Mvh show header
2845 -Mvl show log
2846 */
2847
2848 else if (!*argrest)
2849 {
2850 msg_action = MSG_DELIVER;
2851 forced_delivery = f.deliver_force_thaw = TRUE;
2852 }
2853 else if (Ustrcmp(argrest, "ar") == 0)
2854 {
2855 msg_action = MSG_ADD_RECIPIENT;
2856 one_msg_action = TRUE;
2857 }
2858 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2859 else if (Ustrcmp(argrest, "es") == 0)
2860 {
2861 msg_action = MSG_EDIT_SENDER;
2862 one_msg_action = TRUE;
2863 }
2864 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2865 else if (Ustrcmp(argrest, "g") == 0)
2866 {
2867 msg_action = MSG_DELIVER;
2868 deliver_give_up = TRUE;
2869 }
2870 else if (Ustrcmp(argrest, "G") == 0)
2871 {
2872 msg_action = MSG_SETQUEUE;
2873 queue_name_dest = string_copy_taint(argv[++i], TRUE);
2874 }
2875 else if (Ustrcmp(argrest, "mad") == 0)
2876 {
2877 msg_action = MSG_MARK_ALL_DELIVERED;
2878 }
2879 else if (Ustrcmp(argrest, "md") == 0)
2880 {
2881 msg_action = MSG_MARK_DELIVERED;
2882 one_msg_action = TRUE;
2883 }
2884 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2885 else if (Ustrcmp(argrest, "set") == 0)
2886 {
2887 msg_action = MSG_LOAD;
2888 one_msg_action = TRUE;
2889 }
2890 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2891 else if (Ustrcmp(argrest, "vb") == 0)
2892 {
2893 msg_action = MSG_SHOW_BODY;
2894 one_msg_action = TRUE;
2895 }
2896 else if (Ustrcmp(argrest, "vc") == 0)
2897 {
2898 msg_action = MSG_SHOW_COPY;
2899 one_msg_action = TRUE;
2900 }
2901 else if (Ustrcmp(argrest, "vh") == 0)
2902 {
2903 msg_action = MSG_SHOW_HEADER;
2904 one_msg_action = TRUE;
2905 }
2906 else if (Ustrcmp(argrest, "vl") == 0)
2907 {
2908 msg_action = MSG_SHOW_LOG;
2909 one_msg_action = TRUE;
2910 }
2911 else { badarg = TRUE; break; }
2912
2913 /* All the -Mxx options require at least one message id. */
2914
2915 msg_action_arg = i + 1;
2916 if (msg_action_arg >= argc)
2917 exim_fail("exim: no message ids given after %s option\n", arg);
2918
2919 /* Some require only message ids to follow */
2920
2921 if (!one_msg_action)
2922 {
2923 for (int j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2924 exim_fail("exim: malformed message id %s after %s option\n",
2925 argv[j], arg);
2926 goto END_ARG; /* Remaining args are ids */
2927 }
2928
2929 /* Others require only one message id, possibly followed by addresses,
2930 which will be handled as normal arguments. */
2931
2932 else
2933 {
2934 if (!mac_ismsgid(argv[msg_action_arg]))
2935 exim_fail("exim: malformed message id %s after %s option\n",
2936 argv[msg_action_arg], arg);
2937 i++;
2938 }
2939 break;
2940
2941
2942 /* Some programs seem to call the -om option without the leading o;
2943 for sendmail it askes for "me too". Exim always does this. */
2944
2945 case 'm':
2946 if (*argrest) badarg = TRUE;
2947 break;
2948
2949
2950 /* -N: don't do delivery - a debugging option that stops transports doing
2951 their thing. It implies debugging at the D_v level. */
2952
2953 case 'N':
2954 if (!*argrest)
2955 {
2956 f.dont_deliver = TRUE;
2957 debug_selector |= D_v;
2958 debug_file = stderr;
2959 }
2960 else badarg = TRUE;
2961 break;
2962
2963
2964 /* -n: This means "don't alias" in sendmail, apparently.
