Recast more internal string routines to use growable-strings
[exim.git] / src / src / exim.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
11
12
13 #include "exim.h"
14
15 #if defined(__GLIBC__) && !defined(__UCLIBC__)
16 # include <gnu/libc-version.h>
17 #endif
18
19 #ifdef USE_GNUTLS
20 # include <gnutls/gnutls.h>
21 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22 # define DISABLE_OCSP
23 # endif
24 #endif
25
26 extern void init_lookup_list(void);
27
28
29
30 /*************************************************
31 * Function interface to store functions *
32 *************************************************/
33
34 /* We need some real functions to pass to the PCRE regular expression library
35 for store allocation via Exim's store manager. The normal calls are actually
36 macros that pass over location information to make tracing easier. These
37 functions just interface to the standard macro calls. A good compiler will
38 optimize out the tail recursion and so not make them too expensive. There
39 are two sets of functions; one for use when we want to retain the compiled
40 regular expression for a long time; the other for short-term use. */
41
42 static void *
43 function_store_get(size_t size)
44 {
45 return store_get((int)size);
46 }
47
48 static void
49 function_dummy_free(void *block) { block = block; }
50
51 static void *
52 function_store_malloc(size_t size)
53 {
54 return store_malloc((int)size);
55 }
56
57 static void
58 function_store_free(void *block)
59 {
60 store_free(block);
61 }
62
63
64
65
66 /*************************************************
67 * Enums for cmdline interface *
68 *************************************************/
69
70 enum commandline_info { CMDINFO_NONE=0,
71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
72
73
74
75
76 /*************************************************
77 * Compile regular expression and panic on fail *
78 *************************************************/
79
80 /* This function is called when failure to compile a regular expression leads
81 to a panic exit. In other cases, pcre_compile() is called directly. In many
82 cases where this function is used, the results of the compilation are to be
83 placed in long-lived store, so we temporarily reset the store management
84 functions that PCRE uses if the use_malloc flag is set.
85
86 Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91 Returns: pointer to the compiled pattern
92 */
93
94 const pcre *
95 regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
96 {
97 int offset;
98 int options = PCRE_COPT;
99 const pcre *yield;
100 const uschar *error;
101 if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106 if (caseless) options |= PCRE_CASELESS;
107 yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
108 pcre_malloc = function_store_get;
109 pcre_free = function_dummy_free;
110 if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113 return yield;
114 }
115
116
117
118
119 /*************************************************
120 * Execute regular expression and set strings *
121 *************************************************/
122
123 /* This function runs a regular expression match, and sets up the pointers to
124 the matched substrings.
125
126 Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134 Returns: TRUE or FALSE
135 */
136
137 BOOL
138 regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
139 {
140 int ovector[3*(EXPAND_MAXN+1)];
141 uschar * s = string_copy(subject); /* de-constifying */
142 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
143 PCRE_EOPT | options, ovector, nelem(ovector));
144 BOOL yield = n >= 0;
145 if (n == 0) n = EXPAND_MAXN + 1;
146 if (yield)
147 {
148 int nn;
149 expand_nmax = setup < 0 ? 0 : setup + 1;
150 for (nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
151 {
152 expand_nstring[expand_nmax] = s + ovector[nn];
153 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
154 }
155 expand_nmax--;
156 }
157 return yield;
158 }
159
160
161
162
163 /*************************************************
164 * Set up processing details *
165 *************************************************/
166
167 /* Save a text string for dumping when SIGUSR1 is received.
168 Do checks for overruns.
169
170 Arguments: format and arguments, as for printf()
171 Returns: nothing
172 */
173
174 void
175 set_process_info(const char *format, ...)
176 {
177 gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
178 gstring * g;
179 int len;
180 va_list ap;
181
182 g = string_fmt_append(&gs, "%5d ", (int)getpid());
183 len = g->ptr;
184 va_start(ap, format);
185 if (!string_vformat(g, FALSE, format, ap))
186 {
187 gs.ptr = len;
188 g = string_cat(&gs, US"**** string overflowed buffer ****");
189 }
190 g = string_catn(g, US"\n", 1);
191 string_from_gstring(g);
192 process_info_len = g->ptr;
193 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
194 va_end(ap);
195 }
196
197 /***********************************************
198 * Handler for SIGTERM *
199 ***********************************************/
200
201 static void
202 term_handler(int sig)
203 {
204 exit(1);
205 }
206
207
208 /*************************************************
209 * Handler for SIGUSR1 *
210 *************************************************/
211
212 /* SIGUSR1 causes any exim process to write to the process log details of
213 what it is currently doing. It will only be used if the OS is capable of
214 setting up a handler that causes automatic restarting of any system call
215 that is in progress at the time.
216
217 This function takes care to be signal-safe.
218
219 Argument: the signal number (SIGUSR1)
220 Returns: nothing
221 */
222
223 static void
224 usr1_handler(int sig)
225 {
226 int fd;
227
228 os_restarting_signal(sig, usr1_handler);
229
230 if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
231 {
232 /* If we are already running as the Exim user, try to create it in the
233 current process (assuming spool_directory exists). Otherwise, if we are
234 root, do the creation in an exim:exim subprocess. */
235
236 int euid = geteuid();
237 if (euid == exim_uid)
238 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
239 else if (euid == root_uid)
240 fd = log_create_as_exim(process_log_path);
241 }
242
243 /* If we are neither exim nor root, or if we failed to create the log file,
244 give up. There is not much useful we can do with errors, since we don't want
245 to disrupt whatever is going on outside the signal handler. */
246
247 if (fd < 0) return;
248
249 (void)write(fd, process_info, process_info_len);
250 (void)close(fd);
251 }
252
253
254
255 /*************************************************
256 * Timeout handler *
257 *************************************************/
258
259 /* This handler is enabled most of the time that Exim is running. The handler
260 doesn't actually get used unless alarm() has been called to set a timer, to
261 place a time limit on a system call of some kind. When the handler is run, it
262 re-enables itself.
263
264 There are some other SIGALRM handlers that are used in special cases when more
265 than just a flag setting is required; for example, when reading a message's
266 input. These are normally set up in the code module that uses them, and the
267 SIGALRM handler is reset to this one afterwards.
268
269 Argument: the signal value (SIGALRM)
270 Returns: nothing
271 */
272
273 void
274 sigalrm_handler(int sig)
275 {
276 sig = sig; /* Keep picky compilers happy */
277 sigalrm_seen = TRUE;
278 os_non_restarting_signal(SIGALRM, sigalrm_handler);
279 }
280
281
282
283 /*************************************************
284 * Sleep for a fractional time interval *
285 *************************************************/
286
287 /* This function is called by millisleep() and exim_wait_tick() to wait for a
288 period of time that may include a fraction of a second. The coding is somewhat
289 tedious. We do not expect setitimer() ever to fail, but if it does, the process
290 will wait for ever, so we panic in this instance. (There was a case of this
291 when a bug in a function that calls milliwait() caused it to pass invalid data.
292 That's when I added the check. :-)
293
294 We assume it to be not worth sleeping for under 100us; this value will
295 require revisiting as hardware advances. This avoids the issue of
296 a zero-valued timer setting meaning "never fire".
297
298 Argument: an itimerval structure containing the interval
299 Returns: nothing
300 */
301
302 static void
303 milliwait(struct itimerval *itval)
304 {
305 sigset_t sigmask;
306 sigset_t old_sigmask;
307
308 if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
309 return;
310 (void)sigemptyset(&sigmask); /* Empty mask */
311 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
312 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
313 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
314 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
315 "setitimer() failed: %s", strerror(errno));
316 (void)sigfillset(&sigmask); /* All signals */
317 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
318 (void)sigsuspend(&sigmask); /* Until SIGALRM */
319 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
320 }
321
322
323
324
325 /*************************************************
326 * Millisecond sleep function *
327 *************************************************/
328
329 /* The basic sleep() function has a granularity of 1 second, which is too rough
330 in some cases - for example, when using an increasing delay to slow down
331 spammers.
332
333 Argument: number of millseconds
334 Returns: nothing
335 */
336
337 void
338 millisleep(int msec)
339 {
340 struct itimerval itval;
341 itval.it_interval.tv_sec = 0;
342 itval.it_interval.tv_usec = 0;
343 itval.it_value.tv_sec = msec/1000;
344 itval.it_value.tv_usec = (msec % 1000) * 1000;
345 milliwait(&itval);
346 }
347
348
349
350 /*************************************************
351 * Compare microsecond times *
352 *************************************************/
353
354 /*
355 Arguments:
356 tv1 the first time
357 tv2 the second time
358
359 Returns: -1, 0, or +1
360 */
361
362 static int
363 exim_tvcmp(struct timeval *t1, struct timeval *t2)
364 {
365 if (t1->tv_sec > t2->tv_sec) return +1;
366 if (t1->tv_sec < t2->tv_sec) return -1;
367 if (t1->tv_usec > t2->tv_usec) return +1;
368 if (t1->tv_usec < t2->tv_usec) return -1;
369 return 0;
370 }
371
372
373
374
375 /*************************************************
376 * Clock tick wait function *
377 *************************************************/
378
379 /* Exim uses a time + a pid to generate a unique identifier in two places: its
380 message IDs, and in file names for maildir deliveries. Because some OS now
381 re-use pids within the same second, sub-second times are now being used.
382 However, for absolute certainty, we must ensure the clock has ticked before
383 allowing the relevant process to complete. At the time of implementation of
384 this code (February 2003), the speed of processors is such that the clock will
385 invariably have ticked already by the time a process has done its job. This
386 function prepares for the time when things are faster - and it also copes with
387 clocks that go backwards.
388
389 Arguments:
390 then_tv A timeval which was used to create uniqueness; its usec field
391 has been rounded down to the value of the resolution.
392 We want to be sure the current time is greater than this.
393 resolution The resolution that was used to divide the microseconds
394 (1 for maildir, larger for message ids)
395
396 Returns: nothing
397 */
398
399 void
400 exim_wait_tick(struct timeval *then_tv, int resolution)
401 {
402 struct timeval now_tv;
403 long int now_true_usec;
404
405 (void)gettimeofday(&now_tv, NULL);
406 now_true_usec = now_tv.tv_usec;
407 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
408
409 if (exim_tvcmp(&now_tv, then_tv) <= 0)
410 {
411 struct itimerval itval;
412 itval.it_interval.tv_sec = 0;
413 itval.it_interval.tv_usec = 0;
414 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
415 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
416
417 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
418 negative value for the microseconds is possible only in the case when "now"
419 is more than a second less than "then". That means that itval.it_value.tv_sec
420 is greater than zero. The following correction is therefore safe. */
421
422 if (itval.it_value.tv_usec < 0)
423 {
424 itval.it_value.tv_usec += 1000000;
425 itval.it_value.tv_sec -= 1;
426 }
427
428 DEBUG(D_transport|D_receive)
429 {
430 if (!f.running_in_test_harness)
431 {
432 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
433 then_tv->tv_sec, (long) then_tv->tv_usec,
434 now_tv.tv_sec, (long) now_tv.tv_usec);
435 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
436 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
437 }
438 }
439
440 milliwait(&itval);
441 }
442 }
443
444
445
446
447 /*************************************************
448 * Call fopen() with umask 777 and adjust mode *
449 *************************************************/
450
451 /* Exim runs with umask(0) so that files created with open() have the mode that
452 is specified in the open() call. However, there are some files, typically in
453 the spool directory, that are created with fopen(). They end up world-writeable
454 if no precautions are taken. Although the spool directory is not accessible to
455 the world, this is an untidiness. So this is a wrapper function for fopen()
456 that sorts out the mode of the created file.
457
458 Arguments:
459 filename the file name
460 options the fopen() options
461 mode the required mode
462
463 Returns: the fopened FILE or NULL
464 */
465
466 FILE *
467 modefopen(const uschar *filename, const char *options, mode_t mode)
468 {
469 mode_t saved_umask = umask(0777);
470 FILE *f = Ufopen(filename, options);
471 (void)umask(saved_umask);
472 if (f != NULL) (void)fchmod(fileno(f), mode);
473 return f;
474 }
475
476
477
478
479 /*************************************************
480 * Ensure stdin, stdout, and stderr exist *
481 *************************************************/
482
483 /* Some operating systems grumble if an exec() happens without a standard
484 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
485 file will be opened and will use these fd values, and then some other bit of
486 code will assume, for example, that it can write error messages to stderr.
487 This function ensures that fds 0, 1, and 2 are open if they do not already
488 exist, by connecting them to /dev/null.
489
490 This function is also used to ensure that std{in,out,err} exist at all times,
491 so that if any library that Exim calls tries to use them, it doesn't crash.
492
493 Arguments: None
494 Returns: Nothing
495 */
496
497 void
498 exim_nullstd(void)
499 {
500 int i;
501 int devnull = -1;
502 struct stat statbuf;
503 for (i = 0; i <= 2; i++)
504 {
505 if (fstat(i, &statbuf) < 0 && errno == EBADF)
506 {
507 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
508 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
509 string_open_failed(errno, "/dev/null"));
510 if (devnull != i) (void)dup2(devnull, i);
511 }
512 }
513 if (devnull > 2) (void)close(devnull);
514 }
515
516
517
518
519 /*************************************************
520 * Close unwanted file descriptors for delivery *
521 *************************************************/
522
523 /* This function is called from a new process that has been forked to deliver
524 an incoming message, either directly, or using exec.
525
526 We want any smtp input streams to be closed in this new process. However, it
527 has been observed that using fclose() here causes trouble. When reading in -bS
528 input, duplicate copies of messages have been seen. The files will be sharing a
529 file pointer with the parent process, and it seems that fclose() (at least on
530 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
531 least sometimes. Hence we go for closing the underlying file descriptors.
532
533 If TLS is active, we want to shut down the TLS library, but without molesting
534 the parent's SSL connection.
535
536 For delivery of a non-SMTP message, we want to close stdin and stdout (and
537 stderr unless debugging) because the calling process might have set them up as
538 pipes and be waiting for them to close before it waits for the submission
539 process to terminate. If they aren't closed, they hold up the calling process
540 until the initial delivery process finishes, which is not what we want.
541
542 Exception: We do want it for synchronous delivery!
543
544 And notwithstanding all the above, if D_resolver is set, implying resolver
545 debugging, leave stdout open, because that's where the resolver writes its
546 debugging output.
547
548 When we close stderr (which implies we've also closed stdout), we also get rid
549 of any controlling terminal.
