75282f17301a408ea278885ae60cec92ac1113f9
[exim.git] / src / src / exim.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
11
12
13 #include "exim.h"
14
15 #if defined(__GLIBC__) && !defined(__UCLIBC__)
16 # include <gnu/libc-version.h>
17 #endif
18
19 #ifdef USE_GNUTLS
20 # include <gnutls/gnutls.h>
21 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22 # define DISABLE_OCSP
23 # endif
24 #endif
25
26 extern void init_lookup_list(void);
27
28
29
30 /*************************************************
31 * Function interface to store functions *
32 *************************************************/
33
34 /* We need some real functions to pass to the PCRE regular expression library
35 for store allocation via Exim's store manager. The normal calls are actually
36 macros that pass over location information to make tracing easier. These
37 functions just interface to the standard macro calls. A good compiler will
38 optimize out the tail recursion and so not make them too expensive. There
39 are two sets of functions; one for use when we want to retain the compiled
40 regular expression for a long time; the other for short-term use. */
41
42 static void *
43 function_store_get(size_t size)
44 {
45 return store_get((int)size);
46 }
47
48 static void
49 function_dummy_free(void *block) { block = block; }
50
51 static void *
52 function_store_malloc(size_t size)
53 {
54 return store_malloc((int)size);
55 }
56
57 static void
58 function_store_free(void *block)
59 {
60 store_free(block);
61 }
62
63
64
65
66 /*************************************************
67 * Enums for cmdline interface *
68 *************************************************/
69
70 enum commandline_info { CMDINFO_NONE=0,
71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
72
73
74
75
76 /*************************************************
77 * Compile regular expression and panic on fail *
78 *************************************************/
79
80 /* This function is called when failure to compile a regular expression leads
81 to a panic exit. In other cases, pcre_compile() is called directly. In many
82 cases where this function is used, the results of the compilation are to be
83 placed in long-lived store, so we temporarily reset the store management
84 functions that PCRE uses if the use_malloc flag is set.
85
86 Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91 Returns: pointer to the compiled pattern
92 */
93
94 const pcre *
95 regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
96 {
97 int offset;
98 int options = PCRE_COPT;
99 const pcre *yield;
100 const uschar *error;
101 if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106 if (caseless) options |= PCRE_CASELESS;
107 yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
108 pcre_malloc = function_store_get;
109 pcre_free = function_dummy_free;
110 if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113 return yield;
114 }
115
116
117
118
119 /*************************************************
120 * Execute regular expression and set strings *
121 *************************************************/
122
123 /* This function runs a regular expression match, and sets up the pointers to
124 the matched substrings.
125
126 Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134 Returns: TRUE or FALSE
135 */
136
137 BOOL
138 regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
139 {
140 int ovector[3*(EXPAND_MAXN+1)];
141 uschar * s = string_copy(subject); /* de-constifying */
142 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
143 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
144 BOOL yield = n >= 0;
145 if (n == 0) n = EXPAND_MAXN + 1;
146 if (yield)
147 {
148 int nn;
149 expand_nmax = (setup < 0)? 0 : setup + 1;
150 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
151 {
152 expand_nstring[expand_nmax] = s + ovector[nn];
153 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
154 }
155 expand_nmax--;
156 }
157 return yield;
158 }
159
160
161
162
163 /*************************************************
164 * Set up processing details *
165 *************************************************/
166
167 /* Save a text string for dumping when SIGUSR1 is received.
168 Do checks for overruns.
169
170 Arguments: format and arguments, as for printf()
171 Returns: nothing
172 */
173
174 void
175 set_process_info(const char *format, ...)
176 {
177 int len = sprintf(CS process_info, "%5d ", (int)getpid());
178 va_list ap;
179 va_start(ap, format);
180 if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
181 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
182 len = Ustrlen(process_info);
183 process_info[len+0] = '\n';
184 process_info[len+1] = '\0';
185 process_info_len = len + 1;
186 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
187 va_end(ap);
188 }
189
190 /***********************************************
191 * Handler for SIGTERM *
192 ***********************************************/
193
194 static void
195 term_handler(int sig)
196 {
197 exit(1);
198 }
199
200
201 /*************************************************
202 * Handler for SIGUSR1 *
203 *************************************************/
204
205 /* SIGUSR1 causes any exim process to write to the process log details of
206 what it is currently doing. It will only be used if the OS is capable of
207 setting up a handler that causes automatic restarting of any system call
208 that is in progress at the time.
209
210 This function takes care to be signal-safe.
211
212 Argument: the signal number (SIGUSR1)
213 Returns: nothing
214 */
215
216 static void
217 usr1_handler(int sig)
218 {
219 int fd;
220
221 os_restarting_signal(sig, usr1_handler);
222
223 if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
224 {
225 /* If we are already running as the Exim user, try to create it in the
226 current process (assuming spool_directory exists). Otherwise, if we are
227 root, do the creation in an exim:exim subprocess. */
228
229 int euid = geteuid();
230 if (euid == exim_uid)
231 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
232 else if (euid == root_uid)
233 fd = log_create_as_exim(process_log_path);
234 }
235
236 /* If we are neither exim nor root, or if we failed to create the log file,
237 give up. There is not much useful we can do with errors, since we don't want
238 to disrupt whatever is going on outside the signal handler. */
239
240 if (fd < 0) return;
241
242 (void)write(fd, process_info, process_info_len);
243 (void)close(fd);
244 }
245
246
247
248 /*************************************************
249 * Timeout handler *
250 *************************************************/
251
252 /* This handler is enabled most of the time that Exim is running. The handler
253 doesn't actually get used unless alarm() has been called to set a timer, to
254 place a time limit on a system call of some kind. When the handler is run, it
255 re-enables itself.
256
257 There are some other SIGALRM handlers that are used in special cases when more
258 than just a flag setting is required; for example, when reading a message's
259 input. These are normally set up in the code module that uses them, and the
260 SIGALRM handler is reset to this one afterwards.
261
262 Argument: the signal value (SIGALRM)
263 Returns: nothing
264 */
265
266 void
267 sigalrm_handler(int sig)
268 {
269 sig = sig; /* Keep picky compilers happy */
270 sigalrm_seen = TRUE;
271 os_non_restarting_signal(SIGALRM, sigalrm_handler);
272 }
273
274
275
276 /*************************************************
277 * Sleep for a fractional time interval *
278 *************************************************/
279
280 /* This function is called by millisleep() and exim_wait_tick() to wait for a
281 period of time that may include a fraction of a second. The coding is somewhat
282 tedious. We do not expect setitimer() ever to fail, but if it does, the process
283 will wait for ever, so we panic in this instance. (There was a case of this
284 when a bug in a function that calls milliwait() caused it to pass invalid data.
285 That's when I added the check. :-)
286
287 We assume it to be not worth sleeping for under 100us; this value will
288 require revisiting as hardware advances. This avoids the issue of
289 a zero-valued timer setting meaning "never fire".
290
291 Argument: an itimerval structure containing the interval
292 Returns: nothing
293 */
294
295 static void
296 milliwait(struct itimerval *itval)
297 {
298 sigset_t sigmask;
299 sigset_t old_sigmask;
300
301 if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
302 return;
303 (void)sigemptyset(&sigmask); /* Empty mask */
304 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
305 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
306 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
307 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
308 "setitimer() failed: %s", strerror(errno));
309 (void)sigfillset(&sigmask); /* All signals */
310 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
311 (void)sigsuspend(&sigmask); /* Until SIGALRM */
312 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
313 }
314
315
316
317
318 /*************************************************
319 * Millisecond sleep function *
320 *************************************************/
321
322 /* The basic sleep() function has a granularity of 1 second, which is too rough
323 in some cases - for example, when using an increasing delay to slow down
324 spammers.
325
326 Argument: number of millseconds
327 Returns: nothing
328 */
329
330 void
331 millisleep(int msec)
332 {
333 struct itimerval itval;
334 itval.it_interval.tv_sec = 0;
335 itval.it_interval.tv_usec = 0;
336 itval.it_value.tv_sec = msec/1000;
337 itval.it_value.tv_usec = (msec % 1000) * 1000;
338 milliwait(&itval);
339 }
340
341
342
343 /*************************************************
344 * Compare microsecond times *
345 *************************************************/
346
347 /*
348 Arguments:
349 tv1 the first time
350 tv2 the second time
351
352 Returns: -1, 0, or +1
353 */
354
355 static int
356 exim_tvcmp(struct timeval *t1, struct timeval *t2)
357 {
358 if (t1->tv_sec > t2->tv_sec) return +1;
359 if (t1->tv_sec < t2->tv_sec) return -1;
360 if (t1->tv_usec > t2->tv_usec) return +1;
361 if (t1->tv_usec < t2->tv_usec) return -1;
362 return 0;
363 }
364
365
366
367
368 /*************************************************
369 * Clock tick wait function *
370 *************************************************/
371
372 /* Exim uses a time + a pid to generate a unique identifier in two places: its
373 message IDs, and in file names for maildir deliveries. Because some OS now
374 re-use pids within the same second, sub-second times are now being used.
375 However, for absolute certainty, we must ensure the clock has ticked before
376 allowing the relevant process to complete. At the time of implementation of
377 this code (February 2003), the speed of processors is such that the clock will
378 invariably have ticked already by the time a process has done its job. This
379 function prepares for the time when things are faster - and it also copes with
380 clocks that go backwards.
381
382 Arguments:
383 then_tv A timeval which was used to create uniqueness; its usec field
384 has been rounded down to the value of the resolution.
385 We want to be sure the current time is greater than this.
386 resolution The resolution that was used to divide the microseconds
387 (1 for maildir, larger for message ids)
388
389 Returns: nothing
390 */
391
392 void
393 exim_wait_tick(struct timeval *then_tv, int resolution)
394 {
395 struct timeval now_tv;
396 long int now_true_usec;
397
398 (void)gettimeofday(&now_tv, NULL);
399 now_true_usec = now_tv.tv_usec;
400 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
401
402 if (exim_tvcmp(&now_tv, then_tv) <= 0)
403 {
404 struct itimerval itval;
405 itval.it_interval.tv_sec = 0;
406 itval.it_interval.tv_usec = 0;
407 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
408 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
409
410 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
411 negative value for the microseconds is possible only in the case when "now"
412 is more than a second less than "then". That means that itval.it_value.tv_sec
413 is greater than zero. The following correction is therefore safe. */
414
415 if (itval.it_value.tv_usec < 0)
416 {
417 itval.it_value.tv_usec += 1000000;
418 itval.it_value.tv_sec -= 1;
419 }
420
421 DEBUG(D_transport|D_receive)
422 {
423 if (!f.running_in_test_harness)
424 {
425 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
426 then_tv->tv_sec, (long) then_tv->tv_usec,
427 now_tv.tv_sec, (long) now_tv.tv_usec);
428 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
429 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
430 }
431 }
432
433 milliwait(&itval);
434 }
435 }
436
437
438
439
440 /*************************************************
441 * Call fopen() with umask 777 and adjust mode *
442 *************************************************/
443
444 /* Exim runs with umask(0) so that files created with open() have the mode that
445 is specified in the open() call. However, there are some files, typically in
446 the spool directory, that are created with fopen(). They end up world-writeable
447 if no precautions are taken. Although the spool directory is not accessible to
448 the world, this is an untidiness. So this is a wrapper function for fopen()
449 that sorts out the mode of the created file.
450
451 Arguments:
452 filename the file name
453 options the fopen() options
454 mode the required mode
455
456 Returns: the fopened FILE or NULL
457 */
458
459 FILE *
460 modefopen(const uschar *filename, const char *options, mode_t mode)
461 {
462 mode_t saved_umask = umask(0777);
463 FILE *f = Ufopen(filename, options);
464 (void)umask(saved_umask);
465 if (f != NULL) (void)fchmod(fileno(f), mode);
466 return f;
467 }
468
469
470
471
472 /*************************************************
473 * Ensure stdin, stdout, and stderr exist *
474 *************************************************/
475
476 /* Some operating systems grumble if an exec() happens without a standard
477 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
478 file will be opened and will use these fd values, and then some other bit of
479 code will assume, for example, that it can write error messages to stderr.
480 This function ensures that fds 0, 1, and 2 are open if they do not already
481 exist, by connecting them to /dev/null.
482
483 This function is also used to ensure that std{in,out,err} exist at all times,
484 so that if any library that Exim calls tries to use them, it doesn't crash.
485
486 Arguments: None
487 Returns: Nothing
488 */
489
490 void
491 exim_nullstd(void)
492 {
493 int i;
494 int devnull = -1;
495 struct stat statbuf;
496 for (i = 0; i <= 2; i++)
497 {
498 if (fstat(i, &statbuf) < 0 && errno == EBADF)
499 {
500 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
501 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
502 string_open_failed(errno, "/dev/null"));
503 if (devnull != i) (void)dup2(devnull, i);
504 }
505 }
506 if (devnull > 2) (void)close(devnull);
507 }
508
509
510
511
512 /*************************************************
513 * Close unwanted file descriptors for delivery *
514 *************************************************/
515
516 /* This function is called from a new process that has been forked to deliver
517 an incoming message, either directly, or using exec.
518
519 We want any smtp input streams to be closed in this new process. However, it
520 has been observed that using fclose() here causes trouble. When reading in -bS
521 input, duplicate copies of messages have been seen. The files will be sharing a
522 file pointer with the parent process, and it seems that fclose() (at least on
523 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
524 least sometimes. Hence we go for closing the underlying file descriptors.
525
526 If TLS is active, we want to shut down the TLS library, but without molesting
527 the parent's SSL connection.
528
529 For delivery of a non-SMTP message, we want to close stdin and stdout (and
530 stderr unless debugging) because the calling process might have set them up as
531 pipes and be waiting for them to close before it waits for the submission
532 process to terminate. If they aren't closed, they hold up the calling process
533 until the initial delivery process finishes, which is not what we want.
534
535 Exception: We do want it for synchronous delivery!
536
537 And notwithstanding all the above, if D_resolver is set, implying resolver
538 debugging, leave stdout open, because that's where the resolver writes its
539 debugging output.
540
541 When we close stderr (which implies we've also closed stdout), we also get rid
542 of any controlling terminal.
543
544 Arguments: None
545 Returns: Nothing
546 */
547
548 static void
549 close_unwanted(void)
550 {
551 if (smtp_input)
552 {
553 #ifdef SUPPORT_TLS
554 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
555 #endif
556 (void)close(fileno(smtp_in));
557 (void)close(fileno(smtp_out));
558 smtp_in = NULL;
559 }
560 else
561 {
562 (void)close(0); /* stdin */
563 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
564 if (debug_selector == 0) /* stderr */
565 {
566 if (!f.synchronous_delivery)
567 {
568 (void)close(2);
569 log_stderr = NULL;
570 }
571 (void)setsid();
572 }
573 }
574 }
575
576
577
578
579 /*************************************************
580 * Set uid and gid *
581 *************************************************/
582
583 /* This function sets a new uid and gid permanently, optionally calling
584 initgroups() to set auxiliary groups. There are some special cases when running
585 Exim in unprivileged modes. In these situations the effective uid will not be
586 root; if we already have the right effective uid/gid, and don't need to
587 initialize any groups, leave things as they are.