2965 For normal invocations, it has no effect.
2966 It may affect some other options. */
2967
2968 case 'n':
2969 flag_n = TRUE;
2970 break;
2971
2972 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2973 option to the specified value. This form uses long names. We need to handle
2974 -O option=value and -Ooption=value. */
2975
2976 case 'O':
2977 if (!*argrest)
2978 if (++i >= argc)
2979 exim_fail("exim: string expected after -O\n");
2980 break;
2981
2982 case 'o':
2983 switch (*argrest++)
2984 {
2985 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2986 file" option). */
2987 case 'A':
2988 if (!*(alias_arg = argrest))
2989 if (i+1 < argc) alias_arg = argv[++i];
2990 else exim_fail("exim: string expected after -oA\n");
2991 break;
2992
2993 /* -oB: Set a connection message max value for remote deliveries */
2994 case 'B':
2995 {
2996 uschar * p = argrest;
2997 if (!*p)
2998 if (i+1 < argc && isdigit((argv[i+1][0])))
2999 p = argv[++i];
3000 else
3001 {
3002 connection_max_messages = 1;
3003 p = NULL;
3004 }
3005
3006 if (p)
3007 {
3008 if (!isdigit(*p))
3009 exim_fail("exim: number expected after -oB\n");
3010 connection_max_messages = Uatoi(p);
3011 }
3012 }
3013 break;
3014
3015 /* -odb: background delivery */
3016
3017 case 'd':
3018 if (Ustrcmp(argrest, "b") == 0)
3019 {
3020 f.synchronous_delivery = FALSE;
3021 arg_queue_only = FALSE;
3022 queue_only_set = TRUE;
3023 }
3024
3025 /* -odd: testsuite-only: add no inter-process delays */
3026
3027 else if (Ustrcmp(argrest, "d") == 0)
3028 f.testsuite_delays = FALSE;
3029
3030 /* -odf: foreground delivery (smail-compatible option); same effect as
3031 -odi: interactive (synchronous) delivery (sendmail-compatible option)
3032 */
3033
3034 else if (Ustrcmp(argrest, "f") == 0 || Ustrcmp(argrest, "i") == 0)
3035 {
3036 f.synchronous_delivery = TRUE;
3037 arg_queue_only = FALSE;
3038 queue_only_set = TRUE;
3039 }
3040
3041 /* -odq: queue only */
3042
3043 else if (Ustrcmp(argrest, "q") == 0)
3044 {
3045 f.synchronous_delivery = FALSE;
3046 arg_queue_only = TRUE;
3047 queue_only_set = TRUE;
3048 }
3049
3050 /* -odqs: queue SMTP only - do local deliveries and remote routing,
3051 but no remote delivery */
3052
3053 else if (Ustrcmp(argrest, "qs") == 0)
3054 {
3055 f.queue_smtp = TRUE;
3056 arg_queue_only = FALSE;
3057 queue_only_set = TRUE;
3058 }
3059 else badarg = TRUE;
3060 break;
3061
3062 /* -oex: Sendmail error flags. As these are also accepted without the
3063 leading -o prefix, for compatibility with vacation and other callers,
3064 they are handled with -e above. */
3065
3066 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
3067 -oitrue: Another sendmail syntax for the same */
3068
3069 case 'i':
3070 if (!*argrest || Ustrcmp(argrest, "true") == 0)
3071 f.dot_ends = FALSE;
3072 else badarg = TRUE;
3073 break;
3074
3075 /* -oM*: Set various characteristics for an incoming message; actually
3076 acted on for trusted callers only. */
3077
3078 case 'M':
3079 {
3080 if (i+1 >= argc)
3081 exim_fail("exim: data expected after -oM%s\n", argrest);
3082
3083 /* -oMa: Set sender host address */
3084
3085 if (Ustrcmp(argrest, "a") == 0)
3086 sender_host_address = string_copy_taint(argv[++i], TRUE);
3087
3088 /* -oMaa: Set authenticator name */
3089
3090 else if (Ustrcmp(argrest, "aa") == 0)
3091 sender_host_authenticated = string_copy_taint(argv[++i], TRUE);
3092
3093 /* -oMas: setting authenticated sender */
3094
3095 else if (Ustrcmp(argrest, "as") == 0)
3096 authenticated_sender = string_copy_taint(argv[++i], TRUE);
3097
3098 /* -oMai: setting authenticated id */
3099
3100 else if (Ustrcmp(argrest, "ai") == 0)
3101 authenticated_id = string_copy_taint(argv[++i], TRUE);
3102
3103 /* -oMi: Set incoming interface address */
3104
3105 else if (Ustrcmp(argrest, "i") == 0)
3106 interface_address = string_copy_taint(argv[++i], TRUE);
