Intercept chown()/fchown() failure and emit a pointer to the bugreport. Closes 2391
[exim.git] / src / src / exim.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
11
12
13 #include "exim.h"
14
15 #if defined(__GLIBC__) && !defined(__UCLIBC__)
16 # include <gnu/libc-version.h>
17 #endif
18
19 #ifdef USE_GNUTLS
20 # include <gnutls/gnutls.h>
21 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22 # define DISABLE_OCSP
23 # endif
24 #endif
25
26 extern void init_lookup_list(void);
27
28
29
30 /*************************************************
31 * Function interface to store functions *
32 *************************************************/
33
34 /* We need some real functions to pass to the PCRE regular expression library
35 for store allocation via Exim's store manager. The normal calls are actually
36 macros that pass over location information to make tracing easier. These
37 functions just interface to the standard macro calls. A good compiler will
38 optimize out the tail recursion and so not make them too expensive. There
39 are two sets of functions; one for use when we want to retain the compiled
40 regular expression for a long time; the other for short-term use. */
41
42 static void *
43 function_store_get(size_t size)
44 {
45 return store_get((int)size);
46 }
47
48 static void
49 function_dummy_free(void *block) { block = block; }
50
51 static void *
52 function_store_malloc(size_t size)
53 {
54 return store_malloc((int)size);
55 }
56
57 static void
58 function_store_free(void *block)
59 {
60 store_free(block);
61 }
62
63
64
65
66 /*************************************************
67 * Enums for cmdline interface *
68 *************************************************/
69
70 enum commandline_info { CMDINFO_NONE=0,
71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
72
73
74
75
76 /*************************************************
77 * Compile regular expression and panic on fail *
78 *************************************************/
79
80 /* This function is called when failure to compile a regular expression leads
81 to a panic exit. In other cases, pcre_compile() is called directly. In many
82 cases where this function is used, the results of the compilation are to be
83 placed in long-lived store, so we temporarily reset the store management
84 functions that PCRE uses if the use_malloc flag is set.
85
86 Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91 Returns: pointer to the compiled pattern
92 */
93
94 const pcre *
95 regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
96 {
97 int offset;
98 int options = PCRE_COPT;
99 const pcre *yield;
100 const uschar *error;
101 if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106 if (caseless) options |= PCRE_CASELESS;
107 yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
108 pcre_malloc = function_store_get;
109 pcre_free = function_dummy_free;
110 if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113 return yield;
114 }
115
116
117
118
119 /*************************************************
120 * Execute regular expression and set strings *
121 *************************************************/
122
123 /* This function runs a regular expression match, and sets up the pointers to
124 the matched substrings.
125
126 Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134 Returns: TRUE or FALSE
135 */
136
137 BOOL
138 regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
139 {
140 int ovector[3*(EXPAND_MAXN+1)];
141 uschar * s = string_copy(subject); /* de-constifying */
142 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
143 PCRE_EOPT | options, ovector, nelem(ovector));
144 BOOL yield = n >= 0;
145 if (n == 0) n = EXPAND_MAXN + 1;
146 if (yield)
147 {
148 expand_nmax = setup < 0 ? 0 : setup + 1;
149 for (int nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
150 {
151 expand_nstring[expand_nmax] = s + ovector[nn];
152 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
153 }
154 expand_nmax--;
155 }
156 return yield;
157 }
158
159
160
161
162 /*************************************************
163 * Set up processing details *
164 *************************************************/
165
166 /* Save a text string for dumping when SIGUSR1 is received.
167 Do checks for overruns.
168
169 Arguments: format and arguments, as for printf()
170 Returns: nothing
171 */
172
173 void
174 set_process_info(const char *format, ...)
175 {
176 gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
177 gstring * g;
178 int len;
179 va_list ap;
180
181 g = string_fmt_append(&gs, "%5d ", (int)getpid());
182 len = g->ptr;
183 va_start(ap, format);
184 if (!string_vformat(g, FALSE, format, ap))
185 {
186 gs.ptr = len;
187 g = string_cat(&gs, US"**** string overflowed buffer ****");
188 }
189 g = string_catn(g, US"\n", 1);
190 string_from_gstring(g);
191 process_info_len = g->ptr;
192 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
193 va_end(ap);
194 }
195
196 /***********************************************
197 * Handler for SIGTERM *
198 ***********************************************/
199
200 static void
201 term_handler(int sig)
202 {
203 exit(1);
204 }
205
206
207 /*************************************************
208 * Handler for SIGUSR1 *
209 *************************************************/
210
211 /* SIGUSR1 causes any exim process to write to the process log details of
212 what it is currently doing. It will only be used if the OS is capable of
213 setting up a handler that causes automatic restarting of any system call
214 that is in progress at the time.
215
216 This function takes care to be signal-safe.
217
218 Argument: the signal number (SIGUSR1)
219 Returns: nothing
220 */
221
222 static void
223 usr1_handler(int sig)
224 {
225 int fd;
226
227 os_restarting_signal(sig, usr1_handler);
228
229 if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
230 {
231 /* If we are already running as the Exim user, try to create it in the
232 current process (assuming spool_directory exists). Otherwise, if we are
233 root, do the creation in an exim:exim subprocess. */
234
235 int euid = geteuid();
236 if (euid == exim_uid)
237 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
238 else if (euid == root_uid)
239 fd = log_create_as_exim(process_log_path);
240 }
241
242 /* If we are neither exim nor root, or if we failed to create the log file,
243 give up. There is not much useful we can do with errors, since we don't want
244 to disrupt whatever is going on outside the signal handler. */
245
246 if (fd < 0) return;
247
248 (void)write(fd, process_info, process_info_len);
249 (void)close(fd);
250 }
251
252
253
254 /*************************************************
255 * Timeout handler *
256 *************************************************/
257
258 /* This handler is enabled most of the time that Exim is running. The handler
259 doesn't actually get used unless alarm() has been called to set a timer, to
260 place a time limit on a system call of some kind. When the handler is run, it
261 re-enables itself.
262
263 There are some other SIGALRM handlers that are used in special cases when more
264 than just a flag setting is required; for example, when reading a message's
265 input. These are normally set up in the code module that uses them, and the
266 SIGALRM handler is reset to this one afterwards.
267
268 Argument: the signal value (SIGALRM)
269 Returns: nothing
270 */
271
272 void
273 sigalrm_handler(int sig)
274 {
275 sig = sig; /* Keep picky compilers happy */
276 sigalrm_seen = TRUE;
277 os_non_restarting_signal(SIGALRM, sigalrm_handler);
278 }
279
280
281
282 /*************************************************
283 * Sleep for a fractional time interval *
284 *************************************************/
285
286 /* This function is called by millisleep() and exim_wait_tick() to wait for a
287 period of time that may include a fraction of a second. The coding is somewhat
288 tedious. We do not expect setitimer() ever to fail, but if it does, the process
289 will wait for ever, so we panic in this instance. (There was a case of this
290 when a bug in a function that calls milliwait() caused it to pass invalid data.
291 That's when I added the check. :-)
292
293 We assume it to be not worth sleeping for under 100us; this value will
294 require revisiting as hardware advances. This avoids the issue of
295 a zero-valued timer setting meaning "never fire".
296
297 Argument: an itimerval structure containing the interval
298 Returns: nothing
299 */
300
301 static void
302 milliwait(struct itimerval *itval)
303 {
304 sigset_t sigmask;
305 sigset_t old_sigmask;
306
307 if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
308 return;
309 (void)sigemptyset(&sigmask); /* Empty mask */
310 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
311 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
312 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
313 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
314 "setitimer() failed: %s", strerror(errno));
315 (void)sigfillset(&sigmask); /* All signals */
316 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
317 (void)sigsuspend(&sigmask); /* Until SIGALRM */
318 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
319 }
320
321
322
323
324 /*************************************************
325 * Millisecond sleep function *
326 *************************************************/
327
328 /* The basic sleep() function has a granularity of 1 second, which is too rough
329 in some cases - for example, when using an increasing delay to slow down
330 spammers.
331
332 Argument: number of millseconds
333 Returns: nothing
334 */
335
336 void
337 millisleep(int msec)
338 {
339 struct itimerval itval;
340 itval.it_interval.tv_sec = 0;
341 itval.it_interval.tv_usec = 0;
342 itval.it_value.tv_sec = msec/1000;
343 itval.it_value.tv_usec = (msec % 1000) * 1000;
344 milliwait(&itval);
345 }
346
347
348
349 /*************************************************
350 * Compare microsecond times *
351 *************************************************/
352
353 /*
354 Arguments:
355 tv1 the first time
356 tv2 the second time
357
358 Returns: -1, 0, or +1
359 */
360
361 static int
362 exim_tvcmp(struct timeval *t1, struct timeval *t2)
363 {
364 if (t1->tv_sec > t2->tv_sec) return +1;
365 if (t1->tv_sec < t2->tv_sec) return -1;
366 if (t1->tv_usec > t2->tv_usec) return +1;
367 if (t1->tv_usec < t2->tv_usec) return -1;
368 return 0;
369 }
370
371
372
373
374 /*************************************************
375 * Clock tick wait function *
376 *************************************************/
377
378 /* Exim uses a time + a pid to generate a unique identifier in two places: its
379 message IDs, and in file names for maildir deliveries. Because some OS now
380 re-use pids within the same second, sub-second times are now being used.
381 However, for absolute certainty, we must ensure the clock has ticked before
382 allowing the relevant process to complete. At the time of implementation of
383 this code (February 2003), the speed of processors is such that the clock will
384 invariably have ticked already by the time a process has done its job. This
385 function prepares for the time when things are faster - and it also copes with
386 clocks that go backwards.
387
388 Arguments:
389 then_tv A timeval which was used to create uniqueness; its usec field
390 has been rounded down to the value of the resolution.
391 We want to be sure the current time is greater than this.
392 resolution The resolution that was used to divide the microseconds
393 (1 for maildir, larger for message ids)
394
395 Returns: nothing
396 */
397
398 void
399 exim_wait_tick(struct timeval *then_tv, int resolution)
400 {
401 struct timeval now_tv;
402 long int now_true_usec;
403
404 (void)gettimeofday(&now_tv, NULL);
405 now_true_usec = now_tv.tv_usec;
406 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
407
408 if (exim_tvcmp(&now_tv, then_tv) <= 0)
409 {
410 struct itimerval itval;
411 itval.it_interval.tv_sec = 0;
412 itval.it_interval.tv_usec = 0;
413 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
414 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
415
416 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
417 negative value for the microseconds is possible only in the case when "now"
418 is more than a second less than "then". That means that itval.it_value.tv_sec
419 is greater than zero. The following correction is therefore safe. */
420
421 if (itval.it_value.tv_usec < 0)
422 {
423 itval.it_value.tv_usec += 1000000;
424 itval.it_value.tv_sec -= 1;
425 }
426
427 DEBUG(D_transport|D_receive)
428 {
429 if (!f.running_in_test_harness)
430 {
431 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
432 then_tv->tv_sec, (long) then_tv->tv_usec,
433 now_tv.tv_sec, (long) now_tv.tv_usec);
434 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
435 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
436 }
437 }
438
439 milliwait(&itval);
440 }
441 }
442
443
444
445
446 /*************************************************
447 * Call fopen() with umask 777 and adjust mode *
448 *************************************************/
449
450 /* Exim runs with umask(0) so that files created with open() have the mode that
451 is specified in the open() call. However, there are some files, typically in
452 the spool directory, that are created with fopen(). They end up world-writeable
453 if no precautions are taken. Although the spool directory is not accessible to
454 the world, this is an untidiness. So this is a wrapper function for fopen()
455 that sorts out the mode of the created file.
456
457 Arguments:
458 filename the file name
459 options the fopen() options
460 mode the required mode
461
462 Returns: the fopened FILE or NULL
463 */
464
465 FILE *
466 modefopen(const uschar *filename, const char *options, mode_t mode)
467 {
468 mode_t saved_umask = umask(0777);
469 FILE *f = Ufopen(filename, options);
470 (void)umask(saved_umask);
471 if (f != NULL) (void)fchmod(fileno(f), mode);
472 return f;
473 }
474
475
476 /*************************************************
477 * Ensure stdin, stdout, and stderr exist *
478 *************************************************/
479
480 /* Some operating systems grumble if an exec() happens without a standard
481 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
482 file will be opened and will use these fd values, and then some other bit of
483 code will assume, for example, that it can write error messages to stderr.
484 This function ensures that fds 0, 1, and 2 are open if they do not already
485 exist, by connecting them to /dev/null.
486
487 This function is also used to ensure that std{in,out,err} exist at all times,
488 so that if any library that Exim calls tries to use them, it doesn't crash.
