Harmonised TLS library version reporting.
[exim.git] / src / src / exim.c
1 /* $Cambridge: exim/src/src/exim.c,v 1.71 2010/06/07 00:12:42 pdp Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10
11 /* The main function: entry point, initialization, and high-level control.
12 Also a few functions that don't naturally fit elsewhere. */
13
14
15 #include "exim.h"
16
17 extern void init_lookup_list(void);
18
19
20
21 /*************************************************
22 * Function interface to store functions *
23 *************************************************/
24
25 /* We need some real functions to pass to the PCRE regular expression library
26 for store allocation via Exim's store manager. The normal calls are actually
27 macros that pass over location information to make tracing easier. These
28 functions just interface to the standard macro calls. A good compiler will
29 optimize out the tail recursion and so not make them too expensive. There
30 are two sets of functions; one for use when we want to retain the compiled
31 regular expression for a long time; the other for short-term use. */
32
33 static void *
34 function_store_get(size_t size)
35 {
36 return store_get((int)size);
37 }
38
39 static void
40 function_dummy_free(void *block) { block = block; }
41
42 static void *
43 function_store_malloc(size_t size)
44 {
45 return store_malloc((int)size);
46 }
47
48 static void
49 function_store_free(void *block)
50 {
51 store_free(block);
52 }
53
54
55
56
57 /*************************************************
58 * Compile regular expression and panic on fail *
59 *************************************************/
60
61 /* This function is called when failure to compile a regular expression leads
62 to a panic exit. In other cases, pcre_compile() is called directly. In many
63 cases where this function is used, the results of the compilation are to be
64 placed in long-lived store, so we temporarily reset the store management
65 functions that PCRE uses if the use_malloc flag is set.
66
67 Argument:
68 pattern the pattern to compile
69 caseless TRUE if caseless matching is required
70 use_malloc TRUE if compile into malloc store
71
72 Returns: pointer to the compiled pattern
73 */
74
75 const pcre *
76 regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
77 {
78 int offset;
79 int options = PCRE_COPT;
80 const pcre *yield;
81 const uschar *error;
82 if (use_malloc)
83 {
84 pcre_malloc = function_store_malloc;
85 pcre_free = function_store_free;
86 }
87 if (caseless) options |= PCRE_CASELESS;
88 yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
89 pcre_malloc = function_store_get;
90 pcre_free = function_dummy_free;
91 if (yield == NULL)
92 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
93 "%s at offset %d while compiling %s", error, offset, pattern);
94 return yield;
95 }
96
97
98
99
100 /*************************************************
101 * Execute regular expression and set strings *
102 *************************************************/
103
104 /* This function runs a regular expression match, and sets up the pointers to
105 the matched substrings.
106
107 Arguments:
108 re the compiled expression
109 subject the subject string
110 options additional PCRE options
111 setup if < 0 do full setup
112 if >= 0 setup from setup+1 onwards,
113 excluding the full matched string
114
115 Returns: TRUE or FALSE
116 */
117
118 BOOL
119 regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
120 {
121 int ovector[3*(EXPAND_MAXN+1)];
122 int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
123 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
124 BOOL yield = n >= 0;
125 if (n == 0) n = EXPAND_MAXN + 1;
126 if (yield)
127 {
128 int nn;
129 expand_nmax = (setup < 0)? 0 : setup + 1;
130 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
131 {
132 expand_nstring[expand_nmax] = subject + ovector[nn];
133 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
134 }
135 expand_nmax--;
136 }
137 return yield;
138 }
139
140
141
142
143 /*************************************************
144 * Handler for SIGUSR1 *
145 *************************************************/
146
147 /* SIGUSR1 causes any exim process to write to the process log details of
148 what it is currently doing. It will only be used if the OS is capable of
149 setting up a handler that causes automatic restarting of any system call
150 that is in progress at the time.
151
152 Argument: the signal number (SIGUSR1)
153 Returns: nothing
154 */
155
156 static void
157 usr1_handler(int sig)
158 {
159 sig = sig; /* Keep picky compilers happy */
160 log_write(0, LOG_PROCESS, "%s", process_info);
161 log_close_all();
162 os_restarting_signal(SIGUSR1, usr1_handler);
163 }
164
165
166
167 /*************************************************
168 * Timeout handler *
169 *************************************************/
170
171 /* This handler is enabled most of the time that Exim is running. The handler
172 doesn't actually get used unless alarm() has been called to set a timer, to
173 place a time limit on a system call of some kind. When the handler is run, it
174 re-enables itself.
175
176 There are some other SIGALRM handlers that are used in special cases when more
177 than just a flag setting is required; for example, when reading a message's
178 input. These are normally set up in the code module that uses them, and the
179 SIGALRM handler is reset to this one afterwards.
180
181 Argument: the signal value (SIGALRM)
182 Returns: nothing
183 */
184
185 void
186 sigalrm_handler(int sig)
187 {
188 sig = sig; /* Keep picky compilers happy */
189 sigalrm_seen = TRUE;
190 os_non_restarting_signal(SIGALRM, sigalrm_handler);
191 }
192
193
194
195 /*************************************************
196 * Sleep for a fractional time interval *
197 *************************************************/
198
199 /* This function is called by millisleep() and exim_wait_tick() to wait for a
200 period of time that may include a fraction of a second. The coding is somewhat
201 tedious. We do not expect setitimer() ever to fail, but if it does, the process
202 will wait for ever, so we panic in this instance. (There was a case of this
203 when a bug in a function that calls milliwait() caused it to pass invalid data.
204 That's when I added the check. :-)
205
206 Argument: an itimerval structure containing the interval
207 Returns: nothing
208 */
209
210 static void
211 milliwait(struct itimerval *itval)
212 {
213 sigset_t sigmask;
214 sigset_t old_sigmask;
215 (void)sigemptyset(&sigmask); /* Empty mask */
216 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
217 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
218 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
219 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
220 "setitimer() failed: %s", strerror(errno));
221 (void)sigfillset(&sigmask); /* All signals */
222 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
223 (void)sigsuspend(&sigmask); /* Until SIGALRM */
224 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
225 }
226
227
228
229
230 /*************************************************
231 * Millisecond sleep function *
232 *************************************************/
233
234 /* The basic sleep() function has a granularity of 1 second, which is too rough
235 in some cases - for example, when using an increasing delay to slow down
236 spammers.
237
238 Argument: number of millseconds
239 Returns: nothing
240 */
241
242 void
243 millisleep(int msec)
244 {
245 struct itimerval itval;
246 itval.it_interval.tv_sec = 0;
247 itval.it_interval.tv_usec = 0;
248 itval.it_value.tv_sec = msec/1000;
249 itval.it_value.tv_usec = (msec % 1000) * 1000;
250 milliwait(&itval);
251 }
252
253
254
255 /*************************************************
256 * Compare microsecond times *
257 *************************************************/
258
259 /*
260 Arguments:
261 tv1 the first time
262 tv2 the second time
263
264 Returns: -1, 0, or +1
265 */
266
267 int
268 exim_tvcmp(struct timeval *t1, struct timeval *t2)
269 {
270 if (t1->tv_sec > t2->tv_sec) return +1;
271 if (t1->tv_sec < t2->tv_sec) return -1;
272 if (t1->tv_usec > t2->tv_usec) return +1;
273 if (t1->tv_usec < t2->tv_usec) return -1;
274 return 0;
275 }
276
277
278
279
280 /*************************************************
281 * Clock tick wait function *
282 *************************************************/
283
284 /* Exim uses a time + a pid to generate a unique identifier in two places: its
285 message IDs, and in file names for maildir deliveries. Because some OS now
286 re-use pids within the same second, sub-second times are now being used.
287 However, for absolute certaintly, we must ensure the clock has ticked before
288 allowing the relevant process to complete. At the time of implementation of
289 this code (February 2003), the speed of processors is such that the clock will
290 invariably have ticked already by the time a process has done its job. This
291 function prepares for the time when things are faster - and it also copes with
292 clocks that go backwards.
293
294 Arguments:
295 then_tv A timeval which was used to create uniqueness; its usec field
296 has been rounded down to the value of the resolution.
297 We want to be sure the current time is greater than this.
298 resolution The resolution that was used to divide the microseconds
299 (1 for maildir, larger for message ids)
300
301 Returns: nothing
302 */
303
304 void
305 exim_wait_tick(struct timeval *then_tv, int resolution)
306 {
307 struct timeval now_tv;
308 long int now_true_usec;
309
310 (void)gettimeofday(&now_tv, NULL);
311 now_true_usec = now_tv.tv_usec;
312 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
313
314 if (exim_tvcmp(&now_tv, then_tv) <= 0)
315 {
316 struct itimerval itval;
317 itval.it_interval.tv_sec = 0;
318 itval.it_interval.tv_usec = 0;
319 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
320 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
321
322 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
323 negative value for the microseconds is possible only in the case when "now"
324 is more than a second less than "then". That means that itval.it_value.tv_sec
325 is greater than zero. The following correction is therefore safe. */
326
327 if (itval.it_value.tv_usec < 0)
328 {
329 itval.it_value.tv_usec += 1000000;
330 itval.it_value.tv_sec -= 1;
331 }
332
333 DEBUG(D_transport|D_receive)
334 {
335 if (!running_in_test_harness)
336 {
337 debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
338 then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
339 debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
340 itval.it_value.tv_usec);
341 }
342 }
343
344 milliwait(&itval);
345 }
346 }
347
348
349
350
351 /*************************************************
352 * Set up processing details *
353 *************************************************/
354
355 /* Save a text string for dumping when SIGUSR1 is received.
356 Do checks for overruns.
357
358 Arguments: format and arguments, as for printf()
359 Returns: nothing
360 */
361
362 void
363 set_process_info(const char *format, ...)
364 {
365 int len;
366 va_list ap;
367 sprintf(CS process_info, "%5d ", (int)getpid());
368 len = Ustrlen(process_info);
369 va_start(ap, format);
370 if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap))
371 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
372 DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info);
373 va_end(ap);
374 }
375
376
377
378
379
380 /*************************************************
381 * Call fopen() with umask 777 and adjust mode *
382 *************************************************/
383
384 /* Exim runs with umask(0) so that files created with open() have the mode that
385 is specified in the open() call. However, there are some files, typically in
386 the spool directory, that are created with fopen(). They end up world-writeable
387 if no precautions are taken. Although the spool directory is not accessible to
388 the world, this is an untidiness. So this is a wrapper function for fopen()
389 that sorts out the mode of the created file.
390
391 Arguments:
392 filename the file name
393 options the fopen() options
394 mode the required mode
395
396 Returns: the fopened FILE or NULL
397 */
398
399 FILE *
400 modefopen(const uschar *filename, const char *options, mode_t mode)
401 {
402 mode_t saved_umask = umask(0777);
403 FILE *f = Ufopen(filename, options);
404 (void)umask(saved_umask);
405 if (f != NULL) (void)fchmod(fileno(f), mode);
406 return f;
407 }
408
409
410
411
412 /*************************************************
413 * Ensure stdin, stdout, and stderr exist *
414 *************************************************/
415
416 /* Some operating systems grumble if an exec() happens without a standard
417 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
418 file will be opened and will use these fd values, and then some other bit of
419 code will assume, for example, that it can write error messages to stderr.
420 This function ensures that fds 0, 1, and 2 are open if they do not already
421 exist, by connecting them to /dev/null.
422
423 This function is also used to ensure that std{in,out,err} exist at all times,
424 so that if any library that Exim calls tries to use them, it doesn't crash.
425
426 Arguments: None
427 Returns: Nothing
428 */
429
430 void
431 exim_nullstd(void)
432 {
433 int i;
434 int devnull = -1;
435 struct stat statbuf;
436 for (i = 0; i <= 2; i++)
437 {
438 if (fstat(i, &statbuf) < 0 && errno == EBADF)
439 {
440 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
441 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
442 string_open_failed(errno, "/dev/null"));
443 if (devnull != i) (void)dup2(devnull, i);
444 }
445 }
446 if (devnull > 2) (void)close(devnull);
447 }
448
449
450
451
452 /*************************************************
453 * Close unwanted file descriptors for delivery *
454 *************************************************/
455
456 /* This function is called from a new process that has been forked to deliver
457 an incoming message, either directly, or using exec.
458
459 We want any smtp input streams to be closed in this new process. However, it
460 has been observed that using fclose() here causes trouble. When reading in -bS
461 input, duplicate copies of messages have been seen. The files will be sharing a
462 file pointer with the parent process, and it seems that fclose() (at least on
463 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
464 least sometimes. Hence we go for closing the underlying file descriptors.
465
466 If TLS is active, we want to shut down the TLS library, but without molesting
467 the parent's SSL connection.
