7c9aa0e3fff2004a6654f3ef0a26d551c70488ca
[exim.git] / src / src / exim.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
11
12
13 #include "exim.h"
14
15 #if defined(__GLIBC__) && !defined(__UCLIBC__)
16 # include <gnu/libc-version.h>
17 #endif
18
19 #ifdef USE_GNUTLS
20 # include <gnutls/gnutls.h>
21 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22 # define DISABLE_OCSP
23 # endif
24 #endif
25
26 extern void init_lookup_list(void);
27
28
29
30 /*************************************************
31 * Function interface to store functions *
32 *************************************************/
33
34 /* We need some real functions to pass to the PCRE regular expression library
35 for store allocation via Exim's store manager. The normal calls are actually
36 macros that pass over location information to make tracing easier. These
37 functions just interface to the standard macro calls. A good compiler will
38 optimize out the tail recursion and so not make them too expensive. There
39 are two sets of functions; one for use when we want to retain the compiled
40 regular expression for a long time; the other for short-term use. */
41
42 static void *
43 function_store_get(size_t size)
44 {
45 return store_get((int)size);
46 }
47
48 static void
49 function_dummy_free(void *block) { block = block; }
50
51 static void *
52 function_store_malloc(size_t size)
53 {
54 return store_malloc((int)size);
55 }
56
57 static void
58 function_store_free(void *block)
59 {
60 store_free(block);
61 }
62
63
64
65
66 /*************************************************
67 * Enums for cmdline interface *
68 *************************************************/
69
70 enum commandline_info { CMDINFO_NONE=0,
71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
72
73
74
75
76 /*************************************************
77 * Compile regular expression and panic on fail *
78 *************************************************/
79
80 /* This function is called when failure to compile a regular expression leads
81 to a panic exit. In other cases, pcre_compile() is called directly. In many
82 cases where this function is used, the results of the compilation are to be
83 placed in long-lived store, so we temporarily reset the store management
84 functions that PCRE uses if the use_malloc flag is set.
85
86 Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91 Returns: pointer to the compiled pattern
92 */
93
94 const pcre *
95 regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
96 {
97 int offset;
98 int options = PCRE_COPT;
99 const pcre *yield;
100 const uschar *error;
101 if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106 if (caseless) options |= PCRE_CASELESS;
107 yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
108 pcre_malloc = function_store_get;
109 pcre_free = function_dummy_free;
110 if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113 return yield;
114 }
115
116
117
118
119 /*************************************************
120 * Execute regular expression and set strings *
121 *************************************************/
122
123 /* This function runs a regular expression match, and sets up the pointers to
124 the matched substrings.
125
126 Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134 Returns: TRUE or FALSE
135 */
136
137 BOOL
138 regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
139 {
140 int ovector[3*(EXPAND_MAXN+1)];
141 uschar * s = string_copy(subject); /* de-constifying */
142 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
143 PCRE_EOPT | options, ovector, nelem(ovector));
144 BOOL yield = n >= 0;
145 if (n == 0) n = EXPAND_MAXN + 1;
146 if (yield)
147 {
148 expand_nmax = setup < 0 ? 0 : setup + 1;
149 for (int nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
150 {
151 expand_nstring[expand_nmax] = s + ovector[nn];
152 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
153 }
154 expand_nmax--;
155 }
156 return yield;
157 }
158
159
160
161
162 /*************************************************
163 * Set up processing details *
164 *************************************************/
165
166 /* Save a text string for dumping when SIGUSR1 is received.
167 Do checks for overruns.
168
169 Arguments: format and arguments, as for printf()
170 Returns: nothing
171 */
172
173 void
174 set_process_info(const char *format, ...)
175 {
176 gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
177 gstring * g;
178 int len;
179 va_list ap;
180
181 g = string_fmt_append(&gs, "%5d ", (int)getpid());
182 len = g->ptr;
183 va_start(ap, format);
184 if (!string_vformat(g, FALSE, format, ap))
185 {
186 gs.ptr = len;
187 g = string_cat(&gs, US"**** string overflowed buffer ****");
188 }
189 g = string_catn(g, US"\n", 1);
190 string_from_gstring(g);
191 process_info_len = g->ptr;
192 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
193 va_end(ap);
194 }
195
196 /***********************************************
197 * Handler for SIGTERM *
198 ***********************************************/
199
200 static void
201 term_handler(int sig)
202 {
203 exit(1);
204 }
205
206
207 /*************************************************
208 * Handler for SIGUSR1 *
209 *************************************************/
210
211 /* SIGUSR1 causes any exim process to write to the process log details of
212 what it is currently doing. It will only be used if the OS is capable of
213 setting up a handler that causes automatic restarting of any system call
214 that is in progress at the time.
215
216 This function takes care to be signal-safe.
217
218 Argument: the signal number (SIGUSR1)
219 Returns: nothing
220 */
221
222 static void
223 usr1_handler(int sig)
224 {
225 int fd;
226
227 os_restarting_signal(sig, usr1_handler);
228
229 if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
230 {
231 /* If we are already running as the Exim user, try to create it in the
232 current process (assuming spool_directory exists). Otherwise, if we are
233 root, do the creation in an exim:exim subprocess. */
234
235 int euid = geteuid();
236 if (euid == exim_uid)
237 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
238 else if (euid == root_uid)
239 fd = log_create_as_exim(process_log_path);
240 }
241
242 /* If we are neither exim nor root, or if we failed to create the log file,
243 give up. There is not much useful we can do with errors, since we don't want
244 to disrupt whatever is going on outside the signal handler. */
245
246 if (fd < 0) return;
247
248 (void)write(fd, process_info, process_info_len);
249 (void)close(fd);
250 }
251
252
253
254 /*************************************************
255 * Timeout handler *
256 *************************************************/
257
258 /* This handler is enabled most of the time that Exim is running. The handler
259 doesn't actually get used unless alarm() has been called to set a timer, to
260 place a time limit on a system call of some kind. When the handler is run, it
261 re-enables itself.
262
263 There are some other SIGALRM handlers that are used in special cases when more
264 than just a flag setting is required; for example, when reading a message's
265 input. These are normally set up in the code module that uses them, and the
266 SIGALRM handler is reset to this one afterwards.
267
268 Argument: the signal value (SIGALRM)
269 Returns: nothing
270 */
271
272 void
273 sigalrm_handler(int sig)
274 {
275 sig = sig; /* Keep picky compilers happy */
276 sigalrm_seen = TRUE;
277 os_non_restarting_signal(SIGALRM, sigalrm_handler);
278 }
279
280
281
282 /*************************************************
283 * Sleep for a fractional time interval *
284 *************************************************/
285
286 /* This function is called by millisleep() and exim_wait_tick() to wait for a
287 period of time that may include a fraction of a second. The coding is somewhat
288 tedious. We do not expect setitimer() ever to fail, but if it does, the process
289 will wait for ever, so we panic in this instance. (There was a case of this
290 when a bug in a function that calls milliwait() caused it to pass invalid data.
291 That's when I added the check. :-)
292
293 We assume it to be not worth sleeping for under 100us; this value will
294 require revisiting as hardware advances. This avoids the issue of
295 a zero-valued timer setting meaning "never fire".
296
297 Argument: an itimerval structure containing the interval
298 Returns: nothing
299 */
300
301 static void
302 milliwait(struct itimerval *itval)
303 {
304 sigset_t sigmask;
305 sigset_t old_sigmask;
306
307 if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
308 return;
309 (void)sigemptyset(&sigmask); /* Empty mask */
310 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
311 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
312 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
313 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
314 "setitimer() failed: %s", strerror(errno));
315 (void)sigfillset(&sigmask); /* All signals */
316 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
317 (void)sigsuspend(&sigmask); /* Until SIGALRM */
318 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
319 }
320
321
322
323
324 /*************************************************
325 * Millisecond sleep function *
326 *************************************************/
327
328 /* The basic sleep() function has a granularity of 1 second, which is too rough
329 in some cases - for example, when using an increasing delay to slow down
330 spammers.
331
332 Argument: number of millseconds
333 Returns: nothing
334 */
335
336 void
337 millisleep(int msec)
338 {
339 struct itimerval itval;
340 itval.it_interval.tv_sec = 0;
341 itval.it_interval.tv_usec = 0;
342 itval.it_value.tv_sec = msec/1000;
343 itval.it_value.tv_usec = (msec % 1000) * 1000;
344 milliwait(&itval);
345 }
346
347
348
349 /*************************************************
350 * Compare microsecond times *
351 *************************************************/
352
353 /*
354 Arguments:
355 tv1 the first time
356 tv2 the second time
357
358 Returns: -1, 0, or +1
359 */
360
361 static int
362 exim_tvcmp(struct timeval *t1, struct timeval *t2)
363 {
364 if (t1->tv_sec > t2->tv_sec) return +1;
365 if (t1->tv_sec < t2->tv_sec) return -1;
366 if (t1->tv_usec > t2->tv_usec) return +1;
367 if (t1->tv_usec < t2->tv_usec) return -1;
368 return 0;
369 }
370
371
372
373
374 /*************************************************
375 * Clock tick wait function *
376 *************************************************/
377
378 /* Exim uses a time + a pid to generate a unique identifier in two places: its
379 message IDs, and in file names for maildir deliveries. Because some OS now
380 re-use pids within the same second, sub-second times are now being used.
381 However, for absolute certainty, we must ensure the clock has ticked before
382 allowing the relevant process to complete. At the time of implementation of
383 this code (February 2003), the speed of processors is such that the clock will
384 invariably have ticked already by the time a process has done its job. This
385 function prepares for the time when things are faster - and it also copes with
386 clocks that go backwards.
387
388 Arguments:
389 then_tv A timeval which was used to create uniqueness; its usec field
390 has been rounded down to the value of the resolution.
391 We want to be sure the current time is greater than this.
392 resolution The resolution that was used to divide the microseconds
393 (1 for maildir, larger for message ids)
394
395 Returns: nothing
396 */
397
398 void
399 exim_wait_tick(struct timeval *then_tv, int resolution)
400 {
401 struct timeval now_tv;
402 long int now_true_usec;
403
404 (void)gettimeofday(&now_tv, NULL);
405 now_true_usec = now_tv.tv_usec;
406 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
407
408 if (exim_tvcmp(&now_tv, then_tv) <= 0)
409 {
410 struct itimerval itval;
411 itval.it_interval.tv_sec = 0;
412 itval.it_interval.tv_usec = 0;
413 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
414 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
415
416 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
417 negative value for the microseconds is possible only in the case when "now"
418 is more than a second less than "then". That means that itval.it_value.tv_sec
419 is greater than zero. The following correction is therefore safe. */
420
421 if (itval.it_value.tv_usec < 0)
422 {
423 itval.it_value.tv_usec += 1000000;
424 itval.it_value.tv_sec -= 1;
425 }
426
427 DEBUG(D_transport|D_receive)
428 {
429 if (!f.running_in_test_harness)
430 {
431 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
432 then_tv->tv_sec, (long) then_tv->tv_usec,
433 now_tv.tv_sec, (long) now_tv.tv_usec);
434 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
435 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
436 }
437 }
438
439 milliwait(&itval);
440 }
441 }
442
443
444
445
446 /*************************************************
447 * Call fopen() with umask 777 and adjust mode *
448 *************************************************/
449
450 /* Exim runs with umask(0) so that files created with open() have the mode that
451 is specified in the open() call. However, there are some files, typically in
452 the spool directory, that are created with fopen(). They end up world-writeable
453 if no precautions are taken. Although the spool directory is not accessible to
454 the world, this is an untidiness. So this is a wrapper function for fopen()
455 that sorts out the mode of the created file.
456
457 Arguments:
458 filename the file name
459 options the fopen() options
460 mode the required mode
461
462 Returns: the fopened FILE or NULL
463 */
464
465 FILE *
466 modefopen(const uschar *filename, const char *options, mode_t mode)
467 {
468 mode_t saved_umask = umask(0777);
469 FILE *f = Ufopen(filename, options);
470 (void)umask(saved_umask);
471 if (f != NULL) (void)fchmod(fileno(f), mode);
472 return f;
473 }
474
475
476
477
478 /*************************************************
479 * Ensure stdin, stdout, and stderr exist *
480 *************************************************/
481
482 /* Some operating systems grumble if an exec() happens without a standard
483 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
484 file will be opened and will use these fd values, and then some other bit of
485 code will assume, for example, that it can write error messages to stderr.
486 This function ensures that fds 0, 1, and 2 are open if they do not already
487 exist, by connecting them to /dev/null.
488
489 This function is also used to ensure that std{in,out,err} exist at all times,
490 so that if any library that Exim calls tries to use them, it doesn't crash.
491
492 Arguments: None
493 Returns: Nothing
494 */
495
496 void
497 exim_nullstd(void)
498 {
499 int devnull = -1;
500 struct stat statbuf;
501 for (int i = 0; i <= 2; i++)
502 {
503 if (fstat(i, &statbuf) < 0 && errno == EBADF)
504 {
505 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
506 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
507 string_open_failed(errno, "/dev/null"));
508 if (devnull != i) (void)dup2(devnull, i);
509 }
510 }
511 if (devnull > 2) (void)close(devnull);
512 }
513
514
515
516
517 /*************************************************
518 * Close unwanted file descriptors for delivery *
519 *************************************************/
520
521 /* This function is called from a new process that has been forked to deliver
522 an incoming message, either directly, or using exec.
523
524 We want any smtp input streams to be closed in this new process. However, it
525 has been observed that using fclose() here causes trouble. When reading in -bS
526 input, duplicate copies of messages have been seen. The files will be sharing a
527 file pointer with the parent process, and it seems that fclose() (at least on
528 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
529 least sometimes. Hence we go for closing the underlying file descriptors.
530
531 If TLS is active, we want to shut down the TLS library, but without molesting
532 the parent's SSL connection.
533
534 For delivery of a non-SMTP message, we want to close stdin and stdout (and
535 stderr unless debugging) because the calling process might have set them up as
536 pipes and be waiting for them to close before it waits for the submission
537 process to terminate. If they aren't closed, they hold up the calling process
538 until the initial delivery process finishes, which is not what we want.
539
540 Exception: We do want it for synchronous delivery!
541
542 And notwithstanding all the above, if D_resolver is set, implying resolver
543 debugging, leave stdout open, because that's where the resolver writes its
544 debugging output.
545
546 When we close stderr (which implies we've also closed stdout), we also get rid
547 of any controlling terminal.
548
549 Arguments: None
550 Returns: Nothing
551 */
552
553 static void
554 close_unwanted(void)
555 {
556 if (smtp_input)
557 {
558 #ifdef SUPPORT_TLS
559 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
560 #endif
561 (void)close(fileno(smtp_in));
562 (void)close(fileno(smtp_out));
563 smtp_in = NULL;
564 }
565 else
566 {
567 (void)close(0); /* stdin */
568 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
569 if (debug_selector == 0) /* stderr */
570 {
571 if (!f.synchronous_delivery)
572 {
573 (void)close(2);
574 log_stderr = NULL;
575 }
576 (void)setsid();
577 }
578 }
579 }
580
581
582
583
584 /*************************************************
585 * Set uid and gid *
586 *************************************************/
587
588 /* This function sets a new uid and gid permanently, optionally calling
589 initgroups() to set auxiliary groups. There are some special cases when running
590 Exim in unprivileged modes. In these situations the effective uid will not be
591 root; if we already have the right effective uid/gid, and don't need to
592 initialize any groups, leave things as they are.
