a3d1b9e60f1808cd78c4cc918fd7c2467dc26a0b
[exim.git] / src / src / exim.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
11
12
13 #include "exim.h"
14
15 #if defined(__GLIBC__) && !defined(__UCLIBC__)
16 # include <gnu/libc-version.h>
17 #endif
18
19 #ifdef USE_GNUTLS
20 # include <gnutls/gnutls.h>
21 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22 # define DISABLE_OCSP
23 # endif
24 #endif
25
26 extern void init_lookup_list(void);
27
28
29
30 /*************************************************
31 * Function interface to store functions *
32 *************************************************/
33
34 /* We need some real functions to pass to the PCRE regular expression library
35 for store allocation via Exim's store manager. The normal calls are actually
36 macros that pass over location information to make tracing easier. These
37 functions just interface to the standard macro calls. A good compiler will
38 optimize out the tail recursion and so not make them too expensive. There
39 are two sets of functions; one for use when we want to retain the compiled
40 regular expression for a long time; the other for short-term use. */
41
42 static void *
43 function_store_get(size_t size)
44 {
45 return store_get((int)size);
46 }
47
48 static void
49 function_dummy_free(void *block) { block = block; }
50
51 static void *
52 function_store_malloc(size_t size)
53 {
54 return store_malloc((int)size);
55 }
56
57 static void
58 function_store_free(void *block)
59 {
60 store_free(block);
61 }
62
63
64
65
66 /*************************************************
67 * Enums for cmdline interface *
68 *************************************************/
69
70 enum commandline_info { CMDINFO_NONE=0,
71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
72
73
74
75
76 /*************************************************
77 * Compile regular expression and panic on fail *
78 *************************************************/
79
80 /* This function is called when failure to compile a regular expression leads
81 to a panic exit. In other cases, pcre_compile() is called directly. In many
82 cases where this function is used, the results of the compilation are to be
83 placed in long-lived store, so we temporarily reset the store management
84 functions that PCRE uses if the use_malloc flag is set.
85
86 Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91 Returns: pointer to the compiled pattern
92 */
93
94 const pcre *
95 regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
96 {
97 int offset;
98 int options = PCRE_COPT;
99 const pcre *yield;
100 const uschar *error;
101 if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106 if (caseless) options |= PCRE_CASELESS;
107 yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
108 pcre_malloc = function_store_get;
109 pcre_free = function_dummy_free;
110 if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113 return yield;
114 }
115
116
117
118
119 /*************************************************
120 * Execute regular expression and set strings *
121 *************************************************/
122
123 /* This function runs a regular expression match, and sets up the pointers to
124 the matched substrings.
125
126 Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134 Returns: TRUE or FALSE
135 */
136
137 BOOL
138 regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
139 {
140 int ovector[3*(EXPAND_MAXN+1)];
141 uschar * s = string_copy(subject); /* de-constifying */
142 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
143 PCRE_EOPT | options, ovector, nelem(ovector));
144 BOOL yield = n >= 0;
145 if (n == 0) n = EXPAND_MAXN + 1;
146 if (yield)
147 {
148 int nn;
149 expand_nmax = setup < 0 ? 0 : setup + 1;
150 for (nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
151 {
152 expand_nstring[expand_nmax] = s + ovector[nn];
153 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
154 }
155 expand_nmax--;
156 }
157 return yield;
158 }
159
160
161
162
163 /*************************************************
164 * Set up processing details *
165 *************************************************/
166
167 /* Save a text string for dumping when SIGUSR1 is received.
168 Do checks for overruns.
169
170 Arguments: format and arguments, as for printf()
171 Returns: nothing
172 */
173
174 void
175 set_process_info(const char *format, ...)
176 {
177 int len = sprintf(CS process_info, "%5d ", (int)getpid());
178 va_list ap;
179 va_start(ap, format);
180 if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
181 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
182 len = Ustrlen(process_info);
183 process_info[len+0] = '\n';
184 process_info[len+1] = '\0';
185 process_info_len = len + 1;
186 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
187 va_end(ap);
188 }
189
190 /***********************************************
191 * Handler for SIGTERM *
192 ***********************************************/
193
194 static void
195 term_handler(int sig)
196 {
197 exit(1);
198 }
199
200
201 /*************************************************
202 * Handler for SIGUSR1 *
203 *************************************************/
204
205 /* SIGUSR1 causes any exim process to write to the process log details of
206 what it is currently doing. It will only be used if the OS is capable of
207 setting up a handler that causes automatic restarting of any system call
208 that is in progress at the time.
209
210 This function takes care to be signal-safe.
211
212 Argument: the signal number (SIGUSR1)
213 Returns: nothing
214 */
215
216 static void
217 usr1_handler(int sig)
218 {
219 int fd;
220
221 os_restarting_signal(sig, usr1_handler);
222
223 if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
224 {
225 /* If we are already running as the Exim user, try to create it in the
226 current process (assuming spool_directory exists). Otherwise, if we are
227 root, do the creation in an exim:exim subprocess. */
228
229 int euid = geteuid();
230 if (euid == exim_uid)
231 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
232 else if (euid == root_uid)
233 fd = log_create_as_exim(process_log_path);
234 }
235
236 /* If we are neither exim nor root, or if we failed to create the log file,
237 give up. There is not much useful we can do with errors, since we don't want
238 to disrupt whatever is going on outside the signal handler. */
239
240 if (fd < 0) return;
241
242 (void)write(fd, process_info, process_info_len);
243 (void)close(fd);
244 }
245
246
247
248 /*************************************************
249 * Timeout handler *
250 *************************************************/
251
252 /* This handler is enabled most of the time that Exim is running. The handler
253 doesn't actually get used unless alarm() has been called to set a timer, to
254 place a time limit on a system call of some kind. When the handler is run, it
255 re-enables itself.