468
469 For delivery of a non-SMTP message, we want to close stdin and stdout (and
470 stderr unless debugging) because the calling process might have set them up as
471 pipes and be waiting for them to close before it waits for the submission
472 process to terminate. If they aren't closed, they hold up the calling process
473 until the initial delivery process finishes, which is not what we want.
474
475 Exception: We do want it for synchronous delivery!
476
477 And notwithstanding all the above, if D_resolver is set, implying resolver
478 debugging, leave stdout open, because that's where the resolver writes its
479 debugging output.
480
481 When we close stderr (which implies we've also closed stdout), we also get rid
482 of any controlling terminal.
483
484 Arguments: None
485 Returns: Nothing
486 */
487
488 static void
489 close_unwanted(void)
490 {
491 if (smtp_input)
492 {
493 #ifdef SUPPORT_TLS
494 tls_close(FALSE); /* Shut down the TLS library */
495 #endif
496 (void)close(fileno(smtp_in));
497 (void)close(fileno(smtp_out));
498 smtp_in = NULL;
499 }
500 else
501 {
502 (void)close(0); /* stdin */
503 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
504 if (debug_selector == 0) /* stderr */
505 {
506 if (!synchronous_delivery)
507 {
508 (void)close(2);
509 log_stderr = NULL;
510 }
511 (void)setsid();
512 }
513 }
514 }
515
516
517
518
519 /*************************************************
520 * Set uid and gid *
521 *************************************************/
522
523 /* This function sets a new uid and gid permanently, optionally calling
524 initgroups() to set auxiliary groups. There are some special cases when running
525 Exim in unprivileged modes. In these situations the effective uid will not be
526 root; if we already have the right effective uid/gid, and don't need to
527 initialize any groups, leave things as they are.
528
529 Arguments:
530 uid the uid
531 gid the gid
532 igflag TRUE if initgroups() wanted
533 msg text to use in debugging output and failure log
534
535 Returns: nothing; bombs out on failure
536 */
537
538 void
539 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
540 {
541 uid_t euid = geteuid();
542 gid_t egid = getegid();
543
544 if (euid == root_uid || euid != uid || egid != gid || igflag)
545 {
546 /* At least one OS returns +1 for initgroups failure, so just check for
547 non-zero. */
548
549 if (igflag)
550 {
551 struct passwd *pw = getpwuid(uid);
552 if (pw != NULL)
553 {
554 if (initgroups(pw->pw_name, gid) != 0)
555 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
556 (long int)uid, strerror(errno));
557 }
558 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
559 "no passwd entry for uid=%ld", (long int)uid);
560 }
561
562 if (setgid(gid) < 0 || setuid(uid) < 0)
563 {
564 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
565 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
566 }
567 }
568
569 /* Debugging output included uid/gid and all groups */
570
571 DEBUG(D_uid)
572 {
573 int group_count, save_errno;
574 gid_t group_list[NGROUPS_MAX];
575 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
576 (long int)geteuid(), (long int)getegid(), (long int)getpid());
577 group_count = getgroups(NGROUPS_MAX, group_list);
578 save_errno = errno;
579 debug_printf(" auxiliary group list:");
580 if (group_count > 0)
581 {
582 int i;
583 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
584 }
585 else if (group_count < 0)
586 debug_printf(" <error: %s>", strerror(save_errno));
587 else debug_printf(" <none>");
588 debug_printf("\n");
589 }
590 }
591
592
593
594
595 /*************************************************
596 * Exit point *
597 *************************************************/
598
599 /* Exim exits via this function so that it always clears up any open
600 databases.
601
602 Arguments:
603 rc return code
604
605 Returns: does not return
606 */
607
608 void
609 exim_exit(int rc)
610 {
611 search_tidyup();
612 DEBUG(D_any)
613 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
614 ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
615 exit(rc);
616 }
617
618
619
620
621 /*************************************************
622 * Extract port from host address *
623 *************************************************/
624
625 /* Called to extract the port from the values given to -oMa and -oMi.
626 It also checks the syntax of the address, and terminates it before the
627 port data when a port is extracted.
628
629 Argument:
630 address the address, with possible port on the end
631
632 Returns: the port, or zero if there isn't one
633 bombs out on a syntax error
634 */
635
636 static int
637 check_port(uschar *address)
638 {
639 int port = host_address_extract_port(address);
640 if (string_is_ip_address(address, NULL) == 0)
641 {
642 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
643 exit(EXIT_FAILURE);
644 }
645 return port;
646 }
647
648
649
650 /*************************************************
651 * Test/verify an address *
652 *************************************************/
653
654 /* This function is called by the -bv and -bt code. It extracts a working
655 address from a full RFC 822 address. This isn't really necessary per se, but it
656 has the effect of collapsing source routes.
657
658 Arguments:
659 s the address string
660 flags flag bits for verify_address()
661 exit_value to be set for failures
662
663 Returns: nothing
664 */
665
666 static void
667 test_address(uschar *s, int flags, int *exit_value)
668 {
669 int start, end, domain;
670 uschar *parse_error = NULL;
671 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
672 FALSE);
673 if (address == NULL)
674 {
675 fprintf(stdout, "syntax error: %s\n", parse_error);
676 *exit_value = 2;
677 }
678 else
679 {
680 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
681 -1, -1, NULL, NULL, NULL);
682 if (rc == FAIL) *exit_value = 2;
683 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
684 }
685 }
686
687
688
689 /*************************************************
690 * Show supported features *
691 *************************************************/
692
693 /* This function is called for -bV/--version and for -d to output the optional
694 features of the current Exim binary.
695
696 Arguments: a FILE for printing
697 Returns: nothing
698 */
699
700 static void
701 show_whats_supported(FILE *f)
702 {
703 #ifdef DB_VERSION_STRING
704 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
705 #elif defined(BTREEVERSION) && defined(HASHVERSION)
706 #ifdef USE_DB
707 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
708 #else
709 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
710 #endif
711 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
712 fprintf(f, "Probably ndbm\n");
713 #elif defined(USE_TDB)
714 fprintf(f, "Using tdb\n");
715 #else
716 #ifdef USE_GDBM
717 fprintf(f, "Probably GDBM (native mode)\n");
718 #else
719 fprintf(f, "Probably GDBM (compatibility mode)\n");
720 #endif
721 #endif
722
723 fprintf(f, "Support for:");
724 #ifdef SUPPORT_CRYPTEQ
725 fprintf(f, " crypteq");
726 #endif
727 #if HAVE_ICONV
728 fprintf(f, " iconv()");
729 #endif
730 #if HAVE_IPV6
731 fprintf(f, " IPv6");
732 #endif
733 #ifdef HAVE_SETCLASSRESOURCES
734 fprintf(f, " use_setclassresources");
735 #endif
736 #ifdef SUPPORT_PAM
737 fprintf(f, " PAM");
738 #endif
739 #ifdef EXIM_PERL
740 fprintf(f, " Perl");
741 #endif
742 #ifdef EXPAND_DLFUNC
743 fprintf(f, " Expand_dlfunc");
744 #endif
745 #ifdef USE_TCP_WRAPPERS
746 fprintf(f, " TCPwrappers");
747 #endif
748 #ifdef SUPPORT_TLS
749 #ifdef USE_GNUTLS
750 fprintf(f, " GnuTLS");
751 #else
752 fprintf(f, " OpenSSL");
753 #endif
754 #endif
755 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
756 fprintf(f, " translate_ip_address");
757 #endif
758 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
759 fprintf(f, " move_frozen_messages");
760 #endif
761 #ifdef WITH_CONTENT_SCAN
762 fprintf(f, " Content_Scanning");
763 #endif
764 #ifndef DISABLE_DKIM
765 fprintf(f, " DKIM");
766 #endif
767 #ifdef WITH_OLD_DEMIME
768 fprintf(f, " Old_Demime");
769 #endif
770 #ifdef EXPERIMENTAL_SPF
771 fprintf(f, " Experimental_SPF");
772 #endif
773 #ifdef EXPERIMENTAL_SRS
774 fprintf(f, " Experimental_SRS");
775 #endif
776 #ifdef EXPERIMENTAL_BRIGHTMAIL
777 fprintf(f, " Experimental_Brightmail");
778 #endif
779 #ifdef EXPERIMENTAL_DCC
780 fprintf(f, " Experimental_DCC");
781 #endif
782 fprintf(f, "\n");
783
784 fprintf(f, "Lookups (built-in):");
785 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
786 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
787 #endif
788 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
789 fprintf(f, " cdb");
790 #endif
791 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
792 fprintf(f, " dbm dbmnz");
793 #endif
794 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
795 fprintf(f, " dnsdb");
796 #endif
797 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
798 fprintf(f, " dsearch");
799 #endif
800 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
801 fprintf(f, " ibase");
802 #endif
803 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
804 fprintf(f, " ldap ldapdn ldapm");
805 #endif
806 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
807 fprintf(f, " mysql");
808 #endif
809 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
810 fprintf(f, " nis nis0");
811 #endif
812 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
813 fprintf(f, " nisplus");
814 #endif
815 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
816 fprintf(f, " oracle");
817 #endif
818 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
819 fprintf(f, " passwd");
820 #endif
821 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
822 fprintf(f, " pgsql");
823 #endif
824 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
825 fprintf(f, " sqlite");
826 #endif
827 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
828 fprintf(f, " testdb");
829 #endif
830 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
831 fprintf(f, " whoson");
832 #endif
833 fprintf(f, "\n");
834
835 fprintf(f, "Authenticators:");
836 #ifdef AUTH_CRAM_MD5
837 fprintf(f, " cram_md5");
838 #endif
839 #ifdef AUTH_CYRUS_SASL
840 fprintf(f, " cyrus_sasl");
841 #endif
842 #ifdef AUTH_DOVECOT
843 fprintf(f, " dovecot");
844 #endif
845 #ifdef AUTH_PLAINTEXT
846 fprintf(f, " plaintext");
847 #endif
848 #ifdef AUTH_SPA
849 fprintf(f, " spa");
850 #endif
851 fprintf(f, "\n");
852
853 fprintf(f, "Routers:");
854 #ifdef ROUTER_ACCEPT
855 fprintf(f, " accept");
856 #endif
857 #ifdef ROUTER_DNSLOOKUP
858 fprintf(f, " dnslookup");
859 #endif
860 #ifdef ROUTER_IPLITERAL
861 fprintf(f, " ipliteral");
862 #endif
863 #ifdef ROUTER_IPLOOKUP
864 fprintf(f, " iplookup");
865 #endif
866 #ifdef ROUTER_MANUALROUTE
867 fprintf(f, " manualroute");
868 #endif
869 #ifdef ROUTER_QUERYPROGRAM
870 fprintf(f, " queryprogram");
871 #endif
872 #ifdef ROUTER_REDIRECT
873 fprintf(f, " redirect");
874 #endif
875 fprintf(f, "\n");
876
877 fprintf(f, "Transports:");
878 #ifdef TRANSPORT_APPENDFILE
879 fprintf(f, " appendfile");
880 #ifdef SUPPORT_MAILDIR
881 fprintf(f, "/maildir");
882 #endif
883 #ifdef SUPPORT_MAILSTORE
884 fprintf(f, "/mailstore");
885 #endif
886 #ifdef SUPPORT_MBX
887 fprintf(f, "/mbx");
888 #endif
889 #endif
890 #ifdef TRANSPORT_AUTOREPLY
891 fprintf(f, " autoreply");
892 #endif
893 #ifdef TRANSPORT_LMTP
894 fprintf(f, " lmtp");
895 #endif
896 #ifdef TRANSPORT_PIPE
897 fprintf(f, " pipe");
898 #endif
899 #ifdef TRANSPORT_SMTP
900 fprintf(f, " smtp");
901 #endif
902 fprintf(f, "\n");
903
904 if (fixed_never_users[0] > 0)
905 {
906 int i;
907 fprintf(f, "Fixed never_users: ");
908 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
909 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
910 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
911 }
912
913 fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
914
915 /* Everything else is details which are only worth reporting when debugging.
916 Perhaps the tls_version_report should move into this too. */
917 DEBUG(D_any) do {
918
919 int i;
920
921 /* clang defines __GNUC__ (at least, for me) so test for it first */
922 #if defined(__clang__)
923 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
924 #elif defined(__GNUC__)
925 fprintf(f, "Compiler: GCC [%s]\n",
926 # ifdef __VERSION__
927 __VERSION__
928 # else
929 "? unknown version ?"
930 # endif
931 );
932 #else
933 fprintf(f, "Compiler: <unknown>\n");
934 #endif
935
936 #ifdef SUPPORT_TLS
937 tls_version_report(f);
938 #endif
939
940 #ifdef AUTH_CYRUS_SASL
941 auth_cyrus_sasl_version_report(f);
942 #endif
943
944 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
945 " Runtime: %s\n",
946 PCRE_MAJOR, PCRE_MINOR,
947 /* PRE_PRERELEASE is either defined and empty or a string.