3107
3108 /* -oMm: Message reference */
3109
3110 else if (Ustrcmp(argrest, "m") == 0)
3111 {
3112 if (!mac_ismsgid(argv[i+1]))
3113 exim_fail("-oMm must be a valid message ID\n");
3114 if (!f.trusted_config)
3115 exim_fail("-oMm must be called by a trusted user/config\n");
3116 message_reference = argv[++i];
3117 }
3118
3119 /* -oMr: Received protocol */
3120
3121 else if (Ustrcmp(argrest, "r") == 0)
3122
3123 if (received_protocol)
3124 exim_fail("received_protocol is set already\n");
3125 else
3126 received_protocol = string_copy_taint(argv[++i], TRUE);
3127
3128 /* -oMs: Set sender host name */
3129
3130 else if (Ustrcmp(argrest, "s") == 0)
3131 sender_host_name = string_copy_taint(argv[++i], TRUE);
3132
3133 /* -oMt: Set sender ident */
3134
3135 else if (Ustrcmp(argrest, "t") == 0)
3136 {
3137 sender_ident_set = TRUE;
3138 sender_ident = string_copy_taint(argv[++i], TRUE);
3139 }
3140
3141 /* Else a bad argument */
3142
3143 else
3144 badarg = TRUE;
3145 }
3146 break;
3147
3148 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3149 seem to call this as -m (undocumented), so that is also accepted (see
3150 above). */
3151 /* -oo: An ancient flag for old-style addresses which still seems to
3152 crop up in some calls (see in SCO). */
3153
3154 case 'm':
3155 case 'o':
3156 if (*argrest) badarg = TRUE;
3157 break;
3158
3159 /* -oP <name>: set pid file path for daemon
3160 -oPX: delete pid file of daemon */
3161
3162 case 'P':
3163 if (!*argrest) override_pid_file_path = argv[++i];
3164 else if (Ustrcmp(argrest, "X") == 0) delete_pid_file();
3165 else badarg = TRUE;
3166 break;
3167
3168
3169 /* -or <n>: set timeout for non-SMTP acceptance
3170 -os <n>: set timeout for SMTP acceptance */
3171
3172 case 'r':
3173 case 's':
3174 {
3175 int * tp = argrest[-1] == 'r'
3176 ? &arg_receive_timeout : &arg_smtp_receive_timeout;
3177 if (*argrest)
3178 *tp = readconf_readtime(argrest, 0, FALSE);
3179 else if (i+1 < argc)
3180 *tp = readconf_readtime(argv[++i], 0, FALSE);
3181
3182 if (*tp < 0)
3183 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3184 }
3185 break;
3186
3187 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3188
3189 case 'X':
3190 if (*argrest) badarg = TRUE;
3191 else override_local_interfaces = string_copy_taint(argv[++i], TRUE);
3192 break;
3193
3194 /* Unknown -o argument */
3195
3196 default:
3197 badarg = TRUE;
3198 }
3199 break;
3200
3201
3202 /* -ps: force Perl startup; -pd force delayed Perl startup */
3203
3204 case 'p':
3205 #ifdef EXIM_PERL
3206 if (*argrest == 's' && argrest[1] == 0)
3207 {
3208 perl_start_option = 1;
3209 break;
3210 }
3211 if (*argrest == 'd' && argrest[1] == 0)
3212 {
3213 perl_start_option = -1;
3214 break;
3215 }
3216 #endif
3217
3218 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3219 which sets the host protocol and host name */
3220
3221 if (!*argrest)
3222 if (i+1 < argc) argrest = argv[++i]; else { badarg = TRUE; break; }
3223
3224 if (*argrest)
3225 {
3226 uschar * hn = Ustrchr(argrest, ':');
3227
3228 if (received_protocol)
3229 exim_fail("received_protocol is set already\n");
3230
3231 if (!hn)
3232 received_protocol = string_copy_taint(argrest, TRUE);
3233 else
3234 {
3235 received_protocol = string_copyn_taint(argrest, hn - argrest, TRUE);
3236 sender_host_name = string_copy_taint(hn + 1, TRUE);
3237 }
3238 }
3239 break;
3240
3241
3242 case 'q':
3243 receiving_message = FALSE;
3244 if (queue_interval >= 0)
3245 exim_fail("exim: -q specified more than once\n");
3246
3247 /* -qq...: Do queue runs in a 2-stage manner */
3248
3249 if (*argrest == 'q')
3250 {
3251 f.queue_2stage = TRUE;
3252 argrest++;
3253 }
3254
3255 /* -qi...: Do only first (initial) deliveries */
3256
3257 if (*argrest == 'i')
3258 {
3259 f.queue_run_first_delivery = TRUE;
3260 argrest++;
3261 }
3262