550
551 Arguments: None
552 Returns: Nothing
553 */
554
555 static void
556 close_unwanted(void)
557 {
558 if (smtp_input)
559 {
560 #ifdef SUPPORT_TLS
561 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
562 #endif
563 (void)close(fileno(smtp_in));
564 (void)close(fileno(smtp_out));
565 smtp_in = NULL;
566 }
567 else
568 {
569 (void)close(0); /* stdin */
570 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
571 if (debug_selector == 0) /* stderr */
572 {
573 if (!f.synchronous_delivery)
574 {
575 (void)close(2);
576 log_stderr = NULL;
577 }
578 (void)setsid();
579 }
580 }
581 }
582
583
584
585
586 /*************************************************
587 * Set uid and gid *
588 *************************************************/
589
590 /* This function sets a new uid and gid permanently, optionally calling
591 initgroups() to set auxiliary groups. There are some special cases when running
592 Exim in unprivileged modes. In these situations the effective uid will not be
593 root; if we already have the right effective uid/gid, and don't need to
594 initialize any groups, leave things as they are.
595
596 Arguments:
597 uid the uid
598 gid the gid
599 igflag TRUE if initgroups() wanted
600 msg text to use in debugging output and failure log
601
602 Returns: nothing; bombs out on failure
603 */
604
605 void
606 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
607 {
608 uid_t euid = geteuid();
609 gid_t egid = getegid();
610
611 if (euid == root_uid || euid != uid || egid != gid || igflag)
612 {
613 /* At least one OS returns +1 for initgroups failure, so just check for
614 non-zero. */
615
616 if (igflag)
617 {
618 struct passwd *pw = getpwuid(uid);
619 if (!pw)
620 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
621 "no passwd entry for uid=%ld", (long int)uid);
622
623 if (initgroups(pw->pw_name, gid) != 0)
624 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
625 (long int)uid, strerror(errno));
626 }
627
628 if (setgid(gid) < 0 || setuid(uid) < 0)
629 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
630 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
631 }
632
633 /* Debugging output included uid/gid and all groups */
634
635 DEBUG(D_uid)
636 {
637 int group_count, save_errno;
638 gid_t group_list[EXIM_GROUPLIST_SIZE];
639 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
640 (long int)geteuid(), (long int)getegid(), (long int)getpid());
641 group_count = getgroups(nelem(group_list), group_list);
642 save_errno = errno;
643 debug_printf(" auxiliary group list:");
644 if (group_count > 0)
645 {
646 int i;
647 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
648 }
649 else if (group_count < 0)
650 debug_printf(" <error: %s>", strerror(save_errno));
651 else debug_printf(" <none>");
652 debug_printf("\n");
653 }
654 }
655
656
657
658
659 /*************************************************
660 * Exit point *
661 *************************************************/
662
663 /* Exim exits via this function so that it always clears up any open
664 databases.
665
666 Arguments:
667 rc return code
668
669 Returns: does not return
670 */
671
672 void
673 exim_exit(int rc, const uschar * process)
674 {
675 search_tidyup();
676 DEBUG(D_any)
677 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
678 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
679 process ? "(" : "", process, process ? ") " : "", rc);
680 exit(rc);
681 }
682
683
684
685 /* Print error string, then die */
686 static void
687 exim_fail(const char * fmt, ...)
688 {
689 va_list ap;
690 va_start(ap, fmt);
691 vfprintf(stderr, fmt, ap);
692 exit(EXIT_FAILURE);
693 }
694
695
696
697 /*************************************************
698 * Extract port from host address *
699 *************************************************/
700
701 /* Called to extract the port from the values given to -oMa and -oMi.
702 It also checks the syntax of the address, and terminates it before the
703 port data when a port is extracted.
704
705 Argument:
706 address the address, with possible port on the end
707
708 Returns: the port, or zero if there isn't one
709 bombs out on a syntax error
710 */
711
712 static int
713 check_port(uschar *address)
714 {
715 int port = host_address_extract_port(address);
716 if (string_is_ip_address(address, NULL) == 0)
717 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
718 return port;
719 }
720
721
722
723 /*************************************************
724 * Test/verify an address *
725 *************************************************/
726
727 /* This function is called by the -bv and -bt code. It extracts a working
728 address from a full RFC 822 address. This isn't really necessary per se, but it
729 has the effect of collapsing source routes.
730
731 Arguments:
732 s the address string
733 flags flag bits for verify_address()
734 exit_value to be set for failures
735
736 Returns: nothing
737 */
738
739 static void
740 test_address(uschar *s, int flags, int *exit_value)
741 {
742 int start, end, domain;
743 uschar *parse_error = NULL;
744 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
745 FALSE);
746 if (address == NULL)
747 {
748 fprintf(stdout, "syntax error: %s\n", parse_error);
749 *exit_value = 2;
750 }
751 else
752 {
753 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
754 -1, -1, NULL, NULL, NULL);
755 if (rc == FAIL) *exit_value = 2;
756 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
757 }
758 }
759
760
761
762 /*************************************************
763 * Show supported features *
764 *************************************************/
765
766 static void
767 show_db_version(FILE * f)
768 {
769 #ifdef DB_VERSION_STRING
770 DEBUG(D_any)
771 {
772 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
773 fprintf(f, " Runtime: %s\n",
774 db_version(NULL, NULL, NULL));
775 }
776 else
777 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
778
779 #elif defined(BTREEVERSION) && defined(HASHVERSION)
780 #ifdef USE_DB
781 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
782 #else
783 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
784 #endif
785
786 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
787 fprintf(f, "Probably ndbm\n");
788 #elif defined(USE_TDB)
789 fprintf(f, "Using tdb\n");
790 #else
791 #ifdef USE_GDBM
792 fprintf(f, "Probably GDBM (native mode)\n");
793 #else
794 fprintf(f, "Probably GDBM (compatibility mode)\n");
795 #endif
796 #endif
797 }
798
799
800 /* This function is called for -bV/--version and for -d to output the optional
801 features of the current Exim binary.
802
803 Arguments: a FILE for printing
804 Returns: nothing
805 */
806
807 static void
808 show_whats_supported(FILE * fp)
809 {
810 auth_info * authi;
811
812 DEBUG(D_any) {} else show_db_version(fp);
813
814 fprintf(fp, "Support for:");
815 #ifdef SUPPORT_CRYPTEQ
816 fprintf(fp, " crypteq");
817 #endif
818 #if HAVE_ICONV
819 fprintf(fp, " iconv()");
820 #endif
821 #if HAVE_IPV6
822 fprintf(fp, " IPv6");
823 #endif
824 #ifdef HAVE_SETCLASSRESOURCES
825 fprintf(fp, " use_setclassresources");
826 #endif
827 #ifdef SUPPORT_PAM
828 fprintf(fp, " PAM");
829 #endif
830 #ifdef EXIM_PERL
831 fprintf(fp, " Perl");
832 #endif
833 #ifdef EXPAND_DLFUNC
834 fprintf(fp, " Expand_dlfunc");
835 #endif
836 #ifdef USE_TCP_WRAPPERS
837 fprintf(fp, " TCPwrappers");
838 #endif
839 #ifdef SUPPORT_TLS
840 # ifdef USE_GNUTLS
841 fprintf(fp, " GnuTLS");
842 # else
843 fprintf(fp, " OpenSSL");
844 # endif
845 #endif
846 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
847 fprintf(fp, " translate_ip_address");
848 #endif
849 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
850 fprintf(fp, " move_frozen_messages");
851 #endif
852 #ifdef WITH_CONTENT_SCAN
853 fprintf(fp, " Content_Scanning");
854 #endif
855 #ifdef SUPPORT_DANE
856 fprintf(fp, " DANE");
857 #endif
858 #ifndef DISABLE_DKIM
859 fprintf(fp, " DKIM");
860 #endif
861 #ifndef DISABLE_DNSSEC
862 fprintf(fp, " DNSSEC");
863 #endif
864 #ifndef DISABLE_EVENT
865 fprintf(fp, " Event");
866 #endif
867 #ifdef SUPPORT_I18N
868 fprintf(fp, " I18N");
869 #endif
870 #ifndef DISABLE_OCSP
871 fprintf(fp, " OCSP");
872 #endif
873 #ifndef DISABLE_PRDR
874 fprintf(fp, " PRDR");
875 #endif
876 #ifdef SUPPORT_PROXY
877 fprintf(fp, " PROXY");
878 #endif
879 #ifdef SUPPORT_SOCKS
880 fprintf(fp, " SOCKS");
881 #endif
882 #ifdef SUPPORT_SPF
883 fprintf(fp, " SPF");
884 #endif
885 #ifdef TCP_FASTOPEN
886 deliver_init();
887 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
888 #endif
889 #ifdef EXPERIMENTAL_LMDB
890 fprintf(fp, " Experimental_LMDB");
891 #endif
892 #ifdef EXPERIMENTAL_QUEUEFILE
893 fprintf(fp, " Experimental_QUEUEFILE");
894 #endif
895 #ifdef EXPERIMENTAL_SRS
896 fprintf(fp, " Experimental_SRS");
897 #endif
898 #ifdef EXPERIMENTAL_ARC
899 fprintf(fp, " Experimental_ARC");
900 #endif
901 #ifdef EXPERIMENTAL_BRIGHTMAIL
902 fprintf(fp, " Experimental_Brightmail");
903 #endif
904 #ifdef EXPERIMENTAL_DCC
905 fprintf(fp, " Experimental_DCC");
906 #endif
907 #ifdef EXPERIMENTAL_DMARC
908 fprintf(fp, " Experimental_DMARC");
909 #endif
910 #ifdef EXPERIMENTAL_DSN_INFO
911 fprintf(fp, " Experimental_DSN_info");
912 #endif
913 #ifdef EXPERIMENTAL_REQUIRETLS
914 fprintf(fp, " Experimental_REQUIRETLS");
915 #endif
916 #ifdef EXPERIMENTAL_PIPE_CONNECT
917 fprintf(fp, " Experimental_PIPE_CONNECT");
918 #endif
919 fprintf(fp, "\n");
920
921 fprintf(fp, "Lookups (built-in):");
922 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
923 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
924 #endif
925 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
926 fprintf(fp, " cdb");
927 #endif
928 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
929 fprintf(fp, " dbm dbmjz dbmnz");
930 #endif
931 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
932 fprintf(fp, " dnsdb");
933 #endif
934 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
935 fprintf(fp, " dsearch");
936 #endif
937 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
938 fprintf(fp, " ibase");
939 #endif
940 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
941 fprintf(fp, " ldap ldapdn ldapm");
942 #endif
943 #ifdef EXPERIMENTAL_LMDB
944 fprintf(fp, " lmdb");
945 #endif
946 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
947 fprintf(fp, " mysql");
948 #endif
949 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
950 fprintf(fp, " nis nis0");
951 #endif
952 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
953 fprintf(fp, " nisplus");
954 #endif
955 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
956 fprintf(fp, " oracle");
957 #endif
958 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
959 fprintf(fp, " passwd");
960 #endif
961 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
962 fprintf(fp, " pgsql");
963 #endif
964 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
965 fprintf(fp, " redis");
966 #endif
967 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
968 fprintf(fp, " sqlite");
969 #endif
970 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
971 fprintf(fp, " testdb");
972 #endif
973 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
974 fprintf(fp, " whoson");
975 #endif
976 fprintf(fp, "\n");
977
978 auth_show_supported(fp);
979 route_show_supported(fp);
980 transport_show_supported(fp);
981
982 #ifdef WITH_CONTENT_SCAN
983 malware_show_supported(fp);
984 #endif
985
986 if (fixed_never_users[0] > 0)
987 {
988 int i;
989 fprintf(fp, "Fixed never_users: ");
990 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
991 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
992 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
993 }
994
995 fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
996
997 fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
998
999 /* Everything else is details which are only worth reporting when debugging.
1000 Perhaps the tls_version_report should move into this too. */
1001 DEBUG(D_any) do {
1002
1003 int i;
1004
1005 /* clang defines __GNUC__ (at least, for me) so test for it first */
1006 #if defined(__clang__)
1007 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
1008 #elif defined(__GNUC__)
1009 fprintf(fp, "Compiler: GCC [%s]\n",
1010 # ifdef __VERSION__
1011 __VERSION__
1012 # else
1013 "? unknown version ?"
1014 # endif
1015 );
1016 #else
1017 fprintf(fp, "Compiler: <unknown>\n");
1018 #endif
1019
1020 #if defined(__GLIBC__) && !defined(__UCLIBC__)
1021 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
1022 __GLIBC__, __GLIBC_MINOR__);
1023 if (__GLIBC_PREREQ(2, 1))
1024 fprintf(fp, " Runtime: %s\n",
1025 gnu_get_libc_version());
1026 #endif
1027
1028 show_db_version(fp);
1029
1030 #ifdef SUPPORT_TLS
1031 tls_version_report(fp);
1032 #endif
1033 #ifdef SUPPORT_I18N
1034 utf8_version_report(fp);
1035 #endif
1036
1037 for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
1038 if (authi->version_report)
1039 (*authi->version_report)(fp);
1040
1041 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1042 characters; unless it's an ancient version of PCRE in which case it
1043 is not defined. */
1044 #ifndef PCRE_PRERELEASE
1045 # define PCRE_PRERELEASE
1046 #endif
1047 #define QUOTE(X) #X
1048 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1049 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
1050 " Runtime: %s\n",
1051 PCRE_MAJOR, PCRE_MINOR,
1052 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
1053 pcre_version());
1054 #undef QUOTE
1055 #undef EXPAND_AND_QUOTE
1056
1057 init_lookup_list();
1058 for (i = 0; i < lookup_list_count; i++)
1059 if (lookup_list[i]->version_report)
1060 lookup_list[i]->version_report(fp);
1061
1062 #ifdef WHITELIST_D_MACROS
1063 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1064 #else
1065 fprintf(fp, "WHITELIST_D_MACROS unset\n");
1066 #endif
1067 #ifdef TRUSTED_CONFIG_LIST
1068 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1069 #else
1070 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
1071 #endif
1072
1073 } while (0);
1074 }
1075
1076
1077 /*************************************************
1078 * Show auxiliary information about Exim *
1079 *************************************************/
1080
1081 static void
1082 show_exim_information(enum commandline_info request, FILE *stream)
1083 {
1084 const uschar **pp;
1085
1086 switch(request)
1087 {
1088 case CMDINFO_NONE:
1089 fprintf(stream, "Oops, something went wrong.\n");
1090 return;
1091 case CMDINFO_HELP:
1092 fprintf(stream,
1093 "The -bI: flag takes a string indicating which information to provide.\n"
1094 "If the string is not recognised, you'll get this help (on stderr).\n"
1095 "\n"
1096 " exim -bI:help this information\n"
1097 " exim -bI:dscp list of known dscp value keywords\n"
1098 " exim -bI:sieve list of supported sieve extensions\n"
1099 );
1100 return;
1101 case CMDINFO_SIEVE:
1102 for (pp = exim_sieve_extension_list; *pp; ++pp)
1103 fprintf(stream, "%s\n", *pp);
1104 return;
1105 case CMDINFO_DSCP:
1106 dscp_list_to_stream(stream);
1107 return;
1108 }
1109 }
1110
1111
1112 /*************************************************
1113 * Quote a local part *
1114 *************************************************/
1115
1116 /* This function is used when a sender address or a From: or Sender: header
1117 line is being created from the caller's login, or from an authenticated_id. It
1118 applies appropriate quoting rules for a local part.