593
594 Arguments:
595 uid the uid
596 gid the gid
597 igflag TRUE if initgroups() wanted
598 msg text to use in debugging output and failure log
599
600 Returns: nothing; bombs out on failure
601 */
602
603 void
604 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
605 {
606 uid_t euid = geteuid();
607 gid_t egid = getegid();
608
609 if (euid == root_uid || euid != uid || egid != gid || igflag)
610 {
611 /* At least one OS returns +1 for initgroups failure, so just check for
612 non-zero. */
613
614 if (igflag)
615 {
616 struct passwd *pw = getpwuid(uid);
617 if (!pw)
618 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
619 "no passwd entry for uid=%ld", (long int)uid);
620
621 if (initgroups(pw->pw_name, gid) != 0)
622 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
623 (long int)uid, strerror(errno));
624 }
625
626 if (setgid(gid) < 0 || setuid(uid) < 0)
627 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
628 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
629 }
630
631 /* Debugging output included uid/gid and all groups */
632
633 DEBUG(D_uid)
634 {
635 int group_count, save_errno;
636 gid_t group_list[EXIM_GROUPLIST_SIZE];
637 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
638 (long int)geteuid(), (long int)getegid(), (long int)getpid());
639 group_count = getgroups(nelem(group_list), group_list);
640 save_errno = errno;
641 debug_printf(" auxiliary group list:");
642 if (group_count > 0)
643 for (int i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
644 else if (group_count < 0)
645 debug_printf(" <error: %s>", strerror(save_errno));
646 else debug_printf(" <none>");
647 debug_printf("\n");
648 }
649 }
650
651
652
653
654 /*************************************************
655 * Exit point *
656 *************************************************/
657
658 /* Exim exits via this function so that it always clears up any open
659 databases.
660
661 Arguments:
662 rc return code
663
664 Returns: does not return
665 */
666
667 void
668 exim_exit(int rc, const uschar * process)
669 {
670 search_tidyup();
671 DEBUG(D_any)
672 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
673 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
674 process ? "(" : "", process, process ? ") " : "", rc);
675 exit(rc);
676 }
677
678
679
680 /* Print error string, then die */
681 static void
682 exim_fail(const char * fmt, ...)
683 {
684 va_list ap;
685 va_start(ap, fmt);
686 vfprintf(stderr, fmt, ap);
687 exit(EXIT_FAILURE);
688 }
689
690
691
692 /*************************************************
693 * Extract port from host address *
694 *************************************************/
695
696 /* Called to extract the port from the values given to -oMa and -oMi.
697 It also checks the syntax of the address, and terminates it before the
698 port data when a port is extracted.
699
700 Argument:
701 address the address, with possible port on the end
702
703 Returns: the port, or zero if there isn't one
704 bombs out on a syntax error
705 */
706
707 static int
708 check_port(uschar *address)
709 {
710 int port = host_address_extract_port(address);
711 if (string_is_ip_address(address, NULL) == 0)
712 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
713 return port;
714 }
715
716
717
718 /*************************************************
719 * Test/verify an address *
720 *************************************************/
721
722 /* This function is called by the -bv and -bt code. It extracts a working
723 address from a full RFC 822 address. This isn't really necessary per se, but it
724 has the effect of collapsing source routes.
725
726 Arguments:
727 s the address string
728 flags flag bits for verify_address()
729 exit_value to be set for failures
730
731 Returns: nothing
732 */
733
734 static void
735 test_address(uschar *s, int flags, int *exit_value)
736 {
737 int start, end, domain;
738 uschar *parse_error = NULL;
739 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
740 FALSE);
741 if (address == NULL)
742 {
743 fprintf(stdout, "syntax error: %s\n", parse_error);
744 *exit_value = 2;
745 }
746 else
747 {
748 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
749 -1, -1, NULL, NULL, NULL);
750 if (rc == FAIL) *exit_value = 2;
751 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
752 }
753 }
754
755
756
757 /*************************************************
758 * Show supported features *
759 *************************************************/
760
761 static void
762 show_db_version(FILE * f)
763 {
764 #ifdef DB_VERSION_STRING
765 DEBUG(D_any)
766 {
767 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
768 fprintf(f, " Runtime: %s\n",
769 db_version(NULL, NULL, NULL));
770 }
771 else
772 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
773
774 #elif defined(BTREEVERSION) && defined(HASHVERSION)
775 #ifdef USE_DB
776 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
777 #else
778 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
779 #endif
780
781 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
782 fprintf(f, "Probably ndbm\n");
783 #elif defined(USE_TDB)
784 fprintf(f, "Using tdb\n");
785 #else
786 #ifdef USE_GDBM
787 fprintf(f, "Probably GDBM (native mode)\n");
788 #else
789 fprintf(f, "Probably GDBM (compatibility mode)\n");
790 #endif
791 #endif
792 }
793
794
795 /* This function is called for -bV/--version and for -d to output the optional
796 features of the current Exim binary.
797
798 Arguments: a FILE for printing
799 Returns: nothing
800 */
801
802 static void
803 show_whats_supported(FILE * fp)
804 {
805 DEBUG(D_any) {} else show_db_version(fp);
806
807 fprintf(fp, "Support for:");
808 #ifdef SUPPORT_CRYPTEQ
809 fprintf(fp, " crypteq");
810 #endif
811 #if HAVE_ICONV
812 fprintf(fp, " iconv()");
813 #endif
814 #if HAVE_IPV6
815 fprintf(fp, " IPv6");
816 #endif
817 #ifdef HAVE_SETCLASSRESOURCES
818 fprintf(fp, " use_setclassresources");
819 #endif
820 #ifdef SUPPORT_PAM
821 fprintf(fp, " PAM");
822 #endif
823 #ifdef EXIM_PERL
824 fprintf(fp, " Perl");
825 #endif
826 #ifdef EXPAND_DLFUNC
827 fprintf(fp, " Expand_dlfunc");
828 #endif
829 #ifdef USE_TCP_WRAPPERS
830 fprintf(fp, " TCPwrappers");
831 #endif
832 #ifdef SUPPORT_TLS
833 # ifdef USE_GNUTLS
834 fprintf(fp, " GnuTLS");
835 # else
836 fprintf(fp, " OpenSSL");
837 # endif
838 #endif
839 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
840 fprintf(fp, " translate_ip_address");
841 #endif
842 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
843 fprintf(fp, " move_frozen_messages");
844 #endif
845 #ifdef WITH_CONTENT_SCAN
846 fprintf(fp, " Content_Scanning");
847 #endif
848 #ifdef SUPPORT_DANE
849 fprintf(fp, " DANE");
850 #endif
851 #ifndef DISABLE_DKIM
852 fprintf(fp, " DKIM");
853 #endif
854 #ifndef DISABLE_DNSSEC
855 fprintf(fp, " DNSSEC");
856 #endif
857 #ifndef DISABLE_EVENT
858 fprintf(fp, " Event");
859 #endif
860 #ifdef SUPPORT_I18N
861 fprintf(fp, " I18N");
862 #endif
863 #ifndef DISABLE_OCSP
864 fprintf(fp, " OCSP");
865 #endif
866 #ifndef DISABLE_PRDR
867 fprintf(fp, " PRDR");
868 #endif
869 #ifdef SUPPORT_PROXY
870 fprintf(fp, " PROXY");
871 #endif
872 #ifdef SUPPORT_SOCKS
873 fprintf(fp, " SOCKS");
874 #endif
875 #ifdef SUPPORT_SPF
876 fprintf(fp, " SPF");
877 #endif
878 #ifdef TCP_FASTOPEN
879 deliver_init();
880 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
881 #endif
882 #ifdef EXPERIMENTAL_LMDB
883 fprintf(fp, " Experimental_LMDB");
884 #endif
885 #ifdef EXPERIMENTAL_QUEUEFILE
886 fprintf(fp, " Experimental_QUEUEFILE");
887 #endif
888 #ifdef EXPERIMENTAL_SRS
889 fprintf(fp, " Experimental_SRS");
890 #endif
891 #ifdef EXPERIMENTAL_ARC
892 fprintf(fp, " Experimental_ARC");
893 #endif
894 #ifdef EXPERIMENTAL_BRIGHTMAIL
895 fprintf(fp, " Experimental_Brightmail");
896 #endif
897 #ifdef EXPERIMENTAL_DCC
898 fprintf(fp, " Experimental_DCC");
899 #endif
900 #ifdef EXPERIMENTAL_DMARC
901 fprintf(fp, " Experimental_DMARC");
902 #endif
903 #ifdef EXPERIMENTAL_DSN_INFO
904 fprintf(fp, " Experimental_DSN_info");
905 #endif
906 #ifdef EXPERIMENTAL_PIPE_CONNECT
907 fprintf(fp, " Experimental_PIPE_CONNECT");
908 #endif
909 fprintf(fp, "\n");
910
911 fprintf(fp, "Lookups (built-in):");
912 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
913 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
914 #endif
915 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
916 fprintf(fp, " cdb");
917 #endif
918 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
919 fprintf(fp, " dbm dbmjz dbmnz");
920 #endif
921 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
922 fprintf(fp, " dnsdb");
923 #endif
924 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
925 fprintf(fp, " dsearch");
926 #endif
927 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
928 fprintf(fp, " ibase");
929 #endif
930 #if defined(LOOKUP_JSON) && LOOKUP_JSON!=2
931 fprintf(fp, " json");
932 #endif
933 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
934 fprintf(fp, " ldap ldapdn ldapm");
935 #endif
936 #ifdef EXPERIMENTAL_LMDB
937 fprintf(fp, " lmdb");
938 #endif
939 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
940 fprintf(fp, " mysql");
941 #endif
942 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
943 fprintf(fp, " nis nis0");
944 #endif
945 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
946 fprintf(fp, " nisplus");
947 #endif
948 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
949 fprintf(fp, " oracle");
950 #endif
951 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
952 fprintf(fp, " passwd");
953 #endif
954 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
955 fprintf(fp, " pgsql");
956 #endif
957 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
958 fprintf(fp, " redis");
959 #endif
960 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
961 fprintf(fp, " sqlite");
962 #endif
963 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
964 fprintf(fp, " testdb");
965 #endif
966 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
967 fprintf(fp, " whoson");
968 #endif
969 fprintf(fp, "\n");
970
971 auth_show_supported(fp);
972 route_show_supported(fp);
973 transport_show_supported(fp);
974
975 #ifdef WITH_CONTENT_SCAN
976 malware_show_supported(fp);
977 #endif
978
979 if (fixed_never_users[0] > 0)
980 {
981 int i;
982 fprintf(fp, "Fixed never_users: ");
983 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
984 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
985 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
986 }
987
988 fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
989
990 fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
991
992 /* Everything else is details which are only worth reporting when debugging.
993 Perhaps the tls_version_report should move into this too. */
994 DEBUG(D_any) do {
995
996 /* clang defines __GNUC__ (at least, for me) so test for it first */
997 #if defined(__clang__)
998 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
999 #elif defined(__GNUC__)
1000 fprintf(fp, "Compiler: GCC [%s]\n",
1001 # ifdef __VERSION__
1002 __VERSION__
1003 # else
1004 "? unknown version ?"
1005 # endif
1006 );
1007 #else
1008 fprintf(fp, "Compiler: <unknown>\n");
1009 #endif
1010
1011 #if defined(__GLIBC__) && !defined(__UCLIBC__)
1012 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
1013 __GLIBC__, __GLIBC_MINOR__);
1014 if (__GLIBC_PREREQ(2, 1))
1015 fprintf(fp, " Runtime: %s\n",
1016 gnu_get_libc_version());
1017 #endif
1018
1019 show_db_version(fp);
1020
1021 #ifdef SUPPORT_TLS
1022 tls_version_report(fp);
1023 #endif
1024 #ifdef SUPPORT_I18N
1025 utf8_version_report(fp);
1026 #endif
1027
1028 for (auth_info * authi = auths_available; *authi->driver_name != '\0'; ++authi)
1029 if (authi->version_report)
1030 (*authi->version_report)(fp);
1031
1032 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1033 characters; unless it's an ancient version of PCRE in which case it
1034 is not defined. */
1035 #ifndef PCRE_PRERELEASE
1036 # define PCRE_PRERELEASE
1037 #endif
1038 #define QUOTE(X) #X
1039 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1040 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
1041 " Runtime: %s\n",
1042 PCRE_MAJOR, PCRE_MINOR,
1043 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
1044 pcre_version());
1045 #undef QUOTE
1046 #undef EXPAND_AND_QUOTE
1047
1048 init_lookup_list();
1049 for (int i = 0; i < lookup_list_count; i++)
1050 if (lookup_list[i]->version_report)
1051 lookup_list[i]->version_report(fp);
1052
1053 #ifdef WHITELIST_D_MACROS
1054 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1055 #else
1056 fprintf(fp, "WHITELIST_D_MACROS unset\n");
1057 #endif
1058 #ifdef TRUSTED_CONFIG_LIST
1059 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1060 #else
1061 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
1062 #endif
1063
1064 } while (0);
1065 }
1066
1067
1068 /*************************************************
1069 * Show auxiliary information about Exim *
1070 *************************************************/
1071
1072 static void
1073 show_exim_information(enum commandline_info request, FILE *stream)
1074 {
1075 switch(request)
1076 {
1077 case CMDINFO_NONE:
1078 fprintf(stream, "Oops, something went wrong.\n");
1079 return;
1080 case CMDINFO_HELP:
1081 fprintf(stream,
1082 "The -bI: flag takes a string indicating which information to provide.\n"
1083 "If the string is not recognised, you'll get this help (on stderr).\n"
1084 "\n"
1085 " exim -bI:help this information\n"
1086 " exim -bI:dscp list of known dscp value keywords\n"
1087 " exim -bI:sieve list of supported sieve extensions\n"
1088 );
1089 return;
1090 case CMDINFO_SIEVE:
1091 for (const uschar ** pp = exim_sieve_extension_list; *pp; ++pp)
1092 fprintf(stream, "%s\n", *pp);
1093 return;
1094 case CMDINFO_DSCP:
1095 dscp_list_to_stream(stream);
1096 return;
1097 }
1098 }
1099
1100
1101 /*************************************************
1102 * Quote a local part *
1103 *************************************************/
1104
1105 /* This function is used when a sender address or a From: or Sender: header
1106 line is being created from the caller's login, or from an authenticated_id. It
1107 applies appropriate quoting rules for a local part.
1108
1109 Argument: the local part
1110 Returns: the local part, quoted if necessary
1111 */
1112
1113 uschar *
1114 local_part_quote(uschar *lpart)
1115 {
1116 BOOL needs_quote = FALSE;
1117 gstring * g;
1118
1119 for (uschar * t = lpart; !needs_quote && *t != 0; t++)
1120 {
1121 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1122 (*t != '.' || t == lpart || t[1] == 0);
1123 }
1124
1125 if (!needs_quote) return lpart;
1126
1127 g = string_catn(NULL, US"\"", 1);
1128
1129 for (;;)
1130 {
1131 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1132 if (nq == NULL)
1133 {
1134 g = string_cat(g, lpart);
1135 break;
1136 }
1137 g = string_catn(g, lpart, nq - lpart);
1138 g = string_catn(g, US"\\", 1);
1139 g = string_catn(g, nq, 1);
1140 lpart = nq + 1;
1141 }
1142
1143 g = string_catn(g, US"\"", 1);
1144 return string_from_gstring(g);
1145 }
1146
1147
1148
1149 #ifdef USE_READLINE
1150 /*************************************************
1151 * Load readline() functions *
1152 *************************************************/
1153
1154 /* This function is called from testing executions that read data from stdin,
1155 but only when running as the calling user. Currently, only -be does this. The
1156 function loads the readline() function library and passes back the functions.
1157 On some systems, it needs the curses library, so load that too, but try without
1158 it if loading fails. All this functionality has to be requested at build time.