588
589 Arguments:
590 uid the uid
591 gid the gid
592 igflag TRUE if initgroups() wanted
593 msg text to use in debugging output and failure log
594
595 Returns: nothing; bombs out on failure
596 */
597
598 void
599 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
600 {
601 uid_t euid = geteuid();
602 gid_t egid = getegid();
603
604 if (euid == root_uid || euid != uid || egid != gid || igflag)
605 {
606 /* At least one OS returns +1 for initgroups failure, so just check for
607 non-zero. */
608
609 if (igflag)
610 {
611 struct passwd *pw = getpwuid(uid);
612 if (!pw)
613 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
614 "no passwd entry for uid=%ld", (long int)uid);
615
616 if (initgroups(pw->pw_name, gid) != 0)
617 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
618 (long int)uid, strerror(errno));
619 }
620
621 if (setgid(gid) < 0 || setuid(uid) < 0)
622 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
623 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
624 }
625
626 /* Debugging output included uid/gid and all groups */
627
628 DEBUG(D_uid)
629 {
630 int group_count, save_errno;
631 gid_t group_list[EXIM_GROUPLIST_SIZE];
632 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
633 (long int)geteuid(), (long int)getegid(), (long int)getpid());
634 group_count = getgroups(nelem(group_list), group_list);
635 save_errno = errno;
636 debug_printf(" auxiliary group list:");
637 if (group_count > 0)
638 {
639 int i;
640 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
641 }
642 else if (group_count < 0)
643 debug_printf(" <error: %s>", strerror(save_errno));
644 else debug_printf(" <none>");
645 debug_printf("\n");
646 }
647 }
648
649
650
651
652 /*************************************************
653 * Exit point *
654 *************************************************/
655
656 /* Exim exits via this function so that it always clears up any open
657 databases.
658
659 Arguments:
660 rc return code
661
662 Returns: does not return
663 */
664
665 void
666 exim_exit(int rc, const uschar * process)
667 {
668 search_tidyup();
669 DEBUG(D_any)
670 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
671 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
672 process ? "(" : "", process, process ? ") " : "", rc);
673 exit(rc);
674 }
675
676
677
678 /* Print error string, then die */
679 static void
680 exim_fail(const char * fmt, ...)
681 {
682 va_list ap;
683 va_start(ap, fmt);
684 vfprintf(stderr, fmt, ap);
685 exit(EXIT_FAILURE);
686 }
687
688
689
690 /*************************************************
691 * Extract port from host address *
692 *************************************************/
693
694 /* Called to extract the port from the values given to -oMa and -oMi.
695 It also checks the syntax of the address, and terminates it before the
696 port data when a port is extracted.
697
698 Argument:
699 address the address, with possible port on the end
700
701 Returns: the port, or zero if there isn't one
702 bombs out on a syntax error
703 */
704
705 static int
706 check_port(uschar *address)
707 {
708 int port = host_address_extract_port(address);
709 if (string_is_ip_address(address, NULL) == 0)
710 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
711 return port;
712 }
713
714
715
716 /*************************************************
717 * Test/verify an address *
718 *************************************************/
719
720 /* This function is called by the -bv and -bt code. It extracts a working
721 address from a full RFC 822 address. This isn't really necessary per se, but it
722 has the effect of collapsing source routes.
723
724 Arguments:
725 s the address string
726 flags flag bits for verify_address()
727 exit_value to be set for failures
728
729 Returns: nothing
730 */
731
732 static void
733 test_address(uschar *s, int flags, int *exit_value)
734 {
735 int start, end, domain;
736 uschar *parse_error = NULL;
737 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
738 FALSE);
739 if (address == NULL)
740 {
741 fprintf(stdout, "syntax error: %s\n", parse_error);
742 *exit_value = 2;
743 }
744 else
745 {
746 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
747 -1, -1, NULL, NULL, NULL);
748 if (rc == FAIL) *exit_value = 2;
749 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
750 }
751 }
752
753
754
755 /*************************************************
756 * Show supported features *
757 *************************************************/
758
759 static void
760 show_db_version(FILE * f)
761 {
762 #ifdef DB_VERSION_STRING
763 DEBUG(D_any)
764 {
765 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
766 fprintf(f, " Runtime: %s\n",
767 db_version(NULL, NULL, NULL));
768 }
769 else
770 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
771
772 #elif defined(BTREEVERSION) && defined(HASHVERSION)
773 #ifdef USE_DB
774 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
775 #else
776 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
777 #endif
778
779 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
780 fprintf(f, "Probably ndbm\n");
781 #elif defined(USE_TDB)
782 fprintf(f, "Using tdb\n");
783 #else
784 #ifdef USE_GDBM
785 fprintf(f, "Probably GDBM (native mode)\n");
786 #else
787 fprintf(f, "Probably GDBM (compatibility mode)\n");
788 #endif
789 #endif
790 }
791
792
793 /* This function is called for -bV/--version and for -d to output the optional
794 features of the current Exim binary.
795
796 Arguments: a FILE for printing
797 Returns: nothing
798 */
799
800 static void
801 show_whats_supported(FILE * fp)
802 {
803 auth_info * authi;
804
805 DEBUG(D_any) {} else show_db_version(fp);
806
807 fprintf(fp, "Support for:");
808 #ifdef SUPPORT_CRYPTEQ
809 fprintf(fp, " crypteq");
810 #endif
811 #if HAVE_ICONV
812 fprintf(fp, " iconv()");
813 #endif
814 #if HAVE_IPV6
815 fprintf(fp, " IPv6");
816 #endif
817 #ifdef HAVE_SETCLASSRESOURCES
818 fprintf(fp, " use_setclassresources");
819 #endif
820 #ifdef SUPPORT_PAM
821 fprintf(fp, " PAM");
822 #endif
823 #ifdef EXIM_PERL
824 fprintf(fp, " Perl");
825 #endif
826 #ifdef EXPAND_DLFUNC
827 fprintf(fp, " Expand_dlfunc");
828 #endif
829 #ifdef USE_TCP_WRAPPERS
830 fprintf(fp, " TCPwrappers");
831 #endif
832 #ifdef SUPPORT_TLS
833 # ifdef USE_GNUTLS
834 fprintf(fp, " GnuTLS");
835 # else
836 fprintf(fp, " OpenSSL");
837 # endif
838 #endif
839 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
840 fprintf(fp, " translate_ip_address");
841 #endif
842 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
843 fprintf(fp, " move_frozen_messages");
844 #endif
845 #ifdef WITH_CONTENT_SCAN
846 fprintf(fp, " Content_Scanning");
847 #endif
848 #ifdef SUPPORT_DANE
849 fprintf(fp, " DANE");
850 #endif
851 #ifndef DISABLE_DKIM
852 fprintf(fp, " DKIM");
853 #endif
854 #ifndef DISABLE_DNSSEC
855 fprintf(fp, " DNSSEC");
856 #endif
857 #ifndef DISABLE_EVENT
858 fprintf(fp, " Event");
859 #endif
860 #ifdef SUPPORT_I18N
861 fprintf(fp, " I18N");
862 #endif
863 #ifndef DISABLE_OCSP
864 fprintf(fp, " OCSP");
865 #endif
866 #ifndef DISABLE_PRDR
867 fprintf(fp, " PRDR");
868 #endif
869 #ifdef SUPPORT_PROXY
870 fprintf(fp, " PROXY");
871 #endif
872 #ifdef SUPPORT_SOCKS
873 fprintf(fp, " SOCKS");
874 #endif
875 #ifdef SUPPORT_SPF
876 fprintf(fp, " SPF");
877 #endif
878 #ifdef TCP_FASTOPEN
879 deliver_init();
880 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
881 #endif
882 #ifdef EXPERIMENTAL_LMDB
883 fprintf(fp, " Experimental_LMDB");
884 #endif
885 #ifdef EXPERIMENTAL_QUEUEFILE
886 fprintf(fp, " Experimental_QUEUEFILE");
887 #endif
888 #ifdef EXPERIMENTAL_SRS
889 fprintf(fp, " Experimental_SRS");
890 #endif
891 #ifdef EXPERIMENTAL_ARC
892 fprintf(fp, " Experimental_ARC");
893 #endif
894 #ifdef EXPERIMENTAL_BRIGHTMAIL
895 fprintf(fp, " Experimental_Brightmail");
896 #endif
897 #ifdef EXPERIMENTAL_DCC
898 fprintf(fp, " Experimental_DCC");
899 #endif
900 #ifdef EXPERIMENTAL_DMARC
901 fprintf(fp, " Experimental_DMARC");
902 #endif
903 #ifdef EXPERIMENTAL_DSN_INFO
904 fprintf(fp, " Experimental_DSN_info");
905 #endif
906 #ifdef EXPERIMENTAL_REQUIRETLS
907 fprintf(fp, " Experimental_REQUIRETLS");
908 #endif
909 fprintf(fp, "\n");
910
911 fprintf(fp, "Lookups (built-in):");
912 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
913 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
914 #endif
915 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
916 fprintf(fp, " cdb");
917 #endif
918 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
919 fprintf(fp, " dbm dbmjz dbmnz");
920 #endif
921 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
922 fprintf(fp, " dnsdb");
923 #endif
924 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
925 fprintf(fp, " dsearch");
926 #endif
927 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
928 fprintf(fp, " ibase");
929 #endif
930 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
931 fprintf(fp, " ldap ldapdn ldapm");
932 #endif
933 #ifdef EXPERIMENTAL_LMDB
934 fprintf(fp, " lmdb");
935 #endif
936 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
937 fprintf(fp, " mysql");
938 #endif
939 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
940 fprintf(fp, " nis nis0");
941 #endif
942 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
943 fprintf(fp, " nisplus");
944 #endif
945 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
946 fprintf(fp, " oracle");
947 #endif
948 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
949 fprintf(fp, " passwd");
950 #endif
951 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
952 fprintf(fp, " pgsql");
953 #endif
954 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
955 fprintf(fp, " redis");
956 #endif
957 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
958 fprintf(fp, " sqlite");
959 #endif
960 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
961 fprintf(fp, " testdb");
962 #endif
963 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
964 fprintf(fp, " whoson");
965 #endif
966 fprintf(fp, "\n");
967
968 auth_show_supported(fp);
969 route_show_supported(fp);
970 transport_show_supported(fp);
971
972 #ifdef WITH_CONTENT_SCAN
973 malware_show_supported(fp);
974 #endif
975
976 if (fixed_never_users[0] > 0)
977 {
978 int i;
979 fprintf(fp, "Fixed never_users: ");
980 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
981 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
982 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
983 }
984
985 fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
986
987 fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
988
989 /* Everything else is details which are only worth reporting when debugging.
990 Perhaps the tls_version_report should move into this too. */
991 DEBUG(D_any) do {
992
993 int i;
994
995 /* clang defines __GNUC__ (at least, for me) so test for it first */
996 #if defined(__clang__)
997 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
998 #elif defined(__GNUC__)
999 fprintf(fp, "Compiler: GCC [%s]\n",
1000 # ifdef __VERSION__
1001 __VERSION__
1002 # else
1003 "? unknown version ?"
1004 # endif
1005 );
1006 #else
1007 fprintf(fp, "Compiler: <unknown>\n");
1008 #endif
1009
1010 #if defined(__GLIBC__) && !defined(__UCLIBC__)
1011 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
1012 __GLIBC__, __GLIBC_MINOR__);
1013 if (__GLIBC_PREREQ(2, 1))
1014 fprintf(fp, " Runtime: %s\n",
1015 gnu_get_libc_version());
1016 #endif
1017
1018 show_db_version(fp);
1019
1020 #ifdef SUPPORT_TLS
1021 tls_version_report(fp);
1022 #endif
1023 #ifdef SUPPORT_I18N
1024 utf8_version_report(fp);
1025 #endif
1026
1027 for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
1028 if (authi->version_report)
1029 (*authi->version_report)(fp);
1030
1031 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1032 characters; unless it's an ancient version of PCRE in which case it
1033 is not defined. */
1034 #ifndef PCRE_PRERELEASE
1035 # define PCRE_PRERELEASE
1036 #endif
1037 #define QUOTE(X) #X
1038 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1039 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
1040 " Runtime: %s\n",
1041 PCRE_MAJOR, PCRE_MINOR,
1042 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
1043 pcre_version());
1044 #undef QUOTE
1045 #undef EXPAND_AND_QUOTE
1046
1047 init_lookup_list();
1048 for (i = 0; i < lookup_list_count; i++)
1049 if (lookup_list[i]->version_report)
1050 lookup_list[i]->version_report(fp);
1051
1052 #ifdef WHITELIST_D_MACROS
1053 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1054 #else
1055 fprintf(fp, "WHITELIST_D_MACROS unset\n");
1056 #endif
1057 #ifdef TRUSTED_CONFIG_LIST
1058 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1059 #else
1060 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
1061 #endif
1062
1063 } while (0);
1064 }
1065
1066
1067 /*************************************************
1068 * Show auxiliary information about Exim *
1069 *************************************************/
1070
1071 static void
1072 show_exim_information(enum commandline_info request, FILE *stream)
1073 {
1074 const uschar **pp;
1075
1076 switch(request)
1077 {
1078 case CMDINFO_NONE:
1079 fprintf(stream, "Oops, something went wrong.\n");
1080 return;
1081 case CMDINFO_HELP:
1082 fprintf(stream,
1083 "The -bI: flag takes a string indicating which information to provide.\n"
1084 "If the string is not recognised, you'll get this help (on stderr).\n"
1085 "\n"
1086 " exim -bI:help this information\n"
1087 " exim -bI:dscp list of known dscp value keywords\n"
1088 " exim -bI:sieve list of supported sieve extensions\n"
1089 );
1090 return;
1091 case CMDINFO_SIEVE:
1092 for (pp = exim_sieve_extension_list; *pp; ++pp)
1093 fprintf(stream, "%s\n", *pp);
1094 return;
1095 case CMDINFO_DSCP:
1096 dscp_list_to_stream(stream);
1097 return;
1098 }
1099 }
1100
1101
1102 /*************************************************
1103 * Quote a local part *
1104 *************************************************/
1105
1106 /* This function is used when a sender address or a From: or Sender: header
1107 line is being created from the caller's login, or from an authenticated_id. It
1108 applies appropriate quoting rules for a local part.
1109
1110 Argument: the local part
1111 Returns: the local part, quoted if necessary
1112 */
1113
1114 uschar *
1115 local_part_quote(uschar *lpart)
1116 {
1117 BOOL needs_quote = FALSE;
1118 gstring * g;
1119 uschar *t;
1120
1121 for (t = lpart; !needs_quote && *t != 0; t++)
1122 {
1123 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1124 (*t != '.' || t == lpart || t[1] == 0);
1125 }
1126
1127 if (!needs_quote) return lpart;
1128
1129 g = string_catn(NULL, US"\"", 1);
1130
1131 for (;;)
1132 {
1133 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1134 if (nq == NULL)
1135 {
1136 g = string_cat(g, lpart);
1137 break;
1138 }
1139 g = string_catn(g, lpart, nq - lpart);
1140 g = string_catn(g, US"\\", 1);
1141 g = string_catn(g, nq, 1);
1142 lpart = nq + 1;
1143 }
1144
1145 g = string_catn(g, US"\"", 1);
1146 return string_from_gstring(g);
1147 }
1148
1149
1150
1151 #ifdef USE_READLINE
1152 /*************************************************
1153 * Load readline() functions *
1154 *************************************************/
1155
1156 /* This function is called from testing executions that read data from stdin,
1157 but only when running as the calling user. Currently, only -be does this. The
1158 function loads the readline() function library and passes back the functions.
1159 On some systems, it needs the curses library, so load that too, but try without
1160 it if loading fails. All this functionality has to be requested at build time.