256
257 There are some other SIGALRM handlers that are used in special cases when more
258 than just a flag setting is required; for example, when reading a message's
259 input. These are normally set up in the code module that uses them, and the
260 SIGALRM handler is reset to this one afterwards.
261
262 Argument: the signal value (SIGALRM)
263 Returns: nothing
264 */
265
266 void
267 sigalrm_handler(int sig)
268 {
269 sig = sig; /* Keep picky compilers happy */
270 sigalrm_seen = TRUE;
271 os_non_restarting_signal(SIGALRM, sigalrm_handler);
272 }
273
274
275
276 /*************************************************
277 * Sleep for a fractional time interval *
278 *************************************************/
279
280 /* This function is called by millisleep() and exim_wait_tick() to wait for a
281 period of time that may include a fraction of a second. The coding is somewhat
282 tedious. We do not expect setitimer() ever to fail, but if it does, the process
283 will wait for ever, so we panic in this instance. (There was a case of this
284 when a bug in a function that calls milliwait() caused it to pass invalid data.
285 That's when I added the check. :-)
286
287 We assume it to be not worth sleeping for under 100us; this value will
288 require revisiting as hardware advances. This avoids the issue of
289 a zero-valued timer setting meaning "never fire".
290
291 Argument: an itimerval structure containing the interval
292 Returns: nothing
293 */
294
295 static void
296 milliwait(struct itimerval *itval)
297 {
298 sigset_t sigmask;
299 sigset_t old_sigmask;
300
301 if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
302 return;
303 (void)sigemptyset(&sigmask); /* Empty mask */
304 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
305 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
306 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
307 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
308 "setitimer() failed: %s", strerror(errno));
309 (void)sigfillset(&sigmask); /* All signals */
310 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
311 (void)sigsuspend(&sigmask); /* Until SIGALRM */
312 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
313 }
314
315
316
317
318 /*************************************************
319 * Millisecond sleep function *
320 *************************************************/
321
322 /* The basic sleep() function has a granularity of 1 second, which is too rough
323 in some cases - for example, when using an increasing delay to slow down
324 spammers.
325
326 Argument: number of millseconds
327 Returns: nothing
328 */
329
330 void
331 millisleep(int msec)
332 {
333 struct itimerval itval;
334 itval.it_interval.tv_sec = 0;
335 itval.it_interval.tv_usec = 0;
336 itval.it_value.tv_sec = msec/1000;
337 itval.it_value.tv_usec = (msec % 1000) * 1000;
338 milliwait(&itval);
339 }
340
341
342
343 /*************************************************
344 * Compare microsecond times *
345 *************************************************/
346
347 /*
348 Arguments:
349 tv1 the first time
350 tv2 the second time
351
352 Returns: -1, 0, or +1
353 */
354
355 static int
356 exim_tvcmp(struct timeval *t1, struct timeval *t2)
357 {
358 if (t1->tv_sec > t2->tv_sec) return +1;
359 if (t1->tv_sec < t2->tv_sec) return -1;
360 if (t1->tv_usec > t2->tv_usec) return +1;
361 if (t1->tv_usec < t2->tv_usec) return -1;
362 return 0;
363 }
364
365
366
367
368 /*************************************************
369 * Clock tick wait function *
370 *************************************************/
371
372 /* Exim uses a time + a pid to generate a unique identifier in two places: its
373 message IDs, and in file names for maildir deliveries. Because some OS now
374 re-use pids within the same second, sub-second times are now being used.
375 However, for absolute certainty, we must ensure the clock has ticked before
376 allowing the relevant process to complete. At the time of implementation of
377 this code (February 2003), the speed of processors is such that the clock will
378 invariably have ticked already by the time a process has done its job. This
379 function prepares for the time when things are faster - and it also copes with
380 clocks that go backwards.
381
382 Arguments:
383 then_tv A timeval which was used to create uniqueness; its usec field
384 has been rounded down to the value of the resolution.
385 We want to be sure the current time is greater than this.
386 resolution The resolution that was used to divide the microseconds
387 (1 for maildir, larger for message ids)
388
389 Returns: nothing
390 */
391
392 void
393 exim_wait_tick(struct timeval *then_tv, int resolution)
394 {
395 struct timeval now_tv;
396 long int now_true_usec;
397
398 (void)gettimeofday(&now_tv, NULL);
399 now_true_usec = now_tv.tv_usec;
400 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
401
402 if (exim_tvcmp(&now_tv, then_tv) <= 0)
403 {
404 struct itimerval itval;
405 itval.it_interval.tv_sec = 0;
406 itval.it_interval.tv_usec = 0;
407 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
408 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
409
410 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
411 negative value for the microseconds is possible only in the case when "now"
412 is more than a second less than "then". That means that itval.it_value.tv_sec
413 is greater than zero. The following correction is therefore safe. */
414
415 if (itval.it_value.tv_usec < 0)
416 {
417 itval.it_value.tv_usec += 1000000;
418 itval.it_value.tv_sec -= 1;
419 }
420
421 DEBUG(D_transport|D_receive)
422 {
423 if (!f.running_in_test_harness)
424 {
425 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
426 then_tv->tv_sec, (long) then_tv->tv_usec,
427 now_tv.tv_sec, (long) now_tv.tv_usec);
428 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
429 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
430 }
431 }
432
433 milliwait(&itval);
434 }
435 }
436
437
438
439
440 /*************************************************
441 * Call fopen() with umask 777 and adjust mode *
442 *************************************************/
443
444 /* Exim runs with umask(0) so that files created with open() have the mode that
445 is specified in the open() call. However, there are some files, typically in
446 the spool directory, that are created with fopen(). They end up world-writeable
447 if no precautions are taken. Although the spool directory is not accessible to
448 the world, this is an untidiness. So this is a wrapper function for fopen()
449 that sorts out the mode of the created file.