1159
1160 Arguments:
1161 fn_readline_ptr pointer to where to put the readline pointer
1162 fn_addhist_ptr pointer to where to put the addhistory function
1163
1164 Returns: the dlopen handle or NULL on failure
1165 */
1166
1167 static void *
1168 set_readline(char * (**fn_readline_ptr)(const char *),
1169 void (**fn_addhist_ptr)(const char *))
1170 {
1171 void *dlhandle;
1172 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1173
1174 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1175 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1176
1177 if (dlhandle != NULL)
1178 {
1179 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1180 * char * readline (const char *prompt);
1181 * void add_history (const char *string);
1182 */
1183 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1184 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1185 }
1186 else
1187 {
1188 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1189 }
1190
1191 return dlhandle;
1192 }
1193 #endif
1194
1195
1196
1197 /*************************************************
1198 * Get a line from stdin for testing things *
1199 *************************************************/
1200
1201 /* This function is called when running tests that can take a number of lines
1202 of input (for example, -be and -bt). It handles continuations and trailing
1203 spaces. And prompting and a blank line output on eof. If readline() is in use,
1204 the arguments are non-NULL and provide the relevant functions.
1205
1206 Arguments:
1207 fn_readline readline function or NULL
1208 fn_addhist addhist function or NULL
1209
1210 Returns: pointer to dynamic memory, or NULL at end of file
1211 */
1212
1213 static uschar *
1214 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1215 {
1216 gstring * g = NULL;
1217
1218 if (!fn_readline) { printf("> "); fflush(stdout); }
1219
1220 for (int i = 0;; i++)
1221 {
1222 uschar buffer[1024];
1223 uschar *p, *ss;
1224
1225 #ifdef USE_READLINE
1226 char *readline_line = NULL;
1227 if (fn_readline != NULL)
1228 {
1229 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1230 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1231 p = US readline_line;
1232 }
1233 else
1234 #endif
1235
1236 /* readline() not in use */
1237
1238 {
1239 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1240 p = buffer;
1241 }
1242
1243 /* Handle the line */
1244
1245 ss = p + (int)Ustrlen(p);
1246 while (ss > p && isspace(ss[-1])) ss--;
1247
1248 if (i > 0)
1249 {
1250 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1251 }
1252
1253 g = string_catn(g, p, ss - p);
1254
1255 #ifdef USE_READLINE
1256 if (fn_readline) free(readline_line);
1257 #endif
1258
1259 /* g can only be NULL if ss==p */
1260 if (ss == p || g->s[g->ptr-1] != '\\')
1261 break;
1262
1263 --g->ptr;
1264 (void) string_from_gstring(g);
1265 }
1266
1267 if (!g) printf("\n");
1268 return string_from_gstring(g);
1269 }
1270
1271
1272
1273 /*************************************************
1274 * Output usage information for the program *
1275 *************************************************/
1276
1277 /* This function is called when there are no recipients
1278 or a specific --help argument was added.
1279
1280 Arguments:
1281 progname information on what name we were called by
1282
1283 Returns: DOES NOT RETURN
1284 */
1285
1286 static void
1287 exim_usage(uschar *progname)
1288 {
1289
1290 /* Handle specific program invocation variants */
1291 if (Ustrcmp(progname, US"-mailq") == 0)
1292 exim_fail(
1293 "mailq - list the contents of the mail queue\n\n"
1294 "For a list of options, see the Exim documentation.\n");
1295
1296 /* Generic usage - we output this whatever happens */
1297 exim_fail(
1298 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1299 "not directly from a shell command line. Options and/or arguments control\n"
1300 "what it does when called. For a list of options, see the Exim documentation.\n");
1301 }
1302
1303
1304
1305 /*************************************************
1306 * Validate that the macros given are okay *
1307 *************************************************/
1308
1309 /* Typically, Exim will drop privileges if macros are supplied. In some
1310 cases, we want to not do so.
1311
1312 Arguments: opt_D_used - true if the commandline had a "-D" option
1313 Returns: true if trusted, false otherwise
1314 */
1315
1316 static BOOL
1317 macros_trusted(BOOL opt_D_used)
1318 {
1319 #ifdef WHITELIST_D_MACROS
1320 uschar *whitelisted, *end, *p, **whites;
1321 int white_count, i, n;
1322 size_t len;
1323 BOOL prev_char_item, found;
1324 #endif
1325
1326 if (!opt_D_used)
1327 return TRUE;
1328 #ifndef WHITELIST_D_MACROS
1329 return FALSE;
1330 #else
1331
1332 /* We only trust -D overrides for some invoking users:
1333 root, the exim run-time user, the optional config owner user.
1334 I don't know why config-owner would be needed, but since they can own the
1335 config files anyway, there's no security risk to letting them override -D. */
1336 if ( ! ((real_uid == root_uid)
1337 || (real_uid == exim_uid)
1338 #ifdef CONFIGURE_OWNER
1339 || (real_uid == config_uid)
1340 #endif
1341 ))
1342 {
1343 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1344 return FALSE;
1345 }
1346
1347 /* Get a list of macros which are whitelisted */
1348 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1349 prev_char_item = FALSE;
1350 white_count = 0;
1351 for (p = whitelisted; *p != '\0'; ++p)
1352 {
1353 if (*p == ':' || isspace(*p))
1354 {
1355 *p = '\0';
1356 if (prev_char_item)
1357 ++white_count;
1358 prev_char_item = FALSE;
1359 continue;
1360 }
1361 if (!prev_char_item)
1362 prev_char_item = TRUE;
1363 }
1364 end = p;
1365 if (prev_char_item)
1366 ++white_count;
1367 if (!white_count)
1368 return FALSE;
1369 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1370 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1371 {
1372 if (*p != '\0')
1373 {
1374 whites[i++] = p;
1375 if (i == white_count)
1376 break;
1377 while (*p != '\0' && p < end)
1378 ++p;
1379 }
1380 }
1381 whites[i] = NULL;
1382
1383 /* The list of commandline macros should be very short.
1384 Accept the N*M complexity. */
1385 for (macro_item * m = macros_user; m; m = m->next) if (m->command_line)
1386 {
1387 found = FALSE;
1388 for (uschar ** w = whites; *w; ++w)
1389 if (Ustrcmp(*w, m->name) == 0)
1390 {
1391 found = TRUE;
1392 break;
1393 }
1394 if (!found)
1395 return FALSE;
1396 if (!m->replacement)
1397 continue;
1398 if ((len = m->replen) == 0)
1399 continue;
1400 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1401 0, PCRE_EOPT, NULL, 0);
1402 if (n < 0)
1403 {
1404 if (n != PCRE_ERROR_NOMATCH)
1405 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1406 return FALSE;
1407 }
1408 }
1409 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1410 return TRUE;
1411 #endif
1412 }
1413
1414
1415 /*************************************************
1416 * Expansion testing *
1417 *************************************************/
1418
1419 /* Expand and print one item, doing macro-processing.
1420
1421 Arguments:
1422 item line for expansion
1423 */
1424
1425 static void
1426 expansion_test_line(uschar * line)
1427 {
1428 int len;
1429 BOOL dummy_macexp;
1430
1431 Ustrncpy(big_buffer, line, big_buffer_size);
1432 big_buffer[big_buffer_size-1] = '\0';
1433 len = Ustrlen(big_buffer);
1434
1435 (void) macros_expand(0, &len, &dummy_macexp);
1436
1437 if (isupper(big_buffer[0]))
1438 {
1439 if (macro_read_assignment(big_buffer))
1440 printf("Defined macro '%s'\n", mlast->name);
1441 }
1442 else
1443 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1444 else printf("Failed: %s\n", expand_string_message);
1445 }
1446
1447
1448
1449 /*************************************************
1450 * Entry point and high-level code *
1451 *************************************************/
1452
1453 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1454 the appropriate action. All the necessary functions are present in the one
1455 binary. I originally thought one should split it up, but it turns out that so
1456 much of the apparatus is needed in each chunk that one might as well just have
1457 it all available all the time, which then makes the coding easier as well.
1458
1459 Arguments:
1460 argc count of entries in argv
1461 argv argument strings, with argv[0] being the program name
1462
1463 Returns: EXIT_SUCCESS if terminated successfully
1464 EXIT_FAILURE otherwise, except when a message has been sent
1465 to the sender, and -oee was given
1466 */
1467
1468 int
1469 main(int argc, char **cargv)
1470 {
1471 uschar **argv = USS cargv;
1472 int arg_receive_timeout = -1;
1473 int arg_smtp_receive_timeout = -1;
1474 int arg_error_handling = error_handling;
1475 int filter_sfd = -1;
1476 int filter_ufd = -1;
1477 int group_count;
1478 int i, rv;
1479 int list_queue_option = 0;
1480 int msg_action = 0;
1481 int msg_action_arg = -1;
1482 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1483 int queue_only_reason = 0;
1484 #ifdef EXIM_PERL
1485 int perl_start_option = 0;
1486 #endif
1487 int recipients_arg = argc;
1488 int sender_address_domain = 0;
1489 int test_retry_arg = -1;
1490 int test_rewrite_arg = -1;
1491 gid_t original_egid;
1492 BOOL arg_queue_only = FALSE;
1493 BOOL bi_option = FALSE;
1494 BOOL checking = FALSE;
1495 BOOL count_queue = FALSE;
1496 BOOL expansion_test = FALSE;
1497 BOOL extract_recipients = FALSE;
1498 BOOL flag_G = FALSE;
1499 BOOL flag_n = FALSE;
1500 BOOL forced_delivery = FALSE;
1501 BOOL f_end_dot = FALSE;
1502 BOOL deliver_give_up = FALSE;
1503 BOOL list_queue = FALSE;
1504 BOOL list_options = FALSE;
1505 BOOL list_config = FALSE;
1506 BOOL local_queue_only;
1507 BOOL more = TRUE;
1508 BOOL one_msg_action = FALSE;
1509 BOOL opt_D_used = FALSE;
1510 BOOL queue_only_set = FALSE;
1511 BOOL receiving_message = TRUE;
1512 BOOL sender_ident_set = FALSE;
1513 BOOL session_local_queue_only;
1514 BOOL unprivileged;
1515 BOOL removed_privilege = FALSE;
1516 BOOL usage_wanted = FALSE;
1517 BOOL verify_address_mode = FALSE;
1518 BOOL verify_as_sender = FALSE;
1519 BOOL version_printed = FALSE;
1520 uschar *alias_arg = NULL;
1521 uschar *called_as = US"";
1522 uschar *cmdline_syslog_name = NULL;
1523 uschar *start_queue_run_id = NULL;
1524 uschar *stop_queue_run_id = NULL;
1525 uschar *expansion_test_message = NULL;
1526 uschar *ftest_domain = NULL;
1527 uschar *ftest_localpart = NULL;
1528 uschar *ftest_prefix = NULL;
1529 uschar *ftest_suffix = NULL;
1530 uschar *log_oneline = NULL;
1531 uschar *malware_test_file = NULL;
1532 uschar *real_sender_address;
1533 uschar *originator_home = US"/";
1534 size_t sz;
1535 void *reset_point;
1536
1537 struct passwd *pw;
1538 struct stat statbuf;
1539 pid_t passed_qr_pid = (pid_t)0;
1540 int passed_qr_pipe = -1;
1541 gid_t group_list[EXIM_GROUPLIST_SIZE];
1542
1543 /* For the -bI: flag */
1544 enum commandline_info info_flag = CMDINFO_NONE;
1545 BOOL info_stdout = FALSE;
1546
1547 /* Possible options for -R and -S */
1548
1549 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1550
1551 /* Need to define this in case we need to change the environment in order
1552 to get rid of a bogus time zone. We have to make it char rather than uschar
1553 because some OS define it in /usr/include/unistd.h. */
1554
1555 extern char **environ;
1556
1557 /* If the Exim user and/or group and/or the configuration file owner/group were
1558 defined by ref:name at build time, we must now find the actual uid/gid values.
1559 This is a feature to make the lives of binary distributors easier. */
1560
1561 #ifdef EXIM_USERNAME
1562 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1563 {
1564 if (exim_uid == 0)
1565 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1566
1567 /* If ref:name uses a number as the name, route_finduser() returns
1568 TRUE with exim_uid set and pw coerced to NULL. */
1569 if (pw)
1570 exim_gid = pw->pw_gid;
1571 #ifndef EXIM_GROUPNAME
1572 else
1573 exim_fail(
1574 "exim: ref:name should specify a usercode, not a group.\n"
1575 "exim: can't let you get away with it unless you also specify a group.\n");
1576 #endif
1577 }
1578 else
1579 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
1580 #endif
1581
1582 #ifdef EXIM_GROUPNAME
1583 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1584 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
1585 #endif
1586
1587 #ifdef CONFIGURE_OWNERNAME
1588 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1589 exim_fail("exim: failed to find uid for user name \"%s\"\n",
1590 CONFIGURE_OWNERNAME);
1591 #endif
1592
1593 /* We default the system_filter_user to be the Exim run-time user, as a
1594 sane non-root value. */
1595 system_filter_uid = exim_uid;
1596
1597 #ifdef CONFIGURE_GROUPNAME
1598 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1599 exim_fail("exim: failed to find gid for group name \"%s\"\n",
1600 CONFIGURE_GROUPNAME);
1601 #endif
1602
1603 /* In the Cygwin environment, some initialization used to need doing.
1604 It was fudged in by means of this macro; now no longer but we'll leave
1605 it in case of others. */
1606
1607 #ifdef OS_INIT
1608 OS_INIT
1609 #endif
1610
1611 /* Check a field which is patched when we are running Exim within its
1612 testing harness; do a fast initial check, and then the whole thing. */
1613
1614 f.running_in_test_harness =
1615 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1616 if (f.running_in_test_harness)
1617 debug_store = TRUE;
1618
1619 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1620 at the start of a program; however, it seems that some environments do not
1621 follow this. A "strange" locale can affect the formatting of timestamps, so we
1622 make quite sure. */
1623
1624 setlocale(LC_ALL, "C");
1625
1626 /* Set up the default handler for timing using alarm(). */
1627
1628 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1629
1630 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1631 because store_malloc writes a log entry on failure. */
1632
1633 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
1634 exim_fail("exim: failed to get store for log buffer\n");
1635
1636 /* Initialize the default log options. */
1637
1638 bits_set(log_selector, log_selector_size, log_default);
1639
1640 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1641 NULL when the daemon is run and the file is closed. We have to use this
1642 indirection, because some systems don't allow writing to the variable "stderr".
1643 */
1644
1645 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1646
1647 /* Arrange for the PCRE regex library to use our store functions. Note that
1648 the normal calls are actually macros that add additional arguments for
1649 debugging purposes so we have to assign specially constructed functions here.