489
490 Arguments: None
491 Returns: Nothing
492 */
493
494 void
495 exim_nullstd(void)
496 {
497 int devnull = -1;
498 struct stat statbuf;
499 for (int i = 0; i <= 2; i++)
500 {
501 if (fstat(i, &statbuf) < 0 && errno == EBADF)
502 {
503 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
504 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
505 string_open_failed(errno, "/dev/null"));
506 if (devnull != i) (void)dup2(devnull, i);
507 }
508 }
509 if (devnull > 2) (void)close(devnull);
510 }
511
512
513
514
515 /*************************************************
516 * Close unwanted file descriptors for delivery *
517 *************************************************/
518
519 /* This function is called from a new process that has been forked to deliver
520 an incoming message, either directly, or using exec.
521
522 We want any smtp input streams to be closed in this new process. However, it
523 has been observed that using fclose() here causes trouble. When reading in -bS
524 input, duplicate copies of messages have been seen. The files will be sharing a
525 file pointer with the parent process, and it seems that fclose() (at least on
526 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
527 least sometimes. Hence we go for closing the underlying file descriptors.
528
529 If TLS is active, we want to shut down the TLS library, but without molesting
530 the parent's SSL connection.
531
532 For delivery of a non-SMTP message, we want to close stdin and stdout (and
533 stderr unless debugging) because the calling process might have set them up as
534 pipes and be waiting for them to close before it waits for the submission
535 process to terminate. If they aren't closed, they hold up the calling process
536 until the initial delivery process finishes, which is not what we want.
537
538 Exception: We do want it for synchronous delivery!
539
540 And notwithstanding all the above, if D_resolver is set, implying resolver
541 debugging, leave stdout open, because that's where the resolver writes its
542 debugging output.
543
544 When we close stderr (which implies we've also closed stdout), we also get rid
545 of any controlling terminal.
546
547 Arguments: None
548 Returns: Nothing
549 */
550
551 static void
552 close_unwanted(void)
553 {
554 if (smtp_input)
555 {
556 #ifdef SUPPORT_TLS
557 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
558 #endif
559 (void)close(fileno(smtp_in));
560 (void)close(fileno(smtp_out));
561 smtp_in = NULL;
562 }
563 else
564 {
565 (void)close(0); /* stdin */
566 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
567 if (debug_selector == 0) /* stderr */
568 {
569 if (!f.synchronous_delivery)
570 {
571 (void)close(2);
572 log_stderr = NULL;
573 }
574 (void)setsid();
575 }
576 }
577 }
578
579
580
581
582 /*************************************************
583 * Set uid and gid *
584 *************************************************/
585
586 /* This function sets a new uid and gid permanently, optionally calling
587 initgroups() to set auxiliary groups. There are some special cases when running
588 Exim in unprivileged modes. In these situations the effective uid will not be
589 root; if we already have the right effective uid/gid, and don't need to
590 initialize any groups, leave things as they are.
591
592 Arguments:
593 uid the uid
594 gid the gid
595 igflag TRUE if initgroups() wanted
596 msg text to use in debugging output and failure log
597
598 Returns: nothing; bombs out on failure
599 */
600
601 void
602 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
603 {
604 uid_t euid = geteuid();
605 gid_t egid = getegid();
606
607 if (euid == root_uid || euid != uid || egid != gid || igflag)
608 {
609 /* At least one OS returns +1 for initgroups failure, so just check for
610 non-zero. */
611
612 if (igflag)
613 {
614 struct passwd *pw = getpwuid(uid);
615 if (!pw)
616 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
617 "no passwd entry for uid=%ld", (long int)uid);
618
619 if (initgroups(pw->pw_name, gid) != 0)
620 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
621 (long int)uid, strerror(errno));
622 }
623
624 if (setgid(gid) < 0 || setuid(uid) < 0)
625 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
626 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
627 }
628
629 /* Debugging output included uid/gid and all groups */
630
631 DEBUG(D_uid)
632 {
633 int group_count, save_errno;
634 gid_t group_list[EXIM_GROUPLIST_SIZE];
635 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
636 (long int)geteuid(), (long int)getegid(), (long int)getpid());
637 group_count = getgroups(nelem(group_list), group_list);
638 save_errno = errno;
639 debug_printf(" auxiliary group list:");
640 if (group_count > 0)
641 for (int i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
642 else if (group_count < 0)
643 debug_printf(" <error: %s>", strerror(save_errno));
644 else debug_printf(" <none>");
645 debug_printf("\n");
646 }
647 }
648
649
650
651
652 /*************************************************
653 * Exit point *
654 *************************************************/
655
656 /* Exim exits via this function so that it always clears up any open
657 databases.
658
659 Arguments:
660 rc return code
661
662 Returns: does not return
663 */
664
665 void
666 exim_exit(int rc, const uschar * process)
667 {
668 search_tidyup();
669 DEBUG(D_any)
670 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
671 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
672 process ? "(" : "", process, process ? ") " : "", rc);
673 exit(rc);
674 }
675
676
677
678 /* Print error string, then die */
679 static void
680 exim_fail(const char * fmt, ...)
681 {
682 va_list ap;
683 va_start(ap, fmt);
684 vfprintf(stderr, fmt, ap);
685 exit(EXIT_FAILURE);
686 }
687
688 /* exim_chown_failure() called from exim_chown()/exim_fchown() on failure
689 of chown()/fchown(). See src/functions.h for more explanation */
690 int
691 exim_chown_failure(int fd, const uschar *name, uid_t owner, gid_t group)
692 {
693 #if 1
694 log_write(0, LOG_MAIN|LOG_PANIC,
695 __FILE__ ":%d: chown(%s, %d:%d) failed (%s)."
696 " Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391",
697 __LINE__, name?name:US"<unknown>", owner, group, strerror(errno));
698 #else
699 /* I leave this here, commented, in case the "bug"(?) comes up again.
700 It is not an Exim bug, but we can provide a workaround.
701 See Bug 2391
702 HS 2019-04-18 */
703
704 int saved_errno = errno; /* from the preceeding chown call */
705 struct stat buf;
706
707 if (0 == (fd < 0 ? stat(name, &buf) : fstat(fd, &buf)))
708 {
709 if (buf.st_uid == owner && buf.st_gid == group) return 0;
710 log_write(0, LOG_MAIN|LOG_PANIC, "Wrong ownership on %s", name);
711 }
712 else log_write(0, LOG_MAIN|LOG_PANIC, "Stat failed on %s: %s", name, strerror(errno));
713
714 errno = saved_errno;
715 return -1;
716 #endif
717 }
718
719
720 /*************************************************
721 * Extract port from host address *
722 *************************************************/
723
724 /* Called to extract the port from the values given to -oMa and -oMi.
725 It also checks the syntax of the address, and terminates it before the
726 port data when a port is extracted.
727
728 Argument:
729 address the address, with possible port on the end
730
731 Returns: the port, or zero if there isn't one
732 bombs out on a syntax error
733 */
734
735 static int
736 check_port(uschar *address)
737 {
738 int port = host_address_extract_port(address);
739 if (string_is_ip_address(address, NULL) == 0)
740 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
741 return port;
742 }
743
744
745
746 /*************************************************
747 * Test/verify an address *
748 *************************************************/
749
750 /* This function is called by the -bv and -bt code. It extracts a working
751 address from a full RFC 822 address. This isn't really necessary per se, but it
752 has the effect of collapsing source routes.
753
754 Arguments:
755 s the address string
756 flags flag bits for verify_address()
757 exit_value to be set for failures
758
759 Returns: nothing
760 */
761
762 static void
763 test_address(uschar *s, int flags, int *exit_value)
764 {
765 int start, end, domain;
766 uschar *parse_error = NULL;
767 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
768 FALSE);
769 if (address == NULL)
770 {
771 fprintf(stdout, "syntax error: %s\n", parse_error);
772 *exit_value = 2;
773 }
774 else
775 {
776 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
777 -1, -1, NULL, NULL, NULL);
778 if (rc == FAIL) *exit_value = 2;
779 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
780 }
781 }
782
783
784
785 /*************************************************
786 * Show supported features *
787 *************************************************/
788
789 static void
790 show_db_version(FILE * f)
791 {
792 #ifdef DB_VERSION_STRING
793 DEBUG(D_any)
794 {
795 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
796 fprintf(f, " Runtime: %s\n",
797 db_version(NULL, NULL, NULL));
798 }
799 else
800 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
801
802 #elif defined(BTREEVERSION) && defined(HASHVERSION)
803 #ifdef USE_DB
804 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
805 #else
806 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
807 #endif
808
809 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
810 fprintf(f, "Probably ndbm\n");
811 #elif defined(USE_TDB)
812 fprintf(f, "Using tdb\n");
813 #else
814 #ifdef USE_GDBM
815 fprintf(f, "Probably GDBM (native mode)\n");
816 #else
817 fprintf(f, "Probably GDBM (compatibility mode)\n");
818 #endif
819 #endif
820 }
821
822
823 /* This function is called for -bV/--version and for -d to output the optional
824 features of the current Exim binary.
825
826 Arguments: a FILE for printing
827 Returns: nothing
828 */
829
830 static void
831 show_whats_supported(FILE * fp)
832 {
833 DEBUG(D_any) {} else show_db_version(fp);
834
835 fprintf(fp, "Support for:");
836 #ifdef SUPPORT_CRYPTEQ
837 fprintf(fp, " crypteq");
838 #endif
839 #if HAVE_ICONV
840 fprintf(fp, " iconv()");
841 #endif
842 #if HAVE_IPV6
843 fprintf(fp, " IPv6");
844 #endif
845 #ifdef HAVE_SETCLASSRESOURCES
846 fprintf(fp, " use_setclassresources");
847 #endif
848 #ifdef SUPPORT_PAM
849 fprintf(fp, " PAM");
850 #endif
851 #ifdef EXIM_PERL
852 fprintf(fp, " Perl");
853 #endif
854 #ifdef EXPAND_DLFUNC
855 fprintf(fp, " Expand_dlfunc");
856 #endif
857 #ifdef USE_TCP_WRAPPERS
858 fprintf(fp, " TCPwrappers");
859 #endif
860 #ifdef SUPPORT_TLS
861 # ifdef USE_GNUTLS
862 fprintf(fp, " GnuTLS");
863 # else
864 fprintf(fp, " OpenSSL");
865 # endif
866 #endif
867 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
868 fprintf(fp, " translate_ip_address");
869 #endif
870 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
871 fprintf(fp, " move_frozen_messages");
872 #endif
873 #ifdef WITH_CONTENT_SCAN
874 fprintf(fp, " Content_Scanning");
875 #endif
876 #ifdef SUPPORT_DANE
877 fprintf(fp, " DANE");
878 #endif
879 #ifndef DISABLE_DKIM
880 fprintf(fp, " DKIM");
881 #endif
882 #ifndef DISABLE_DNSSEC
883 fprintf(fp, " DNSSEC");
884 #endif
885 #ifndef DISABLE_EVENT
886 fprintf(fp, " Event");
887 #endif
888 #ifdef SUPPORT_I18N
889 fprintf(fp, " I18N");
890 #endif
891 #ifndef DISABLE_OCSP
892 fprintf(fp, " OCSP");
893 #endif
894 #ifndef DISABLE_PRDR
895 fprintf(fp, " PRDR");
896 #endif
897 #ifdef SUPPORT_PROXY
898 fprintf(fp, " PROXY");
899 #endif
900 #ifdef SUPPORT_SOCKS
901 fprintf(fp, " SOCKS");
902 #endif
903 #ifdef SUPPORT_SPF
904 fprintf(fp, " SPF");
905 #endif
906 #ifdef TCP_FASTOPEN
907 deliver_init();
908 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
909 #endif
910 #ifdef EXPERIMENTAL_LMDB
911 fprintf(fp, " Experimental_LMDB");
912 #endif
913 #ifdef EXPERIMENTAL_QUEUEFILE
914 fprintf(fp, " Experimental_QUEUEFILE");
915 #endif
916 #ifdef EXPERIMENTAL_SRS
917 fprintf(fp, " Experimental_SRS");
918 #endif
919 #ifdef EXPERIMENTAL_ARC
920 fprintf(fp, " Experimental_ARC");
921 #endif
922 #ifdef EXPERIMENTAL_BRIGHTMAIL
923 fprintf(fp, " Experimental_Brightmail");
924 #endif
925 #ifdef EXPERIMENTAL_DCC
926 fprintf(fp, " Experimental_DCC");
927 #endif
928 #ifdef EXPERIMENTAL_DMARC
929 fprintf(fp, " Experimental_DMARC");
930 #endif
931 #ifdef EXPERIMENTAL_DSN_INFO
932 fprintf(fp, " Experimental_DSN_info");
933 #endif
934 #ifdef EXPERIMENTAL_PIPE_CONNECT
935 fprintf(fp, " Experimental_PIPE_CONNECT");
936 #endif
937 fprintf(fp, "\n");
938
939 fprintf(fp, "Lookups (built-in):");
940 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
941 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
942 #endif
943 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
944 fprintf(fp, " cdb");
945 #endif
946 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
947 fprintf(fp, " dbm dbmjz dbmnz");
948 #endif
949 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
950 fprintf(fp, " dnsdb");
951 #endif
952 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
953 fprintf(fp, " dsearch");
954 #endif
955 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
956 fprintf(fp, " ibase");
957 #endif
958 #if defined(LOOKUP_JSON) && LOOKUP_JSON!=2
959 fprintf(fp, " json");
960 #endif
961 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
962 fprintf(fp, " ldap ldapdn ldapm");
963 #endif
964 #ifdef EXPERIMENTAL_LMDB
965 fprintf(fp, " lmdb");
966 #endif
967 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
968 fprintf(fp, " mysql");
969 #endif
970 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
971 fprintf(fp, " nis nis0");
972 #endif
973 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
974 fprintf(fp, " nisplus");
975 #endif
976 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
977 fprintf(fp, " oracle");
978 #endif
979 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
980 fprintf(fp, " passwd");
981 #endif
982 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
983 fprintf(fp, " pgsql");
984 #endif
985 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
986 fprintf(fp, " redis");
987 #endif
988 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
989 fprintf(fp, " sqlite");
990 #endif
991 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
992 fprintf(fp, " testdb");
993 #endif
994 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
995 fprintf(fp, " whoson");
996 #endif
997 fprintf(fp, "\n");
998
999 auth_show_supported(fp);
1000 route_show_supported(fp);
1001 transport_show_supported(fp);
1002
1003 #ifdef WITH_CONTENT_SCAN
1004 malware_show_supported(fp);
1005 #endif
1006
1007 if (fixed_never_users[0] > 0)
1008 {
1009 int i;
1010 fprintf(fp, "Fixed never_users: ");
1011 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
1012 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
1013 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
1014 }
1015
1016 fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
1017
1018 fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
1019
1020 /* Everything else is details which are only worth reporting when debugging.