450
451 Arguments:
452 filename the file name
453 options the fopen() options
454 mode the required mode
455
456 Returns: the fopened FILE or NULL
457 */
458
459 FILE *
460 modefopen(const uschar *filename, const char *options, mode_t mode)
461 {
462 mode_t saved_umask = umask(0777);
463 FILE *f = Ufopen(filename, options);
464 (void)umask(saved_umask);
465 if (f != NULL) (void)fchmod(fileno(f), mode);
466 return f;
467 }
468
469
470
471
472 /*************************************************
473 * Ensure stdin, stdout, and stderr exist *
474 *************************************************/
475
476 /* Some operating systems grumble if an exec() happens without a standard
477 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
478 file will be opened and will use these fd values, and then some other bit of
479 code will assume, for example, that it can write error messages to stderr.
480 This function ensures that fds 0, 1, and 2 are open if they do not already
481 exist, by connecting them to /dev/null.
482
483 This function is also used to ensure that std{in,out,err} exist at all times,
484 so that if any library that Exim calls tries to use them, it doesn't crash.
485
486 Arguments: None
487 Returns: Nothing
488 */
489
490 void
491 exim_nullstd(void)
492 {
493 int i;
494 int devnull = -1;
495 struct stat statbuf;
496 for (i = 0; i <= 2; i++)
497 {
498 if (fstat(i, &statbuf) < 0 && errno == EBADF)
499 {
500 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
501 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
502 string_open_failed(errno, "/dev/null"));
503 if (devnull != i) (void)dup2(devnull, i);
504 }
505 }
506 if (devnull > 2) (void)close(devnull);
507 }
508
509
510
511
512 /*************************************************
513 * Close unwanted file descriptors for delivery *
514 *************************************************/
515
516 /* This function is called from a new process that has been forked to deliver
517 an incoming message, either directly, or using exec.
518
519 We want any smtp input streams to be closed in this new process. However, it
520 has been observed that using fclose() here causes trouble. When reading in -bS
521 input, duplicate copies of messages have been seen. The files will be sharing a
522 file pointer with the parent process, and it seems that fclose() (at least on
523 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
524 least sometimes. Hence we go for closing the underlying file descriptors.
525
526 If TLS is active, we want to shut down the TLS library, but without molesting
527 the parent's SSL connection.
528
529 For delivery of a non-SMTP message, we want to close stdin and stdout (and
530 stderr unless debugging) because the calling process might have set them up as
531 pipes and be waiting for them to close before it waits for the submission
532 process to terminate. If they aren't closed, they hold up the calling process
533 until the initial delivery process finishes, which is not what we want.
534
535 Exception: We do want it for synchronous delivery!
536
537 And notwithstanding all the above, if D_resolver is set, implying resolver
538 debugging, leave stdout open, because that's where the resolver writes its
539 debugging output.
540
541 When we close stderr (which implies we've also closed stdout), we also get rid
542 of any controlling terminal.
543
544 Arguments: None
545 Returns: Nothing
546 */
547
548 static void
549 close_unwanted(void)
550 {
551 if (smtp_input)
552 {
553 #ifdef SUPPORT_TLS
554 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
555 #endif
556 (void)close(fileno(smtp_in));
557 (void)close(fileno(smtp_out));
558 smtp_in = NULL;
559 }
560 else
561 {
562 (void)close(0); /* stdin */
563 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
564 if (debug_selector == 0) /* stderr */
565 {
566 if (!f.synchronous_delivery)
567 {
568 (void)close(2);
569 log_stderr = NULL;
570 }
571 (void)setsid();
572 }
573 }
574 }
575
576
577
578
579 /*************************************************
580 * Set uid and gid *
581 *************************************************/
582
583 /* This function sets a new uid and gid permanently, optionally calling
584 initgroups() to set auxiliary groups. There are some special cases when running
585 Exim in unprivileged modes. In these situations the effective uid will not be
586 root; if we already have the right effective uid/gid, and don't need to
587 initialize any groups, leave things as they are.
588
589 Arguments:
590 uid the uid
591 gid the gid
592 igflag TRUE if initgroups() wanted
593 msg text to use in debugging output and failure log
594
595 Returns: nothing; bombs out on failure
596 */
597
598 void
599 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
600 {
601 uid_t euid = geteuid();
602 gid_t egid = getegid();
603
604 if (euid == root_uid || euid != uid || egid != gid || igflag)
605 {
606 /* At least one OS returns +1 for initgroups failure, so just check for
607 non-zero. */
608
609 if (igflag)
610 {
611 struct passwd *pw = getpwuid(uid);
612 if (!pw)
613 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
614 "no passwd entry for uid=%ld", (long int)uid);
615
616 if (initgroups(pw->pw_name, gid) != 0)
617 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
618 (long int)uid, strerror(errno));
619 }
620
621 if (setgid(gid) < 0 || setuid(uid) < 0)
622 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
623 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
624 }
625
626 /* Debugging output included uid/gid and all groups */
627
628 DEBUG(D_uid)
629 {
630 int group_count, save_errno;
631 gid_t group_list[EXIM_GROUPLIST_SIZE];
632 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
633 (long int)geteuid(), (long int)getegid(), (long int)getpid());
634 group_count = getgroups(nelem(group_list), group_list);
635 save_errno = errno;
636 debug_printf(" auxiliary group list:");
637 if (group_count > 0)
638 {
639 int i;
640 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
641 }
642 else if (group_count < 0)
643 debug_printf(" <error: %s>", strerror(save_errno));
644 else debug_printf(" <none>");
645 debug_printf("\n");
646 }
647 }
648
649
650
651
652 /*************************************************
653 * Exit point *
654 *************************************************/
655
656 /* Exim exits via this function so that it always clears up any open
657 databases.
658
659 Arguments:
660 rc return code
661
662 Returns: does not return
663 */
664
665 void
666 exim_exit(int rc, const uschar * process)
667 {
668 search_tidyup();
669 DEBUG(D_any)
670 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
671 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
672 process ? "(" : "", process, process ? ") " : "", rc);
673 exit(rc);
674 }
675
676
677
678 /* Print error string, then die */
679 static void
680 exim_fail(const char * fmt, ...)
