371bc1025c5c584292aa32bf0c6004c9f945ddbd
[exim.git] / src / src / exim.c
1 /* $Cambridge: exim/src/src/exim.c,v 1.71 2010/06/07 00:12:42 pdp Exp $ */
2
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
6
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
9
10
11 /* The main function: entry point, initialization, and high-level control.
12 Also a few functions that don't naturally fit elsewhere. */
13
14
15 #include "exim.h"
16
17 extern void init_lookup_list(void);
18
19
20
21 /*************************************************
22 * Function interface to store functions *
23 *************************************************/
24
25 /* We need some real functions to pass to the PCRE regular expression library
26 for store allocation via Exim's store manager. The normal calls are actually
27 macros that pass over location information to make tracing easier. These
28 functions just interface to the standard macro calls. A good compiler will
29 optimize out the tail recursion and so not make them too expensive. There
30 are two sets of functions; one for use when we want to retain the compiled
31 regular expression for a long time; the other for short-term use. */
32
33 static void *
34 function_store_get(size_t size)
35 {
36 return store_get((int)size);
37 }
38
39 static void
40 function_dummy_free(void *block) { block = block; }
41
42 static void *
43 function_store_malloc(size_t size)
44 {
45 return store_malloc((int)size);
46 }
47
48 static void
49 function_store_free(void *block)
50 {
51 store_free(block);
52 }
53
54
55
56
57 /*************************************************
58 * Compile regular expression and panic on fail *
59 *************************************************/
60
61 /* This function is called when failure to compile a regular expression leads
62 to a panic exit. In other cases, pcre_compile() is called directly. In many
63 cases where this function is used, the results of the compilation are to be
64 placed in long-lived store, so we temporarily reset the store management
65 functions that PCRE uses if the use_malloc flag is set.
66
67 Argument:
68 pattern the pattern to compile
69 caseless TRUE if caseless matching is required
70 use_malloc TRUE if compile into malloc store
71
72 Returns: pointer to the compiled pattern
73 */
74
75 const pcre *
76 regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
77 {
78 int offset;
79 int options = PCRE_COPT;
80 const pcre *yield;
81 const uschar *error;
82 if (use_malloc)
83 {
84 pcre_malloc = function_store_malloc;
85 pcre_free = function_store_free;
86 }
87 if (caseless) options |= PCRE_CASELESS;
88 yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
89 pcre_malloc = function_store_get;
90 pcre_free = function_dummy_free;
91 if (yield == NULL)
92 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
93 "%s at offset %d while compiling %s", error, offset, pattern);
94 return yield;
95 }
96
97
98
99
100 /*************************************************
101 * Execute regular expression and set strings *
102 *************************************************/
103
104 /* This function runs a regular expression match, and sets up the pointers to
105 the matched substrings.
106
107 Arguments:
108 re the compiled expression
109 subject the subject string
110 options additional PCRE options
111 setup if < 0 do full setup
112 if >= 0 setup from setup+1 onwards,
113 excluding the full matched string
114
115 Returns: TRUE or FALSE
116 */
117
118 BOOL
119 regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
120 {
121 int ovector[3*(EXPAND_MAXN+1)];
122 int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
123 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
124 BOOL yield = n >= 0;
125 if (n == 0) n = EXPAND_MAXN + 1;
126 if (yield)
127 {
128 int nn;
129 expand_nmax = (setup < 0)? 0 : setup + 1;
130 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
131 {
132 expand_nstring[expand_nmax] = subject + ovector[nn];
133 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
134 }
135 expand_nmax--;
136 }
137 return yield;
138 }
139
140
141
142
143 /*************************************************
144 * Handler for SIGUSR1 *
145 *************************************************/
146
147 /* SIGUSR1 causes any exim process to write to the process log details of
148 what it is currently doing. It will only be used if the OS is capable of
149 setting up a handler that causes automatic restarting of any system call
150 that is in progress at the time.
151
152 Argument: the signal number (SIGUSR1)
153 Returns: nothing
154 */
155
156 static void
157 usr1_handler(int sig)
158 {
159 sig = sig; /* Keep picky compilers happy */
160 log_write(0, LOG_PROCESS, "%s", process_info);
161 log_close_all();
162 os_restarting_signal(SIGUSR1, usr1_handler);
163 }
164
165
166
167 /*************************************************
168 * Timeout handler *
169 *************************************************/
170
171 /* This handler is enabled most of the time that Exim is running. The handler
172 doesn't actually get used unless alarm() has been called to set a timer, to
173 place a time limit on a system call of some kind. When the handler is run, it
174 re-enables itself.
175
176 There are some other SIGALRM handlers that are used in special cases when more
177 than just a flag setting is required; for example, when reading a message's
178 input. These are normally set up in the code module that uses them, and the
179 SIGALRM handler is reset to this one afterwards.
180
181 Argument: the signal value (SIGALRM)
182 Returns: nothing
183 */
184
185 void
186 sigalrm_handler(int sig)
187 {
188 sig = sig; /* Keep picky compilers happy */
189 sigalrm_seen = TRUE;
190 os_non_restarting_signal(SIGALRM, sigalrm_handler);
191 }
192
193
194
195 /*************************************************
196 * Sleep for a fractional time interval *
197 *************************************************/
198
199 /* This function is called by millisleep() and exim_wait_tick() to wait for a
200 period of time that may include a fraction of a second. The coding is somewhat
201 tedious. We do not expect setitimer() ever to fail, but if it does, the process
202 will wait for ever, so we panic in this instance. (There was a case of this
203 when a bug in a function that calls milliwait() caused it to pass invalid data.
204 That's when I added the check. :-)
205
206 Argument: an itimerval structure containing the interval
207 Returns: nothing
208 */
209
210 static void
211 milliwait(struct itimerval *itval)
212 {
213 sigset_t sigmask;
214 sigset_t old_sigmask;
215 (void)sigemptyset(&sigmask); /* Empty mask */
216 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
217 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
218 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
219 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
220 "setitimer() failed: %s", strerror(errno));
221 (void)sigfillset(&sigmask); /* All signals */
222 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
223 (void)sigsuspend(&sigmask); /* Until SIGALRM */
224 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
225 }
226
227
228
229
230 /*************************************************
231 * Millisecond sleep function *
232 *************************************************/
233
234 /* The basic sleep() function has a granularity of 1 second, which is too rough
235 in some cases - for example, when using an increasing delay to slow down
236 spammers.
237
238 Argument: number of millseconds
239 Returns: nothing
240 */
241
242 void
243 millisleep(int msec)
244 {
245 struct itimerval itval;
246 itval.it_interval.tv_sec = 0;
247 itval.it_interval.tv_usec = 0;
248 itval.it_value.tv_sec = msec/1000;
249 itval.it_value.tv_usec = (msec % 1000) * 1000;
250 milliwait(&itval);
251 }
252
253
254
255 /*************************************************
256 * Compare microsecond times *
257 *************************************************/
258
259 /*
260 Arguments:
261 tv1 the first time
262 tv2 the second time
263
264 Returns: -1, 0, or +1
265 */
266
267 int
268 exim_tvcmp(struct timeval *t1, struct timeval *t2)
269 {
270 if (t1->tv_sec > t2->tv_sec) return +1;
271 if (t1->tv_sec < t2->tv_sec) return -1;
272 if (t1->tv_usec > t2->tv_usec) return +1;
273 if (t1->tv_usec < t2->tv_usec) return -1;
274 return 0;
275 }
276
277
278
279
280 /*************************************************
281 * Clock tick wait function *
282 *************************************************/
283
284 /* Exim uses a time + a pid to generate a unique identifier in two places: its
285 message IDs, and in file names for maildir deliveries. Because some OS now
286 re-use pids within the same second, sub-second times are now being used.
287 However, for absolute certaintly, we must ensure the clock has ticked before
288 allowing the relevant process to complete. At the time of implementation of
289 this code (February 2003), the speed of processors is such that the clock will
290 invariably have ticked already by the time a process has done its job. This
291 function prepares for the time when things are faster - and it also copes with
292 clocks that go backwards.
293
294 Arguments:
295 then_tv A timeval which was used to create uniqueness; its usec field
296 has been rounded down to the value of the resolution.
297 We want to be sure the current time is greater than this.
298 resolution The resolution that was used to divide the microseconds
299 (1 for maildir, larger for message ids)
300
301 Returns: nothing
302 */
303
304 void
305 exim_wait_tick(struct timeval *then_tv, int resolution)
306 {
307 struct timeval now_tv;
308 long int now_true_usec;
309
310 (void)gettimeofday(&now_tv, NULL);
311 now_true_usec = now_tv.tv_usec;
312 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
313
314 if (exim_tvcmp(&now_tv, then_tv) <= 0)
315 {
316 struct itimerval itval;
317 itval.it_interval.tv_sec = 0;
318 itval.it_interval.tv_usec = 0;
319 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
320 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
321
322 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
323 negative value for the microseconds is possible only in the case when "now"
324 is more than a second less than "then". That means that itval.it_value.tv_sec
325 is greater than zero. The following correction is therefore safe. */
326
327 if (itval.it_value.tv_usec < 0)
328 {
329 itval.it_value.tv_usec += 1000000;
330 itval.it_value.tv_sec -= 1;
331 }
332
333 DEBUG(D_transport|D_receive)
334 {
335 if (!running_in_test_harness)
336 {
337 debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
338 then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
339 debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
340 itval.it_value.tv_usec);
341 }
342 }
343
344 milliwait(&itval);
345 }
346 }
347
348
349
350
351 /*************************************************
352 * Set up processing details *
353 *************************************************/
354
355 /* Save a text string for dumping when SIGUSR1 is received.
356 Do checks for overruns.
357
358 Arguments: format and arguments, as for printf()
359 Returns: nothing
360 */
361
362 void
363 set_process_info(const char *format, ...)
364 {
365 int len;
366 va_list ap;
367 sprintf(CS process_info, "%5d ", (int)getpid());
368 len = Ustrlen(process_info);
369 va_start(ap, format);
370 if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len, format, ap))
371 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
372 DEBUG(D_process_info) debug_printf("set_process_info: %s\n", process_info);
373 va_end(ap);
374 }
375
376
377
378
379
380 /*************************************************
381 * Call fopen() with umask 777 and adjust mode *
382 *************************************************/
383
384 /* Exim runs with umask(0) so that files created with open() have the mode that
385 is specified in the open() call. However, there are some files, typically in
386 the spool directory, that are created with fopen(). They end up world-writeable
387 if no precautions are taken. Although the spool directory is not accessible to
388 the world, this is an untidiness. So this is a wrapper function for fopen()
389 that sorts out the mode of the created file.
390
391 Arguments:
392 filename the file name
393 options the fopen() options
394 mode the required mode
395
396 Returns: the fopened FILE or NULL
397 */
398
399 FILE *
400 modefopen(const uschar *filename, const char *options, mode_t mode)
401 {
402 mode_t saved_umask = umask(0777);
403 FILE *f = Ufopen(filename, options);
404 (void)umask(saved_umask);
405 if (f != NULL) (void)fchmod(fileno(f), mode);
406 return f;
407 }
408
409
410
411
412 /*************************************************
413 * Ensure stdin, stdout, and stderr exist *
414 *************************************************/
415
416 /* Some operating systems grumble if an exec() happens without a standard
417 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
418 file will be opened and will use these fd values, and then some other bit of
419 code will assume, for example, that it can write error messages to stderr.
420 This function ensures that fds 0, 1, and 2 are open if they do not already
421 exist, by connecting them to /dev/null.
422
423 This function is also used to ensure that std{in,out,err} exist at all times,
424 so that if any library that Exim calls tries to use them, it doesn't crash.
425
426 Arguments: None
427 Returns: Nothing
428 */
429
430 void
431 exim_nullstd(void)
432 {
433 int i;
434 int devnull = -1;
435 struct stat statbuf;
436 for (i = 0; i <= 2; i++)
437 {
438 if (fstat(i, &statbuf) < 0 && errno == EBADF)
439 {
440 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
441 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
442 string_open_failed(errno, "/dev/null"));
443 if (devnull != i) (void)dup2(devnull, i);
444 }
445 }
446 if (devnull > 2) (void)close(devnull);
447 }
448
449
450
451
452 /*************************************************
453 * Close unwanted file descriptors for delivery *
454 *************************************************/
455
456 /* This function is called from a new process that has been forked to deliver
457 an incoming message, either directly, or using exec.
458
459 We want any smtp input streams to be closed in this new process. However, it
460 has been observed that using fclose() here causes trouble. When reading in -bS
461 input, duplicate copies of messages have been seen. The files will be sharing a
462 file pointer with the parent process, and it seems that fclose() (at least on
463 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
464 least sometimes. Hence we go for closing the underlying file descriptors.
465
466 If TLS is active, we want to shut down the TLS library, but without molesting
467 the parent's SSL connection.
468
469 For delivery of a non-SMTP message, we want to close stdin and stdout (and
470 stderr unless debugging) because the calling process might have set them up as
471 pipes and be waiting for them to close before it waits for the submission
472 process to terminate. If they aren't closed, they hold up the calling process
473 until the initial delivery process finishes, which is not what we want.
474
475 Exception: We do want it for synchronous delivery!
476
477 And notwithstanding all the above, if D_resolver is set, implying resolver
478 debugging, leave stdout open, because that's where the resolver writes its
479 debugging output.
480
481 When we close stderr (which implies we've also closed stdout), we also get rid
482 of any controlling terminal.
483
484 Arguments: None
485 Returns: Nothing
486 */
487
488 static void
489 close_unwanted(void)
490 {
491 if (smtp_input)
492 {
493 #ifdef SUPPORT_TLS
494 tls_close(FALSE); /* Shut down the TLS library */
495 #endif
496 (void)close(fileno(smtp_in));
497 (void)close(fileno(smtp_out));
498 smtp_in = NULL;
499 }
500 else
501 {
502 (void)close(0); /* stdin */
503 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
504 if (debug_selector == 0) /* stderr */
505 {
506 if (!synchronous_delivery)
507 {
508 (void)close(2);
509 log_stderr = NULL;
510 }
511 (void)setsid();
512 }
513 }
514 }
515
516
517
518
519 /*************************************************
520 * Set uid and gid *
521 *************************************************/
522
523 /* This function sets a new uid and gid permanently, optionally calling
524 initgroups() to set auxiliary groups. There are some special cases when running
525 Exim in unprivileged modes. In these situations the effective uid will not be
526 root; if we already have the right effective uid/gid, and don't need to
527 initialize any groups, leave things as they are.
528
529 Arguments:
530 uid the uid
531 gid the gid
532 igflag TRUE if initgroups() wanted
533 msg text to use in debugging output and failure log
534
535 Returns: nothing; bombs out on failure
536 */
537
538 void
539 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
540 {
541 uid_t euid = geteuid();
542 gid_t egid = getegid();
543
544 if (euid == root_uid || euid != uid || egid != gid || igflag)
545 {
546 /* At least one OS returns +1 for initgroups failure, so just check for
547 non-zero. */
548
549 if (igflag)
550 {
551 struct passwd *pw = getpwuid(uid);
552 if (pw != NULL)
553 {
554 if (initgroups(pw->pw_name, gid) != 0)
555 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
556 (long int)uid, strerror(errno));
557 }
558 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
559 "no passwd entry for uid=%ld", (long int)uid);
560 }
561
562 if (setgid(gid) < 0 || setuid(uid) < 0)
563 {
564 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
565 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
566 }
567 }
568
569 /* Debugging output included uid/gid and all groups */
570
571 DEBUG(D_uid)
572 {
573 int group_count, save_errno;
574 gid_t group_list[NGROUPS_MAX];
575 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
576 (long int)geteuid(), (long int)getegid(), (long int)getpid());
577 group_count = getgroups(NGROUPS_MAX, group_list);
578 save_errno = errno;
579 debug_printf(" auxiliary group list:");
580 if (group_count > 0)
581 {
582 int i;
583 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
584 }
585 else if (group_count < 0)
586 debug_printf(" <error: %s>", strerror(save_errno));
587 else debug_printf(" <none>");
588 debug_printf("\n");
589 }
590 }
591
592
593
594
595 /*************************************************
596 * Exit point *
597 *************************************************/
598
599 /* Exim exits via this function so that it always clears up any open
600 databases.