1021 Perhaps the tls_version_report should move into this too. */
1022 DEBUG(D_any) do {
1023
1024 /* clang defines __GNUC__ (at least, for me) so test for it first */
1025 #if defined(__clang__)
1026 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
1027 #elif defined(__GNUC__)
1028 fprintf(fp, "Compiler: GCC [%s]\n",
1029 # ifdef __VERSION__
1030 __VERSION__
1031 # else
1032 "? unknown version ?"
1033 # endif
1034 );
1035 #else
1036 fprintf(fp, "Compiler: <unknown>\n");
1037 #endif
1038
1039 #if defined(__GLIBC__) && !defined(__UCLIBC__)
1040 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
1041 __GLIBC__, __GLIBC_MINOR__);
1042 if (__GLIBC_PREREQ(2, 1))
1043 fprintf(fp, " Runtime: %s\n",
1044 gnu_get_libc_version());
1045 #endif
1046
1047 show_db_version(fp);
1048
1049 #ifdef SUPPORT_TLS
1050 tls_version_report(fp);
1051 #endif
1052 #ifdef SUPPORT_I18N
1053 utf8_version_report(fp);
1054 #endif
1055
1056 for (auth_info * authi = auths_available; *authi->driver_name != '\0'; ++authi)
1057 if (authi->version_report)
1058 (*authi->version_report)(fp);
1059
1060 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1061 characters; unless it's an ancient version of PCRE in which case it
1062 is not defined. */
1063 #ifndef PCRE_PRERELEASE
1064 # define PCRE_PRERELEASE
1065 #endif
1066 #define QUOTE(X) #X
1067 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1068 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
1069 " Runtime: %s\n",
1070 PCRE_MAJOR, PCRE_MINOR,
1071 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
1072 pcre_version());
1073 #undef QUOTE
1074 #undef EXPAND_AND_QUOTE
1075
1076 init_lookup_list();
1077 for (int i = 0; i < lookup_list_count; i++)
1078 if (lookup_list[i]->version_report)
1079 lookup_list[i]->version_report(fp);
1080
1081 #ifdef WHITELIST_D_MACROS
1082 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1083 #else
1084 fprintf(fp, "WHITELIST_D_MACROS unset\n");
1085 #endif
1086 #ifdef TRUSTED_CONFIG_LIST
1087 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1088 #else
1089 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
1090 #endif
1091
1092 } while (0);
1093 }
1094
1095
1096 /*************************************************
1097 * Show auxiliary information about Exim *
1098 *************************************************/
1099
1100 static void
1101 show_exim_information(enum commandline_info request, FILE *stream)
1102 {
1103 switch(request)
1104 {
1105 case CMDINFO_NONE:
1106 fprintf(stream, "Oops, something went wrong.\n");
1107 return;
1108 case CMDINFO_HELP:
1109 fprintf(stream,
1110 "The -bI: flag takes a string indicating which information to provide.\n"
1111 "If the string is not recognised, you'll get this help (on stderr).\n"
1112 "\n"
1113 " exim -bI:help this information\n"
1114 " exim -bI:dscp list of known dscp value keywords\n"
1115 " exim -bI:sieve list of supported sieve extensions\n"
1116 );
1117 return;
1118 case CMDINFO_SIEVE:
1119 for (const uschar ** pp = exim_sieve_extension_list; *pp; ++pp)
1120 fprintf(stream, "%s\n", *pp);
1121 return;
1122 case CMDINFO_DSCP:
1123 dscp_list_to_stream(stream);
1124 return;
1125 }
1126 }
1127
1128
1129 /*************************************************
1130 * Quote a local part *
1131 *************************************************/
1132
1133 /* This function is used when a sender address or a From: or Sender: header
1134 line is being created from the caller's login, or from an authenticated_id. It
1135 applies appropriate quoting rules for a local part.
1136
1137 Argument: the local part
1138 Returns: the local part, quoted if necessary
1139 */
1140
1141 uschar *
1142 local_part_quote(uschar *lpart)
1143 {
1144 BOOL needs_quote = FALSE;
1145 gstring * g;
1146
1147 for (uschar * t = lpart; !needs_quote && *t != 0; t++)
1148 {
1149 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1150 (*t != '.' || t == lpart || t[1] == 0);
1151 }
1152
1153 if (!needs_quote) return lpart;
1154
1155 g = string_catn(NULL, US"\"", 1);
1156
1157 for (;;)
1158 {
1159 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1160 if (nq == NULL)
1161 {
1162 g = string_cat(g, lpart);
1163 break;
1164 }
1165 g = string_catn(g, lpart, nq - lpart);
1166 g = string_catn(g, US"\\", 1);
1167 g = string_catn(g, nq, 1);
1168 lpart = nq + 1;
1169 }
1170
1171 g = string_catn(g, US"\"", 1);
1172 return string_from_gstring(g);
1173 }
1174
1175
1176
1177 #ifdef USE_READLINE
1178 /*************************************************
1179 * Load readline() functions *
1180 *************************************************/
1181
1182 /* This function is called from testing executions that read data from stdin,
1183 but only when running as the calling user. Currently, only -be does this. The
1184 function loads the readline() function library and passes back the functions.
1185 On some systems, it needs the curses library, so load that too, but try without
1186 it if loading fails. All this functionality has to be requested at build time.
1187
1188 Arguments:
1189 fn_readline_ptr pointer to where to put the readline pointer
1190 fn_addhist_ptr pointer to where to put the addhistory function
1191
1192 Returns: the dlopen handle or NULL on failure
1193 */
1194
1195 static void *
1196 set_readline(char * (**fn_readline_ptr)(const char *),
1197 void (**fn_addhist_ptr)(const char *))
1198 {
1199 void *dlhandle;
1200 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1201
1202 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1203 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1204
1205 if (dlhandle != NULL)
1206 {
1207 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1208 * char * readline (const char *prompt);
1209 * void add_history (const char *string);
1210 */
1211 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1212 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1213 }
1214 else
1215 {
1216 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1217 }
1218
1219 return dlhandle;
1220 }
1221 #endif
1222
1223
1224
1225 /*************************************************
1226 * Get a line from stdin for testing things *
1227 *************************************************/
1228
1229 /* This function is called when running tests that can take a number of lines
1230 of input (for example, -be and -bt). It handles continuations and trailing
1231 spaces. And prompting and a blank line output on eof. If readline() is in use,
1232 the arguments are non-NULL and provide the relevant functions.
1233
1234 Arguments:
1235 fn_readline readline function or NULL
1236 fn_addhist addhist function or NULL
1237
1238 Returns: pointer to dynamic memory, or NULL at end of file
1239 */
1240
1241 static uschar *
1242 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1243 {
1244 gstring * g = NULL;
1245
1246 if (!fn_readline) { printf("> "); fflush(stdout); }
1247
1248 for (int i = 0;; i++)
1249 {
1250 uschar buffer[1024];
1251 uschar *p, *ss;
1252
1253 #ifdef USE_READLINE
1254 char *readline_line = NULL;
1255 if (fn_readline != NULL)
1256 {
1257 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1258 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1259 p = US readline_line;
1260 }
1261 else
1262 #endif
1263
1264 /* readline() not in use */
1265
1266 {
1267 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1268 p = buffer;
1269 }
1270
1271 /* Handle the line */
1272
1273 ss = p + (int)Ustrlen(p);
1274 while (ss > p && isspace(ss[-1])) ss--;
1275
1276 if (i > 0)
1277 {
1278 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1279 }
1280
1281 g = string_catn(g, p, ss - p);
1282
1283 #ifdef USE_READLINE
1284 if (fn_readline) free(readline_line);
1285 #endif
1286
1287 /* g can only be NULL if ss==p */
1288 if (ss == p || g->s[g->ptr-1] != '\\')
1289 break;
1290
1291 --g->ptr;
1292 (void) string_from_gstring(g);
1293 }
1294
1295 if (!g) printf("\n");
1296 return string_from_gstring(g);
1297 }
1298
1299
1300
1301 /*************************************************
1302 * Output usage information for the program *
1303 *************************************************/
1304
1305 /* This function is called when there are no recipients
1306 or a specific --help argument was added.
1307
1308 Arguments:
1309 progname information on what name we were called by
1310
1311 Returns: DOES NOT RETURN
1312 */
1313
1314 static void
1315 exim_usage(uschar *progname)
1316 {
1317
1318 /* Handle specific program invocation variants */
1319 if (Ustrcmp(progname, US"-mailq") == 0)
1320 exim_fail(
1321 "mailq - list the contents of the mail queue\n\n"
1322 "For a list of options, see the Exim documentation.\n");
1323
1324 /* Generic usage - we output this whatever happens */
1325 exim_fail(
1326 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1327 "not directly from a shell command line. Options and/or arguments control\n"
1328 "what it does when called. For a list of options, see the Exim documentation.\n");
1329 }
1330
1331
1332
1333 /*************************************************
1334 * Validate that the macros given are okay *
1335 *************************************************/
1336
1337 /* Typically, Exim will drop privileges if macros are supplied. In some
1338 cases, we want to not do so.
1339
1340 Arguments: opt_D_used - true if the commandline had a "-D" option
1341 Returns: true if trusted, false otherwise
1342 */
1343
1344 static BOOL
1345 macros_trusted(BOOL opt_D_used)
1346 {
1347 #ifdef WHITELIST_D_MACROS
1348 uschar *whitelisted, *end, *p, **whites;
1349 int white_count, i, n;
1350 size_t len;
1351 BOOL prev_char_item, found;
1352 #endif
1353
1354 if (!opt_D_used)
1355 return TRUE;
1356 #ifndef WHITELIST_D_MACROS
1357 return FALSE;
1358 #else
1359
1360 /* We only trust -D overrides for some invoking users:
1361 root, the exim run-time user, the optional config owner user.
1362 I don't know why config-owner would be needed, but since they can own the
1363 config files anyway, there's no security risk to letting them override -D. */
1364 if ( ! ((real_uid == root_uid)
1365 || (real_uid == exim_uid)
1366 #ifdef CONFIGURE_OWNER
1367 || (real_uid == config_uid)
1368 #endif
1369 ))
1370 {
1371 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1372 return FALSE;
1373 }
1374
1375 /* Get a list of macros which are whitelisted */
1376 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1377 prev_char_item = FALSE;
1378 white_count = 0;
1379 for (p = whitelisted; *p != '\0'; ++p)
1380 {
1381 if (*p == ':' || isspace(*p))
1382 {
1383 *p = '\0';
1384 if (prev_char_item)
1385 ++white_count;
1386 prev_char_item = FALSE;
1387 continue;
1388 }
1389 if (!prev_char_item)
1390 prev_char_item = TRUE;
1391 }
1392 end = p;
1393 if (prev_char_item)
1394 ++white_count;
1395 if (!white_count)
1396 return FALSE;
1397 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1398 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1399 {
1400 if (*p != '\0')
1401 {
1402 whites[i++] = p;
1403 if (i == white_count)
1404 break;
1405 while (*p != '\0' && p < end)
1406 ++p;
1407 }
1408 }
1409 whites[i] = NULL;
1410
1411 /* The list of commandline macros should be very short.