681 {
682 va_list ap;
683 va_start(ap, fmt);
684 vfprintf(stderr, fmt, ap);
685 exit(EXIT_FAILURE);
686 }
687
688
689
690 /*************************************************
691 * Extract port from host address *
692 *************************************************/
693
694 /* Called to extract the port from the values given to -oMa and -oMi.
695 It also checks the syntax of the address, and terminates it before the
696 port data when a port is extracted.
697
698 Argument:
699 address the address, with possible port on the end
700
701 Returns: the port, or zero if there isn't one
702 bombs out on a syntax error
703 */
704
705 static int
706 check_port(uschar *address)
707 {
708 int port = host_address_extract_port(address);
709 if (string_is_ip_address(address, NULL) == 0)
710 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
711 return port;
712 }
713
714
715
716 /*************************************************
717 * Test/verify an address *
718 *************************************************/
719
720 /* This function is called by the -bv and -bt code. It extracts a working
721 address from a full RFC 822 address. This isn't really necessary per se, but it
722 has the effect of collapsing source routes.
723
724 Arguments:
725 s the address string
726 flags flag bits for verify_address()
727 exit_value to be set for failures
728
729 Returns: nothing
730 */
731
732 static void
733 test_address(uschar *s, int flags, int *exit_value)
734 {
735 int start, end, domain;
736 uschar *parse_error = NULL;
737 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
738 FALSE);
739 if (address == NULL)
740 {
741 fprintf(stdout, "syntax error: %s\n", parse_error);
742 *exit_value = 2;
743 }
744 else
745 {
746 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
747 -1, -1, NULL, NULL, NULL);
748 if (rc == FAIL) *exit_value = 2;
749 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
750 }
751 }
752
753
754
755 /*************************************************
756 * Show supported features *
757 *************************************************/
758
759 static void
760 show_db_version(FILE * f)
761 {
762 #ifdef DB_VERSION_STRING
763 DEBUG(D_any)
764 {
765 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
766 fprintf(f, " Runtime: %s\n",
767 db_version(NULL, NULL, NULL));
768 }
769 else
770 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
771
772 #elif defined(BTREEVERSION) && defined(HASHVERSION)
773 #ifdef USE_DB
774 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
775 #else
776 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
777 #endif
778
779 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
780 fprintf(f, "Probably ndbm\n");
781 #elif defined(USE_TDB)
782 fprintf(f, "Using tdb\n");
783 #else
784 #ifdef USE_GDBM
785 fprintf(f, "Probably GDBM (native mode)\n");
786 #else
787 fprintf(f, "Probably GDBM (compatibility mode)\n");
788 #endif
789 #endif
790 }
791
792
793 /* This function is called for -bV/--version and for -d to output the optional
794 features of the current Exim binary.
795
796 Arguments: a FILE for printing
797 Returns: nothing
798 */
799
800 static void
801 show_whats_supported(FILE * fp)
802 {
803 auth_info * authi;
804
805 DEBUG(D_any) {} else show_db_version(fp);
806
807 fprintf(fp, "Support for:");
808 #ifdef SUPPORT_CRYPTEQ
809 fprintf(fp, " crypteq");
810 #endif
811 #if HAVE_ICONV
812 fprintf(fp, " iconv()");
813 #endif
814 #if HAVE_IPV6
815 fprintf(fp, " IPv6");
816 #endif
817 #ifdef HAVE_SETCLASSRESOURCES
818 fprintf(fp, " use_setclassresources");
819 #endif
820 #ifdef SUPPORT_PAM
821 fprintf(fp, " PAM");
822 #endif
823 #ifdef EXIM_PERL
824 fprintf(fp, " Perl");
825 #endif
826 #ifdef EXPAND_DLFUNC
827 fprintf(fp, " Expand_dlfunc");
828 #endif
829 #ifdef USE_TCP_WRAPPERS
830 fprintf(fp, " TCPwrappers");
831 #endif
832 #ifdef SUPPORT_TLS
833 # ifdef USE_GNUTLS
834 fprintf(fp, " GnuTLS");
835 # else
836 fprintf(fp, " OpenSSL");
837 # endif
838 #endif
839 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
840 fprintf(fp, " translate_ip_address");
841 #endif
842 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
843 fprintf(fp, " move_frozen_messages");
844 #endif
845 #ifdef WITH_CONTENT_SCAN
846 fprintf(fp, " Content_Scanning");
847 #endif
848 #ifdef SUPPORT_DANE
849 fprintf(fp, " DANE");
850 #endif
851 #ifndef DISABLE_DKIM
852 fprintf(fp, " DKIM");
853 #endif
854 #ifndef DISABLE_DNSSEC
855 fprintf(fp, " DNSSEC");
856 #endif
857 #ifndef DISABLE_EVENT
858 fprintf(fp, " Event");
859 #endif
860 #ifdef SUPPORT_I18N
861 fprintf(fp, " I18N");
862 #endif
863 #ifndef DISABLE_OCSP
864 fprintf(fp, " OCSP");
865 #endif
866 #ifndef DISABLE_PRDR
867 fprintf(fp, " PRDR");
868 #endif
869 #ifdef SUPPORT_PROXY
870 fprintf(fp, " PROXY");
871 #endif
872 #ifdef SUPPORT_SOCKS
873 fprintf(fp, " SOCKS");
874 #endif
875 #ifdef SUPPORT_SPF
876 fprintf(fp, " SPF");
877 #endif
878 #ifdef TCP_FASTOPEN
879 deliver_init();
880 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
881 #endif
882 #ifdef EXPERIMENTAL_LMDB
883 fprintf(fp, " Experimental_LMDB");
884 #endif
885 #ifdef EXPERIMENTAL_QUEUEFILE
886 fprintf(fp, " Experimental_QUEUEFILE");
887 #endif
888 #ifdef EXPERIMENTAL_SRS
889 fprintf(fp, " Experimental_SRS");
890 #endif
891 #ifdef EXPERIMENTAL_ARC
892 fprintf(fp, " Experimental_ARC");
893 #endif
894 #ifdef EXPERIMENTAL_BRIGHTMAIL
895 fprintf(fp, " Experimental_Brightmail");
896 #endif
897 #ifdef EXPERIMENTAL_DCC
898 fprintf(fp, " Experimental_DCC");
899 #endif
900 #ifdef EXPERIMENTAL_DMARC
901 fprintf(fp, " Experimental_DMARC");
902 #endif
903 #ifdef EXPERIMENTAL_DSN_INFO
904 fprintf(fp, " Experimental_DSN_info");
905 #endif
906 #ifdef EXPERIMENTAL_REQUIRETLS
907 fprintf(fp, " Experimental_REQUIRETLS");
908 #endif
909 #ifdef EXPERIMENTAL_PIPE_CONNECT
910 fprintf(fp, " Experimental_PIPE_CONNECT");
911 #endif
912 fprintf(fp, "\n");
913
914 fprintf(fp, "Lookups (built-in):");
915 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