601
602 Arguments:
603 rc return code
604
605 Returns: does not return
606 */
607
608 void
609 exim_exit(int rc)
610 {
611 search_tidyup();
612 DEBUG(D_any)
613 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
614 ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
615 exit(rc);
616 }
617
618
619
620
621 /*************************************************
622 * Extract port from host address *
623 *************************************************/
624
625 /* Called to extract the port from the values given to -oMa and -oMi.
626 It also checks the syntax of the address, and terminates it before the
627 port data when a port is extracted.
628
629 Argument:
630 address the address, with possible port on the end
631
632 Returns: the port, or zero if there isn't one
633 bombs out on a syntax error
634 */
635
636 static int
637 check_port(uschar *address)
638 {
639 int port = host_address_extract_port(address);
640 if (string_is_ip_address(address, NULL) == 0)
641 {
642 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
643 exit(EXIT_FAILURE);
644 }
645 return port;
646 }
647
648
649
650 /*************************************************
651 * Test/verify an address *
652 *************************************************/
653
654 /* This function is called by the -bv and -bt code. It extracts a working
655 address from a full RFC 822 address. This isn't really necessary per se, but it
656 has the effect of collapsing source routes.
657
658 Arguments:
659 s the address string
660 flags flag bits for verify_address()
661 exit_value to be set for failures
662
663 Returns: nothing
664 */
665
666 static void
667 test_address(uschar *s, int flags, int *exit_value)
668 {
669 int start, end, domain;
670 uschar *parse_error = NULL;
671 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
672 FALSE);
673 if (address == NULL)
674 {
675 fprintf(stdout, "syntax error: %s\n", parse_error);
676 *exit_value = 2;
677 }
678 else
679 {
680 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
681 -1, -1, NULL, NULL, NULL);
682 if (rc == FAIL) *exit_value = 2;
683 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
684 }
685 }
686
687
688
689 /*************************************************
690 * Show supported features *
691 *************************************************/
692
693 /* This function is called for -bV/--version and for -d to output the optional
694 features of the current Exim binary.
695
696 Arguments: a FILE for printing
697 Returns: nothing
698 */
699
700 static void
701 show_whats_supported(FILE *f)
702 {
703 #ifdef DB_VERSION_STRING
704 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
705 #elif defined(BTREEVERSION) && defined(HASHVERSION)
706 #ifdef USE_DB
707 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
708 #else
709 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
710 #endif
711 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
712 fprintf(f, "Probably ndbm\n");
713 #elif defined(USE_TDB)
714 fprintf(f, "Using tdb\n");
715 #else
716 #ifdef USE_GDBM
717 fprintf(f, "Probably GDBM (native mode)\n");
718 #else
719 fprintf(f, "Probably GDBM (compatibility mode)\n");
720 #endif
721 #endif
722
723 fprintf(f, "Support for:");
724 #ifdef SUPPORT_CRYPTEQ
725 fprintf(f, " crypteq");
726 #endif
727 #if HAVE_ICONV
728 fprintf(f, " iconv()");
729 #endif
730 #if HAVE_IPV6
731 fprintf(f, " IPv6");
732 #endif
733 #ifdef HAVE_SETCLASSRESOURCES
734 fprintf(f, " use_setclassresources");
735 #endif
736 #ifdef SUPPORT_PAM
737 fprintf(f, " PAM");
738 #endif
739 #ifdef EXIM_PERL
740 fprintf(f, " Perl");
741 #endif
742 #ifdef EXPAND_DLFUNC
743 fprintf(f, " Expand_dlfunc");
744 #endif
745 #ifdef USE_TCP_WRAPPERS
746 fprintf(f, " TCPwrappers");
747 #endif
748 #ifdef SUPPORT_TLS
749 #ifdef USE_GNUTLS
750 fprintf(f, " GnuTLS");
751 #else
752 fprintf(f, " OpenSSL");
753 #endif
754 #endif
755 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
756 fprintf(f, " translate_ip_address");
757 #endif
758 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
759 fprintf(f, " move_frozen_messages");
760 #endif
761 #ifdef WITH_CONTENT_SCAN
762 fprintf(f, " Content_Scanning");
763 #endif
764 #ifndef DISABLE_DKIM
765 fprintf(f, " DKIM");
766 #endif
767 #ifdef WITH_OLD_DEMIME
768 fprintf(f, " Old_Demime");
769 #endif
770 #ifdef EXPERIMENTAL_SPF
771 fprintf(f, " Experimental_SPF");
772 #endif
773 #ifdef EXPERIMENTAL_SRS
774 fprintf(f, " Experimental_SRS");
775 #endif
776 #ifdef EXPERIMENTAL_BRIGHTMAIL
777 fprintf(f, " Experimental_Brightmail");
778 #endif
779 #ifdef EXPERIMENTAL_DCC
780 fprintf(f, " Experimental_DCC");
781 #endif
782 fprintf(f, "\n");
783
784 fprintf(f, "Lookups (built-in):");
785 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
786 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
787 #endif
788 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
789 fprintf(f, " cdb");
790 #endif
791 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
792 fprintf(f, " dbm dbmnz");
793 #endif
794 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
795 fprintf(f, " dnsdb");
796 #endif
797 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
798 fprintf(f, " dsearch");
799 #endif
800 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
801 fprintf(f, " ibase");
802 #endif
803 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
804 fprintf(f, " ldap ldapdn ldapm");
805 #endif
806 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
807 fprintf(f, " mysql");
808 #endif
809 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
810 fprintf(f, " nis nis0");
811 #endif
812 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
813 fprintf(f, " nisplus");
814 #endif
815 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
816 fprintf(f, " oracle");
817 #endif
818 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
819 fprintf(f, " passwd");
820 #endif
821 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
822 fprintf(f, " pgsql");
823 #endif
824 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
825 fprintf(f, " sqlite");
826 #endif
827 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
828 fprintf(f, " testdb");
829 #endif
830 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
831 fprintf(f, " whoson");
832 #endif
833 fprintf(f, "\n");
834
835 fprintf(f, "Authenticators:");
836 #ifdef AUTH_CRAM_MD5
837 fprintf(f, " cram_md5");
838 #endif
839 #ifdef AUTH_CYRUS_SASL
840 fprintf(f, " cyrus_sasl");
841 #endif
842 #ifdef AUTH_DOVECOT
843 fprintf(f, " dovecot");
844 #endif
845 #ifdef AUTH_PLAINTEXT
846 fprintf(f, " plaintext");
847 #endif
848 #ifdef AUTH_SPA
849 fprintf(f, " spa");
850 #endif
851 fprintf(f, "\n");
852
853 fprintf(f, "Routers:");
854 #ifdef ROUTER_ACCEPT
855 fprintf(f, " accept");
856 #endif
857 #ifdef ROUTER_DNSLOOKUP
858 fprintf(f, " dnslookup");
859 #endif
860 #ifdef ROUTER_IPLITERAL
861 fprintf(f, " ipliteral");
862 #endif
863 #ifdef ROUTER_IPLOOKUP
864 fprintf(f, " iplookup");
865 #endif
866 #ifdef ROUTER_MANUALROUTE
867 fprintf(f, " manualroute");
868 #endif
869 #ifdef ROUTER_QUERYPROGRAM
870 fprintf(f, " queryprogram");
871 #endif
872 #ifdef ROUTER_REDIRECT
873 fprintf(f, " redirect");
874 #endif
875 fprintf(f, "\n");
876
877 fprintf(f, "Transports:");
878 #ifdef TRANSPORT_APPENDFILE
879 fprintf(f, " appendfile");
880 #ifdef SUPPORT_MAILDIR
881 fprintf(f, "/maildir");
882 #endif
883 #ifdef SUPPORT_MAILSTORE
884 fprintf(f, "/mailstore");
885 #endif
886 #ifdef SUPPORT_MBX
887 fprintf(f, "/mbx");
888 #endif
889 #endif
890 #ifdef TRANSPORT_AUTOREPLY
891 fprintf(f, " autoreply");
892 #endif
893 #ifdef TRANSPORT_LMTP
894 fprintf(f, " lmtp");
895 #endif
896 #ifdef TRANSPORT_PIPE
897 fprintf(f, " pipe");
898 #endif
899 #ifdef TRANSPORT_SMTP
900 fprintf(f, " smtp");
901 #endif
902 fprintf(f, "\n");
903
904 if (fixed_never_users[0] > 0)
905 {
906 int i;
907 fprintf(f, "Fixed never_users: ");
908 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
909 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
910 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
911 }
912
913 fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
914
915 /* Everything else is details which are only worth reporting when debugging.
916 Perhaps the tls_version_report should move into this too. */
917 DEBUG(D_any) do {
918
919 int i;
920
921 /* clang defines __GNUC__ (at least, for me) so test for it first */
922 #if defined(__clang__)
923 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
924 #elif defined(__GNUC__)
925 fprintf(f, "Compiler: GCC [%s]\n",
926 # ifdef __VERSION__
927 __VERSION__
928 # else
929 "? unknown version ?"
930 # endif
931 );
932 #else
933 fprintf(f, "Compiler: <unknown>\n");
934 #endif
935
936 #ifdef SUPPORT_TLS
937 tls_version_report(f);
938 #endif
939
940 #ifdef AUTH_CYRUS_SASL
941 auth_cyrus_sasl_version_report(f);
942 #endif
943
944 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
945 " Runtime: %s\n",
946 PCRE_MAJOR, PCRE_MINOR,
947 /* PRE_PRERELEASE is either defined and empty or a string.
948 * unless its an ancient version of PCRE in which case it
949 * is not defined */
950 #ifdef PCRE_PRERELEASE
951 PCRE_PRERELEASE "",
952 #else
953 "",
954 #endif
955 pcre_version());
956
957 init_lookup_list();
958 for (i = 0; i < lookup_list_count; i++)
959 {
960 if (lookup_list[i]->version_report)
961 lookup_list[i]->version_report(f);
962 }
963
964 #ifdef WHITELIST_D_MACROS
965 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
966 #else
967 fprintf(f, "WHITELIST_D_MACROS unset\n");
968 #endif
969 #ifdef TRUSTED_CONFIG_LIST
970 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
971 #else
972 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
973 #endif
974
975 } while (0);
976 }
977
978
979
980
981 /*************************************************
982 * Quote a local part *
983 *************************************************/
984
985 /* This function is used when a sender address or a From: or Sender: header
986 line is being created from the caller's login, or from an authenticated_id. It
987 applies appropriate quoting rules for a local part.
988
989 Argument: the local part
990 Returns: the local part, quoted if necessary
991 */
992
993 uschar *
994 local_part_quote(uschar *lpart)
995 {
996 BOOL needs_quote = FALSE;
997 int size, ptr;
998 uschar *yield;
999 uschar *t;
1000
1001 for (t = lpart; !needs_quote && *t != 0; t++)
1002 {
1003 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1004 (*t != '.' || t == lpart || t[1] == 0);
1005 }
1006
1007 if (!needs_quote) return lpart;
1008
1009 size = ptr = 0;
1010 yield = string_cat(NULL, &size, &ptr, US"\"", 1);
1011
1012 for (;;)
1013 {
1014 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1015 if (nq == NULL)
1016 {
1017 yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
1018 break;
1019 }
1020 yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
1021 yield = string_cat(yield, &size, &ptr, US"\\", 1);
1022 yield = string_cat(yield, &size, &ptr, nq, 1);
1023 lpart = nq + 1;
1024 }
1025
1026 yield = string_cat(yield, &size, &ptr, US"\"", 1);
1027 yield[ptr] = 0;
1028 return yield;
1029 }
1030
1031
1032
1033 #ifdef USE_READLINE
1034 /*************************************************
1035 * Load readline() functions *
1036 *************************************************/
1037
1038 /* This function is called from testing executions that read data from stdin,
1039 but only when running as the calling user. Currently, only -be does this. The
1040 function loads the readline() function library and passes back the functions.
1041 On some systems, it needs the curses library, so load that too, but try without
1042 it if loading fails. All this functionality has to be requested at build time.
1043
1044 Arguments:
1045 fn_readline_ptr pointer to where to put the readline pointer
1046 fn_addhist_ptr pointer to where to put the addhistory function
1047
1048 Returns: the dlopen handle or NULL on failure
1049 */
1050
1051 static void *
1052 set_readline(char * (**fn_readline_ptr)(const char *),
1053 void (**fn_addhist_ptr)(const char *))
1054 {
1055 void *dlhandle;
1056 void *dlhandle_curses = dlopen("libcurses.so", RTLD_GLOBAL|RTLD_LAZY);
1057
1058 dlhandle = dlopen("libreadline.so", RTLD_GLOBAL|RTLD_NOW);
1059 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1060
1061 if (dlhandle != NULL)
1062 {
1063 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1064 * char * readline (const char *prompt);
1065 * void add_history (const char *string);
1066 */
1067 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1068 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1069 }
1070 else
1071 {
1072 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1073 }
1074
1075 return dlhandle;
1076 }
1077 #endif
1078
1079
1080
1081 /*************************************************
1082 * Get a line from stdin for testing things *
1083 *************************************************/
1084
1085 /* This function is called when running tests that can take a number of lines
1086 of input (for example, -be and -bt). It handles continuations and trailing
1087 spaces. And prompting and a blank line output on eof. If readline() is in use,
1088 the arguments are non-NULL and provide the relevant functions.
1089
1090 Arguments:
1091 fn_readline readline function or NULL
1092 fn_addhist addhist function or NULL
1093
1094 Returns: pointer to dynamic memory, or NULL at end of file
1095 */
1096
1097 static uschar *
1098 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1099 {
1100 int i;
1101 int size = 0;
1102 int ptr = 0;
1103 uschar *yield = NULL;
1104
1105 if (fn_readline == NULL) { printf("> "); fflush(stdout); }
1106
1107 for (i = 0;; i++)
1108 {
1109 uschar buffer[1024];
1110 uschar *p, *ss;
1111
1112 #ifdef USE_READLINE
1113 char *readline_line = NULL;
1114 if (fn_readline != NULL)
1115 {
1116 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1117 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1118 p = US readline_line;
1119 }
1120 else
1121 #endif
1122
1123 /* readline() not in use */
1124
1125 {
1126 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1127 p = buffer;
1128 }
1129
1130 /* Handle the line */
1131
1132 ss = p + (int)Ustrlen(p);
1133 while (ss > p && isspace(ss[-1])) ss--;
1134
1135 if (i > 0)
1136 {
1137 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1138 }
1139
1140 yield = string_cat(yield, &size, &ptr, p, ss - p);
1141
1142 #ifdef USE_READLINE
1143 if (fn_readline != NULL) free(readline_line);
1144 #endif
1145
1146 if (ss == p || yield[ptr-1] != '\\')
1147 {
1148 yield[ptr] = 0;
1149 break;
1150 }
1151 yield[--ptr] = 0;
1152 }
1153
1154 if (yield == NULL) printf("\n");
1155 return yield;
1156 }
1157
1158
1159
1160 /*************************************************
1161 * Output usage information for the program *
1162 *************************************************/
1163
1164 /* This function is called when there are no recipients
1165 or a specific --help argument was added.