1650 The default is to use store in the stacking pool, but this is overridden in the
1651 regex_must_compile() function. */
1652
1653 pcre_malloc = function_store_get;
1654 pcre_free = function_dummy_free;
1655
1656 /* Ensure there is a big buffer for temporary use in several places. It is put
1657 in malloc store so that it can be freed for enlargement if necessary. */
1658
1659 big_buffer = store_malloc(big_buffer_size);
1660
1661 /* Set up the handler for the data request signal, and set the initial
1662 descriptive text. */
1663
1664 set_process_info("initializing");
1665 os_restarting_signal(SIGUSR1, usr1_handler);
1666
1667 /* If running in a dockerized environment, the TERM signal is only
1668 delegated to the PID 1 if we request it by setting an signal handler */
1669 if (getpid() == 1) signal(SIGTERM, term_handler);
1670
1671 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1672 in the daemon code. For the rest of Exim's uses, we ignore it. */
1673
1674 signal(SIGHUP, SIG_IGN);
1675
1676 /* We don't want to die on pipe errors as the code is written to handle
1677 the write error instead. */
1678
1679 signal(SIGPIPE, SIG_IGN);
1680
1681 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1682 set to SIG_IGN. This causes subprocesses that complete before the parent
1683 process waits for them not to hang around, so when Exim calls wait(), nothing
1684 is there. The wait() code has been made robust against this, but let's ensure
1685 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1686 ending status. We use sigaction rather than plain signal() on those OS where
1687 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1688 problem on AIX with this.) */
1689
1690 #ifdef SA_NOCLDWAIT
1691 {
1692 struct sigaction act;
1693 act.sa_handler = SIG_DFL;
1694 sigemptyset(&(act.sa_mask));
1695 act.sa_flags = 0;
1696 sigaction(SIGCHLD, &act, NULL);
1697 }
1698 #else
1699 signal(SIGCHLD, SIG_DFL);
1700 #endif
1701
1702 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1703 SIGHUP. */
1704
1705 sighup_argv = argv;
1706
1707 /* Set up the version number. Set up the leading 'E' for the external form of
1708 message ids, set the pointer to the internal form, and initialize it to
1709 indicate no message being processed. */
1710
1711 version_init();
1712 message_id_option[0] = '-';
1713 message_id_external = message_id_option + 1;
1714 message_id_external[0] = 'E';
1715 message_id = message_id_external + 1;
1716 message_id[0] = 0;
1717
1718 /* Set the umask to zero so that any files Exim creates using open() are
1719 created with the modes that it specifies. NOTE: Files created with fopen() have
1720 a problem, which was not recognized till rather late (February 2006). With this
1721 umask, such files will be world writeable. (They are all content scanning files
1722 in the spool directory, which isn't world-accessible, so this is not a
1723 disaster, but it's untidy.) I don't want to change this overall setting,
1724 however, because it will interact badly with the open() calls. Instead, there's
1725 now a function called modefopen() that fiddles with the umask while calling
1726 fopen(). */
1727
1728 (void)umask(0);
1729
1730 /* Precompile the regular expression for matching a message id. Keep this in
1731 step with the code that generates ids in the accept.c module. We need to do
1732 this here, because the -M options check their arguments for syntactic validity
1733 using mac_ismsgid, which uses this. */
1734
1735 regex_ismsgid =
1736 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1737
1738 /* Precompile the regular expression that is used for matching an SMTP error
1739 code, possibly extended, at the start of an error message. Note that the
1740 terminating whitespace character is included. */
1741
1742 regex_smtp_code =
1743 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1744 FALSE, TRUE);
1745
1746 #ifdef WHITELIST_D_MACROS
1747 /* Precompile the regular expression used to filter the content of macros
1748 given to -D for permissibility. */
1749
1750 regex_whitelisted_macro =
1751 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1752 #endif
1753
1754 for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1755
1756 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1757 this seems to be a generally accepted convention, since one finds symbolic
1758 links called "mailq" in standard OS configurations. */
1759
1760 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1761 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1762 {
1763 list_queue = TRUE;
1764 receiving_message = FALSE;
1765 called_as = US"-mailq";
1766 }
1767
1768 /* If the program is called as "rmail" treat it as equivalent to
1769 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1770 i.e. preventing a single dot on a line from terminating the message, and
1771 returning with zero return code, even in cases of error (provided an error
1772 message has been sent). */
1773
1774 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1775 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1776 {
1777 f.dot_ends = FALSE;
1778 called_as = US"-rmail";
1779 errors_sender_rc = EXIT_SUCCESS;
1780 }
1781
1782 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1783 this is a smail convention. */
1784
1785 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1786 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1787 {
1788 smtp_input = smtp_batched_input = TRUE;
1789 called_as = US"-rsmtp";
1790 }
1791
1792 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1793 this is a smail convention. */
1794
1795 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1796 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1797 {
1798 queue_interval = 0;
1799 receiving_message = FALSE;
1800 called_as = US"-runq";
1801 }
1802
1803 /* If the program is called as "newaliases" treat it as equivalent to
1804 "exim -bi"; this is a sendmail convention. */
1805
1806 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1807 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1808 {
1809 bi_option = TRUE;
1810 receiving_message = FALSE;
1811 called_as = US"-newaliases";
1812 }
1813
1814 /* Save the original effective uid for a couple of uses later. It should
1815 normally be root, but in some esoteric environments it may not be. */
1816
1817 original_euid = geteuid();
1818 original_egid = getegid();
1819
1820 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1821 to be the same as the real ones. This makes a difference only if Exim is setuid
1822 (or setgid) to something other than root, which could be the case in some
1823 special configurations. */
1824
1825 real_uid = getuid();
1826 real_gid = getgid();
1827
1828 if (real_uid == root_uid)
1829 {
1830 if ((rv = setgid(real_gid)))
1831 exim_fail("exim: setgid(%ld) failed: %s\n",
1832 (long int)real_gid, strerror(errno));
1833 if ((rv = setuid(real_uid)))
1834 exim_fail("exim: setuid(%ld) failed: %s\n",
1835 (long int)real_uid, strerror(errno));
1836 }
1837
1838 /* If neither the original real uid nor the original euid was root, Exim is
1839 running in an unprivileged state. */
1840
1841 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1842
1843 /* Scan the program's arguments. Some can be dealt with right away; others are
1844 simply recorded for checking and handling afterwards. Do a high-level switch
1845 on the second character (the one after '-'), to save some effort. */
1846
1847 for (i = 1; i < argc; i++)
1848 {
1849 BOOL badarg = FALSE;
1850 uschar *arg = argv[i];
1851 uschar *argrest;
1852 int switchchar;
1853
1854 /* An argument not starting with '-' is the start of a recipients list;
1855 break out of the options-scanning loop. */
1856
1857 if (arg[0] != '-')
1858 {
1859 recipients_arg = i;
1860 break;
1861 }
1862
1863 /* An option consisting of -- terminates the options */
1864
1865 if (Ustrcmp(arg, "--") == 0)
1866 {
1867 recipients_arg = i + 1;
1868 break;
1869 }
1870
1871 /* Handle flagged options */
1872
1873 switchchar = arg[1];
1874 argrest = arg+2;
1875
1876 /* Make all -ex options synonymous with -oex arguments, since that
1877 is assumed by various callers. Also make -qR options synonymous with -R
1878 options, as that seems to be required as well. Allow for -qqR too, and
1879 the same for -S options. */
1880
1881 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1882 Ustrncmp(arg+1, "qR", 2) == 0 ||
1883 Ustrncmp(arg+1, "qS", 2) == 0)
1884 {
1885 switchchar = arg[2];
1886 argrest++;
1887 }
1888 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1889 {
1890 switchchar = arg[3];
1891 argrest += 2;
1892 f.queue_2stage = TRUE;
1893 }
1894
1895 /* Make -r synonymous with -f, since it is a documented alias */
1896
1897 else if (arg[1] == 'r') switchchar = 'f';
1898
1899 /* Make -ov synonymous with -v */
1900
1901 else if (Ustrcmp(arg, "-ov") == 0)
1902 {
1903 switchchar = 'v';
1904 argrest++;
1905 }
1906
1907 /* deal with --option_aliases */
1908 else if (switchchar == '-')
1909 {
1910 if (Ustrcmp(argrest, "help") == 0)
1911 {
1912 usage_wanted = TRUE;
1913 break;
1914 }
1915 else if (Ustrcmp(argrest, "version") == 0)
1916 {
1917 switchchar = 'b';
1918 argrest = US"V";
1919 }
1920 }
1921
1922 /* High-level switch on active initial letter */
1923
1924 switch(switchchar)
1925 {
1926
1927 /* sendmail uses -Ac and -Am to control which .cf file is used;
1928 we ignore them. */
1929 case 'A':
1930 if (*argrest == '\0') { badarg = TRUE; break; }
1931 else
1932 {
1933 BOOL ignore = FALSE;
1934 switch (*argrest)
1935 {
1936 case 'c':
1937 case 'm':
1938 if (*(argrest + 1) == '\0')
1939 ignore = TRUE;
1940 break;
1941 }
1942 if (!ignore) { badarg = TRUE; break; }
1943 }
1944 break;
1945
1946 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1947 so has no need of it. */
1948
1949 case 'B':
1950 if (*argrest == 0) i++; /* Skip over the type */
1951 break;
1952
1953
1954 case 'b':
1955 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1956
1957 /* -bd: Run in daemon mode, awaiting SMTP connections.
1958 -bdf: Ditto, but in the foreground.
1959 */
1960
1961 if (*argrest == 'd')
1962 {
1963 f.daemon_listen = TRUE;
1964 if (*(++argrest) == 'f') f.background_daemon = FALSE;
1965 else if (*argrest != 0) { badarg = TRUE; break; }
1966 }
1967
1968 /* -be: Run in expansion test mode
1969 -bem: Ditto, but read a message from a file first
1970 */
1971
1972 else if (*argrest == 'e')
1973 {
1974 expansion_test = checking = TRUE;
1975 if (argrest[1] == 'm')
1976 {
1977 if (++i >= argc) { badarg = TRUE; break; }
1978 expansion_test_message = argv[i];
1979 argrest++;
1980 }
1981 if (argrest[1] != 0) { badarg = TRUE; break; }
1982 }
1983
1984 /* -bF: Run system filter test */
1985
1986 else if (*argrest == 'F')
1987 {
1988 filter_test |= checking = FTEST_SYSTEM;
1989 if (*(++argrest) != 0) { badarg = TRUE; break; }
1990 if (++i < argc) filter_test_sfile = argv[i]; else
1991 exim_fail("exim: file name expected after %s\n", argv[i-1]);
1992 }
1993
1994 /* -bf: Run user filter test
1995 -bfd: Set domain for filter testing
1996 -bfl: Set local part for filter testing
1997 -bfp: Set prefix for filter testing
1998 -bfs: Set suffix for filter testing
1999 */
2000
2001 else if (*argrest == 'f')
2002 {
2003 if (*(++argrest) == 0)
2004 {
2005 filter_test |= checking = FTEST_USER;
2006 if (++i < argc) filter_test_ufile = argv[i]; else
2007 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2008 }
2009 else
2010 {
2011 if (++i >= argc)
2012 exim_fail("exim: string expected after %s\n", arg);
2013 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2014 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2015 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2016 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2017 else { badarg = TRUE; break; }
2018 }
2019 }
2020
2021 /* -bh: Host checking - an IP address must follow. */
2022
2023 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2024 {
2025 if (++i >= argc) { badarg = TRUE; break; }
2026 sender_host_address = argv[i];
2027 host_checking = checking = f.log_testing_mode = TRUE;
2028 f.host_checking_callout = argrest[1] == 'c';
2029 message_logs = FALSE;
2030 }
2031
2032 /* -bi: This option is used by sendmail to initialize *the* alias file,
2033 though it has the -oA option to specify a different file. Exim has no
2034 concept of *the* alias file, but since Sun's YP make script calls
2035 sendmail this way, some support must be provided. */
2036
2037 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2038
2039 /* -bI: provide information, of the type to follow after a colon.
2040 This is an Exim flag. */
2041
2042 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2043 {
2044 uschar *p = &argrest[2];
2045 info_flag = CMDINFO_HELP;
2046 if (Ustrlen(p))
2047 {
2048 if (strcmpic(p, CUS"sieve") == 0)
2049 {
2050 info_flag = CMDINFO_SIEVE;
2051 info_stdout = TRUE;
2052 }
2053 else if (strcmpic(p, CUS"dscp") == 0)
2054 {
2055 info_flag = CMDINFO_DSCP;
2056 info_stdout = TRUE;
2057 }
2058 else if (strcmpic(p, CUS"help") == 0)
2059 {
2060 info_stdout = TRUE;
2061 }
2062 }
2063 }
2064
2065 /* -bm: Accept and deliver message - the default option. Reinstate
2066 receiving_message, which got turned off for all -b options. */
2067
2068 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2069
2070 /* -bmalware: test the filename given for malware */
2071
2072 else if (Ustrcmp(argrest, "malware") == 0)
2073 {
2074 if (++i >= argc) { badarg = TRUE; break; }
2075 checking = TRUE;
2076 malware_test_file = argv[i];
2077 }
2078
2079 /* -bnq: For locally originating messages, do not qualify unqualified
2080 addresses. In the envelope, this causes errors; in header lines they
2081 just get left. */
2082
2083 else if (Ustrcmp(argrest, "nq") == 0)
2084 {
2085 f.allow_unqualified_sender = FALSE;
2086 f.allow_unqualified_recipient = FALSE;
2087 }
2088
2089 /* -bpxx: List the contents of the mail queue, in various forms. If
2090 the option is -bpc, just a queue count is needed. Otherwise, if the
2091 first letter after p is r, then order is random. */
2092
2093 else if (*argrest == 'p')
2094 {
2095 if (*(++argrest) == 'c')
2096 {
2097 count_queue = TRUE;
2098 if (*(++argrest) != 0) badarg = TRUE;
2099 break;
2100 }
2101
2102 if (*argrest == 'r')
2103 {
2104 list_queue_option = 8;
2105 argrest++;
2106 }
2107 else list_queue_option = 0;
2108
2109 list_queue = TRUE;
2110
2111 /* -bp: List the contents of the mail queue, top-level only */
2112
2113 if (*argrest == 0) {}
2114
2115 /* -bpu: List the contents of the mail queue, top-level undelivered */
2116
2117 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2118
2119 /* -bpa: List the contents of the mail queue, including all delivered */
2120
2121 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2122
2123 /* Unknown after -bp[r] */
2124
2125 else
2126 {
2127 badarg = TRUE;
2128 break;
2129 }
2130 }
2131
2132
2133 /* -bP: List the configuration variables given as the address list.