1412 Accept the N*M complexity. */
1413 for (macro_item * m = macros_user; m; m = m->next) if (m->command_line)
1414 {
1415 found = FALSE;
1416 for (uschar ** w = whites; *w; ++w)
1417 if (Ustrcmp(*w, m->name) == 0)
1418 {
1419 found = TRUE;
1420 break;
1421 }
1422 if (!found)
1423 return FALSE;
1424 if (!m->replacement)
1425 continue;
1426 if ((len = m->replen) == 0)
1427 continue;
1428 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1429 0, PCRE_EOPT, NULL, 0);
1430 if (n < 0)
1431 {
1432 if (n != PCRE_ERROR_NOMATCH)
1433 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1434 return FALSE;
1435 }
1436 }
1437 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1438 return TRUE;
1439 #endif
1440 }
1441
1442
1443 /*************************************************
1444 * Expansion testing *
1445 *************************************************/
1446
1447 /* Expand and print one item, doing macro-processing.
1448
1449 Arguments:
1450 item line for expansion
1451 */
1452
1453 static void
1454 expansion_test_line(uschar * line)
1455 {
1456 int len;
1457 BOOL dummy_macexp;
1458
1459 Ustrncpy(big_buffer, line, big_buffer_size);
1460 big_buffer[big_buffer_size-1] = '\0';
1461 len = Ustrlen(big_buffer);
1462
1463 (void) macros_expand(0, &len, &dummy_macexp);
1464
1465 if (isupper(big_buffer[0]))
1466 {
1467 if (macro_read_assignment(big_buffer))
1468 printf("Defined macro '%s'\n", mlast->name);
1469 }
1470 else
1471 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1472 else printf("Failed: %s\n", expand_string_message);
1473 }
1474
1475
1476
1477 /*************************************************
1478 * Entry point and high-level code *
1479 *************************************************/
1480
1481 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1482 the appropriate action. All the necessary functions are present in the one
1483 binary. I originally thought one should split it up, but it turns out that so
1484 much of the apparatus is needed in each chunk that one might as well just have
1485 it all available all the time, which then makes the coding easier as well.
1486
1487 Arguments:
1488 argc count of entries in argv
1489 argv argument strings, with argv[0] being the program name
1490
1491 Returns: EXIT_SUCCESS if terminated successfully
1492 EXIT_FAILURE otherwise, except when a message has been sent
1493 to the sender, and -oee was given
1494 */
1495
1496 int
1497 main(int argc, char **cargv)
1498 {
1499 uschar **argv = USS cargv;
1500 int arg_receive_timeout = -1;
1501 int arg_smtp_receive_timeout = -1;
1502 int arg_error_handling = error_handling;
1503 int filter_sfd = -1;
1504 int filter_ufd = -1;
1505 int group_count;
1506 int i, rv;
1507 int list_queue_option = 0;
1508 int msg_action = 0;
1509 int msg_action_arg = -1;
1510 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1511 int queue_only_reason = 0;
1512 #ifdef EXIM_PERL
1513 int perl_start_option = 0;
1514 #endif
1515 int recipients_arg = argc;
1516 int sender_address_domain = 0;
1517 int test_retry_arg = -1;
1518 int test_rewrite_arg = -1;
1519 gid_t original_egid;
1520 BOOL arg_queue_only = FALSE;
1521 BOOL bi_option = FALSE;
1522 BOOL checking = FALSE;
1523 BOOL count_queue = FALSE;
1524 BOOL expansion_test = FALSE;
1525 BOOL extract_recipients = FALSE;
1526 BOOL flag_G = FALSE;
1527 BOOL flag_n = FALSE;
1528 BOOL forced_delivery = FALSE;
1529 BOOL f_end_dot = FALSE;
1530 BOOL deliver_give_up = FALSE;
1531 BOOL list_queue = FALSE;
1532 BOOL list_options = FALSE;
1533 BOOL list_config = FALSE;
1534 BOOL local_queue_only;
1535 BOOL more = TRUE;
1536 BOOL one_msg_action = FALSE;
1537 BOOL opt_D_used = FALSE;
1538 BOOL queue_only_set = FALSE;
1539 BOOL receiving_message = TRUE;
1540 BOOL sender_ident_set = FALSE;
1541 BOOL session_local_queue_only;
1542 BOOL unprivileged;
1543 BOOL removed_privilege = FALSE;
1544 BOOL usage_wanted = FALSE;
1545 BOOL verify_address_mode = FALSE;
1546 BOOL verify_as_sender = FALSE;
1547 BOOL version_printed = FALSE;
1548 uschar *alias_arg = NULL;
1549 uschar *called_as = US"";
1550 uschar *cmdline_syslog_name = NULL;
1551 uschar *start_queue_run_id = NULL;
1552 uschar *stop_queue_run_id = NULL;
1553 uschar *expansion_test_message = NULL;
1554 uschar *ftest_domain = NULL;
1555 uschar *ftest_localpart = NULL;
1556 uschar *ftest_prefix = NULL;
1557 uschar *ftest_suffix = NULL;
1558 uschar *log_oneline = NULL;
1559 uschar *malware_test_file = NULL;
1560 uschar *real_sender_address;
1561 uschar *originator_home = US"/";
1562 size_t sz;
1563 void *reset_point;
1564
1565 struct passwd *pw;
1566 struct stat statbuf;
1567 pid_t passed_qr_pid = (pid_t)0;
1568 int passed_qr_pipe = -1;
1569 gid_t group_list[EXIM_GROUPLIST_SIZE];
1570
1571 /* For the -bI: flag */
1572 enum commandline_info info_flag = CMDINFO_NONE;
1573 BOOL info_stdout = FALSE;
1574
1575 /* Possible options for -R and -S */
1576
1577 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1578
1579 /* Need to define this in case we need to change the environment in order
1580 to get rid of a bogus time zone. We have to make it char rather than uschar
1581 because some OS define it in /usr/include/unistd.h. */
1582
1583 extern char **environ;
1584
1585 /* If the Exim user and/or group and/or the configuration file owner/group were
1586 defined by ref:name at build time, we must now find the actual uid/gid values.
1587 This is a feature to make the lives of binary distributors easier. */
1588
1589 #ifdef EXIM_USERNAME
1590 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1591 {
1592 if (exim_uid == 0)
1593 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1594
1595 /* If ref:name uses a number as the name, route_finduser() returns
1596 TRUE with exim_uid set and pw coerced to NULL. */
1597 if (pw)
1598 exim_gid = pw->pw_gid;
1599 #ifndef EXIM_GROUPNAME
1600 else
1601 exim_fail(
1602 "exim: ref:name should specify a usercode, not a group.\n"
1603 "exim: can't let you get away with it unless you also specify a group.\n");
1604 #endif
1605 }
1606 else
1607 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
1608 #endif
1609
1610 #ifdef EXIM_GROUPNAME
1611 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1612 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
1613 #endif
1614
1615 #ifdef CONFIGURE_OWNERNAME
1616 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1617 exim_fail("exim: failed to find uid for user name \"%s\"\n",
1618 CONFIGURE_OWNERNAME);
1619 #endif
1620
1621 /* We default the system_filter_user to be the Exim run-time user, as a
1622 sane non-root value. */
1623 system_filter_uid = exim_uid;
1624
1625 #ifdef CONFIGURE_GROUPNAME
1626 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1627 exim_fail("exim: failed to find gid for group name \"%s\"\n",
1628 CONFIGURE_GROUPNAME);
1629 #endif
1630
1631 /* In the Cygwin environment, some initialization used to need doing.
1632 It was fudged in by means of this macro; now no longer but we'll leave
1633 it in case of others. */
1634
1635 #ifdef OS_INIT
1636 OS_INIT
1637 #endif
1638
1639 /* Check a field which is patched when we are running Exim within its
1640 testing harness; do a fast initial check, and then the whole thing. */
1641
1642 f.running_in_test_harness =
1643 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1644 if (f.running_in_test_harness)
1645 debug_store = TRUE;
1646
1647 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1648 at the start of a program; however, it seems that some environments do not
1649 follow this. A "strange" locale can affect the formatting of timestamps, so we
1650 make quite sure. */
1651
1652 setlocale(LC_ALL, "C");
1653
1654 /* Set up the default handler for timing using alarm(). */
1655
1656 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1657
1658 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1659 because store_malloc writes a log entry on failure. */
1660
1661 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
1662 exim_fail("exim: failed to get store for log buffer\n");
1663
1664 /* Initialize the default log options. */
1665
1666 bits_set(log_selector, log_selector_size, log_default);
1667
1668 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1669 NULL when the daemon is run and the file is closed. We have to use this
1670 indirection, because some systems don't allow writing to the variable "stderr".
1671 */
1672
1673 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1674
1675 /* Arrange for the PCRE regex library to use our store functions. Note that
1676 the normal calls are actually macros that add additional arguments for
1677 debugging purposes so we have to assign specially constructed functions here.
1678 The default is to use store in the stacking pool, but this is overridden in the
1679 regex_must_compile() function. */
1680
1681 pcre_malloc = function_store_get;
1682 pcre_free = function_dummy_free;
1683
1684 /* Ensure there is a big buffer for temporary use in several places. It is put
1685 in malloc store so that it can be freed for enlargement if necessary. */
1686
1687 big_buffer = store_malloc(big_buffer_size);
1688
1689 /* Set up the handler for the data request signal, and set the initial
1690 descriptive text. */
1691
1692 set_process_info("initializing");
1693 os_restarting_signal(SIGUSR1, usr1_handler);
1694
1695 /* If running in a dockerized environment, the TERM signal is only
1696 delegated to the PID 1 if we request it by setting an signal handler */
1697 if (getpid() == 1) signal(SIGTERM, term_handler);
1698
1699 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1700 in the daemon code. For the rest of Exim's uses, we ignore it. */
1701
1702 signal(SIGHUP, SIG_IGN);
1703
1704 /* We don't want to die on pipe errors as the code is written to handle
1705 the write error instead. */
1706
1707 signal(SIGPIPE, SIG_IGN);
1708
1709 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1710 set to SIG_IGN. This causes subprocesses that complete before the parent
1711 process waits for them not to hang around, so when Exim calls wait(), nothing
1712 is there. The wait() code has been made robust against this, but let's ensure
1713 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1714 ending status. We use sigaction rather than plain signal() on those OS where
1715 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1716 problem on AIX with this.) */
1717
1718 #ifdef SA_NOCLDWAIT
1719 {
1720 struct sigaction act;
1721 act.sa_handler = SIG_DFL;
1722 sigemptyset(&(act.sa_mask));
1723 act.sa_flags = 0;
1724 sigaction(SIGCHLD, &act, NULL);
1725 }
1726 #else
1727 signal(SIGCHLD, SIG_DFL);
1728 #endif
1729
1730 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1731 SIGHUP. */
1732
1733 sighup_argv = argv;
1734
1735 /* Set up the version number. Set up the leading 'E' for the external form of
1736 message ids, set the pointer to the internal form, and initialize it to
1737 indicate no message being processed. */
1738
1739 version_init();
1740 message_id_option[0] = '-';
1741 message_id_external = message_id_option + 1;
1742 message_id_external[0] = 'E';
1743 message_id = message_id_external + 1;
1744 message_id[0] = 0;
1745
1746 /* Set the umask to zero so that any files Exim creates using open() are
1747 created with the modes that it specifies. NOTE: Files created with fopen() have
1748 a problem, which was not recognized till rather late (February 2006). With this
1749 umask, such files will be world writeable. (They are all content scanning files
1750 in the spool directory, which isn't world-accessible, so this is not a
1751 disaster, but it's untidy.) I don't want to change this overall setting,
1752 however, because it will interact badly with the open() calls. Instead, there's
1753 now a function called modefopen() that fiddles with the umask while calling
1754 fopen(). */