1166
1167 Arguments:
1168 progname information on what name we were called by
1169
1170 Returns: DOES NOT RETURN
1171 */
1172
1173 static void
1174 exim_usage(uschar *progname)
1175 {
1176
1177 /* Handle specific program invocation varients */
1178 if (Ustrcmp(progname, US"-mailq") == 0)
1179 {
1180 fprintf(stderr,
1181 "mailq - list the contents of the mail queue\n\n"
1182 "For a list of options, see the Exim documentation.\n");
1183 exit(EXIT_FAILURE);
1184 }
1185
1186 /* Generic usage - we output this whatever happens */
1187 fprintf(stderr,
1188 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1189 "not directly from a shell command line. Options and/or arguments control\n"
1190 "what it does when called. For a list of options, see the Exim documentation.\n");
1191
1192 exit(EXIT_FAILURE);
1193 }
1194
1195
1196
1197 /*************************************************
1198 * Validate that the macros given are okay *
1199 *************************************************/
1200
1201 /* Typically, Exim will drop privileges if macros are supplied. In some
1202 cases, we want to not do so.
1203
1204 Arguments: none (macros is a global)
1205 Returns: true if trusted, false otherwise
1206 */
1207
1208 static BOOL
1209 macros_trusted(void)
1210 {
1211 #ifdef WHITELIST_D_MACROS
1212 macro_item *m;
1213 uschar *whitelisted, *end, *p, **whites, **w;
1214 int white_count, i, n;
1215 size_t len;
1216 BOOL prev_char_item, found;
1217 #endif
1218
1219 if (macros == NULL)
1220 return TRUE;
1221 #ifndef WHITELIST_D_MACROS
1222 return FALSE;
1223 #else
1224
1225 /* We only trust -D overrides for some invoking users:
1226 root, the exim run-time user, the optional config owner user.
1227 I don't know why config-owner would be needed, but since they can own the
1228 config files anyway, there's no security risk to letting them override -D. */
1229 if ( ! ((real_uid == root_uid)
1230 || (real_uid == exim_uid)
1231 #ifdef CONFIGURE_OWNER
1232 || (real_uid == config_uid)
1233 #endif
1234 ))
1235 {
1236 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1237 return FALSE;
1238 }
1239
1240 /* Get a list of macros which are whitelisted */
1241 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1242 prev_char_item = FALSE;
1243 white_count = 0;
1244 for (p = whitelisted; *p != '\0'; ++p)
1245 {
1246 if (*p == ':' || isspace(*p))
1247 {
1248 *p = '\0';
1249 if (prev_char_item)
1250 ++white_count;
1251 prev_char_item = FALSE;
1252 continue;
1253 }
1254 if (!prev_char_item)
1255 prev_char_item = TRUE;
1256 }
1257 end = p;
1258 if (prev_char_item)
1259 ++white_count;
1260 if (!white_count)
1261 return FALSE;
1262 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1263 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1264 {
1265 if (*p != '\0')
1266 {
1267 whites[i++] = p;
1268 if (i == white_count)
1269 break;
1270 while (*p != '\0' && p < end)
1271 ++p;
1272 }
1273 }
1274 whites[i] = NULL;
1275
1276 /* The list of macros should be very short. Accept the N*M complexity. */
1277 for (m = macros; m != NULL; m = m->next)
1278 {
1279 found = FALSE;
1280 for (w = whites; *w; ++w)
1281 if (Ustrcmp(*w, m->name) == 0)
1282 {
1283 found = TRUE;
1284 break;
1285 }
1286 if (!found)
1287 return FALSE;
1288 if (m->replacement == NULL)
1289 continue;
1290 len = Ustrlen(m->replacement);
1291 if (len == 0)
1292 continue;
1293 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1294 0, PCRE_EOPT, NULL, 0);
1295 if (n < 0)
1296 {
1297 if (n != PCRE_ERROR_NOMATCH)
1298 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1299 return FALSE;
1300 }
1301 }
1302 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1303 return TRUE;
1304 #endif
1305 }
1306
1307
1308 /*************************************************
1309 * Entry point and high-level code *
1310 *************************************************/
1311
1312 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1313 the appropriate action. All the necessary functions are present in the one
1314 binary. I originally thought one should split it up, but it turns out that so
1315 much of the apparatus is needed in each chunk that one might as well just have
1316 it all available all the time, which then makes the coding easier as well.
1317
1318 Arguments:
1319 argc count of entries in argv
1320 argv argument strings, with argv[0] being the program name
1321
1322 Returns: EXIT_SUCCESS if terminated successfully
1323 EXIT_FAILURE otherwise, except when a message has been sent
1324 to the sender, and -oee was given
1325 */
1326
1327 int
1328 main(int argc, char **cargv)
1329 {
1330 uschar **argv = USS cargv;
1331 int arg_receive_timeout = -1;
1332 int arg_smtp_receive_timeout = -1;
1333 int arg_error_handling = error_handling;
1334 int filter_sfd = -1;
1335 int filter_ufd = -1;
1336 int group_count;
1337 int i, rv;
1338 int list_queue_option = 0;
1339 int msg_action = 0;
1340 int msg_action_arg = -1;
1341 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1342 int queue_only_reason = 0;
1343 #ifdef EXIM_PERL
1344 int perl_start_option = 0;
1345 #endif
1346 int recipients_arg = argc;
1347 int sender_address_domain = 0;
1348 int test_retry_arg = -1;
1349 int test_rewrite_arg = -1;
1350 BOOL arg_queue_only = FALSE;
1351 BOOL bi_option = FALSE;
1352 BOOL checking = FALSE;
1353 BOOL count_queue = FALSE;
1354 BOOL expansion_test = FALSE;
1355 BOOL extract_recipients = FALSE;
1356 BOOL forced_delivery = FALSE;
1357 BOOL f_end_dot = FALSE;
1358 BOOL deliver_give_up = FALSE;
1359 BOOL list_queue = FALSE;
1360 BOOL list_options = FALSE;
1361 BOOL local_queue_only;
1362 BOOL more = TRUE;
1363 BOOL one_msg_action = FALSE;
1364 BOOL queue_only_set = FALSE;
1365 BOOL receiving_message = TRUE;
1366 BOOL sender_ident_set = FALSE;
1367 BOOL session_local_queue_only;
1368 BOOL unprivileged;
1369 BOOL removed_privilege = FALSE;
1370 BOOL usage_wanted = FALSE;
1371 BOOL verify_address_mode = FALSE;
1372 BOOL verify_as_sender = FALSE;
1373 BOOL version_printed = FALSE;
1374 uschar *alias_arg = NULL;
1375 uschar *called_as = US"";
1376 uschar *start_queue_run_id = NULL;
1377 uschar *stop_queue_run_id = NULL;
1378 uschar *expansion_test_message = NULL;
1379 uschar *ftest_domain = NULL;
1380 uschar *ftest_localpart = NULL;
1381 uschar *ftest_prefix = NULL;
1382 uschar *ftest_suffix = NULL;
1383 uschar *malware_test_file = NULL;
1384 uschar *real_sender_address;
1385 uschar *originator_home = US"/";
1386 void *reset_point;
1387
1388 struct passwd *pw;
1389 struct stat statbuf;
1390 pid_t passed_qr_pid = (pid_t)0;
1391 int passed_qr_pipe = -1;
1392 gid_t group_list[NGROUPS_MAX];
1393
1394 /* Possible options for -R and -S */
1395
1396 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1397
1398 /* Need to define this in case we need to change the environment in order
1399 to get rid of a bogus time zone. We have to make it char rather than uschar
1400 because some OS define it in /usr/include/unistd.h. */
1401
1402 extern char **environ;
1403
1404 /* If the Exim user and/or group and/or the configuration file owner/group were
1405 defined by ref:name at build time, we must now find the actual uid/gid values.
1406 This is a feature to make the lives of binary distributors easier. */
1407
1408 #ifdef EXIM_USERNAME
1409 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1410 {
1411 if (exim_uid == 0)
1412 {
1413 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1414 EXIM_USERNAME);
1415 exit(EXIT_FAILURE);
1416 }
1417 /* If ref:name uses a number as the name, route_finduser() returns
1418 TRUE with exim_uid set and pw coerced to NULL. */
1419 if (pw)
1420 exim_gid = pw->pw_gid;
1421 #ifndef EXIM_GROUPNAME
1422 else
1423 {
1424 fprintf(stderr,
1425 "exim: ref:name should specify a usercode, not a group.\n"
1426 "exim: can't let you get away with it unless you also specify a group.\n");
1427 exit(EXIT_FAILURE);
1428 }
1429 #endif
1430 }
1431 else
1432 {
1433 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1434 EXIM_USERNAME);
1435 exit(EXIT_FAILURE);
1436 }
1437 #endif
1438
1439 #ifdef EXIM_GROUPNAME
1440 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1441 {
1442 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1443 EXIM_GROUPNAME);
1444 exit(EXIT_FAILURE);
1445 }
1446 #endif
1447
1448 #ifdef CONFIGURE_OWNERNAME
1449 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1450 {
1451 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1452 CONFIGURE_OWNERNAME);
1453 exit(EXIT_FAILURE);
1454 }
1455 #endif
1456
1457 /* We default the system_filter_user to be the Exim run-time user, as a
1458 sane non-root value. */
1459 system_filter_uid = exim_uid;
1460
1461 #ifdef CONFIGURE_GROUPNAME
1462 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1463 {
1464 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1465 CONFIGURE_GROUPNAME);
1466 exit(EXIT_FAILURE);
1467 }
1468 #endif
1469
1470 /* In the Cygwin environment, some initialization needs doing. It is fudged
1471 in by means of this macro. */
1472
1473 #ifdef OS_INIT
1474 OS_INIT
1475 #endif
1476
1477 /* Check a field which is patched when we are running Exim within its
1478 testing harness; do a fast initial check, and then the whole thing. */
1479
1480 running_in_test_harness =
1481 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1482
1483 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1484 at the start of a program; however, it seems that some environments do not
1485 follow this. A "strange" locale can affect the formatting of timestamps, so we
1486 make quite sure. */
1487
1488 setlocale(LC_ALL, "C");
1489
1490 /* Set up the default handler for timing using alarm(). */
1491
1492 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1493
1494 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1495 because store_malloc writes a log entry on failure. */
1496
1497 log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1498 if (log_buffer == NULL)
1499 {
1500 fprintf(stderr, "exim: failed to get store for log buffer\n");
1501 exit(EXIT_FAILURE);
1502 }
1503
1504 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1505 NULL when the daemon is run and the file is closed. We have to use this
1506 indirection, because some systems don't allow writing to the variable "stderr".
1507 */
1508
1509 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1510
1511 /* Arrange for the PCRE regex library to use our store functions. Note that
1512 the normal calls are actually macros that add additional arguments for
1513 debugging purposes so we have to assign specially constructed functions here.