2134 Force -v, so configuration errors get displayed. */
2135
2136 else if (Ustrcmp(argrest, "P") == 0)
2137 {
2138 /* -bP config: we need to setup here, because later,
2139 * when list_options is checked, the config is read already */
2140 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2141 {
2142 list_config = TRUE;
2143 readconf_save_config(version_string);
2144 }
2145 else
2146 {
2147 list_options = TRUE;
2148 debug_selector |= D_v;
2149 debug_file = stderr;
2150 }
2151 }
2152
2153 /* -brt: Test retry configuration lookup */
2154
2155 else if (Ustrcmp(argrest, "rt") == 0)
2156 {
2157 checking = TRUE;
2158 test_retry_arg = i + 1;
2159 goto END_ARG;
2160 }
2161
2162 /* -brw: Test rewrite configuration */
2163
2164 else if (Ustrcmp(argrest, "rw") == 0)
2165 {
2166 checking = TRUE;
2167 test_rewrite_arg = i + 1;
2168 goto END_ARG;
2169 }
2170
2171 /* -bS: Read SMTP commands on standard input, but produce no replies -
2172 all errors are reported by sending messages. */
2173
2174 else if (Ustrcmp(argrest, "S") == 0)
2175 smtp_input = smtp_batched_input = receiving_message = TRUE;
2176
2177 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2178 on standard output. */
2179
2180 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2181
2182 /* -bt: address testing mode */
2183
2184 else if (Ustrcmp(argrest, "t") == 0)
2185 f.address_test_mode = checking = f.log_testing_mode = TRUE;
2186
2187 /* -bv: verify addresses */
2188
2189 else if (Ustrcmp(argrest, "v") == 0)
2190 verify_address_mode = checking = f.log_testing_mode = TRUE;
2191
2192 /* -bvs: verify sender addresses */
2193
2194 else if (Ustrcmp(argrest, "vs") == 0)
2195 {
2196 verify_address_mode = checking = f.log_testing_mode = TRUE;
2197 verify_as_sender = TRUE;
2198 }
2199
2200 /* -bV: Print version string and support details */
2201
2202 else if (Ustrcmp(argrest, "V") == 0)
2203 {
2204 printf("Exim version %s #%s built %s\n", version_string,
2205 version_cnumber, version_date);
2206 printf("%s\n", CS version_copyright);
2207 version_printed = TRUE;
2208 show_whats_supported(stdout);
2209 f.log_testing_mode = TRUE;
2210 }
2211
2212 /* -bw: inetd wait mode, accept a listening socket as stdin */
2213
2214 else if (*argrest == 'w')
2215 {
2216 f.inetd_wait_mode = TRUE;
2217 f.background_daemon = FALSE;
2218 f.daemon_listen = TRUE;
2219 if (*(++argrest) != '\0')
2220 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2221 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
2222 }
2223
2224 else badarg = TRUE;
2225 break;
2226
2227
2228 /* -C: change configuration file list; ignore if it isn't really
2229 a change! Enforce a prefix check if required. */
2230
2231 case 'C':
2232 if (*argrest == 0)
2233 {
2234 if(++i < argc) argrest = argv[i]; else
2235 { badarg = TRUE; break; }
2236 }
2237 if (Ustrcmp(config_main_filelist, argrest) != 0)
2238 {
2239 #ifdef ALT_CONFIG_PREFIX
2240 int sep = 0;
2241 int len = Ustrlen(ALT_CONFIG_PREFIX);
2242 const uschar *list = argrest;
2243 uschar *filename;
2244 while((filename = string_nextinlist(&list, &sep, big_buffer,
2245 big_buffer_size)) != NULL)
2246 {
2247 if ((Ustrlen(filename) < len ||
2248 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2249 Ustrstr(filename, "/../") != NULL) &&
2250 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2251 exim_fail("-C Permission denied\n");
2252 }
2253 #endif
2254 if (real_uid != root_uid)
2255 {
2256 #ifdef TRUSTED_CONFIG_LIST
2257
2258 if (real_uid != exim_uid
2259 #ifdef CONFIGURE_OWNER
2260 && real_uid != config_uid
2261 #endif
2262 )
2263 f.trusted_config = FALSE;
2264 else
2265 {
2266 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2267 if (trust_list)
2268 {
2269 struct stat statbuf;
2270
2271 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2272 (statbuf.st_uid != root_uid /* owner not root */
2273 #ifdef CONFIGURE_OWNER
2274 && statbuf.st_uid != config_uid /* owner not the special one */
2275 #endif
2276 ) || /* or */
2277 (statbuf.st_gid != root_gid /* group not root */
2278 #ifdef CONFIGURE_GROUP
2279 && statbuf.st_gid != config_gid /* group not the special one */
2280 #endif
2281 && (statbuf.st_mode & 020) != 0 /* group writeable */
2282 ) || /* or */
2283 (statbuf.st_mode & 2) != 0) /* world writeable */
2284 {
2285 f.trusted_config = FALSE;
2286 fclose(trust_list);
2287 }
2288 else
2289 {
2290 /* Well, the trust list at least is up to scratch... */
2291 void *reset_point = store_get(0);
2292 uschar *trusted_configs[32];
2293 int nr_configs = 0;
2294 int i = 0;
2295
2296 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2297 {
2298 uschar *start = big_buffer, *nl;
2299 while (*start && isspace(*start))
2300 start++;
2301 if (*start != '/')
2302 continue;
2303 nl = Ustrchr(start, '\n');
2304 if (nl)
2305 *nl = 0;
2306 trusted_configs[nr_configs++] = string_copy(start);
2307 if (nr_configs == 32)
2308 break;
2309 }
2310 fclose(trust_list);
2311
2312 if (nr_configs)
2313 {
2314 int sep = 0;
2315 const uschar *list = argrest;
2316 uschar *filename;
2317 while (f.trusted_config && (filename = string_nextinlist(&list,
2318 &sep, big_buffer, big_buffer_size)) != NULL)
2319 {
2320 for (i=0; i < nr_configs; i++)
2321 {
2322 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2323 break;
2324 }
2325 if (i == nr_configs)
2326 {
2327 f.trusted_config = FALSE;
2328 break;
2329 }
2330 }
2331 store_reset(reset_point);
2332 }
2333 else
2334 {
2335 /* No valid prefixes found in trust_list file. */
2336 f.trusted_config = FALSE;
2337 }
2338 }
2339 }
2340 else
2341 {
2342 /* Could not open trust_list file. */
2343 f.trusted_config = FALSE;
2344 }
2345 }
2346 #else
2347 /* Not root; don't trust config */
2348 f.trusted_config = FALSE;
2349 #endif
2350 }
2351
2352 config_main_filelist = argrest;
2353 f.config_changed = TRUE;
2354 }
2355 break;
2356
2357
2358 /* -D: set up a macro definition */
2359
2360 case 'D':
2361 #ifdef DISABLE_D_OPTION
2362 exim_fail("exim: -D is not available in this Exim binary\n");
2363 #else
2364 {
2365 int ptr = 0;
2366 macro_item *m;
2367 uschar name[24];
2368 uschar *s = argrest;
2369
2370 opt_D_used = TRUE;
2371 while (isspace(*s)) s++;
2372
2373 if (*s < 'A' || *s > 'Z')
2374 exim_fail("exim: macro name set by -D must start with "
2375 "an upper case letter\n");
2376
2377 while (isalnum(*s) || *s == '_')
2378 {
2379 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2380 s++;
2381 }
2382 name[ptr] = 0;
2383 if (ptr == 0) { badarg = TRUE; break; }
2384 while (isspace(*s)) s++;
2385 if (*s != 0)
2386 {
2387 if (*s++ != '=') { badarg = TRUE; break; }
2388 while (isspace(*s)) s++;
2389 }
2390
2391 for (m = macros_user; m; m = m->next)
2392 if (Ustrcmp(m->name, name) == 0)
2393 exim_fail("exim: duplicated -D in command line\n");
2394
2395 m = macro_create(name, s, TRUE);
2396
2397 if (clmacro_count >= MAX_CLMACROS)
2398 exim_fail("exim: too many -D options on command line\n");
2399 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2400 m->replacement);
2401 }
2402 #endif
2403 break;
2404
2405 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2406 The latter is now a no-op, retained for compatibility only. If -dd is used,
2407 debugging subprocesses of the daemon is disabled. */
2408
2409 case 'd':
2410 if (Ustrcmp(argrest, "ropcr") == 0)
2411 {
2412 /* drop_cr = TRUE; */
2413 }
2414
2415 /* Use an intermediate variable so that we don't set debugging while
2416 decoding the debugging bits. */
2417
2418 else
2419 {
2420 unsigned int selector = D_default;
2421 debug_selector = 0;
2422 debug_file = NULL;
2423 if (*argrest == 'd')
2424 {
2425 f.debug_daemon = TRUE;
2426 argrest++;
2427 }
2428 if (*argrest != 0)
2429 decode_bits(&selector, 1, debug_notall, argrest,
2430 debug_options, debug_options_count, US"debug", 0);
2431 debug_selector = selector;
2432 }
2433 break;
2434
2435
2436 /* -E: This is a local error message. This option is not intended for
2437 external use at all, but is not restricted to trusted callers because it
2438 does no harm (just suppresses certain error messages) and if Exim is run
2439 not setuid root it won't always be trusted when it generates error
2440 messages using this option. If there is a message id following -E, point
2441 message_reference at it, for logging. */
2442
2443 case 'E':
2444 f.local_error_message = TRUE;
2445 if (mac_ismsgid(argrest)) message_reference = argrest;
2446 break;
2447
2448
2449 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2450 option, so it looks as if historically the -oex options are also callable
2451 without the leading -o. So we have to accept them. Before the switch,
2452 anything starting -oe has been converted to -e. Exim does not support all
2453 of the sendmail error options. */
2454
2455 case 'e':
2456 if (Ustrcmp(argrest, "e") == 0)
2457 {
2458 arg_error_handling = ERRORS_SENDER;
2459 errors_sender_rc = EXIT_SUCCESS;
2460 }
2461 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2462 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2463 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2464 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2465 else badarg = TRUE;
2466 break;
2467
2468
2469 /* -F: Set sender's full name, used instead of the gecos entry from
2470 the password file. Since users can usually alter their gecos entries,
2471 there's no security involved in using this instead. The data can follow
2472 the -F or be in the next argument. */
2473
2474 case 'F':
2475 if (*argrest == 0)
2476 {
2477 if(++i < argc) argrest = argv[i]; else
2478 { badarg = TRUE; break; }
2479 }
2480 originator_name = argrest;
2481 f.sender_name_forced = TRUE;
2482 break;
2483
2484
2485 /* -f: Set sender's address - this value is only actually used if Exim is
2486 run by a trusted user, or if untrusted_set_sender is set and matches the
2487 address, except that the null address can always be set by any user. The
2488 test for this happens later, when the value given here is ignored when not
2489 permitted. For an untrusted user, the actual sender is still put in Sender:
2490 if it doesn't match the From: header (unless no_local_from_check is set).
2491 The data can follow the -f or be in the next argument. The -r switch is an
2492 obsolete form of -f but since there appear to be programs out there that
2493 use anything that sendmail has ever supported, better accept it - the
2494 synonymizing is done before the switch above.
2495
2496 At this stage, we must allow domain literal addresses, because we don't
2497 know what the setting of allow_domain_literals is yet. Ditto for trailing
2498 dots and strip_trailing_dot. */
2499
2500 case 'f':
2501 {
2502 int dummy_start, dummy_end;
2503 uschar *errmess;
2504 if (*argrest == 0)
2505 {
2506 if (i+1 < argc) argrest = argv[++i]; else
2507 { badarg = TRUE; break; }
2508 }
2509 if (*argrest == 0)
2510 sender_address = string_sprintf(""); /* Ensure writeable memory */
2511 else
2512 {
2513 uschar *temp = argrest + Ustrlen(argrest) - 1;
2514 while (temp >= argrest && isspace(*temp)) temp--;
2515 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2516 allow_domain_literals = TRUE;
2517 strip_trailing_dot = TRUE;
2518 #ifdef SUPPORT_I18N
2519 allow_utf8_domains = TRUE;
2520 #endif
2521 sender_address = parse_extract_address(argrest, &errmess,
2522 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
2523 #ifdef SUPPORT_I18N
2524 message_smtputf8 = string_is_utf8(sender_address);
2525 allow_utf8_domains = FALSE;
2526 #endif
2527 allow_domain_literals = FALSE;
2528 strip_trailing_dot = FALSE;
2529 if (!sender_address)
2530 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
2531 }
2532 f.sender_address_forced = TRUE;
2533 }
2534 break;
2535
2536 /* -G: sendmail invocation to specify that it's a gateway submission and
2537 sendmail may complain about problems instead of fixing them.
2538 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2539 not at this time complain about problems. */
2540
2541 case 'G':
2542 flag_G = TRUE;
2543 break;
2544
2545 /* -h: Set the hop count for an incoming message. Exim does not currently
2546 support this; it always computes it by counting the Received: headers.
2547 To put it in will require a change to the spool header file format. */
2548
2549 case 'h':
2550 if (*argrest == 0)
2551 {
2552 if(++i < argc) argrest = argv[i]; else
2553 { badarg = TRUE; break; }
2554 }
2555 if (!isdigit(*argrest)) badarg = TRUE;
2556 break;
2557
2558
2559 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2560 not to be documented for sendmail but mailx (at least) uses it) */
2561
2562 case 'i':
2563 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
2564 break;
2565
2566
2567 /* -L: set the identifier used for syslog; equivalent to setting
2568 syslog_processname in the config file, but needs to be an admin option. */
2569
2570 case 'L':
2571 if (*argrest == '\0')
2572 {
2573 if(++i < argc) argrest = argv[i]; else
2574 { badarg = TRUE; break; }
2575 }
2576 if ((sz = Ustrlen(argrest)) > 32)
2577 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
2578 if (sz < 1)
2579 exim_fail("exim: the -L syslog name is too short\n");
2580 cmdline_syslog_name = argrest;
2581 break;
2582
2583 case 'M':
2584 receiving_message = FALSE;
2585
2586 /* -MC: continue delivery of another message via an existing open
2587 file descriptor. This option is used for an internal call by the
2588 smtp transport when there is a pending message waiting to go to an
2589 address to which it has got a connection. Five subsequent arguments are
2590 required: transport name, host name, IP address, sequence number, and
2591 message_id. Transports may decline to create new processes if the sequence
2592 number gets too big. The channel is stdin. This (-MC) must be the last
2593 argument. There's a subsequent check that the real-uid is privileged.
2594
2595 If we are running in the test harness. delay for a bit, to let the process
2596 that set this one up complete. This makes for repeatability of the logging,
2597 etc. output. */
2598
2599 if (Ustrcmp(argrest, "C") == 0)
2600 {
2601 union sockaddr_46 interface_sock;
2602 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2603
2604 if (argc != i + 6)
2605 exim_fail("exim: too many or too few arguments after -MC\n");
2606
2607 if (msg_action_arg >= 0)
2608 exim_fail("exim: incompatible arguments\n");
2609
2610 continue_transport = argv[++i];
2611 continue_hostname = argv[++i];
2612 continue_host_address = argv[++i];
2613 continue_sequence = Uatoi(argv[++i]);
2614 msg_action = MSG_DELIVER;
2615 msg_action_arg = ++i;
2616 forced_delivery = TRUE;
2617 queue_run_pid = passed_qr_pid;
2618 queue_run_pipe = passed_qr_pipe;
2619
2620 if (!mac_ismsgid(argv[i]))
2621 exim_fail("exim: malformed message id %s after -MC option\n",
2622 argv[i]);
2623
2624 /* Set up $sending_ip_address and $sending_port, unless proxied */
2625
2626 if (!continue_proxy_cipher)
2627 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2628 &size) == 0)
2629 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2630 &sending_port);
2631 else
2632 exim_fail("exim: getsockname() failed after -MC option: %s\n",
2633 strerror(errno));
2634
2635 if (f.running_in_test_harness) millisleep(500);
2636 break;
2637 }
2638
2639 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2640 {
2641 switch(argrest[1])
2642 {
2643 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2644 precedes -MC (see above). The flag indicates that the host to which
2645 Exim is connected has accepted an AUTH sequence. */
2646
2647 case 'A': f.smtp_authenticated = TRUE; break;
2648
2649 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2650 that exim is connected to supports the esmtp extension DSN */
2651
2652 case 'D': smtp_peer_options |= OPTION_DSN; break;
2653
2654 /* -MCG: set the queue name, to a non-default value */
2655
2656 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2657 else badarg = TRUE;
2658 break;
2659
2660 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2661
2662 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
2663
2664 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2665 it preceded -MC (see above) */
2666
2667 case 'P': smtp_peer_options |= OPTION_PIPE; break;
2668
2669 /* -MCQ: pass on the pid of the queue-running process that started
2670 this chain of deliveries and the fd of its synchronizing pipe; this
2671 is useful only when it precedes -MC (see above) */
2672
2673 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2674 else badarg = TRUE;
2675 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2676 else badarg = TRUE;
2677 break;
2678
2679 /* -MCS: set the smtp_use_size flag; this is useful only when it
2680 precedes -MC (see above) */
2681
2682 case 'S': smtp_peer_options |= OPTION_SIZE; break;
2683
2684 #ifdef SUPPORT_TLS
2685 /* -MCt: similar to -MCT below but the connection is still open
2686 via a proxy process which handles the TLS context and coding.