1755
1756 (void)umask(0);
1757
1758 /* Precompile the regular expression for matching a message id. Keep this in
1759 step with the code that generates ids in the accept.c module. We need to do
1760 this here, because the -M options check their arguments for syntactic validity
1761 using mac_ismsgid, which uses this. */
1762
1763 regex_ismsgid =
1764 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1765
1766 /* Precompile the regular expression that is used for matching an SMTP error
1767 code, possibly extended, at the start of an error message. Note that the
1768 terminating whitespace character is included. */
1769
1770 regex_smtp_code =
1771 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1772 FALSE, TRUE);
1773
1774 #ifdef WHITELIST_D_MACROS
1775 /* Precompile the regular expression used to filter the content of macros
1776 given to -D for permissibility. */
1777
1778 regex_whitelisted_macro =
1779 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1780 #endif
1781
1782 for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1783
1784 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1785 this seems to be a generally accepted convention, since one finds symbolic
1786 links called "mailq" in standard OS configurations. */
1787
1788 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1789 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1790 {
1791 list_queue = TRUE;
1792 receiving_message = FALSE;
1793 called_as = US"-mailq";
1794 }
1795
1796 /* If the program is called as "rmail" treat it as equivalent to
1797 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1798 i.e. preventing a single dot on a line from terminating the message, and
1799 returning with zero return code, even in cases of error (provided an error
1800 message has been sent). */
1801
1802 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1803 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1804 {
1805 f.dot_ends = FALSE;
1806 called_as = US"-rmail";
1807 errors_sender_rc = EXIT_SUCCESS;
1808 }
1809
1810 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1811 this is a smail convention. */
1812
1813 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1814 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1815 {
1816 smtp_input = smtp_batched_input = TRUE;
1817 called_as = US"-rsmtp";
1818 }
1819
1820 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1821 this is a smail convention. */
1822
1823 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1824 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1825 {
1826 queue_interval = 0;
1827 receiving_message = FALSE;
1828 called_as = US"-runq";
1829 }
1830
1831 /* If the program is called as "newaliases" treat it as equivalent to
1832 "exim -bi"; this is a sendmail convention. */
1833
1834 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1835 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1836 {
1837 bi_option = TRUE;
1838 receiving_message = FALSE;
1839 called_as = US"-newaliases";
1840 }
1841
1842 /* Save the original effective uid for a couple of uses later. It should
1843 normally be root, but in some esoteric environments it may not be. */
1844
1845 original_euid = geteuid();
1846 original_egid = getegid();
1847
1848 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1849 to be the same as the real ones. This makes a difference only if Exim is setuid
1850 (or setgid) to something other than root, which could be the case in some
1851 special configurations. */
1852
1853 real_uid = getuid();
1854 real_gid = getgid();
1855
1856 if (real_uid == root_uid)
1857 {
1858 if ((rv = setgid(real_gid)))
1859 exim_fail("exim: setgid(%ld) failed: %s\n",
1860 (long int)real_gid, strerror(errno));
1861 if ((rv = setuid(real_uid)))
1862 exim_fail("exim: setuid(%ld) failed: %s\n",
1863 (long int)real_uid, strerror(errno));
1864 }
1865
1866 /* If neither the original real uid nor the original euid was root, Exim is
1867 running in an unprivileged state. */
1868
1869 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1870
1871 /* Scan the program's arguments. Some can be dealt with right away; others are
1872 simply recorded for checking and handling afterwards. Do a high-level switch
1873 on the second character (the one after '-'), to save some effort. */
1874
1875 for (i = 1; i < argc; i++)
1876 {
1877 BOOL badarg = FALSE;
1878 uschar *arg = argv[i];
1879 uschar *argrest;
1880 int switchchar;
1881
1882 /* An argument not starting with '-' is the start of a recipients list;
1883 break out of the options-scanning loop. */
1884
1885 if (arg[0] != '-')
1886 {
1887 recipients_arg = i;
1888 break;
1889 }
1890
1891 /* An option consisting of -- terminates the options */
1892
1893 if (Ustrcmp(arg, "--") == 0)
1894 {
1895 recipients_arg = i + 1;
1896 break;
1897 }
1898
1899 /* Handle flagged options */
1900
1901 switchchar = arg[1];
1902 argrest = arg+2;
1903
1904 /* Make all -ex options synonymous with -oex arguments, since that
1905 is assumed by various callers. Also make -qR options synonymous with -R
1906 options, as that seems to be required as well. Allow for -qqR too, and
1907 the same for -S options. */
1908
1909 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1910 Ustrncmp(arg+1, "qR", 2) == 0 ||
1911 Ustrncmp(arg+1, "qS", 2) == 0)
1912 {
1913 switchchar = arg[2];
1914 argrest++;
1915 }
1916 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1917 {
1918 switchchar = arg[3];
1919 argrest += 2;
1920 f.queue_2stage = TRUE;
1921 }
1922
1923 /* Make -r synonymous with -f, since it is a documented alias */
1924
1925 else if (arg[1] == 'r') switchchar = 'f';
1926
1927 /* Make -ov synonymous with -v */
1928
1929 else if (Ustrcmp(arg, "-ov") == 0)
1930 {
1931 switchchar = 'v';
1932 argrest++;
1933 }
1934
1935 /* deal with --option_aliases */
1936 else if (switchchar == '-')
1937 {
1938 if (Ustrcmp(argrest, "help") == 0)
1939 {
1940 usage_wanted = TRUE;
1941 break;
1942 }
1943 else if (Ustrcmp(argrest, "version") == 0)
1944 {
1945 switchchar = 'b';
1946 argrest = US"V";
1947 }
1948 }
1949
1950 /* High-level switch on active initial letter */
1951
1952 switch(switchchar)
1953 {
1954
1955 /* sendmail uses -Ac and -Am to control which .cf file is used;
1956 we ignore them. */
1957 case 'A':
1958 if (*argrest == '\0') { badarg = TRUE; break; }
1959 else
1960 {
1961 BOOL ignore = FALSE;
1962 switch (*argrest)
1963 {
1964 case 'c':
1965 case 'm':
1966 if (*(argrest + 1) == '\0')
1967 ignore = TRUE;
1968 break;
1969 }
1970 if (!ignore) { badarg = TRUE; break; }
1971 }
1972 break;
1973
1974 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1975 so has no need of it. */
1976
1977 case 'B':
1978 if (*argrest == 0) i++; /* Skip over the type */
1979 break;
1980
1981
1982 case 'b':
1983 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1984
1985 /* -bd: Run in daemon mode, awaiting SMTP connections.
1986 -bdf: Ditto, but in the foreground.
1987 */
1988
1989 if (*argrest == 'd')
1990 {
1991 f.daemon_listen = TRUE;
1992 if (*(++argrest) == 'f') f.background_daemon = FALSE;
1993 else if (*argrest != 0) { badarg = TRUE; break; }
1994 }
1995
1996 /* -be: Run in expansion test mode
1997 -bem: Ditto, but read a message from a file first
1998 */
1999
2000 else if (*argrest == 'e')
2001 {
2002 expansion_test = checking = TRUE;
2003 if (argrest[1] == 'm')
2004 {
2005 if (++i >= argc) { badarg = TRUE; break; }
2006 expansion_test_message = argv[i];
2007 argrest++;
2008 }
2009 if (argrest[1] != 0) { badarg = TRUE; break; }
2010 }
2011
2012 /* -bF: Run system filter test */
2013
2014 else if (*argrest == 'F')
2015 {
2016 filter_test |= checking = FTEST_SYSTEM;
2017 if (*(++argrest) != 0) { badarg = TRUE; break; }
2018 if (++i < argc) filter_test_sfile = argv[i]; else
2019 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2020 }
2021
2022 /* -bf: Run user filter test
2023 -bfd: Set domain for filter testing
2024 -bfl: Set local part for filter testing
2025 -bfp: Set prefix for filter testing
2026 -bfs: Set suffix for filter testing
2027 */
2028
2029 else if (*argrest == 'f')
2030 {
2031 if (*(++argrest) == 0)
2032 {
2033 filter_test |= checking = FTEST_USER;
2034 if (++i < argc) filter_test_ufile = argv[i]; else
2035 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2036 }
2037 else
2038 {
2039 if (++i >= argc)
2040 exim_fail("exim: string expected after %s\n", arg);
2041 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2042 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2043 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2044 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2045 else { badarg = TRUE; break; }
2046 }
2047 }
2048
2049 /* -bh: Host checking - an IP address must follow. */
2050
2051 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2052 {
2053 if (++i >= argc) { badarg = TRUE; break; }
2054 sender_host_address = argv[i];
2055 host_checking = checking = f.log_testing_mode = TRUE;
2056 f.host_checking_callout = argrest[1] == 'c';
2057 message_logs = FALSE;
2058 }
2059
2060 /* -bi: This option is used by sendmail to initialize *the* alias file,
2061 though it has the -oA option to specify a different file. Exim has no
2062 concept of *the* alias file, but since Sun's YP make script calls
2063 sendmail this way, some support must be provided. */
2064
2065 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2066
2067 /* -bI: provide information, of the type to follow after a colon.
2068 This is an Exim flag. */
2069
2070 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2071 {
2072 uschar *p = &argrest[2];
2073 info_flag = CMDINFO_HELP;
2074 if (Ustrlen(p))
2075 {
2076 if (strcmpic(p, CUS"sieve") == 0)
2077 {
2078 info_flag = CMDINFO_SIEVE;
2079 info_stdout = TRUE;
2080 }
2081 else if (strcmpic(p, CUS"dscp") == 0)
2082 {
2083 info_flag = CMDINFO_DSCP;
2084 info_stdout = TRUE;
2085 }
2086 else if (strcmpic(p, CUS"help") == 0)
2087 {
2088 info_stdout = TRUE;
2089 }
2090 }
2091 }
2092
2093 /* -bm: Accept and deliver message - the default option. Reinstate
2094 receiving_message, which got turned off for all -b options. */
2095
2096 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2097
2098 /* -bmalware: test the filename given for malware */
2099
2100 else if (Ustrcmp(argrest, "malware") == 0)
2101 {
2102 if (++i >= argc) { badarg = TRUE; break; }
2103 checking = TRUE;
2104 malware_test_file = argv[i];
2105 }
2106
2107 /* -bnq: For locally originating messages, do not qualify unqualified
2108 addresses. In the envelope, this causes errors; in header lines they
2109 just get left. */
2110
2111 else if (Ustrcmp(argrest, "nq") == 0)
2112 {
2113 f.allow_unqualified_sender = FALSE;
2114 f.allow_unqualified_recipient = FALSE;
2115 }
2116
2117 /* -bpxx: List the contents of the mail queue, in various forms. If
2118 the option is -bpc, just a queue count is needed. Otherwise, if the
2119 first letter after p is r, then order is random. */
2120
2121 else if (*argrest == 'p')
2122 {
2123 if (*(++argrest) == 'c')
2124 {
2125 count_queue = TRUE;
2126 if (*(++argrest) != 0) badarg = TRUE;
2127 break;
2128 }
2129
2130 if (*argrest == 'r')
2131 {
2132 list_queue_option = 8;
2133 argrest++;
2134 }
2135 else list_queue_option = 0;
2136
2137 list_queue = TRUE;
2138
2139 /* -bp: List the contents of the mail queue, top-level only */
2140
2141 if (*argrest == 0) {}
2142
2143 /* -bpu: List the contents of the mail queue, top-level undelivered */
2144
2145 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2146
2147 /* -bpa: List the contents of the mail queue, including all delivered */
2148
2149 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2150
2151 /* Unknown after -bp[r] */
2152
2153 else
2154 {
2155 badarg = TRUE;
2156 break;
2157 }
2158 }
2159
2160
2161 /* -bP: List the configuration variables given as the address list.