1514 The default is to use store in the stacking pool, but this is overridden in the
1515 regex_must_compile() function. */
1516
1517 pcre_malloc = function_store_get;
1518 pcre_free = function_dummy_free;
1519
1520 /* Ensure there is a big buffer for temporary use in several places. It is put
1521 in malloc store so that it can be freed for enlargement if necessary. */
1522
1523 big_buffer = store_malloc(big_buffer_size);
1524
1525 /* Set up the handler for the data request signal, and set the initial
1526 descriptive text. */
1527
1528 set_process_info("initializing");
1529 os_restarting_signal(SIGUSR1, usr1_handler);
1530
1531 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1532 in the daemon code. For the rest of Exim's uses, we ignore it. */
1533
1534 signal(SIGHUP, SIG_IGN);
1535
1536 /* We don't want to die on pipe errors as the code is written to handle
1537 the write error instead. */
1538
1539 signal(SIGPIPE, SIG_IGN);
1540
1541 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1542 set to SIG_IGN. This causes subprocesses that complete before the parent
1543 process waits for them not to hang around, so when Exim calls wait(), nothing
1544 is there. The wait() code has been made robust against this, but let's ensure
1545 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1546 ending status. We use sigaction rather than plain signal() on those OS where
1547 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1548 problem on AIX with this.) */
1549
1550 #ifdef SA_NOCLDWAIT
1551 {
1552 struct sigaction act;
1553 act.sa_handler = SIG_DFL;
1554 sigemptyset(&(act.sa_mask));
1555 act.sa_flags = 0;
1556 sigaction(SIGCHLD, &act, NULL);
1557 }
1558 #else
1559 signal(SIGCHLD, SIG_DFL);
1560 #endif
1561
1562 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1563 SIGHUP. */
1564
1565 sighup_argv = argv;
1566
1567 /* Set up the version number. Set up the leading 'E' for the external form of
1568 message ids, set the pointer to the internal form, and initialize it to
1569 indicate no message being processed. */
1570
1571 version_init();
1572 message_id_option[0] = '-';
1573 message_id_external = message_id_option + 1;
1574 message_id_external[0] = 'E';
1575 message_id = message_id_external + 1;
1576 message_id[0] = 0;
1577
1578 /* Set the umask to zero so that any files Exim creates using open() are
1579 created with the modes that it specifies. NOTE: Files created with fopen() have
1580 a problem, which was not recognized till rather late (February 2006). With this
1581 umask, such files will be world writeable. (They are all content scanning files
1582 in the spool directory, which isn't world-accessible, so this is not a
1583 disaster, but it's untidy.) I don't want to change this overall setting,
1584 however, because it will interact badly with the open() calls. Instead, there's
1585 now a function called modefopen() that fiddles with the umask while calling
1586 fopen(). */
1587
1588 (void)umask(0);
1589
1590 /* Precompile the regular expression for matching a message id. Keep this in
1591 step with the code that generates ids in the accept.c module. We need to do
1592 this here, because the -M options check their arguments for syntactic validity
1593 using mac_ismsgid, which uses this. */
1594
1595 regex_ismsgid =
1596 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1597
1598 /* Precompile the regular expression that is used for matching an SMTP error
1599 code, possibly extended, at the start of an error message. Note that the
1600 terminating whitespace character is included. */
1601
1602 regex_smtp_code =
1603 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1604 FALSE, TRUE);
1605
1606 #ifdef WHITELIST_D_MACROS
1607 /* Precompile the regular expression used to filter the content of macros
1608 given to -D for permissibility. */
1609
1610 regex_whitelisted_macro =
1611 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1612 #endif
1613
1614
1615 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1616 this seems to be a generally accepted convention, since one finds symbolic
1617 links called "mailq" in standard OS configurations. */
1618
1619 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1620 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1621 {
1622 list_queue = TRUE;
1623 receiving_message = FALSE;
1624 called_as = US"-mailq";
1625 }
1626
1627 /* If the program is called as "rmail" treat it as equivalent to
1628 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1629 i.e. preventing a single dot on a line from terminating the message, and
1630 returning with zero return code, even in cases of error (provided an error
1631 message has been sent). */
1632
1633 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1634 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1635 {
1636 dot_ends = FALSE;
1637 called_as = US"-rmail";
1638 errors_sender_rc = EXIT_SUCCESS;
1639 }
1640
1641 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1642 this is a smail convention. */
1643
1644 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1645 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1646 {
1647 smtp_input = smtp_batched_input = TRUE;
1648 called_as = US"-rsmtp";
1649 }
1650
1651 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1652 this is a smail convention. */
1653
1654 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1655 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1656 {
1657 queue_interval = 0;
1658 receiving_message = FALSE;
1659 called_as = US"-runq";
1660 }
1661
1662 /* If the program is called as "newaliases" treat it as equivalent to
1663 "exim -bi"; this is a sendmail convention. */
1664
1665 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1666 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1667 {
1668 bi_option = TRUE;
1669 receiving_message = FALSE;
1670 called_as = US"-newaliases";
1671 }
1672
1673 /* Save the original effective uid for a couple of uses later. It should
1674 normally be root, but in some esoteric environments it may not be. */
1675
1676 original_euid = geteuid();
1677
1678 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1679 to be the same as the real ones. This makes a difference only if Exim is setuid
1680 (or setgid) to something other than root, which could be the case in some
1681 special configurations. */
1682
1683 real_uid = getuid();
1684 real_gid = getgid();
1685
1686 if (real_uid == root_uid)
1687 {
1688 rv = setgid(real_gid);
1689 if (rv)
1690 {
1691 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1692 (long int)real_gid, strerror(errno));
1693 exit(EXIT_FAILURE);
1694 }
1695 rv = setuid(real_uid);
1696 if (rv)
1697 {
1698 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1699 (long int)real_uid, strerror(errno));
1700 exit(EXIT_FAILURE);
1701 }
1702 }
1703
1704 /* If neither the original real uid nor the original euid was root, Exim is
1705 running in an unprivileged state. */
1706
1707 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1708
1709 /* Scan the program's arguments. Some can be dealt with right away; others are
1710 simply recorded for checking and handling afterwards. Do a high-level switch
1711 on the second character (the one after '-'), to save some effort. */
1712
1713 for (i = 1; i < argc; i++)
1714 {
1715 BOOL badarg = FALSE;
1716 uschar *arg = argv[i];
1717 uschar *argrest;
1718 int switchchar;
1719
1720 /* An argument not starting with '-' is the start of a recipients list;
1721 break out of the options-scanning loop. */
1722
1723 if (arg[0] != '-')
1724 {
1725 recipients_arg = i;
1726 break;
1727 }
1728
1729 /* An option consistion of -- terminates the options */
1730
1731 if (Ustrcmp(arg, "--") == 0)
1732 {
1733 recipients_arg = i + 1;
1734 break;
1735 }
1736
1737 /* Handle flagged options */
1738
1739 switchchar = arg[1];
1740 argrest = arg+2;
1741
1742 /* Make all -ex options synonymous with -oex arguments, since that
1743 is assumed by various callers. Also make -qR options synonymous with -R
1744 options, as that seems to be required as well. Allow for -qqR too, and
1745 the same for -S options. */
1746
1747 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1748 Ustrncmp(arg+1, "qR", 2) == 0 ||
1749 Ustrncmp(arg+1, "qS", 2) == 0)
1750 {
1751 switchchar = arg[2];
1752 argrest++;
1753 }
1754 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1755 {
1756 switchchar = arg[3];
1757 argrest += 2;
1758 queue_2stage = TRUE;
1759 }
1760
1761 /* Make -r synonymous with -f, since it is a documented alias */
1762
1763 else if (arg[1] == 'r') switchchar = 'f';
1764
1765 /* Make -ov synonymous with -v */
1766
1767 else if (Ustrcmp(arg, "-ov") == 0)
1768 {
1769 switchchar = 'v';
1770 argrest++;
1771 }
1772
1773 /* deal with --option_aliases */
1774 else if (switchchar == '-')
1775 {
1776 if (Ustrcmp(argrest, "help") == 0)
1777 {
1778 usage_wanted = TRUE;
1779 break;
1780 }
1781 else if (Ustrcmp(argrest, "version") == 0)
1782 {
1783 switchchar = 'b';
1784 argrest = US"V";
1785 }
1786 }
1787
1788 /* High-level switch on active initial letter */
1789
1790 switch(switchchar)
1791 {
1792 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1793 so has no need of it. */
1794
1795 case 'B':
1796 if (*argrest == 0) i++; /* Skip over the type */
1797 break;
1798
1799
1800 case 'b':
1801 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1802
1803 /* -bd: Run in daemon mode, awaiting SMTP connections.
1804 -bdf: Ditto, but in the foreground.
1805 */
1806
1807 if (*argrest == 'd')
1808 {
1809 daemon_listen = TRUE;
1810 if (*(++argrest) == 'f') background_daemon = FALSE;
1811 else if (*argrest != 0) { badarg = TRUE; break; }
1812 }
1813
1814 /* -be: Run in expansion test mode
1815 -bem: Ditto, but read a message from a file first
1816 */
1817
1818 else if (*argrest == 'e')
1819 {
1820 expansion_test = checking = TRUE;
1821 if (argrest[1] == 'm')
1822 {
1823 if (++i >= argc) { badarg = TRUE; break; }
1824 expansion_test_message = argv[i];
1825 argrest++;
1826 }
1827 if (argrest[1] != 0) { badarg = TRUE; break; }
1828 }
1829
1830 /* -bF: Run system filter test */
1831
1832 else if (*argrest == 'F')
1833 {
1834 filter_test |= FTEST_SYSTEM;
1835 if (*(++argrest) != 0) { badarg = TRUE; break; }
1836 if (++i < argc) filter_test_sfile = argv[i]; else
1837 {
1838 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1839 exit(EXIT_FAILURE);
1840 }
1841 }
1842
1843 /* -bf: Run user filter test
1844 -bfd: Set domain for filter testing
1845 -bfl: Set local part for filter testing
1846 -bfp: Set prefix for filter testing
1847 -bfs: Set suffix for filter testing
1848 */
1849
1850 else if (*argrest == 'f')
1851 {
1852 if (*(++argrest) == 0)
1853 {
1854 filter_test |= FTEST_USER;
1855 if (++i < argc) filter_test_ufile = argv[i]; else
1856 {
1857 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1858 exit(EXIT_FAILURE);
1859 }
1860 }
1861 else
1862 {
1863 if (++i >= argc)
1864 {
1865 fprintf(stderr, "exim: string expected after %s\n", arg);
1866 exit(EXIT_FAILURE);
1867 }
1868 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1869 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1870 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1871 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1872 else { badarg = TRUE; break; }
1873 }
1874 }
1875
1876 /* -bh: Host checking - an IP address must follow. */
1877
1878 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1879 {
1880 if (++i >= argc) { badarg = TRUE; break; }
1881 sender_host_address = argv[i];
1882 host_checking = checking = log_testing_mode = TRUE;
1883 host_checking_callout = argrest[1] == 'c';
1884 }
1885
1886 /* -bi: This option is used by sendmail to initialize *the* alias file,
1887 though it has the -oA option to specify a different file. Exim has no
1888 concept of *the* alias file, but since Sun's YP make script calls
1889 sendmail this way, some support must be provided. */
1890
1891 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1892
1893 /* -bm: Accept and deliver message - the default option. Reinstate
1894 receiving_message, which got turned off for all -b options. */
1895
1896 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
1897
1898 /* -bmalware: test the filename given for malware */
1899
1900 else if (Ustrcmp(argrest, "malware") == 0)
1901 {
1902 if (++i >= argc) { badarg = TRUE; break; }
1903 malware_test_file = argv[i];
1904 }
1905
1906 /* -bnq: For locally originating messages, do not qualify unqualified
1907 addresses. In the envelope, this causes errors; in header lines they
1908 just get left. */
1909
1910 else if (Ustrcmp(argrest, "nq") == 0)
1911 {
1912 allow_unqualified_sender = FALSE;
1913 allow_unqualified_recipient = FALSE;
1914 }
1915
1916 /* -bpxx: List the contents of the mail queue, in various forms. If
1917 the option is -bpc, just a queue count is needed. Otherwise, if the
1918 first letter after p is r, then order is random. */
1919
1920 else if (*argrest == 'p')
1921 {
1922 if (*(++argrest) == 'c')
1923 {
1924 count_queue = TRUE;
1925 if (*(++argrest) != 0) badarg = TRUE;
1926 break;
1927 }
1928
1929 if (*argrest == 'r')
1930 {
1931 list_queue_option = 8;
1932 argrest++;
1933 }
1934 else list_queue_option = 0;
1935
1936 list_queue = TRUE;
1937
1938 /* -bp: List the contents of the mail queue, top-level only */
1939
1940 if (*argrest == 0) {}
1941
1942 /* -bpu: List the contents of the mail queue, top-level undelivered */
1943
1944 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
1945
1946 /* -bpa: List the contents of the mail queue, including all delivered */
1947
1948 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
1949
1950 /* Unknown after -bp[r] */
1951
1952 else
1953 {
1954 badarg = TRUE;
1955 break;
1956 }
1957 }
1958
1959
1960 /* -bP: List the configuration variables given as the address list.
1961 Force -v, so configuration errors get displayed. */
1962
1963 else if (Ustrcmp(argrest, "P") == 0)
1964 {
1965 list_options = TRUE;
1966 debug_selector |= D_v;
1967 debug_file = stderr;
1968 }
1969
1970 /* -brt: Test retry configuration lookup */
1971
1972 else if (Ustrcmp(argrest, "rt") == 0)
1973 {
1974 test_retry_arg = i + 1;
1975 goto END_ARG;
1976 }
1977
1978 /* -brw: Test rewrite configuration */
1979
1980 else if (Ustrcmp(argrest, "rw") == 0)
1981 {
1982 test_rewrite_arg = i + 1;
1983 goto END_ARG;
1984 }
1985
1986 /* -bS: Read SMTP commands on standard input, but produce no replies -
1987 all errors are reported by sending messages. */
1988
1989 else if (Ustrcmp(argrest, "S") == 0)
1990 smtp_input = smtp_batched_input = receiving_message = TRUE;
1991
1992 /* -bs: Read SMTP commands on standard input and produce SMTP replies
1993 on standard output. */
1994
1995 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
1996
1997 /* -bt: address testing mode */
1998
1999 else if (Ustrcmp(argrest, "t") == 0)
2000 address_test_mode = checking = log_testing_mode = TRUE;
2001
2002 /* -bv: verify addresses */
2003
2004 else if (Ustrcmp(argrest, "v") == 0)
2005 verify_address_mode = checking = log_testing_mode = TRUE;
2006
2007 /* -bvs: verify sender addresses */
2008
2009 else if (Ustrcmp(argrest, "vs") == 0)
2010 {
2011 verify_address_mode = checking = log_testing_mode = TRUE;
2012 verify_as_sender = TRUE;
2013 }
2014
2015 /* -bV: Print version string and support details */
2016
2017 else if (Ustrcmp(argrest, "V") == 0)
2018 {
2019 printf("Exim version %s #%s built %s\n", version_string,
2020 version_cnumber, version_date);
2021 printf("%s\n", CS version_copyright);
2022 version_printed = TRUE;
2023 show_whats_supported(stdout);
2024 }
2025
2026 else badarg = TRUE;
2027 break;
2028
2029
2030 /* -C: change configuration file list; ignore if it isn't really
2031 a change! Enforce a prefix check if required. */
2032
2033 case 'C':
2034 if (*argrest == 0)
2035 {
2036 if(++i < argc) argrest = argv[i]; else
2037 { badarg = TRUE; break; }
2038 }
2039 if (Ustrcmp(config_main_filelist, argrest) != 0)
2040 {
2041 #ifdef ALT_CONFIG_PREFIX
2042 int sep = 0;
2043 int len = Ustrlen(ALT_CONFIG_PREFIX);
2044 uschar *list = argrest;
2045 uschar *filename;
2046 while((filename = string_nextinlist(&list, &sep, big_buffer,
2047 big_buffer_size)) != NULL)
2048 {
2049 if ((Ustrlen(filename) < len ||
2050 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2051 Ustrstr(filename, "/../") != NULL) &&
2052 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2053 {
2054 fprintf(stderr, "-C Permission denied\n");
2055 exit(EXIT_FAILURE);
2056 }
2057 }
2058 #endif
2059 if (real_uid != root_uid)
2060 {
2061 #ifdef TRUSTED_CONFIG_LIST
2062
2063 if (real_uid != exim_uid
2064 #ifdef CONFIGURE_OWNER
2065 && real_uid != config_uid
2066 #endif
2067 )
2068 trusted_config = FALSE;
2069 else
2070 {
2071 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2072 if (trust_list)
2073 {
2074 struct stat statbuf;
2075
2076 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2077 (statbuf.st_uid != root_uid /* owner not root */
2078 #ifdef CONFIGURE_OWNER
2079 && statbuf.st_uid != config_uid /* owner not the special one */
2080 #endif
2081 ) || /* or */
2082 (statbuf.st_gid != root_gid /* group not root */
2083 #ifdef CONFIGURE_GROUP
2084 && statbuf.st_gid != config_gid /* group not the special one */
2085 #endif
2086 && (statbuf.st_mode & 020) != 0 /* group writeable */
2087 ) || /* or */
2088 (statbuf.st_mode & 2) != 0) /* world writeable */
2089 {
2090 trusted_config = FALSE;
2091 fclose(trust_list);
2092 }
2093 else
2094 {
2095 /* Well, the trust list at least is up to scratch... */
2096 void *reset_point = store_get(0);
2097 uschar *trusted_configs[32];
2098 int nr_configs = 0;
2099 int i = 0;
2100
2101 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2102 {
2103 uschar *start = big_buffer, *nl;
2104 while (*start && isspace(*start))
2105 start++;
2106 if (*start != '/')
2107 continue;
2108 nl = Ustrchr(start, '\n');
2109 if (nl)
2110 *nl = 0;
2111 trusted_configs[nr_configs++] = string_copy(start);
2112 if (nr_configs == 32)
2113 break;
2114 }
2115 fclose(trust_list);
2116
2117 if (nr_configs)
2118 {
2119 int sep = 0;
2120 uschar *list = argrest;
2121 uschar *filename;
2122 while (trusted_config && (filename = string_nextinlist(&list,
2123 &sep, big_buffer, big_buffer_size)) != NULL)
2124 {
2125 for (i=0; i < nr_configs; i++)
2126 {
2127 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2128 break;
2129 }
2130 if (i == nr_configs)
2131 {
2132 trusted_config = FALSE;
2133 break;
2134 }
2135 }
2136 store_reset(reset_point);
2137 }
2138 else
2139 {
2140 /* No valid prefixes found in trust_list file. */
2141 trusted_config = FALSE;
2142 }
2143 }
2144 }
2145 else
2146 {
2147 /* Could not open trust_list file. */
2148 trusted_config = FALSE;
2149 }
2150 }
2151 #else
2152 /* Not root; don't trust config */
2153 trusted_config = FALSE;
2154 #endif
2155 }
2156
2157 config_main_filelist = argrest;
2158 config_changed = TRUE;
2159 }
2160 break;
2161
2162
2163 /* -D: set up a macro definition */
2164
2165 case 'D':
2166 #ifdef DISABLE_D_OPTION
2167 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2168 exit(EXIT_FAILURE);
2169 #else
2170 {
2171 int ptr = 0;
2172 macro_item *mlast = NULL;
2173 macro_item *m;
2174 uschar name[24];
2175 uschar *s = argrest;
2176
2177 while (isspace(*s)) s++;
2178
2179 if (*s < 'A' || *s > 'Z')
2180 {
2181 fprintf(stderr, "exim: macro name set by -D must start with "
2182 "an upper case letter\n");
2183 exit(EXIT_FAILURE);
2184 }
2185
2186 while (isalnum(*s) || *s == '_')
2187 {
2188 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2189 s++;
2190 }
2191 name[ptr] = 0;
2192 if (ptr == 0) { badarg = TRUE; break; }
2193 while (isspace(*s)) s++;
2194 if (*s != 0)
2195 {
2196 if (*s++ != '=') { badarg = TRUE; break; }
2197 while (isspace(*s)) s++;
2198 }
2199
2200 for (m = macros; m != NULL; m = m->next)
2201 {
2202 if (Ustrcmp(m->name, name) == 0)
2203 {
2204 fprintf(stderr, "exim: duplicated -D in command line\n");
2205 exit(EXIT_FAILURE);
2206 }
2207 mlast = m;
2208 }
2209
2210 m = store_get(sizeof(macro_item) + Ustrlen(name));
2211 m->next = NULL;
2212 m->command_line = TRUE;
2213 if (mlast == NULL) macros = m; else mlast->next = m;
2214 Ustrcpy(m->name, name);
2215 m->replacement = string_copy(s);
2216
2217 if (clmacro_count >= MAX_CLMACROS)
2218 {
2219 fprintf(stderr, "exim: too many -D options on command line\n");
2220 exit(EXIT_FAILURE);
2221 }
2222 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2223 m->replacement);
2224 }
2225 #endif
2226 break;
2227
2228 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2229 The latter is now a no-op, retained for compatibility only. If -dd is used,
2230 debugging subprocesses of the daemon is disabled. */
2231
2232 case 'd':
2233 if (Ustrcmp(argrest, "ropcr") == 0)
2234 {
2235 /* drop_cr = TRUE; */
2236 }
2237
2238 /* Use an intermediate variable so that we don't set debugging while
2239 decoding the debugging bits. */
2240
2241 else
2242 {
2243 unsigned int selector = D_default;
2244 debug_selector = 0;
2245 debug_file = NULL;
2246 if (*argrest == 'd')
2247 {
2248 debug_daemon = TRUE;
2249 argrest++;
2250 }
2251 if (*argrest != 0)
2252 decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
2253 debug_options_count, US"debug", 0);
2254 debug_selector = selector;
2255 }
2256 break;
2257
2258
2259 /* -E: This is a local error message. This option is not intended for
2260 external use at all, but is not restricted to trusted callers because it
2261 does no harm (just suppresses certain error messages) and if Exim is run
2262 not setuid root it won't always be trusted when it generates error
2263 messages using this option. If there is a message id following -E, point
2264 message_reference at it, for logging. */
2265
2266 case 'E':
2267 local_error_message = TRUE;
2268 if (mac_ismsgid(argrest)) message_reference = argrest;
2269 break;
2270
2271
2272 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2273 option, so it looks as if historically the -oex options are also callable
2274 without the leading -o. So we have to accept them. Before the switch,
2275 anything starting -oe has been converted to -e. Exim does not support all
2276 of the sendmail error options. */
2277
2278 case 'e':
2279 if (Ustrcmp(argrest, "e") == 0)
2280 {
2281 arg_error_handling = ERRORS_SENDER;
2282 errors_sender_rc = EXIT_SUCCESS;
2283 }
2284 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2285 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2286 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2287 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2288 else badarg = TRUE;
2289 break;
2290
2291
2292 /* -F: Set sender's full name, used instead of the gecos entry from
2293 the password file. Since users can usually alter their gecos entries,
2294 there's no security involved in using this instead. The data can follow
2295 the -F or be in the next argument. */
2296
2297 case 'F':
2298 if (*argrest == 0)
2299 {
2300 if(++i < argc) argrest = argv[i]; else
2301 { badarg = TRUE; break; }
2302 }
2303 originator_name = argrest;
2304 sender_name_forced = TRUE;
2305 break;
2306
2307
2308 /* -f: Set sender's address - this value is only actually used if Exim is
2309 run by a trusted user, or if untrusted_set_sender is set and matches the
2310 address, except that the null address can always be set by any user. The
2311 test for this happens later, when the value given here is ignored when not
2312 permitted. For an untrusted user, the actual sender is still put in Sender:
2313 if it doesn't match the From: header (unless no_local_from_check is set).