3263 /* -qf...: Run the queue, forcing deliveries
3264 -qff..: Ditto, forcing thawing as well */
3265
3266 if (*argrest == 'f')
3267 {
3268 f.queue_run_force = TRUE;
3269 if (*++argrest == 'f')
3270 {
3271 f.deliver_force_thaw = TRUE;
3272 argrest++;
3273 }
3274 }
3275
3276 /* -q[f][f]l...: Run the queue only on local deliveries */
3277
3278 if (*argrest == 'l')
3279 {
3280 f.queue_run_local = TRUE;
3281 argrest++;
3282 }
3283
3284 /* -q[f][f][l][G<name>]... Work on the named queue */
3285
3286 if (*argrest == 'G')
3287 {
3288 int i;
3289 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3290 queue_name = string_copyn(argrest, i);
3291 argrest += i;
3292 if (*argrest == '/') argrest++;
3293 }
3294
3295 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3296 only, optionally named, optionally starting from a given message id. */
3297
3298 if (!(list_queue || count_queue))
3299 if ( !*argrest
3300 && (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3301 {
3302 queue_interval = 0;
3303 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3304 start_queue_run_id = string_copy_taint(argv[++i], TRUE);
3305 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3306 stop_queue_run_id = string_copy_taint(argv[++i], TRUE);
3307 }
3308
3309 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3310 forced, optionally local only, optionally named. */
3311
3312 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3313 0, FALSE)) <= 0)
3314 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3315 break;
3316
3317
3318 case 'R': /* Synonymous with -qR... */
3319 receiving_message = FALSE;
3320
3321 /* -Rf: As -R (below) but force all deliveries,
3322 -Rff: Ditto, but also thaw all frozen messages,
3323 -Rr: String is regex
3324 -Rrf: Regex and force
3325 -Rrff: Regex and force and thaw
3326
3327 in all cases provided there are no further characters in this
3328 argument. */
3329
3330 if (*argrest)
3331 for (int i = 0; i < nelem(rsopts); i++)
3332 if (Ustrcmp(argrest, rsopts[i]) == 0)
3333 {
3334 if (i != 2) f.queue_run_force = TRUE;
3335 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3336 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3337 argrest += Ustrlen(rsopts[i]);
3338 }
3339
3340 /* -R: Set string to match in addresses for forced queue run to
3341 pick out particular messages. */
3342
3343 if (*argrest)
3344 deliver_selectstring = string_copy_taint(argrest, TRUE);
3345 else if (i+1 < argc)
3346 deliver_selectstring = string_copy_taint(argv[++i], TRUE);
3347 else
3348 exim_fail("exim: string expected after -R\n");
3349 break;
3350
3351
3352 /* -r: an obsolete synonym for -f (see above) */
3353
3354
3355 /* -S: Like -R but works on sender. */
3356
3357 case 'S': /* Synonymous with -qS... */
3358 receiving_message = FALSE;
3359
3360 /* -Sf: As -S (below) but force all deliveries,
3361 -Sff: Ditto, but also thaw all frozen messages,
3362 -Sr: String is regex
3363 -Srf: Regex and force
3364 -Srff: Regex and force and thaw
3365
3366 in all cases provided there are no further characters in this
3367 argument. */
3368
3369 if (*argrest)
3370 for (int i = 0; i < nelem(rsopts); i++)
3371 if (Ustrcmp(argrest, rsopts[i]) == 0)
3372 {
3373 if (i != 2) f.queue_run_force = TRUE;
3374 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3375 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3376 argrest += Ustrlen(rsopts[i]);
3377 }
3378
3379 /* -S: Set string to match in addresses for forced queue run to
3380 pick out particular messages. */
3381
3382 if (*argrest)
3383 deliver_selectstring_sender = string_copy_taint(argrest, TRUE);
3384 else if (i+1 < argc)
3385 deliver_selectstring_sender = string_copy_taint(argv[++i], TRUE);
3386 else
3387 exim_fail("exim: string expected after -S\n");
3388 break;
3389
3390 /* -Tqt is an option that is exclusively for use by the testing suite.