948 * unless its an ancient version of PCRE in which case it
949 * is not defined */
950 #ifdef PCRE_PRERELEASE
951 PCRE_PRERELEASE "",
952 #else
953 "",
954 #endif
955 pcre_version());
956
957 init_lookup_list();
958 for (i = 0; i < lookup_list_count; i++)
959 {
960 if (lookup_list[i]->version_report)
961 lookup_list[i]->version_report(f);
962 }
963
964 #ifdef WHITELIST_D_MACROS
965 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
966 #else
967 fprintf(f, "WHITELIST_D_MACROS unset\n");
968 #endif
969 #ifdef TRUSTED_CONFIG_LIST
970 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
971 #else
972 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
973 #endif
974
975 } while (0);
976 }
977
978
979
980
981 /*************************************************
982 * Quote a local part *
983 *************************************************/
984
985 /* This function is used when a sender address or a From: or Sender: header
986 line is being created from the caller's login, or from an authenticated_id. It
987 applies appropriate quoting rules for a local part.
988
989 Argument: the local part
990 Returns: the local part, quoted if necessary
991 */
992
993 uschar *
994 local_part_quote(uschar *lpart)
995 {
996 BOOL needs_quote = FALSE;
997 int size, ptr;
998 uschar *yield;
999 uschar *t;
1000
1001 for (t = lpart; !needs_quote && *t != 0; t++)
1002 {
1003 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1004 (*t != '.' || t == lpart || t[1] == 0);
1005 }
1006
1007 if (!needs_quote) return lpart;
1008
1009 size = ptr = 0;
1010 yield = string_cat(NULL, &size, &ptr, US"\"", 1);
1011
1012 for (;;)
1013 {
1014 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1015 if (nq == NULL)
1016 {
1017 yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
1018 break;
1019 }
1020 yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
1021 yield = string_cat(yield, &size, &ptr, US"\\", 1);
1022 yield = string_cat(yield, &size, &ptr, nq, 1);
1023 lpart = nq + 1;
1024 }
1025
1026 yield = string_cat(yield, &size, &ptr, US"\"", 1);
1027 yield[ptr] = 0;
1028 return yield;
1029 }
1030
1031
1032
1033 #ifdef USE_READLINE
1034 /*************************************************
1035 * Load readline() functions *
1036 *************************************************/
1037
1038 /* This function is called from testing executions that read data from stdin,
1039 but only when running as the calling user. Currently, only -be does this. The
1040 function loads the readline() function library and passes back the functions.
1041 On some systems, it needs the curses library, so load that too, but try without
1042 it if loading fails. All this functionality has to be requested at build time.
1043
1044 Arguments:
1045 fn_readline_ptr pointer to where to put the readline pointer
1046 fn_addhist_ptr pointer to where to put the addhistory function
1047
1048 Returns: the dlopen handle or NULL on failure
1049 */
1050
1051 static void *
1052 set_readline(char * (**fn_readline_ptr)(const char *),
1053 void (**fn_addhist_ptr)(const char *))
1054 {
1055 void *dlhandle;
1056 void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY);
1057
1058 dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW);
1059 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1060
1061 if (dlhandle != NULL)
1062 {
1063 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1064 * char * readline (const char *prompt);
1065 * void add_history (const char *string);
1066 */
1067 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1068 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1069 }
1070 else
1071 {
1072 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1073 }
1074
1075 return dlhandle;
1076 }
1077 #endif
1078
1079
1080
1081 /*************************************************
1082 * Get a line from stdin for testing things *
1083 *************************************************/
1084
1085 /* This function is called when running tests that can take a number of lines
1086 of input (for example, -be and -bt). It handles continuations and trailing
1087 spaces. And prompting and a blank line output on eof. If readline() is in use,
1088 the arguments are non-NULL and provide the relevant functions.
1089
1090 Arguments:
1091 fn_readline readline function or NULL
1092 fn_addhist addhist function or NULL
1093
1094 Returns: pointer to dynamic memory, or NULL at end of file
1095 */
1096
1097 static uschar *
1098 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1099 {
1100 int i;
1101 int size = 0;
1102 int ptr = 0;
1103 uschar *yield = NULL;
1104
1105 if (fn_readline == NULL) { printf("> "); fflush(stdout); }
1106
1107 for (i = 0;; i++)
1108 {
1109 uschar buffer[1024];
1110 uschar *p, *ss;
1111
1112 #ifdef USE_READLINE
1113 char *readline_line = NULL;
1114 if (fn_readline != NULL)
1115 {
1116 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1117 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1118 p = US readline_line;
1119 }
1120 else
1121 #endif
1122
1123 /* readline() not in use */
1124
1125 {
1126 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1127 p = buffer;
1128 }
1129
1130 /* Handle the line */
1131
1132 ss = p + (int)Ustrlen(p);
1133 while (ss > p && isspace(ss[-1])) ss--;
1134
1135 if (i > 0)
1136 {
1137 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1138 }
1139
1140 yield = string_cat(yield, &size, &ptr, p, ss - p);
1141
1142 #ifdef USE_READLINE
1143 if (fn_readline != NULL) free(readline_line);
1144 #endif
1145
1146 if (ss == p || yield[ptr-1] != '\\')
1147 {
1148 yield[ptr] = 0;
1149 break;
1150 }
1151 yield[--ptr] = 0;
1152 }
1153
1154 if (yield == NULL) printf("\n");
1155 return yield;
1156 }
1157
1158
1159
1160 /*************************************************
1161 * Output usage information for the program *
1162 *************************************************/
1163
1164 /* This function is called when there are no recipients
1165 or a specific --help argument was added.
1166
1167 Arguments:
1168 progname information on what name we were called by
1169
1170 Returns: DOES NOT RETURN
1171 */
1172
1173 static void
1174 exim_usage(uschar *progname)
1175 {
1176
1177 /* Handle specific program invocation varients */
1178 if (Ustrcmp(progname, US"-mailq") == 0)
1179 {
1180 fprintf(stderr,
1181 "mailq - list the contents of the mail queue\n\n"
1182 "For a list of options, see the Exim documentation.\n");
1183 exit(EXIT_FAILURE);
1184 }
1185
1186 /* Generic usage - we output this whatever happens */
1187 fprintf(stderr,
1188 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1189 "not directly from a shell command line. Options and/or arguments control\n"
1190 "what it does when called. For a list of options, see the Exim documentation.\n");
1191
1192 exit(EXIT_FAILURE);
1193 }
1194
1195
1196
1197 /*************************************************
1198 * Validate that the macros given are okay *
1199 *************************************************/
1200
1201 /* Typically, Exim will drop privileges if macros are supplied. In some
1202 cases, we want to not do so.
1203
1204 Arguments: none (macros is a global)
1205 Returns: true if trusted, false otherwise
1206 */
1207
1208 static BOOL
1209 macros_trusted(void)
1210 {
1211 #ifdef WHITELIST_D_MACROS
1212 macro_item *m;
1213 uschar *whitelisted, *end, *p, **whites, **w;
1214 int white_count, i, n;
1215 size_t len;
1216 BOOL prev_char_item, found;
1217 #endif
1218
1219 if (macros == NULL)
1220 return TRUE;
1221 #ifndef WHITELIST_D_MACROS
1222 return FALSE;
1223 #else
1224
1225 /* We only trust -D overrides for some invoking users:
1226 root, the exim run-time user, the optional config owner user.
1227 I don't know why config-owner would be needed, but since they can own the
1228 config files anyway, there's no security risk to letting them override -D. */
1229 if ( ! ((real_uid == root_uid)
1230 || (real_uid == exim_uid)
1231 #ifdef CONFIGURE_OWNER
1232 || (real_uid == config_uid)
1233 #endif
1234 ))
1235 {
1236 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1237 return FALSE;
1238 }
1239
1240 /* Get a list of macros which are whitelisted */
1241 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1242 prev_char_item = FALSE;
1243 white_count = 0;
1244 for (p = whitelisted; *p != '\0'; ++p)
1245 {
1246 if (*p == ':' || isspace(*p))
1247 {
1248 *p = '\0';
1249 if (prev_char_item)
1250 ++white_count;
1251 prev_char_item = FALSE;
1252 continue;
1253 }
1254 if (!prev_char_item)
1255 prev_char_item = TRUE;
1256 }
1257 end = p;
1258 if (prev_char_item)
1259 ++white_count;
1260 if (!white_count)
1261 return FALSE;
1262 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1263 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1264 {
1265 if (*p != '\0')
1266 {
1267 whites[i++] = p;
1268 if (i == white_count)
1269 break;
1270 while (*p != '\0' && p < end)
1271 ++p;
1272 }
1273 }
1274 whites[i] = NULL;
1275
1276 /* The list of macros should be very short. Accept the N*M complexity. */
1277 for (m = macros; m != NULL; m = m->next)
1278 {
1279 found = FALSE;
1280 for (w = whites; *w; ++w)
1281 if (Ustrcmp(*w, m->name) == 0)
1282 {
1283 found = TRUE;
1284 break;
1285 }
1286 if (!found)
1287 return FALSE;
1288 if (m->replacement == NULL)
1289 continue;
1290 len = Ustrlen(m->replacement);
1291 if (len == 0)
1292 continue;
1293 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1294 0, PCRE_EOPT, NULL, 0);
1295 if (n < 0)
1296 {
1297 if (n != PCRE_ERROR_NOMATCH)
1298 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1299 return FALSE;
1300 }
1301 }
1302 DEBUG(D_any) debug_printf("macros_trusted overriden to true by whitelisting\n");
1303 return TRUE;
1304 #endif
1305 }
1306
1307
1308 /*************************************************
1309 * Entry point and high-level code *
1310 *************************************************/
1311
1312 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1313 the appropriate action. All the necessary functions are present in the one
1314 binary. I originally thought one should split it up, but it turns out that so
1315 much of the apparatus is needed in each chunk that one might as well just have
1316 it all available all the time, which then makes the coding easier as well.
1317
1318 Arguments:
1319 argc count of entries in argv
1320 argv argument strings, with argv[0] being the program name
1321
1322 Returns: EXIT_SUCCESS if terminated successfully
1323 EXIT_FAILURE otherwise, except when a message has been sent
1324 to the sender, and -oee was given
1325 */
1326
1327 int
1328 main(int argc, char **cargv)
1329 {
1330 uschar **argv = USS cargv;
1331 int arg_receive_timeout = -1;
1332 int arg_smtp_receive_timeout = -1;
1333 int arg_error_handling = error_handling;
1334 int filter_sfd = -1;
1335 int filter_ufd = -1;
1336 int group_count;
1337 int i, rv;
1338 int list_queue_option = 0;
1339 int msg_action = 0;
1340 int msg_action_arg = -1;
1341 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1342 int queue_only_reason = 0;
1343 #ifdef EXIM_PERL
1344 int perl_start_option = 0;
1345 #endif
1346 int recipients_arg = argc;
1347 int sender_address_domain = 0;
1348 int test_retry_arg = -1;
1349 int test_rewrite_arg = -1;
1350 BOOL arg_queue_only = FALSE;
1351 BOOL bi_option = FALSE;
1352 BOOL checking = FALSE;
1353 BOOL count_queue = FALSE;
1354 BOOL expansion_test = FALSE;
1355 BOOL extract_recipients = FALSE;
1356 BOOL forced_delivery = FALSE;
1357 BOOL f_end_dot = FALSE;
1358 BOOL deliver_give_up = FALSE;
1359 BOOL list_queue = FALSE;
1360 BOOL list_options = FALSE;
1361 BOOL local_queue_only;
1362 BOOL more = TRUE;
1363 BOOL one_msg_action = FALSE;
1364 BOOL queue_only_set = FALSE;
1365 BOOL receiving_message = TRUE;
1366 BOOL sender_ident_set = FALSE;
1367 BOOL session_local_queue_only;
1368 BOOL unprivileged;
1369 BOOL removed_privilege = FALSE;
1370 BOOL usage_wanted = FALSE;
1371 BOOL verify_address_mode = FALSE;
1372 BOOL verify_as_sender = FALSE;
1373 BOOL version_printed = FALSE;
1374 uschar *alias_arg = NULL;
1375 uschar *called_as = US"";
1376 uschar *start_queue_run_id = NULL;
1377 uschar *stop_queue_run_id = NULL;
1378 uschar *expansion_test_message = NULL;
1379 uschar *ftest_domain = NULL;
1380 uschar *ftest_localpart = NULL;
1381 uschar *ftest_prefix = NULL;
1382 uschar *ftest_suffix = NULL;
1383 uschar *malware_test_file = NULL;
1384 uschar *real_sender_address;
1385 uschar *originator_home = US"/";
1386 void *reset_point;
1387
1388 struct passwd *pw;
1389 struct stat statbuf;
1390 pid_t passed_qr_pid = (pid_t)0;
1391 int passed_qr_pipe = -1;
1392 gid_t group_list[NGROUPS_MAX];
1393
1394 /* Possible options for -R and -S */
1395
1396 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1397
1398 /* Need to define this in case we need to change the environment in order
1399 to get rid of a bogus time zone. We have to make it char rather than uschar
1400 because some OS define it in /usr/include/unistd.h. */
1401
1402 extern char **environ;
1403
1404 /* If the Exim user and/or group and/or the configuration file owner/group were
1405 defined by ref:name at build time, we must now find the actual uid/gid values.