2314 The data can follow the -f or be in the next argument. The -r switch is an
2315 obsolete form of -f but since there appear to be programs out there that
2316 use anything that sendmail has ever supported, better accept it - the
2317 synonymizing is done before the switch above.
2318
2319 At this stage, we must allow domain literal addresses, because we don't
2320 know what the setting of allow_domain_literals is yet. Ditto for trailing
2321 dots and strip_trailing_dot. */
2322
2323 case 'f':
2324 {
2325 int start, end;
2326 uschar *errmess;
2327 if (*argrest == 0)
2328 {
2329 if (i+1 < argc) argrest = argv[++i]; else
2330 { badarg = TRUE; break; }
2331 }
2332 if (*argrest == 0)
2333 {
2334 sender_address = string_sprintf(""); /* Ensure writeable memory */
2335 }
2336 else
2337 {
2338 uschar *temp = argrest + Ustrlen(argrest) - 1;
2339 while (temp >= argrest && isspace(*temp)) temp--;
2340 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2341 allow_domain_literals = TRUE;
2342 strip_trailing_dot = TRUE;
2343 sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2344 &sender_address_domain, TRUE);
2345 allow_domain_literals = FALSE;
2346 strip_trailing_dot = FALSE;
2347 if (sender_address == NULL)
2348 {
2349 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2350 return EXIT_FAILURE;
2351 }
2352 }
2353 sender_address_forced = TRUE;
2354 }
2355 break;
2356
2357 /* This is some Sendmail thing which can be ignored */
2358
2359 case 'G':
2360 break;
2361
2362 /* -h: Set the hop count for an incoming message. Exim does not currently
2363 support this; it always computes it by counting the Received: headers.
2364 To put it in will require a change to the spool header file format. */
2365
2366 case 'h':
2367 if (*argrest == 0)
2368 {
2369 if(++i < argc) argrest = argv[i]; else
2370 { badarg = TRUE; break; }
2371 }
2372 if (!isdigit(*argrest)) badarg = TRUE;
2373 break;
2374
2375
2376 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2377 not to be documented for sendmail but mailx (at least) uses it) */
2378
2379 case 'i':
2380 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2381 break;
2382
2383
2384 case 'M':
2385 receiving_message = FALSE;
2386
2387 /* -MC: continue delivery of another message via an existing open
2388 file descriptor. This option is used for an internal call by the
2389 smtp transport when there is a pending message waiting to go to an
2390 address to which it has got a connection. Five subsequent arguments are
2391 required: transport name, host name, IP address, sequence number, and
2392 message_id. Transports may decline to create new processes if the sequence
2393 number gets too big. The channel is stdin. This (-MC) must be the last
2394 argument. There's a subsequent check that the real-uid is privileged.
2395
2396 If we are running in the test harness. delay for a bit, to let the process
2397 that set this one up complete. This makes for repeatability of the logging,
2398 etc. output. */
2399
2400 if (Ustrcmp(argrest, "C") == 0)
2401 {
2402 union sockaddr_46 interface_sock;
2403 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2404
2405 if (argc != i + 6)
2406 {
2407 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2408 return EXIT_FAILURE;
2409 }
2410
2411 if (msg_action_arg >= 0)
2412 {
2413 fprintf(stderr, "exim: incompatible arguments\n");
2414 return EXIT_FAILURE;
2415 }
2416
2417 continue_transport = argv[++i];
2418 continue_hostname = argv[++i];
2419 continue_host_address = argv[++i];
2420 continue_sequence = Uatoi(argv[++i]);
2421 msg_action = MSG_DELIVER;
2422 msg_action_arg = ++i;
2423 forced_delivery = TRUE;
2424 queue_run_pid = passed_qr_pid;
2425 queue_run_pipe = passed_qr_pipe;
2426
2427 if (!mac_ismsgid(argv[i]))
2428 {
2429 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2430 argv[i]);
2431 return EXIT_FAILURE;
2432 }
2433
2434 /* Set up $sending_ip_address and $sending_port */
2435
2436 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2437 &size) == 0)
2438 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2439 &sending_port);
2440 else
2441 {
2442 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2443 strerror(errno));
2444 return EXIT_FAILURE;
2445 }
2446
2447 if (running_in_test_harness) millisleep(500);
2448 break;
2449 }
2450
2451 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2452 precedes -MC (see above). The flag indicates that the host to which
2453 Exim is connected has accepted an AUTH sequence. */
2454
2455 else if (Ustrcmp(argrest, "CA") == 0)
2456 {
2457 smtp_authenticated = TRUE;
2458 break;
2459 }
2460
2461 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2462 it preceded -MC (see above) */
2463
2464 else if (Ustrcmp(argrest, "CP") == 0)
2465 {
2466 smtp_use_pipelining = TRUE;
2467 break;
2468 }
2469
2470 /* -MCQ: pass on the pid of the queue-running process that started
2471 this chain of deliveries and the fd of its synchronizing pipe; this
2472 is useful only when it precedes -MC (see above) */
2473
2474 else if (Ustrcmp(argrest, "CQ") == 0)
2475 {
2476 if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2477 else badarg = TRUE;
2478 if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2479 else badarg = TRUE;
2480 break;
2481 }
2482
2483 /* -MCS: set the smtp_use_size flag; this is useful only when it
2484 precedes -MC (see above) */
2485
2486 else if (Ustrcmp(argrest, "CS") == 0)
2487 {
2488 smtp_use_size = TRUE;
2489 break;
2490 }
2491
2492 /* -MCT: set the tls_offered flag; this is useful only when it
2493 precedes -MC (see above). The flag indicates that the host to which
2494 Exim is connected has offered TLS support. */
2495
2496 #ifdef SUPPORT_TLS
2497 else if (Ustrcmp(argrest, "CT") == 0)
2498 {
2499 tls_offered = TRUE;
2500 break;
2501 }
2502 #endif
2503
2504 /* -M[x]: various operations on the following list of message ids:
2505 -M deliver the messages, ignoring next retry times and thawing
2506 -Mc deliver the messages, checking next retry times, no thawing
2507 -Mf freeze the messages
2508 -Mg give up on the messages
2509 -Mt thaw the messages
2510 -Mrm remove the messages
2511 In the above cases, this must be the last option. There are also the
2512 following options which are followed by a single message id, and which
2513 act on that message. Some of them use the "recipient" addresses as well.
2514 -Mar add recipient(s)
2515 -Mmad mark all recipients delivered
2516 -Mmd mark recipients(s) delivered
2517 -Mes edit sender
2518 -Mset load a message for use with -be
2519 -Mvb show body
2520 -Mvc show copy (of whole message, in RFC 2822 format)
2521 -Mvh show header
2522 -Mvl show log
2523 */
2524
2525 else if (*argrest == 0)
2526 {
2527 msg_action = MSG_DELIVER;
2528 forced_delivery = deliver_force_thaw = TRUE;
2529 }
2530 else if (Ustrcmp(argrest, "ar") == 0)
2531 {
2532 msg_action = MSG_ADD_RECIPIENT;
2533 one_msg_action = TRUE;
2534 }
2535 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2536 else if (Ustrcmp(argrest, "es") == 0)
2537 {
2538 msg_action = MSG_EDIT_SENDER;
2539 one_msg_action = TRUE;
2540 }
2541 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2542 else if (Ustrcmp(argrest, "g") == 0)
2543 {
2544 msg_action = MSG_DELIVER;
2545 deliver_give_up = TRUE;
2546 }
2547 else if (Ustrcmp(argrest, "mad") == 0)
2548 {
2549 msg_action = MSG_MARK_ALL_DELIVERED;
2550 }
2551 else if (Ustrcmp(argrest, "md") == 0)
2552 {
2553 msg_action = MSG_MARK_DELIVERED;
2554 one_msg_action = TRUE;
2555 }
2556 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2557 else if (Ustrcmp(argrest, "set") == 0)
2558 {
2559 msg_action = MSG_LOAD;
2560 one_msg_action = TRUE;
2561 }
2562 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2563 else if (Ustrcmp(argrest, "vb") == 0)
2564 {
2565 msg_action = MSG_SHOW_BODY;
2566 one_msg_action = TRUE;
2567 }
2568 else if (Ustrcmp(argrest, "vc") == 0)
2569 {
2570 msg_action = MSG_SHOW_COPY;
2571 one_msg_action = TRUE;
2572 }
2573 else if (Ustrcmp(argrest, "vh") == 0)
2574 {
2575 msg_action = MSG_SHOW_HEADER;
2576 one_msg_action = TRUE;
2577 }
2578 else if (Ustrcmp(argrest, "vl") == 0)
2579 {
2580 msg_action = MSG_SHOW_LOG;
2581 one_msg_action = TRUE;
2582 }
2583 else { badarg = TRUE; break; }
2584
2585 /* All the -Mxx options require at least one message id. */
2586
2587 msg_action_arg = i + 1;
2588 if (msg_action_arg >= argc)
2589 {
2590 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2591 return EXIT_FAILURE;
2592 }
2593
2594 /* Some require only message ids to follow */
2595
2596 if (!one_msg_action)
2597 {
2598 int j;
2599 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2600 {
2601 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2602 argv[j], arg);
2603 return EXIT_FAILURE;
2604 }
2605 goto END_ARG; /* Remaining args are ids */
2606 }
2607
2608 /* Others require only one message id, possibly followed by addresses,
2609 which will be handled as normal arguments. */
2610
2611 else
2612 {
2613 if (!mac_ismsgid(argv[msg_action_arg]))
2614 {
2615 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2616 argv[msg_action_arg], arg);
2617 return EXIT_FAILURE;
2618 }
2619 i++;
2620 }
2621 break;
2622
2623
2624 /* Some programs seem to call the -om option without the leading o;
2625 for sendmail it askes for "me too". Exim always does this. */
2626
2627 case 'm':
2628 if (*argrest != 0) badarg = TRUE;
2629 break;
2630
2631
2632 /* -N: don't do delivery - a debugging option that stops transports doing
2633 their thing. It implies debugging at the D_v level. */
2634
2635 case 'N':
2636 if (*argrest == 0)
2637 {
2638 dont_deliver = TRUE;
2639 debug_selector |= D_v;
2640 debug_file = stderr;
2641 }
2642 else badarg = TRUE;
2643 break;
2644
2645
2646 /* -n: This means "don't alias" in sendmail, apparently. Just ignore
2647 it. */
2648
2649 case 'n':
2650 break;
2651
2652 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2653 option to the specified value. This form uses long names. We need to handle
2654 -O option=value and -Ooption=value. */
2655
2656 case 'O':
2657 if (*argrest == 0)
2658 {
2659 if (++i >= argc)
2660 {
2661 fprintf(stderr, "exim: string expected after -O\n");
2662 exit(EXIT_FAILURE);
2663 }
2664 }
2665 break;
2666
2667 case 'o':
2668
2669 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2670 file" option). */
2671
2672 if (*argrest == 'A')
2673 {
2674 alias_arg = argrest + 1;
2675 if (alias_arg[0] == 0)
2676 {
2677 if (i+1 < argc) alias_arg = argv[++i]; else
2678 {
2679 fprintf(stderr, "exim: string expected after -oA\n");
2680 exit(EXIT_FAILURE);
2681 }
2682 }
2683 }
2684
2685 /* -oB: Set a connection message max value for remote deliveries */
2686
2687 else if (*argrest == 'B')
2688 {
2689 uschar *p = argrest + 1;
2690 if (p[0] == 0)
2691 {
2692 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2693 {
2694 connection_max_messages = 1;
2695 p = NULL;
2696 }
2697 }
2698
2699 if (p != NULL)
2700 {
2701 if (!isdigit(*p))
2702 {
2703 fprintf(stderr, "exim: number expected after -oB\n");
2704 exit(EXIT_FAILURE);
2705 }
2706 connection_max_messages = Uatoi(p);
2707 }
2708 }
2709
2710 /* -odb: background delivery */
2711
2712 else if (Ustrcmp(argrest, "db") == 0)
2713 {
2714 synchronous_delivery = FALSE;
2715 arg_queue_only = FALSE;
2716 queue_only_set = TRUE;
2717 }
2718
2719 /* -odf: foreground delivery (smail-compatible option); same effect as
2720 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2721 */
2722
2723 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2724 {
2725 synchronous_delivery = TRUE;
2726 arg_queue_only = FALSE;
2727 queue_only_set = TRUE;
2728 }
2729
2730 /* -odq: queue only */
2731
2732 else if (Ustrcmp(argrest, "dq") == 0)
2733 {
2734 synchronous_delivery = FALSE;
2735 arg_queue_only = TRUE;
2736 queue_only_set = TRUE;
2737 }
2738
2739 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2740 but no remote delivery */
2741
2742 else if (Ustrcmp(argrest, "dqs") == 0)
2743 {
2744 queue_smtp = TRUE;
2745 arg_queue_only = FALSE;
2746 queue_only_set = TRUE;
2747 }
2748
2749 /* -oex: Sendmail error flags. As these are also accepted without the
2750 leading -o prefix, for compatibility with vacation and other callers,
2751 they are handled with -e above. */
2752
2753 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2754 -oitrue: Another sendmail syntax for the same */
2755
2756 else if (Ustrcmp(argrest, "i") == 0 ||
2757 Ustrcmp(argrest, "itrue") == 0)
2758 dot_ends = FALSE;
2759
2760 /* -oM*: Set various characteristics for an incoming message; actually
2761 acted on for trusted callers only. */
2762
2763 else if (*argrest == 'M')
2764 {
2765 if (i+1 >= argc)
2766 {
2767 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2768 exit(EXIT_FAILURE);
2769 }
2770
2771 /* -oMa: Set sender host address */
2772
2773 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2774
2775 /* -oMaa: Set authenticator name */
2776
2777 else if (Ustrcmp(argrest, "Maa") == 0)
2778 sender_host_authenticated = argv[++i];
2779
2780 /* -oMas: setting authenticated sender */
2781
2782 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2783
2784 /* -oMai: setting authenticated id */
2785
2786 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2787
2788 /* -oMi: Set incoming interface address */
2789
2790 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2791
2792 /* -oMr: Received protocol */
2793
2794 else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2795
2796 /* -oMs: Set sender host name */
2797
2798 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2799
2800 /* -oMt: Set sender ident */
2801
2802 else if (Ustrcmp(argrest, "Mt") == 0)
2803 {
2804 sender_ident_set = TRUE;
2805 sender_ident = argv[++i];
2806 }
2807
2808 /* Else a bad argument */
2809
2810 else
2811 {
2812 badarg = TRUE;
2813 break;
2814 }
2815 }
2816
2817 /* -om: Me-too flag for aliases. Exim always does this. Some programs
2818 seem to call this as -m (undocumented), so that is also accepted (see
2819 above). */
2820
2821 else if (Ustrcmp(argrest, "m") == 0) {}
2822
2823 /* -oo: An ancient flag for old-style addresses which still seems to
2824 crop up in some calls (see in SCO). */
2825
2826 else if (Ustrcmp(argrest, "o") == 0) {}
2827
2828 /* -oP <name>: set pid file path for daemon */
2829
2830 else if (Ustrcmp(argrest, "P") == 0)
2831 override_pid_file_path = argv[++i];
2832
2833 /* -or <n>: set timeout for non-SMTP acceptance
2834 -os <n>: set timeout for SMTP acceptance */
2835
2836 else if (*argrest == 'r' || *argrest == 's')
2837 {
2838 int *tp = (*argrest == 'r')?