1161
1162 Arguments:
1163 fn_readline_ptr pointer to where to put the readline pointer
1164 fn_addhist_ptr pointer to where to put the addhistory function
1165
1166 Returns: the dlopen handle or NULL on failure
1167 */
1168
1169 static void *
1170 set_readline(char * (**fn_readline_ptr)(const char *),
1171 void (**fn_addhist_ptr)(const char *))
1172 {
1173 void *dlhandle;
1174 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1175
1176 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1177 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1178
1179 if (dlhandle != NULL)
1180 {
1181 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1182 * char * readline (const char *prompt);
1183 * void add_history (const char *string);
1184 */
1185 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1186 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1187 }
1188 else
1189 {
1190 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1191 }
1192
1193 return dlhandle;
1194 }
1195 #endif
1196
1197
1198
1199 /*************************************************
1200 * Get a line from stdin for testing things *
1201 *************************************************/
1202
1203 /* This function is called when running tests that can take a number of lines
1204 of input (for example, -be and -bt). It handles continuations and trailing
1205 spaces. And prompting and a blank line output on eof. If readline() is in use,
1206 the arguments are non-NULL and provide the relevant functions.
1207
1208 Arguments:
1209 fn_readline readline function or NULL
1210 fn_addhist addhist function or NULL
1211
1212 Returns: pointer to dynamic memory, or NULL at end of file
1213 */
1214
1215 static uschar *
1216 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1217 {
1218 int i;
1219 gstring * g = NULL;
1220
1221 if (!fn_readline) { printf("> "); fflush(stdout); }
1222
1223 for (i = 0;; i++)
1224 {
1225 uschar buffer[1024];
1226 uschar *p, *ss;
1227
1228 #ifdef USE_READLINE
1229 char *readline_line = NULL;
1230 if (fn_readline != NULL)
1231 {
1232 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1233 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1234 p = US readline_line;
1235 }
1236 else
1237 #endif
1238
1239 /* readline() not in use */
1240
1241 {
1242 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1243 p = buffer;
1244 }
1245
1246 /* Handle the line */
1247
1248 ss = p + (int)Ustrlen(p);
1249 while (ss > p && isspace(ss[-1])) ss--;
1250
1251 if (i > 0)
1252 {
1253 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1254 }
1255
1256 g = string_catn(g, p, ss - p);
1257
1258 #ifdef USE_READLINE
1259 if (fn_readline) free(readline_line);
1260 #endif
1261
1262 /* g can only be NULL if ss==p */
1263 if (ss == p || g->s[g->ptr-1] != '\\')
1264 break;
1265
1266 --g->ptr;
1267 (void) string_from_gstring(g);
1268 }
1269
1270 if (!g) printf("\n");
1271 return string_from_gstring(g);
1272 }
1273
1274
1275
1276 /*************************************************
1277 * Output usage information for the program *
1278 *************************************************/
1279
1280 /* This function is called when there are no recipients
1281 or a specific --help argument was added.
1282
1283 Arguments:
1284 progname information on what name we were called by
1285
1286 Returns: DOES NOT RETURN
1287 */
1288
1289 static void
1290 exim_usage(uschar *progname)
1291 {
1292
1293 /* Handle specific program invocation variants */
1294 if (Ustrcmp(progname, US"-mailq") == 0)
1295 exim_fail(
1296 "mailq - list the contents of the mail queue\n\n"
1297 "For a list of options, see the Exim documentation.\n");
1298
1299 /* Generic usage - we output this whatever happens */
1300 exim_fail(
1301 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1302 "not directly from a shell command line. Options and/or arguments control\n"
1303 "what it does when called. For a list of options, see the Exim documentation.\n");
1304 }
1305
1306
1307
1308 /*************************************************
1309 * Validate that the macros given are okay *
1310 *************************************************/
1311
1312 /* Typically, Exim will drop privileges if macros are supplied. In some
1313 cases, we want to not do so.
1314
1315 Arguments: opt_D_used - true if the commandline had a "-D" option
1316 Returns: true if trusted, false otherwise
1317 */
1318
1319 static BOOL
1320 macros_trusted(BOOL opt_D_used)
1321 {
1322 #ifdef WHITELIST_D_MACROS
1323 macro_item *m;
1324 uschar *whitelisted, *end, *p, **whites, **w;
1325 int white_count, i, n;
1326 size_t len;
1327 BOOL prev_char_item, found;
1328 #endif
1329
1330 if (!opt_D_used)
1331 return TRUE;
1332 #ifndef WHITELIST_D_MACROS
1333 return FALSE;
1334 #else
1335
1336 /* We only trust -D overrides for some invoking users:
1337 root, the exim run-time user, the optional config owner user.
1338 I don't know why config-owner would be needed, but since they can own the
1339 config files anyway, there's no security risk to letting them override -D. */
1340 if ( ! ((real_uid == root_uid)
1341 || (real_uid == exim_uid)
1342 #ifdef CONFIGURE_OWNER
1343 || (real_uid == config_uid)
1344 #endif
1345 ))
1346 {
1347 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1348 return FALSE;
1349 }
1350
1351 /* Get a list of macros which are whitelisted */
1352 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1353 prev_char_item = FALSE;
1354 white_count = 0;
1355 for (p = whitelisted; *p != '\0'; ++p)
1356 {
1357 if (*p == ':' || isspace(*p))
1358 {
1359 *p = '\0';
1360 if (prev_char_item)
1361 ++white_count;
1362 prev_char_item = FALSE;
1363 continue;
1364 }
1365 if (!prev_char_item)
1366 prev_char_item = TRUE;
1367 }
1368 end = p;
1369 if (prev_char_item)
1370 ++white_count;
1371 if (!white_count)
1372 return FALSE;
1373 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1374 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1375 {
1376 if (*p != '\0')
1377 {
1378 whites[i++] = p;
1379 if (i == white_count)
1380 break;
1381 while (*p != '\0' && p < end)
1382 ++p;
1383 }
1384 }
1385 whites[i] = NULL;
1386
1387 /* The list of commandline macros should be very short.
1388 Accept the N*M complexity. */
1389 for (m = macros_user; m; m = m->next) if (m->command_line)
1390 {
1391 found = FALSE;
1392 for (w = whites; *w; ++w)
1393 if (Ustrcmp(*w, m->name) == 0)
1394 {
1395 found = TRUE;
1396 break;
1397 }
1398 if (!found)
1399 return FALSE;
1400 if (!m->replacement)
1401 continue;
1402 if ((len = m->replen) == 0)
1403 continue;
1404 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1405 0, PCRE_EOPT, NULL, 0);
1406 if (n < 0)
1407 {
1408 if (n != PCRE_ERROR_NOMATCH)
1409 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1410 return FALSE;
1411 }
1412 }
1413 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1414 return TRUE;
1415 #endif
1416 }
1417
1418
1419 /*************************************************
1420 * Expansion testing *
1421 *************************************************/
1422
1423 /* Expand and print one item, doing macro-processing.
1424
1425 Arguments:
1426 item line for expansion
1427 */
1428
1429 static void
1430 expansion_test_line(uschar * line)
1431 {
1432 int len;
1433 BOOL dummy_macexp;
1434
1435 Ustrncpy(big_buffer, line, big_buffer_size);
1436 big_buffer[big_buffer_size-1] = '\0';
1437 len = Ustrlen(big_buffer);
1438
1439 (void) macros_expand(0, &len, &dummy_macexp);
1440
1441 if (isupper(big_buffer[0]))
1442 {
1443 if (macro_read_assignment(big_buffer))
1444 printf("Defined macro '%s'\n", mlast->name);
1445 }
1446 else
1447 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1448 else printf("Failed: %s\n", expand_string_message);
1449 }
1450
1451
1452
1453 /*************************************************
1454 * Entry point and high-level code *
1455 *************************************************/
1456
1457 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1458 the appropriate action. All the necessary functions are present in the one
1459 binary. I originally thought one should split it up, but it turns out that so
1460 much of the apparatus is needed in each chunk that one might as well just have
1461 it all available all the time, which then makes the coding easier as well.
1462
1463 Arguments:
1464 argc count of entries in argv
1465 argv argument strings, with argv[0] being the program name
1466
1467 Returns: EXIT_SUCCESS if terminated successfully
1468 EXIT_FAILURE otherwise, except when a message has been sent
1469 to the sender, and -oee was given
1470 */
1471
1472 int
1473 main(int argc, char **cargv)
1474 {
1475 uschar **argv = USS cargv;
1476 int arg_receive_timeout = -1;
1477 int arg_smtp_receive_timeout = -1;
1478 int arg_error_handling = error_handling;
1479 int filter_sfd = -1;
1480 int filter_ufd = -1;
1481 int group_count;
1482 int i, rv;
1483 int list_queue_option = 0;
1484 int msg_action = 0;
1485 int msg_action_arg = -1;
1486 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1487 int queue_only_reason = 0;
1488 #ifdef EXIM_PERL
1489 int perl_start_option = 0;
1490 #endif
1491 int recipients_arg = argc;
1492 int sender_address_domain = 0;
1493 int test_retry_arg = -1;
1494 int test_rewrite_arg = -1;
1495 BOOL arg_queue_only = FALSE;
1496 BOOL bi_option = FALSE;
1497 BOOL checking = FALSE;
1498 BOOL count_queue = FALSE;
1499 BOOL expansion_test = FALSE;
1500 BOOL extract_recipients = FALSE;
1501 BOOL flag_G = FALSE;
1502 BOOL flag_n = FALSE;
1503 BOOL forced_delivery = FALSE;
1504 BOOL f_end_dot = FALSE;
1505 BOOL deliver_give_up = FALSE;
1506 BOOL list_queue = FALSE;
1507 BOOL list_options = FALSE;
1508 BOOL list_config = FALSE;
1509 BOOL local_queue_only;
1510 BOOL more = TRUE;
1511 BOOL one_msg_action = FALSE;
1512 BOOL opt_D_used = FALSE;
1513 BOOL queue_only_set = FALSE;
1514 BOOL receiving_message = TRUE;
1515 BOOL sender_ident_set = FALSE;
1516 BOOL session_local_queue_only;
1517 BOOL unprivileged;
1518 BOOL removed_privilege = FALSE;
1519 BOOL usage_wanted = FALSE;
1520 BOOL verify_address_mode = FALSE;
1521 BOOL verify_as_sender = FALSE;
1522 BOOL version_printed = FALSE;
1523 uschar *alias_arg = NULL;
1524 uschar *called_as = US"";
1525 uschar *cmdline_syslog_name = NULL;
1526 uschar *start_queue_run_id = NULL;
1527 uschar *stop_queue_run_id = NULL;
1528 uschar *expansion_test_message = NULL;
1529 uschar *ftest_domain = NULL;
1530 uschar *ftest_localpart = NULL;
1531 uschar *ftest_prefix = NULL;
1532 uschar *ftest_suffix = NULL;
1533 uschar *log_oneline = NULL;
1534 uschar *malware_test_file = NULL;
1535 uschar *real_sender_address;
1536 uschar *originator_home = US"/";
1537 size_t sz;
1538 void *reset_point;
1539
1540 struct passwd *pw;
1541 struct stat statbuf;
1542 pid_t passed_qr_pid = (pid_t)0;
1543 int passed_qr_pipe = -1;
1544 gid_t group_list[EXIM_GROUPLIST_SIZE];
1545
1546 /* For the -bI: flag */
1547 enum commandline_info info_flag = CMDINFO_NONE;
1548 BOOL info_stdout = FALSE;
1549
1550 /* Possible options for -R and -S */
1551
1552 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1553
1554 /* Need to define this in case we need to change the environment in order
1555 to get rid of a bogus time zone. We have to make it char rather than uschar
1556 because some OS define it in /usr/include/unistd.h. */
1557
1558 extern char **environ;
1559
1560 /* If the Exim user and/or group and/or the configuration file owner/group were
1561 defined by ref:name at build time, we must now find the actual uid/gid values.
1562 This is a feature to make the lives of binary distributors easier. */
1563
1564 #ifdef EXIM_USERNAME
1565 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1566 {
1567 if (exim_uid == 0)
1568 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1569
1570 /* If ref:name uses a number as the name, route_finduser() returns
1571 TRUE with exim_uid set and pw coerced to NULL. */
1572 if (pw)
1573 exim_gid = pw->pw_gid;
1574 #ifndef EXIM_GROUPNAME
1575 else
1576 exim_fail(
1577 "exim: ref:name should specify a usercode, not a group.\n"
1578 "exim: can't let you get away with it unless you also specify a group.\n");
1579 #endif
1580 }
1581 else
1582 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
1583 #endif
1584
1585 #ifdef EXIM_GROUPNAME
1586 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1587 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
1588 #endif
1589
1590 #ifdef CONFIGURE_OWNERNAME
1591 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1592 exim_fail("exim: failed to find uid for user name \"%s\"\n",
1593 CONFIGURE_OWNERNAME);
1594 #endif
1595
1596 /* We default the system_filter_user to be the Exim run-time user, as a
1597 sane non-root value. */
1598 system_filter_uid = exim_uid;
1599
1600 #ifdef CONFIGURE_GROUPNAME
1601 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1602 exim_fail("exim: failed to find gid for group name \"%s\"\n",
1603 CONFIGURE_GROUPNAME);
1604 #endif
1605
1606 /* In the Cygwin environment, some initialization used to need doing.
1607 It was fudged in by means of this macro; now no longer but we'll leave
1608 it in case of others. */
1609
1610 #ifdef OS_INIT
1611 OS_INIT
1612 #endif
1613
1614 /* Check a field which is patched when we are running Exim within its
1615 testing harness; do a fast initial check, and then the whole thing. */
1616
1617 f.running_in_test_harness =
1618 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1619 if (f.running_in_test_harness)
1620 debug_store = TRUE;
1621
1622 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1623 at the start of a program; however, it seems that some environments do not
1624 follow this. A "strange" locale can affect the formatting of timestamps, so we
1625 make quite sure. */
1626
1627 setlocale(LC_ALL, "C");
1628
1629 /* Set up the default handler for timing using alarm(). */
1630
1631 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1632
1633 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1634 because store_malloc writes a log entry on failure. */
1635
1636 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
1637 exim_fail("exim: failed to get store for log buffer\n");
1638
1639 /* Initialize the default log options. */
1640
1641 bits_set(log_selector, log_selector_size, log_default);
1642
1643 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1644 NULL when the daemon is run and the file is closed. We have to use this
1645 indirection, because some systems don't allow writing to the variable "stderr".
1646 */
1647
1648 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1649
1650 /* Arrange for the PCRE regex library to use our store functions. Note that
1651 the normal calls are actually macros that add additional arguments for
1652 debugging purposes so we have to assign specially constructed functions here.