1406 This is a feature to make the lives of binary distributors easier. */
1407
1408 #ifdef EXIM_USERNAME
1409 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1410 {
1411 if (exim_uid == 0)
1412 {
1413 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1414 EXIM_USERNAME);
1415 exit(EXIT_FAILURE);
1416 }
1417 exim_gid = pw->pw_gid;
1418 }
1419 else
1420 {
1421 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1422 EXIM_USERNAME);
1423 exit(EXIT_FAILURE);
1424 }
1425 #endif
1426
1427 #ifdef EXIM_GROUPNAME
1428 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1429 {
1430 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1431 EXIM_GROUPNAME);
1432 exit(EXIT_FAILURE);
1433 }
1434 #endif
1435
1436 #ifdef CONFIGURE_OWNERNAME
1437 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1438 {
1439 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1440 CONFIGURE_OWNERNAME);
1441 exit(EXIT_FAILURE);
1442 }
1443 #endif
1444
1445 /* We default the system_filter_user to be the Exim run-time user, as a
1446 sane non-root value. */
1447 system_filter_uid = exim_uid;
1448
1449 #ifdef CONFIGURE_GROUPNAME
1450 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1451 {
1452 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1453 CONFIGURE_GROUPNAME);
1454 exit(EXIT_FAILURE);
1455 }
1456 #endif
1457
1458 /* In the Cygwin environment, some initialization needs doing. It is fudged
1459 in by means of this macro. */
1460
1461 #ifdef OS_INIT
1462 OS_INIT
1463 #endif
1464
1465 /* Check a field which is patched when we are running Exim within its
1466 testing harness; do a fast initial check, and then the whole thing. */
1467
1468 running_in_test_harness =
1469 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1470
1471 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1472 at the start of a program; however, it seems that some environments do not
1473 follow this. A "strange" locale can affect the formatting of timestamps, so we
1474 make quite sure. */
1475
1476 setlocale(LC_ALL, "C");
1477
1478 /* Set up the default handler for timing using alarm(). */
1479
1480 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1481
1482 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1483 because store_malloc writes a log entry on failure. */
1484
1485 log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1486 if (log_buffer == NULL)
1487 {
1488 fprintf(stderr, "exim: failed to get store for log buffer\n");
1489 exit(EXIT_FAILURE);
1490 }
1491
1492 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1493 NULL when the daemon is run and the file is closed. We have to use this
1494 indirection, because some systems don't allow writing to the variable "stderr".
1495 */
1496
1497 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1498
1499 /* Arrange for the PCRE regex library to use our store functions. Note that
1500 the normal calls are actually macros that add additional arguments for
1501 debugging purposes so we have to assign specially constructed functions here.
1502 The default is to use store in the stacking pool, but this is overridden in the
1503 regex_must_compile() function. */
1504
1505 pcre_malloc = function_store_get;
1506 pcre_free = function_dummy_free;
1507
1508 /* Ensure there is a big buffer for temporary use in several places. It is put
1509 in malloc store so that it can be freed for enlargement if necessary. */
1510
1511 big_buffer = store_malloc(big_buffer_size);
1512
1513 /* Set up the handler for the data request signal, and set the initial
1514 descriptive text. */
1515
1516 set_process_info("initializing");
1517 os_restarting_signal(SIGUSR1, usr1_handler);
1518
1519 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1520 in the daemon code. For the rest of Exim's uses, we ignore it. */
1521
1522 signal(SIGHUP, SIG_IGN);
1523
1524 /* We don't want to die on pipe errors as the code is written to handle
1525 the write error instead. */
1526
1527 signal(SIGPIPE, SIG_IGN);
1528
1529 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1530 set to SIG_IGN. This causes subprocesses that complete before the parent
1531 process waits for them not to hang around, so when Exim calls wait(), nothing
1532 is there. The wait() code has been made robust against this, but let's ensure
1533 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1534 ending status. We use sigaction rather than plain signal() on those OS where
1535 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1536 problem on AIX with this.) */
1537
1538 #ifdef SA_NOCLDWAIT
1539 {
1540 struct sigaction act;
1541 act.sa_handler = SIG_DFL;
1542 sigemptyset(&(act.sa_mask));
1543 act.sa_flags = 0;
1544 sigaction(SIGCHLD, &act, NULL);
1545 }
1546 #else
1547 signal(SIGCHLD, SIG_DFL);
1548 #endif
1549
1550 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1551 SIGHUP. */
1552
1553 sighup_argv = argv;
1554
1555 /* Set up the version number. Set up the leading 'E' for the external form of
1556 message ids, set the pointer to the internal form, and initialize it to
1557 indicate no message being processed. */
1558
1559 version_init();
1560 message_id_option[0] = '-';
1561 message_id_external = message_id_option + 1;
1562 message_id_external[0] = 'E';
1563 message_id = message_id_external + 1;
1564 message_id[0] = 0;
1565
1566 /* Set the umask to zero so that any files Exim creates using open() are
1567 created with the modes that it specifies. NOTE: Files created with fopen() have
1568 a problem, which was not recognized till rather late (February 2006). With this
1569 umask, such files will be world writeable. (They are all content scanning files
1570 in the spool directory, which isn't world-accessible, so this is not a
1571 disaster, but it's untidy.) I don't want to change this overall setting,
1572 however, because it will interact badly with the open() calls. Instead, there's
1573 now a function called modefopen() that fiddles with the umask while calling
1574 fopen(). */
1575
1576 (void)umask(0);
1577
1578 /* Precompile the regular expression for matching a message id. Keep this in
1579 step with the code that generates ids in the accept.c module. We need to do
1580 this here, because the -M options check their arguments for syntactic validity
1581 using mac_ismsgid, which uses this. */
1582
1583 regex_ismsgid =
1584 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1585
1586 /* Precompile the regular expression that is used for matching an SMTP error
1587 code, possibly extended, at the start of an error message. Note that the
1588 terminating whitespace character is included. */
1589
1590 regex_smtp_code =
1591 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1592 FALSE, TRUE);
1593
1594 #ifdef WHITELIST_D_MACROS
1595 /* Precompile the regular expression used to filter the content of macros
1596 given to -D for permissibility. */
1597
1598 regex_whitelisted_macro =
1599 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1600 #endif
1601
1602
1603 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1604 this seems to be a generally accepted convention, since one finds symbolic
1605 links called "mailq" in standard OS configurations. */
1606
1607 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1608 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1609 {
1610 list_queue = TRUE;
1611 receiving_message = FALSE;
1612 called_as = US"-mailq";
1613 }
1614
1615 /* If the program is called as "rmail" treat it as equivalent to
1616 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1617 i.e. preventing a single dot on a line from terminating the message, and
1618 returning with zero return code, even in cases of error (provided an error
1619 message has been sent). */
1620
1621 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1622 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1623 {
1624 dot_ends = FALSE;
1625 called_as = US"-rmail";
1626 errors_sender_rc = EXIT_SUCCESS;
1627 }
1628
1629 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1630 this is a smail convention. */
1631
1632 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1633 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1634 {
1635 smtp_input = smtp_batched_input = TRUE;
1636 called_as = US"-rsmtp";
1637 }
1638
1639 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1640 this is a smail convention. */
1641
1642 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1643 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1644 {
1645 queue_interval = 0;
1646 receiving_message = FALSE;
1647 called_as = US"-runq";
1648 }
1649
1650 /* If the program is called as "newaliases" treat it as equivalent to
1651 "exim -bi"; this is a sendmail convention. */
1652
1653 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1654 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1655 {
1656 bi_option = TRUE;
1657 receiving_message = FALSE;
1658 called_as = US"-newaliases";
1659 }
1660
1661 /* Save the original effective uid for a couple of uses later. It should
1662 normally be root, but in some esoteric environments it may not be. */
1663
1664 original_euid = geteuid();
1665
1666 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1667 to be the same as the real ones. This makes a difference only if Exim is setuid
1668 (or setgid) to something other than root, which could be the case in some
1669 special configurations. */
1670
1671 real_uid = getuid();
1672 real_gid = getgid();
1673
1674 if (real_uid == root_uid)
1675 {
1676 rv = setgid(real_gid);
1677 if (rv)
1678 {
1679 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1680 (long int)real_gid, strerror(errno));
1681 exit(EXIT_FAILURE);
1682 }
1683 rv = setuid(real_uid);
1684 if (rv)
1685 {
1686 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1687 (long int)real_uid, strerror(errno));
1688 exit(EXIT_FAILURE);
1689 }
1690 }
1691
1692 /* If neither the original real uid nor the original euid was root, Exim is
1693 running in an unprivileged state. */
1694
1695 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1696
1697 /* Scan the program's arguments. Some can be dealt with right away; others are
1698 simply recorded for checking and handling afterwards. Do a high-level switch
1699 on the second character (the one after '-'), to save some effort. */
1700
1701 for (i = 1; i < argc; i++)
1702 {
1703 BOOL badarg = FALSE;
1704 uschar *arg = argv[i];
1705 uschar *argrest;
1706 int switchchar;
1707
1708 /* An argument not starting with '-' is the start of a recipients list;
1709 break out of the options-scanning loop. */
1710
1711 if (arg[0] != '-')
1712 {
1713 recipients_arg = i;
1714 break;
1715 }
1716
1717 /* An option consistion of -- terminates the options */
1718
1719 if (Ustrcmp(arg, "--") == 0)
1720 {
1721 recipients_arg = i + 1;
1722 break;
1723 }
1724
1725 /* Handle flagged options */
1726
1727 switchchar = arg[1];
1728 argrest = arg+2;
1729
1730 /* Make all -ex options synonymous with -oex arguments, since that
1731 is assumed by various callers. Also make -qR options synonymous with -R
1732 options, as that seems to be required as well. Allow for -qqR too, and
1733 the same for -S options. */
1734
1735 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1736 Ustrncmp(arg+1, "qR", 2) == 0 ||
1737 Ustrncmp(arg+1, "qS", 2) == 0)
1738 {
1739 switchchar = arg[2];
1740 argrest++;
1741 }
1742 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1743 {
1744 switchchar = arg[3];
1745 argrest += 2;
1746 queue_2stage = TRUE;
1747 }
1748
1749 /* Make -r synonymous with -f, since it is a documented alias */
1750
1751 else if (arg[1] == 'r') switchchar = 'f';
1752
1753 /* Make -ov synonymous with -v */
1754
1755 else if (Ustrcmp(arg, "-ov") == 0)
1756 {
1757 switchchar = 'v';
1758 argrest++;
1759 }
1760
1761 /* deal with --option_aliases */
1762 else if (switchchar == '-')
1763 {
1764 if (Ustrcmp(argrest, "help") == 0)
1765 {
1766 usage_wanted = TRUE;
1767 break;
1768 }
1769 else if (Ustrcmp(argrest, "version") == 0)
1770 {
1771 switchchar = 'b';
1772 argrest = US"V";
1773 }
1774 }
1775
1776 /* High-level switch on active initial letter */
1777
1778 switch(switchchar)
1779 {
1780 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1781 so has no need of it. */
1782
1783 case 'B':
1784 if (*argrest == 0) i++; /* Skip over the type */
1785 break;
1786
1787
1788 case 'b':
1789 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1790
1791 /* -bd: Run in daemon mode, awaiting SMTP connections.
1792 -bdf: Ditto, but in the foreground.