1119
1120 Argument: the local part
1121 Returns: the local part, quoted if necessary
1122 */
1123
1124 uschar *
1125 local_part_quote(uschar *lpart)
1126 {
1127 BOOL needs_quote = FALSE;
1128 gstring * g;
1129 uschar *t;
1130
1131 for (t = lpart; !needs_quote && *t != 0; t++)
1132 {
1133 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1134 (*t != '.' || t == lpart || t[1] == 0);
1135 }
1136
1137 if (!needs_quote) return lpart;
1138
1139 g = string_catn(NULL, US"\"", 1);
1140
1141 for (;;)
1142 {
1143 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1144 if (nq == NULL)
1145 {
1146 g = string_cat(g, lpart);
1147 break;
1148 }
1149 g = string_catn(g, lpart, nq - lpart);
1150 g = string_catn(g, US"\\", 1);
1151 g = string_catn(g, nq, 1);
1152 lpart = nq + 1;
1153 }
1154
1155 g = string_catn(g, US"\"", 1);
1156 return string_from_gstring(g);
1157 }
1158
1159
1160
1161 #ifdef USE_READLINE
1162 /*************************************************
1163 * Load readline() functions *
1164 *************************************************/
1165
1166 /* This function is called from testing executions that read data from stdin,
1167 but only when running as the calling user. Currently, only -be does this. The
1168 function loads the readline() function library and passes back the functions.
1169 On some systems, it needs the curses library, so load that too, but try without
1170 it if loading fails. All this functionality has to be requested at build time.
1171
1172 Arguments:
1173 fn_readline_ptr pointer to where to put the readline pointer
1174 fn_addhist_ptr pointer to where to put the addhistory function
1175
1176 Returns: the dlopen handle or NULL on failure
1177 */
1178
1179 static void *
1180 set_readline(char * (**fn_readline_ptr)(const char *),
1181 void (**fn_addhist_ptr)(const char *))
1182 {
1183 void *dlhandle;
1184 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1185
1186 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1187 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1188
1189 if (dlhandle != NULL)
1190 {
1191 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1192 * char * readline (const char *prompt);
1193 * void add_history (const char *string);
1194 */
1195 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1196 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1197 }
1198 else
1199 {
1200 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1201 }
1202
1203 return dlhandle;
1204 }
1205 #endif
1206
1207
1208
1209 /*************************************************
1210 * Get a line from stdin for testing things *
1211 *************************************************/
1212
1213 /* This function is called when running tests that can take a number of lines
1214 of input (for example, -be and -bt). It handles continuations and trailing
1215 spaces. And prompting and a blank line output on eof. If readline() is in use,
1216 the arguments are non-NULL and provide the relevant functions.
1217
1218 Arguments:
1219 fn_readline readline function or NULL
1220 fn_addhist addhist function or NULL
1221
1222 Returns: pointer to dynamic memory, or NULL at end of file
1223 */
1224
1225 static uschar *
1226 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1227 {
1228 int i;
1229 gstring * g = NULL;
1230
1231 if (!fn_readline) { printf("> "); fflush(stdout); }
1232
1233 for (i = 0;; i++)
1234 {
1235 uschar buffer[1024];
1236 uschar *p, *ss;
1237
1238 #ifdef USE_READLINE
1239 char *readline_line = NULL;
1240 if (fn_readline != NULL)
1241 {
1242 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1243 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1244 p = US readline_line;
1245 }
1246 else
1247 #endif
1248
1249 /* readline() not in use */
1250
1251 {
1252 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1253 p = buffer;
1254 }
1255
1256 /* Handle the line */
1257
1258 ss = p + (int)Ustrlen(p);
1259 while (ss > p && isspace(ss[-1])) ss--;
1260
1261 if (i > 0)
1262 {
1263 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1264 }
1265
1266 g = string_catn(g, p, ss - p);
1267
1268 #ifdef USE_READLINE
1269 if (fn_readline) free(readline_line);
1270 #endif
1271
1272 /* g can only be NULL if ss==p */
1273 if (ss == p || g->s[g->ptr-1] != '\\')
1274 break;
1275
1276 --g->ptr;
1277 (void) string_from_gstring(g);
1278 }
1279
1280 if (!g) printf("\n");
1281 return string_from_gstring(g);
1282 }
1283
1284
1285
1286 /*************************************************
1287 * Output usage information for the program *
1288 *************************************************/
1289
1290 /* This function is called when there are no recipients
1291 or a specific --help argument was added.
1292
1293 Arguments:
1294 progname information on what name we were called by
1295
1296 Returns: DOES NOT RETURN
1297 */
1298
1299 static void
1300 exim_usage(uschar *progname)
1301 {
1302
1303 /* Handle specific program invocation variants */
1304 if (Ustrcmp(progname, US"-mailq") == 0)
1305 exim_fail(
1306 "mailq - list the contents of the mail queue\n\n"
1307 "For a list of options, see the Exim documentation.\n");
1308
1309 /* Generic usage - we output this whatever happens */
1310 exim_fail(
1311 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1312 "not directly from a shell command line. Options and/or arguments control\n"
1313 "what it does when called. For a list of options, see the Exim documentation.\n");
1314 }
1315
1316
1317
1318 /*************************************************
1319 * Validate that the macros given are okay *
1320 *************************************************/
1321
1322 /* Typically, Exim will drop privileges if macros are supplied. In some
1323 cases, we want to not do so.
1324
1325 Arguments: opt_D_used - true if the commandline had a "-D" option
1326 Returns: true if trusted, false otherwise
1327 */
1328
1329 static BOOL
1330 macros_trusted(BOOL opt_D_used)
1331 {
1332 #ifdef WHITELIST_D_MACROS
1333 macro_item *m;
1334 uschar *whitelisted, *end, *p, **whites, **w;
1335 int white_count, i, n;
1336 size_t len;
1337 BOOL prev_char_item, found;
1338 #endif
1339
1340 if (!opt_D_used)
1341 return TRUE;
1342 #ifndef WHITELIST_D_MACROS
1343 return FALSE;
1344 #else
1345
1346 /* We only trust -D overrides for some invoking users:
1347 root, the exim run-time user, the optional config owner user.
1348 I don't know why config-owner would be needed, but since they can own the
1349 config files anyway, there's no security risk to letting them override -D. */
1350 if ( ! ((real_uid == root_uid)
1351 || (real_uid == exim_uid)
1352 #ifdef CONFIGURE_OWNER
1353 || (real_uid == config_uid)
1354 #endif
1355 ))
1356 {
1357 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1358 return FALSE;
1359 }
1360
1361 /* Get a list of macros which are whitelisted */
1362 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1363 prev_char_item = FALSE;
1364 white_count = 0;
1365 for (p = whitelisted; *p != '\0'; ++p)
1366 {
1367 if (*p == ':' || isspace(*p))
1368 {
1369 *p = '\0';
1370 if (prev_char_item)
1371 ++white_count;
1372 prev_char_item = FALSE;
1373 continue;
1374 }
1375 if (!prev_char_item)
1376 prev_char_item = TRUE;
1377 }
1378 end = p;
1379 if (prev_char_item)
1380 ++white_count;
1381 if (!white_count)
1382 return FALSE;
1383 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1384 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1385 {
1386 if (*p != '\0')
1387 {
1388 whites[i++] = p;
1389 if (i == white_count)
1390 break;
1391 while (*p != '\0' && p < end)
1392 ++p;
1393 }
1394 }
1395 whites[i] = NULL;
1396
1397 /* The list of commandline macros should be very short.
1398 Accept the N*M complexity. */
1399 for (m = macros_user; m; m = m->next) if (m->command_line)
1400 {
1401 found = FALSE;
1402 for (w = whites; *w; ++w)
1403 if (Ustrcmp(*w, m->name) == 0)
1404 {
1405 found = TRUE;
1406 break;
1407 }
1408 if (!found)
1409 return FALSE;
1410 if (!m->replacement)
1411 continue;
1412 if ((len = m->replen) == 0)
1413 continue;
1414 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1415 0, PCRE_EOPT, NULL, 0);
1416 if (n < 0)
1417 {
1418 if (n != PCRE_ERROR_NOMATCH)
1419 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1420 return FALSE;
1421 }
1422 }
1423 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1424 return TRUE;
1425 #endif
1426 }
1427
1428
1429 /*************************************************
1430 * Expansion testing *
1431 *************************************************/
1432
1433 /* Expand and print one item, doing macro-processing.
1434
1435 Arguments:
1436 item line for expansion
1437 */
1438
1439 static void
1440 expansion_test_line(uschar * line)
1441 {
1442 int len;
1443 BOOL dummy_macexp;
1444
1445 Ustrncpy(big_buffer, line, big_buffer_size);
1446 big_buffer[big_buffer_size-1] = '\0';
1447 len = Ustrlen(big_buffer);
1448
1449 (void) macros_expand(0, &len, &dummy_macexp);
1450
1451 if (isupper(big_buffer[0]))
1452 {
1453 if (macro_read_assignment(big_buffer))
1454 printf("Defined macro '%s'\n", mlast->name);
1455 }
1456 else
1457 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1458 else printf("Failed: %s\n", expand_string_message);
1459 }
1460
1461
1462
1463 /*************************************************
1464 * Entry point and high-level code *
1465 *************************************************/
1466
1467 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1468 the appropriate action. All the necessary functions are present in the one
1469 binary. I originally thought one should split it up, but it turns out that so
1470 much of the apparatus is needed in each chunk that one might as well just have
1471 it all available all the time, which then makes the coding easier as well.
1472
1473 Arguments:
1474 argc count of entries in argv
1475 argv argument strings, with argv[0] being the program name
1476
1477 Returns: EXIT_SUCCESS if terminated successfully
1478 EXIT_FAILURE otherwise, except when a message has been sent
1479 to the sender, and -oee was given
1480 */
1481
1482 int
1483 main(int argc, char **cargv)
1484 {
1485 uschar **argv = USS cargv;
1486 int arg_receive_timeout = -1;
1487 int arg_smtp_receive_timeout = -1;
1488 int arg_error_handling = error_handling;
1489 int filter_sfd = -1;
1490 int filter_ufd = -1;
1491 int group_count;
1492 int i, rv;
1493 int list_queue_option = 0;
1494 int msg_action = 0;
1495 int msg_action_arg = -1;
1496 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1497 int queue_only_reason = 0;
1498 #ifdef EXIM_PERL
1499 int perl_start_option = 0;
1500 #endif
1501 int recipients_arg = argc;
1502 int sender_address_domain = 0;
1503 int test_retry_arg = -1;
1504 int test_rewrite_arg = -1;
1505 gid_t original_egid;
1506 BOOL arg_queue_only = FALSE;
1507 BOOL bi_option = FALSE;
1508 BOOL checking = FALSE;
1509 BOOL count_queue = FALSE;
1510 BOOL expansion_test = FALSE;
1511 BOOL extract_recipients = FALSE;
1512 BOOL flag_G = FALSE;
1513 BOOL flag_n = FALSE;
1514 BOOL forced_delivery = FALSE;
1515 BOOL f_end_dot = FALSE;
1516 BOOL deliver_give_up = FALSE;
1517 BOOL list_queue = FALSE;
1518 BOOL list_options = FALSE;
1519 BOOL list_config = FALSE;
1520 BOOL local_queue_only;
1521 BOOL more = TRUE;
1522 BOOL one_msg_action = FALSE;
1523 BOOL opt_D_used = FALSE;
1524 BOOL queue_only_set = FALSE;
1525 BOOL receiving_message = TRUE;
1526 BOOL sender_ident_set = FALSE;
1527 BOOL session_local_queue_only;
1528 BOOL unprivileged;
1529 BOOL removed_privilege = FALSE;
1530 BOOL usage_wanted = FALSE;
1531 BOOL verify_address_mode = FALSE;
1532 BOOL verify_as_sender = FALSE;
1533 BOOL version_printed = FALSE;
1534 uschar *alias_arg = NULL;
1535 uschar *called_as = US"";
1536 uschar *cmdline_syslog_name = NULL;
1537 uschar *start_queue_run_id = NULL;
1538 uschar *stop_queue_run_id = NULL;
1539 uschar *expansion_test_message = NULL;
1540 uschar *ftest_domain = NULL;
1541 uschar *ftest_localpart = NULL;
1542 uschar *ftest_prefix = NULL;
1543 uschar *ftest_suffix = NULL;
1544 uschar *log_oneline = NULL;
1545 uschar *malware_test_file = NULL;
1546 uschar *real_sender_address;
1547 uschar *originator_home = US"/";
1548 size_t sz;
1549 void *reset_point;
1550
1551 struct passwd *pw;
1552 struct stat statbuf;
1553 pid_t passed_qr_pid = (pid_t)0;
1554 int passed_qr_pipe = -1;
1555 gid_t group_list[EXIM_GROUPLIST_SIZE];
1556
1557 /* For the -bI: flag */
1558 enum commandline_info info_flag = CMDINFO_NONE;
1559 BOOL info_stdout = FALSE;
1560
1561 /* Possible options for -R and -S */
1562
1563 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1564
1565 /* Need to define this in case we need to change the environment in order
1566 to get rid of a bogus time zone. We have to make it char rather than uschar
1567 because some OS define it in /usr/include/unistd.h. */
1568
1569 extern char **environ;
1570
1571 /* If the Exim user and/or group and/or the configuration file owner/group were
1572 defined by ref:name at build time, we must now find the actual uid/gid values.