1653 The default is to use store in the stacking pool, but this is overridden in the
1654 regex_must_compile() function. */
1655
1656 pcre_malloc = function_store_get;
1657 pcre_free = function_dummy_free;
1658
1659 /* Ensure there is a big buffer for temporary use in several places. It is put
1660 in malloc store so that it can be freed for enlargement if necessary. */
1661
1662 big_buffer = store_malloc(big_buffer_size);
1663
1664 /* Set up the handler for the data request signal, and set the initial
1665 descriptive text. */
1666
1667 set_process_info("initializing");
1668 os_restarting_signal(SIGUSR1, usr1_handler);
1669
1670 /* If running in a dockerized environment, the TERM signal is only
1671 delegated to the PID 1 if we request it by setting an signal handler */
1672 if (getpid() == 1) signal(SIGTERM, term_handler);
1673
1674 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1675 in the daemon code. For the rest of Exim's uses, we ignore it. */
1676
1677 signal(SIGHUP, SIG_IGN);
1678
1679 /* We don't want to die on pipe errors as the code is written to handle
1680 the write error instead. */
1681
1682 signal(SIGPIPE, SIG_IGN);
1683
1684 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1685 set to SIG_IGN. This causes subprocesses that complete before the parent
1686 process waits for them not to hang around, so when Exim calls wait(), nothing
1687 is there. The wait() code has been made robust against this, but let's ensure
1688 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1689 ending status. We use sigaction rather than plain signal() on those OS where
1690 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1691 problem on AIX with this.) */
1692
1693 #ifdef SA_NOCLDWAIT
1694 {
1695 struct sigaction act;
1696 act.sa_handler = SIG_DFL;
1697 sigemptyset(&(act.sa_mask));
1698 act.sa_flags = 0;
1699 sigaction(SIGCHLD, &act, NULL);
1700 }
1701 #else
1702 signal(SIGCHLD, SIG_DFL);
1703 #endif
1704
1705 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1706 SIGHUP. */
1707
1708 sighup_argv = argv;
1709
1710 /* Set up the version number. Set up the leading 'E' for the external form of
1711 message ids, set the pointer to the internal form, and initialize it to
1712 indicate no message being processed. */
1713
1714 version_init();
1715 message_id_option[0] = '-';
1716 message_id_external = message_id_option + 1;
1717 message_id_external[0] = 'E';
1718 message_id = message_id_external + 1;
1719 message_id[0] = 0;
1720
1721 /* Set the umask to zero so that any files Exim creates using open() are
1722 created with the modes that it specifies. NOTE: Files created with fopen() have
1723 a problem, which was not recognized till rather late (February 2006). With this
1724 umask, such files will be world writeable. (They are all content scanning files
1725 in the spool directory, which isn't world-accessible, so this is not a
1726 disaster, but it's untidy.) I don't want to change this overall setting,
1727 however, because it will interact badly with the open() calls. Instead, there's
1728 now a function called modefopen() that fiddles with the umask while calling
1729 fopen(). */
1730
1731 (void)umask(0);
1732
1733 /* Precompile the regular expression for matching a message id. Keep this in
1734 step with the code that generates ids in the accept.c module. We need to do
1735 this here, because the -M options check their arguments for syntactic validity
1736 using mac_ismsgid, which uses this. */
1737
1738 regex_ismsgid =
1739 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1740
1741 /* Precompile the regular expression that is used for matching an SMTP error
1742 code, possibly extended, at the start of an error message. Note that the
1743 terminating whitespace character is included. */
1744
1745 regex_smtp_code =
1746 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1747 FALSE, TRUE);
1748
1749 #ifdef WHITELIST_D_MACROS
1750 /* Precompile the regular expression used to filter the content of macros
1751 given to -D for permissibility. */
1752
1753 regex_whitelisted_macro =
1754 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1755 #endif
1756
1757 for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1758
1759 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1760 this seems to be a generally accepted convention, since one finds symbolic
1761 links called "mailq" in standard OS configurations. */
1762
1763 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1764 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1765 {
1766 list_queue = TRUE;
1767 receiving_message = FALSE;
1768 called_as = US"-mailq";
1769 }
1770
1771 /* If the program is called as "rmail" treat it as equivalent to
1772 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1773 i.e. preventing a single dot on a line from terminating the message, and
1774 returning with zero return code, even in cases of error (provided an error
1775 message has been sent). */
1776
1777 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1778 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1779 {
1780 f.dot_ends = FALSE;
1781 called_as = US"-rmail";
1782 errors_sender_rc = EXIT_SUCCESS;
1783 }
1784
1785 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1786 this is a smail convention. */
1787
1788 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1789 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1790 {
1791 smtp_input = smtp_batched_input = TRUE;
1792 called_as = US"-rsmtp";
1793 }
1794
1795 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1796 this is a smail convention. */
1797
1798 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1799 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1800 {
1801 queue_interval = 0;
1802 receiving_message = FALSE;
1803 called_as = US"-runq";
1804 }
1805
1806 /* If the program is called as "newaliases" treat it as equivalent to
1807 "exim -bi"; this is a sendmail convention. */
1808
1809 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1810 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1811 {
1812 bi_option = TRUE;
1813 receiving_message = FALSE;
1814 called_as = US"-newaliases";
1815 }
1816
1817 /* Save the original effective uid for a couple of uses later. It should
1818 normally be root, but in some esoteric environments it may not be. */
1819
1820 original_euid = geteuid();
1821
1822 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1823 to be the same as the real ones. This makes a difference only if Exim is setuid
1824 (or setgid) to something other than root, which could be the case in some
1825 special configurations. */
1826
1827 real_uid = getuid();
1828 real_gid = getgid();
1829
1830 if (real_uid == root_uid)
1831 {
1832 if ((rv = setgid(real_gid)))
1833 exim_fail("exim: setgid(%ld) failed: %s\n",
1834 (long int)real_gid, strerror(errno));
1835 if ((rv = setuid(real_uid)))
1836 exim_fail("exim: setuid(%ld) failed: %s\n",
1837 (long int)real_uid, strerror(errno));
1838 }
1839
1840 /* If neither the original real uid nor the original euid was root, Exim is
1841 running in an unprivileged state. */
1842
1843 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1844
1845 /* Scan the program's arguments. Some can be dealt with right away; others are
1846 simply recorded for checking and handling afterwards. Do a high-level switch
1847 on the second character (the one after '-'), to save some effort. */
1848
1849 for (i = 1; i < argc; i++)
1850 {
1851 BOOL badarg = FALSE;
1852 uschar *arg = argv[i];
1853 uschar *argrest;
1854 int switchchar;
1855
1856 /* An argument not starting with '-' is the start of a recipients list;
1857 break out of the options-scanning loop. */
1858
1859 if (arg[0] != '-')
1860 {
1861 recipients_arg = i;
1862 break;
1863 }
1864
1865 /* An option consisting of -- terminates the options */
1866
1867 if (Ustrcmp(arg, "--") == 0)
1868 {
1869 recipients_arg = i + 1;
1870 break;
1871 }
1872
1873 /* Handle flagged options */
1874
1875 switchchar = arg[1];
1876 argrest = arg+2;
1877
1878 /* Make all -ex options synonymous with -oex arguments, since that
1879 is assumed by various callers. Also make -qR options synonymous with -R
1880 options, as that seems to be required as well. Allow for -qqR too, and
1881 the same for -S options. */
1882
1883 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1884 Ustrncmp(arg+1, "qR", 2) == 0 ||
1885 Ustrncmp(arg+1, "qS", 2) == 0)
1886 {
1887 switchchar = arg[2];
1888 argrest++;
1889 }
1890 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1891 {
1892 switchchar = arg[3];
1893 argrest += 2;
1894 f.queue_2stage = TRUE;
1895 }
1896
1897 /* Make -r synonymous with -f, since it is a documented alias */
1898
1899 else if (arg[1] == 'r') switchchar = 'f';
1900
1901 /* Make -ov synonymous with -v */
1902
1903 else if (Ustrcmp(arg, "-ov") == 0)
1904 {
1905 switchchar = 'v';
1906 argrest++;
1907 }
1908
1909 /* deal with --option_aliases */
1910 else if (switchchar == '-')
1911 {
1912 if (Ustrcmp(argrest, "help") == 0)
1913 {
1914 usage_wanted = TRUE;
1915 break;
1916 }
1917 else if (Ustrcmp(argrest, "version") == 0)
1918 {
1919 switchchar = 'b';
1920 argrest = US"V";
1921 }
1922 }
1923
1924 /* High-level switch on active initial letter */
1925
1926 switch(switchchar)
1927 {
1928
1929 /* sendmail uses -Ac and -Am to control which .cf file is used;
1930 we ignore them. */
1931 case 'A':
1932 if (*argrest == '\0') { badarg = TRUE; break; }
1933 else
1934 {
1935 BOOL ignore = FALSE;
1936 switch (*argrest)
1937 {
1938 case 'c':
1939 case 'm':
1940 if (*(argrest + 1) == '\0')
1941 ignore = TRUE;
1942 break;
1943 }
1944 if (!ignore) { badarg = TRUE; break; }
1945 }
1946 break;
1947
1948 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1949 so has no need of it. */
1950
1951 case 'B':
1952 if (*argrest == 0) i++; /* Skip over the type */
1953 break;
1954
1955
1956 case 'b':
1957 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1958
1959 /* -bd: Run in daemon mode, awaiting SMTP connections.
1960 -bdf: Ditto, but in the foreground.
1961 */
1962
1963 if (*argrest == 'd')
1964 {
1965 f.daemon_listen = TRUE;
1966 if (*(++argrest) == 'f') f.background_daemon = FALSE;
1967 else if (*argrest != 0) { badarg = TRUE; break; }
1968 }
1969
1970 /* -be: Run in expansion test mode
1971 -bem: Ditto, but read a message from a file first
1972 */
1973
1974 else if (*argrest == 'e')
1975 {
1976 expansion_test = checking = TRUE;
1977 if (argrest[1] == 'm')
1978 {
1979 if (++i >= argc) { badarg = TRUE; break; }
1980 expansion_test_message = argv[i];
1981 argrest++;
1982 }
1983 if (argrest[1] != 0) { badarg = TRUE; break; }
1984 }
1985
1986 /* -bF: Run system filter test */
1987
1988 else if (*argrest == 'F')
1989 {
1990 filter_test |= checking = FTEST_SYSTEM;
1991 if (*(++argrest) != 0) { badarg = TRUE; break; }
1992 if (++i < argc) filter_test_sfile = argv[i]; else
1993 exim_fail("exim: file name expected after %s\n", argv[i-1]);
1994 }
1995
1996 /* -bf: Run user filter test
1997 -bfd: Set domain for filter testing
1998 -bfl: Set local part for filter testing
1999 -bfp: Set prefix for filter testing
2000 -bfs: Set suffix for filter testing
2001 */
2002
2003 else if (*argrest == 'f')
2004 {
2005 if (*(++argrest) == 0)
2006 {
2007 filter_test |= checking = FTEST_USER;
2008 if (++i < argc) filter_test_ufile = argv[i]; else
2009 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2010 }
2011 else
2012 {
2013 if (++i >= argc)
2014 exim_fail("exim: string expected after %s\n", arg);
2015 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2016 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2017 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2018 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2019 else { badarg = TRUE; break; }
2020 }
2021 }
2022
2023 /* -bh: Host checking - an IP address must follow. */
2024
2025 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2026 {
2027 if (++i >= argc) { badarg = TRUE; break; }
2028 sender_host_address = argv[i];
2029 host_checking = checking = f.log_testing_mode = TRUE;
2030 f.host_checking_callout = argrest[1] == 'c';
2031 message_logs = FALSE;
2032 }
2033
2034 /* -bi: This option is used by sendmail to initialize *the* alias file,
2035 though it has the -oA option to specify a different file. Exim has no
2036 concept of *the* alias file, but since Sun's YP make script calls
2037 sendmail this way, some support must be provided. */
2038
2039 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2040
2041 /* -bI: provide information, of the type to follow after a colon.
2042 This is an Exim flag. */
2043
2044 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2045 {
2046 uschar *p = &argrest[2];
2047 info_flag = CMDINFO_HELP;
2048 if (Ustrlen(p))
2049 {
2050 if (strcmpic(p, CUS"sieve") == 0)
2051 {
2052 info_flag = CMDINFO_SIEVE;
2053 info_stdout = TRUE;
2054 }
2055 else if (strcmpic(p, CUS"dscp") == 0)
2056 {
2057 info_flag = CMDINFO_DSCP;
2058 info_stdout = TRUE;
2059 }
2060 else if (strcmpic(p, CUS"help") == 0)
2061 {
2062 info_stdout = TRUE;
2063 }
2064 }
2065 }
2066
2067 /* -bm: Accept and deliver message - the default option. Reinstate
2068 receiving_message, which got turned off for all -b options. */
2069
2070 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2071
2072 /* -bmalware: test the filename given for malware */
2073
2074 else if (Ustrcmp(argrest, "malware") == 0)
2075 {
2076 if (++i >= argc) { badarg = TRUE; break; }
2077 checking = TRUE;
2078 malware_test_file = argv[i];
2079 }
2080
2081 /* -bnq: For locally originating messages, do not qualify unqualified
2082 addresses. In the envelope, this causes errors; in header lines they
2083 just get left. */
2084
2085 else if (Ustrcmp(argrest, "nq") == 0)
2086 {
2087 f.allow_unqualified_sender = FALSE;
2088 f.allow_unqualified_recipient = FALSE;
2089 }
2090
2091 /* -bpxx: List the contents of the mail queue, in various forms. If
2092 the option is -bpc, just a queue count is needed. Otherwise, if the
2093 first letter after p is r, then order is random. */
2094
2095 else if (*argrest == 'p')
2096 {
2097 if (*(++argrest) == 'c')
2098 {
2099 count_queue = TRUE;
2100 if (*(++argrest) != 0) badarg = TRUE;
2101 break;
2102 }
2103
2104 if (*argrest == 'r')
2105 {
2106 list_queue_option = 8;
2107 argrest++;
2108 }
2109 else list_queue_option = 0;
2110
2111 list_queue = TRUE;
2112
2113 /* -bp: List the contents of the mail queue, top-level only */
2114
2115 if (*argrest == 0) {}
2116
2117 /* -bpu: List the contents of the mail queue, top-level undelivered */
2118
2119 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2120
2121 /* -bpa: List the contents of the mail queue, including all delivered */
2122
2123 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2124
2125 /* Unknown after -bp[r] */
2126
2127 else
2128 {
2129 badarg = TRUE;
2130 break;
2131 }
2132 }
2133
2134
2135 /* -bP: List the configuration variables given as the address list.