1793 */
1794
1795 if (*argrest == 'd')
1796 {
1797 daemon_listen = TRUE;
1798 if (*(++argrest) == 'f') background_daemon = FALSE;
1799 else if (*argrest != 0) { badarg = TRUE; break; }
1800 }
1801
1802 /* -be: Run in expansion test mode
1803 -bem: Ditto, but read a message from a file first
1804 */
1805
1806 else if (*argrest == 'e')
1807 {
1808 expansion_test = checking = TRUE;
1809 if (argrest[1] == 'm')
1810 {
1811 if (++i >= argc) { badarg = TRUE; break; }
1812 expansion_test_message = argv[i];
1813 argrest++;
1814 }
1815 if (argrest[1] != 0) { badarg = TRUE; break; }
1816 }
1817
1818 /* -bF: Run system filter test */
1819
1820 else if (*argrest == 'F')
1821 {
1822 filter_test |= FTEST_SYSTEM;
1823 if (*(++argrest) != 0) { badarg = TRUE; break; }
1824 if (++i < argc) filter_test_sfile = argv[i]; else
1825 {
1826 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1827 exit(EXIT_FAILURE);
1828 }
1829 }
1830
1831 /* -bf: Run user filter test
1832 -bfd: Set domain for filter testing
1833 -bfl: Set local part for filter testing
1834 -bfp: Set prefix for filter testing
1835 -bfs: Set suffix for filter testing
1836 */
1837
1838 else if (*argrest == 'f')
1839 {
1840 if (*(++argrest) == 0)
1841 {
1842 filter_test |= FTEST_USER;
1843 if (++i < argc) filter_test_ufile = argv[i]; else
1844 {
1845 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1846 exit(EXIT_FAILURE);
1847 }
1848 }
1849 else
1850 {
1851 if (++i >= argc)
1852 {
1853 fprintf(stderr, "exim: string expected after %s\n", arg);
1854 exit(EXIT_FAILURE);
1855 }
1856 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1857 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1858 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1859 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1860 else { badarg = TRUE; break; }
1861 }
1862 }
1863
1864 /* -bh: Host checking - an IP address must follow. */
1865
1866 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1867 {
1868 if (++i >= argc) { badarg = TRUE; break; }
1869 sender_host_address = argv[i];
1870 host_checking = checking = log_testing_mode = TRUE;
1871 host_checking_callout = argrest[1] == 'c';
1872 }
1873
1874 /* -bi: This option is used by sendmail to initialize *the* alias file,
1875 though it has the -oA option to specify a different file. Exim has no
1876 concept of *the* alias file, but since Sun's YP make script calls
1877 sendmail this way, some support must be provided. */
1878
1879 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1880
1881 /* -bm: Accept and deliver message - the default option. Reinstate
1882 receiving_message, which got turned off for all -b options. */
1883
1884 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
1885
1886 /* -bmalware: test the filename given for malware */
1887
1888 else if (Ustrcmp(argrest, "malware") == 0)
1889 {
1890 if (++i >= argc) { badarg = TRUE; break; }
1891 malware_test_file = argv[i];
1892 }
1893
1894 /* -bnq: For locally originating messages, do not qualify unqualified
1895 addresses. In the envelope, this causes errors; in header lines they
1896 just get left. */
1897
1898 else if (Ustrcmp(argrest, "nq") == 0)
1899 {
1900 allow_unqualified_sender = FALSE;
1901 allow_unqualified_recipient = FALSE;
1902 }
1903
1904 /* -bpxx: List the contents of the mail queue, in various forms. If
1905 the option is -bpc, just a queue count is needed. Otherwise, if the
1906 first letter after p is r, then order is random. */
1907
1908 else if (*argrest == 'p')
1909 {
1910 if (*(++argrest) == 'c')
1911 {
1912 count_queue = TRUE;
1913 if (*(++argrest) != 0) badarg = TRUE;
1914 break;
1915 }
1916
1917 if (*argrest == 'r')
1918 {
1919 list_queue_option = 8;
1920 argrest++;
1921 }
1922 else list_queue_option = 0;
1923
1924 list_queue = TRUE;
1925
1926 /* -bp: List the contents of the mail queue, top-level only */
1927
1928 if (*argrest == 0) {}
1929
1930 /* -bpu: List the contents of the mail queue, top-level undelivered */
1931
1932 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
1933
1934 /* -bpa: List the contents of the mail queue, including all delivered */
1935
1936 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
1937
1938 /* Unknown after -bp[r] */
1939
1940 else
1941 {
1942 badarg = TRUE;
1943 break;
1944 }
1945 }
1946
1947
1948 /* -bP: List the configuration variables given as the address list.
1949 Force -v, so configuration errors get displayed. */
1950
1951 else if (Ustrcmp(argrest, "P") == 0)
1952 {
1953 list_options = TRUE;
1954 debug_selector |= D_v;
1955 debug_file = stderr;
1956 }
1957
1958 /* -brt: Test retry configuration lookup */
1959
1960 else if (Ustrcmp(argrest, "rt") == 0)
1961 {
1962 test_retry_arg = i + 1;
1963 goto END_ARG;
1964 }
1965
1966 /* -brw: Test rewrite configuration */
1967
1968 else if (Ustrcmp(argrest, "rw") == 0)
1969 {
1970 test_rewrite_arg = i + 1;
1971 goto END_ARG;
1972 }
1973
1974 /* -bS: Read SMTP commands on standard input, but produce no replies -
1975 all errors are reported by sending messages. */
1976
1977 else if (Ustrcmp(argrest, "S") == 0)
1978 smtp_input = smtp_batched_input = receiving_message = TRUE;
1979
1980 /* -bs: Read SMTP commands on standard input and produce SMTP replies
1981 on standard output. */
1982
1983 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
1984
1985 /* -bt: address testing mode */
1986
1987 else if (Ustrcmp(argrest, "t") == 0)
1988 address_test_mode = checking = log_testing_mode = TRUE;
1989
1990 /* -bv: verify addresses */
1991
1992 else if (Ustrcmp(argrest, "v") == 0)
1993 verify_address_mode = checking = log_testing_mode = TRUE;
1994
1995 /* -bvs: verify sender addresses */
1996
1997 else if (Ustrcmp(argrest, "vs") == 0)
1998 {
1999 verify_address_mode = checking = log_testing_mode = TRUE;
2000 verify_as_sender = TRUE;
2001 }
2002
2003 /* -bV: Print version string and support details */
2004
2005 else if (Ustrcmp(argrest, "V") == 0)
2006 {
2007 printf("Exim version %s #%s built %s\n", version_string,
2008 version_cnumber, version_date);
2009 printf("%s\n", CS version_copyright);
2010 version_printed = TRUE;
2011 show_whats_supported(stdout);
2012 }
2013
2014 else badarg = TRUE;
2015 break;
2016
2017
2018 /* -C: change configuration file list; ignore if it isn't really
2019 a change! Enforce a prefix check if required. */
2020
2021 case 'C':
2022 if (*argrest == 0)
2023 {
2024 if(++i < argc) argrest = argv[i]; else
2025 { badarg = TRUE; break; }
2026 }
2027 if (Ustrcmp(config_main_filelist, argrest) != 0)
2028 {
2029 #ifdef ALT_CONFIG_PREFIX
2030 int sep = 0;
2031 int len = Ustrlen(ALT_CONFIG_PREFIX);
2032 uschar *list = argrest;
2033 uschar *filename;
2034 while((filename = string_nextinlist(&list, &sep, big_buffer,
2035 big_buffer_size)) != NULL)
2036 {
2037 if ((Ustrlen(filename) < len ||
2038 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2039 Ustrstr(filename, "/../") != NULL) &&
2040 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2041 {
2042 fprintf(stderr, "-C Permission denied\n");
2043 exit(EXIT_FAILURE);
2044 }
2045 }
2046 #endif
2047 if (real_uid != root_uid)
2048 {
2049 #ifdef TRUSTED_CONFIG_LIST
2050
2051 if (real_uid != exim_uid
2052 #ifdef CONFIGURE_OWNER
2053 && real_uid != config_uid
2054 #endif
2055 )
2056 trusted_config = FALSE;
2057 else
2058 {
2059 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2060 if (trust_list)
2061 {
2062 struct stat statbuf;
2063
2064 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2065 (statbuf.st_uid != root_uid /* owner not root */
2066 #ifdef CONFIGURE_OWNER
2067 && statbuf.st_uid != config_uid /* owner not the special one */
2068 #endif
2069 ) || /* or */
2070 (statbuf.st_gid != root_gid /* group not root */
2071 #ifdef CONFIGURE_GROUP
2072 && statbuf.st_gid != config_gid /* group not the special one */
2073 #endif
2074 && (statbuf.st_mode & 020) != 0 /* group writeable */
2075 ) || /* or */
2076 (statbuf.st_mode & 2) != 0) /* world writeable */
2077 {
2078 trusted_config = FALSE;
2079 fclose(trust_list);
2080 }
2081 else
2082 {
2083 /* Well, the trust list at least is up to scratch... */
2084 void *reset_point = store_get(0);
2085 uschar *trusted_configs[32];
2086 int nr_configs = 0;
2087 int i = 0;
2088
2089 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2090 {
2091 uschar *start = big_buffer, *nl;
2092 while (*start && isspace(*start))
2093 start++;
2094 if (*start != '/')
2095 continue;
2096 nl = Ustrchr(start, '\n');
2097 if (nl)
2098 *nl = 0;
2099 trusted_configs[nr_configs++] = string_copy(start);
2100 if (nr_configs == 32)
2101 break;
2102 }
2103 fclose(trust_list);
2104
2105 if (nr_configs)
2106 {
2107 int sep = 0;
2108 uschar *list = argrest;
2109 uschar *filename;
2110 while (trusted_config && (filename = string_nextinlist(&list,
2111 &sep, big_buffer, big_buffer_size)) != NULL)
2112 {
2113 for (i=0; i < nr_configs; i++)
2114 {
2115 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2116 break;
2117 }
2118 if (i == nr_configs)
2119 {
2120 trusted_config = FALSE;
2121 break;
2122 }
2123 }
2124 store_reset(reset_point);
2125 }
2126 else
2127 {
2128 /* No valid prefixes found in trust_list file. */
2129 trusted_config = FALSE;
2130 }
2131 }
2132 }
2133 else
2134 {
2135 /* Could not open trust_list file. */
2136 trusted_config = FALSE;
2137 }
2138 }
2139 #else
2140 /* Not root; don't trust config */
2141 trusted_config = FALSE;
2142 #endif
2143 }
2144
2145 config_main_filelist = argrest;
2146 config_changed = TRUE;
2147 }
2148 break;
2149
2150
2151 /* -D: set up a macro definition */
2152
2153 case 'D':
2154 #ifdef DISABLE_D_OPTION
2155 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2156 exit(EXIT_FAILURE);
2157 #else
2158 {
2159 int ptr = 0;
2160 macro_item *mlast = NULL;
2161 macro_item *m;
2162 uschar name[24];
2163 uschar *s = argrest;
2164
2165 while (isspace(*s)) s++;
2166
2167 if (*s < 'A' || *s > 'Z')
2168 {
2169 fprintf(stderr, "exim: macro name set by -D must start with "
2170 "an upper case letter\n");
2171 exit(EXIT_FAILURE);
2172 }
2173
2174 while (isalnum(*s) || *s == '_')
2175 {
2176 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2177 s++;
2178 }
2179 name[ptr] = 0;
2180 if (ptr == 0) { badarg = TRUE; break; }
2181 while (isspace(*s)) s++;
2182 if (*s != 0)
2183 {
2184 if (*s++ != '=') { badarg = TRUE; break; }
2185 while (isspace(*s)) s++;
2186 }
2187
2188 for (m = macros; m != NULL; m = m->next)
2189 {
2190 if (Ustrcmp(m->name, name) == 0)
2191 {
2192 fprintf(stderr, "exim: duplicated -D in command line\n");
2193 exit(EXIT_FAILURE);
2194 }
2195 mlast = m;
2196 }
2197
2198 m = store_get(sizeof(macro_item) + Ustrlen(name));
2199 m->next = NULL;
2200 m->command_line = TRUE;
2201 if (mlast == NULL) macros = m; else mlast->next = m;
2202 Ustrcpy(m->name, name);
2203 m->replacement = string_copy(s);
2204
2205 if (clmacro_count >= MAX_CLMACROS)
2206 {
2207 fprintf(stderr, "exim: too many -D options on command line\n");
2208 exit(EXIT_FAILURE);
2209 }
2210 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2211 m->replacement);
2212 }
2213 #endif
2214 break;
2215
2216 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2217 The latter is now a no-op, retained for compatibility only. If -dd is used,
2218 debugging subprocesses of the daemon is disabled. */
2219
2220 case 'd':
2221 if (Ustrcmp(argrest, "ropcr") == 0)
2222 {
2223 /* drop_cr = TRUE; */
2224 }
2225
2226 /* Use an intermediate variable so that we don't set debugging while
2227 decoding the debugging bits. */
2228
2229 else
2230 {
2231 unsigned int selector = D_default;
2232 debug_selector = 0;
2233 debug_file = NULL;
2234 if (*argrest == 'd')
2235 {
2236 debug_daemon = TRUE;
2237 argrest++;
2238 }
2239 if (*argrest != 0)
2240 decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
2241 debug_options_count, US"debug", 0);
2242 debug_selector = selector;
2243 }
2244 break;
2245
2246
2247 /* -E: This is a local error message. This option is not intended for
2248 external use at all, but is not restricted to trusted callers because it
2249 does no harm (just suppresses certain error messages) and if Exim is run
2250 not setuid root it won't always be trusted when it generates error
2251 messages using this option. If there is a message id following -E, point
2252 message_reference at it, for logging. */
2253
2254 case 'E':
2255 local_error_message = TRUE;
2256 if (mac_ismsgid(argrest)) message_reference = argrest;
2257 break;
2258
2259
2260 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2261 option, so it looks as if historically the -oex options are also callable
2262 without the leading -o. So we have to accept them. Before the switch,
2263 anything starting -oe has been converted to -e. Exim does not support all
2264 of the sendmail error options. */
2265
2266 case 'e':
2267 if (Ustrcmp(argrest, "e") == 0)
2268 {
2269 arg_error_handling = ERRORS_SENDER;
2270 errors_sender_rc = EXIT_SUCCESS;
2271 }
2272 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2273 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2274 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2275 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2276 else badarg = TRUE;
2277 break;
2278
2279
2280 /* -F: Set sender's full name, used instead of the gecos entry from
2281 the password file. Since users can usually alter their gecos entries,
2282 there's no security involved in using this instead. The data can follow
2283 the -F or be in the next argument. */
2284
2285 case 'F':
2286 if (*argrest == 0)
2287 {
2288 if(++i < argc) argrest = argv[i]; else
2289 { badarg = TRUE; break; }
2290 }
2291 originator_name = argrest;
2292 sender_name_forced = TRUE;
2293 break;
2294
2295
2296 /* -f: Set sender's address - this value is only actually used if Exim is
2297 run by a trusted user, or if untrusted_set_sender is set and matches the
2298 address, except that the null address can always be set by any user. The
2299 test for this happens later, when the value given here is ignored when not
2300 permitted. For an untrusted user, the actual sender is still put in Sender:
2301 if it doesn't match the From: header (unless no_local_from_check is set).