916 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
917 #endif
918 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
919 fprintf(fp, " cdb");
920 #endif
921 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
922 fprintf(fp, " dbm dbmjz dbmnz");
923 #endif
924 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
925 fprintf(fp, " dnsdb");
926 #endif
927 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
928 fprintf(fp, " dsearch");
929 #endif
930 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
931 fprintf(fp, " ibase");
932 #endif
933 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
934 fprintf(fp, " ldap ldapdn ldapm");
935 #endif
936 #ifdef EXPERIMENTAL_LMDB
937 fprintf(fp, " lmdb");
938 #endif
939 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
940 fprintf(fp, " mysql");
941 #endif
942 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
943 fprintf(fp, " nis nis0");
944 #endif
945 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
946 fprintf(fp, " nisplus");
947 #endif
948 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
949 fprintf(fp, " oracle");
950 #endif
951 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
952 fprintf(fp, " passwd");
953 #endif
954 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
955 fprintf(fp, " pgsql");
956 #endif
957 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
958 fprintf(fp, " redis");
959 #endif
960 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
961 fprintf(fp, " sqlite");
962 #endif
963 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
964 fprintf(fp, " testdb");
965 #endif
966 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
967 fprintf(fp, " whoson");
968 #endif
969 fprintf(fp, "\n");
970
971 auth_show_supported(fp);
972 route_show_supported(fp);
973 transport_show_supported(fp);
974
975 #ifdef WITH_CONTENT_SCAN
976 malware_show_supported(fp);
977 #endif
978
979 if (fixed_never_users[0] > 0)
980 {
981 int i;
982 fprintf(fp, "Fixed never_users: ");
983 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
984 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
985 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
986 }
987
988 fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
989
990 fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
991
992 /* Everything else is details which are only worth reporting when debugging.
993 Perhaps the tls_version_report should move into this too. */
994 DEBUG(D_any) do {
995
996 int i;
997
998 /* clang defines __GNUC__ (at least, for me) so test for it first */
999 #if defined(__clang__)
1000 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
1001 #elif defined(__GNUC__)
1002 fprintf(fp, "Compiler: GCC [%s]\n",
1003 # ifdef __VERSION__
1004 __VERSION__
1005 # else
1006 "? unknown version ?"
1007 # endif
1008 );
1009 #else
1010 fprintf(fp, "Compiler: <unknown>\n");
1011 #endif
1012
1013 #if defined(__GLIBC__) && !defined(__UCLIBC__)
1014 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
1015 __GLIBC__, __GLIBC_MINOR__);
1016 if (__GLIBC_PREREQ(2, 1))
1017 fprintf(fp, " Runtime: %s\n",
1018 gnu_get_libc_version());
1019 #endif
1020
1021 show_db_version(fp);
1022
1023 #ifdef SUPPORT_TLS
1024 tls_version_report(fp);
1025 #endif
1026 #ifdef SUPPORT_I18N
1027 utf8_version_report(fp);
1028 #endif
1029
1030 for (authi = auths_available; *authi->driver_name != '\0'; ++authi)
1031 if (authi->version_report)
1032 (*authi->version_report)(fp);
1033
1034 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1035 characters; unless it's an ancient version of PCRE in which case it
1036 is not defined. */
1037 #ifndef PCRE_PRERELEASE
1038 # define PCRE_PRERELEASE
1039 #endif
1040 #define QUOTE(X) #X
1041 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1042 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
1043 " Runtime: %s\n",
1044 PCRE_MAJOR, PCRE_MINOR,
1045 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
1046 pcre_version());
1047 #undef QUOTE
1048 #undef EXPAND_AND_QUOTE
1049
1050 init_lookup_list();
1051 for (i = 0; i < lookup_list_count; i++)
1052 if (lookup_list[i]->version_report)
1053 lookup_list[i]->version_report(fp);
1054
1055 #ifdef WHITELIST_D_MACROS
1056 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1057 #else
1058 fprintf(fp, "WHITELIST_D_MACROS unset\n");
1059 #endif
1060 #ifdef TRUSTED_CONFIG_LIST
1061 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1062 #else
1063 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
1064 #endif
1065
1066 } while (0);
1067 }
1068
1069
1070 /*************************************************
1071 * Show auxiliary information about Exim *
1072 *************************************************/
1073
1074 static void
1075 show_exim_information(enum commandline_info request, FILE *stream)
1076 {
1077 const uschar **pp;
1078
1079 switch(request)
1080 {
1081 case CMDINFO_NONE:
1082 fprintf(stream, "Oops, something went wrong.\n");
1083 return;
1084 case CMDINFO_HELP:
1085 fprintf(stream,
1086 "The -bI: flag takes a string indicating which information to provide.\n"
1087 "If the string is not recognised, you'll get this help (on stderr).\n"
1088 "\n"
1089 " exim -bI:help this information\n"
1090 " exim -bI:dscp list of known dscp value keywords\n"
1091 " exim -bI:sieve list of supported sieve extensions\n"
1092 );
1093 return;
1094 case CMDINFO_SIEVE:
1095 for (pp = exim_sieve_extension_list; *pp; ++pp)
1096 fprintf(stream, "%s\n", *pp);
1097 return;
1098 case CMDINFO_DSCP:
1099 dscp_list_to_stream(stream);
1100 return;
1101 }
1102 }
1103
1104
1105 /*************************************************
1106 * Quote a local part *
1107 *************************************************/
1108
1109 /* This function is used when a sender address or a From: or Sender: header
1110 line is being created from the caller's login, or from an authenticated_id. It
1111 applies appropriate quoting rules for a local part.