2162 Force -v, so configuration errors get displayed. */
2163
2164 else if (Ustrcmp(argrest, "P") == 0)
2165 {
2166 /* -bP config: we need to setup here, because later,
2167 * when list_options is checked, the config is read already */
2168 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2169 {
2170 list_config = TRUE;
2171 readconf_save_config(version_string);
2172 }
2173 else
2174 {
2175 list_options = TRUE;
2176 debug_selector |= D_v;
2177 debug_file = stderr;
2178 }
2179 }
2180
2181 /* -brt: Test retry configuration lookup */
2182
2183 else if (Ustrcmp(argrest, "rt") == 0)
2184 {
2185 checking = TRUE;
2186 test_retry_arg = i + 1;
2187 goto END_ARG;
2188 }
2189
2190 /* -brw: Test rewrite configuration */
2191
2192 else if (Ustrcmp(argrest, "rw") == 0)
2193 {
2194 checking = TRUE;
2195 test_rewrite_arg = i + 1;
2196 goto END_ARG;
2197 }
2198
2199 /* -bS: Read SMTP commands on standard input, but produce no replies -
2200 all errors are reported by sending messages. */
2201
2202 else if (Ustrcmp(argrest, "S") == 0)
2203 smtp_input = smtp_batched_input = receiving_message = TRUE;
2204
2205 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2206 on standard output. */
2207
2208 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2209
2210 /* -bt: address testing mode */
2211
2212 else if (Ustrcmp(argrest, "t") == 0)
2213 f.address_test_mode = checking = f.log_testing_mode = TRUE;
2214
2215 /* -bv: verify addresses */
2216
2217 else if (Ustrcmp(argrest, "v") == 0)
2218 verify_address_mode = checking = f.log_testing_mode = TRUE;
2219
2220 /* -bvs: verify sender addresses */
2221
2222 else if (Ustrcmp(argrest, "vs") == 0)
2223 {
2224 verify_address_mode = checking = f.log_testing_mode = TRUE;
2225 verify_as_sender = TRUE;
2226 }
2227
2228 /* -bV: Print version string and support details */
2229
2230 else if (Ustrcmp(argrest, "V") == 0)
2231 {
2232 printf("Exim version %s #%s built %s\n", version_string,
2233 version_cnumber, version_date);
2234 printf("%s\n", CS version_copyright);
2235 version_printed = TRUE;
2236 show_whats_supported(stdout);
2237 f.log_testing_mode = TRUE;
2238 }
2239
2240 /* -bw: inetd wait mode, accept a listening socket as stdin */
2241
2242 else if (*argrest == 'w')
2243 {
2244 f.inetd_wait_mode = TRUE;
2245 f.background_daemon = FALSE;
2246 f.daemon_listen = TRUE;
2247 if (*(++argrest) != '\0')
2248 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2249 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
2250 }
2251
2252 else badarg = TRUE;
2253 break;
2254
2255
2256 /* -C: change configuration file list; ignore if it isn't really
2257 a change! Enforce a prefix check if required. */
2258
2259 case 'C':
2260 if (*argrest == 0)
2261 {
2262 if(++i < argc) argrest = argv[i]; else
2263 { badarg = TRUE; break; }
2264 }
2265 if (Ustrcmp(config_main_filelist, argrest) != 0)
2266 {
2267 #ifdef ALT_CONFIG_PREFIX
2268 int sep = 0;
2269 int len = Ustrlen(ALT_CONFIG_PREFIX);
2270 const uschar *list = argrest;
2271 uschar *filename;
2272 while((filename = string_nextinlist(&list, &sep, big_buffer,
2273 big_buffer_size)) != NULL)
2274 {
2275 if ((Ustrlen(filename) < len ||
2276 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2277 Ustrstr(filename, "/../") != NULL) &&
2278 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2279 exim_fail("-C Permission denied\n");
2280 }
2281 #endif
2282 if (real_uid != root_uid)
2283 {
2284 #ifdef TRUSTED_CONFIG_LIST
2285
2286 if (real_uid != exim_uid
2287 #ifdef CONFIGURE_OWNER
2288 && real_uid != config_uid
2289 #endif
2290 )
2291 f.trusted_config = FALSE;
2292 else
2293 {
2294 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2295 if (trust_list)
2296 {
2297 struct stat statbuf;
2298
2299 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2300 (statbuf.st_uid != root_uid /* owner not root */
2301 #ifdef CONFIGURE_OWNER
2302 && statbuf.st_uid != config_uid /* owner not the special one */
2303 #endif
2304 ) || /* or */
2305 (statbuf.st_gid != root_gid /* group not root */
2306 #ifdef CONFIGURE_GROUP
2307 && statbuf.st_gid != config_gid /* group not the special one */
2308 #endif
2309 && (statbuf.st_mode & 020) != 0 /* group writeable */
2310 ) || /* or */
2311 (statbuf.st_mode & 2) != 0) /* world writeable */
2312 {
2313 f.trusted_config = FALSE;
2314 fclose(trust_list);
2315 }
2316 else
2317 {
2318 /* Well, the trust list at least is up to scratch... */
2319 void *reset_point = store_get(0);
2320 uschar *trusted_configs[32];
2321 int nr_configs = 0;
2322 int i = 0;
2323
2324 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2325 {
2326 uschar *start = big_buffer, *nl;
2327 while (*start && isspace(*start))
2328 start++;
2329 if (*start != '/')
2330 continue;
2331 nl = Ustrchr(start, '\n');
2332 if (nl)
2333 *nl = 0;
2334 trusted_configs[nr_configs++] = string_copy(start);
2335 if (nr_configs == 32)
2336 break;
2337 }
2338 fclose(trust_list);
2339
2340 if (nr_configs)
2341 {
2342 int sep = 0;
2343 const uschar *list = argrest;
2344 uschar *filename;
2345 while (f.trusted_config && (filename = string_nextinlist(&list,
2346 &sep, big_buffer, big_buffer_size)) != NULL)
2347 {
2348 for (i=0; i < nr_configs; i++)
2349 {
2350 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2351 break;
2352 }
2353 if (i == nr_configs)
2354 {
2355 f.trusted_config = FALSE;
2356 break;
2357 }
2358 }
2359 store_reset(reset_point);
2360 }
2361 else
2362 {
2363 /* No valid prefixes found in trust_list file. */
2364 f.trusted_config = FALSE;
2365 }
2366 }
2367 }
2368 else
2369 {
2370 /* Could not open trust_list file. */
2371 f.trusted_config = FALSE;
2372 }
2373 }
2374 #else
2375 /* Not root; don't trust config */
2376 f.trusted_config = FALSE;
2377 #endif
2378 }
2379
2380 config_main_filelist = argrest;
2381 f.config_changed = TRUE;
2382 }
2383 break;
2384
2385
2386 /* -D: set up a macro definition */
2387
2388 case 'D':
2389 #ifdef DISABLE_D_OPTION
2390 exim_fail("exim: -D is not available in this Exim binary\n");
2391 #else
2392 {
2393 int ptr = 0;
2394 macro_item *m;
2395 uschar name[24];
2396 uschar *s = argrest;
2397
2398 opt_D_used = TRUE;
2399 while (isspace(*s)) s++;
2400
2401 if (*s < 'A' || *s > 'Z')
2402 exim_fail("exim: macro name set by -D must start with "
2403 "an upper case letter\n");
2404
2405 while (isalnum(*s) || *s == '_')
2406 {
2407 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2408 s++;
2409 }
2410 name[ptr] = 0;
2411 if (ptr == 0) { badarg = TRUE; break; }
2412 while (isspace(*s)) s++;
2413 if (*s != 0)
2414 {
2415 if (*s++ != '=') { badarg = TRUE; break; }
2416 while (isspace(*s)) s++;
2417 }
2418
2419 for (m = macros_user; m; m = m->next)
2420 if (Ustrcmp(m->name, name) == 0)
2421 exim_fail("exim: duplicated -D in command line\n");
2422
2423 m = macro_create(name, s, TRUE);
2424
2425 if (clmacro_count >= MAX_CLMACROS)
2426 exim_fail("exim: too many -D options on command line\n");
2427 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2428 m->replacement);
2429 }
2430 #endif
2431 break;
2432
2433 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2434 The latter is now a no-op, retained for compatibility only. If -dd is used,
2435 debugging subprocesses of the daemon is disabled. */
2436
2437 case 'd':
2438 if (Ustrcmp(argrest, "ropcr") == 0)
2439 {
2440 /* drop_cr = TRUE; */
2441 }
2442
2443 /* Use an intermediate variable so that we don't set debugging while
2444 decoding the debugging bits. */
2445
2446 else
2447 {
2448 unsigned int selector = D_default;
2449 debug_selector = 0;
2450 debug_file = NULL;
2451 if (*argrest == 'd')
2452 {
2453 f.debug_daemon = TRUE;
2454 argrest++;
2455 }
2456 if (*argrest != 0)
2457 decode_bits(&selector, 1, debug_notall, argrest,
2458 debug_options, debug_options_count, US"debug", 0);
2459 debug_selector = selector;
2460 }
2461 break;
2462
2463
2464 /* -E: This is a local error message. This option is not intended for
2465 external use at all, but is not restricted to trusted callers because it
2466 does no harm (just suppresses certain error messages) and if Exim is run
2467 not setuid root it won't always be trusted when it generates error
2468 messages using this option. If there is a message id following -E, point
2469 message_reference at it, for logging. */
2470
2471 case 'E':
2472 f.local_error_message = TRUE;
2473 if (mac_ismsgid(argrest)) message_reference = argrest;
2474 break;
2475
2476
2477 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2478 option, so it looks as if historically the -oex options are also callable
2479 without the leading -o. So we have to accept them. Before the switch,
2480 anything starting -oe has been converted to -e. Exim does not support all
2481 of the sendmail error options. */
2482
2483 case 'e':
2484 if (Ustrcmp(argrest, "e") == 0)
2485 {
2486 arg_error_handling = ERRORS_SENDER;
2487 errors_sender_rc = EXIT_SUCCESS;
2488 }
2489 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2490 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2491 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2492 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2493 else badarg = TRUE;
2494 break;
2495
2496
2497 /* -F: Set sender's full name, used instead of the gecos entry from
2498 the password file. Since users can usually alter their gecos entries,
2499 there's no security involved in using this instead. The data can follow
2500 the -F or be in the next argument. */
2501
2502 case 'F':
2503 if (*argrest == 0)
2504 {
2505 if(++i < argc) argrest = argv[i]; else
2506 { badarg = TRUE; break; }
2507 }
2508 originator_name = argrest;
2509 f.sender_name_forced = TRUE;
2510 break;
2511
2512
2513 /* -f: Set sender's address - this value is only actually used if Exim is
2514 run by a trusted user, or if untrusted_set_sender is set and matches the
2515 address, except that the null address can always be set by any user. The
2516 test for this happens later, when the value given here is ignored when not
2517 permitted. For an untrusted user, the actual sender is still put in Sender:
2518 if it doesn't match the From: header (unless no_local_from_check is set).
2519 The data can follow the -f or be in the next argument. The -r switch is an
2520 obsolete form of -f but since there appear to be programs out there that
2521 use anything that sendmail has ever supported, better accept it - the
2522 synonymizing is done before the switch above.
2523
2524 At this stage, we must allow domain literal addresses, because we don't
2525 know what the setting of allow_domain_literals is yet. Ditto for trailing
2526 dots and strip_trailing_dot. */
2527
2528 case 'f':
2529 {
2530 int dummy_start, dummy_end;
2531 uschar *errmess;
2532 if (*argrest == 0)
2533 {
2534 if (i+1 < argc) argrest = argv[++i]; else
2535 { badarg = TRUE; break; }
2536 }
2537 if (*argrest == 0)
2538 sender_address = string_sprintf(""); /* Ensure writeable memory */
2539 else
2540 {
2541 uschar *temp = argrest + Ustrlen(argrest) - 1;
2542 while (temp >= argrest && isspace(*temp)) temp--;
2543 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2544 allow_domain_literals = TRUE;
2545 strip_trailing_dot = TRUE;
2546 #ifdef SUPPORT_I18N
2547 allow_utf8_domains = TRUE;
2548 #endif
2549 sender_address = parse_extract_address(argrest, &errmess,
2550 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
2551 #ifdef SUPPORT_I18N
2552 message_smtputf8 = string_is_utf8(sender_address);
2553 allow_utf8_domains = FALSE;
2554 #endif
2555 allow_domain_literals = FALSE;
2556 strip_trailing_dot = FALSE;
2557 if (!sender_address)
2558 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
2559 }
2560 f.sender_address_forced = TRUE;
2561 }
2562 break;
2563
2564 /* -G: sendmail invocation to specify that it's a gateway submission and
2565 sendmail may complain about problems instead of fixing them.
2566 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2567 not at this time complain about problems. */
2568
2569 case 'G':
2570 flag_G = TRUE;
2571 break;
2572
2573 /* -h: Set the hop count for an incoming message. Exim does not currently
2574 support this; it always computes it by counting the Received: headers.
2575 To put it in will require a change to the spool header file format. */
2576
2577 case 'h':
2578 if (*argrest == 0)
2579 {
2580 if(++i < argc) argrest = argv[i]; else
2581 { badarg = TRUE; break; }
2582 }
2583 if (!isdigit(*argrest)) badarg = TRUE;
2584 break;
2585
2586
2587 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2588 not to be documented for sendmail but mailx (at least) uses it) */
2589
2590 case 'i':
2591 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
2592 break;
2593
2594
2595 /* -L: set the identifier used for syslog; equivalent to setting
2596 syslog_processname in the config file, but needs to be an admin option. */
2597
2598 case 'L':
2599 if (*argrest == '\0')
2600 {
2601 if(++i < argc) argrest = argv[i]; else
2602 { badarg = TRUE; break; }
2603 }
2604 if ((sz = Ustrlen(argrest)) > 32)
2605 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
2606 if (sz < 1)
2607 exim_fail("exim: the -L syslog name is too short\n");
2608 cmdline_syslog_name = argrest;
2609 break;
2610
2611 case 'M':
2612 receiving_message = FALSE;
2613
2614 /* -MC: continue delivery of another message via an existing open
2615 file descriptor. This option is used for an internal call by the
2616 smtp transport when there is a pending message waiting to go to an
2617 address to which it has got a connection. Five subsequent arguments are
2618 required: transport name, host name, IP address, sequence number, and
2619 message_id. Transports may decline to create new processes if the sequence
2620 number gets too big. The channel is stdin. This (-MC) must be the last
2621 argument. There's a subsequent check that the real-uid is privileged.