2687 Require three arguments for the proxied local address and port,
2688 and the TLS cipher. */
2689
2690 case 't': if (++i < argc) sending_ip_address = argv[i];
2691 else badarg = TRUE;
2692 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2693 else badarg = TRUE;
2694 if (++i < argc) continue_proxy_cipher = argv[i];
2695 else badarg = TRUE;
2696 /*FALLTHROUGH*/
2697
2698 /* -MCT: set the tls_offered flag; this is useful only when it
2699 precedes -MC (see above). The flag indicates that the host to which
2700 Exim is connected has offered TLS support. */
2701
2702 case 'T': smtp_peer_options |= OPTION_TLS; break;
2703 #endif
2704
2705 default: badarg = TRUE; break;
2706 }
2707 break;
2708 }
2709
2710 /* -M[x]: various operations on the following list of message ids:
2711 -M deliver the messages, ignoring next retry times and thawing
2712 -Mc deliver the messages, checking next retry times, no thawing
2713 -Mf freeze the messages
2714 -Mg give up on the messages
2715 -Mt thaw the messages
2716 -Mrm remove the messages
2717 In the above cases, this must be the last option. There are also the
2718 following options which are followed by a single message id, and which
2719 act on that message. Some of them use the "recipient" addresses as well.
2720 -Mar add recipient(s)
2721 -Mmad mark all recipients delivered
2722 -Mmd mark recipients(s) delivered
2723 -Mes edit sender
2724 -Mset load a message for use with -be
2725 -Mvb show body
2726 -Mvc show copy (of whole message, in RFC 2822 format)
2727 -Mvh show header
2728 -Mvl show log
2729 */
2730
2731 else if (*argrest == 0)
2732 {
2733 msg_action = MSG_DELIVER;
2734 forced_delivery = f.deliver_force_thaw = TRUE;
2735 }
2736 else if (Ustrcmp(argrest, "ar") == 0)
2737 {
2738 msg_action = MSG_ADD_RECIPIENT;
2739 one_msg_action = TRUE;
2740 }
2741 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2742 else if (Ustrcmp(argrest, "es") == 0)
2743 {
2744 msg_action = MSG_EDIT_SENDER;
2745 one_msg_action = TRUE;
2746 }
2747 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2748 else if (Ustrcmp(argrest, "g") == 0)
2749 {
2750 msg_action = MSG_DELIVER;
2751 deliver_give_up = TRUE;
2752 }
2753 else if (Ustrcmp(argrest, "mad") == 0)
2754 {
2755 msg_action = MSG_MARK_ALL_DELIVERED;
2756 }
2757 else if (Ustrcmp(argrest, "md") == 0)
2758 {
2759 msg_action = MSG_MARK_DELIVERED;
2760 one_msg_action = TRUE;
2761 }
2762 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2763 else if (Ustrcmp(argrest, "set") == 0)
2764 {
2765 msg_action = MSG_LOAD;
2766 one_msg_action = TRUE;
2767 }
2768 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2769 else if (Ustrcmp(argrest, "vb") == 0)
2770 {
2771 msg_action = MSG_SHOW_BODY;
2772 one_msg_action = TRUE;
2773 }
2774 else if (Ustrcmp(argrest, "vc") == 0)
2775 {
2776 msg_action = MSG_SHOW_COPY;
2777 one_msg_action = TRUE;
2778 }
2779 else if (Ustrcmp(argrest, "vh") == 0)
2780 {
2781 msg_action = MSG_SHOW_HEADER;
2782 one_msg_action = TRUE;
2783 }
2784 else if (Ustrcmp(argrest, "vl") == 0)
2785 {
2786 msg_action = MSG_SHOW_LOG;
2787 one_msg_action = TRUE;
2788 }
2789 else { badarg = TRUE; break; }
2790
2791 /* All the -Mxx options require at least one message id. */
2792
2793 msg_action_arg = i + 1;
2794 if (msg_action_arg >= argc)
2795 exim_fail("exim: no message ids given after %s option\n", arg);
2796
2797 /* Some require only message ids to follow */
2798
2799 if (!one_msg_action)
2800 {
2801 for (int j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2802 exim_fail("exim: malformed message id %s after %s option\n",
2803 argv[j], arg);
2804 goto END_ARG; /* Remaining args are ids */
2805 }
2806
2807 /* Others require only one message id, possibly followed by addresses,
2808 which will be handled as normal arguments. */
2809
2810 else
2811 {
2812 if (!mac_ismsgid(argv[msg_action_arg]))
2813 exim_fail("exim: malformed message id %s after %s option\n",
2814 argv[msg_action_arg], arg);
2815 i++;
2816 }
2817 break;
2818
2819
2820 /* Some programs seem to call the -om option without the leading o;
2821 for sendmail it askes for "me too". Exim always does this. */
2822
2823 case 'm':
2824 if (*argrest != 0) badarg = TRUE;
2825 break;
2826
2827
2828 /* -N: don't do delivery - a debugging option that stops transports doing
2829 their thing. It implies debugging at the D_v level. */
2830
2831 case 'N':
2832 if (*argrest == 0)
2833 {
2834 f.dont_deliver = TRUE;
2835 debug_selector |= D_v;
2836 debug_file = stderr;
2837 }
2838 else badarg = TRUE;
2839 break;
2840
2841
2842 /* -n: This means "don't alias" in sendmail, apparently.
2843 For normal invocations, it has no effect.
2844 It may affect some other options. */
2845
2846 case 'n':
2847 flag_n = TRUE;
2848 break;
2849
2850 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2851 option to the specified value. This form uses long names. We need to handle
2852 -O option=value and -Ooption=value. */
2853
2854 case 'O':
2855 if (*argrest == 0)
2856 {
2857 if (++i >= argc)
2858 exim_fail("exim: string expected after -O\n");
2859 }
2860 break;
2861
2862 case 'o':
2863
2864 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2865 file" option). */
2866
2867 if (*argrest == 'A')
2868 {
2869 alias_arg = argrest + 1;
2870 if (alias_arg[0] == 0)
2871 {
2872 if (i+1 < argc) alias_arg = argv[++i]; else
2873 exim_fail("exim: string expected after -oA\n");
2874 }
2875 }
2876
2877 /* -oB: Set a connection message max value for remote deliveries */
2878
2879 else if (*argrest == 'B')
2880 {
2881 uschar *p = argrest + 1;
2882 if (p[0] == 0)
2883 {
2884 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2885 {
2886 connection_max_messages = 1;
2887 p = NULL;
2888 }
2889 }
2890
2891 if (p != NULL)
2892 {
2893 if (!isdigit(*p))
2894 exim_fail("exim: number expected after -oB\n");
2895 connection_max_messages = Uatoi(p);
2896 }
2897 }
2898
2899 /* -odb: background delivery */
2900
2901 else if (Ustrcmp(argrest, "db") == 0)
2902 {
2903 f.synchronous_delivery = FALSE;
2904 arg_queue_only = FALSE;
2905 queue_only_set = TRUE;
2906 }
2907
2908 /* -odf: foreground delivery (smail-compatible option); same effect as
2909 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2910 */
2911
2912 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2913 {
2914 f.synchronous_delivery = TRUE;
2915 arg_queue_only = FALSE;
2916 queue_only_set = TRUE;
2917 }
2918
2919 /* -odq: queue only */
2920
2921 else if (Ustrcmp(argrest, "dq") == 0)
2922 {
2923 f.synchronous_delivery = FALSE;
2924 arg_queue_only = TRUE;
2925 queue_only_set = TRUE;
2926 }
2927
2928 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2929 but no remote delivery */
2930
2931 else if (Ustrcmp(argrest, "dqs") == 0)
2932 {
2933 f.queue_smtp = TRUE;
2934 arg_queue_only = FALSE;
2935 queue_only_set = TRUE;
2936 }
2937
2938 /* -oex: Sendmail error flags. As these are also accepted without the
2939 leading -o prefix, for compatibility with vacation and other callers,
2940 they are handled with -e above. */
2941
2942 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2943 -oitrue: Another sendmail syntax for the same */
2944
2945 else if (Ustrcmp(argrest, "i") == 0 ||
2946 Ustrcmp(argrest, "itrue") == 0)
2947 f.dot_ends = FALSE;
2948
2949 /* -oM*: Set various characteristics for an incoming message; actually
2950 acted on for trusted callers only. */
2951
2952 else if (*argrest == 'M')
2953 {
2954 if (i+1 >= argc)
2955 exim_fail("exim: data expected after -o%s\n", argrest);
2956
2957 /* -oMa: Set sender host address */
2958
2959 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2960
2961 /* -oMaa: Set authenticator name */
2962
2963 else if (Ustrcmp(argrest, "Maa") == 0)
2964 sender_host_authenticated = argv[++i];
2965
2966 /* -oMas: setting authenticated sender */
2967
2968 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2969
2970 /* -oMai: setting authenticated id */
2971
2972 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2973
2974 /* -oMi: Set incoming interface address */
2975
2976 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2977
2978 /* -oMm: Message reference */
2979
2980 else if (Ustrcmp(argrest, "Mm") == 0)
2981 {
2982 if (!mac_ismsgid(argv[i+1]))
2983 exim_fail("-oMm must be a valid message ID\n");
2984 if (!f.trusted_config)
2985 exim_fail("-oMm must be called by a trusted user/config\n");
2986 message_reference = argv[++i];
2987 }
2988
2989 /* -oMr: Received protocol */
2990
2991 else if (Ustrcmp(argrest, "Mr") == 0)
2992
2993 if (received_protocol)
2994 exim_fail("received_protocol is set already\n");
2995 else
2996 received_protocol = argv[++i];
2997
2998 /* -oMs: Set sender host name */
2999
3000 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3001
3002 /* -oMt: Set sender ident */
3003
3004 else if (Ustrcmp(argrest, "Mt") == 0)
3005 {
3006 sender_ident_set = TRUE;
3007 sender_ident = argv[++i];
3008 }
3009
3010 /* Else a bad argument */
3011
3012 else
3013 {
3014 badarg = TRUE;
3015 break;
3016 }
3017 }
3018
3019 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3020 seem to call this as -m (undocumented), so that is also accepted (see
3021 above). */
3022
3023 else if (Ustrcmp(argrest, "m") == 0) {}
3024
3025 /* -oo: An ancient flag for old-style addresses which still seems to
3026 crop up in some calls (see in SCO). */
3027
3028 else if (Ustrcmp(argrest, "o") == 0) {}
3029
3030 /* -oP <name>: set pid file path for daemon */
3031
3032 else if (Ustrcmp(argrest, "P") == 0)
3033 override_pid_file_path = argv[++i];
3034
3035 /* -or <n>: set timeout for non-SMTP acceptance
3036 -os <n>: set timeout for SMTP acceptance */
3037
3038 else if (*argrest == 'r' || *argrest == 's')
3039 {
3040 int *tp = (*argrest == 'r')?
3041 &arg_receive_timeout : &arg_smtp_receive_timeout;
3042 if (argrest[1] == 0)
3043 {
3044 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3045 }
3046 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3047 if (*tp < 0)
3048 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3049 }
3050
3051 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3052
3053 else if (Ustrcmp(argrest, "X") == 0)
3054 override_local_interfaces = argv[++i];
3055
3056 /* Unknown -o argument */
3057
3058 else badarg = TRUE;
3059 break;
3060
3061
3062 /* -ps: force Perl startup; -pd force delayed Perl startup */
3063
3064 case 'p':
3065 #ifdef EXIM_PERL
3066 if (*argrest == 's' && argrest[1] == 0)
3067 {
3068 perl_start_option = 1;
3069 break;
3070 }
3071 if (*argrest == 'd' && argrest[1] == 0)
3072 {
3073 perl_start_option = -1;
3074 break;
3075 }
3076 #endif
3077
3078 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3079 which sets the host protocol and host name */
3080
3081 if (*argrest == 0)
3082 if (i+1 < argc)
3083 argrest = argv[++i];
3084 else
3085 { badarg = TRUE; break; }
3086
3087 if (*argrest != 0)
3088 {
3089 uschar *hn;
3090
3091 if (received_protocol)
3092 exim_fail("received_protocol is set already\n");
3093
3094 hn = Ustrchr(argrest, ':');
3095 if (hn == NULL)
3096 received_protocol = argrest;
3097 else
3098 {
3099 int old_pool = store_pool;
3100 store_pool = POOL_PERM;
3101 received_protocol = string_copyn(argrest, hn - argrest);
3102 store_pool = old_pool;
3103 sender_host_name = hn + 1;
3104 }
3105 }
3106 break;
3107
3108
3109 case 'q':
3110 receiving_message = FALSE;
3111 if (queue_interval >= 0)
3112 exim_fail("exim: -q specified more than once\n");
3113
3114 /* -qq...: Do queue runs in a 2-stage manner */
3115
3116 if (*argrest == 'q')
3117 {
3118 f.queue_2stage = TRUE;
3119 argrest++;
3120 }
3121
3122 /* -qi...: Do only first (initial) deliveries */
3123
3124 if (*argrest == 'i')
3125 {
3126 f.queue_run_first_delivery = TRUE;
3127 argrest++;
3128 }
3129
3130 /* -qf...: Run the queue, forcing deliveries
3131 -qff..: Ditto, forcing thawing as well */
3132
3133 if (*argrest == 'f')
3134 {
3135 f.queue_run_force = TRUE;
3136 if (*++argrest == 'f')
3137 {
3138 f.deliver_force_thaw = TRUE;
3139 argrest++;
3140 }
3141 }
3142
3143 /* -q[f][f]l...: Run the queue only on local deliveries */
3144
3145 if (*argrest == 'l')
3146 {
3147 f.queue_run_local = TRUE;
3148 argrest++;
3149 }
3150
3151 /* -q[f][f][l][G<name>]... Work on the named queue */
3152
3153 if (*argrest == 'G')
3154 {
3155 int i;
3156 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3157 queue_name = string_copyn(argrest, i);
3158 argrest += i;
3159 if (*argrest == '/') argrest++;
3160 }
3161
3162 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3163 only, optionally named, optionally starting from a given message id. */
3164
3165 if (*argrest == 0 &&
3166 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3167 {
3168 queue_interval = 0;
3169 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3170 start_queue_run_id = argv[++i];
3171 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3172 stop_queue_run_id = argv[++i];
3173 }
3174
3175 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3176 forced, optionally local only, optionally named. */
3177
3178 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3179 0, FALSE)) <= 0)
3180 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3181 break;
3182
3183
3184 case 'R': /* Synonymous with -qR... */
3185 receiving_message = FALSE;
3186
3187 /* -Rf: As -R (below) but force all deliveries,
3188 -Rff: Ditto, but also thaw all frozen messages,
3189 -Rr: String is regex
3190 -Rrf: Regex and force
3191 -Rrff: Regex and force and thaw
3192
3193 in all cases provided there are no further characters in this
3194 argument. */
3195
3196 if (*argrest != 0)
3197 for (int i = 0; i < nelem(rsopts); i++)
3198 if (Ustrcmp(argrest, rsopts[i]) == 0)
3199 {
3200 if (i != 2) f.queue_run_force = TRUE;
3201 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3202 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3203 argrest += Ustrlen(rsopts[i]);
3204 }
3205
3206 /* -R: Set string to match in addresses for forced queue run to
3207 pick out particular messages. */
3208
3209 if (*argrest)
3210 deliver_selectstring = argrest;
3211 else if (i+1 < argc)
3212 deliver_selectstring = argv[++i];
3213 else
3214 exim_fail("exim: string expected after -R\n");
3215 break;
3216
3217
3218 /* -r: an obsolete synonym for -f (see above) */
3219
3220
3221 /* -S: Like -R but works on sender. */
3222
3223 case 'S': /* Synonymous with -qS... */
3224 receiving_message = FALSE;
3225
3226 /* -Sf: As -S (below) but force all deliveries,
3227 -Sff: Ditto, but also thaw all frozen messages,
3228 -Sr: String is regex
3229 -Srf: Regex and force
3230 -Srff: Regex and force and thaw
3231
3232 in all cases provided there are no further characters in this
3233 argument. */
3234
3235 if (*argrest)
3236 for (int i = 0; i < nelem(rsopts); i++)
3237 if (Ustrcmp(argrest, rsopts[i]) == 0)
3238 {
3239 if (i != 2) f.queue_run_force = TRUE;
3240 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3241 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3242 argrest += Ustrlen(rsopts[i]);
3243 }
3244
3245 /* -S: Set string to match in addresses for forced queue run to
3246 pick out particular messages. */
3247
3248 if (*argrest)
3249 deliver_selectstring_sender = argrest;
3250 else if (i+1 < argc)
3251 deliver_selectstring_sender = argv[++i];
3252 else
3253 exim_fail("exim: string expected after -S\n");
3254 break;
3255
3256 /* -Tqt is an option that is exclusively for use by the testing suite.