1112
1113 Argument: the local part
1114 Returns: the local part, quoted if necessary
1115 */
1116
1117 uschar *
1118 local_part_quote(uschar *lpart)
1119 {
1120 BOOL needs_quote = FALSE;
1121 gstring * g;
1122 uschar *t;
1123
1124 for (t = lpart; !needs_quote && *t != 0; t++)
1125 {
1126 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1127 (*t != '.' || t == lpart || t[1] == 0);
1128 }
1129
1130 if (!needs_quote) return lpart;
1131
1132 g = string_catn(NULL, US"\"", 1);
1133
1134 for (;;)
1135 {
1136 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1137 if (nq == NULL)
1138 {
1139 g = string_cat(g, lpart);
1140 break;
1141 }
1142 g = string_catn(g, lpart, nq - lpart);
1143 g = string_catn(g, US"\\", 1);
1144 g = string_catn(g, nq, 1);
1145 lpart = nq + 1;
1146 }
1147
1148 g = string_catn(g, US"\"", 1);
1149 return string_from_gstring(g);
1150 }
1151
1152
1153
1154 #ifdef USE_READLINE
1155 /*************************************************
1156 * Load readline() functions *
1157 *************************************************/
1158
1159 /* This function is called from testing executions that read data from stdin,
1160 but only when running as the calling user. Currently, only -be does this. The
1161 function loads the readline() function library and passes back the functions.
1162 On some systems, it needs the curses library, so load that too, but try without
1163 it if loading fails. All this functionality has to be requested at build time.
1164
1165 Arguments:
1166 fn_readline_ptr pointer to where to put the readline pointer
1167 fn_addhist_ptr pointer to where to put the addhistory function
1168
1169 Returns: the dlopen handle or NULL on failure
1170 */
1171
1172 static void *
1173 set_readline(char * (**fn_readline_ptr)(const char *),
1174 void (**fn_addhist_ptr)(const char *))
1175 {
1176 void *dlhandle;
1177 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1178
1179 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1180 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1181
1182 if (dlhandle != NULL)
1183 {
1184 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1185 * char * readline (const char *prompt);
1186 * void add_history (const char *string);
1187 */
1188 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1189 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1190 }
1191 else
1192 {
1193 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1194 }
1195
1196 return dlhandle;
1197 }
1198 #endif
1199
1200
1201
1202 /*************************************************
1203 * Get a line from stdin for testing things *
1204 *************************************************/
1205
1206 /* This function is called when running tests that can take a number of lines
1207 of input (for example, -be and -bt). It handles continuations and trailing
1208 spaces. And prompting and a blank line output on eof. If readline() is in use,
1209 the arguments are non-NULL and provide the relevant functions.
1210
1211 Arguments:
1212 fn_readline readline function or NULL
1213 fn_addhist addhist function or NULL
1214
1215 Returns: pointer to dynamic memory, or NULL at end of file
1216 */
1217
1218 static uschar *
1219 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1220 {
1221 int i;
1222 gstring * g = NULL;
1223
1224 if (!fn_readline) { printf("> "); fflush(stdout); }
1225
1226 for (i = 0;; i++)
1227 {
1228 uschar buffer[1024];
1229 uschar *p, *ss;
1230
1231 #ifdef USE_READLINE
1232 char *readline_line = NULL;
1233 if (fn_readline != NULL)
1234 {
1235 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1236 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1237 p = US readline_line;
1238 }
1239 else
1240 #endif
1241
1242 /* readline() not in use */
1243
1244 {
1245 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1246 p = buffer;
1247 }
1248
1249 /* Handle the line */
1250
1251 ss = p + (int)Ustrlen(p);
1252 while (ss > p && isspace(ss[-1])) ss--;
1253
1254 if (i > 0)
1255 {
1256 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1257 }
1258
1259 g = string_catn(g, p, ss - p);
1260
1261 #ifdef USE_READLINE
1262 if (fn_readline) free(readline_line);
1263 #endif
1264
1265 /* g can only be NULL if ss==p */
1266 if (ss == p || g->s[g->ptr-1] != '\\')
1267 break;
1268
1269 --g->ptr;
1270 (void) string_from_gstring(g);
1271 }
1272
1273 if (!g) printf("\n");
1274 return string_from_gstring(g);
1275 }
1276
1277
1278
1279 /*************************************************
1280 * Output usage information for the program *
1281 *************************************************/
1282
1283 /* This function is called when there are no recipients
1284 or a specific --help argument was added.
1285
1286 Arguments:
1287 progname information on what name we were called by
1288
1289 Returns: DOES NOT RETURN
1290 */
1291
1292 static void
1293 exim_usage(uschar *progname)
1294 {
1295
1296 /* Handle specific program invocation variants */
1297 if (Ustrcmp(progname, US"-mailq") == 0)
1298 exim_fail(
1299 "mailq - list the contents of the mail queue\n\n"
1300 "For a list of options, see the Exim documentation.\n");
1301
1302 /* Generic usage - we output this whatever happens */
1303 exim_fail(
1304 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1305 "not directly from a shell command line. Options and/or arguments control\n"
1306 "what it does when called. For a list of options, see the Exim documentation.\n");
1307 }
1308
1309
1310
1311 /*************************************************
1312 * Validate that the macros given are okay *
1313 *************************************************/
1314
1315 /* Typically, Exim will drop privileges if macros are supplied. In some
1316 cases, we want to not do so.