2839 &arg_receive_timeout : &arg_smtp_receive_timeout;
2840 if (argrest[1] == 0)
2841 {
2842 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2843 }
2844 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2845 if (*tp < 0)
2846 {
2847 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2848 exit(EXIT_FAILURE);
2849 }
2850 }
2851
2852 /* -oX <list>: Override local_interfaces and/or default daemon ports */
2853
2854 else if (Ustrcmp(argrest, "X") == 0)
2855 override_local_interfaces = argv[++i];
2856
2857 /* Unknown -o argument */
2858
2859 else badarg = TRUE;
2860 break;
2861
2862
2863 /* -ps: force Perl startup; -pd force delayed Perl startup */
2864
2865 case 'p':
2866 #ifdef EXIM_PERL
2867 if (*argrest == 's' && argrest[1] == 0)
2868 {
2869 perl_start_option = 1;
2870 break;
2871 }
2872 if (*argrest == 'd' && argrest[1] == 0)
2873 {
2874 perl_start_option = -1;
2875 break;
2876 }
2877 #endif
2878
2879 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
2880 which sets the host protocol and host name */
2881
2882 if (*argrest == 0)
2883 {
2884 if (i+1 < argc) argrest = argv[++i]; else
2885 { badarg = TRUE; break; }
2886 }
2887
2888 if (*argrest != 0)
2889 {
2890 uschar *hn = Ustrchr(argrest, ':');
2891 if (hn == NULL)
2892 {
2893 received_protocol = argrest;
2894 }
2895 else
2896 {
2897 received_protocol = string_copyn(argrest, hn - argrest);
2898 sender_host_name = hn + 1;
2899 }
2900 }
2901 break;
2902
2903
2904 case 'q':
2905 receiving_message = FALSE;
2906 if (queue_interval >= 0)
2907 {
2908 fprintf(stderr, "exim: -q specified more than once\n");
2909 exit(EXIT_FAILURE);
2910 }
2911
2912 /* -qq...: Do queue runs in a 2-stage manner */
2913
2914 if (*argrest == 'q')
2915 {
2916 queue_2stage = TRUE;
2917 argrest++;
2918 }
2919
2920 /* -qi...: Do only first (initial) deliveries */
2921
2922 if (*argrest == 'i')
2923 {
2924 queue_run_first_delivery = TRUE;
2925 argrest++;
2926 }
2927
2928 /* -qf...: Run the queue, forcing deliveries
2929 -qff..: Ditto, forcing thawing as well */
2930
2931 if (*argrest == 'f')
2932 {
2933 queue_run_force = TRUE;
2934 if (*(++argrest) == 'f')
2935 {
2936 deliver_force_thaw = TRUE;
2937 argrest++;
2938 }
2939 }
2940
2941 /* -q[f][f]l...: Run the queue only on local deliveries */
2942
2943 if (*argrest == 'l')
2944 {
2945 queue_run_local = TRUE;
2946 argrest++;
2947 }
2948
2949 /* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
2950 optionally starting from a given message id. */
2951
2952 if (*argrest == 0 &&
2953 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
2954 {
2955 queue_interval = 0;
2956 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2957 start_queue_run_id = argv[++i];
2958 if (i+1 < argc && mac_ismsgid(argv[i+1]))
2959 stop_queue_run_id = argv[++i];
2960 }
2961
2962 /* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
2963 optionally local only. */
2964
2965 else
2966 {
2967 if (*argrest != 0)
2968 queue_interval = readconf_readtime(argrest, 0, FALSE);
2969 else
2970 queue_interval = readconf_readtime(argv[++i], 0, FALSE);
2971 if (queue_interval <= 0)
2972 {
2973 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2974 exit(EXIT_FAILURE);
2975 }
2976 }
2977 break;
2978
2979
2980 case 'R': /* Synonymous with -qR... */
2981 receiving_message = FALSE;
2982
2983 /* -Rf: As -R (below) but force all deliveries,
2984 -Rff: Ditto, but also thaw all frozen messages,
2985 -Rr: String is regex
2986 -Rrf: Regex and force
2987 -Rrff: Regex and force and thaw
2988
2989 in all cases provided there are no further characters in this
2990 argument. */
2991
2992 if (*argrest != 0)
2993 {
2994 int i;
2995 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
2996 {
2997 if (Ustrcmp(argrest, rsopts[i]) == 0)
2998 {
2999 if (i != 2) queue_run_force = TRUE;
3000 if (i >= 2) deliver_selectstring_regex = TRUE;
3001 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3002 argrest += Ustrlen(rsopts[i]);
3003 }
3004 }
3005 }
3006
3007 /* -R: Set string to match in addresses for forced queue run to
3008 pick out particular messages. */
3009
3010 if (*argrest == 0)
3011 {
3012 if (i+1 < argc) deliver_selectstring = argv[++i]; else
3013 {
3014 fprintf(stderr, "exim: string expected after -R\n");
3015 exit(EXIT_FAILURE);
3016 }
3017 }
3018 else deliver_selectstring = argrest;
3019 break;
3020
3021
3022 /* -r: an obsolete synonym for -f (see above) */
3023
3024
3025 /* -S: Like -R but works on sender. */
3026
3027 case 'S': /* Synonymous with -qS... */
3028 receiving_message = FALSE;
3029
3030 /* -Sf: As -S (below) but force all deliveries,
3031 -Sff: Ditto, but also thaw all frozen messages,
3032 -Sr: String is regex
3033 -Srf: Regex and force
3034 -Srff: Regex and force and thaw
3035
3036 in all cases provided there are no further characters in this
3037 argument. */
3038
3039 if (*argrest != 0)
3040 {
3041 int i;
3042 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3043 {
3044 if (Ustrcmp(argrest, rsopts[i]) == 0)
3045 {
3046 if (i != 2) queue_run_force = TRUE;
3047 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3048 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3049 argrest += Ustrlen(rsopts[i]);
3050 }
3051 }
3052 }
3053
3054 /* -S: Set string to match in addresses for forced queue run to
3055 pick out particular messages. */
3056
3057 if (*argrest == 0)
3058 {
3059 if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
3060 {
3061 fprintf(stderr, "exim: string expected after -S\n");
3062 exit(EXIT_FAILURE);
3063 }
3064 }
3065 else deliver_selectstring_sender = argrest;
3066 break;
3067
3068 /* -Tqt is an option that is exclusively for use by the testing suite.
3069 It is not recognized in other circumstances. It allows for the setting up
3070 of explicit "queue times" so that various warning/retry things can be
3071 tested. Otherwise variability of clock ticks etc. cause problems. */
3072
3073 case 'T':
3074 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3075 fudged_queue_times = argv[++i];
3076 else badarg = TRUE;
3077 break;
3078
3079
3080 /* -t: Set flag to extract recipients from body of message. */
3081
3082 case 't':
3083 if (*argrest == 0) extract_recipients = TRUE;
3084
3085 /* -ti: Set flag to extract recipients from body of message, and also
3086 specify that dot does not end the message. */
3087
3088 else if (Ustrcmp(argrest, "i") == 0)
3089 {
3090 extract_recipients = TRUE;
3091 dot_ends = FALSE;
3092 }
3093
3094 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3095
3096 #ifdef SUPPORT_TLS
3097 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
3098 #endif
3099
3100 else badarg = TRUE;
3101 break;
3102
3103
3104 /* -U: This means "initial user submission" in sendmail, apparently. The
3105 doc claims that in future sendmail may refuse syntactically invalid
3106 messages instead of fixing them. For the moment, we just ignore it. */
3107
3108 case 'U':
3109 break;
3110
3111
3112 /* -v: verify things - this is a very low-level debugging */
3113
3114 case 'v':
3115 if (*argrest == 0)
3116 {
3117 debug_selector |= D_v;
3118 debug_file = stderr;
3119 }
3120 else badarg = TRUE;
3121 break;
3122
3123
3124 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3125
3126 The -x flag tells the sendmail command that mail from a local
3127 mail program has National Language Support (NLS) extended characters
3128 in the body of the mail item. The sendmail command can send mail with
3129 extended NLS characters across networks that normally corrupts these
3130 8-bit characters.
3131
3132 As Exim is 8-bit clean, it just ignores this flag. */
3133
3134 case 'x':
3135 if (*argrest != 0) badarg = TRUE;
3136 break;
3137
3138 /* All other initial characters are errors */
3139
3140 default:
3141 badarg = TRUE;
3142 break;
3143 } /* End of high-level switch statement */
3144
3145 /* Failed to recognize the option, or syntax error */
3146
3147 if (badarg)
3148 {
3149 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3150 "option %s\n", arg);
3151 exit(EXIT_FAILURE);
3152 }
3153 }
3154
3155
3156 /* If -R or -S have been specified without -q, assume a single queue run. */
3157
3158 if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
3159 queue_interval < 0) queue_interval = 0;
3160
3161
3162 END_ARG:
3163 /* If usage_wanted is set we call the usage function - which never returns */
3164 if (usage_wanted) exim_usage(called_as);
3165
3166 /* Arguments have been processed. Check for incompatibilities. */
3167 if ((
3168 (smtp_input || extract_recipients || recipients_arg < argc) &&
3169 (daemon_listen || queue_interval >= 0 || bi_option ||
3170 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3171 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3172 ) ||
3173 (
3174 msg_action_arg > 0 &&
3175 (daemon_listen || queue_interval >= 0 || list_options ||
3176 (checking && msg_action != MSG_LOAD) ||
3177 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3178 ) ||
3179 (
3180 (daemon_listen || queue_interval >= 0) &&
3181 (sender_address != NULL || list_options || list_queue || checking ||
3182 bi_option)
3183 ) ||
3184 (
3185 daemon_listen && queue_interval == 0
3186 ) ||
3187 (
3188 list_options &&
3189 (checking || smtp_input || extract_recipients ||
3190 filter_test != FTEST_NONE || bi_option)
3191 ) ||
3192 (
3193 verify_address_mode &&
3194 (address_test_mode || smtp_input || extract_recipients ||
3195 filter_test != FTEST_NONE || bi_option)
3196 ) ||
3197 (
3198 address_test_mode && (smtp_input || extract_recipients ||
3199 filter_test != FTEST_NONE || bi_option)
3200 ) ||
3201 (
3202 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3203 extract_recipients)
3204 ) ||
3205 (
3206 deliver_selectstring != NULL && queue_interval < 0
3207 ) ||
3208 (
3209 msg_action == MSG_LOAD &&
3210 (!expansion_test || expansion_test_message != NULL)
3211 )
3212 )
3213 {
3214 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3215 exit(EXIT_FAILURE);
3216 }
3217
3218 /* If debugging is set up, set the file and the file descriptor to pass on to
3219 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3220 to run in the foreground. */
3221
3222 if (debug_selector != 0)
3223 {
3224 debug_file = stderr;
3225 debug_fd = fileno(debug_file);
3226 background_daemon = FALSE;
3227 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3228 if (debug_selector != D_v) /* -v only doesn't show this */
3229 {
3230 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3231 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3232 debug_selector);
3233 if (!version_printed)
3234 show_whats_supported(stderr);
3235 }
3236 }
3237
3238 /* When started with root privilege, ensure that the limits on the number of
3239 open files and the number of processes (where that is accessible) are
3240 sufficiently large, or are unset, in case Exim has been called from an
3241 environment where the limits are screwed down. Not all OS have the ability to
3242 change some of these limits. */
3243
3244 if (unprivileged)
3245 {
3246 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3247 }
3248 else
3249 {
3250 struct rlimit rlp;
3251
3252 #ifdef RLIMIT_NOFILE
3253 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3254 {
3255 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3256 strerror(errno));
3257 rlp.rlim_cur = rlp.rlim_max = 0;
3258 }
3259
3260 /* I originally chose 1000 as a nice big number that was unlikely to
3261 be exceeded. It turns out that some older OS have a fixed upper limit of
3262 256. */
3263
3264 if (rlp.rlim_cur < 1000)
3265 {
3266 rlp.rlim_cur = rlp.rlim_max = 1000;
3267 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3268 {
3269 rlp.rlim_cur = rlp.rlim_max = 256;
3270 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3271 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3272 strerror(errno));
3273 }
3274 }
3275 #endif
3276
3277 #ifdef RLIMIT_NPROC
3278 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3279 {
3280 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3281 strerror(errno));
3282 rlp.rlim_cur = rlp.rlim_max = 0;
3283 }
3284
3285 #ifdef RLIM_INFINITY
3286 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3287 {
3288 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3289 #else
3290 if (rlp.rlim_cur < 1000)
3291 {
3292 rlp.rlim_cur = rlp.rlim_max = 1000;
3293 #endif
3294 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3295 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3296 strerror(errno));
3297 }
3298 #endif
3299 }
3300
3301 /* Exim is normally entered as root (but some special configurations are
3302 possible that don't do this). However, it always spins off sub-processes that
3303 set their uid and gid as required for local delivery. We don't want to pass on
3304 any extra groups that root may belong to, so we want to get rid of them all at
3305 this point.