3257 It is not recognized in other circumstances. It allows for the setting up
3258 of explicit "queue times" so that various warning/retry things can be
3259 tested. Otherwise variability of clock ticks etc. cause problems. */
3260
3261 case 'T':
3262 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3263 fudged_queue_times = argv[++i];
3264 else badarg = TRUE;
3265 break;
3266
3267
3268 /* -t: Set flag to extract recipients from body of message. */
3269
3270 case 't':
3271 if (*argrest == 0) extract_recipients = TRUE;
3272
3273 /* -ti: Set flag to extract recipients from body of message, and also
3274 specify that dot does not end the message. */
3275
3276 else if (Ustrcmp(argrest, "i") == 0)
3277 {
3278 extract_recipients = TRUE;
3279 f.dot_ends = FALSE;
3280 }
3281
3282 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3283
3284 #ifdef SUPPORT_TLS
3285 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
3286 #endif
3287
3288 else badarg = TRUE;
3289 break;
3290
3291
3292 /* -U: This means "initial user submission" in sendmail, apparently. The
3293 doc claims that in future sendmail may refuse syntactically invalid
3294 messages instead of fixing them. For the moment, we just ignore it. */
3295
3296 case 'U':
3297 break;
3298
3299
3300 /* -v: verify things - this is a very low-level debugging */
3301
3302 case 'v':
3303 if (*argrest == 0)
3304 {
3305 debug_selector |= D_v;
3306 debug_file = stderr;
3307 }
3308 else badarg = TRUE;
3309 break;
3310
3311
3312 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3313
3314 The -x flag tells the sendmail command that mail from a local
3315 mail program has National Language Support (NLS) extended characters
3316 in the body of the mail item. The sendmail command can send mail with
3317 extended NLS characters across networks that normally corrupts these
3318 8-bit characters.
3319
3320 As Exim is 8-bit clean, it just ignores this flag. */
3321
3322 case 'x':
3323 if (*argrest != 0) badarg = TRUE;
3324 break;
3325
3326 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3327 logs to that file. We swallow the parameter and otherwise ignore it. */
3328
3329 case 'X':
3330 if (*argrest == '\0')
3331 if (++i >= argc)
3332 exim_fail("exim: string expected after -X\n");
3333 break;
3334
3335 case 'z':
3336 if (*argrest == '\0')
3337 if (++i < argc)
3338 log_oneline = argv[i];
3339 else
3340 exim_fail("exim: file name expected after %s\n", argv[i-1]);
3341 break;
3342
3343 /* All other initial characters are errors */
3344
3345 default:
3346 badarg = TRUE;
3347 break;
3348 } /* End of high-level switch statement */
3349
3350 /* Failed to recognize the option, or syntax error */
3351
3352 if (badarg)
3353 exim_fail("exim abandoned: unknown, malformed, or incomplete "
3354 "option %s\n", arg);
3355 }
3356
3357
3358 /* If -R or -S have been specified without -q, assume a single queue run. */
3359
3360 if ( (deliver_selectstring || deliver_selectstring_sender)
3361 && queue_interval < 0)
3362 queue_interval = 0;
3363
3364
3365 END_ARG:
3366 /* If usage_wanted is set we call the usage function - which never returns */
3367 if (usage_wanted) exim_usage(called_as);
3368
3369 /* Arguments have been processed. Check for incompatibilities. */
3370 if ((
3371 (smtp_input || extract_recipients || recipients_arg < argc) &&
3372 (f.daemon_listen || queue_interval >= 0 || bi_option ||
3373 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3374 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3375 ) ||
3376 (
3377 msg_action_arg > 0 &&
3378 (f.daemon_listen || queue_interval > 0 || list_options ||
3379 (checking && msg_action != MSG_LOAD) ||
3380 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3381 ) ||
3382 (
3383 (f.daemon_listen || queue_interval > 0) &&
3384 (sender_address != NULL || list_options || list_queue || checking ||
3385 bi_option)
3386 ) ||
3387 (
3388 f.daemon_listen && queue_interval == 0
3389 ) ||
3390 (
3391 f.inetd_wait_mode && queue_interval >= 0
3392 ) ||
3393 (
3394 list_options &&
3395 (checking || smtp_input || extract_recipients ||
3396 filter_test != FTEST_NONE || bi_option)
3397 ) ||
3398 (
3399 verify_address_mode &&
3400 (f.address_test_mode || smtp_input || extract_recipients ||
3401 filter_test != FTEST_NONE || bi_option)
3402 ) ||
3403 (
3404 f.address_test_mode && (smtp_input || extract_recipients ||
3405 filter_test != FTEST_NONE || bi_option)
3406 ) ||
3407 (
3408 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3409 extract_recipients)
3410 ) ||
3411 (
3412 deliver_selectstring != NULL && queue_interval < 0
3413 ) ||
3414 (
3415 msg_action == MSG_LOAD &&
3416 (!expansion_test || expansion_test_message != NULL)
3417 )
3418 )
3419 exim_fail("exim: incompatible command-line options or arguments\n");
3420
3421 /* If debugging is set up, set the file and the file descriptor to pass on to
3422 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3423 to run in the foreground. */
3424
3425 if (debug_selector != 0)
3426 {
3427 debug_file = stderr;
3428 debug_fd = fileno(debug_file);
3429 f.background_daemon = FALSE;
3430 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
3431 if (debug_selector != D_v) /* -v only doesn't show this */
3432 {
3433 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3434 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3435 debug_selector);
3436 if (!version_printed)
3437 show_whats_supported(stderr);
3438 }
3439 }
3440
3441 /* When started with root privilege, ensure that the limits on the number of
3442 open files and the number of processes (where that is accessible) are
3443 sufficiently large, or are unset, in case Exim has been called from an
3444 environment where the limits are screwed down. Not all OS have the ability to
3445 change some of these limits. */
3446
3447 if (unprivileged)
3448 {
3449 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3450 }
3451 else
3452 {
3453 struct rlimit rlp;
3454
3455 #ifdef RLIMIT_NOFILE
3456 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3457 {
3458 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3459 strerror(errno));
3460 rlp.rlim_cur = rlp.rlim_max = 0;
3461 }
3462
3463 /* I originally chose 1000 as a nice big number that was unlikely to
3464 be exceeded. It turns out that some older OS have a fixed upper limit of
3465 256. */
3466
3467 if (rlp.rlim_cur < 1000)
3468 {
3469 rlp.rlim_cur = rlp.rlim_max = 1000;
3470 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3471 {
3472 rlp.rlim_cur = rlp.rlim_max = 256;
3473 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3474 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3475 strerror(errno));
3476 }
3477 }
3478 #endif
3479
3480 #ifdef RLIMIT_NPROC
3481 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3482 {
3483 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3484 strerror(errno));
3485 rlp.rlim_cur = rlp.rlim_max = 0;
3486 }
3487
3488 #ifdef RLIM_INFINITY
3489 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3490 {
3491 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3492 #else
3493 if (rlp.rlim_cur < 1000)
3494 {
3495 rlp.rlim_cur = rlp.rlim_max = 1000;
3496 #endif
3497 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3498 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3499 strerror(errno));
3500 }
3501 #endif
3502 }
3503
3504 /* Exim is normally entered as root (but some special configurations are
3505 possible that don't do this). However, it always spins off sub-processes that
3506 set their uid and gid as required for local delivery. We don't want to pass on
3507 any extra groups that root may belong to, so we want to get rid of them all at
3508 this point.
3509
3510 We need to obey setgroups() at this stage, before possibly giving up root
3511 privilege for a changed configuration file, but later on we might need to
3512 check on the additional groups for the admin user privilege - can't do that
3513 till after reading the config, which might specify the exim gid. Therefore,
3514 save the group list here first. */
3515
3516 if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
3517 exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
3518
3519 /* There is a fundamental difference in some BSD systems in the matter of
3520 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3521 known not to be different. On the "different" systems there is a single group
3522 list, and the first entry in it is the current group. On all other versions of
3523 Unix there is a supplementary group list, which is in *addition* to the current
3524 group. Consequently, to get rid of all extraneous groups on a "standard" system
3525 you pass over 0 groups to setgroups(), while on a "different" system you pass
3526 over a single group - the current group, which is always the first group in the
3527 list. Calling setgroups() with zero groups on a "different" system results in
3528 an error return. The following code should cope with both types of system.
3529
3530 Unfortunately, recent MacOS, which should be a FreeBSD, "helpfully" succeeds
3531 the "setgroups() with zero groups" - and changes the egid.
3532 Thanks to that we had to stash the original_egid above, for use below
3533 in the call to exim_setugid().
3534
3535 However, if this process isn't running as root, setgroups() can't be used
3536 since you have to be root to run it, even if throwing away groups. Not being
3537 root here happens only in some unusual configurations. We just ignore the
3538 error. */
3539
3540 if (setgroups(0, NULL) != 0 && setgroups(1, group_list) != 0 && !unprivileged)
3541 exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
3542
3543 /* If the configuration file name has been altered by an argument on the
3544 command line (either a new file name or a macro definition) and the caller is
3545 not root, or if this is a filter testing run, remove any setuid privilege the
3546 program has and run as the underlying user.
3547
3548 The exim user is locked out of this, which severely restricts the use of -C
3549 for some purposes.
3550
3551 Otherwise, set the real ids to the effective values (should be root unless run
3552 from inetd, which it can either be root or the exim uid, if one is configured).
3553
3554 There is a private mechanism for bypassing some of this, in order to make it
3555 possible to test lots of configurations automatically, without having either to
3556 recompile each time, or to patch in an actual configuration file name and other
3557 values (such as the path name). If running in the test harness, pretend that
3558 configuration file changes and macro definitions haven't happened. */
3559
3560 if (( /* EITHER */
3561 (!f.trusted_config || /* Config changed, or */
3562 !macros_trusted(opt_D_used)) && /* impermissible macros and */
3563 real_uid != root_uid && /* Not root, and */
3564 !f.running_in_test_harness /* Not fudged */
3565 ) || /* OR */
3566 expansion_test /* expansion testing */
3567 || /* OR */
3568 filter_test != FTEST_NONE) /* Filter testing */
3569 {
3570 setgroups(group_count, group_list);
3571 exim_setugid(real_uid, real_gid, FALSE,
3572 US"-C, -D, -be or -bf forces real uid");
3573 removed_privilege = TRUE;
3574
3575 /* In the normal case when Exim is called like this, stderr is available
3576 and should be used for any logging information because attempts to write
3577 to the log will usually fail. To arrange this, we unset really_exim. However,
3578 if no stderr is available there is no point - we might as well have a go
3579 at the log (if it fails, syslog will be written).
3580
3581 Note that if the invoker is Exim, the logs remain available. Messing with
3582 this causes unlogged successful deliveries. */
3583
3584 if (log_stderr && real_uid != exim_uid)
3585 f.really_exim = FALSE;
3586 }
3587
3588 /* Privilege is to be retained for the moment. It may be dropped later,
3589 depending on the job that this Exim process has been asked to do. For now, set
3590 the real uid to the effective so that subsequent re-execs of Exim are done by a
3591 privileged user. */
3592
3593 else
3594 exim_setugid(geteuid(), original_egid, FALSE, US"forcing real = effective");
3595
3596 /* If testing a filter, open the file(s) now, before wasting time doing other
3597 setups and reading the message. */
3598
3599 if (filter_test & FTEST_SYSTEM)
3600 if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
3601 exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
3602 strerror(errno));
3603
3604 if (filter_test & FTEST_USER)
3605 if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
3606 exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
3607 strerror(errno));
3608
3609 /* Initialise lookup_list
3610 If debugging, already called above via version reporting.
3611 In either case, we initialise the list of available lookups while running
3612 as root. All dynamically modules are loaded from a directory which is
3613 hard-coded into the binary and is code which, if not a module, would be
3614 part of Exim already. Ability to modify the content of the directory
3615 is equivalent to the ability to modify a setuid binary!
3616
3617 This needs to happen before we read the main configuration. */
3618 init_lookup_list();
3619
3620 #ifdef SUPPORT_I18N
3621 if (f.running_in_test_harness) smtputf8_advertise_hosts = NULL;
3622 #endif
3623
3624 /* Read the main runtime configuration data; this gives up if there
3625 is a failure. It leaves the configuration file open so that the subsequent
3626 configuration data for delivery can be read if needed.
3627
3628 NOTE: immediately after opening the configuration file we change the working
3629 directory to "/"! Later we change to $spool_directory. We do it there, because
3630 during readconf_main() some expansion takes place already. */
3631
3632 /* Store the initial cwd before we change directories. Can be NULL if the
3633 dir has already been unlinked. */
3634 initial_cwd = os_getcwd(NULL, 0);
3635
3636 /* checking:
3637 -be[m] expansion test -
3638 -b[fF] filter test new
3639 -bh[c] host test -
3640 -bmalware malware_test_file new
3641 -brt retry test new
3642 -brw rewrite test new
3643 -bt address test -
3644 -bv[s] address verify -
3645 list_options:
3646 -bP <option> (except -bP config, which sets list_config)
3647
3648 If any of these options is set, we suppress warnings about configuration
3649 issues (currently about tls_advertise_hosts and keep_environment not being
3650 defined) */
3651
3652 readconf_main(checking || list_options);
3653
3654
3655 /* Now in directory "/" */
3656
3657 if (cleanup_environment() == FALSE)
3658 log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
3659
3660
3661 /* If an action on specific messages is requested, or if a daemon or queue
3662 runner is being started, we need to know if Exim was called by an admin user.