1317
1318 Arguments: opt_D_used - true if the commandline had a "-D" option
1319 Returns: true if trusted, false otherwise
1320 */
1321
1322 static BOOL
1323 macros_trusted(BOOL opt_D_used)
1324 {
1325 #ifdef WHITELIST_D_MACROS
1326 macro_item *m;
1327 uschar *whitelisted, *end, *p, **whites, **w;
1328 int white_count, i, n;
1329 size_t len;
1330 BOOL prev_char_item, found;
1331 #endif
1332
1333 if (!opt_D_used)
1334 return TRUE;
1335 #ifndef WHITELIST_D_MACROS
1336 return FALSE;
1337 #else
1338
1339 /* We only trust -D overrides for some invoking users:
1340 root, the exim run-time user, the optional config owner user.
1341 I don't know why config-owner would be needed, but since they can own the
1342 config files anyway, there's no security risk to letting them override -D. */
1343 if ( ! ((real_uid == root_uid)
1344 || (real_uid == exim_uid)
1345 #ifdef CONFIGURE_OWNER
1346 || (real_uid == config_uid)
1347 #endif
1348 ))
1349 {
1350 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1351 return FALSE;
1352 }
1353
1354 /* Get a list of macros which are whitelisted */
1355 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1356 prev_char_item = FALSE;
1357 white_count = 0;
1358 for (p = whitelisted; *p != '\0'; ++p)
1359 {
1360 if (*p == ':' || isspace(*p))
1361 {
1362 *p = '\0';
1363 if (prev_char_item)
1364 ++white_count;
1365 prev_char_item = FALSE;
1366 continue;
1367 }
1368 if (!prev_char_item)
1369 prev_char_item = TRUE;
1370 }
1371 end = p;
1372 if (prev_char_item)
1373 ++white_count;
1374 if (!white_count)
1375 return FALSE;
1376 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1377 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1378 {
1379 if (*p != '\0')
1380 {
1381 whites[i++] = p;
1382 if (i == white_count)
1383 break;
1384 while (*p != '\0' && p < end)
1385 ++p;
1386 }
1387 }
1388 whites[i] = NULL;
1389
1390 /* The list of commandline macros should be very short.
1391 Accept the N*M complexity. */
1392 for (m = macros_user; m; m = m->next) if (m->command_line)
1393 {
1394 found = FALSE;
1395 for (w = whites; *w; ++w)
1396 if (Ustrcmp(*w, m->name) == 0)
1397 {
1398 found = TRUE;
1399 break;
1400 }
1401 if (!found)
1402 return FALSE;
1403 if (!m->replacement)
1404 continue;
1405 if ((len = m->replen) == 0)
1406 continue;
1407 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1408 0, PCRE_EOPT, NULL, 0);
1409 if (n < 0)
1410 {
1411 if (n != PCRE_ERROR_NOMATCH)
1412 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1413 return FALSE;
1414 }
1415 }
1416 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1417 return TRUE;
1418 #endif
1419 }
1420
1421
1422 /*************************************************
1423 * Expansion testing *
1424 *************************************************/
1425
1426 /* Expand and print one item, doing macro-processing.
1427
1428 Arguments:
1429 item line for expansion
1430 */
1431
1432 static void
1433 expansion_test_line(uschar * line)
1434 {
1435 int len;
1436 BOOL dummy_macexp;
1437
1438 Ustrncpy(big_buffer, line, big_buffer_size);
1439 big_buffer[big_buffer_size-1] = '\0';
1440 len = Ustrlen(big_buffer);
1441
1442 (void) macros_expand(0, &len, &dummy_macexp);
1443
1444 if (isupper(big_buffer[0]))
1445 {
1446 if (macro_read_assignment(big_buffer))
1447 printf("Defined macro '%s'\n", mlast->name);
1448 }
1449 else
1450 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1451 else printf("Failed: %s\n", expand_string_message);
1452 }
1453
1454
1455
1456 /*************************************************
1457 * Entry point and high-level code *
1458 *************************************************/
1459
1460 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1461 the appropriate action. All the necessary functions are present in the one
1462 binary. I originally thought one should split it up, but it turns out that so
1463 much of the apparatus is needed in each chunk that one might as well just have
1464 it all available all the time, which then makes the coding easier as well.