2136 Force -v, so configuration errors get displayed. */
2137
2138 else if (Ustrcmp(argrest, "P") == 0)
2139 {
2140 /* -bP config: we need to setup here, because later,
2141 * when list_options is checked, the config is read already */
2142 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2143 {
2144 list_config = TRUE;
2145 readconf_save_config(version_string);
2146 }
2147 else
2148 {
2149 list_options = TRUE;
2150 debug_selector |= D_v;
2151 debug_file = stderr;
2152 }
2153 }
2154
2155 /* -brt: Test retry configuration lookup */
2156
2157 else if (Ustrcmp(argrest, "rt") == 0)
2158 {
2159 checking = TRUE;
2160 test_retry_arg = i + 1;
2161 goto END_ARG;
2162 }
2163
2164 /* -brw: Test rewrite configuration */
2165
2166 else if (Ustrcmp(argrest, "rw") == 0)
2167 {
2168 checking = TRUE;
2169 test_rewrite_arg = i + 1;
2170 goto END_ARG;
2171 }
2172
2173 /* -bS: Read SMTP commands on standard input, but produce no replies -
2174 all errors are reported by sending messages. */
2175
2176 else if (Ustrcmp(argrest, "S") == 0)
2177 smtp_input = smtp_batched_input = receiving_message = TRUE;
2178
2179 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2180 on standard output. */
2181
2182 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2183
2184 /* -bt: address testing mode */
2185
2186 else if (Ustrcmp(argrest, "t") == 0)
2187 f.address_test_mode = checking = f.log_testing_mode = TRUE;
2188
2189 /* -bv: verify addresses */
2190
2191 else if (Ustrcmp(argrest, "v") == 0)
2192 verify_address_mode = checking = f.log_testing_mode = TRUE;
2193
2194 /* -bvs: verify sender addresses */
2195
2196 else if (Ustrcmp(argrest, "vs") == 0)
2197 {
2198 verify_address_mode = checking = f.log_testing_mode = TRUE;
2199 verify_as_sender = TRUE;
2200 }
2201
2202 /* -bV: Print version string and support details */
2203
2204 else if (Ustrcmp(argrest, "V") == 0)
2205 {
2206 printf("Exim version %s #%s built %s\n", version_string,
2207 version_cnumber, version_date);
2208 printf("%s\n", CS version_copyright);
2209 version_printed = TRUE;
2210 show_whats_supported(stdout);
2211 f.log_testing_mode = TRUE;
2212 }
2213
2214 /* -bw: inetd wait mode, accept a listening socket as stdin */
2215
2216 else if (*argrest == 'w')
2217 {
2218 f.inetd_wait_mode = TRUE;
2219 f.background_daemon = FALSE;
2220 f.daemon_listen = TRUE;
2221 if (*(++argrest) != '\0')
2222 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2223 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
2224 }
2225
2226 else badarg = TRUE;
2227 break;
2228
2229
2230 /* -C: change configuration file list; ignore if it isn't really
2231 a change! Enforce a prefix check if required. */
2232
2233 case 'C':
2234 if (*argrest == 0)
2235 {
2236 if(++i < argc) argrest = argv[i]; else
2237 { badarg = TRUE; break; }
2238 }
2239 if (Ustrcmp(config_main_filelist, argrest) != 0)
2240 {
2241 #ifdef ALT_CONFIG_PREFIX
2242 int sep = 0;
2243 int len = Ustrlen(ALT_CONFIG_PREFIX);
2244 const uschar *list = argrest;
2245 uschar *filename;
2246 while((filename = string_nextinlist(&list, &sep, big_buffer,
2247 big_buffer_size)) != NULL)
2248 {
2249 if ((Ustrlen(filename) < len ||
2250 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2251 Ustrstr(filename, "/../") != NULL) &&
2252 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2253 exim_fail("-C Permission denied\n");
2254 }
2255 #endif
2256 if (real_uid != root_uid)
2257 {
2258 #ifdef TRUSTED_CONFIG_LIST
2259
2260 if (real_uid != exim_uid
2261 #ifdef CONFIGURE_OWNER
2262 && real_uid != config_uid
2263 #endif
2264 )
2265 f.trusted_config = FALSE;
2266 else
2267 {
2268 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2269 if (trust_list)
2270 {
2271 struct stat statbuf;
2272
2273 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2274 (statbuf.st_uid != root_uid /* owner not root */
2275 #ifdef CONFIGURE_OWNER
2276 && statbuf.st_uid != config_uid /* owner not the special one */
2277 #endif
2278 ) || /* or */
2279 (statbuf.st_gid != root_gid /* group not root */
2280 #ifdef CONFIGURE_GROUP
2281 && statbuf.st_gid != config_gid /* group not the special one */
2282 #endif
2283 && (statbuf.st_mode & 020) != 0 /* group writeable */
2284 ) || /* or */
2285 (statbuf.st_mode & 2) != 0) /* world writeable */
2286 {
2287 f.trusted_config = FALSE;
2288 fclose(trust_list);
2289 }
2290 else
2291 {
2292 /* Well, the trust list at least is up to scratch... */
2293 void *reset_point = store_get(0);
2294 uschar *trusted_configs[32];
2295 int nr_configs = 0;
2296 int i = 0;
2297
2298 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2299 {
2300 uschar *start = big_buffer, *nl;
2301 while (*start && isspace(*start))
2302 start++;
2303 if (*start != '/')
2304 continue;
2305 nl = Ustrchr(start, '\n');
2306 if (nl)
2307 *nl = 0;
2308 trusted_configs[nr_configs++] = string_copy(start);
2309 if (nr_configs == 32)
2310 break;
2311 }
2312 fclose(trust_list);
2313
2314 if (nr_configs)
2315 {
2316 int sep = 0;
2317 const uschar *list = argrest;
2318 uschar *filename;
2319 while (f.trusted_config && (filename = string_nextinlist(&list,
2320 &sep, big_buffer, big_buffer_size)) != NULL)
2321 {
2322 for (i=0; i < nr_configs; i++)
2323 {
2324 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2325 break;
2326 }
2327 if (i == nr_configs)
2328 {
2329 f.trusted_config = FALSE;
2330 break;
2331 }
2332 }
2333 store_reset(reset_point);
2334 }
2335 else
2336 {
2337 /* No valid prefixes found in trust_list file. */
2338 f.trusted_config = FALSE;
2339 }
2340 }
2341 }
2342 else
2343 {
2344 /* Could not open trust_list file. */
2345 f.trusted_config = FALSE;
2346 }
2347 }
2348 #else
2349 /* Not root; don't trust config */
2350 f.trusted_config = FALSE;
2351 #endif
2352 }
2353
2354 config_main_filelist = argrest;
2355 f.config_changed = TRUE;
2356 }
2357 break;
2358
2359
2360 /* -D: set up a macro definition */
2361
2362 case 'D':
2363 #ifdef DISABLE_D_OPTION
2364 exim_fail("exim: -D is not available in this Exim binary\n");
2365 #else
2366 {
2367 int ptr = 0;
2368 macro_item *m;
2369 uschar name[24];
2370 uschar *s = argrest;
2371
2372 opt_D_used = TRUE;
2373 while (isspace(*s)) s++;
2374
2375 if (*s < 'A' || *s > 'Z')
2376 exim_fail("exim: macro name set by -D must start with "
2377 "an upper case letter\n");
2378
2379 while (isalnum(*s) || *s == '_')
2380 {
2381 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2382 s++;
2383 }
2384 name[ptr] = 0;
2385 if (ptr == 0) { badarg = TRUE; break; }
2386 while (isspace(*s)) s++;
2387 if (*s != 0)
2388 {
2389 if (*s++ != '=') { badarg = TRUE; break; }
2390 while (isspace(*s)) s++;
2391 }
2392
2393 for (m = macros_user; m; m = m->next)
2394 if (Ustrcmp(m->name, name) == 0)
2395 exim_fail("exim: duplicated -D in command line\n");
2396
2397 m = macro_create(name, s, TRUE);
2398
2399 if (clmacro_count >= MAX_CLMACROS)
2400 exim_fail("exim: too many -D options on command line\n");
2401 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2402 m->replacement);
2403 }
2404 #endif
2405 break;
2406
2407 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2408 The latter is now a no-op, retained for compatibility only. If -dd is used,
2409 debugging subprocesses of the daemon is disabled. */
2410
2411 case 'd':
2412 if (Ustrcmp(argrest, "ropcr") == 0)
2413 {
2414 /* drop_cr = TRUE; */
2415 }
2416
2417 /* Use an intermediate variable so that we don't set debugging while
2418 decoding the debugging bits. */
2419
2420 else
2421 {
2422 unsigned int selector = D_default;
2423 debug_selector = 0;
2424 debug_file = NULL;
2425 if (*argrest == 'd')
2426 {
2427 f.debug_daemon = TRUE;
2428 argrest++;
2429 }
2430 if (*argrest != 0)
2431 decode_bits(&selector, 1, debug_notall, argrest,
2432 debug_options, debug_options_count, US"debug", 0);
2433 debug_selector = selector;
2434 }
2435 break;
2436
2437
2438 /* -E: This is a local error message. This option is not intended for
2439 external use at all, but is not restricted to trusted callers because it
2440 does no harm (just suppresses certain error messages) and if Exim is run
2441 not setuid root it won't always be trusted when it generates error
2442 messages using this option. If there is a message id following -E, point
2443 message_reference at it, for logging. */
2444
2445 case 'E':
2446 f.local_error_message = TRUE;
2447 if (mac_ismsgid(argrest)) message_reference = argrest;
2448 break;
2449
2450
2451 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2452 option, so it looks as if historically the -oex options are also callable
2453 without the leading -o. So we have to accept them. Before the switch,
2454 anything starting -oe has been converted to -e. Exim does not support all
2455 of the sendmail error options. */
2456
2457 case 'e':
2458 if (Ustrcmp(argrest, "e") == 0)
2459 {
2460 arg_error_handling = ERRORS_SENDER;
2461 errors_sender_rc = EXIT_SUCCESS;
2462 }
2463 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2464 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2465 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2466 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2467 else badarg = TRUE;
2468 break;
2469
2470
2471 /* -F: Set sender's full name, used instead of the gecos entry from
2472 the password file. Since users can usually alter their gecos entries,
2473 there's no security involved in using this instead. The data can follow
2474 the -F or be in the next argument. */
2475
2476 case 'F':
2477 if (*argrest == 0)
2478 {
2479 if(++i < argc) argrest = argv[i]; else
2480 { badarg = TRUE; break; }
2481 }
2482 originator_name = argrest;
2483 f.sender_name_forced = TRUE;
2484 break;
2485
2486
2487 /* -f: Set sender's address - this value is only actually used if Exim is
2488 run by a trusted user, or if untrusted_set_sender is set and matches the
2489 address, except that the null address can always be set by any user. The
2490 test for this happens later, when the value given here is ignored when not
2491 permitted. For an untrusted user, the actual sender is still put in Sender:
2492 if it doesn't match the From: header (unless no_local_from_check is set).
2493 The data can follow the -f or be in the next argument. The -r switch is an
2494 obsolete form of -f but since there appear to be programs out there that
2495 use anything that sendmail has ever supported, better accept it - the
2496 synonymizing is done before the switch above.
2497
2498 At this stage, we must allow domain literal addresses, because we don't
2499 know what the setting of allow_domain_literals is yet. Ditto for trailing
2500 dots and strip_trailing_dot. */
2501
2502 case 'f':
2503 {
2504 int dummy_start, dummy_end;
2505 uschar *errmess;
2506 if (*argrest == 0)
2507 {
2508 if (i+1 < argc) argrest = argv[++i]; else
2509 { badarg = TRUE; break; }
2510 }
2511 if (*argrest == 0)
2512 sender_address = string_sprintf(""); /* Ensure writeable memory */
2513 else
2514 {
2515 uschar *temp = argrest + Ustrlen(argrest) - 1;
2516 while (temp >= argrest && isspace(*temp)) temp--;
2517 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2518 allow_domain_literals = TRUE;
2519 strip_trailing_dot = TRUE;
2520 #ifdef SUPPORT_I18N
2521 allow_utf8_domains = TRUE;
2522 #endif
2523 sender_address = parse_extract_address(argrest, &errmess,
2524 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
2525 #ifdef SUPPORT_I18N
2526 message_smtputf8 = string_is_utf8(sender_address);
2527 allow_utf8_domains = FALSE;
2528 #endif
2529 allow_domain_literals = FALSE;
2530 strip_trailing_dot = FALSE;
2531 if (!sender_address)
2532 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
2533 }
2534 f.sender_address_forced = TRUE;
2535 }
2536 break;
2537
2538 /* -G: sendmail invocation to specify that it's a gateway submission and
2539 sendmail may complain about problems instead of fixing them.
2540 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2541 not at this time complain about problems. */
2542
2543 case 'G':
2544 flag_G = TRUE;
2545 break;
2546
2547 /* -h: Set the hop count for an incoming message. Exim does not currently
2548 support this; it always computes it by counting the Received: headers.
2549 To put it in will require a change to the spool header file format. */
2550
2551 case 'h':
2552 if (*argrest == 0)
2553 {
2554 if(++i < argc) argrest = argv[i]; else
2555 { badarg = TRUE; break; }
2556 }
2557 if (!isdigit(*argrest)) badarg = TRUE;
2558 break;
2559
2560
2561 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2562 not to be documented for sendmail but mailx (at least) uses it) */
2563
2564 case 'i':
2565 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
2566 break;
2567
2568
2569 /* -L: set the identifier used for syslog; equivalent to setting
2570 syslog_processname in the config file, but needs to be an admin option. */
2571
2572 case 'L':
2573 if (*argrest == '\0')
2574 {
2575 if(++i < argc) argrest = argv[i]; else
2576 { badarg = TRUE; break; }
2577 }
2578 if ((sz = Ustrlen(argrest)) > 32)
2579 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
2580 if (sz < 1)
2581 exim_fail("exim: the -L syslog name is too short\n");
2582 cmdline_syslog_name = argrest;
2583 break;
2584
2585 case 'M':
2586 receiving_message = FALSE;
2587
2588 /* -MC: continue delivery of another message via an existing open
2589 file descriptor. This option is used for an internal call by the
2590 smtp transport when there is a pending message waiting to go to an
2591 address to which it has got a connection. Five subsequent arguments are
2592 required: transport name, host name, IP address, sequence number, and
2593 message_id. Transports may decline to create new processes if the sequence
2594 number gets too big. The channel is stdin. This (-MC) must be the last
2595 argument. There's a subsequent check that the real-uid is privileged.
2596
2597 If we are running in the test harness. delay for a bit, to let the process
2598 that set this one up complete. This makes for repeatability of the logging,
2599 etc. output. */
2600
2601 if (Ustrcmp(argrest, "C") == 0)
2602 {
2603 union sockaddr_46 interface_sock;
2604 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2605
2606 if (argc != i + 6)
2607 exim_fail("exim: too many or too few arguments after -MC\n");
2608
2609 if (msg_action_arg >= 0)
2610 exim_fail("exim: incompatible arguments\n");
2611
2612 continue_transport = argv[++i];
2613 continue_hostname = argv[++i];
2614 continue_host_address = argv[++i];
2615 continue_sequence = Uatoi(argv[++i]);
2616 msg_action = MSG_DELIVER;
2617 msg_action_arg = ++i;
2618 forced_delivery = TRUE;
2619 queue_run_pid = passed_qr_pid;
2620 queue_run_pipe = passed_qr_pipe;
2621
2622 if (!mac_ismsgid(argv[i]))
2623 exim_fail("exim: malformed message id %s after -MC option\n",
2624 argv[i]);
2625
2626 /* Set up $sending_ip_address and $sending_port, unless proxied */
2627
2628 if (!continue_proxy_cipher)
2629 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2630 &size) == 0)
2631 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2632 &sending_port);
2633 else
2634 exim_fail("exim: getsockname() failed after -MC option: %s\n",
2635 strerror(errno));
2636
2637 if (f.running_in_test_harness) millisleep(500);
2638 break;
2639 }
2640
2641 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2642 {
2643 switch(argrest[1])
2644 {
2645 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2646 precedes -MC (see above). The flag indicates that the host to which
2647 Exim is connected has accepted an AUTH sequence. */
2648
2649 case 'A': f.smtp_authenticated = TRUE; break;
2650
2651 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2652 that exim is connected to supports the esmtp extension DSN */
2653
2654 case 'D': smtp_peer_options |= OPTION_DSN; break;
2655
2656 /* -MCG: set the queue name, to a non-default value */
2657
2658 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2659 else badarg = TRUE;
2660 break;
2661
2662 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2663
2664 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
2665
2666 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2667 it preceded -MC (see above) */
2668
2669 case 'P': smtp_peer_options |= OPTION_PIPE; break;
2670
2671 /* -MCQ: pass on the pid of the queue-running process that started
2672 this chain of deliveries and the fd of its synchronizing pipe; this
2673 is useful only when it precedes -MC (see above) */
2674
2675 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2676 else badarg = TRUE;
2677 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2678 else badarg = TRUE;
2679 break;
2680
2681 /* -MCS: set the smtp_use_size flag; this is useful only when it
2682 precedes -MC (see above) */
2683
2684 case 'S': smtp_peer_options |= OPTION_SIZE; break;
2685
2686 #ifdef SUPPORT_TLS
2687 /* -MCt: similar to -MCT below but the connection is still open
2688 via a proxy proces which handles the TLS context and coding.