3306
3307 We need to obey setgroups() at this stage, before possibly giving up root
3308 privilege for a changed configuration file, but later on we might need to
3309 check on the additional groups for the admin user privilege - can't do that
3310 till after reading the config, which might specify the exim gid. Therefore,
3311 save the group list here first. */
3312
3313 group_count = getgroups(NGROUPS_MAX, group_list);
3314 if (group_count < 0)
3315 {
3316 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3317 exit(EXIT_FAILURE);
3318 }
3319
3320 /* There is a fundamental difference in some BSD systems in the matter of
3321 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3322 known not to be different. On the "different" systems there is a single group
3323 list, and the first entry in it is the current group. On all other versions of
3324 Unix there is a supplementary group list, which is in *addition* to the current
3325 group. Consequently, to get rid of all extraneous groups on a "standard" system
3326 you pass over 0 groups to setgroups(), while on a "different" system you pass
3327 over a single group - the current group, which is always the first group in the
3328 list. Calling setgroups() with zero groups on a "different" system results in
3329 an error return. The following code should cope with both types of system.
3330
3331 However, if this process isn't running as root, setgroups() can't be used
3332 since you have to be root to run it, even if throwing away groups. Not being
3333 root here happens only in some unusual configurations. We just ignore the
3334 error. */
3335
3336 if (setgroups(0, NULL) != 0)
3337 {
3338 if (setgroups(1, group_list) != 0 && !unprivileged)
3339 {
3340 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3341 exit(EXIT_FAILURE);
3342 }
3343 }
3344
3345 /* If the configuration file name has been altered by an argument on the
3346 command line (either a new file name or a macro definition) and the caller is
3347 not root, or if this is a filter testing run, remove any setuid privilege the
3348 program has and run as the underlying user.
3349
3350 The exim user is locked out of this, which severely restricts the use of -C
3351 for some purposes.
3352
3353 Otherwise, set the real ids to the effective values (should be root unless run
3354 from inetd, which it can either be root or the exim uid, if one is configured).
3355
3356 There is a private mechanism for bypassing some of this, in order to make it
3357 possible to test lots of configurations automatically, without having either to
3358 recompile each time, or to patch in an actual configuration file name and other
3359 values (such as the path name). If running in the test harness, pretend that
3360 configuration file changes and macro definitions haven't happened. */
3361
3362 if (( /* EITHER */
3363 (!trusted_config || /* Config changed, or */
3364 !macros_trusted()) && /* impermissible macros and */
3365 real_uid != root_uid && /* Not root, and */
3366 !running_in_test_harness /* Not fudged */
3367 ) || /* OR */
3368 expansion_test /* expansion testing */
3369 || /* OR */
3370 filter_test != FTEST_NONE) /* Filter testing */
3371 {
3372 setgroups(group_count, group_list);
3373 exim_setugid(real_uid, real_gid, FALSE,
3374 US"-C, -D, -be or -bf forces real uid");
3375 removed_privilege = TRUE;
3376
3377 /* In the normal case when Exim is called like this, stderr is available
3378 and should be used for any logging information because attempts to write
3379 to the log will usually fail. To arrange this, we unset really_exim. However,
3380 if no stderr is available there is no point - we might as well have a go
3381 at the log (if it fails, syslog will be written).
3382
3383 Note that if the invoker is Exim, the logs remain available. Messing with
3384 this causes unlogged successful deliveries. */
3385
3386 if ((log_stderr != NULL) && (real_uid != exim_uid))
3387 really_exim = FALSE;
3388 }
3389
3390 /* Privilege is to be retained for the moment. It may be dropped later,
3391 depending on the job that this Exim process has been asked to do. For now, set
3392 the real uid to the effective so that subsequent re-execs of Exim are done by a
3393 privileged user. */
3394
3395 else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3396
3397 /* If testing a filter, open the file(s) now, before wasting time doing other
3398 setups and reading the message. */
3399
3400 if ((filter_test & FTEST_SYSTEM) != 0)
3401 {
3402 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3403 if (filter_sfd < 0)
3404 {
3405 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3406 strerror(errno));
3407 return EXIT_FAILURE;
3408 }
3409 }
3410
3411 if ((filter_test & FTEST_USER) != 0)
3412 {
3413 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3414 if (filter_ufd < 0)
3415 {
3416 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
3417 strerror(errno));
3418 return EXIT_FAILURE;
3419 }
3420 }
3421
3422 /* Read the main runtime configuration data; this gives up if there
3423 is a failure. It leaves the configuration file open so that the subsequent
3424 configuration data for delivery can be read if needed. */
3425
3426 readconf_main();
3427
3428 /* Handle the decoding of logging options. */
3429
3430 decode_bits(&log_write_selector, &log_extra_selector, 0, 0,
3431 log_selector_string, log_options, log_options_count, US"log", 0);
3432
3433 DEBUG(D_any)
3434 {
3435 debug_printf("configuration file is %s\n", config_main_filename);
3436 debug_printf("log selectors = %08x %08x\n", log_write_selector,
3437 log_extra_selector);
3438 }
3439
3440 /* If domain literals are not allowed, check the sender address that was
3441 supplied with -f. Ditto for a stripped trailing dot. */
3442
3443 if (sender_address != NULL)
3444 {
3445 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3446 {
3447 fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3448 "allowed\n", sender_address);
3449 return EXIT_FAILURE;
3450 }
3451 if (f_end_dot && !strip_trailing_dot)
3452 {
3453 fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3454 "(trailing dot not allowed)\n", sender_address);
3455 return EXIT_FAILURE;
3456 }
3457 }
3458
3459 /* Paranoia check of maximum lengths of certain strings. There is a check
3460 on the length of the log file path in log.c, which will come into effect
3461 if there are any calls to write the log earlier than this. However, if we
3462 get this far but the string is very long, it is better to stop now than to
3463 carry on and (e.g.) receive a message and then have to collapse. The call to
3464 log_write() from here will cause the ultimate panic collapse if the complete
3465 file name exceeds the buffer length. */
3466
3467 if (Ustrlen(log_file_path) > 200)
3468 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3469 "log_file_path is longer than 200 chars: aborting");
3470
3471 if (Ustrlen(pid_file_path) > 200)
3472 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3473 "pid_file_path is longer than 200 chars: aborting");
3474
3475 if (Ustrlen(spool_directory) > 200)
3476 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3477 "spool_directory is longer than 200 chars: aborting");
3478
3479 /* Length check on the process name given to syslog for its TAG field,
3480 which is only permitted to be 32 characters or less. See RFC 3164. */
3481
3482 if (Ustrlen(syslog_processname) > 32)
3483 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3484 "syslog_processname is longer than 32 chars: aborting");
3485
3486 /* In some operating systems, the environment variable TMPDIR controls where
3487 temporary files are created; Exim doesn't use these (apart from when delivering
3488 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3489 If TMPDIR is found in the environment, reset it to the value defined in the
3490 TMPDIR macro, if this macro is defined. */
3491
3492 #ifdef TMPDIR
3493 {
3494 uschar **p;
3495 for (p = USS environ; *p != NULL; p++)
3496 {
3497 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3498 Ustrcmp(*p+7, TMPDIR) != 0)
3499 {
3500 uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3501 sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3502 *p = newp;
3503 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3504 }
3505 }
3506 }
3507 #endif
3508
3509 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3510 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3511 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3512 called by a user who has set the TZ variable. This then affects the timestamps
3513 in log files and in Received: headers, and any created Date: header lines. The
3514 required timezone is settable in the configuration file, so nothing can be done
3515 about this earlier - but hopefully nothing will normally be logged earlier than
3516 this. We have to make a new environment if TZ is wrong, but don't bother if
3517 timestamps_utc is set, because then all times are in UTC anyway. */
3518
3519 if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3520 {
3521 timestamps_utc = TRUE;
3522 }
3523 else
3524 {
3525 uschar *envtz = US getenv("TZ");
3526 if ((envtz == NULL && timezone_string != NULL) ||
3527 (envtz != NULL &&
3528 (timezone_string == NULL ||
3529 Ustrcmp(timezone_string, envtz) != 0)))
3530 {
3531 uschar **p = USS environ;
3532 uschar **new;
3533 uschar **newp;
3534 int count = 0;
3535 while (*p++ != NULL) count++;
3536 if (envtz == NULL) count++;
3537 newp = new = malloc(sizeof(uschar *) * (count + 1));
3538 for (p = USS environ; *p != NULL; p++)
3539 {
3540 if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3541 *newp++ = *p;
3542 }
3543 if (timezone_string != NULL)
3544 {
3545 *newp = malloc(Ustrlen(timezone_string) + 4);
3546 sprintf(CS *newp++, "TZ=%s", timezone_string);
3547 }
3548 *newp = NULL;
3549 environ = CSS new;
3550 tzset();
3551 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3552 tod_stamp(tod_log));
3553 }
3554 }
3555
3556 /* Handle the case when we have removed the setuid privilege because of -C or
3557 -D. This means that the caller of Exim was not root.
3558
3559 There is a problem if we were running as the Exim user. The sysadmin may
3560 expect this case to retain privilege because "the binary was called by the
3561 Exim user", but it hasn't, because either the -D option set macros, or the
3562 -C option set a non-trusted configuration file. There are two possibilities:
3563
3564 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3565 to do message deliveries. Thus, the fact that it is running as a
3566 non-privileged user is plausible, and might be wanted in some special
3567 configurations. However, really_exim will have been set false when
3568 privilege was dropped, to stop Exim trying to write to its normal log
3569 files. Therefore, re-enable normal log processing, assuming the sysadmin
3570 has set up the log directory correctly.
3571
3572 (2) If deliver_drop_privilege is not set, the configuration won't work as
3573 apparently intended, and so we log a panic message. In order to retain
3574 root for -C or -D, the caller must either be root or be invoking a
3575 trusted configuration file (when deliver_drop_privilege is false). */
3576
3577 if (removed_privilege && (!trusted_config || macros != NULL) &&
3578 real_uid == exim_uid)
3579 {
3580 if (deliver_drop_privilege)
3581 really_exim = TRUE; /* let logging work normally */
3582 else
3583 log_write(0, LOG_MAIN|LOG_PANIC,
3584 "exim user lost privilege for using %s option",
3585 trusted_config? "-D" : "-C");
3586 }
3587
3588 /* Start up Perl interpreter if Perl support is configured and there is a
3589 perl_startup option, and the configuration or the command line specifies
3590 initializing starting. Note that the global variables are actually called
3591 opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3592
3593 #ifdef EXIM_PERL
3594 if (perl_start_option != 0)
3595 opt_perl_at_start = (perl_start_option > 0);
3596 if (opt_perl_at_start && opt_perl_startup != NULL)
3597 {
3598 uschar *errstr;
3599 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3600 errstr = init_perl(opt_perl_startup);
3601 if (errstr != NULL)
3602 {
3603 fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
3604 return EXIT_FAILURE;
3605 }
3606 opt_perl_started = TRUE;
3607 }
3608 #endif /* EXIM_PERL */
3609
3610 /* Initialise lookup_list
3611 If debugging, already called above via version reporting.
3612 This does mean that debugging causes the list to be initialised while root.
3613 This *should* be harmless -- all modules are loaded from a fixed dir and
3614 it's code that would, if not a module, be part of Exim already. */
3615 init_lookup_list();
3616
3617 /* Log the arguments of the call if the configuration file said so. This is
3618 a debugging feature for finding out what arguments certain MUAs actually use.
3619 Don't attempt it if logging is disabled, or if listing variables or if
3620 verifying/testing addresses or expansions. */
3621
3622 if (((debug_selector & D_any) != 0 || (log_extra_selector & LX_arguments) != 0)
3623 && really_exim && !list_options && !checking)
3624 {
3625 int i;
3626 uschar *p = big_buffer;
3627 Ustrcpy(p, "cwd=");
3628 (void)getcwd(CS p+4, big_buffer_size - 4);
3629 while (*p) p++;
3630 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3631 while (*p) p++;
3632 for (i = 0; i < argc; i++)
3633 {
3634 int len = Ustrlen(argv[i]);
3635 uschar *printing;
3636 uschar *quote;
3637 if (p + len + 8 >= big_buffer + big_buffer_size)
3638 {
3639 Ustrcpy(p, " ...");
3640 log_write(0, LOG_MAIN, "%s", big_buffer);
3641 Ustrcpy(big_buffer, "...");
3642 p = big_buffer + 3;
3643 }
3644 printing = string_printing(argv[i]);
3645 if (printing[0] == 0) quote = US"\""; else
3646 {
3647 uschar *pp = printing;
3648 quote = US"";
3649 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3650 }
3651 sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3652 (p - big_buffer) - 4), printing, quote);
3653 while (*p) p++;
3654 }
3655
3656 if ((log_extra_selector & LX_arguments) != 0)
3657 log_write(0, LOG_MAIN, "%s", big_buffer);
3658 else
3659 debug_printf("%s\n", big_buffer);
3660 }
3661
3662 /* Set the working directory to be the top-level spool directory. We don't rely
3663 on this in the code, which always uses fully qualified names, but it's useful
3664 for core dumps etc. Don't complain if it fails - the spool directory might not
3665 be generally accessible and calls with the -C option (and others) have lost
3666 privilege by now. Before the chdir, we try to ensure that the directory exists.