2302 The data can follow the -f or be in the next argument. The -r switch is an
2303 obsolete form of -f but since there appear to be programs out there that
2304 use anything that sendmail has ever supported, better accept it - the
2305 synonymizing is done before the switch above.
2306
2307 At this stage, we must allow domain literal addresses, because we don't
2308 know what the setting of allow_domain_literals is yet. Ditto for trailing
2309 dots and strip_trailing_dot. */
2310
2311 case 'f':
2312 {
2313 int start, end;
2314 uschar *errmess;
2315 if (*argrest == 0)
2316 {
2317 if (i+1 < argc) argrest = argv[++i]; else
2318 { badarg = TRUE; break; }
2319 }
2320 if (*argrest == 0)
2321 {
2322 sender_address = string_sprintf(""); /* Ensure writeable memory */
2323 }
2324 else
2325 {
2326 uschar *temp = argrest + Ustrlen(argrest) - 1;
2327 while (temp >= argrest && isspace(*temp)) temp--;
2328 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2329 allow_domain_literals = TRUE;
2330 strip_trailing_dot = TRUE;
2331 sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2332 &sender_address_domain, TRUE);
2333 allow_domain_literals = FALSE;
2334 strip_trailing_dot = FALSE;
2335 if (sender_address == NULL)
2336 {
2337 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2338 return EXIT_FAILURE;
2339 }
2340 }
2341 sender_address_forced = TRUE;
2342 }
2343 break;
2344
2345 /* This is some Sendmail thing which can be ignored */
2346
2347 case 'G':
2348 break;
2349
2350 /* -h: Set the hop count for an incoming message. Exim does not currently
2351 support this; it always computes it by counting the Received: headers.
2352 To put it in will require a change to the spool header file format. */
2353
2354 case 'h':
2355 if (*argrest == 0)
2356 {
2357 if(++i < argc) argrest = argv[i]; else
2358 { badarg = TRUE; break; }
2359 }
2360 if (!isdigit(*argrest)) badarg = TRUE;
2361 break;
2362
2363
2364 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2365 not to be documented for sendmail but mailx (at least) uses it) */
2366
2367 case 'i':
2368 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2369 break;
2370
2371
2372 case 'M':
2373 receiving_message = FALSE;
2374
2375 /* -MC: continue delivery of another message via an existing open
2376 file descriptor. This option is used for an internal call by the
2377 smtp transport when there is a pending message waiting to go to an
2378 address to which it has got a connection. Five subsequent arguments are
2379 required: transport name, host name, IP address, sequence number, and
2380 message_id. Transports may decline to create new processes if the sequence
2381 number gets too big. The channel is stdin. This (-MC) must be the last
2382 argument. There's a subsequent check that the real-uid is privileged.
2383
2384 If we are running in the test harness. delay for a bit, to let the process
2385 that set this one up complete. This makes for repeatability of the logging,
2386 etc. output. */
2387
2388 if (Ustrcmp(argrest, "C") == 0)
2389 {
2390 union sockaddr_46 interface_sock;
2391 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2392
2393 if (argc != i + 6)
2394 {
2395 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2396 return EXIT_FAILURE;
2397 }
2398
2399 if (msg_action_arg >= 0)
2400 {
2401 fprintf(stderr, "exim: incompatible arguments\n");
2402 return EXIT_FAILURE;
2403 }
2404
2405 continue_transport = argv[++i];
2406 continue_hostname = argv[++i];
2407 continue_host_address = argv[++i];
2408 continue_sequence = Uatoi(argv[++i]);
2409 msg_action = MSG_DELIVER;
2410 msg_action_arg = ++i;
2411 forced_delivery = TRUE;
2412 queue_run_pid = passed_qr_pid;
2413 queue_run_pipe = passed_qr_pipe;
2414
2415 if (!mac_ismsgid(argv[i]))
2416 {
2417 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2418 argv[i]);
2419 return EXIT_FAILURE;
2420 }
2421
2422 /* Set up $sending_ip_address and $sending_port */
2423
2424 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2425 &size) == 0)
2426 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2427 &sending_port);
2428 else
2429 {
2430 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2431 strerror(errno));
2432 return EXIT_FAILURE;
2433 }
2434
2435 if (running_in_test_harness) millisleep(500);
2436 break;
2437 }
2438
2439 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2440 precedes -MC (see above). The flag indicates that the host to which
2441 Exim is connected has accepted an AUTH sequence. */
2442
2443 else if (Ustrcmp(argrest, "CA") == 0)
2444 {
2445 smtp_authenticated = TRUE;
2446 break;
2447 }
2448
2449 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2450 it preceded -MC (see above) */
2451
2452 else if (Ustrcmp(argrest, "CP") == 0)
2453 {
2454 smtp_use_pipelining = TRUE;
2455 break;
2456 }
2457
2458 /* -MCQ: pass on the pid of the queue-running process that started
2459 this chain of deliveries and the fd of its synchronizing pipe; this
2460 is useful only when it precedes -MC (see above) */
2461
2462 else if (Ustrcmp(argrest, "CQ") == 0)
2463 {
2464 if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2465 else badarg = TRUE;
2466 if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2467 else badarg = TRUE;
2468 break;
2469 }
2470
2471 /* -MCS: set the smtp_use_size flag; this is useful only when it
2472 precedes -MC (see above) */
2473
2474 else if (Ustrcmp(argrest, "CS") == 0)
2475 {
2476 smtp_use_size = TRUE;
2477 break;
2478 }
2479
2480 /* -MCT: set the tls_offered flag; this is useful only when it
2481 precedes -MC (see above). The flag indicates that the host to which
2482 Exim is connected has offered TLS support. */
2483
2484 #ifdef SUPPORT_TLS
2485 else if (Ustrcmp(argrest, "CT") == 0)
2486 {
2487 tls_offered = TRUE;
2488 break;
2489 }
2490 #endif
2491
2492 /* -M[x]: various operations on the following list of message ids:
2493 -M deliver the messages, ignoring next retry times and thawing
2494 -Mc deliver the messages, checking next retry times, no thawing
2495 -Mf freeze the messages
2496 -Mg give up on the messages
2497 -Mt thaw the messages
2498 -Mrm remove the messages
2499 In the above cases, this must be the last option. There are also the
2500 following options which are followed by a single message id, and which
2501 act on that message. Some of them use the "recipient" addresses as well.
2502 -Mar add recipient(s)
2503 -Mmad mark all recipients delivered
2504 -Mmd mark recipients(s) delivered
2505 -Mes edit sender
2506 -Mset load a message for use with -be
2507 -Mvb show body
2508 -Mvc show copy (of whole message, in RFC 2822 format)
2509 -Mvh show header
2510 -Mvl show log
2511 */
2512
2513 else if (*argrest == 0)
2514 {
2515 msg_action = MSG_DELIVER;
2516 forced_delivery = deliver_force_thaw = TRUE;
2517 }
2518 else if (Ustrcmp(argrest, "ar") == 0)
2519 {
2520 msg_action = MSG_ADD_RECIPIENT;
2521 one_msg_action = TRUE;
2522 }
2523 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2524 else if (Ustrcmp(argrest, "es") == 0)
2525 {
2526 msg_action = MSG_EDIT_SENDER;
2527 one_msg_action = TRUE;
2528 }
2529 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2530 else if (Ustrcmp(argrest, "g") == 0)
2531 {
2532 msg_action = MSG_DELIVER;
2533 deliver_give_up = TRUE;
2534 }
2535 else if (Ustrcmp(argrest, "mad") == 0)
2536 {
2537 msg_action = MSG_MARK_ALL_DELIVERED;
2538 }
2539 else if (Ustrcmp(argrest, "md") == 0)
2540 {
2541 msg_action = MSG_MARK_DELIVERED;
2542 one_msg_action = TRUE;
2543 }
2544 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2545 else if (Ustrcmp(argrest, "set") == 0)
2546 {
2547 msg_action = MSG_LOAD;
2548 one_msg_action = TRUE;
2549 }
2550 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2551 else if (Ustrcmp(argrest, "vb") == 0)
2552 {
2553 msg_action = MSG_SHOW_BODY;
2554 one_msg_action = TRUE;
2555 }
2556 else if (Ustrcmp(argrest, "vc") == 0)
2557 {
2558 msg_action = MSG_SHOW_COPY;
2559 one_msg_action = TRUE;
2560 }
2561 else if (Ustrcmp(argrest, "vh") == 0)
2562 {
2563 msg_action = MSG_SHOW_HEADER;
2564 one_msg_action = TRUE;
2565 }
2566 else if (Ustrcmp(argrest, "vl") == 0)
2567 {
2568 msg_action = MSG_SHOW_LOG;
2569 one_msg_action = TRUE;
2570 }
2571 else { badarg = TRUE; break; }
2572
2573 /* All the -Mxx options require at least one message id. */
2574
2575 msg_action_arg = i + 1;
2576 if (msg_action_arg >= argc)
2577 {
2578 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2579 return EXIT_FAILURE;
2580 }
2581
2582 /* Some require only message ids to follow */
2583
2584 if (!one_msg_action)
2585 {
2586 int j;
2587 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2588 {
2589 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2590 argv[j], arg);
2591 return EXIT_FAILURE;
2592 }
2593 goto END_ARG; /* Remaining args are ids */
2594 }
2595
2596 /* Others require only one message id, possibly followed by addresses,
2597 which will be handled as normal arguments. */
2598
2599 else
2600 {
2601 if (!mac_ismsgid(argv[msg_action_arg]))
2602 {
2603 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2604 argv[msg_action_arg], arg);
2605 return EXIT_FAILURE;
2606 }
2607 i++;
2608 }
2609 break;
2610
2611
2612 /* Some programs seem to call the -om option without the leading o;
2613 for sendmail it askes for "me too". Exim always does this. */
2614
2615 case 'm':
2616 if (*argrest != 0) badarg = TRUE;
2617 break;
2618
2619
2620 /* -N: don't do delivery - a debugging option that stops transports doing
2621 their thing. It implies debugging at the D_v level. */
2622
2623 case 'N':
2624 if (*argrest == 0)
2625 {
2626 dont_deliver = TRUE;
2627 debug_selector |= D_v;
2628 debug_file = stderr;
2629 }
2630 else badarg = TRUE;
2631 break;
2632
2633
2634 /* -n: This means "don't alias" in sendmail, apparently. Just ignore
2635 it. */
2636
2637 case 'n':
2638 break;
2639
2640 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2641 option to the specified value. This form uses long names. We need to handle
2642 -O option=value and -Ooption=value. */
2643
2644 case 'O':
2645 if (*argrest == 0)
2646 {
2647 if (++i >= argc)
2648 {
2649 fprintf(stderr, "exim: string expected after -O\n");
2650 exit(EXIT_FAILURE);
2651 }
2652 }
2653 break;
2654
2655 case 'o':
2656
2657 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2658 file" option). */
2659
2660 if (*argrest == 'A')
2661 {
2662 alias_arg = argrest + 1;
2663 if (alias_arg[0] == 0)
2664 {
2665 if (i+1 < argc) alias_arg = argv[++i]; else
2666 {
2667 fprintf(stderr, "exim: string expected after -oA\n");
2668 exit(EXIT_FAILURE);
2669 }
2670 }
2671 }
2672
2673 /* -oB: Set a connection message max value for remote deliveries */
2674
2675 else if (*argrest == 'B')
2676 {
2677 uschar *p = argrest + 1;
2678 if (p[0] == 0)
2679 {
2680 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2681 {
2682 connection_max_messages = 1;
2683 p = NULL;
2684 }
2685 }
2686
2687 if (p != NULL)
2688 {
2689 if (!isdigit(*p))
2690 {
2691 fprintf(stderr, "exim: number expected after -oB\n");
2692 exit(EXIT_FAILURE);
2693 }