2689 Require three arguments for the proxied local address and port,
2690 and the TLS cipher. */
2691
2692 case 't': if (++i < argc) sending_ip_address = argv[i];
2693 else badarg = TRUE;
2694 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2695 else badarg = TRUE;
2696 if (++i < argc) continue_proxy_cipher = argv[i];
2697 else badarg = TRUE;
2698 /*FALLTHROUGH*/
2699
2700 /* -MCT: set the tls_offered flag; this is useful only when it
2701 precedes -MC (see above). The flag indicates that the host to which
2702 Exim is connected has offered TLS support. */
2703
2704 case 'T': smtp_peer_options |= OPTION_TLS; break;
2705 #endif
2706
2707 default: badarg = TRUE; break;
2708 }
2709 break;
2710 }
2711
2712 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
2713 /* -MS set REQUIRETLS on (new) message */
2714
2715 else if (*argrest == 'S')
2716 {
2717 tls_requiretls |= REQUIRETLS_MSG;
2718 break;
2719 }
2720 #endif
2721
2722 /* -M[x]: various operations on the following list of message ids:
2723 -M deliver the messages, ignoring next retry times and thawing
2724 -Mc deliver the messages, checking next retry times, no thawing
2725 -Mf freeze the messages
2726 -Mg give up on the messages
2727 -Mt thaw the messages
2728 -Mrm remove the messages
2729 In the above cases, this must be the last option. There are also the
2730 following options which are followed by a single message id, and which
2731 act on that message. Some of them use the "recipient" addresses as well.
2732 -Mar add recipient(s)
2733 -Mmad mark all recipients delivered
2734 -Mmd mark recipients(s) delivered
2735 -Mes edit sender
2736 -Mset load a message for use with -be
2737 -Mvb show body
2738 -Mvc show copy (of whole message, in RFC 2822 format)
2739 -Mvh show header
2740 -Mvl show log
2741 */
2742
2743 else if (*argrest == 0)
2744 {
2745 msg_action = MSG_DELIVER;
2746 forced_delivery = f.deliver_force_thaw = TRUE;
2747 }
2748 else if (Ustrcmp(argrest, "ar") == 0)
2749 {
2750 msg_action = MSG_ADD_RECIPIENT;
2751 one_msg_action = TRUE;
2752 }
2753 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2754 else if (Ustrcmp(argrest, "es") == 0)
2755 {
2756 msg_action = MSG_EDIT_SENDER;
2757 one_msg_action = TRUE;
2758 }
2759 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2760 else if (Ustrcmp(argrest, "g") == 0)
2761 {
2762 msg_action = MSG_DELIVER;
2763 deliver_give_up = TRUE;
2764 }
2765 else if (Ustrcmp(argrest, "mad") == 0)
2766 {
2767 msg_action = MSG_MARK_ALL_DELIVERED;
2768 }
2769 else if (Ustrcmp(argrest, "md") == 0)
2770 {
2771 msg_action = MSG_MARK_DELIVERED;
2772 one_msg_action = TRUE;
2773 }
2774 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2775 else if (Ustrcmp(argrest, "set") == 0)
2776 {
2777 msg_action = MSG_LOAD;
2778 one_msg_action = TRUE;
2779 }
2780 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2781 else if (Ustrcmp(argrest, "vb") == 0)
2782 {
2783 msg_action = MSG_SHOW_BODY;
2784 one_msg_action = TRUE;
2785 }
2786 else if (Ustrcmp(argrest, "vc") == 0)
2787 {
2788 msg_action = MSG_SHOW_COPY;
2789 one_msg_action = TRUE;
2790 }
2791 else if (Ustrcmp(argrest, "vh") == 0)
2792 {
2793 msg_action = MSG_SHOW_HEADER;
2794 one_msg_action = TRUE;
2795 }
2796 else if (Ustrcmp(argrest, "vl") == 0)
2797 {
2798 msg_action = MSG_SHOW_LOG;
2799 one_msg_action = TRUE;
2800 }
2801 else { badarg = TRUE; break; }
2802
2803 /* All the -Mxx options require at least one message id. */
2804
2805 msg_action_arg = i + 1;
2806 if (msg_action_arg >= argc)
2807 exim_fail("exim: no message ids given after %s option\n", arg);
2808
2809 /* Some require only message ids to follow */
2810
2811 if (!one_msg_action)
2812 {
2813 int j;
2814 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2815 exim_fail("exim: malformed message id %s after %s option\n",
2816 argv[j], arg);
2817 goto END_ARG; /* Remaining args are ids */
2818 }
2819
2820 /* Others require only one message id, possibly followed by addresses,
2821 which will be handled as normal arguments. */
2822
2823 else
2824 {
2825 if (!mac_ismsgid(argv[msg_action_arg]))
2826 exim_fail("exim: malformed message id %s after %s option\n",
2827 argv[msg_action_arg], arg);
2828 i++;
2829 }
2830 break;
2831
2832
2833 /* Some programs seem to call the -om option without the leading o;
2834 for sendmail it askes for "me too". Exim always does this. */
2835
2836 case 'm':
2837 if (*argrest != 0) badarg = TRUE;
2838 break;
2839
2840
2841 /* -N: don't do delivery - a debugging option that stops transports doing
2842 their thing. It implies debugging at the D_v level. */
2843
2844 case 'N':
2845 if (*argrest == 0)
2846 {
2847 f.dont_deliver = TRUE;
2848 debug_selector |= D_v;
2849 debug_file = stderr;
2850 }
2851 else badarg = TRUE;
2852 break;
2853
2854
2855 /* -n: This means "don't alias" in sendmail, apparently.
2856 For normal invocations, it has no effect.
2857 It may affect some other options. */
2858
2859 case 'n':
2860 flag_n = TRUE;
2861 break;
2862
2863 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2864 option to the specified value. This form uses long names. We need to handle
2865 -O option=value and -Ooption=value. */
2866
2867 case 'O':
2868 if (*argrest == 0)
2869 {
2870 if (++i >= argc)
2871 exim_fail("exim: string expected after -O\n");
2872 }
2873 break;
2874
2875 case 'o':
2876
2877 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2878 file" option). */
2879
2880 if (*argrest == 'A')
2881 {
2882 alias_arg = argrest + 1;
2883 if (alias_arg[0] == 0)
2884 {
2885 if (i+1 < argc) alias_arg = argv[++i]; else
2886 exim_fail("exim: string expected after -oA\n");
2887 }
2888 }
2889
2890 /* -oB: Set a connection message max value for remote deliveries */
2891
2892 else if (*argrest == 'B')
2893 {
2894 uschar *p = argrest + 1;
2895 if (p[0] == 0)
2896 {
2897 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2898 {
2899 connection_max_messages = 1;
2900 p = NULL;
2901 }
2902 }
2903
2904 if (p != NULL)
2905 {
2906 if (!isdigit(*p))
2907 exim_fail("exim: number expected after -oB\n");
2908 connection_max_messages = Uatoi(p);
2909 }
2910 }
2911
2912 /* -odb: background delivery */
2913
2914 else if (Ustrcmp(argrest, "db") == 0)
2915 {
2916 f.synchronous_delivery = FALSE;
2917 arg_queue_only = FALSE;
2918 queue_only_set = TRUE;
2919 }
2920
2921 /* -odf: foreground delivery (smail-compatible option); same effect as
2922 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2923 */
2924
2925 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2926 {
2927 f.synchronous_delivery = TRUE;
2928 arg_queue_only = FALSE;
2929 queue_only_set = TRUE;
2930 }
2931
2932 /* -odq: queue only */
2933
2934 else if (Ustrcmp(argrest, "dq") == 0)
2935 {
2936 f.synchronous_delivery = FALSE;
2937 arg_queue_only = TRUE;
2938 queue_only_set = TRUE;
2939 }
2940
2941 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2942 but no remote delivery */
2943
2944 else if (Ustrcmp(argrest, "dqs") == 0)
2945 {
2946 f.queue_smtp = TRUE;
2947 arg_queue_only = FALSE;
2948 queue_only_set = TRUE;
2949 }
2950
2951 /* -oex: Sendmail error flags. As these are also accepted without the
2952 leading -o prefix, for compatibility with vacation and other callers,
2953 they are handled with -e above. */
2954
2955 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2956 -oitrue: Another sendmail syntax for the same */
2957
2958 else if (Ustrcmp(argrest, "i") == 0 ||
2959 Ustrcmp(argrest, "itrue") == 0)
2960 f.dot_ends = FALSE;
2961
2962 /* -oM*: Set various characteristics for an incoming message; actually
2963 acted on for trusted callers only. */
2964
2965 else if (*argrest == 'M')
2966 {
2967 if (i+1 >= argc)
2968 exim_fail("exim: data expected after -o%s\n", argrest);
2969
2970 /* -oMa: Set sender host address */
2971
2972 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2973
2974 /* -oMaa: Set authenticator name */
2975
2976 else if (Ustrcmp(argrest, "Maa") == 0)
2977 sender_host_authenticated = argv[++i];
2978
2979 /* -oMas: setting authenticated sender */
2980
2981 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2982
2983 /* -oMai: setting authenticated id */
2984
2985 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2986
2987 /* -oMi: Set incoming interface address */
2988
2989 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2990
2991 /* -oMm: Message reference */
2992
2993 else if (Ustrcmp(argrest, "Mm") == 0)
2994 {
2995 if (!mac_ismsgid(argv[i+1]))
2996 exim_fail("-oMm must be a valid message ID\n");
2997 if (!f.trusted_config)
2998 exim_fail("-oMm must be called by a trusted user/config\n");
2999 message_reference = argv[++i];
3000 }
3001
3002 /* -oMr: Received protocol */
3003
3004 else if (Ustrcmp(argrest, "Mr") == 0)
3005
3006 if (received_protocol)
3007 exim_fail("received_protocol is set already\n");
3008 else
3009 received_protocol = argv[++i];
3010
3011 /* -oMs: Set sender host name */
3012
3013 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3014
3015 /* -oMt: Set sender ident */
3016
3017 else if (Ustrcmp(argrest, "Mt") == 0)
3018 {
3019 sender_ident_set = TRUE;
3020 sender_ident = argv[++i];
3021 }
3022
3023 /* Else a bad argument */
3024
3025 else
3026 {
3027 badarg = TRUE;
3028 break;
3029 }
3030 }
3031
3032 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3033 seem to call this as -m (undocumented), so that is also accepted (see
3034 above). */
3035
3036 else if (Ustrcmp(argrest, "m") == 0) {}
3037
3038 /* -oo: An ancient flag for old-style addresses which still seems to
3039 crop up in some calls (see in SCO). */
3040
3041 else if (Ustrcmp(argrest, "o") == 0) {}
3042
3043 /* -oP <name>: set pid file path for daemon */
3044
3045 else if (Ustrcmp(argrest, "P") == 0)
3046 override_pid_file_path = argv[++i];
3047
3048 /* -or <n>: set timeout for non-SMTP acceptance
3049 -os <n>: set timeout for SMTP acceptance */
3050
3051 else if (*argrest == 'r' || *argrest == 's')
3052 {
3053 int *tp = (*argrest == 'r')?
3054 &arg_receive_timeout : &arg_smtp_receive_timeout;
3055 if (argrest[1] == 0)
3056 {
3057 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3058 }
3059 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3060 if (*tp < 0)
3061 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3062 }
3063
3064 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3065
3066 else if (Ustrcmp(argrest, "X") == 0)
3067 override_local_interfaces = argv[++i];
3068
3069 /* Unknown -o argument */
3070
3071 else badarg = TRUE;
3072 break;
3073
3074
3075 /* -ps: force Perl startup; -pd force delayed Perl startup */
3076
3077 case 'p':
3078 #ifdef EXIM_PERL
3079 if (*argrest == 's' && argrest[1] == 0)
3080 {
3081 perl_start_option = 1;
3082 break;
3083 }
3084 if (*argrest == 'd' && argrest[1] == 0)
3085 {
3086 perl_start_option = -1;
3087 break;
3088 }
3089 #endif
3090
3091 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3092 which sets the host protocol and host name */
3093
3094 if (*argrest == 0)
3095 if (i+1 < argc)
3096 argrest = argv[++i];
3097 else
3098 { badarg = TRUE; break; }
3099
3100 if (*argrest != 0)
3101 {
3102 uschar *hn;
3103
3104 if (received_protocol)
3105 exim_fail("received_protocol is set already\n");
3106
3107 hn = Ustrchr(argrest, ':');
3108 if (hn == NULL)
3109 received_protocol = argrest;
3110 else
3111 {
3112 int old_pool = store_pool;
3113 store_pool = POOL_PERM;
3114 received_protocol = string_copyn(argrest, hn - argrest);
3115 store_pool = old_pool;
3116 sender_host_name = hn + 1;
3117 }
3118 }
3119 break;
3120
3121
3122 case 'q':
3123 receiving_message = FALSE;
3124 if (queue_interval >= 0)
3125 exim_fail("exim: -q specified more than once\n");
3126
3127 /* -qq...: Do queue runs in a 2-stage manner */
3128
3129 if (*argrest == 'q')
3130 {
3131 f.queue_2stage = TRUE;
3132 argrest++;
3133 }
3134
3135 /* -qi...: Do only first (initial) deliveries */
3136
3137 if (*argrest == 'i')
3138 {
3139 f.queue_run_first_delivery = TRUE;
3140 argrest++;
3141 }
3142
3143 /* -qf...: Run the queue, forcing deliveries
3144 -qff..: Ditto, forcing thawing as well */
3145
3146 if (*argrest == 'f')
3147 {
3148 f.queue_run_force = TRUE;
3149 if (*++argrest == 'f')
3150 {
3151 f.deliver_force_thaw = TRUE;
3152 argrest++;
3153 }
3154 }
3155
3156 /* -q[f][f]l...: Run the queue only on local deliveries */
3157
3158 if (*argrest == 'l')
3159 {
3160 f.queue_run_local = TRUE;
3161 argrest++;
3162 }
3163
3164 /* -q[f][f][l][G<name>]... Work on the named queue */
3165
3166 if (*argrest == 'G')
3167 {
3168 int i;
3169 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3170 queue_name = string_copyn(argrest, i);
3171 argrest += i;
3172 if (*argrest == '/') argrest++;
3173 }
3174
3175 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3176 only, optionally named, optionally starting from a given message id. */
3177
3178 if (*argrest == 0 &&
3179 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3180 {
3181 queue_interval = 0;
3182 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3183 start_queue_run_id = argv[++i];
3184 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3185 stop_queue_run_id = argv[++i];
3186 }
3187
3188 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3189 forced, optionally local only, optionally named. */
3190
3191 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3192 0, FALSE)) <= 0)
3193 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3194 break;
3195
3196
3197 case 'R': /* Synonymous with -qR... */
3198 receiving_message = FALSE;
3199
3200 /* -Rf: As -R (below) but force all deliveries,
3201 -Rff: Ditto, but also thaw all frozen messages,
3202 -Rr: String is regex
3203 -Rrf: Regex and force
3204 -Rrff: Regex and force and thaw
3205
3206 in all cases provided there are no further characters in this
3207 argument. */
3208
3209 if (*argrest != 0)
3210 {
3211 int i;
3212 for (i = 0; i < nelem(rsopts); i++)
3213 if (Ustrcmp(argrest, rsopts[i]) == 0)
3214 {
3215 if (i != 2) f.queue_run_force = TRUE;
3216 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3217 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3218 argrest += Ustrlen(rsopts[i]);
3219 }
3220 }
3221
3222 /* -R: Set string to match in addresses for forced queue run to
3223 pick out particular messages. */
3224
3225 if (*argrest)
3226 deliver_selectstring = argrest;
3227 else if (i+1 < argc)
3228 deliver_selectstring = argv[++i];
3229 else
3230 exim_fail("exim: string expected after -R\n");
3231 break;
3232
3233
3234 /* -r: an obsolete synonym for -f (see above) */
3235
3236
3237 /* -S: Like -R but works on sender. */
3238
3239 case 'S': /* Synonymous with -qS... */
3240 receiving_message = FALSE;
3241
3242 /* -Sf: As -S (below) but force all deliveries,
3243 -Sff: Ditto, but also thaw all frozen messages,
3244 -Sr: String is regex
3245 -Srf: Regex and force
3246 -Srff: Regex and force and thaw
3247
3248 in all cases provided there are no further characters in this
3249 argument. */
3250
3251 if (*argrest)
3252 {
3253 int i;
3254 for (i = 0; i < nelem(rsopts); i++)
3255 if (Ustrcmp(argrest, rsopts[i]) == 0)
3256 {
3257 if (i != 2) f.queue_run_force = TRUE;
3258 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3259 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3260 argrest += Ustrlen(rsopts[i]);
3261 }
3262 }
3263
3264 /* -S: Set string to match in addresses for forced queue run to
3265 pick out particular messages. */
3266
3267 if (*argrest)
3268 deliver_selectstring_sender = argrest;
3269 else if (i+1 < argc)
3270 deliver_selectstring_sender = argv[++i];
3271 else
3272 exim_fail("exim: string expected after -S\n");
3273 break;
3274
3275 /* -Tqt is an option that is exclusively for use by the testing suite.