3663 This is the case if the real user is root or exim, or if the real group is
3664 exim, or if one of the supplementary groups is exim or a group listed in
3665 admin_groups. We don't fail all message actions immediately if not admin_user,
3666 since some actions can be performed by non-admin users. Instead, set admin_user
3667 for later interrogation. */
3668
3669 if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3670 f.admin_user = TRUE;
3671 else
3672 for (int i = 0; i < group_count && !f.admin_user; i++)
3673 if (group_list[i] == exim_gid)
3674 f.admin_user = TRUE;
3675 else if (admin_groups)
3676 for (int j = 1; j <= (int)admin_groups[0] && !f.admin_user; j++)
3677 if (admin_groups[j] == group_list[i])
3678 f.admin_user = TRUE;
3679
3680 /* Another group of privileged users are the trusted users. These are root,
3681 exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3682 are permitted to specify sender_addresses with -f on the command line, and
3683 other message parameters as well. */
3684
3685 if (real_uid == root_uid || real_uid == exim_uid)
3686 f.trusted_caller = TRUE;
3687 else
3688 {
3689 if (trusted_users)
3690 for (int i = 1; i <= (int)trusted_users[0] && !f.trusted_caller; i++)
3691 if (trusted_users[i] == real_uid)
3692 f.trusted_caller = TRUE;
3693
3694 if (trusted_groups)
3695 for (int i = 1; i <= (int)trusted_groups[0] && !f.trusted_caller; i++)
3696 if (trusted_groups[i] == real_gid)
3697 f.trusted_caller = TRUE;
3698 else for (int j = 0; j < group_count && !f.trusted_caller; j++)
3699 if (trusted_groups[i] == group_list[j])
3700 f.trusted_caller = TRUE;
3701 }
3702
3703 /* At this point, we know if the user is privileged and some command-line
3704 options become possibly impermissible, depending upon the configuration file. */
3705
3706 if (checking && commandline_checks_require_admin && !f.admin_user)
3707 exim_fail("exim: those command-line flags are set to require admin\n");
3708
3709 /* Handle the decoding of logging options. */
3710
3711 decode_bits(log_selector, log_selector_size, log_notall,
3712 log_selector_string, log_options, log_options_count, US"log", 0);
3713
3714 DEBUG(D_any)
3715 {
3716 debug_printf("configuration file is %s\n", config_main_filename);
3717 debug_printf("log selectors =");
3718 for (int i = 0; i < log_selector_size; i++)
3719 debug_printf(" %08x", log_selector[i]);
3720 debug_printf("\n");
3721 }
3722
3723 /* If domain literals are not allowed, check the sender address that was
3724 supplied with -f. Ditto for a stripped trailing dot. */
3725
3726 if (sender_address)
3727 {
3728 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3729 exim_fail("exim: bad -f address \"%s\": domain literals not "
3730 "allowed\n", sender_address);
3731 if (f_end_dot && !strip_trailing_dot)
3732 exim_fail("exim: bad -f address \"%s.\": domain is malformed "
3733 "(trailing dot not allowed)\n", sender_address);
3734 }
3735
3736 /* See if an admin user overrode our logging. */
3737
3738 if (cmdline_syslog_name)
3739 if (f.admin_user)
3740 {
3741 syslog_processname = cmdline_syslog_name;
3742 log_file_path = string_copy(CUS"syslog");
3743 }
3744 else
3745 /* not a panic, non-privileged users should not be able to spam paniclog */
3746 exim_fail(
3747 "exim: you lack sufficient privilege to specify syslog process name\n");
3748
3749 /* Paranoia check of maximum lengths of certain strings. There is a check
3750 on the length of the log file path in log.c, which will come into effect
3751 if there are any calls to write the log earlier than this. However, if we
3752 get this far but the string is very long, it is better to stop now than to
3753 carry on and (e.g.) receive a message and then have to collapse. The call to
3754 log_write() from here will cause the ultimate panic collapse if the complete
3755 file name exceeds the buffer length. */
3756
3757 if (Ustrlen(log_file_path) > 200)
3758 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3759 "log_file_path is longer than 200 chars: aborting");
3760
3761 if (Ustrlen(pid_file_path) > 200)
3762 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3763 "pid_file_path is longer than 200 chars: aborting");
3764
3765 if (Ustrlen(spool_directory) > 200)
3766 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3767 "spool_directory is longer than 200 chars: aborting");
3768
3769 /* Length check on the process name given to syslog for its TAG field,
3770 which is only permitted to be 32 characters or less. See RFC 3164. */
3771
3772 if (Ustrlen(syslog_processname) > 32)
3773 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3774 "syslog_processname is longer than 32 chars: aborting");
3775
3776 if (log_oneline)
3777 if (f.admin_user)
3778 {
3779 log_write(0, LOG_MAIN, "%s", log_oneline);
3780 return EXIT_SUCCESS;
3781 }
3782 else
3783 return EXIT_FAILURE;
3784
3785 /* In some operating systems, the environment variable TMPDIR controls where
3786 temporary files are created; Exim doesn't use these (apart from when delivering
3787 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3788 If TMPDIR is found in the environment, reset it to the value defined in the
3789 EXIM_TMPDIR macro, if this macro is defined. For backward compatibility this
3790 macro may be called TMPDIR in old "Local/Makefile"s. It's converted to
3791 EXIM_TMPDIR by the build scripts.
3792 */
3793
3794 #ifdef EXIM_TMPDIR
3795 if (environ) for (uschar ** p = USS environ; *p; p++)
3796 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && Ustrcmp(*p+7, EXIM_TMPDIR) != 0)
3797 {
3798 uschar * newp = store_malloc(Ustrlen(EXIM_TMPDIR) + 8);
3799 sprintf(CS newp, "TMPDIR=%s", EXIM_TMPDIR);
3800 *p = newp;
3801 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", EXIM_TMPDIR);
3802 }
3803 #endif
3804
3805 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3806 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3807 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3808 called by a user who has set the TZ variable. This then affects the timestamps
3809 in log files and in Received: headers, and any created Date: header lines. The
3810 required timezone is settable in the configuration file, so nothing can be done
3811 about this earlier - but hopefully nothing will normally be logged earlier than
3812 this. We have to make a new environment if TZ is wrong, but don't bother if
3813 timestamps_utc is set, because then all times are in UTC anyway. */
3814
3815 if (timezone_string && strcmpic(timezone_string, US"UTC") == 0)
3816 f.timestamps_utc = TRUE;
3817 else
3818 {
3819 uschar *envtz = US getenv("TZ");
3820 if (envtz
3821 ? !timezone_string || Ustrcmp(timezone_string, envtz) != 0
3822 : timezone_string != NULL
3823 )
3824 {
3825 uschar **p = USS environ;
3826 uschar **new;
3827 uschar **newp;
3828 int count = 0;
3829 if (environ) while (*p++) count++;
3830 if (!envtz) count++;
3831 newp = new = store_malloc(sizeof(uschar *) * (count + 1));
3832 if (environ) for (p = USS environ; *p; p++)
3833 if (Ustrncmp(*p, "TZ=", 3) != 0) *newp++ = *p;
3834 if (timezone_string)
3835 {
3836 *newp = store_malloc(Ustrlen(timezone_string) + 4);
3837 sprintf(CS *newp++, "TZ=%s", timezone_string);
3838 }
3839 *newp = NULL;
3840 environ = CSS new;
3841 tzset();
3842 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3843 tod_stamp(tod_log));
3844 }
3845 }
3846
3847 /* Handle the case when we have removed the setuid privilege because of -C or
3848 -D. This means that the caller of Exim was not root.
3849
3850 There is a problem if we were running as the Exim user. The sysadmin may
3851 expect this case to retain privilege because "the binary was called by the
3852 Exim user", but it hasn't, because either the -D option set macros, or the
3853 -C option set a non-trusted configuration file. There are two possibilities:
3854
3855 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3856 to do message deliveries. Thus, the fact that it is running as a
3857 non-privileged user is plausible, and might be wanted in some special
3858 configurations. However, really_exim will have been set false when
3859 privilege was dropped, to stop Exim trying to write to its normal log
3860 files. Therefore, re-enable normal log processing, assuming the sysadmin
3861 has set up the log directory correctly.
3862
3863 (2) If deliver_drop_privilege is not set, the configuration won't work as
3864 apparently intended, and so we log a panic message. In order to retain
3865 root for -C or -D, the caller must either be root or be invoking a
3866 trusted configuration file (when deliver_drop_privilege is false). */
3867
3868 if ( removed_privilege
3869 && (!f.trusted_config || opt_D_used)
3870 && real_uid == exim_uid)
3871 if (deliver_drop_privilege)
3872 f.really_exim = TRUE; /* let logging work normally */
3873 else
3874 log_write(0, LOG_MAIN|LOG_PANIC,
3875 "exim user lost privilege for using %s option",
3876 f.trusted_config? "-D" : "-C");
3877
3878 /* Start up Perl interpreter if Perl support is configured and there is a
3879 perl_startup option, and the configuration or the command line specifies
3880 initializing starting. Note that the global variables are actually called
3881 opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3882
3883 #ifdef EXIM_PERL
3884 if (perl_start_option != 0)
3885 opt_perl_at_start = (perl_start_option > 0);
3886 if (opt_perl_at_start && opt_perl_startup != NULL)
3887 {
3888 uschar *errstr;
3889 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3890 if ((errstr = init_perl(opt_perl_startup)))
3891 exim_fail("exim: error in perl_startup code: %s\n", errstr);
3892 opt_perl_started = TRUE;
3893 }
3894 #endif /* EXIM_PERL */
3895
3896 /* Log the arguments of the call if the configuration file said so. This is
3897 a debugging feature for finding out what arguments certain MUAs actually use.
3898 Don't attempt it if logging is disabled, or if listing variables or if
3899 verifying/testing addresses or expansions. */
3900
3901 if ( (debug_selector & D_any || LOGGING(arguments))
3902 && f.really_exim && !list_options && !checking)
3903 {
3904 uschar *p = big_buffer;
3905 Ustrcpy(p, "cwd= (failed)");
3906
3907 if (!initial_cwd)
3908 p += 13;
3909 else
3910 {
3911 Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
3912 p += 4 + Ustrlen(initial_cwd);
3913 /* in case p is near the end and we don't provide enough space for
3914 * string_format to be willing to write. */
3915 *p = '\0';
3916 }
3917
3918 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3919 while (*p) p++;
3920 for (int i = 0; i < argc; i++)
3921 {
3922 int len = Ustrlen(argv[i]);
3923 const uschar *printing;
3924 uschar *quote;
3925 if (p + len + 8 >= big_buffer + big_buffer_size)
3926 {
3927 Ustrcpy(p, " ...");
3928 log_write(0, LOG_MAIN, "%s", big_buffer);
3929 Ustrcpy(big_buffer, "...");
3930 p = big_buffer + 3;
3931 }
3932 printing = string_printing(argv[i]);
3933 if (printing[0] == 0) quote = US"\""; else
3934 {
3935 const uschar *pp = printing;
3936 quote = US"";
3937 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3938 }
3939 p += sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3940 (p - big_buffer) - 4), printing, quote);
3941 }
3942
3943 if (LOGGING(arguments))
3944 log_write(0, LOG_MAIN, "%s", big_buffer);
3945 else
3946 debug_printf("%s\n", big_buffer);
3947 }
3948
3949 /* Set the working directory to be the top-level spool directory. We don't rely
3950 on this in the code, which always uses fully qualified names, but it's useful
3951 for core dumps etc. Don't complain if it fails - the spool directory might not
3952 be generally accessible and calls with the -C option (and others) have lost
3953 privilege by now. Before the chdir, we try to ensure that the directory exists.
3954 */
3955
3956 if (Uchdir(spool_directory) != 0)
3957 {
3958 int dummy;
3959 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
3960 dummy = /* quieten compiler */ Uchdir(spool_directory);
3961 dummy = dummy; /* yet more compiler quietening, sigh */
3962 }
3963
3964 /* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3965 alias file. Exim doesn't have such a concept, but this call is screwed into
3966 Sun's YP makefiles. Handle this by calling a configured script, as the real
3967 user who called Exim. The -oA option can be used to pass an argument to the
3968 script. */
3969
3970 if (bi_option)
3971 {
3972 (void)fclose(config_file);
3973 if (bi_command != NULL)
3974 {
3975 int i = 0;
3976 uschar *argv[3];
3977 argv[i++] = bi_command;
3978 if (alias_arg != NULL) argv[i++] = alias_arg;
3979 argv[i++] = NULL;
3980
3981 setgroups(group_count, group_list);
3982 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3983
3984 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3985 (argv[1] == NULL)? US"" : argv[1]);
3986
3987 execv(CS argv[0], (char *const *)argv);
3988 exim_fail("exim: exec failed: %s\n", strerror(errno));
3989 }
3990 else
3991 {
3992 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3993 exit(EXIT_SUCCESS);
3994 }
3995 }
3996
3997 /* We moved the admin/trusted check to be immediately after reading the
3998 configuration file. We leave these prints here to ensure that syslog setup,
3999 logfile setup, and so on has already happened. */
4000
4001 if (f.trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
4002 if (f.admin_user) DEBUG(D_any) debug_printf("admin user\n");
4003
4004 /* Only an admin user may start the daemon or force a queue run in the default
4005 configuration, but the queue run restriction can be relaxed. Only an admin
4006 user may request that a message be returned to its sender forthwith. Only an
4007 admin user may specify a debug level greater than D_v (because it might show
4008 passwords, etc. in lookup queries). Only an admin user may request a queue
4009 count. Only an admin user can use the test interface to scan for email
4010 (because Exim will be in the spool dir and able to look at mails). */
4011
4012 if (!f.admin_user)
4013 {
4014 BOOL debugset = (debug_selector & ~D_v) != 0;
4015 if (deliver_give_up || f.daemon_listen || malware_test_file ||
4016 (count_queue && queue_list_requires_admin) ||
4017 (list_queue && queue_list_requires_admin) ||
4018 (queue_interval >= 0 && prod_requires_admin) ||
4019 (debugset && !f.running_in_test_harness))
4020 exim_fail("exim:%s permission denied\n", debugset? " debugging" : "");
4021 }
4022
4023 /* If the real user is not root or the exim uid, the argument for passing
4024 in an open TCP/IP connection for another message is not permitted, nor is
4025 running with the -N option for any delivery action, unless this call to exim is
4026 one that supplied an input message, or we are using a patched exim for
4027 regression testing. */
4028
4029 if (real_uid != root_uid && real_uid != exim_uid &&
4030 (continue_hostname != NULL ||
4031 (f.dont_deliver &&
4032 (queue_interval >= 0 || f.daemon_listen || msg_action_arg > 0)
4033 )) && !f.running_in_test_harness)
4034 exim_fail("exim: Permission denied\n");
4035
4036 /* If the caller is not trusted, certain arguments are ignored when running for
4037 real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
4038 Note that authority for performing certain actions on messages is tested in the
4039 queue_action() function. */
4040
4041 if (!f.trusted_caller && !checking)
4042 {
4043 sender_host_name = sender_host_address = interface_address =
4044 sender_ident = received_protocol = NULL;
4045 sender_host_port = interface_port = 0;
4046 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
4047 }
4048
4049 /* If a sender host address is set, extract the optional port number off the
4050 end of it and check its syntax. Do the same thing for the interface address.
4051 Exim exits if the syntax is bad. */
4052
4053 else
4054 {
4055 if (sender_host_address != NULL)
4056 sender_host_port = check_port(sender_host_address);
4057 if (interface_address != NULL)
4058 interface_port = check_port(interface_address);
4059 }
4060
4061 /* If the caller is trusted, then they can use -G to suppress_local_fixups. */
4062 if (flag_G)
4063 {
4064 if (f.trusted_caller)
4065 {
4066 f.suppress_local_fixups = f.suppress_local_fixups_default = TRUE;
4067 DEBUG(D_acl) debug_printf("suppress_local_fixups forced on by -G\n");
4068 }
4069 else
4070 exim_fail("exim: permission denied (-G requires a trusted user)\n");
4071 }
4072
4073 /* If an SMTP message is being received check to see if the standard input is a
4074 TCP/IP socket. If it is, we assume that Exim was called from inetd if the
4075 caller is root or the Exim user, or if the port is a privileged one. Otherwise,
4076 barf. */
4077
4078 if (smtp_input)
4079 {
4080 union sockaddr_46 inetd_sock;
4081 EXIM_SOCKLEN_T size = sizeof(inetd_sock);
4082 if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
4083 {
4084 int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
4085 if (family == AF_INET || family == AF_INET6)
4086 {
4087 union sockaddr_46 interface_sock;
4088 size = sizeof(interface_sock);
4089
4090 if (getsockname(0