2694 connection_max_messages = Uatoi(p);
2695 }
2696 }
2697
2698 /* -odb: background delivery */
2699
2700 else if (Ustrcmp(argrest, "db") == 0)
2701 {
2702 synchronous_delivery = FALSE;
2703 arg_queue_only = FALSE;
2704 queue_only_set = TRUE;
2705 }
2706
2707 /* -odf: foreground delivery (smail-compatible option); same effect as
2708 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2709 */
2710
2711 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2712 {
2713 synchronous_delivery = TRUE;
2714 arg_queue_only = FALSE;
2715 queue_only_set = TRUE;
2716 }
2717
2718 /* -odq: queue only */
2719
2720 else if (Ustrcmp(argrest, "dq") == 0)
2721 {
2722 synchronous_delivery = FALSE;
2723 arg_queue_only = TRUE;
2724 queue_only_set = TRUE;
2725 }
2726
2727 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2728 but no remote delivery */
2729
2730 else if (Ustrcmp(argrest, "dqs") == 0)
2731 {
2732 queue_smtp = TRUE;
2733 arg_queue_only = FALSE;
2734 queue_only_set = TRUE;
2735 }
2736
2737 /* -oex: Sendmail error flags. As these are also accepted without the
2738 leading -o prefix, for compatibility with vacation and other callers,
2739 they are handled with -e above. */
2740
2741 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2742 -oitrue: Another sendmail syntax for the same */
2743
2744 else if (Ustrcmp(argrest, "i") == 0 ||
2745 Ustrcmp(argrest, "itrue") == 0)
2746 dot_ends = FALSE;
2747
2748 /* -oM*: Set various characteristics for an incoming message; actually
2749 acted on for trusted callers only. */
2750
2751 else if (*argrest == 'M')
2752 {
2753 if (i+1 >= argc)
2754 {
2755 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2756 exit(EXIT_FAILURE);
2757 }
2758
2759 /* -oMa: Set sender host address */
2760
2761 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2762
2763 /* -oMaa: Set authenticator name */
2764
2765 else if (Ustrcmp(argrest, "Maa") == 0)
2766 sender_host_authenticated = argv[++i];
2767
2768 /* -oMas: setting authenticated sender */
2769
2770 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2771
2772 /* -oMai: setting authenticated id */
2773
2774 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2775
2776 /* -oMi: Set incoming interface address */
2777
2778 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2779
2780 /* -oMr: Received protocol */
2781
2782 else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2783
2784 /* -oMs: Set sender host name */
2785
2786 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2787
2788 /* -oMt: Set sender ident */
2789
2790 else if (Ustrcmp(argrest, "Mt") == 0)
2791 {
2792 sender_ident_set = TRUE;
2793 sender_ident = argv[++i];
2794 }
2795
2796 /* Else a bad argument */
2797
2798 else
2799 {
2800 badarg = TRUE;
2801 break;
2802 }
2803 }
2804
2805 /* -om: Me-too flag for aliases. Exim always does this. Some programs
2806 seem to call this as -m (undocumented), so that is also accepted (see
2807 above). */
2808
2809 else if (Ustrcmp(argrest, "m") == 0) {}
2810
2811 /* -oo: An ancient flag for old-style addresses which still seems to
2812 crop up in some calls (see in SCO). */
2813
2814 else if (Ustrcmp(argrest, "o") == 0) {}
2815
2816 /* -oP <name>: set pid file path for daemon */
2817
2818 else if (Ustrcmp(argrest, "P") == 0)
2819 override_pid_file_path = argv[++i];
2820
2821 /* -or <n>: set timeout for non-SMTP acceptance
2822 -os <n>: set timeout for SMTP acceptance */
2823
2824 else if (*argrest == 'r' || *argrest == 's')
2825 {
2826 int *tp = (*argrest == 'r')?
2827 &arg_receive_timeout : &arg_smtp_receive_timeout;
2828 if (argrest[1] == 0)
2829 {
2830 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2831 }
2832 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2833 if (*tp < 0)
2834 {
2835 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2836 exit(EXIT_FAILURE);
2837 }
2838 }
2839
2840 /* -oX <list>: Override local_interfaces and/or default daemon ports */
2841
2842 else if (Ustrcmp(argrest, "X") == 0)
2843 override_local_interfaces = argv[++i];
2844
2845 /* Unknown -o argument */
2846
2847 else badarg = TRUE;
2848 break;
2849
2850
2851 /* -ps: force Perl startup; -pd force delayed Perl startup */
2852
2853 case 'p':
2854 #ifdef EXIM_PERL
2855 if (*argrest == 's' && argrest[1] == 0)
2856 {
2857 perl_start_option = 1;
2858 break;
2859 }
2860 if (*argrest == 'd' && argrest[1] == 0)
2861 {
2862 perl_start_option = -1;
2863 break;
2864 }
2865 #endif
2866
2867 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
2868 which sets the host protocol and host name */
2869
2870 if (*argrest == 0)
2871 {
2872 if (i+1 < argc) argrest = argv[++i]; else
2873 { badarg = TRUE; break; }
2874 }
2875
2876 if (*argrest != 0)
2877 {
2878 uschar *hn = Ustrchr(argrest, ':');
2879 if (hn == NULL)
2880 {
2881 received_protocol = argrest;
2882 }
2883 else
2884 {
2885 received_protocol = string_copyn(argrest, hn - argrest);
2886 sender_host_name = hn + 1;
2887 }
2888 }
2889 break;
2890
2891
2892 case 'q':
2893 receiving_message = FALSE;
2894 if (queue_interval >= 0)
2895 {
2896 fprintf(stderr, "exim: -q specified more than once\n");
2897 exit(EXIT_FAILURE);
2898 }
2899
2900 /* -qq...: Do queue runs in a 2-stage manner */
2901
2902 if (*argrest == 'q')
2903 {
2904 queue_2stage = TRUE;
2905 argrest++;
2906 }
2907
2908 /* -qi...: Do only first (initial) deliveries */
2909
2910 if (*argrest == 'i')
2911 {
2912 queue_run_first_delivery = TRUE;
2913 argrest++;
2914 }
2915
2916 /* -qf...: Run the queue, forcing deliveries
2917 -qff..: Ditto, forcing thawing as well */
2918
2919 if (*argrest == 'f')
2920 {
2921 queue_run_force = TRUE;
2922 if (*(++argrest) == 'f')
2923 {
2924 deliver_force_thaw = TRUE;
2925 argrest++;
2926 }
2927 }
2928
2929 /* -q[f][f]l...: Run the queue only on local deliveries */
2930
2931 if (*argrest == 'l')
2932 {
2933 queue_run_local = TRUE;
2934 argrest++;
2935 }
2936
2937 /* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
2938 optionally starting from a given message id. */
2939
2940 if (*argrest == 0 &&
2941 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
2942 {
2943 queue_interval = 0;
2944 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2945 start_queue_run_id = argv[++i];
2946 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2947 stop_queue_run_id = argv[++i];
2948 }
2949
2950 /* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
2951 optionally local only. */
2952
2953 else
2954 {
2955 if (*argrest != 0)
2956 queue_interval = readconf_readtime(argrest, 0, FALSE);
2957 else
2958 queue_interval = readconf_readtime(argv[++i], 0, FALSE);
2959 if (queue_interval <= 0)
2960 {
2961 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2962 exit(EXIT_FAILURE);
2963 }
2964 }
2965 break;
2966
2967
2968 case 'R': /* Synonymous with -qR... */
2969 receiving_message = FALSE;
2970
2971 /* -Rf: As -R (below) but force all deliveries,
2972 -Rff: Ditto, but also thaw all frozen messages,
2973 -Rr: String is regex
2974 -Rrf: Regex and force
2975 -Rrff: Regex and force and thaw
2976
2977 in all cases provided there are no further characters in this
2978 argument. */
2979
2980 if (*argrest != 0)
2981 {
2982 int i;
2983 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
2984 {
2985 if (Ustrcmp(argrest, rsopts[i]) == 0)
2986 {
2987 if (i != 2) queue_run_force = TRUE;
2988 if (i >= 2) deliver_selectstring_regex = TRUE;
2989 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
2990 argrest += Ustrlen(rsopts[i]);
2991 }
2992 }
2993 }
2994
2995 /* -R: Set string to match in addresses for forced queue run to
2996 pick out particular messages. */
2997
2998 if (*argrest == 0)
2999 {
3000 if (i+1 < argc) deliver_selectstring = argv[++i]; else
3001 {
3002 fprintf(stderr, "exim: string expected after -R\n");
3003 exit(EXIT_FAILURE);
3004 }
3005 }
3006 else deliver_selectstring = argrest;
3007 break;
3008
3009
3010 /* -r: an obsolete synonym for -f (see above) */
3011
3012
3013 /* -S: Like -R but works on sender. */
3014
3015 case 'S': /* Synonymous with -qS... */
3016 receiving_message = FALSE;
3017
3018 /* -Sf: As -S (below) but force all deliveries,
3019 -Sff: Ditto, but also thaw all frozen messages,
3020 -Sr: String is regex
3021 -Srf: Regex and force
3022 -Srff: Regex and force and thaw
3023
3024 in all cases provided there are no further characters in this
3025 argument. */
3026
3027 if (*argrest != 0)
3028 {
3029 int i;
3030 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3031 {
3032 if (Ustrcmp(argrest, rsopts[i]) == 0)
3033 {
3034 if (i != 2) queue_run_force = TRUE;
3035 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3036 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3037 argrest += Ustrlen(rsopts[i]);
3038 }
3039 }
3040 }
3041
3042 /* -S: Set string to match in addresses for forced queue run to
3043 pick out particular messages. */
3044
3045 if (*argrest == 0)
3046 {
3047 if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
3048 {
3049 fprintf(stderr, "exim: string expected after -S\n");
3050 exit(EXIT_FAILURE);
3051 }
3052 }
3053 else deliver_selectstring_sender = argrest;
3054 break;
3055
3056 /* -Tqt is an option that is exclusively for use by the testing suite.
3057 It is not recognized in other circumstances. It allows for the setting up
3058 of explicit "queue times" so that various warning/retry things can be
3059 tested. Otherwise variability of clock ticks etc. cause problems. */
3060
3061 case 'T':
3062 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3063 fudged_queue_times = argv[++i];
3064 else badarg = TRUE;
3065 break;
3066
3067
3068 /* -t: Set flag to extract recipients from body of message. */
3069
3070 case 't':
3071 if (*argrest == 0) extract_recipients = TRUE;
3072
3073 /* -ti: Set flag to extract recipients from body of message, and also
3074 specify that dot does not end the message. */
3075
3076 else if (Ustrcmp(argrest, "i") == 0)
3077 {
3078 extract_recipients = TRUE;
3079 dot_ends = FALSE;
3080 }
3081
3082 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3083
3084 #ifdef SUPPORT_TLS
3085 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
3086 #endif
3087
3088 else badarg = TRUE;
3089 break;
3090
3091
3092 /* -U: This means "initial user submission" in sendmail, apparently. The
3093 doc claims that in future sendmail may refuse syntactically invalid
3094 messages instead of fixing them. For the moment, we just ignore it. */
3095
3096 case 'U':
3097 break;
3098
3099
3100 /* -v: verify things - this is a very low-level debugging */
3101
3102 case 'v':
3103 if (*argrest == 0)
3104 {
3105 debug_selector |= D_v;
3106 debug_file = stderr;
3107 }
3108 else badarg = TRUE;
3109 break;
3110
3111
3112 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3113
3114 The -x flag tells the sendmail command that mail from a local
3115 mail program has National Language Support (NLS) extended characters
3116 in the body of the mail item. The sendmail command can send mail with
3117 extended NLS characters across networks that normally corrupts these
3118 8-bit characters.