1573 This is a feature to make the lives of binary distributors easier. */
1574
1575 #ifdef EXIM_USERNAME
1576 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1577 {
1578 if (exim_uid == 0)
1579 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1580
1581 /* If ref:name uses a number as the name, route_finduser() returns
1582 TRUE with exim_uid set and pw coerced to NULL. */
1583 if (pw)
1584 exim_gid = pw->pw_gid;
1585 #ifndef EXIM_GROUPNAME
1586 else
1587 exim_fail(
1588 "exim: ref:name should specify a usercode, not a group.\n"
1589 "exim: can't let you get away with it unless you also specify a group.\n");
1590 #endif
1591 }
1592 else
1593 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
1594 #endif
1595
1596 #ifdef EXIM_GROUPNAME
1597 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1598 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
1599 #endif
1600
1601 #ifdef CONFIGURE_OWNERNAME
1602 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1603 exim_fail("exim: failed to find uid for user name \"%s\"\n",
1604 CONFIGURE_OWNERNAME);
1605 #endif
1606
1607 /* We default the system_filter_user to be the Exim run-time user, as a
1608 sane non-root value. */
1609 system_filter_uid = exim_uid;
1610
1611 #ifdef CONFIGURE_GROUPNAME
1612 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1613 exim_fail("exim: failed to find gid for group name \"%s\"\n",
1614 CONFIGURE_GROUPNAME);
1615 #endif
1616
1617 /* In the Cygwin environment, some initialization used to need doing.
1618 It was fudged in by means of this macro; now no longer but we'll leave
1619 it in case of others. */
1620
1621 #ifdef OS_INIT
1622 OS_INIT
1623 #endif
1624
1625 /* Check a field which is patched when we are running Exim within its
1626 testing harness; do a fast initial check, and then the whole thing. */
1627
1628 f.running_in_test_harness =
1629 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1630 if (f.running_in_test_harness)
1631 debug_store = TRUE;
1632
1633 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1634 at the start of a program; however, it seems that some environments do not
1635 follow this. A "strange" locale can affect the formatting of timestamps, so we
1636 make quite sure. */
1637
1638 setlocale(LC_ALL, "C");
1639
1640 /* Set up the default handler for timing using alarm(). */
1641
1642 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1643
1644 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1645 because store_malloc writes a log entry on failure. */
1646
1647 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
1648 exim_fail("exim: failed to get store for log buffer\n");
1649
1650 /* Initialize the default log options. */
1651
1652 bits_set(log_selector, log_selector_size, log_default);
1653
1654 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1655 NULL when the daemon is run and the file is closed. We have to use this
1656 indirection, because some systems don't allow writing to the variable "stderr".
1657 */
1658
1659 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1660
1661 /* Arrange for the PCRE regex library to use our store functions. Note that
1662 the normal calls are actually macros that add additional arguments for
1663 debugging purposes so we have to assign specially constructed functions here.
1664 The default is to use store in the stacking pool, but this is overridden in the
1665 regex_must_compile() function. */
1666
1667 pcre_malloc = function_store_get;
1668 pcre_free = function_dummy_free;
1669
1670 /* Ensure there is a big buffer for temporary use in several places. It is put
1671 in malloc store so that it can be freed for enlargement if necessary. */
1672
1673 big_buffer = store_malloc(big_buffer_size);
1674
1675 /* Set up the handler for the data request signal, and set the initial
1676 descriptive text. */
1677
1678 set_process_info("initializing");
1679 os_restarting_signal(SIGUSR1, usr1_handler);
1680
1681 /* If running in a dockerized environment, the TERM signal is only
1682 delegated to the PID 1 if we request it by setting an signal handler */
1683 if (getpid() == 1) signal(SIGTERM, term_handler);
1684
1685 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1686 in the daemon code. For the rest of Exim's uses, we ignore it. */
1687
1688 signal(SIGHUP, SIG_IGN);
1689
1690 /* We don't want to die on pipe errors as the code is written to handle
1691 the write error instead. */
1692
1693 signal(SIGPIPE, SIG_IGN);
1694
1695 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1696 set to SIG_IGN. This causes subprocesses that complete before the parent
1697 process waits for them not to hang around, so when Exim calls wait(), nothing
1698 is there. The wait() code has been made robust against this, but let's ensure
1699 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1700 ending status. We use sigaction rather than plain signal() on those OS where
1701 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1702 problem on AIX with this.) */
1703
1704 #ifdef SA_NOCLDWAIT
1705 {
1706 struct sigaction act;
1707 act.sa_handler = SIG_DFL;
1708 sigemptyset(&(act.sa_mask));
1709 act.sa_flags = 0;
1710 sigaction(SIGCHLD, &act, NULL);
1711 }
1712 #else
1713 signal(SIGCHLD, SIG_DFL);
1714 #endif
1715
1716 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1717 SIGHUP. */
1718
1719 sighup_argv = argv;
1720
1721 /* Set up the version number. Set up the leading 'E' for the external form of
1722 message ids, set the pointer to the internal form, and initialize it to
1723 indicate no message being processed. */
1724
1725 version_init();
1726 message_id_option[0] = '-';
1727 message_id_external = message_id_option + 1;
1728 message_id_external[0] = 'E';
1729 message_id = message_id_external + 1;
1730 message_id[0] = 0;
1731
1732 /* Set the umask to zero so that any files Exim creates using open() are
1733 created with the modes that it specifies. NOTE: Files created with fopen() have
1734 a problem, which was not recognized till rather late (February 2006). With this
1735 umask, such files will be world writeable. (They are all content scanning files
1736 in the spool directory, which isn't world-accessible, so this is not a
1737 disaster, but it's untidy.) I don't want to change this overall setting,
1738 however, because it will interact badly with the open() calls. Instead, there's
1739 now a function called modefopen() that fiddles with the umask while calling
1740 fopen(). */
1741
1742 (void)umask(0);
1743
1744 /* Precompile the regular expression for matching a message id. Keep this in
1745 step with the code that generates ids in the accept.c module. We need to do
1746 this here, because the -M options check their arguments for syntactic validity
1747 using mac_ismsgid, which uses this. */
1748
1749 regex_ismsgid =
1750 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1751
1752 /* Precompile the regular expression that is used for matching an SMTP error
1753 code, possibly extended, at the start of an error message. Note that the
1754 terminating whitespace character is included. */
1755
1756 regex_smtp_code =
1757 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1758 FALSE, TRUE);
1759
1760 #ifdef WHITELIST_D_MACROS
1761 /* Precompile the regular expression used to filter the content of macros
1762 given to -D for permissibility. */
1763
1764 regex_whitelisted_macro =
1765 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1766 #endif
1767
1768 for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1769
1770 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1771 this seems to be a generally accepted convention, since one finds symbolic
1772 links called "mailq" in standard OS configurations. */
1773
1774 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1775 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1776 {
1777 list_queue = TRUE;
1778 receiving_message = FALSE;
1779 called_as = US"-mailq";
1780 }
1781
1782 /* If the program is called as "rmail" treat it as equivalent to
1783 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1784 i.e. preventing a single dot on a line from terminating the message, and
1785 returning with zero return code, even in cases of error (provided an error
1786 message has been sent). */
1787
1788 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1789 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1790 {
1791 f.dot_ends = FALSE;
1792 called_as = US"-rmail";
1793 errors_sender_rc = EXIT_SUCCESS;
1794 }
1795
1796 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1797 this is a smail convention. */
1798
1799 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1800 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1801 {
1802 smtp_input = smtp_batched_input = TRUE;
1803 called_as = US"-rsmtp";
1804 }
1805
1806 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1807 this is a smail convention. */
1808
1809 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1810 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1811 {
1812 queue_interval = 0;
1813 receiving_message = FALSE;
1814 called_as = US"-runq";
1815 }
1816
1817 /* If the program is called as "newaliases" treat it as equivalent to
1818 "exim -bi"; this is a sendmail convention. */
1819
1820 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1821 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1822 {
1823 bi_option = TRUE;
1824 receiving_message = FALSE;
1825 called_as = US"-newaliases";
1826 }
1827
1828 /* Save the original effective uid for a couple of uses later. It should
1829 normally be root, but in some esoteric environments it may not be. */
1830
1831 original_euid = geteuid();
1832 original_egid = getegid();
1833
1834 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1835 to be the same as the real ones. This makes a difference only if Exim is setuid
1836 (or setgid) to something other than root, which could be the case in some
1837 special configurations. */
1838
1839 real_uid = getuid();
1840 real_gid = getgid();
1841
1842 if (real_uid == root_uid)
1843 {
1844 if ((rv = setgid(real_gid)))
1845 exim_fail("exim: setgid(%ld) failed: %s\n",
1846 (long int)real_gid, strerror(errno));
1847 if ((rv = setuid(real_uid)))
1848 exim_fail("exim: setuid(%ld) failed: %s\n",
1849 (long int)real_uid, strerror(errno));
1850 }
1851
1852 /* If neither the original real uid nor the original euid was root, Exim is
1853 running in an unprivileged state. */
1854
1855 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1856
1857 /* Scan the program's arguments. Some can be dealt with right away; others are
1858 simply recorded for checking and handling afterwards. Do a high-level switch
1859 on the second character (the one after '-'), to save some effort. */
1860
1861 for (i = 1; i < argc; i++)
1862 {
1863 BOOL badarg = FALSE;
1864 uschar *arg = argv[i];
1865 uschar *argrest;
1866 int switchchar;
1867
1868 /* An argument not starting with '-' is the start of a recipients list;
1869 break out of the options-scanning loop. */
1870
1871 if (arg[0] != '-')
1872 {
1873 recipients_arg = i;
1874 break;
1875 }
1876
1877 /* An option consisting of -- terminates the options */
1878
1879 if (Ustrcmp(arg, "--") == 0)
1880 {
1881 recipients_arg = i + 1;
1882 break;
1883 }
1884
1885 /* Handle flagged options */
1886
1887 switchchar = arg[1];
1888 argrest = arg+2;
1889
1890 /* Make all -ex options synonymous with -oex arguments, since that
1891 is assumed by various callers. Also make -qR options synonymous with -R
1892 options, as that seems to be required as well. Allow for -qqR too, and
1893 the same for -S options. */
1894
1895 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1896 Ustrncmp(arg+1, "qR", 2) == 0 ||
1897 Ustrncmp(arg+1, "qS", 2) == 0)
1898 {
1899 switchchar = arg[2];
1900 argrest++;
1901 }
1902 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1903 {
1904 switchchar = arg[3];
1905 argrest += 2;
1906 f.queue_2stage = TRUE;
1907 }
1908
1909 /* Make -r synonymous with -f, since it is a documented alias */
1910
1911 else if (arg[1] == 'r') switchchar = 'f';
1912
1913 /* Make -ov synonymous with -v */
1914
1915 else if (Ustrcmp(arg, "-ov") == 0)
1916 {
1917 switchchar = 'v';
1918 argrest++;
1919 }
1920
1921 /* deal with --option_aliases */
1922 else if (switchchar == '-')
1923 {
1924 if (Ustrcmp(argrest, "help") == 0)
1925 {
1926 usage_wanted = TRUE;
1927 break;
1928 }
1929 else if (Ustrcmp(argrest, "version") == 0)
1930 {
1931 switchchar = 'b';
1932 argrest = US"V";
1933 }
1934 }
1935
1936 /* High-level switch on active initial letter */
1937
1938 switch(switchchar)
1939 {
1940
1941 /* sendmail uses -Ac and -Am to control which .cf file is used;
1942 we ignore them. */
1943 case 'A':
1944 if (*argrest == '\0') { badarg = TRUE; break; }
1945 else
1946 {
1947 BOOL ignore = FALSE;
1948 switch (*argrest)
1949 {
1950 case 'c':
1951 case 'm':
1952 if (*(argrest + 1) == '\0')
1953 ignore = TRUE;
1954 break;
1955 }
1956 if (!ignore) { badarg = TRUE; break; }
1957 }
1958 break;
1959
1960 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1961 so has no need of it. */
1962
1963 case 'B':
1964 if (*argrest == 0) i++; /* Skip over the type */
1965 break;
1966
1967
1968 case 'b':
1969 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1970
1971 /* -bd: Run in daemon mode, awaiting SMTP connections.
1972 -bdf: Ditto, but in the foreground.
1973 */
1974
1975 if (*argrest == 'd')
1976 {
1977 f.daemon_listen = TRUE;
1978 if (*(++argrest) == 'f') f.background_daemon = FALSE;
1979 else if (*argrest != 0) { badarg = TRUE; break; }
1980 }
1981
1982 /* -be: Run in expansion test mode
1983 -bem: Ditto, but read a message from a file first
1984 */
1985
1986 else if (*argrest == 'e')
1987 {
1988 expansion_test = checking = TRUE;
1989 if (argrest[1] == 'm')
1990 {
1991 if (++i >= argc) { badarg = TRUE; break; }
1992 expansion_test_message = argv[i];
1993 argrest++;
1994 }
1995 if (argrest[1] != 0) { badarg = TRUE; break; }
1996 }
1997
1998 /* -bF: Run system filter test */
1999
2000 else if (*argrest == 'F')
2001 {
2002 filter_test |= checking = FTEST_SYSTEM;
2003 if (*(++argrest) != 0) { badarg = TRUE; break; }
2004 if (++i < argc) filter_test_sfile = argv[i]; else
2005 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2006 }
2007
2008 /* -bf: Run user filter test
2009 -bfd: Set domain for filter testing
2010 -bfl: Set local part for filter testing
2011 -bfp: Set prefix for filter testing
2012 -bfs: Set suffix for filter testing
2013 */
2014
2015 else if (*argrest == 'f')
2016 {
2017 if (*(++argrest) == 0)
2018 {
2019 filter_test |= checking = FTEST_USER;
2020 if (++i < argc) filter_test_ufile = argv[i]; else
2021 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2022 }
2023 else
2024 {
2025 if (++i >= argc)
2026 exim_fail("exim: string expected after %s\n", arg);
2027 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2028 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2029 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2030 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2031 else { badarg = TRUE; break; }
2032 }
2033 }
2034
2035 /* -bh: Host checking - an IP address must follow. */
2036
2037 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2038 {
2039 if (++i >= argc) { badarg = TRUE; break; }
2040 sender_host_address = argv[i];
2041 host_checking = checking = f.log_testing_mode = TRUE;
2042 f.host_checking_callout = argrest[1] == 'c';
2043 message_logs = FALSE;
2044 }
2045
2046 /* -bi: This option is used by sendmail to initialize *the* alias file,
2047 though it has the -oA option to specify a different file. Exim has no
2048 concept of *the* alias file, but since Sun's YP make script calls
2049 sendmail this way, some support must be provided. */
2050
2051 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2052
2053 /* -bI: provide information, of the type to follow after a colon.