2622
2623 If we are running in the test harness. delay for a bit, to let the process
2624 that set this one up complete. This makes for repeatability of the logging,
2625 etc. output. */
2626
2627 if (Ustrcmp(argrest, "C") == 0)
2628 {
2629 union sockaddr_46 interface_sock;
2630 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2631
2632 if (argc != i + 6)
2633 exim_fail("exim: too many or too few arguments after -MC\n");
2634
2635 if (msg_action_arg >= 0)
2636 exim_fail("exim: incompatible arguments\n");
2637
2638 continue_transport = argv[++i];
2639 continue_hostname = argv[++i];
2640 continue_host_address = argv[++i];
2641 continue_sequence = Uatoi(argv[++i]);
2642 msg_action = MSG_DELIVER;
2643 msg_action_arg = ++i;
2644 forced_delivery = TRUE;
2645 queue_run_pid = passed_qr_pid;
2646 queue_run_pipe = passed_qr_pipe;
2647
2648 if (!mac_ismsgid(argv[i]))
2649 exim_fail("exim: malformed message id %s after -MC option\n",
2650 argv[i]);
2651
2652 /* Set up $sending_ip_address and $sending_port, unless proxied */
2653
2654 if (!continue_proxy_cipher)
2655 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2656 &size) == 0)
2657 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2658 &sending_port);
2659 else
2660 exim_fail("exim: getsockname() failed after -MC option: %s\n",
2661 strerror(errno));
2662
2663 if (f.running_in_test_harness) millisleep(500);
2664 break;
2665 }
2666
2667 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2668 {
2669 switch(argrest[1])
2670 {
2671 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2672 precedes -MC (see above). The flag indicates that the host to which
2673 Exim is connected has accepted an AUTH sequence. */
2674
2675 case 'A': f.smtp_authenticated = TRUE; break;
2676
2677 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2678 that exim is connected to supports the esmtp extension DSN */
2679
2680 case 'D': smtp_peer_options |= OPTION_DSN; break;
2681
2682 /* -MCG: set the queue name, to a non-default value */
2683
2684 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2685 else badarg = TRUE;
2686 break;
2687
2688 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2689
2690 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
2691
2692 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2693 it preceded -MC (see above) */
2694
2695 case 'P': smtp_peer_options |= OPTION_PIPE; break;
2696
2697 /* -MCQ: pass on the pid of the queue-running process that started
2698 this chain of deliveries and the fd of its synchronizing pipe; this
2699 is useful only when it precedes -MC (see above) */
2700
2701 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2702 else badarg = TRUE;
2703 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2704 else badarg = TRUE;
2705 break;
2706
2707 /* -MCS: set the smtp_use_size flag; this is useful only when it
2708 precedes -MC (see above) */
2709
2710 case 'S': smtp_peer_options |= OPTION_SIZE; break;
2711
2712 #ifdef SUPPORT_TLS
2713 /* -MCt: similar to -MCT below but the connection is still open
2714 via a proxy process which handles the TLS context and coding.
2715 Require three arguments for the proxied local address and port,
2716 and the TLS cipher. */
2717
2718 case 't': if (++i < argc) sending_ip_address = argv[i];
2719 else badarg = TRUE;
2720 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2721 else badarg = TRUE;
2722 if (++i < argc) continue_proxy_cipher = argv[i];
2723 else badarg = TRUE;
2724 /*FALLTHROUGH*/
2725
2726 /* -MCT: set the tls_offered flag; this is useful only when it
2727 precedes -MC (see above). The flag indicates that the host to which
2728 Exim is connected has offered TLS support. */
2729
2730 case 'T': smtp_peer_options |= OPTION_TLS; break;
2731 #endif
2732
2733 default: badarg = TRUE; break;
2734 }
2735 break;
2736 }
2737
2738 /* -M[x]: various operations on the following list of message ids:
2739 -M deliver the messages, ignoring next retry times and thawing
2740 -Mc deliver the messages, checking next retry times, no thawing
2741 -Mf freeze the messages
2742 -Mg give up on the messages
2743 -Mt thaw the messages
2744 -Mrm remove the messages
2745 In the above cases, this must be the last option. There are also the
2746 following options which are followed by a single message id, and which
2747 act on that message. Some of them use the "recipient" addresses as well.
2748 -Mar add recipient(s)
2749 -Mmad mark all recipients delivered
2750 -Mmd mark recipients(s) delivered
2751 -Mes edit sender
2752 -Mset load a message for use with -be
2753 -Mvb show body
2754 -Mvc show copy (of whole message, in RFC 2822 format)
2755 -Mvh show header
2756 -Mvl show log
2757 */
2758
2759 else if (*argrest == 0)
2760 {
2761 msg_action = MSG_DELIVER;
2762 forced_delivery = f.deliver_force_thaw = TRUE;
2763 }
2764 else if (Ustrcmp(argrest, "ar") == 0)
2765 {
2766 msg_action = MSG_ADD_RECIPIENT;
2767 one_msg_action = TRUE;
2768 }
2769 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2770 else if (Ustrcmp(argrest, "es") == 0)
2771 {
2772 msg_action = MSG_EDIT_SENDER;
2773 one_msg_action = TRUE;
2774 }
2775 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2776 else if (Ustrcmp(argrest, "g") == 0)
2777 {
2778 msg_action = MSG_DELIVER;
2779 deliver_give_up = TRUE;
2780 }
2781 else if (Ustrcmp(argrest, "mad") == 0)
2782 {
2783 msg_action = MSG_MARK_ALL_DELIVERED;
2784 }
2785 else if (Ustrcmp(argrest, "md") == 0)
2786 {
2787 msg_action = MSG_MARK_DELIVERED;
2788 one_msg_action = TRUE;
2789 }
2790 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2791 else if (Ustrcmp(argrest, "set") == 0)
2792 {
2793 msg_action = MSG_LOAD;
2794 one_msg_action = TRUE;
2795 }
2796 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2797 else if (Ustrcmp(argrest, "vb") == 0)
2798 {
2799 msg_action = MSG_SHOW_BODY;
2800 one_msg_action = TRUE;
2801 }
2802 else if (Ustrcmp(argrest, "vc") == 0)
2803 {
2804 msg_action = MSG_SHOW_COPY;
2805 one_msg_action = TRUE;
2806 }
2807 else if (Ustrcmp(argrest, "vh") == 0)
2808 {
2809 msg_action = MSG_SHOW_HEADER;
2810 one_msg_action = TRUE;
2811 }
2812 else if (Ustrcmp(argrest, "vl") == 0)
2813 {
2814 msg_action = MSG_SHOW_LOG;
2815 one_msg_action = TRUE;
2816 }
2817 else { badarg = TRUE; break; }
2818
2819 /* All the -Mxx options require at least one message id. */
2820
2821 msg_action_arg = i + 1;
2822 if (msg_action_arg >= argc)
2823 exim_fail("exim: no message ids given after %s option\n", arg);
2824
2825 /* Some require only message ids to follow */
2826
2827 if (!one_msg_action)
2828 {
2829 for (int j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2830 exim_fail("exim: malformed message id %s after %s option\n",
2831 argv[j], arg);
2832 goto END_ARG; /* Remaining args are ids */
2833 }
2834
2835 /* Others require only one message id, possibly followed by addresses,
2836 which will be handled as normal arguments. */
2837
2838 else
2839 {
2840 if (!mac_ismsgid(argv[msg_action_arg]))
2841 exim_fail("exim: malformed message id %s after %s option\n",
2842 argv[msg_action_arg], arg);
2843 i++;
2844 }
2845 break;
2846
2847
2848 /* Some programs seem to call the -om option without the leading o;
2849 for sendmail it askes for "me too". Exim always does this. */
2850
2851 case 'm':
2852 if (*argrest != 0) badarg = TRUE;
2853 break;
2854
2855
2856 /* -N: don't do delivery - a debugging option that stops transports doing
2857 their thing. It implies debugging at the D_v level. */
2858
2859 case 'N':
2860 if (*argrest == 0)
2861 {
2862 f.dont_deliver = TRUE;
2863 debug_selector |= D_v;
2864 debug_file = stderr;
2865 }
2866 else badarg = TRUE;
2867 break;
2868
2869
2870 /* -n: This means "don't alias" in sendmail, apparently.
2871 For normal invocations, it has no effect.
2872 It may affect some other options. */
2873
2874 case 'n':
2875 flag_n = TRUE;
2876 break;
2877
2878 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2879 option to the specified value. This form uses long names. We need to handle
2880 -O option=value and -Ooption=value. */
2881
2882 case 'O':
2883 if (*argrest == 0)
2884 {
2885 if (++i >= argc)
2886 exim_fail("exim: string expected after -O\n");
2887 }
2888 break;
2889
2890 case 'o':
2891
2892 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2893 file" option). */
2894
2895 if (*argrest == 'A')
2896 {
2897 alias_arg = argrest + 1;
2898 if (alias_arg[0] == 0)
2899 {
2900 if (i+1 < argc) alias_arg = argv[++i]; else
2901 exim_fail("exim: string expected after -oA\n");
2902 }
2903 }
2904
2905 /* -oB: Set a connection message max value for remote deliveries */
2906
2907 else if (*argrest == 'B')
2908 {
2909 uschar *p = argrest + 1;
2910 if (p[0] == 0)
2911 {
2912 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2913 {
2914 connection_max_messages = 1;
2915 p = NULL;
2916 }
2917 }
2918
2919 if (p != NULL)
2920 {
2921 if (!isdigit(*p))
2922 exim_fail("exim: number expected after -oB\n");
2923 connection_max_messages = Uatoi(p);
2924 }
2925 }
2926
2927 /* -odb: background delivery */
2928
2929 else if (Ustrcmp(argrest, "db") == 0)
2930 {
2931 f.synchronous_delivery = FALSE;
2932 arg_queue_only = FALSE;
2933 queue_only_set = TRUE;
2934 }
2935
2936 /* -odf: foreground delivery (smail-compatible option); same effect as
2937 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2938 */
2939
2940 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2941 {
2942 f.synchronous_delivery = TRUE;
2943 arg_queue_only = FALSE;
2944 queue_only_set = TRUE;
2945 }
2946
2947 /* -odq: queue only */
2948
2949 else if (Ustrcmp(argrest, "dq") == 0)
2950 {
2951 f.synchronous_delivery = FALSE;
2952 arg_queue_only = TRUE;
2953 queue_only_set = TRUE;
2954 }
2955
2956 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2957 but no remote delivery */
2958
2959 else if (Ustrcmp(argrest, "dqs") == 0)
2960 {
2961 f.queue_smtp = TRUE;
2962 arg_queue_only = FALSE;
2963 queue_only_set = TRUE;
2964 }
2965
2966 /* -oex: Sendmail error flags. As these are also accepted without the
2967 leading -o prefix, for compatibility with vacation and other callers,
2968 they are handled with -e above. */
2969
2970 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2971 -oitrue: Another sendmail syntax for the same */
2972
2973 else if (Ustrcmp(argrest, "i") == 0 ||
2974 Ustrcmp(argrest, "itrue") == 0)
2975 f.dot_ends = FALSE;
2976
2977 /* -oM*: Set various characteristics for an incoming message; actually
2978 acted on for trusted callers only. */
2979
2980 else if (*argrest == 'M')
2981 {
2982 if (i+1 >= argc)
2983 exim_fail("exim: data expected after -o%s\n", argrest);
2984
2985 /* -oMa: Set sender host address */
2986
2987 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2988
2989 /* -oMaa: Set authenticator name */
2990
2991 else if (Ustrcmp(argrest, "Maa") == 0)
2992 sender_host_authenticated = argv[++i];
2993
2994 /* -oMas: setting authenticated sender */
2995
2996 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2997
2998 /* -oMai: setting authenticated id */
2999
3000 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
3001
3002 /* -oMi: Set incoming interface address */
3003
3004 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
3005
3006 /* -oMm: Message reference */
3007
3008 else if (Ustrcmp(argrest, "Mm") == 0)
3009 {
3010 if (!mac_ismsgid(argv[i+1]))
3011 exim_fail("-oMm must be a valid message ID\n");
3012 if (!f.trusted_config)
3013 exim_fail("-oMm must be called by a trusted user/config\n");
3014 message_reference = argv[++i];
3015 }
3016
3017 /* -oMr: Received protocol */
3018
3019 else if (Ustrcmp(argrest, "Mr") == 0)
3020
3021 if (received_protocol)
3022 exim_fail("received_protocol is set already\n");
3023 else
3024 received_protocol = argv[++i];
3025
3026 /* -oMs: Set sender host name */
3027
3028 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3029
3030 /* -oMt: Set sender ident */
3031
3032 else if (Ustrcmp(argrest, "Mt") == 0)
3033 {
3034 sender_ident_set = TRUE;
3035 sender_ident = argv[++i];
3036 }
3037
3038 /* Else a bad argument */
3039
3040 else
3041 {
3042 badarg = TRUE;
3043 break;
3044 }
3045 }
3046
3047 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3048 seem to call this as -m (undocumented), so that is also accepted (see
3049 above). */
3050
3051 else if (Ustrcmp(argrest, "m") == 0) {}
3052
3053 /* -oo: An ancient flag for old-style addresses which still seems to
3054 crop up in some calls (see in SCO). */
3055
3056 else if (Ustrcmp(argrest, "o") == 0) {}
3057
3058 /* -oP <name>: set pid file path for daemon */
3059
3060 else if (Ustrcmp(argrest, "P") == 0)
3061 override_pid_file_path = argv[++i];
3062
3063 /* -or <n>: set timeout for non-SMTP acceptance
3064 -os <n>: set timeout for SMTP acceptance */
3065
3066 else if (*argrest == 'r' || *argrest == 's')
3067 {
3068 int *tp = (*argrest == 'r')?