3119
3120 As Exim is 8-bit clean, it just ignores this flag. */
3121
3122 case 'x':
3123 if (*argrest != 0) badarg = TRUE;
3124 break;
3125
3126 /* All other initial characters are errors */
3127
3128 default:
3129 badarg = TRUE;
3130 break;
3131 } /* End of high-level switch statement */
3132
3133 /* Failed to recognize the option, or syntax error */
3134
3135 if (badarg)
3136 {
3137 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3138 "option %s\n", arg);
3139 exit(EXIT_FAILURE);
3140 }
3141 }
3142
3143
3144 /* If -R or -S have been specified without -q, assume a single queue run. */
3145
3146 if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
3147 queue_interval < 0) queue_interval = 0;
3148
3149
3150 END_ARG:
3151 /* If usage_wanted is set we call the usage function - which never returns */
3152 if (usage_wanted) exim_usage(called_as);
3153
3154 /* Arguments have been processed. Check for incompatibilities. */
3155 if ((
3156 (smtp_input || extract_recipients || recipients_arg < argc) &&
3157 (daemon_listen || queue_interval >= 0 || bi_option ||
3158 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3159 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3160 ) ||
3161 (
3162 msg_action_arg > 0 &&
3163 (daemon_listen || queue_interval >= 0 || list_options ||
3164 (checking && msg_action != MSG_LOAD) ||
3165 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3166 ) ||
3167 (
3168 (daemon_listen || queue_interval >= 0) &&
3169 (sender_address != NULL || list_options || list_queue || checking ||
3170 bi_option)
3171 ) ||
3172 (
3173 daemon_listen && queue_interval == 0
3174 ) ||
3175 (
3176 list_options &&
3177 (checking || smtp_input || extract_recipients ||
3178 filter_test != FTEST_NONE || bi_option)
3179 ) ||
3180 (
3181 verify_address_mode &&
3182 (address_test_mode || smtp_input || extract_recipients ||
3183 filter_test != FTEST_NONE || bi_option)
3184 ) ||
3185 (
3186 address_test_mode && (smtp_input || extract_recipients ||
3187 filter_test != FTEST_NONE || bi_option)
3188 ) ||
3189 (
3190 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3191 extract_recipients)
3192 ) ||
3193 (
3194 deliver_selectstring != NULL && queue_interval < 0
3195 ) ||
3196 (
3197 msg_action == MSG_LOAD &&
3198 (!expansion_test || expansion_test_message != NULL)
3199 )
3200 )
3201 {
3202 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3203 exit(EXIT_FAILURE);
3204 }
3205
3206 /* If debugging is set up, set the file and the file descriptor to pass on to
3207 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3208 to run in the foreground. */
3209
3210 if (debug_selector != 0)
3211 {
3212 debug_file = stderr;
3213 debug_fd = fileno(debug_file);
3214 background_daemon = FALSE;
3215 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3216 if (debug_selector != D_v) /* -v only doesn't show this */
3217 {
3218 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3219 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3220 debug_selector);
3221 if (!version_printed)
3222 show_whats_supported(stderr);
3223 }
3224 }
3225
3226 /* When started with root privilege, ensure that the limits on the number of
3227 open files and the number of processes (where that is accessible) are
3228 sufficiently large, or are unset, in case Exim has been called from an
3229 environment where the limits are screwed down. Not all OS have the ability to
3230 change some of these limits. */
3231
3232 if (unprivileged)
3233 {
3234 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3235 }
3236 else
3237 {
3238 struct rlimit rlp;
3239
3240 #ifdef RLIMIT_NOFILE
3241 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3242 {
3243 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3244 strerror(errno));
3245 rlp.rlim_cur = rlp.rlim_max = 0;
3246 }
3247
3248 /* I originally chose 1000 as a nice big number that was unlikely to
3249 be exceeded. It turns out that some older OS have a fixed upper limit of
3250 256. */
3251
3252 if (rlp.rlim_cur < 1000)
3253 {
3254 rlp.rlim_cur = rlp.rlim_max = 1000;
3255 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3256 {
3257 rlp.rlim_cur = rlp.rlim_max = 256;
3258 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3259 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3260 strerror(errno));
3261 }
3262 }
3263 #endif
3264
3265 #ifdef RLIMIT_NPROC
3266 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3267 {
3268 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3269 strerror(errno));
3270 rlp.rlim_cur = rlp.rlim_max = 0;
3271 }
3272
3273 #ifdef RLIM_INFINITY
3274 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3275 {
3276 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3277 #else
3278 if (rlp.rlim_cur < 1000)
3279 {
3280 rlp.rlim_cur = rlp.rlim_max = 1000;
3281 #endif
3282 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3283 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3284 strerror(errno));
3285 }
3286 #endif
3287 }
3288
3289 /* Exim is normally entered as root (but some special configurations are
3290 possible that don't do this). However, it always spins off sub-processes that
3291 set their uid and gid as required for local delivery. We don't want to pass on
3292 any extra groups that root may belong to, so we want to get rid of them all at
3293 this point.
3294
3295 We need to obey setgroups() at this stage, before possibly giving up root
3296 privilege for a changed configuration file, but later on we might need to
3297 check on the additional groups for the admin user privilege - can't do that
3298 till after reading the config, which might specify the exim gid. Therefore,
3299 save the group list here first. */
3300
3301 group_count = getgroups(NGROUPS_MAX, group_list);
3302 if (group_count < 0)
3303 {
3304 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3305 exit(EXIT_FAILURE);
3306 }
3307
3308 /* There is a fundamental difference in some BSD systems in the matter of
3309 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3310 known not to be different. On the "different" systems there is a single group
3311 list, and the first entry in it is the current group. On all other versions of
3312 Unix there is a supplementary group list, which is in *addition* to the current
3313 group. Consequently, to get rid of all extraneous groups on a "standard" system
3314 you pass over 0 groups to setgroups(), while on a "different" system you pass
3315 over a single group - the current group, which is always the first group in the
3316 list. Calling setgroups() with zero groups on a "different" system results in
3317 an error return. The following code should cope with both types of system.
3318
3319 However, if this process isn't running as root, setgroups() can't be used
3320 since you have to be root to run it, even if throwing away groups. Not being
3321 root here happens only in some unusual configurations. We just ignore the
3322 error. */
3323
3324 if (setgroups(0, NULL) != 0)
3325 {
3326 if (setgroups(1, group_list) != 0 && !unprivileged)
3327 {
3328 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3329 exit(EXIT_FAILURE);
3330 }
3331 }
3332
3333 /* If the configuration file name has been altered by an argument on the
3334 command line (either a new file name or a macro definition) and the caller is
3335 not root, or if this is a filter testing run, remove any setuid privilege the
3336 program has and run as the underlying user.
3337
3338 The exim user is locked out of this, which severely restricts the use of -C
3339 for some purposes.
3340
3341 Otherwise, set the real ids to the effective values (should be root unless run
3342 from inetd, which it can either be root or the exim uid, if one is configured).
3343
3344 There is a private mechanism for bypassing some of this, in order to make it
3345 possible to test lots of configurations automatically, without having either to
3346 recompile each time, or to patch in an actual configuration file name and other
3347 values (such as the path name). If running in the test harness, pretend that
3348 configuration file changes and macro definitions haven't happened. */
3349
3350 if (( /* EITHER */
3351 (!trusted_config || /* Config changed, or */
3352 !macros_trusted()) && /* impermissible macros and */
3353 real_uid != root_uid && /* Not root, and */
3354 !running_in_test_harness /* Not fudged */
3355 ) || /* OR */
3356 expansion_test /* expansion testing */
3357 || /* OR */
3358 filter_test != FTEST_NONE) /* Filter testing */
3359 {
3360 setgroups(group_count, group_list);
3361 exim_setugid(real_uid, real_gid, FALSE,
3362 US"-C, -D, -be or -bf forces real uid");
3363 removed_privilege = TRUE;
3364
3365 /* In the normal case when Exim is called like this, stderr is available
3366 and should be used for any logging information because attempts to write
3367 to the log will usually fail. To arrange this, we unset really_exim. However,
3368 if no stderr is available there is no point - we might as well have a go
3369 at the log (if it fails, syslog will be written).
3370
3371 Note that if the invoker is Exim, the logs remain available. Messing with
3372 this causes unlogged successful deliveries. */
3373
3374 if ((log_stderr != NULL) && (real_uid != exim_uid))
3375 really_exim = FALSE;
3376 }
3377
3378 /* Privilege is to be retained for the moment. It may be dropped later,
3379 depending on the job that this Exim process has been asked to do. For now, set
3380 the real uid to the effective so that subsequent re-execs of Exim are done by a
3381 privileged user. */
3382
3383 else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3384
3385 /* If testing a filter, open the file(s) now, before wasting time doing other
3386 setups and reading the message. */
3387
3388 if ((filter_test & FTEST_SYSTEM) != 0)
3389 {
3390 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3391 if (filter_sfd < 0)
3392 {
3393 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3394 strerror(errno));
3395 return EXIT_FAILURE;
3396 }
3397 }
3398
3399 if ((filter_test & FTEST_USER) != 0)
3400 {
3401 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3402 if (filter_ufd < 0)
3403 {
3404 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
3405 strerror(errno));
3406 return EXIT_FAILURE;
3407 }
3408 }
3409
3410 /* Read the main runtime configuration data; this gives up if there
3411 is a failure. It leaves the configuration file open so that the subsequent
3412 configuration data for delivery can be read if needed. */
3413
3414 readconf_main();
3415
3416 /* Handle the decoding of logging options. */
3417
3418 decode_bits(&log_write_selector, &log_extra_selector, 0, 0,
3419 log_selector_string, log_options, log_options_count, US"log", 0);
3420
3421 DEBUG(D_any)
3422 {
3423 debug_printf("configuration file is %s\n", config_main_filename);
3424 debug_printf("log selectors = %08x %08x\n", log_write_selector,
3425 log_extra_selector);
3426 }
3427
3428 /* If domain literals are not allowed, check the sender address that was
3429 supplied with -f. Ditto for a stripped trailing dot. */
3430
3431 if (sender_address != NULL)
3432 {
3433 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3434 {
3435 fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3436 "allowed\n", sender_address);
3437 return EXIT_FAILURE;
3438 }
3439 if (f_end_dot && !strip_trailing_dot)
3440 {
3441 fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3442 "(trailing dot not allowed)\n", sender_address);
3443 return EXIT_FAILURE;
3444 }
3445 }
3446
3447 /* Paranoia check of maximum lengths of certain strings. There is a check
3448 on the length of the log file path in log.c, which will come into effect
3449 if there are any calls to write the log earlier than this. However, if we
3450 get this far but the string is very long, it is better to stop now than to
3451 carry on and (e.g.) receive a message and then have to collapse. The call to
3452 log_write() from here will cause the ultimate panic collapse if the complete
3453 file name exceeds the buffer length. */
3454
3455 if (Ustrlen(log_file_path) > 200)
3456 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3457 "log_file_path is longer than 200 chars: aborting");
3458
3459 if (Ustrlen(pid_file_path) > 200)
3460 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3461 "pid_file_path is longer than 200 chars: aborting");
3462
3463 if (Ustrlen(spool_directory) > 200)
3464 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3465 "spool_directory is longer than 200 chars: aborting");
3466
3467 /* Length check on the process name given to syslog for its TAG field,
3468 which is only permitted to be 32 characters or less. See RFC 3164. */
3469
3470 if (Ustrlen(syslog_processname) > 32)
3471 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3472 "syslog_processname is longer than 32 chars: aborting");
3473
3474 /* In some operating systems, the environment variable TMPDIR controls where
3475 temporary files are created; Exim doesn't use these (apart from when delivering
3476 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3477 If TMPDIR is found in the environment, reset it to the value defined in the
3478 TMPDIR macro, if this macro is defined. */
3479
3480 #ifdef TMPDIR
3481 {
3482 uschar **p;
3483 for (p = USS environ; *p != NULL; p++)
3484 {
3485 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3486 Ustrcmp(*p+7, TMPDIR) != 0)
3487 {
3488 uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3489 sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3490 *p = newp;
3491 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3492 }
3493 }
3494 }
3495 #endif
3496
3497 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3498 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3499 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3500 called by a user who has set the TZ variable. This then affects the timestamps
3501 in log files and in Received: headers, and any created Date: header lines. The
3502 required timezone is settable in the configuration file, so nothing can be done
3503 about this earlier - but hopefully nothing will normally be logged earlier than
3504 this. We have to make a new environment if TZ is wrong, but don't bother if
3505 timestamps_utc is set, because then all times are in UTC anyway. */
3506
3507 if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3508 {
3509 timestamps_utc = TRUE;
3510 }
3511 else
3512 {
3513 uschar *envtz = US getenv("TZ");
3514 if ((envtz == NULL && timezone_string != NULL) ||
3515 (envtz != NULL &&
3516 (timezone_string == NULL ||
3517 Ustrcmp(timezone_string, envtz) != 0)))
3518 {
3519 uschar **p = USS environ;
3520 uschar **new;
3521 uschar **newp;
3522 int count = 0;
3523 while (*p++ != NULL) count++;
3524 if (envtz == NULL) count++;
3525 newp = new = malloc(sizeof(uschar *) * (count + 1));
3526 for (p = USS environ; *p != NULL; p++)
3527 {
3528 if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3529 *newp++ = *p;
3530 }
3531 if (timezone_string != NULL)
3532 {
3533 *newp = malloc(Ustrlen