2054 This is an Exim flag. */
2055
2056 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2057 {
2058 uschar *p = &argrest[2];
2059 info_flag = CMDINFO_HELP;
2060 if (Ustrlen(p))
2061 {
2062 if (strcmpic(p, CUS"sieve") == 0)
2063 {
2064 info_flag = CMDINFO_SIEVE;
2065 info_stdout = TRUE;
2066 }
2067 else if (strcmpic(p, CUS"dscp") == 0)
2068 {
2069 info_flag = CMDINFO_DSCP;
2070 info_stdout = TRUE;
2071 }
2072 else if (strcmpic(p, CUS"help") == 0)
2073 {
2074 info_stdout = TRUE;
2075 }
2076 }
2077 }
2078
2079 /* -bm: Accept and deliver message - the default option. Reinstate
2080 receiving_message, which got turned off for all -b options. */
2081
2082 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2083
2084 /* -bmalware: test the filename given for malware */
2085
2086 else if (Ustrcmp(argrest, "malware") == 0)
2087 {
2088 if (++i >= argc) { badarg = TRUE; break; }
2089 checking = TRUE;
2090 malware_test_file = argv[i];
2091 }
2092
2093 /* -bnq: For locally originating messages, do not qualify unqualified
2094 addresses. In the envelope, this causes errors; in header lines they
2095 just get left. */
2096
2097 else if (Ustrcmp(argrest, "nq") == 0)
2098 {
2099 f.allow_unqualified_sender = FALSE;
2100 f.allow_unqualified_recipient = FALSE;
2101 }
2102
2103 /* -bpxx: List the contents of the mail queue, in various forms. If
2104 the option is -bpc, just a queue count is needed. Otherwise, if the
2105 first letter after p is r, then order is random. */
2106
2107 else if (*argrest == 'p')
2108 {
2109 if (*(++argrest) == 'c')
2110 {
2111 count_queue = TRUE;
2112 if (*(++argrest) != 0) badarg = TRUE;
2113 break;
2114 }
2115
2116 if (*argrest == 'r')
2117 {
2118 list_queue_option = 8;
2119 argrest++;
2120 }
2121 else list_queue_option = 0;
2122
2123 list_queue = TRUE;
2124
2125 /* -bp: List the contents of the mail queue, top-level only */
2126
2127 if (*argrest == 0) {}
2128
2129 /* -bpu: List the contents of the mail queue, top-level undelivered */
2130
2131 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2132
2133 /* -bpa: List the contents of the mail queue, including all delivered */
2134
2135 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2136
2137 /* Unknown after -bp[r] */
2138
2139 else
2140 {
2141 badarg = TRUE;
2142 break;
2143 }
2144 }
2145
2146
2147 /* -bP: List the configuration variables given as the address list.
2148 Force -v, so configuration errors get displayed. */
2149
2150 else if (Ustrcmp(argrest, "P") == 0)
2151 {
2152 /* -bP config: we need to setup here, because later,
2153 * when list_options is checked, the config is read already */
2154 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2155 {
2156 list_config = TRUE;
2157 readconf_save_config(version_string);
2158 }
2159 else
2160 {
2161 list_options = TRUE;
2162 debug_selector |= D_v;
2163 debug_file = stderr;
2164 }
2165 }
2166
2167 /* -brt: Test retry configuration lookup */
2168
2169 else if (Ustrcmp(argrest, "rt") == 0)
2170 {
2171 checking = TRUE;
2172 test_retry_arg = i + 1;
2173 goto END_ARG;
2174 }
2175
2176 /* -brw: Test rewrite configuration */
2177
2178 else if (Ustrcmp(argrest, "rw") == 0)
2179 {
2180 checking = TRUE;
2181 test_rewrite_arg = i + 1;
2182 goto END_ARG;
2183 }
2184
2185 /* -bS: Read SMTP commands on standard input, but produce no replies -
2186 all errors are reported by sending messages. */
2187
2188 else if (Ustrcmp(argrest, "S") == 0)
2189 smtp_input = smtp_batched_input = receiving_message = TRUE;
2190
2191 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2192 on standard output. */
2193
2194 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2195
2196 /* -bt: address testing mode */
2197
2198 else if (Ustrcmp(argrest, "t") == 0)
2199 f.address_test_mode = checking = f.log_testing_mode = TRUE;
2200
2201 /* -bv: verify addresses */
2202
2203 else if (Ustrcmp(argrest, "v") == 0)
2204 verify_address_mode = checking = f.log_testing_mode = TRUE;
2205
2206 /* -bvs: verify sender addresses */
2207
2208 else if (Ustrcmp(argrest, "vs") == 0)
2209 {
2210 verify_address_mode = checking = f.log_testing_mode = TRUE;
2211 verify_as_sender = TRUE;
2212 }
2213
2214 /* -bV: Print version string and support details */
2215
2216 else if (Ustrcmp(argrest, "V") == 0)
2217 {
2218 printf("Exim version %s #%s built %s\n", version_string,
2219 version_cnumber, version_date);
2220 printf("%s\n", CS version_copyright);
2221 version_printed = TRUE;
2222 show_whats_supported(stdout);
2223 f.log_testing_mode = TRUE;
2224 }
2225
2226 /* -bw: inetd wait mode, accept a listening socket as stdin */
2227
2228 else if (*argrest == 'w')
2229 {
2230 f.inetd_wait_mode = TRUE;
2231 f.background_daemon = FALSE;
2232 f.daemon_listen = TRUE;
2233 if (*(++argrest) != '\0')
2234 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2235 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
2236 }
2237
2238 else badarg = TRUE;
2239 break;
2240
2241
2242 /* -C: change configuration file list; ignore if it isn't really
2243 a change! Enforce a prefix check if required. */
2244
2245 case 'C':
2246 if (*argrest == 0)
2247 {
2248 if(++i < argc) argrest = argv[i]; else
2249 { badarg = TRUE; break; }
2250 }
2251 if (Ustrcmp(config_main_filelist, argrest) != 0)
2252 {
2253 #ifdef ALT_CONFIG_PREFIX
2254 int sep = 0;
2255 int len = Ustrlen(ALT_CONFIG_PREFIX);
2256 const uschar *list = argrest;
2257 uschar *filename;
2258 while((filename = string_nextinlist(&list, &sep, big_buffer,
2259 big_buffer_size)) != NULL)
2260 {
2261 if ((Ustrlen(filename) < len ||
2262 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2263 Ustrstr(filename, "/../") != NULL) &&
2264 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2265 exim_fail("-C Permission denied\n");
2266 }
2267 #endif
2268 if (real_uid != root_uid)
2269 {
2270 #ifdef TRUSTED_CONFIG_LIST
2271
2272 if (real_uid != exim_uid
2273 #ifdef CONFIGURE_OWNER
2274 && real_uid != config_uid
2275 #endif
2276 )
2277 f.trusted_config = FALSE;
2278 else
2279 {
2280 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2281 if (trust_list)
2282 {
2283 struct stat statbuf;
2284
2285 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2286 (statbuf.st_uid != root_uid /* owner not root */
2287 #ifdef CONFIGURE_OWNER
2288 && statbuf.st_uid != config_uid /* owner not the special one */
2289 #endif
2290 ) || /* or */
2291 (statbuf.st_gid != root_gid /* group not root */
2292 #ifdef CONFIGURE_GROUP
2293 && statbuf.st_gid != config_gid /* group not the special one */
2294 #endif
2295 && (statbuf.st_mode & 020) != 0 /* group writeable */
2296 ) || /* or */
2297 (statbuf.st_mode & 2) != 0) /* world writeable */
2298 {
2299 f.trusted_config = FALSE;
2300 fclose(trust_list);
2301 }
2302 else
2303 {
2304 /* Well, the trust list at least is up to scratch... */
2305 void *reset_point = store_get(0);
2306 uschar *trusted_configs[32];
2307 int nr_configs = 0;
2308 int i = 0;
2309
2310 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2311 {
2312 uschar *start = big_buffer, *nl;
2313 while (*start && isspace(*start))
2314 start++;
2315 if (*start != '/')
2316 continue;
2317 nl = Ustrchr(start, '\n');
2318 if (nl)
2319 *nl = 0;
2320 trusted_configs[nr_configs++] = string_copy(start);
2321 if (nr_configs == 32)
2322 break;
2323 }
2324 fclose(trust_list);
2325
2326 if (nr_configs)
2327 {
2328 int sep = 0;
2329 const uschar *list = argrest;
2330 uschar *filename;
2331 while (f.trusted_config && (filename = string_nextinlist(&list,
2332 &sep, big_buffer, big_buffer_size)) != NULL)
2333 {
2334 for (i=0; i < nr_configs; i++)
2335 {
2336 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2337 break;
2338 }
2339 if (i == nr_configs)
2340 {
2341 f.trusted_config = FALSE;
2342 break;
2343 }
2344 }
2345 store_reset(reset_point);
2346 }
2347 else
2348 {
2349 /* No valid prefixes found in trust_list file. */
2350 f.trusted_config = FALSE;
2351 }
2352 }
2353 }
2354 else
2355 {
2356 /* Could not open trust_list file. */
2357 f.trusted_config = FALSE;
2358 }
2359 }
2360 #else
2361 /* Not root; don't trust config */
2362 f.trusted_config = FALSE;
2363 #endif
2364 }
2365
2366 config_main_filelist = argrest;
2367 f.config_changed = TRUE;
2368 }
2369 break;
2370
2371
2372 /* -D: set up a macro definition */
2373
2374 case 'D':
2375 #ifdef DISABLE_D_OPTION
2376 exim_fail("exim: -D is not available in this Exim binary\n");
2377 #else
2378 {
2379 int ptr = 0;
2380 macro_item *m;
2381 uschar name[24];
2382 uschar *s = argrest;
2383
2384 opt_D_used = TRUE;
2385 while (isspace(*s)) s++;
2386
2387 if (*s < 'A' || *s > 'Z')
2388 exim_fail("exim: macro name set by -D must start with "
2389 "an upper case letter\n");
2390
2391 while (isalnum(*s) || *s == '_')
2392 {
2393 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2394 s++;
2395 }
2396 name[ptr] = 0;
2397 if (ptr == 0) { badarg = TRUE; break; }
2398 while (isspace(*s)) s++;
2399 if (*s != 0)
2400 {
2401 if (*s++ != '=') { badarg = TRUE; break; }
2402 while (isspace(*s)) s++;
2403 }
2404
2405 for (m = macros_user; m; m = m->next)
2406 if (Ustrcmp(m->name, name) == 0)
2407 exim_fail("exim: duplicated -D in command line\n");
2408
2409 m = macro_create(name, s, TRUE);
2410
2411 if (clmacro_count >= MAX_CLMACROS)
2412 exim_fail("exim: too many -D options on command line\n");
2413 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2414 m->replacement);
2415 }
2416 #endif
2417 break;
2418
2419 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2420 The latter is now a no-op, retained for compatibility only. If -dd is used,
2421 debugging subprocesses of the daemon is disabled. */
2422
2423 case 'd':
2424 if (Ustrcmp(argrest, "ropcr") == 0)
2425 {
2426 /* drop_cr = TRUE; */
2427 }
2428
2429 /* Use an intermediate variable so that we don't set debugging while
2430 decoding the debugging bits. */
2431
2432 else
2433 {
2434 unsigned int selector = D_default;
2435 debug_selector = 0;
2436 debug_file = NULL;
2437 if (*argrest == 'd')
2438 {
2439 f.debug_daemon = TRUE;
2440 argrest++;
2441 }
2442 if (*argrest != 0)
2443 decode_bits(&selector, 1, debug_notall, argrest,
2444 debug_options, debug_options_count, US"debug", 0);
2445 debug_selector = selector;
2446 }
2447 break;
2448
2449
2450 /* -E: This is a local error message. This option is not intended for
2451 external use at all, but is not restricted to trusted callers because it
2452 does no harm (just suppresses certain error messages) and if Exim is run
2453 not setuid root it won't always be trusted when it generates error
2454 messages using this option. If there is a message id following -E, point
2455 message_reference at it, for logging. */
2456
2457 case 'E':
2458 f.local_error_message = TRUE;
2459 if (mac_ismsgid(argrest)) message_reference = argrest;
2460 break;
2461
2462
2463 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2464 option, so it looks as if historically the -oex options are also callable
2465 without the leading -o. So we have to accept them. Before the switch,
2466 anything starting -oe has been converted to -e. Exim does not support all
2467 of the sendmail error options. */
2468
2469 case 'e':
2470 if (Ustrcmp(argrest, "e") == 0)
2471 {
2472 arg_error_handling = ERRORS_SENDER;
2473 errors_sender_rc = EXIT_SUCCESS;
2474 }
2475 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2476 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2477 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2478 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2479 else badarg = TRUE;
2480 break;
2481
2482
2483 /* -F: Set sender's full name, used instead of the gecos entry from
2484 the password file. Since users can usually alter their gecos entries,
2485 there's no security involved in using this instead. The data can follow
2486 the -F or be in the next argument. */
2487
2488 case 'F':
2489 if (*argrest == 0)
2490 {
2491 if(++i < argc) argrest = argv[i]; else
2492 { badarg = TRUE; break; }
2493 }
2494 originator_name = argrest;
2495 f.sender_name_forced = TRUE;
2496 break;
2497
2498
2499 /* -f: Set sender's address - this value is only actually used if Exim is
2500 run by a trusted user, or if untrusted_set_sender is set and matches the
2501 address, except that the null address can always be set by any user. The
2502 test for this happens later, when the value given here is ignored when not
2503 permitted. For an untrusted user, the actual sender is still put in Sender:
2504 if it doesn't match the From: header (unless no_local_from_check is set).
2505 The data can follow the -f or be in the next argument. The -r switch is an
2506 obsolete form of -f but since there appear to be programs out there that
2507 use anything that sendmail has ever supported, better accept it - the
2508 synonymizing is done before the switch above.
2509
2510 At this stage, we must allow domain literal addresses, because we don't
2511 know what the setting of allow_domain_literals is yet. Ditto for trailing
2512 dots and strip_trailing_dot. */
2513
2514 case 'f':
2515 {
2516 int dummy_start, dummy_end;
2517 uschar *errmess;
2518 if (*argrest == 0)
2519 {
2520 if (i+1 < argc) argrest = argv[++i]; else
2521 { badarg = TRUE; break; }
2522 }
2523 if (*argrest == 0)
2524 sender_address = string_sprintf(""); /* Ensure writeable memory */
2525 else
2526 {
2527 uschar *temp = argrest + Ustrlen(argrest) - 1;
2528 while (temp >= argrest && isspace(*temp)) temp--;
2529 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2530 allow_domain_literals = TRUE;
2531 strip_trailing_dot = TRUE;
2532 #ifdef SUPPORT_I18N
2533 allow_utf8_domains = TRUE;
2534 #endif
2535 sender_address = parse_extract_address(argrest, &errmess,
2536 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
2537 #ifdef SUPPORT_I18N
2538 message_smtputf8 = string_is_utf8(sender_address);
2539 allow_utf8_domains = FALSE;
2540 #endif
2541 allow_domain_literals = FALSE;
2542 strip_trailing_dot = FALSE;
2543 if (!sender_address)
2544 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
2545 }
2546 f.sender_address_forced = TRUE;
2547 }
2548 break;
2549
2550 /* -G: sendmail invocation to specify that it's a gateway submission and
2551 sendmail may complain about problems instead of fixing them.