3069 &arg_receive_timeout : &arg_smtp_receive_timeout;
3070 if (argrest[1] == 0)
3071 {
3072 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3073 }
3074 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3075 if (*tp < 0)
3076 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3077 }
3078
3079 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3080
3081 else if (Ustrcmp(argrest, "X") == 0)
3082 override_local_interfaces = argv[++i];
3083
3084 /* Unknown -o argument */
3085
3086 else badarg = TRUE;
3087 break;
3088
3089
3090 /* -ps: force Perl startup; -pd force delayed Perl startup */
3091
3092 case 'p':
3093 #ifdef EXIM_PERL
3094 if (*argrest == 's' && argrest[1] == 0)
3095 {
3096 perl_start_option = 1;
3097 break;
3098 }
3099 if (*argrest == 'd' && argrest[1] == 0)
3100 {
3101 perl_start_option = -1;
3102 break;
3103 }
3104 #endif
3105
3106 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3107 which sets the host protocol and host name */
3108
3109 if (*argrest == 0)
3110 if (i+1 < argc)
3111 argrest = argv[++i];
3112 else
3113 { badarg = TRUE; break; }
3114
3115 if (*argrest != 0)
3116 {
3117 uschar *hn;
3118
3119 if (received_protocol)
3120 exim_fail("received_protocol is set already\n");
3121
3122 hn = Ustrchr(argrest, ':');
3123 if (hn == NULL)
3124 received_protocol = argrest;
3125 else
3126 {
3127 int old_pool = store_pool;
3128 store_pool = POOL_PERM;
3129 received_protocol = string_copyn(argrest, hn - argrest);
3130 store_pool = old_pool;
3131 sender_host_name = hn + 1;
3132 }
3133 }
3134 break;
3135
3136
3137 case 'q':
3138 receiving_message = FALSE;
3139 if (queue_interval >= 0)
3140 exim_fail("exim: -q specified more than once\n");
3141
3142 /* -qq...: Do queue runs in a 2-stage manner */
3143
3144 if (*argrest == 'q')
3145 {
3146 f.queue_2stage = TRUE;
3147 argrest++;
3148 }
3149
3150 /* -qi...: Do only first (initial) deliveries */
3151
3152 if (*argrest == 'i')
3153 {
3154 f.queue_run_first_delivery = TRUE;
3155 argrest++;
3156 }
3157
3158 /* -qf...: Run the queue, forcing deliveries
3159 -qff..: Ditto, forcing thawing as well */
3160
3161 if (*argrest == 'f')
3162 {
3163 f.queue_run_force = TRUE;
3164 if (*++argrest == 'f')
3165 {
3166 f.deliver_force_thaw = TRUE;
3167 argrest++;
3168 }
3169 }
3170
3171 /* -q[f][f]l...: Run the queue only on local deliveries */
3172
3173 if (*argrest == 'l')
3174 {
3175 f.queue_run_local = TRUE;
3176 argrest++;
3177 }
3178
3179 /* -q[f][f][l][G<name>]... Work on the named queue */
3180
3181 if (*argrest == 'G')
3182 {
3183 int i;
3184 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3185 queue_name = string_copyn(argrest, i);
3186 argrest += i;
3187 if (*argrest == '/') argrest++;
3188 }
3189
3190 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3191 only, optionally named, optionally starting from a given message id. */
3192
3193 if (*argrest == 0 &&
3194 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3195 {
3196 queue_interval = 0;
3197 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3198 start_queue_run_id = argv[++i];
3199 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3200 stop_queue_run_id = argv[++i];
3201 }
3202
3203 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3204 forced, optionally local only, optionally named. */
3205
3206 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3207 0, FALSE)) <= 0)
3208 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3209 break;
3210
3211
3212 case 'R': /* Synonymous with -qR... */
3213 receiving_message = FALSE;
3214
3215 /* -Rf: As -R (below) but force all deliveries,
3216 -Rff: Ditto, but also thaw all frozen messages,
3217 -Rr: String is regex
3218 -Rrf: Regex and force
3219 -Rrff: Regex and force and thaw
3220
3221 in all cases provided there are no further characters in this
3222 argument. */
3223
3224 if (*argrest != 0)
3225 for (int i = 0; i < nelem(rsopts); i++)
3226 if (Ustrcmp(argrest, rsopts[i]) == 0)
3227 {
3228 if (i != 2) f.queue_run_force = TRUE;
3229 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3230 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3231 argrest += Ustrlen(rsopts[i]);
3232 }
3233
3234 /* -R: Set string to match in addresses for forced queue run to
3235 pick out particular messages. */
3236
3237 if (*argrest)
3238 deliver_selectstring = argrest;
3239 else if (i+1 < argc)
3240 deliver_selectstring = argv[++i];
3241 else
3242 exim_fail("exim: string expected after -R\n");
3243 break;
3244
3245
3246 /* -r: an obsolete synonym for -f (see above) */
3247
3248
3249 /* -S: Like -R but works on sender. */
3250
3251 case 'S': /* Synonymous with -qS... */
3252 receiving_message = FALSE;
3253
3254 /* -Sf: As -S (below) but force all deliveries,
3255 -Sff: Ditto, but also thaw all frozen messages,
3256 -Sr: String is regex
3257 -Srf: Regex and force
3258 -Srff: Regex and force and thaw
3259
3260 in all cases provided there are no further characters in this
3261 argument. */
3262
3263 if (*argrest)
3264 for (int i = 0; i < nelem(rsopts); i++)
3265 if (Ustrcmp(argrest, rsopts[i]) == 0)
3266 {
3267 if (i != 2) f.queue_run_force = TRUE;
3268 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3269 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3270 argrest += Ustrlen(rsopts[i]);
3271 }
3272
3273 /* -S: Set string to match in addresses for forced queue run to
3274 pick out particular messages. */
3275
3276 if (*argrest)
3277 deliver_selectstring_sender = argrest;
3278 else if (i+1 < argc)
3279 deliver_selectstring_sender = argv[++i];
3280 else
3281 exim_fail("exim: string expected after -S\n");
3282 break;
3283
3284 /* -Tqt is an option that is exclusively for use by the testing suite.
3285 It is not recognized in other circumstances. It allows for the setting up
3286 of explicit "queue times" so that various warning/retry things can be
3287 tested. Otherwise variability of clock ticks etc. cause problems. */
3288
3289 case 'T':
3290 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3291 fudged_queue_times = argv[++i];
3292 else badarg = TRUE;
3293 break;
3294
3295
3296 /* -t: Set flag to extract recipients from body of message. */
3297
3298 case 't':
3299 if (*argrest == 0) extract_recipients = TRUE;
3300
3301 /* -ti: Set flag to extract recipients from body of message, and also
3302 specify that dot does not end the message. */
3303
3304 else if (Ustrcmp(argrest, "i") == 0)
3305 {
3306 extract_recipients = TRUE;
3307 f.dot_ends = FALSE;
3308 }
3309
3310 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3311
3312 #ifdef SUPPORT_TLS
3313 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
3314 #endif
3315
3316 else badarg = TRUE;
3317 break;
3318
3319
3320 /* -U: This means "initial user submission" in sendmail, apparently. The
3321 doc claims that in future sendmail may refuse syntactically invalid
3322 messages instead of fixing them. For the moment, we just ignore it. */
3323
3324 case 'U':
3325 break;
3326
3327
3328 /* -v: verify things - this is a very low-level debugging */
3329
3330 case 'v':
3331 if (*argrest == 0)
3332 {
3333 debug_selector |= D_v;
3334 debug_file = stderr;
3335 }
3336 else badarg = TRUE;
3337 break;
3338
3339
3340 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3341
3342 The -x flag tells the sendmail command that mail from a local
3343 mail program has National Language Support (NLS) extended characters
3344 in the body of the mail item. The sendmail command can send mail with
3345 extended NLS characters across networks that normally corrupts these
3346 8-bit characters.
3347
3348 As Exim is 8-bit clean, it just ignores this flag. */
3349
3350 case 'x':
3351 if (*argrest != 0) badarg = TRUE;
3352 break;
3353
3354 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3355 logs to that file. We swallow the parameter and otherwise ignore it. */
3356
3357 case 'X':
3358 if (*argrest == '\0')
3359 if (++i >= argc)
3360 exim_fail("exim: string expected after -X\n");
3361 break;
3362
3363 case 'z':
3364 if (*argrest == '\0')
3365 if (++i < argc)
3366 log_oneline = argv[i];
3367 else
3368 exim_fail("exim: file name expected after %s\n", argv[i-1]);
3369 break;
3370
3371 /* All other initial characters are errors */
3372
3373 default:
3374 badarg = TRUE;
3375 break;
3376 } /* End of high-level switch statement */
3377
3378 /* Failed to recognize the option, or syntax error */
3379
3380 if (badarg)
3381 exim_fail("exim abandoned: unknown, malformed, or incomplete "
3382 "option %s\n", arg);
3383 }
3384
3385
3386 /* If -R or -S have been specified without -q, assume a single queue run. */
3387
3388 if ( (deliver_selectstring || deliver_selectstring_sender)
3389 && queue_interval < 0)
3390 queue_interval = 0;
3391
3392
3393 END_ARG:
3394 /* If usage_wanted is set we call the usage function - which never returns */
3395 if (usage_wanted) exim_usage(called_as);
3396
3397 /* Arguments have been processed. Check for incompatibilities. */
3398 if ((
3399 (smtp_input || extract_recipients || recipients_arg < argc) &&
3400 (f.daemon_listen || queue_interval >= 0 || bi_option ||
3401 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3402 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3403 ) ||
3404 (
3405 msg_action_arg > 0 &&
3406 (f.daemon_listen || queue_interval > 0 || list_options ||
3407 (checking && msg_action != MSG_LOAD) ||
3408 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3409 ) ||
3410 (
3411 (f.daemon_listen || queue_interval > 0) &&
3412 (sender_address != NULL || list_options || list_queue || checking ||
3413 bi_option)
3414 ) ||
3415 (
3416 f.daemon_listen && queue_interval == 0
3417 ) ||
3418 (
3419 f.inetd_wait_mode && queue_interval >= 0
3420 ) ||
3421 (
3422 list_options &&
3423 (checking || smtp_input || extract_recipients ||
3424 filter_test != FTEST_NONE || bi_option)
3425 ) ||
3426 (
3427 verify_address_mode &&
3428 (f.address_test_mode || smtp_input || extract_recipients ||
3429 filter_test != FTEST_NONE || bi_option)
3430 ) ||
3431 (
3432 f.address_test_mode && (smtp_input || extract_recipients ||
3433 filter_test != FTEST_NONE || bi_option)
3434 ) ||
3435 (
3436 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3437 extract_recipients)
3438 ) ||
3439 (
3440 deliver_selectstring != NULL && queue_interval < 0
3441 ) ||
3442 (
3443 msg_action == MSG_LOAD &&
3444 (!expansion_test || expansion_test_message != NULL)
3445 )
3446 )
3447 exim_fail("exim: incompatible command-line options or arguments\n");
3448
3449 /* If debugging is set up, set the file and the file descriptor to pass on to
3450 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3451 to run in the foreground. */
3452
3453 if (debug_selector != 0)
3454 {
3455 debug_file = stderr;
3456 debug_fd = fileno(debug_file);
3457 f.background_daemon = FALSE;
3458 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
3459 if (debug_selector != D_v) /* -v only doesn't show this */
3460 {
3461 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3462 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3463 debug_selector);
3464 if (!version_printed)
3465 show_whats_supported(stderr);
3466 }
3467 }
3468
3469 /* When started with root privilege, ensure that the limits on the number of
3470 open files and the number of processes (where that is accessible) are
3471 sufficiently large, or are unset, in case Exim has been called from an
3472 environment where the limits are screwed down. Not all OS have the ability to
3473 change some of these limits. */
3474
3475 if (unprivileged)
3476 {
3477 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3478 }
3479 else
3480 {
3481 struct rlimit rlp;
3482
3483 #ifdef RLIMIT_NOFILE
3484 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3485 {
3486 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3487 strerror(errno));
3488 rlp.rlim_cur = rlp.rlim_max = 0;
3489 }
3490
3491 /* I originally chose 1000 as a nice big number that was unlikely to
3492 be exceeded. It turns out that some older OS have a fixed upper limit of
3493 256. */
3494
3495 if (rlp.rlim_cur < 1000)
3496 {
3497 rlp.rlim_cur = rlp.rlim_max = 1000;
3498 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3499 {
3500 rlp.rlim_cur = rlp.rlim_max = 256;
3501 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3502 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3503 strerror(errno));
3504 }
3505 }
3506 #endif
3507
3508 #ifdef RLIMIT_NPROC
3509 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3510 {
3511 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3512 <