3391 It is not recognized in other circumstances. It allows for the setting up
3392 of explicit "queue times" so that various warning/retry things can be
3393 tested. Otherwise variability of clock ticks etc. cause problems. */
3394
3395 case 'T':
3396 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3397 fudged_queue_times = string_copy_taint(argv[++i], TRUE);
3398 else badarg = TRUE;
3399 break;
3400
3401
3402 /* -t: Set flag to extract recipients from body of message. */
3403
3404 case 't':
3405 if (!*argrest) extract_recipients = TRUE;
3406
3407 /* -ti: Set flag to extract recipients from body of message, and also
3408 specify that dot does not end the message. */
3409
3410 else if (Ustrcmp(argrest, "i") == 0)
3411 {
3412 extract_recipients = TRUE;
3413 f.dot_ends = FALSE;
3414 }
3415
3416 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3417
3418 #ifndef DISABLE_TLS
3419 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
3420 #endif
3421
3422 else badarg = TRUE;
3423 break;
3424
3425
3426 /* -U: This means "initial user submission" in sendmail, apparently. The
3427 doc claims that in future sendmail may refuse syntactically invalid
3428 messages instead of fixing them. For the moment, we just ignore it. */
3429
3430 case 'U':
3431 break;
3432
3433
3434 /* -v: verify things - this is a very low-level debugging */
3435
3436 case 'v':
3437 if (!*argrest)
3438 {
3439 debug_selector |= D_v;
3440 debug_file = stderr;
3441 }
3442 else badarg = TRUE;
3443 break;
3444
3445
3446 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3447
3448 The -x flag tells the sendmail command that mail from a local
3449 mail program has National Language Support (NLS) extended characters
3450 in the body of the mail item. The sendmail command can send mail with
3451 extended NLS characters across networks that normally corrupts these
3452 8-bit characters.
3453
3454 As Exim is 8-bit clean, it just ignores this flag. */
3455
3456 case 'x':
3457 if (*argrest) badarg = TRUE;
3458 break;
3459
3460 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3461 logs to that file. We swallow the parameter and otherwise ignore it. */
3462
3463 case 'X':
3464 if (!*argrest)
3465 if (++i >= argc)
3466 exim_fail("exim: string expected after -X\n");
3467 break;
3468
3469 case 'z':
3470 if (!*argrest)
3471 if (++i < argc)
3472 log_oneline = string_copy_taint(argv[i], TRUE);
3473 else
3474 exim_fail("exim: file name expected after %s\n", argv[i-1]);
3475 break;
3476
3477 /* All other initial characters are errors */
3478
3479 default:
3480 badarg = TRUE;
3481 break;
3482 } /* End of high-level switch statement */
3483
3484 /* Failed to recognize the option, or syntax error */
3485
3486 if (badarg)
3487 exim_fail("exim abandoned: unknown, malformed, or incomplete "
3488 "option %s\n", arg);
3489 }
3490
3491
3492 /* If -R or -S have been specified without -q, assume a single queue run. */
3493
3494 if ( (deliver_selectstring || deliver_selectstring_sender)
3495 && queue_interval < 0)
3496 queue_interval = 0;
3497
3498
3499 END_ARG:
3500 store_pool = old_pool;
3501 }