2552 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2553 not at this time complain about problems. */
2554
2555 case 'G':
2556 flag_G = TRUE;
2557 break;
2558
2559 /* -h: Set the hop count for an incoming message. Exim does not currently
2560 support this; it always computes it by counting the Received: headers.
2561 To put it in will require a change to the spool header file format. */
2562
2563 case 'h':
2564 if (*argrest == 0)
2565 {
2566 if(++i < argc) argrest = argv[i]; else
2567 { badarg = TRUE; break; }
2568 }
2569 if (!isdigit(*argrest)) badarg = TRUE;
2570 break;
2571
2572
2573 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2574 not to be documented for sendmail but mailx (at least) uses it) */
2575
2576 case 'i':
2577 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
2578 break;
2579
2580
2581 /* -L: set the identifier used for syslog; equivalent to setting
2582 syslog_processname in the config file, but needs to be an admin option. */
2583
2584 case 'L':
2585 if (*argrest == '\0')
2586 {
2587 if(++i < argc) argrest = argv[i]; else
2588 { badarg = TRUE; break; }
2589 }
2590 if ((sz = Ustrlen(argrest)) > 32)
2591 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
2592 if (sz < 1)
2593 exim_fail("exim: the -L syslog name is too short\n");
2594 cmdline_syslog_name = argrest;
2595 break;
2596
2597 case 'M':
2598 receiving_message = FALSE;
2599
2600 /* -MC: continue delivery of another message via an existing open
2601 file descriptor. This option is used for an internal call by the
2602 smtp transport when there is a pending message waiting to go to an
2603 address to which it has got a connection. Five subsequent arguments are
2604 required: transport name, host name, IP address, sequence number, and
2605 message_id. Transports may decline to create new processes if the sequence
2606 number gets too big. The channel is stdin. This (-MC) must be the last
2607 argument. There's a subsequent check that the real-uid is privileged.
2608
2609 If we are running in the test harness. delay for a bit, to let the process
2610 that set this one up complete. This makes for repeatability of the logging,
2611 etc. output. */
2612
2613 if (Ustrcmp(argrest, "C") == 0)
2614 {
2615 union sockaddr_46 interface_sock;
2616 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2617
2618 if (argc != i + 6)
2619 exim_fail("exim: too many or too few arguments after -MC\n");
2620
2621 if (msg_action_arg >= 0)
2622 exim_fail("exim: incompatible arguments\n");
2623
2624 continue_transport = argv[++i];
2625 continue_hostname = argv[++i];
2626 continue_host_address = argv[++i];
2627 continue_sequence = Uatoi(argv[++i]);
2628 msg_action = MSG_DELIVER;
2629 msg_action_arg = ++i;
2630 forced_delivery = TRUE;
2631 queue_run_pid = passed_qr_pid;
2632 queue_run_pipe = passed_qr_pipe;
2633
2634 if (!mac_ismsgid(argv[i]))
2635 exim_fail("exim: malformed message id %s after -MC option\n",
2636 argv[i]);
2637
2638 /* Set up $sending_ip_address and $sending_port, unless proxied */
2639
2640 if (!continue_proxy_cipher)
2641 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2642 &size) == 0)
2643 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2644 &sending_port);
2645 else
2646 exim_fail("exim: getsockname() failed after -MC option: %s\n",
2647 strerror(errno));
2648
2649 if (f.running_in_test_harness) millisleep(500);
2650 break;
2651 }
2652
2653 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2654 {
2655 switch(argrest[1])
2656 {
2657 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2658 precedes -MC (see above). The flag indicates that the host to which
2659 Exim is connected has accepted an AUTH sequence. */
2660
2661 case 'A': f.smtp_authenticated = TRUE; break;
2662
2663 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2664 that exim is connected to supports the esmtp extension DSN */
2665
2666 case 'D': smtp_peer_options |= OPTION_DSN; break;
2667
2668 /* -MCG: set the queue name, to a non-default value */
2669
2670 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2671 else badarg = TRUE;
2672 break;
2673
2674 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2675
2676 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
2677
2678 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2679 it preceded -MC (see above) */
2680
2681 case 'P': smtp_peer_options |= OPTION_PIPE; break;
2682
2683 /* -MCQ: pass on the pid of the queue-running process that started
2684 this chain of deliveries and the fd of its synchronizing pipe; this
2685 is useful only when it precedes -MC (see above) */
2686
2687 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2688 else badarg = TRUE;
2689 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2690 else badarg = TRUE;
2691 break;
2692
2693 /* -MCS: set the smtp_use_size flag; this is useful only when it
2694 precedes -MC (see above) */
2695
2696 case 'S': smtp_peer_options |= OPTION_SIZE; break;
2697
2698 #ifdef SUPPORT_TLS
2699 /* -MCt: similar to -MCT below but the connection is still open
2700 via a proxy proces which handles the TLS context and coding.
2701 Require three arguments for the proxied local address and port,
2702 and the TLS cipher. */
2703
2704 case 't': if (++i < argc) sending_ip_address = argv[i];
2705 else badarg = TRUE;
2706 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2707 else badarg = TRUE;
2708 if (++i < argc) continue_proxy_cipher = argv[i];
2709 else badarg = TRUE;
2710 /*FALLTHROUGH*/
2711
2712 /* -MCT: set the tls_offered flag; this is useful only when it
2713 precedes -MC (see above). The flag indicates that the host to which
2714 Exim is connected has offered TLS support. */
2715
2716 case 'T': smtp_peer_options |= OPTION_TLS; break;
2717 #endif
2718
2719 default: badarg = TRUE; break;
2720 }
2721 break;
2722 }
2723
2724 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
2725 /* -MS set REQUIRETLS on (new) message */
2726
2727 else if (*argrest == 'S')
2728 {
2729 tls_requiretls |= REQUIRETLS_MSG;
2730 break;
2731 }
2732 #endif
2733
2734 /* -M[x]: various operations on the following list of message ids:
2735 -M deliver the messages, ignoring next retry times and thawing
2736 -Mc deliver the messages, checking next retry times, no thawing
2737 -Mf freeze the messages
2738 -Mg give up on the messages
2739 -Mt thaw the messages
2740 -Mrm remove the messages
2741 In the above cases, this must be the last option. There are also the
2742 following options which are followed by a single message id, and which
2743 act on that message. Some of them use the "recipient" addresses as well.
2744 -Mar add recipient(s)
2745 -Mmad mark all recipients delivered
2746 -Mmd mark recipients(s) delivered
2747 -Mes edit sender
2748 -Mset load a message for use with -be
2749 -Mvb show body
2750 -Mvc show copy (of whole message, in RFC 2822 format)
2751 -Mvh show header
2752 -Mvl show log
2753 */
2754
2755 else if (*argrest == 0)
2756 {
2757 msg_action = MSG_DELIVER;
2758 forced_delivery = f.deliver_force_thaw = TRUE;
2759 }
2760 else if (Ustrcmp(argrest, "ar") == 0)
2761 {
2762 msg_action = MSG_ADD_RECIPIENT;
2763 one_msg_action = TRUE;
2764 }
2765 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2766 else if (Ustrcmp(argrest, "es") == 0)
2767 {
2768 msg_action = MSG_EDIT_SENDER;
2769 one_msg_action = TRUE;
2770 }
2771 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2772 else if (Ustrcmp(argrest, "g") == 0)
2773 {
2774 msg_action = MSG_DELIVER;
2775 deliver_give_up = TRUE;
2776 }
2777 else if (Ustrcmp(argrest, "mad") == 0)
2778 {
2779 msg_action = MSG_MARK_ALL_DELIVERED;
2780 }
2781 else if (Ustrcmp(argrest, "md") == 0)
2782 {
2783 msg_action = MSG_MARK_DELIVERED;
2784 one_msg_action = TRUE;
2785 }
2786 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2787 else if (Ustrcmp(argrest, "set") == 0)
2788 {
2789 msg_action = MSG_LOAD;
2790 one_msg_action = TRUE;
2791 }
2792 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2793 else if (Ustrcmp(argrest, "vb") == 0)
2794 {
2795 msg_action = MSG_SHOW_BODY;
2796 one_msg_action = TRUE;
2797 }
2798 else if (Ustrcmp(argrest, "vc") == 0)
2799 {
2800 msg_action = MSG_SHOW_COPY;
2801 one_msg_action = TRUE;
2802 }
2803 else if (Ustrcmp(argrest, "vh") == 0)
2804 {
2805 msg_action = MSG_SHOW_HEADER;
2806 one_msg_action = TRUE;
2807 }
2808 else if (Ustrcmp(argrest, "vl") == 0)
2809 {
2810 msg_action = MSG_SHOW_LOG;
2811 one_msg_action = TRUE;
2812 }
2813 else { badarg = TRUE; break; }
2814
2815 /* All the -Mxx options require at least one message id. */
2816
2817 msg_action_arg = i + 1;
2818 if (msg_action_arg >= argc)
2819 exim_fail("exim: no message ids given after %s option\n", arg);
2820
2821 /* Some require only message ids to follow */
2822
2823 if (!one_msg_action)
2824 {
2825 int j;
2826 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2827 exim_fail("exim: malformed message id %s after %s option\n",
2828 argv[j], arg);
2829 goto END_ARG; /* Remaining args are ids */
2830 }
2831
2832 /* Others require only one message id, possibly followed by addresses,
2833 which will be handled as normal arguments. */
2834
2835 else
2836 {
2837 if (!mac_ismsgid(argv[msg_action_arg]))
2838 exim_fail("exim: malformed message id %s after %s option\n",
2839 argv[msg_action_arg], arg);
2840 i++;
2841 }
2842 break;
2843
2844
2845 /* Some programs seem to call the -om option without the leading o;
2846 for sendmail it askes for "me too". Exim always does this. */
2847
2848 case 'm':
2849 if (*argrest != 0) badarg = TRUE;
2850 break;
2851
2852
2853 /* -N: don't do delivery - a debugging option that stops transports doing
2854 their thing. It implies debugging at the D_v level. */
2855
2856 case 'N':
2857 if (*argrest == 0)
2858 {
2859 f.dont_deliver = TRUE;
2860 debug_selector |= D_v;
2861 debug_file = stderr;
2862 }
2863 else badarg = TRUE;
2864 break;
2865
2866
2867 /* -n: This means "don't alias" in sendmail, apparently.
2868 For normal invocations, it has no effect.
2869 It may affect some other options. */
2870
2871 case 'n':
2872 flag_n = TRUE;
2873 break;
2874
2875 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2876 option to the specified value. This form uses long names. We need to handle
2877 -O option=value and -Ooption=value. */
2878
2879 case 'O':
2880 if (*argrest == 0)
2881 {
2882 if (++i >= argc)
2883 exim_fail("exim: string expected after -O\n");
2884 }
2885 break;
2886
2887 case 'o':
2888
2889 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2890 file" option). */
2891
2892 if (*argrest == 'A')
2893 {
2894 alias_arg = argrest + 1;
2895 if (alias_arg[0] == 0)
2896 {
2897 if (i+1 < argc) alias_arg = argv[++i]; else
2898 exim_fail("exim: string expected after -oA\n");
2899 }
2900 }
2901
2902 /* -oB: Set a connection message max value for remote deliveries */
2903
2904 else if (*argrest == 'B')
2905 {
2906 uschar *p = argrest + 1;
2907 if (p[0] == 0)
2908 {
2909 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2910 {
2911 connection_max_messages = 1;
2912 p = NULL;
2913 }
2914 }
2915
2916 if (p != NULL)
2917 {
2918 if (!isdigit(*p))
2919 exim_fail("exim: number expected after -oB\n");
2920 connection_max_messages = Uatoi(p);
2921 }
2922 }
2923
2924 /* -odb: background delivery */
2925
2926 else if (Ustrcmp(argrest, "db") == 0)
2927 {
2928 f.synchronous_delivery = FALSE;
2929 arg_queue_only = FALSE;
2930 queue_only_set = TRUE;
2931 }
2932
2933 /* -odf: foreground delivery (smail-compatible option); same effect as
2934 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2935 */
2936
2937 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2938 {
2939 f.synchronous_delivery = TRUE;
2940 arg_queue_only = FALSE;
2941 queue_only_set = TRUE;
2942 }
2943
2944 /* -odq: queue only */
2945
2946 else if (Ustrcmp(argrest, "dq") == 0)
2947 {
2948 f.synchronous_delivery = FALSE;
2949 arg_queue_only = TRUE;
2950 queue_only_set = TRUE;
2951 }
2952
2953 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2954 but no remote delivery */
2955
2956 else if (Ustrcmp(argrest, "dqs") == 0)
2957 {
2958 f.queue_smtp = TRUE;
2959 arg_queue_only = FALSE;
2960 queue_only_set = TRUE;
2961 }
2962
2963 /* -oex: Sendmail error flags. As these are also accepted without the
2964 leading -o prefix, for compatibility with vacation and other callers,
2965 they are handled with -e above. */
2966
2967 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2968 -oitrue: Another sendmail syntax for the same */
2969
2970 else if (Ustrcmp(argrest, "i") == 0 ||
2971 Ustrcmp(argrest, "itrue") == 0)
2972 f.dot_ends = FALSE;
2973
2974 /* -oM*: Set various characteristics for an incoming message; actually
2975 acted on for trusted callers only. */
2976
2977 else if (*argrest == 'M')
2978 {
2979 if (i+1 >= argc)
2980 exim_fail("exim: data expected after -o%s\n", argrest);
2981
2982 /* -oMa: Set sender host address */
2983
2984 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2985
2986 /* -oMaa: Set authenticator name */
2987
2988 else if (Ustrcmp(argrest, "Maa") == 0)
2989 sender_host_authenticated = argv[++i];
2990
2991 /* -oMas: setting authenticated sender */
2992
2993 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2994
2995 /* -oMai: setting authenticated id */
2996
2997 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2998
2999 /* -oMi: Set incoming interface address */
3000
3001 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
3002
3003 /* -oMm: Message reference */
3004
3005 else if (Ustrcmp(argrest, "Mm") == 0)
3006 {
3007 if (!mac_ismsgid(argv[i+1]))
3008 exim_fail("-oMm must be a valid message ID\n");
3009 if (!f.trusted_config)
3010 exim_fail("-oMm must be called by a trusted user/config\n");
3011 message_reference = argv[++i];
3012 }
3013
3014 /* -oMr: Received protocol */
3015
3016 else if (Ustrcmp(argrest, "Mr") == 0)
3017
3018 if (received_protocol)
3019 exim_fail("received_protocol is set already\n");
3020 else
3021 received_protocol = argv[++i];
3022
3023 /* -oMs: Set sender host name */
3024
3025 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3026
3027 /* -oMt: Set sender ident */
3028
3029 else if (Ustrcmp(argrest, "Mt") == 0)
3030 {
3031 sender_ident_set = TRUE;
3032 sender_ident = argv[++i];
3033 }
3034
3035 /* Else a bad argument */
3036
3037 else
3038 {
3039 badarg = TRUE;
3040 break;
3041 }
3042 }
3043
3044 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3045 seem to call this as -m (undocumented), so that is also accepted (see
3046 above). */
3047
3048 else if (Ustrcmp(argrest, "m") == 0) {}
3049
3050 /* -oo: An ancient flag for old-style addresses which still seems to
3051 crop up in some calls (see in SCO). */
3052
3053 else if (Ustrcmp(argrest, "o") == 0) {}
3054
3055 /* -oP <name>: set pid file path for daemon */
3056
3057 else if (Ustrcmp(argrest, "P") == 0)
3058 override_pid_file_path = argv[++i];
3059
3060 /* -or <n>: set timeout for non-SMTP acceptance
3061 -os <n>: set timeout for SMTP acceptance */
3062
3063 else if (*argrest == 'r' || *argrest == 's')
3064 {
3065 int *tp = (*argrest == 'r')?