3276 It is not recognized in other circumstances. It allows for the setting up
3277 of explicit "queue times" so that various warning/retry things can be
3278 tested. Otherwise variability of clock ticks etc. cause problems. */
3279
3280 case 'T':
3281 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3282 fudged_queue_times = argv[++i];
3283 else badarg = TRUE;
3284 break;
3285
3286
3287 /* -t: Set flag to extract recipients from body of message. */
3288
3289 case 't':
3290 if (*argrest == 0) extract_recipients = TRUE;
3291
3292 /* -ti: Set flag to extract recipients from body of message, and also
3293 specify that dot does not end the message. */
3294
3295 else if (Ustrcmp(argrest, "i") == 0)
3296 {
3297 extract_recipients = TRUE;
3298 f.dot_ends = FALSE;
3299 }
3300
3301 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3302
3303 #ifdef SUPPORT_TLS
3304 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
3305 #endif
3306
3307 else badarg = TRUE;
3308 break;
3309
3310
3311 /* -U: This means "initial user submission" in sendmail, apparently. The
3312 doc claims that in future sendmail may refuse syntactically invalid
3313 messages instead of fixing them. For the moment, we just ignore it. */
3314
3315 case 'U':
3316 break;
3317
3318
3319 /* -v: verify things - this is a very low-level debugging */
3320
3321 case 'v':
3322 if (*argrest == 0)
3323 {
3324 debug_selector |= D_v;
3325 debug_file = stderr;
3326 }
3327 else badarg = TRUE;
3328 break;
3329
3330
3331 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3332
3333 The -x flag tells the sendmail command that mail from a local
3334 mail program has National Language Support (NLS) extended characters
3335 in the body of the mail item. The sendmail command can send mail with
3336 extended NLS characters across networks that normally corrupts these
3337 8-bit characters.
3338
3339 As Exim is 8-bit clean, it just ignores this flag. */
3340
3341 case 'x':
3342 if (*argrest != 0) badarg = TRUE;
3343 break;
3344
3345 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3346 logs to that file. We swallow the parameter and otherwise ignore it. */
3347
3348 case 'X':
3349 if (*argrest == '\0')
3350 if (++i >= argc)
3351 exim_fail("exim: string expected after -X\n");
3352 break;
3353
3354 case 'z':
3355 if (*argrest == '\0')
3356 if (++i < argc)
3357 log_oneline = argv[i];
3358 else
3359 exim_fail("exim: file name expected after %s\n", argv[i-1]);
3360 break;
3361
3362 /* All other initial characters are errors */
3363
3364 default:
3365 badarg = TRUE;
3366 break;
3367 } /* End of high-level switch statement */
3368
3369 /* Failed to recognize the option, or syntax error */
3370
3371 if (badarg)
3372 exim_fail("exim abandoned: unknown, malformed, or incomplete "
3373 "option %s\n", arg);
3374 }
3375
3376
3377 /* If -R or -S have been specified without -q, assume a single queue run. */
3378
3379 if ( (deliver_selectstring || deliver_selectstring_sender)
3380 && queue_interval < 0)
3381 queue_interval = 0;
3382
3383
3384 END_ARG:
3385 /* If usage_wanted is set we call the usage function - which never returns */
3386 if (usage_wanted) exim_usage(called_as);
3387
3388 /* Arguments have been processed. Check for incompatibilities. */
3389 if ((
3390 (smtp_input || extract_recipients || recipients_arg < argc) &&
3391 (f.daemon_listen || queue_interval >= 0 || bi_option ||
3392 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3393 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3394 ) ||
3395 (
3396 msg_action_arg > 0 &&
3397 (f.daemon_listen || queue_interval > 0 || list_options ||
3398 (checking && msg_action != MSG_LOAD) ||
3399 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3400 ) ||
3401 (
3402 (f.daemon_listen || queue_interval > 0) &&
3403 (sender_address != NULL || list_options || list_queue || checking ||
3404 bi_option)
3405 ) ||
3406 (
3407 f.daemon_listen && queue_interval == 0
3408 ) ||
3409 (
3410 f.inetd_wait_mode && queue_interval >= 0
3411 ) ||
3412 (
3413 list_options &&
3414 (checking || smtp_input || extract_recipients ||
3415 filter_test != FTEST_NONE || bi_option)
3416 ) ||
3417 (
3418 verify_address_mode &&
3419 (f.address_test_mode || smtp_input || extract_recipients ||
3420 filter_test != FTEST_NONE || bi_option)
3421 ) ||
3422 (
3423 f.address_test_mode && (smtp_input || extract_recipients ||
3424 filter_test != FTEST_NONE || bi_option)
3425 ) ||
3426 (
3427 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3428 extract_recipients)
3429 ) ||
3430 (
3431 deliver_selectstring != NULL && queue_interval < 0
3432 ) ||
3433 (
3434 msg_action == MSG_LOAD &&
3435 (!expansion_test || expansion_test_message != NULL)
3436 )
3437 )
3438 exim_fail("exim: incompatible command-line options or arguments\n");
3439
3440 /* If debugging is set up, set the file and the file descriptor to pass on to
3441 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3442 to run in the foreground. */
3443
3444 if (debug_selector != 0)
3445 {
3446 debug_file = stderr;
3447 debug_fd = fileno(debug_file);
3448 f.background_daemon = FALSE;
3449 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
3450 if (debug_selector != D_v) /* -v only doesn't show this */
3451 {
3452 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3453 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3454 debug_selector);
3455 if (!version_printed)
3456 show_whats_supported(stderr);
3457 }
3458 }
3459
3460 /* When started with root privilege, ensure that the limits on the number of
3461 open files and the number of processes (where that is accessible) are
3462 sufficiently large, or are unset, in case Exim has been called from an
3463 environment where the limits are screwed down. Not all OS have the ability to
3464 change some of these limits. */
3465
3466 if (unprivileged)
3467 {
3468 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3469 }
3470 else
3471 {
3472 struct rlimit rlp;
3473
3474 #ifdef RLIMIT_NOFILE
3475 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3476 {
3477 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3478 strerror(errno));
3479 rlp.rlim_cur = rlp.rlim_max = 0;
3480 }
3481
3482 /* I originally chose 1000 as a nice big number that was unlikely to
3483 be exceeded. It turns out that some older OS have a fixed upper limit of
3484 256. */
3485
3486 if (rlp.rlim_cur < 1000)
3487 {
3488 rlp.rlim_cur = rlp.rlim_max = 1000;
3489 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3490 {
3491 rlp.rlim_cur = rlp.rlim_max = 256;
3492 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3493 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3494 strerror(errno));
3495 }
3496 }
3497 #endif
3498
3499 #ifdef RLIMIT_NPROC
3500 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3501 {
3502 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3503 strerror(errno));
3504 rlp.rlim_cur = rlp.rlim_max = 0;
3505 }
3506
3507 #ifdef RLIM_INFINITY
3508 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3509 {
3510 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3511 #else
3512 if (rlp.rlim_cur < 1000)
3513 {
3514 rlp.rlim_cur = rlp.rlim_max = 1000;
3515 #endif
3516 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3517 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3518 strerror(errno));
3519 }
3520 #endif
3521 }
3522
3523 /* Exim is normally entered as root (but some special configurations are
3524 possible that don't do this). However, it always spins off sub-processes that
3525 set their uid and gid as required for local delivery. We don't want to pass on
3526 any extra groups that root may belong to, so we want to get rid of them all at
3527 this point.
3528
3529 We need to obey setgroups() at this stage, before possibly giving up root
3530 privilege for a changed configuration file, but later on we might need to
3531 check on the additional groups for the admin user privilege - can't do that
3532 till after reading the config, which might specify the exim gid. Therefore,
3533 save the group list here first. */
3534
3535 if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
3536 exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
3537
3538 /* There is a fundamental difference in some BSD systems in the matter of
3539 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3540 known not to be different. On the "different" systems there is a single group
3541 list, and the first entry in it is the current group. On all other versions of
3542 Unix there is a supplementary group list, which is in *addition* to the current
3543 group. Consequently, to get rid of all extraneous groups on a "standard" system
3544 you pass over 0 groups to setgroups(), while on a "different" system you pass
3545 over a single group - the current group, which is always the first group in the
3546 list. Calling setgroups() with zero groups on a "different" system results in
3547 an error return. The following code should cope with both types of system.
3548
3549 However, if this process isn't running as root, setgroups() can't be used
3550 since you have to be root to run it, even if throwing away groups. Not being
3551 root here happens only in some unusual configurations. We just ignore the
3552 error. */
3553
3554 if (setgroups(0, NULL) != 0 && setgroups(1, group_list) != 0 && !unprivileged)
3555 exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
3556
3557 /* If the configuration file name has been altered by an argument on the
3558 command line (either a new file name or a macro definition) and the caller is
3559 not root, or if this is a filter testing run, remove any setuid privilege the
3560 program has and run as the underlying user.
3561
3562 The exim user is locked out of this, which severely restricts the use of -C
3563 for some purposes.
3564
3565 Otherwise, set the real ids to the effective values (should be root unless run
3566 from inetd, which it can either be root or the exim uid, if one is configured).
3567
3568 There is a private mechanism for bypassing some of this, in order to make it
3569 possible to test lots of configurations automatically, without having either to
3570 recompile each time, or to patch in an actual configuration file name and other
3571 values (such as the path name). If running in the test harness, pretend that
3572 configuration file changes and macro definitions haven't happened. */
3573
3574 if (( /* EITHER */
3575 (!f.trusted_config || /* Config changed, or */
3576 !macros_trusted(opt_D_used)) && /* impermissible macros and */
3577 real_uid != root_uid && /* Not root, and */
3578 !f.running_in_test_harness /* Not fudged */
3579 ) || /* OR */
3580 expansion_test /* expansion testing */
3581 || /* OR */
3582 filter_test != FTEST_NONE) /* Filter testing */
3583 {
3584 setgroups(group_count, group_list);
3585 exim_setugid(real_uid, real_gid, FALSE,
3586 US"-C, -D, -be or -bf forces real uid");
3587 removed_privilege = TRUE;
3588
3589 /* In the normal case when Exim is called like this, stderr is available
3590 and should be used for any logging information because attempts to write
3591 to the log will usually fail. To arrange this, we unset really_exim. However,
3592 if no stderr is available there is no point - we might as well have a go
3593 at the log (if it fails, syslog will be written).
3594
3595 Note that if the invoker is Exim, the logs remain available. Messing with
3596 this causes unlogged successful deliveries. */
3597
3598 if (log_stderr && real_uid != exim_uid)
3599 f.really_exim = FALSE;
3600 }
3601
3602 /* Privilege is to be retained for the moment. It may be dropped later,
3603 depending on the job that this Exim process has been asked to do. For now, set
3604 the real uid to the effective so that subsequent re-execs of Exim are done by a
3605 privileged user. */
3606
3607 else
3608 exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3609
3610 /* If testing a filter, open the file(s) now, before wasting time doing other
3611 setups and reading the message. */
3612
3613 if (filter_test & FTEST_SYSTEM)
3614 if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
3615 exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
3616 strerror(errno));
3617
3618 if (filter_test & FTEST_USER)
3619 if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
3620 exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
3621 strerror(errno));
3622
3623 /* Initialise lookup_list
3624 If debugging, already called above via version reporting.
3625 In either case, we initialise the list of available lookups while running
3626 as root. All dynamically modules are loaded from a directory which is
3627 hard-coded into the binary and is code which, if not a module, would be
3628 part of Exim already. Ability to modify the content of the directory
3629 is equivalent to the ability to modify a setuid binary!
3630
3631 This needs to happen before we read the main configuration. */
3632 init_lookup_list();
3633
3634 #ifdef SUPPORT_I18N
3635 if (f.running_in_test_harness) smtputf8_advertise_hosts = NULL;
3636 #endif
3637
3638 /* Read the main runtime configuration data; this gives up if there
3639 is a failure. It leaves the configuration file open so that the subsequent
3640 configuration data for delivery can be read if needed.
3641
3642 NOTE: immediatly after opening the configuration file we change the working
3643 directory to "/"! Later we change to $spool_directory. We do it there, because
3644 during readconf_main() some expansion takes place already. */
3645
3646 /* Store the initial cwd before we change directories. Can be NULL if the
3647 dir has already been unlinked. */
3648 initial_cwd = os_getcwd(NULL, 0);
3649
3650 /* checking:
3651 -be[m] expansion test -
3652 -b[fF] filter test new
3653 -bh[c] host test -
3654 -bmalware malware_test_file new
3655 -brt retry test new
3656 -brw rewrite test new
3657 -bt address test -
3658 -bv[s] address verify -
3659 list_options:
3660 -bP <option> (except -bP config, which sets list_config)
3661
3662 If any of these options is set, we suppress warnings about configuration
3663 issues (currently about tls_advertise_hosts and keep_environment not being
3664 defined) */
3665
3666 readconf_main(checking || list_options);
3667
3668
3669 /* Now in directory "/" */
3670
3671 if (cleanup_environment() == FALSE)
3672 log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
3673
3674
3675 /* If an action on specific messages is requested, or if a daemon or queue
3676 runner is being started, we need to know if Exim was called by an admin user.