3667 */
3668
3669 if (Uchdir(spool_directory) != 0)
3670 {
3671 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
3672 (void)Uchdir(spool_directory);
3673 }
3674
3675 /* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3676 alias file. Exim doesn't have such a concept, but this call is screwed into
3677 Sun's YP makefiles. Handle this by calling a configured script, as the real
3678 user who called Exim. The -oA option can be used to pass an argument to the
3679 script. */
3680
3681 if (bi_option)
3682 {
3683 (void)fclose(config_file);
3684 if (bi_command != NULL)
3685 {
3686 int i = 0;
3687 uschar *argv[3];
3688 argv[i++] = bi_command;
3689 if (alias_arg != NULL) argv[i++] = alias_arg;
3690 argv[i++] = NULL;
3691
3692 setgroups(group_count, group_list);
3693 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3694
3695 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3696 (argv[1] == NULL)? US"" : argv[1]);
3697
3698 execv(CS argv[0], (char *const *)argv);
3699 fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
3700 exit(EXIT_FAILURE);
3701 }
3702 else
3703 {
3704 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3705 exit(EXIT_SUCCESS);
3706 }
3707 }
3708
3709 /* If an action on specific messages is requested, or if a daemon or queue
3710 runner is being started, we need to know if Exim was called by an admin user.
3711 This is the case if the real user is root or exim, or if the real group is
3712 exim, or if one of the supplementary groups is exim or a group listed in
3713 admin_groups. We don't fail all message actions immediately if not admin_user,
3714 since some actions can be performed by non-admin users. Instead, set admin_user
3715 for later interrogation. */
3716
3717 if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3718 admin_user = TRUE;
3719 else
3720 {
3721 int i, j;
3722 for (i = 0; i < group_count; i++)
3723 {
3724 if (group_list[i] == exim_gid) admin_user = TRUE;
3725 else if (admin_groups != NULL)
3726 {
3727 for (j = 1; j <= (int)(admin_groups[0]); j++)
3728 if (admin_groups[j] == group_list[i])
3729 { admin_user = TRUE; break; }
3730 }
3731 if (admin_user) break;
3732 }
3733 }
3734
3735 /* Another group of privileged users are the trusted users. These are root,
3736 exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3737 are permitted to specify sender_addresses with -f on the command line, and
3738 other message parameters as well. */
3739
3740 if (real_uid == root_uid || real_uid == exim_uid)
3741 trusted_caller = TRUE;
3742 else
3743 {
3744 int i, j;
3745
3746 if (trusted_users != NULL)
3747 {
3748 for (i = 1; i <= (int)(trusted_users[0]); i++)
3749 if (trusted_users[i] == real_uid)
3750 { trusted_caller = TRUE; break; }
3751 }
3752
3753 if (!trusted_caller && trusted_groups != NULL)
3754 {
3755 for (i = 1; i <= (int)(trusted_groups[0]); i++)
3756 {
3757 if (trusted_groups[i] == real_gid)
3758 trusted_caller = TRUE;
3759 else for (j = 0; j < group_count; j++)
3760 {
3761 if (trusted_groups[i] == group_list[j])
3762 { trusted_caller = TRUE; break; }
3763 }
3764 if (trusted_caller) break;
3765 }
3766 }
3767 }
3768
3769 if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
3770 if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
3771
3772 /* Only an admin user may start the daemon or force a queue run in the default
3773 configuration, but the queue run restriction can be relaxed. Only an admin
3774 user may request that a message be returned to its sender forthwith. Only an
3775 admin user may specify a debug level greater than D_v (because it might show
3776 passwords, etc. in lookup queries). Only an admin user may request a queue
3777 count. Only an admin user can use the test interface to scan for email
3778 (because Exim will be in the spool dir and able to look at mails). */
3779
3780 if (!admin_user)
3781 {
3782 BOOL debugset = (debug_selector & ~D_v) != 0;
3783 if (deliver_give_up || daemon_listen || malware_test_file ||
3784 (count_queue && queue_list_requires_admin) ||
3785 (list_queue && queue_list_requires_admin) ||
3786 (queue_interval >= 0 && prod_requires_admin) ||
3787 (debugset && !running_in_test_harness))
3788 {
3789 fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
3790 exit(EXIT_FAILURE);
3791 }
3792 }
3793
3794 /* If the real user is not root or the exim uid, the argument for passing
3795 in an open TCP/IP connection for another message is not permitted, nor is
3796 running with the -N option for any delivery action, unless this call to exim is
3797 one that supplied an input message, or we are using a patched exim for
3798 regression testing. */
3799
3800 if (real_uid != root_uid && real_uid != exim_uid &&
3801 (continue_hostname != NULL ||
3802 (dont_deliver &&
3803 (queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
3804 )) && !running_in_test_harness)
3805 {
3806 fprintf(stderr, "exim: Permission denied\n");
3807 return EXIT_FAILURE;
3808 }
3809
3810 /* If the caller is not trusted, certain arguments are ignored when running for
3811 real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
3812 Note that authority for performing certain actions on messages is tested in the
3813 queue_action() function. */
3814
3815 if (!trusted_caller && !checking && filter_test == FTEST_NONE)
3816 {
3817 sender_host_name = sender_host_address = interface_address =
3818 sender_ident = received_protocol = NULL;
3819 sender_host_port = interface_port = 0;
3820 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
3821 }
3822
3823 /* If a sender host address is set, extract the optional port number off the
3824 end of it and check its syntax. Do the same thing for the interface address.
3825 Exim exits if the syntax is bad. */
3826
3827 else
3828 {
3829 if (sender_host_address != NULL)
3830 sender_host_port = check_port(sender_host_address);
3831 if (interface_address != NULL)
3832 interface_port = check_port(interface_address);
3833 }
3834
3835 /* If an SMTP message is being received check to see if the standard input is a
3836 TCP/IP socket. If it is, we assume that Exim was called from inetd if the
3837 caller is root or the Exim user, or if the port is a privileged one. Otherwise,
3838 barf. */
3839
3840 if (smtp_input)
3841 {
3842 union sockaddr_46 inetd_sock;
3843 EXIM_SOCKLEN_T size = sizeof(inetd_sock);
3844 if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
3845 {
3846 int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
3847 if (family == AF_INET || family == AF_INET6)
3848 {
3849 union sockaddr_46 interface_sock;
3850 size = sizeof(interface_sock);
3851
3852 if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
3853 interface_address = host_ntoa(-1, &interface_sock, NULL,
3854 &interface_port);
3855
3856 if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
3857
3858 if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
3859 {
3860 is_inetd = TRUE;
3861 sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
3862 NULL, &sender_host_port);
3863 if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
3864 "inetd is not supported when mua_wrapper is set");
3865 }
3866 else
3867 {
3868 fprintf(stderr,
3869 "exim: Permission denied (unprivileged user, unprivileged port)\n");
3870 return EXIT_FAILURE;
3871 }
3872 }
3873 }
3874 }
3875
3876 /* If the load average is going to be needed while receiving a message, get it
3877 now for those OS that require the first call to os_getloadavg() to be done as
3878 root. There will be further calls later for each message received. */
3879
3880 #ifdef LOAD_AVG_NEEDS_ROOT
3881 if (receiving_message &&
3882 (queue_only_load >= 0 ||
3883 (is_inetd && smtp_load_reserve >= 0)
3884 ))
3885 {
3886 load_average = OS_GETLOADAVG();
3887 }
3888 #endif
3889
3890 /* The queue_only configuration option can be overridden by -odx on the command
3891 line, except that if queue_only_override is false, queue_only cannot be unset
3892 from the command line. */
3893
3894 if (queue_only_set && (queue_only_override || arg_queue_only))
3895 queue_only = arg_queue_only;
3896
3897 /* The receive_timeout and smtp_receive_timeout options can be overridden by
3898 -or and -os. */
3899
3900 if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
3901 if (arg_smtp_receive_timeout >= 0)
3902 smtp_receive_timeout = arg_smtp_receive_timeout;
3903
3904 /* If Exim was started with root privilege, unless we have already removed the
3905 root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now
3906 except when starting the daemon or doing some kind of delivery or address
3907 testing (-bt). These are the only cases when root need to be retained. We run
3908 as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is
3909 retained only for starting the daemon. We always do the initgroups() in this
3910 situation (controlled by the TRUE below), in order to be as close as possible
3911 to the state Exim usually runs in. */
3912
3913 if (!unprivileged && /* originally had root AND */
3914 !removed_privilege && /* still got root AND */
3915 !daemon_listen && /* not starting the daemon */
3916 queue_interval <= 0 && /* (either kind of daemon) */
3917 ( /* AND EITHER */
3918 deliver_drop_privilege || /* requested unprivileged */
3919 ( /* OR */
3920 queue_interval < 0 && /* not running the queue */
3921 (msg_action_arg < 0 || /* and */
3922 msg_action != MSG_DELIVER) && /* not delivering and */
3923 (!checking || !address_test_mode) /* not address checking */
3924 )
3925 ))
3926 {
3927 exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
3928 }
3929
3930 /* When we are retaining a privileged uid, we still change to the exim gid. */
3931
3932 else
3933 {
3934 int rv;
3935 rv = setgid(exim_gid);
3936 /* Impact of failure is that some stuff might end up with an incorrect group.
3937 We track this for failures from root, since any attempt to change privilege
3938 by root should succeed and failures should be examined. For non-root,
3939 there's no security risk. For me, it's { exim -bV } on a just-built binary,
3940 no need to complain then. */
3941 if (rv == -1)
3942 {
3943 if (!(unprivileged || removed_privilege))
3944 {
3945 fprintf(stderr,
3946 "exim: changing group failed: %s\n", strerror(errno));
3947 exit(EXIT_FAILURE);
3948 }
3949 else
3950 DEBUG(D_any) debug_printf("changing group to %ld failed: %s\n",
3951 (long int)exim_gid, strerror(errno));
3952 }
3953 }
3954
3955 /* Handle a request to scan a file for malware */
3956 if (malware_test_file)
3957 {
3958 #ifdef WITH_CONTENT_SCAN
3959 int result;
3960 set_process_info("scanning file for malware");
3961 result = malware_in_file(malware_test_file);
3962 if (result == FAIL)
3963 {
3964 printf("No malware found.\n");
3965 exit(EXIT_SUCCESS);
3966 }
3967 if (result != OK)
3968 {
3969 printf("Malware lookup returned non-okay/fail: %d\n", result);
3970 exit(EXIT_FAILURE);
3971 }
3972 if (malware_name)
3973 printf("Malware found: %s\n", malware_name);
3974 else
3975 printf("Malware scan detected malware of unknown name.\n");
3976 #else
3977 printf("Malware scanning not enabled at compile time.\n");
3978 #endif
3979 exit(EXIT_FAILURE);
3980 }
3981
3982 /* Handle a request to list the delivery queue */
3983
3984 if (list_queue)
3985 {
3986 set_process_info("listing the queue");
3987 queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg);
3988 exit(EXIT_SUCCESS);
3989 }
3990
3991 /* Handle a request to count the delivery queue */
3992
3993 if (count_queue)
3994 {
3995 set_process_info("counting the queue");
3996 queue_count();
3997 exit(EXIT_SUCCESS);
3998 }
3999
4000 /* Handle actions on specific messages, except for the force delivery and
4001 message load actions, which are done below. Some actions take a whole list of
4002 message ids, which are known to continue up to the end of the arguments. Others
4003 take a single message id and then operate on the recipients list. */
4004
4005 if (msg_action_arg > 0 && msg_action != MSG_DELIVER && msg_action != MSG_LOAD)
4006 {
4007 int yield = EXIT_SUCCESS;
4008 set_process_info("acting on specified messages");
4009
4010 if (!one_msg_action)
4011 {
4012 for (i = msg_action_arg; i < argc; i++)
4013 if (!queue_action(argv[i], msg_action, NULL, 0, 0))
4014 yield = EXIT_FAILURE;
4015 }
4016
4017 else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc,
4018 recipients_arg)) yield = EXIT_FAILURE;
4019 exit(yield);
4020 }
4021
4022 /* All the modes below here require the remaining configuration sections
4023 to be read, except that we can skip over the ACL setting when delivering
4024 specific messages, or doing a queue run. (For various testing cases we could
4025 skip too, but as they are rare, it doesn't really matter.) The argument is TRUE
4026 for skipping. */
4027
4028 readconf_rest(msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen));
4029
4030 /* The configuration data will have been read into POOL_PERM because we won't
4031 ever want to reset back past it. Change the current pool to POOL_MAIN. In fact,
4032 this is just a bit of pedantic tidiness. It wouldn't really matter if the
4033 configuration were read into POOL_MAIN, because we don't do any resets till
4034 later on. However, it seems right, and it does ensure that both pools get used.
4035 */
4036
4037 store_pool = POOL_MAIN;
4038
4039 /* Handle the -brt option. This is for checking out retry configurations.
4040 The next three arguments are a domain name or a complete address, and
4041 optionally two error numbers. All it does is to call the function that
4042 scans the retry configuration data. */
4043
4044 if (test_retry_arg >= 0)
4045 {
4046 retry_config *yield;
4047 int basic_errno = 0;
4048 int more_errno = 0;
4049 uschar *s1, *s2;
4050
4051 if (test_retry_arg >= argc)
4052 {
4053 printf("-brt needs a domain or address argument\n");
4054 exim_exit(EXIT_FAILURE);
4055 }
4056 s1 = argv[test_retry_arg++];
4057 s2 = NULL;
4058
4059 /* If the first argument contains no @ and no . it might be a local user
4060 or it might be a single-component name. Treat as a domain. */
4061
4062 if (Ustrchr(s1, '@') == NULL && Ustrchr(s1, '.') == NULL)
4063 {
4064 printf("Warning: \"%s\" contains no '@' and no '.' characters. It is "
4065 "being \ntreated as a one-component domain, not as a local part.\n\n",
4066 s1);
4067 }
4068
4069 /* There may be an optional second domain arg. */
4070
4071 if (test_retry_arg < argc && Ustrchr(argv[test_retry_arg], '.') != NULL)
4072 s2 = argv[test_retry_arg++];
4073
4074 /* The final arg is an error name */
4075
4076 if (test_retry_arg < argc)
4077 {
4078 uschar *ss = argv[test_retry_arg];
4079 uschar *error =
4080 readconf_retry_error(ss, ss + Ustrlen(ss), &basic_errno, &more_errno);
4081 if (error != NULL)
4082 {
4083 printf("%s\n", CS error);
4084 return EXIT_FAILURE;
4085 }
4086
4087 /* For the {MAIL,RCPT,DATA}_4xx errors, a value of 255 means "any", and a
4088 code > 100 as an error is for matching codes to the decade. Turn them into
4089 a real error code, off the decade. */
4090
4091 if (basic_errno == ERRNO_MAIL4XX ||
4092 basic_errno == ERRNO_RCPT4XX ||
4093 basic_errno == ERRNO_DATA4XX)
4094 {
4095 int code = (more_errno >> 8) & 255;
4096 if (code == 255)
4097 more_errno = (more_errno & 0xffff00ff) | (21 << 8);
4098 else if (code > 100)
4099 more_errno = (more_errno & 0xffff00ff) | ((code - 96) << 8);
4100 }
4101 }
4102
4103 yield = retry_find_config(s1, s2, basic_errno, more_errno);
4104 if (yield == NULL) printf("No retry information found\n"); else
4105 {
4106 retry_rule *r;
4107 more_errno = yield->more_errno;
4108 printf("Retry rule: %s ", yield->pattern);
4109
4110 if (yield->basic_errno == ERRNO_EXIMQUOTA)
4111 {
4112 printf("quota%s%s ",
4113 (more_errno > 0)? "_" : "",
4114 (more_errno > 0)? readconf_printtime(more_errno) : US"");
4115 }
4116 else if (yield->basic_errno == ECONNREFUSED)
4117 {
4118 printf("refused%s%s ",
4119 (more_errno > 0)? "_" : "",
4120 (more_errno == 'M')? "MX" :
4121