3066 &arg_receive_timeout : &arg_smtp_receive_timeout;
3067 if (argrest[1] == 0)
3068 {
3069 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3070 }
3071 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3072 if (*tp < 0)
3073 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3074 }
3075
3076 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3077
3078 else if (Ustrcmp(argrest, "X") == 0)
3079 override_local_interfaces = argv[++i];
3080
3081 /* Unknown -o argument */
3082
3083 else badarg = TRUE;
3084 break;
3085
3086
3087 /* -ps: force Perl startup; -pd force delayed Perl startup */
3088
3089 case 'p':
3090 #ifdef EXIM_PERL
3091 if (*argrest == 's' && argrest[1] == 0)
3092 {
3093 perl_start_option = 1;
3094 break;
3095 }
3096 if (*argrest == 'd' && argrest[1] == 0)
3097 {
3098 perl_start_option = -1;
3099 break;
3100 }
3101 #endif
3102
3103 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3104 which sets the host protocol and host name */
3105
3106 if (*argrest == 0)
3107 if (i+1 < argc)
3108 argrest = argv[++i];
3109 else
3110 { badarg = TRUE; break; }
3111
3112 if (*argrest != 0)
3113 {
3114 uschar *hn;
3115
3116 if (received_protocol)
3117 exim_fail("received_protocol is set already\n");
3118
3119 hn = Ustrchr(argrest, ':');
3120 if (hn == NULL)
3121 received_protocol = argrest;
3122 else
3123 {
3124 int old_pool = store_pool;
3125 store_pool = POOL_PERM;
3126 received_protocol = string_copyn(argrest, hn - argrest);
3127 store_pool = old_pool;
3128 sender_host_name = hn + 1;
3129 }
3130 }
3131 break;
3132
3133
3134 case 'q':
3135 receiving_message = FALSE;
3136 if (queue_interval >= 0)
3137 exim_fail("exim: -q specified more than once\n");
3138
3139 /* -qq...: Do queue runs in a 2-stage manner */
3140
3141 if (*argrest == 'q')
3142 {
3143 f.queue_2stage = TRUE;
3144 argrest++;
3145 }
3146
3147 /* -qi...: Do only first (initial) deliveries */
3148
3149 if (*argrest == 'i')
3150 {
3151 f.queue_run_first_delivery = TRUE;
3152 argrest++;
3153 }
3154
3155 /* -qf...: Run the queue, forcing deliveries
3156 -qff..: Ditto, forcing thawing as well */
3157
3158 if (*argrest == 'f')
3159 {
3160 f.queue_run_force = TRUE;
3161 if (*++argrest == 'f')
3162 {
3163 f.deliver_force_thaw = TRUE;
3164 argrest++;
3165 }
3166 }
3167
3168 /* -q[f][f]l...: Run the queue only on local deliveries */
3169
3170 if (*argrest == 'l')
3171 {
3172 f.queue_run_local = TRUE;
3173 argrest++;
3174 }
3175
3176 /* -q[f][f][l][G<name>]... Work on the named queue */
3177
3178 if (*argrest == 'G')
3179 {
3180 int i;
3181 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3182 queue_name = string_copyn(argrest, i);
3183 argrest += i;
3184 if (*argrest == '/') argrest++;
3185 }
3186
3187 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3188 only, optionally named, optionally starting from a given message id. */
3189
3190 if (*argrest == 0 &&
3191 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3192 {
3193 queue_interval = 0;
3194 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3195 start_queue_run_id = argv[++i];
3196 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3197 stop_queue_run_id = argv[++i];
3198 }
3199
3200 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3201 forced, optionally local only, optionally named. */
3202
3203 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3204 0, FALSE)) <= 0)
3205 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3206 break;
3207
3208
3209 case 'R': /* Synonymous with -qR... */
3210 receiving_message = FALSE;
3211
3212 /* -Rf: As -R (below) but force all deliveries,
3213 -Rff: Ditto, but also thaw all frozen messages,
3214 -Rr: String is regex
3215 -Rrf: Regex and force
3216 -Rrff: Regex and force and thaw
3217
3218 in all cases provided there are no further characters in this
3219 argument. */
3220
3221 if (*argrest != 0)
3222 {
3223 int i;
3224 for (i = 0; i < nelem(rsopts); i++)
3225 if (Ustrcmp(argrest, rsopts[i]) == 0)
3226 {
3227 if (i != 2) f.queue_run_force = TRUE;
3228 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3229 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3230 argrest += Ustrlen(rsopts[i]);
3231 }
3232 }
3233
3234 /* -R: Set string to match in addresses for forced queue run to
3235 pick out particular messages. */
3236
3237 if (*argrest)
3238 deliver_selectstring = argrest;
3239 else if (i+1 < argc)
3240 deliver_selectstring = argv[++i];
3241 else
3242 exim_fail("exim: string expected after -R\n");
3243 break;
3244
3245
3246 /* -r: an obsolete synonym for -f (see above) */
3247
3248
3249 /* -S: Like -R but works on sender. */
3250
3251 case 'S': /* Synonymous with -qS... */
3252 receiving_message = FALSE;
3253
3254 /* -Sf: As -S (below) but force all deliveries,
3255 -Sff: Ditto, but also thaw all frozen messages,
3256 -Sr: String is regex
3257 -Srf: Regex and force
3258 -Srff: Regex and force and thaw
3259
3260 in all cases provided there are no further characters in this
3261 argument. */
3262
3263 if (*argrest)
3264 {
3265 int i;
3266 for (i = 0; i < nelem(rsopts); i++)
3267 if (Ustrcmp(argrest, rsopts[i]) == 0)
3268 {
3269 if (i != 2) f.queue_run_force = TRUE;
3270 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3271 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3272 argrest += Ustrlen(rsopts[i]);
3273 }
3274 }
3275
3276 /* -S: Set string to match in addresses for forced queue run to
3277 pick out particular messages. */
3278
3279 if (*argrest)
3280 deliver_selectstring_sender = argrest;
3281 else if (i+1 < argc)
3282 deliver_selectstring_sender = argv[++i];
3283 else
3284 exim_fail("exim: string expected after -S\n");
3285 break;
3286
3287 /* -Tqt is an option that is exclusively for use by the testing suite.
3288 It is not recognized in other circumstances. It allows for the setting up
3289 of explicit "queue times" so that various warning/retry things can be
3290 tested. Otherwise variability of clock ticks etc. cause problems. */
3291
3292 case 'T':
3293 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3294 fudged_queue_times = argv[++i];
3295 else badarg = TRUE;
3296 break;
3297
3298
3299 /* -t: Set flag to extract recipients from body of message. */
3300
3301 case 't':
3302 if (*argrest == 0) extract_recipients = TRUE;
3303
3304 /* -ti: Set flag to extract recipients from body of message, and also
3305 specify that dot does not end the message. */
3306
3307 else if (Ustrcmp(argrest, "i") == 0)
3308 {
3309 extract_recipients = TRUE;
3310 f.dot_ends = FALSE;
3311 }
3312
3313 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3314
3315 #ifdef SUPPORT_TLS
3316 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
3317 #endif
3318
3319 else badarg = TRUE;
3320 break;
3321
3322
3323 /* -U: This means "initial user submission" in sendmail, apparently. The
3324 doc claims that in future sendmail may refuse syntactically invalid
3325 messages instead of fixing them. For the moment, we just ignore it. */
3326
3327 case 'U':
3328 break;
3329
3330
3331 /* -v: verify things - this is a very low-level debugging */
3332
3333 case 'v':
3334 if (*argrest == 0)
3335 {
3336 debug_selector |= D_v;
3337 debug_file = stderr;
3338 }
3339 else badarg = TRUE;
3340 break;
3341
3342
3343 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3344
3345 The -x flag tells the sendmail command that mail from a local
3346 mail program has National Language Support (NLS) extended characters
3347 in the body of the mail item. The sendmail command can send mail with
3348 extended NLS characters across networks that normally corrupts these
3349 8-bit characters.
3350
3351 As Exim is 8-bit clean, it just ignores this flag. */
3352
3353 case 'x':
3354 if (*argrest != 0) badarg = TRUE;
3355 break;
3356
3357 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3358 logs to that file. We swallow the parameter and otherwise ignore it. */
3359
3360 case 'X':
3361 if (*argrest == '\0')
3362 if (++i >= argc)
3363 exim_fail("exim: string expected after -X\n");
3364 break;
3365
3366 case 'z':
3367 if (*argrest == '\0')
3368 if (++i < argc)
3369 log_oneline = argv[i];
3370 else
3371 exim_fail("exim: file name expected after %s\n", argv[i-1]);
3372 break;
3373
3374 /* All other initial characters are errors */
3375
3376 default:
3377 badarg = TRUE;
3378 break;
3379 } /* End of high-level switch statement */
3380
3381 /* Failed to recognize the option, or syntax error */
3382
3383 if (badarg)
3384 exim_fail("exim abandoned: unknown, malformed, or incomplete "
3385 "option %s\n", arg);
3386 }
3387
3388
3389 /* If -R or -S have been specified without -q, assume a single queue run. */
3390
3391 if ( (deliver_selectstring || deliver_selectstring_sender)
3392 && queue_interval < 0)
3393 queue_interval = 0;
3394
3395
3396 END_ARG:
3397 /* If usage_wanted is set we call the usage function - which never returns */
3398 if (usage_wanted) exim_usage(called_as);
3399
3400 /* Arguments have been processed. Check for incompatibilities. */
3401 if ((
3402 (smtp_input || extract_recipients || recipients_arg < argc) &&
3403 (f.daemon_listen || queue_interval >= 0 || bi_option ||
3404 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3405 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3406 ) ||
3407 (
3408 msg_action_arg > 0 &&
3409 (f.daemon_listen || queue_interval > 0 || list_options ||
3410 (checking && msg_action != MSG_LOAD) ||
3411 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3412 ) ||
3413 (
3414 (f.daemon_listen || queue_interval > 0) &&
3415 (sender_address != NULL || list_options || list_queue || checking ||
3416 bi_option)
3417 ) ||
3418 (
3419 f.daemon_listen && queue_interval == 0
3420 ) ||
3421 (
3422 f.inetd_wait_mode && queue_interval >= 0
3423 ) ||
3424 (
3425 list_options &&
3426 (checking || smtp_input || extract_recipients ||
3427 filter_test != FTEST_NONE || bi_option)
3428 ) ||
3429 (
3430 verify_address_mode &&
3431 (f.address_test_mode || smtp_input || extract_recipients ||
3432 filter_test != FTEST_NONE || bi_option)
3433 ) ||
3434 (
3435 f.address_test_mode && (smtp_input || extract_recipients ||
3436 filter_test != FTEST_NONE || bi_option)
3437 ) ||
3438 (
3439 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3440 extract_recipients)
3441 ) ||
3442 (
3443 deliver_selectstring != NULL && queue_interval < 0
3444 ) ||
3445 (
3446 msg_action == MSG_LOAD &&
3447 (!expansion_test || expansion_test_message != NULL)
3448 )
3449 )
3450 exim_fail("exim: incompatible command-line options or arguments\n");
3451
3452 /* If debugging is set up, set the file and the file descriptor to pass on to
3453 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3454 to run in the foreground. */
3455
3456 if (debug_selector != 0)
3457 {
3458 debug_file = stderr;
3459 debug_fd = fileno(debug_file);
3460 f.background_daemon = FALSE;
3461 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
3462 if (debug_selector != D_v) /* -v only doesn't show this */
3463 {
3464 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3465 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3466 debug_selector);
3467 if (!version_printed)
3468 show_whats_supported(stderr);
3469 }
3470 }
3471
3472 /* When started with root privilege, ensure that the limits on the number of
3473 open files and the number of processes (where that is accessible) are
3474 sufficiently large, or are unset, in case Exim has been called from an
3475 environment where the limits are screwed down. Not all OS have the ability to
3476 change some of these limits. */
3477
3478 if (unprivileged)
3479 {
3480 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3481 }
3482 else
3483 {
3484 struct rlimit rlp;
3485
3486 #ifdef RLIMIT_NOFILE
3487 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3488 {
3489 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3490 strerror(errno));
3491 rlp.rlim_cur = rlp.rlim_max = 0;
3492 }
3493
3494 /* I originally chose 1000 as a nice big number that was unlikely to
3495 be exceeded. It turns out that some older OS have a fixed upper limit of
3496 256. */
3497
3498 if (rlp.rlim_cur < 1000)
3499 {
3500 rlp.rlim_cur = rlp.rlim_max = 1000;
3501 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3502 {
3503 rlp.rlim_cur = rlp.rlim_max = 256;
3504 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3505 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3506 strerror(errno));
3507 }
3508 }
3509 #endif
3510
3511 #ifdef RLIMIT_NPROC
3512 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3513 {
3514 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3515 strerror(errno));
3516 rlp.rlim_cur = rlp.rlim_max = 0;
3517 }
3518
3519 #ifdef RLIM_INFINITY
3520 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3521 {
3522 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3523 #else
3524 if (rlp.rlim_cur < 1000)
3525 {
3526 rlp.rlim_cur = rlp.rlim_max = 1000;
3527 #endif
3528 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3529 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3530 strerror(errno));
3531 }
3532 #endif
3533 }
3534
3535 /* Exim is normally entered as root (but some special configurations are
3536 possible that don't do this). However, it always spins off sub-processes that
3537 set their uid and gid as required for local delivery. We don't want to pass on
3538 any extra groups that root may belong to, so we want to get rid of them all at
3539 this point.