3677 This is the case if the real user is root or exim, or if the real group is
3678 exim, or if one of the supplementary groups is exim or a group listed in
3679 admin_groups. We don't fail all message actions immediately if not admin_user,
3680 since some actions can be performed by non-admin users. Instead, set admin_user
3681 for later interrogation. */
3682
3683 if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3684 f.admin_user = TRUE;
3685 else
3686 {
3687 int i, j;
3688 for (i = 0; i < group_count && !f.admin_user; i++)
3689 if (group_list[i] == exim_gid)
3690 f.admin_user = TRUE;
3691 else if (admin_groups)
3692 for (j = 1; j <= (int)admin_groups[0] && !f.admin_user; j++)
3693 if (admin_groups[j] == group_list[i])
3694 f.admin_user = TRUE;
3695 }
3696
3697 /* Another group of privileged users are the trusted users. These are root,
3698 exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3699 are permitted to specify sender_addresses with -f on the command line, and
3700 other message parameters as well. */
3701
3702 if (real_uid == root_uid || real_uid == exim_uid)
3703 f.trusted_caller = TRUE;
3704 else
3705 {
3706 int i, j;
3707
3708 if (trusted_users)
3709 for (i = 1; i <= (int)trusted_users[0] && !f.trusted_caller; i++)
3710 if (trusted_users[i] == real_uid)
3711 f.trusted_caller = TRUE;
3712
3713 if (trusted_groups)
3714 for (i = 1; i <= (int)trusted_groups[0] && !f.trusted_caller; i++)
3715 if (trusted_groups[i] == real_gid)
3716 f.trusted_caller = TRUE;
3717 else for (j = 0; j < group_count && !f.trusted_caller; j++)
3718 if (trusted_groups[i] == group_list[j])
3719 f.trusted_caller = TRUE;
3720 }
3721
3722 /* At this point, we know if the user is privileged and some command-line
3723 options become possibly impermissible, depending upon the configuration file. */
3724
3725 if (checking && commandline_checks_require_admin && !f.admin_user)
3726 exim_fail("exim: those command-line flags are set to require admin\n");
3727
3728 /* Handle the decoding of logging options. */
3729
3730 decode_bits(log_selector, log_selector_size, log_notall,
3731 log_selector_string, log_options, log_options_count, US"log", 0);
3732
3733 DEBUG(D_any)
3734 {
3735 int i;
3736 debug_printf("configuration file is %s\n", config_main_filename);
3737 debug_printf("log selectors =");
3738 for (i = 0; i < log_selector_size; i++)
3739 debug_printf(" %08x", log_selector[i]);
3740 debug_printf("\n");
3741 }
3742
3743 /* If domain literals are not allowed, check the sender address that was
3744 supplied with -f. Ditto for a stripped trailing dot. */
3745
3746 if (sender_address)
3747 {
3748 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3749 exim_fail("exim: bad -f address \"%s\": domain literals not "
3750 "allowed\n", sender_address);
3751 if (f_end_dot && !strip_trailing_dot)
3752 exim_fail("exim: bad -f address \"%s.\": domain is malformed "
3753 "(trailing dot not allowed)\n", sender_address);
3754 }
3755
3756 /* See if an admin user overrode our logging. */
3757
3758 if (cmdline_syslog_name)
3759 if (f.admin_user)
3760 {
3761 syslog_processname = cmdline_syslog_name;
3762 log_file_path = string_copy(CUS"syslog");
3763 }
3764 else
3765 /* not a panic, non-privileged users should not be able to spam paniclog */
3766 exim_fail(
3767 "exim: you lack sufficient privilege to specify syslog process name\n");
3768
3769 /* Paranoia check of maximum lengths of certain strings. There is a check
3770 on the length of the log file path in log.c, which will come into effect
3771 if there are any calls to write the log earlier than this. However, if we
3772 get this far but the string is very long, it is better to stop now than to
3773 carry on and (e.g.) receive a message and then have to collapse. The call to
3774 log_write() from here will cause the ultimate panic collapse if the complete
3775 file name exceeds the buffer length. */
3776
3777 if (Ustrlen(log_file_path) > 200)
3778 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3779 "log_file_path is longer than 200 chars: aborting");
3780
3781 if (Ustrlen(pid_file_path) > 200)
3782 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3783 "pid_file_path is longer than 200 chars: aborting");
3784
3785 if (Ustrlen(spool_directory) > 200)
3786 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3787 "spool_directory is longer than 200 chars: aborting");
3788
3789 /* Length check on the process name given to syslog for its TAG field,
3790 which is only permitted to be 32 characters or less. See RFC 3164. */
3791
3792 if (Ustrlen(syslog_processname) > 32)
3793 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3794 "syslog_processname is longer than 32 chars: aborting");
3795
3796 if (log_oneline)
3797 if (f.admin_user)
3798 {
3799 log_write(0, LOG_MAIN, "%s", log_oneline);
3800 return EXIT_SUCCESS;
3801 }
3802 else
3803 return EXIT_FAILURE;
3804
3805 /* In some operating systems, the environment variable TMPDIR controls where
3806 temporary files are created; Exim doesn't use these (apart from when delivering
3807 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3808 If TMPDIR is found in the environment, reset it to the value defined in the
3809 EXIM_TMPDIR macro, if this macro is defined. For backward compatibility this
3810 macro may be called TMPDIR in old "Local/Makefile"s. It's converted to
3811 EXIM_TMPDIR by the build scripts.
3812 */
3813
3814 #ifdef EXIM_TMPDIR
3815 {
3816 uschar **p;
3817 if (environ) for (p = USS environ; *p; p++)
3818 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && Ustrcmp(*p+7, EXIM_TMPDIR) != 0)
3819 {
3820 uschar * newp = store_malloc(Ustrlen(EXIM_TMPDIR) + 8);
3821 sprintf(CS newp, "TMPDIR=%s", EXIM_TMPDIR);
3822 *p = newp;
3823 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", EXIM_TMPDIR);
3824 }
3825 }
3826 #endif
3827
3828 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3829 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3830 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3831 called by a user who has set the TZ variable. This then affects the timestamps
3832 in log files and in Received: headers, and any created Date: header lines. The
3833 required timezone is settable in the configuration file, so nothing can be done
3834 about this earlier - but hopefully nothing will normally be logged earlier than
3835 this. We have to make a new environment if TZ is wrong, but don't bother if
3836 timestamps_utc is set, because then all times are in UTC anyway. */
3837
3838 if (timezone_string && strcmpic(timezone_string, US"UTC") == 0)
3839 f.timestamps_utc = TRUE;
3840 else
3841 {
3842 uschar *envtz = US getenv("TZ");
3843 if (envtz
3844 ? !timezone_string || Ustrcmp(timezone_string, envtz) != 0
3845 : timezone_string != NULL
3846 )
3847 {
3848 uschar **p = USS environ;
3849 uschar **new;
3850 uschar **newp;
3851 int count = 0;
3852 if (environ) while (*p++) count++;
3853 if (!envtz) count++;
3854 newp = new = store_malloc(sizeof(uschar *) * (count + 1));
3855 if (environ) for (p = USS environ; *p; p++)
3856 if (Ustrncmp(*p, "TZ=", 3) != 0) *newp++ = *p;
3857 if (timezone_string)
3858 {
3859 *newp = store_malloc(Ustrlen(timezone_string) + 4);
3860 sprintf(CS *newp++, "TZ=%s", timezone_string);
3861 }
3862 *newp = NULL;
3863 environ = CSS new;
3864 tzset();
3865 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3866 tod_stamp(tod_log));
3867 }
3868 }
3869
3870 /* Handle the case when we have removed the setuid privilege because of -C or
3871 -D. This means that the caller of Exim was not root.
3872
3873 There is a problem if we were running as the Exim user. The sysadmin may
3874 expect this case to retain privilege because "the binary was called by the
3875 Exim user", but it hasn't, because either the -D option set macros, or the
3876 -C option set a non-trusted configuration file. There are two possibilities:
3877
3878 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3879 to do message deliveries. Thus, the fact that it is running as a
3880 non-privileged user is plausible, and might be wanted in some special
3881 configurations. However, really_exim will have been set false when
3882 privilege was dropped, to stop Exim trying to write to its normal log
3883 files. Therefore, re-enable normal log processing, assuming the sysadmin
3884 has set up the log directory correctly.
3885
3886 (2) If deliver_drop_privilege is not set, the configuration won't work as
3887 apparently intended, and so we log a panic message. In order to retain
3888 root for -C or -D, the caller must either be root or be invoking a
3889 trusted configuration file (when deliver_drop_privilege is false). */
3890
3891 if ( removed_privilege
3892 && (!f.trusted_config || opt_D_used)
3893 && real_uid == exim_uid)
3894 if (deliver_drop_privilege)
3895 f.really_exim = TRUE; /* let logging work normally */
3896 else
3897 log_write(0, LOG_MAIN|LOG_PANIC,
3898 "exim user lost privilege for using %s option",
3899 f.trusted_config? "-D" : "-C");
3900
3901 /* Start up Perl interpreter if Perl support is configured and there is a
3902 perl_startup option, and the configuration or the command line specifies
3903 initializing starting. Note that the global variables are actually called
3904 opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3905
3906 #ifdef EXIM_PERL
3907 if (perl_start_option != 0)
3908 opt_perl_at_start = (perl_start_option > 0);
3909 if (opt_perl_at_start && opt_perl_startup != NULL)
3910 {
3911 uschar *errstr;
3912 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3913 if ((errstr = init_perl(opt_perl_startup)))
3914 exim_fail("exim: error in perl_startup code: %s\n", errstr);
3915 opt_perl_started = TRUE;
3916 }
3917 #endif /* EXIM_PERL */
3918
3919 /* Log the arguments of the call if the configuration file said so. This is
3920 a debugging feature for finding out what arguments certain MUAs actually use.
3921 Don't attempt it if logging is disabled, or if listing variables or if
3922 verifying/testing addresses or expansions. */
3923
3924 if ( (debug_selector & D_any || LOGGING(arguments))
3925 && f.really_exim && !list_options && !checking)
3926 {
3927 int i;
3928 uschar *p = big_buffer;
3929 Ustrcpy(p, "cwd= (failed)");
3930
3931 if (!initial_cwd)
3932 p += 13;
3933 else
3934 {
3935 Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
3936 p += 4 + Ustrlen(initial_cwd);
3937 /* in case p is near the end and we don't provide enough space for
3938 * string_format to be willing to write. */
3939 *p = '\0';
3940 }
3941
3942 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3943 while (*p) p++;
3944 for (i = 0; i < argc; i++)
3945 {
3946 int len = Ustrlen(argv[i]);
3947 const uschar *printing;
3948 uschar *quote;
3949 if (p + len + 8 >= big_buffer + big_buffer_size)
3950 {
3951 Ustrcpy(p, " ...");
3952 log_write(0, LOG_MAIN, "%s", big_buffer);
3953 Ustrcpy(big_buffer, "...");
3954 p = big_buffer + 3;
3955 }
3956 printing = string_printing(argv[i]);
3957 if (printing[0] == 0) quote = US"\""; else
3958 {
3959 const uschar *pp = printing;
3960 quote = US"";
3961 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3962 }
3963 p += sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3964 (p - big_buffer) - 4), printing, quote);
3965 }
3966
3967 if (LOGGING(arguments))
3968 log_write(0, LOG_MAIN, "%s", big_buffer);
3969 else
3970 debug_printf("%s\n", big_buffer);
3971 }
3972
3973 /* Set the working directory to be the top-level spool directory. We don't rely
3974 on this in the code, which always uses fully qualified names, but it's useful
3975 for core dumps etc. Don't complain if it fails - the spool directory might not
3976 be generally accessible and calls with the -C option (and others) have lost
3977 privilege by now. Before the chdir, we try to ensure that the directory exists.
3978 */
3979
3980 if (Uchdir(spool_directory) != 0)
3981 {
3982 int dummy;
3983 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
3984 dummy = /* quieten compiler */ Uchdir(spool_directory);
3985 dummy = dummy; /* yet more compiler quietening, sigh */
3986 }
3987
3988 /* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3989 alias file. Exim doesn't have such a concept, but this call is screwed into
3990 Sun's YP makefiles. Handle this by calling a configured script, as the real
3991 user who called Exim. The -oA option can be used to pass an argument to the
3992 script. */
3993
3994 if (bi_option)
3995 {
3996 (void)fclose(config_file);
3997 if (bi_command != NULL)
3998 {
3999 int i = 0;
4000 uschar *argv[3];
4001 argv[i++] = bi_command;
4002 if (alias_arg != NULL) argv[i++] = alias_arg;
4003 argv[i++] = NULL;
4004
4005 setgroups(group_count, group_list);
4006 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
4007
4008 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
4009 (argv[1] == NULL)? US"" : argv[1]);
4010
4011 execv(CS argv[0], (char *const *)argv);
4012 exim_fail("exim: exec failed: %s\n", strerror(errno));
4013 }
4014 else
4015 {
4016 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
4017 exit(EXIT_SUCCESS);
4018 }
4019 }
4020
4021 /* We moved the admin/trusted check to be immediately after reading the
4022 configuration file. We leave these prints here to ensure that syslog setup,
4023 logfile setup, and so on has already happened. */
4024
4025 if (f.trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
4026 if (f.admin_user) DEBUG(D_any) debug_printf("admin user\n");
4027
4028 /* Only an admin user may start the daemon or force a queue run in the default
4029 configuration, but the queue run restriction can be relaxed. Only an admin
4030 user may request that a message be returned to its sender forthwith. Only an
4031 admin user may specify a debug level greater than D_v (because it might show
4032 passwords, etc. in lookup queries). Only an admin user may request a queue
4033 count. Only an admin user can use the test interface to scan for email
4034 (because Exim will be in the spool dir and able to look at mails). */
4035
4036 if (!f.admin_user)
4037 {
4038 BOOL debugset = (debug_selector & ~D_v) != 0;
4039 if (deliver_give_up || f.daemon_listen || malware_test_file ||
4040 (count_queue && queue_list_requires_admin) ||
4041 (list_queue && queue_list_requires_admin) ||
4042 (queue_interval >= 0 && prod_requires_admin) ||
4043 (debugset && !f.running_in_test_harness))
4044 exim_fail("exim:%s permission denied\n", debugset? " debugging" : "");
4045 }
4046
4047 /* If the real user is not root or the exim uid, the argument for passing
4048 in an open TCP/IP connection for another message is not permitted, nor is
4049 running with the -N option for any delivery action, unless this call to exim is
4050 one that supplied an input message, or we are using a patched exim for
4051 regression testing. */
4052
4053 if (real_uid != root_uid && real_uid != exim_uid &&
4054 (continue_hostname != NULL ||
4055 (f.dont_deliver &&
4056 (queue_interval >= 0 || f.daemon_listen || msg_action_arg > 0)
4057 )) && !f.running_in_test_harness)
4058 exim_fail("exim: Permission denied\n");
4059
4060 /* If the caller is not trusted, certain arguments are ignored when running for
4061 real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
4062 Note that authority for performing certain actions on messages is tested in the
4063 queue_action() function. */
4064
4065 if (!f.trusted_caller && !checking)
4066 {
4067 sender_host_name = sender_host_address = interface_address =
4068 sender_ident = received_protocol = NULL;
4069 sender_host_port = interface_port = 0;
4070 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
4071 }
4072
4073 /* If a sender host address is set, extract the optional port number off the
4074 end of it and check its syntax. Do the same thing for the interface address.
4075 Exim exits if the syntax is bad. */
4076
4077 else
4078 {
4079 if (sender_host_address != NULL)
4080 sender_host_port = check_port(sender_host_address);
4081 if (interface_address != NULL)
4082 interface_port = check_port(interface_address);
4083 }
4084
4085 /* If the caller is trusted, then they can use -G to suppress_local_fixups. */
4086 if (flag_G)
4087 {
4088 if (f.trusted_caller)
4089 {
4090 f.suppress_local_fixups = f.suppress_local_fixups_default = TRUE;
4091 DEBUG(D_acl) debug_printf("suppress_local_fixups forced on by -G\n");
4092 }
4093 else
4094 exim_fail("exim: permission denied (-G requires a trusted user)\n");
4095 }
4096
4097 /* If an SMTP message is being received check to see if the standard input is a
4098 TCP/IP socket. If it is, we assume that Exim was called from inetd if the
4099 caller is roo