3540
3541 We need to obey setgroups() at this stage, before possibly giving up root
3542 privilege for a changed configuration file, but later on we might need to
3543 check on the additional groups for the admin user privilege - can't do that
3544 till after reading the config, which might specify the exim gid. Therefore,
3545 save the group list here first. */
3546
3547 if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
3548 exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
3549
3550 /* There is a fundamental difference in some BSD systems in the matter of
3551 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3552 known not to be different. On the "different" systems there is a single group
3553 list, and the first entry in it is the current group. On all other versions of
3554 Unix there is a supplementary group list, which is in *addition* to the current
3555 group. Consequently, to get rid of all extraneous groups on a "standard" system
3556 you pass over 0 groups to setgroups(), while on a "different" system you pass
3557 over a single group - the current group, which is always the first group in the
3558 list. Calling setgroups() with zero groups on a "different" system results in
3559 an error return. The following code should cope with both types of system.
3560
3561 Unfortunately, recent MacOS, which should be a FreeBSD, "helpfully" succeeds
3562 the "setgroups() with zero groups" - and changes the egid.
3563 Thanks to that we had to stash the original_egid above, for use below
3564 in the call to exim_setugid().
3565
3566 However, if this process isn't running as root, setgroups() can't be used
3567 since you have to be root to run it, even if throwing away groups. Not being
3568 root here happens only in some unusual configurations. We just ignore the
3569 error. */
3570
3571 if (setgroups(0, NULL) != 0 && setgroups(1, group_list) != 0 && !unprivileged)
3572 exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
3573
3574 /* If the configuration file name has been altered by an argument on the
3575 command line (either a new file name or a macro definition) and the caller is
3576 not root, or if this is a filter testing run, remove any setuid privilege the
3577 program has and run as the underlying user.
3578
3579 The exim user is locked out of this, which severely restricts the use of -C
3580 for some purposes.
3581
3582 Otherwise, set the real ids to the effective values (should be root unless run
3583 from inetd, which it can either be root or the exim uid, if one is configured).
3584
3585 There is a private mechanism for bypassing some of this, in order to make it
3586 possible to test lots of configurations automatically, without having either to
3587 recompile each time, or to patch in an actual configuration file name and other
3588 values (such as the path name). If running in the test harness, pretend that
3589 configuration file changes and macro definitions haven't happened. */
3590
3591 if (( /* EITHER */
3592 (!f.trusted_config || /* Config changed, or */
3593 !macros_trusted(opt_D_used)) && /* impermissible macros and */
3594 real_uid != root_uid && /* Not root, and */
3595 !f.running_in_test_harness /* Not fudged */
3596 ) || /* OR */
3597 expansion_test /* expansion testing */
3598 || /* OR */
3599 filter_test != FTEST_NONE) /* Filter testing */
3600 {
3601 setgroups(group_count, group_list);
3602 exim_setugid(real_uid, real_gid, FALSE,
3603 US"-C, -D, -be or -bf forces real uid");
3604 removed_privilege = TRUE;
3605
3606 /* In the normal case when Exim is called like this, stderr is available
3607 and should be used for any logging information because attempts to write
3608 to the log will usually fail. To arrange this, we unset really_exim. However,
3609 if no stderr is available there is no point - we might as well have a go
3610 at the log (if it fails, syslog will be written).
3611
3612 Note that if the invoker is Exim, the logs remain available. Messing with
3613 this causes unlogged successful deliveries. */
3614
3615 if (log_stderr && real_uid != exim_uid)
3616 f.really_exim = FALSE;
3617 }
3618
3619 /* Privilege is to be retained for the moment. It may be dropped later,
3620 depending on the job that this Exim process has been asked to do. For now, set
3621 the real uid to the effective so that subsequent re-execs of Exim are done by a
3622 privileged user. */
3623
3624 else
3625 exim_setugid(geteuid(), original_egid, FALSE, US"forcing real = effective");
3626
3627 /* If testing a filter, open the file(s) now, before wasting time doing other
3628 setups and reading the message. */
3629
3630 if (filter_test & FTEST_SYSTEM)
3631 if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
3632 exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
3633 strerror(errno));
3634
3635 if (filter_test & FTEST_USER)
3636 if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
3637 exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
3638 strerror(errno));
3639
3640 /* Initialise lookup_list
3641 If debugging, already called above via version reporting.
3642 In either case, we initialise the list of available lookups while running
3643 as root. All dynamically modules are loaded from a directory which is
3644 hard-coded into the binary and is code which, if not a module, would be
3645 part of Exim already. Ability to modify the content of the directory
3646 is equivalent to the ability to modify a setuid binary!
3647
3648 This needs to happen before we read the main configuration. */
3649 init_lookup_list();
3650
3651 #ifdef SUPPORT_I18N
3652 if (f.running_in_test_harness) smtputf8_advertise_hosts = NULL;
3653 #endif
3654
3655 /* Read the main runtime configuration data; this gives up if there
3656 is a failure. It leaves the configuration file open so that the subsequent
3657 configuration data for delivery can be read if needed.
3658
3659 NOTE: immediatly after opening the configuration file we change the working
3660 directory to "/"! Later we change to $spool_directory. We do it there, because
3661 during readconf_main() some expansion takes place already. */
3662
3663 /* Store the initial cwd before we change directories. Can be NULL if the
3664 dir has already been unlinked. */
3665 initial_cwd = os_getcwd(NULL, 0);
3666
3667 /* checking:
3668 -be[m] expansion test -
3669 -b[fF] filter test new
3670 -bh[c] host test -
3671 -bmalware malware_test_file new
3672 -brt retry test new
3673 -brw rewrite test new
3674 -bt address test -
3675 -bv[s] address verify -
3676 list_options:
3677 -bP <option> (except -bP config, which sets list_config)
3678
3679 If any of these options is set, we suppress warnings about configuration
3680 issues (currently about tls_advertise_hosts and keep_environment not being
3681 defined) */
3682
3683 readconf_main(checking || list_options);
3684
3685
3686 /* Now in directory "/" */
3687
3688 if (cleanup_environment() == FALSE)
3689 log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
3690
3691
3692 /* If an action on specific messages is requested, or if a daemon or queue
3693 runner is being started, we need to know if Exim was called by an admin user.
3694 This is the case if the real user is root or exim, or if the real group is
3695 exim, or if one of the supplementary groups is exim or a group listed in
3696 admin_groups. We don't fail all message actions immediately if not admin_user,
3697 since some actions can be performed by non-admin users. Instead, set admin_user
3698 for later interrogation. */
3699
3700 if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3701 f.admin_user = TRUE;
3702 else
3703 {
3704 int i, j;
3705 for (i = 0; i < group_count && !f.admin_user; i++)
3706 if (group_list[i] == exim_gid)
3707 f.admin_user = TRUE;
3708 else if (admin_groups)
3709 for (j = 1; j <= (int)admin_groups[0] && !f.admin_user; j++)
3710 if (admin_groups[j] == group_list[i])
3711 f.admin_user = TRUE;
3712 }
3713
3714 /* Another group of privileged users are the trusted users. These are root,
3715 exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3716 are permitted to specify sender_addresses with -f on the command line, and
3717 other message parameters as well. */
3718
3719 if (real_uid == root_uid || real_uid == exim_uid)
3720 f.trusted_caller = TRUE;
3721 else
3722 {
3723 int i, j;
3724
3725 if (trusted_users)
3726 for (i = 1; i <= (int)trusted_users[0] && !f.trusted_caller; i++)
3727 if (trusted_users[i] == real_uid)
3728 f.trusted_caller = TRUE;
3729
3730 if (trusted_groups)
3731 for (i = 1; i <= (int)trusted_groups[0] && !f.trusted_caller; i++)
3732 if (trusted_groups[i] == real_gid)
3733 f.trusted_caller = TRUE;
3734 else for (j = 0; j < group_count && !f.trusted_caller; j++)
3735 if (trusted_groups[i] == group_list[j])
3736 f.trusted_caller = TRUE;
3737 }
3738
3739 /* At this point, we know if the user is privileged and some command-line
3740 options become possibly impermissible, depending upon the configuration file. */
3741
3742 if (checking && commandline_checks_require_admin && !f.admin_user)
3743 exim_fail("exim: those command-line flags are set to require admin\n");
3744
3745 /* Handle the decoding of logging options. */
3746
3747 decode_bits(log_selector, log_selector_size, log_notall,
3748 log_selector_string, log_options, log_options_count, US"log", 0);
3749
3750 DEBUG(D_any)
3751 {
3752 int i;
3753 debug_printf("configuration file is %s\n", config_main_filename);
3754 debug_printf("log selectors =");
3755 for (i = 0; i < log_selector_size; i++)
3756 debug_printf(" %08x", log_selector[i]);
3757 debug_printf("\n");
3758 }
3759
3760 /* If domain literals are not allowed, check the sender address that was
3761 supplied with -f. Ditto for a stripped trailing dot. */
3762
3763 if (sender_address)
3764 {
3765 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3766 exim_fail("exim: bad -f address \"%s\": domain literals not "
3767 "allowed\n", sender_address);
3768 if (f_end_dot && !strip_trailing_dot)
3769 exim_fail("exim: bad -f address \"%s.\": domain is malformed "
3770 "(trailing dot not allowed)\n", sender_address);
3771 }
3772
3773 /* See if an admin user overrode our logging. */
3774
3775 if (cmdline_syslog_name)
3776 if (f.admin_user)
3777 {
3778 syslog_processname = cmdline_syslog_name;
3779 log_file_path = string_copy(CUS"syslog");
3780 }
3781 else
3782 /* not a panic, non-privileged users should not be able to spam paniclog */
3783 exim_fail(
3784 "exim: you lack sufficient privilege to specify syslog process name\n");
3785
3786 /* Paranoia check of maximum lengths of certain strings. There is a check
3787 on the length of the log file path in log.c, which will come into effect
3788 if there are any calls to write the log earlier than this. However, if we
3789 get this far but the string is very long, it is better to stop now than to
3790 carry on and (e.g.) receive a message and then have to collapse. The call to
3791 log_write() from here will cause the ultimate panic collapse if the complete
3792 file name exceeds the buffer length. */
3793
3794 if (Ustrlen(log_file_path) > 200)
3795 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3796 "log_file_path is longer than 200 chars: aborting");
3797
3798 if (Ustrlen(pid_file_path) > 200)
3799 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3800 "pid_file_path is longer than 200 chars: aborting");
3801
3802 if (Ustrlen(spool_directory) > 200)
3803 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3804 "spool_directory is longer than 200 chars: aborting");
3805
3806 /* Length check on the process name given to syslog for its TAG field,
3807 which is only permitted to be 32 characters or less. See RFC 3164. */
3808
3809 if (Ustrlen(syslog_processname) > 32)
3810 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3811 "syslog_processname is longer than 32 chars: aborting");
3812
3813 if (log_oneline)
3814 if (f.admin_user)
3815 {
3816 log_write(0, LOG_MAIN, "%s", log_oneline);
3817 return EXIT_SUCCESS;
3818 }
3819 else
3820 return EXIT_FAILURE;
3821
3822 /* In some operating systems, the environment variable TMPDIR controls where
3823 temporary files are created; Exim doesn't use these (apart from when delivering
3824 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3825 If TMPDIR is found in the environment, reset it to the value defined in the
3826 EXIM_TMPDIR macro, if this macro is defined. For backward compatibility this
3827 macro may be called TMPDIR in old "Local/Makefile"s. It's converted to
3828 EXIM_TMPDIR by the build scripts.
3829 */
3830
3831 #ifdef EXIM_TMPDIR
3832 {
3833 uschar **p;
3834 if (environ) for (p = USS environ; *p; p++)
3835 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && Ustrcmp(*p+7, EXIM_TMPDIR) != 0)
3836 {
3837 uschar * newp = store_malloc(Ustrlen(EXIM_TMPDIR) + 8);
3838 sprintf(CS newp, "TMPDIR=%s", EXIM_TMPDIR);
3839 *p = newp;
3840 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", EXIM_TMPDIR);
3841 }
3842 }
3843 #endif
3844
3845 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3846 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3847 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3848 called by a user who has set the TZ variable. This then affects the timestamps
3849 in log files and in Received: headers, and any created Date: header lines. The
3850 required timezone is settable in the configuration file, so nothing can be done
3851 about this earlier - but hopefully nothing will normally be logged earlier than
3852 this. We have to make a new environment if TZ is wrong, but don't bother if
3853 timestamps_utc is set, because then all times are in UTC anyway. */
3854
3855 if (timezone_string && strcmpic(timezone_string, US"UTC") == 0)
3856 f.timestamps_utc = TRUE;
3857 else
3858 {
3859 uschar *envtz = US getenv("TZ");
3860 if (envtz
3861 ? !timezone_string || Ustrcmp(timezone_string, envtz) != 0
3862 : timezone_string != NULL
3863 )
3864 {
3865 uschar **p = USS environ;
3866 uschar **new;
3867 uschar **newp;
3868 int count = 0;
3869 if (environ) while (*p++) count++;
3870 if (!envtz) count++;
3871 newp = new = store_malloc(sizeof(uschar *) * (count + 1));
3872 if (environ) for (p = USS environ; *p; p++)
3873 if (Ustrncmp(*p, "TZ=", 3) != 0) *newp++ = *p;
3874 if (timezone_string)
3875 {
3876 *newp = store_malloc(Ustrlen(timezone_string) + 4);
3877 sprintf(CS *newp++, "TZ=%s", timezone_string);
3878 }
3879 *newp = NULL;
3880 environ = CSS new;
3881 tzset();
3882 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3883 tod_stamp(tod_log));
3884 }
3885 }
3886
3887 /* Handle the case when we have removed the setuid privilege because of -C or
3888 -D. This means that the caller of Exim was not root.
3889
3890 There is a problem if we were running as the Exim user. The sysadmin may
3891 expect this case to retain privilege because "the binary was called by the
3892 Exim user", but it hasn't, because either the -D option set macros, or the
3893 -C option set a non-trusted configuration file. There are two possibilities:
3894
3895 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3896 to do message deliveries. Thus, the fact that it is running as a
3897 non-privileged user is plausible, and might be wanted in some special
3898 configurations. However, really_exim will have been set false when
3899 privilege was dropped, to stop Exim trying to write to its normal log
3900 files. Therefore, re-enable normal log processing, assuming the sysadmin
3901 has set up the log directory correctly.