1465
1466 Arguments:
1467 argc count of entries in argv
1468 argv argument strings, with argv[0] being the program name
1469
1470 Returns: EXIT_SUCCESS if terminated successfully
1471 EXIT_FAILURE otherwise, except when a message has been sent
1472 to the sender, and -oee was given
1473 */
1474
1475 int
1476 main(int argc, char **cargv)
1477 {
1478 uschar **argv = USS cargv;
1479 int arg_receive_timeout = -1;
1480 int arg_smtp_receive_timeout = -1;
1481 int arg_error_handling = error_handling;
1482 int filter_sfd = -1;
1483 int filter_ufd = -1;
1484 int group_count;
1485 int i, rv;
1486 int list_queue_option = 0;
1487 int msg_action = 0;
1488 int msg_action_arg = -1;
1489 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1490 int queue_only_reason = 0;
1491 #ifdef EXIM_PERL
1492 int perl_start_option = 0;
1493 #endif
1494 int recipients_arg = argc;
1495 int sender_address_domain = 0;
1496 int test_retry_arg = -1;
1497 int test_rewrite_arg = -1;
1498 gid_t original_egid;
1499 BOOL arg_queue_only = FALSE;
1500 BOOL bi_option = FALSE;
1501 BOOL checking = FALSE;
1502 BOOL count_queue = FALSE;
1503 BOOL expansion_test = FALSE;
1504 BOOL extract_recipients = FALSE;
1505 BOOL flag_G = FALSE;
1506 BOOL flag_n = FALSE;
1507 BOOL forced_delivery = FALSE;
1508 BOOL f_end_dot = FALSE;
1509 BOOL deliver_give_up = FALSE;
1510 BOOL list_queue = FALSE;
1511 BOOL list_options = FALSE;
1512 BOOL list_config = FALSE;
1513 BOOL local_queue_only;
1514 BOOL more = TRUE;
1515 BOOL one_msg_action = FALSE;
1516 BOOL opt_D_used = FALSE;
1517 BOOL queue_only_set = FALSE;
1518 BOOL receiving_message = TRUE;
1519 BOOL sender_ident_set = FALSE;
1520 BOOL session_local_queue_only;
1521 BOOL unprivileged;
1522 BOOL removed_privilege = FALSE;
1523 BOOL usage_wanted = FALSE;
1524 BOOL verify_address_mode = FALSE;
1525 BOOL verify_as_sender = FALSE;
1526 BOOL version_printed = FALSE;
1527 uschar *alias_arg = NULL;
1528 uschar *called_as = US"";
1529 uschar *cmdline_syslog_name = NULL;
1530 uschar *start_queue_run_id = NULL;
1531 uschar *stop_queue_run_id = NULL;
1532 uschar *expansion_test_message = NULL;
1533 uschar *ftest_domain = NULL;
1534 uschar *ftest_localpart = NULL;
1535 uschar *ftest_prefix = NULL;
1536 uschar *ftest_suffix = NULL;
1537 uschar *log_oneline = NULL;
1538 uschar *malware_test_file = NULL;
1539 uschar *real_sender_address;
1540 uschar *originator_home = US"/";
1541 size_t sz;
1542 void *reset_point;
1543
1544 struct passwd *pw;
1545 struct stat statbuf;
1546 pid_t passed_qr_pid = (pid_t)0;
1547 int passed_qr_pipe = -1;
1548 gid_t group_list[EXIM_GROUPLIST_SIZE];
1549
1550 /* For the -bI: flag */
1551 enum commandline_info info_flag = CMDINFO_NONE;
1552 BOOL info_stdout = FALSE;
1553
1554 /* Possible options for -R and -S */
1555
1556 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1557
1558 /* Need to define this in case we need to change the environment in order
1559 to get rid of a bogus time zone. We have to make it char rather than uschar
1560 because some OS define it in /usr/include/unistd.h. */
1561
1562 extern char **environ;
1563
1564 /* If the Exim user and/or group and/or the configuration file owner/group were
1565 defined by ref:name at build time, we must now find the actual uid/gid values.
1566 This is a feature to make the lives of binary distributors easier. */
1567
1568 #ifdef EXIM_USERNAME
1569 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1570 {
1571 if (exim_uid == 0)
1572 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1573
1574 /* If ref:name uses a number as the name, route_finduser() returns
1575 TRUE with exim_uid set and pw coerced to NULL. */
1576 if (pw)
1577 exim_gid = pw->pw_gid;
1578 #ifndef EXIM_GROUPNAME
1579 else
1580 exim_fail(
1581 "exim: ref:name should specify a usercode, not a group.\n"
1582 "exim: can't let you get away with it unless you also specify a group.\n");
1583 #endif
1584 }
1585 else
1586 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
1587 #endif
1588
1589 #ifdef EXIM_GROUPNAME
1590 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1591 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
1592 #endif
1593
1594 #ifdef CONFIGURE_OWNERNAME
1595 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1596 exim_fail("exim: failed to find uid for user name \"%s\"\n",
1597 CONFIGURE_OWNERNAME);
1598 #endif
1599
1600 /* We default the system_filter_user to be the Exim run-time user, as a
1601 sane non-root value. */
1602 system_filter_uid = exim_uid;
1603
1604 #ifdef CONFIGURE_GROUPNAME
1605 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1606 exim_fail("exim: failed to find gid for group name \"%s\"\n",
1607 CONFIGURE_GROUPNAME);
1608 #endif
1609
1610 /* In the Cygwin environment, some initialization used to need doing.
1611 It was fudged in by means of this macro; now no longer but we'll leave
1612 it in case of others. */
1613
1614 #ifdef OS_INIT
1615 OS_INIT
1616 #endif
1617
1618 /* Check a field which is patched when we are running Exim within its
1619 testing harness; do a fast initial check, and then the whole thing. */
1620
1621 f.running_in_test_harness =
1622 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1623 if (f.running_in_test_harness)
1624 debug_store = TRUE;
1625
1626 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1627 at the start of a program; however, it seems that some environments do not
1628 follow this. A "strange" locale can affect the formatting of timestamps, so we
1629 make quite sure. */
1630
1631 setlocale(LC_ALL, "C");
1632
1633 /* Set up the default handler for timing using alarm(). */
1634
1635 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1636
1637 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1638 because store_malloc writes a log entry on failure. */
1639
1640 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
1641 exim_fail("exim: failed to get store for log buffer\n");
1642
1643 /* Initialize the default log options. */
1644
1645 bits_set(log_selector, log_selector_size, log_default);
1646
1647 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1648 NULL when the daemon is run and the file is closed. We have to use this
1649 indirection, because some systems don't allow writing to the variable "stderr".
1650 */
1651
1652 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1653
1654 /* Arrange for the PCRE regex library to use our store functions. Note that
1655 the normal calls are actually macros that add additional arguments for
1656 debugging purposes so we have to assign specially constructed functions here.
1657 The default is to use store in the stacking pool, but this is overridden in the
1658 regex_must_compile() function. */
1659
1660 pcre_malloc = function_store_get;
1661 pcre_free = function_dummy_free;
1662
1663 /* Ensure there is a big buffer for temporary use in several places. It is put
1664 in malloc store so that it can be freed for enlargement if necessary. */
1665
1666 big_buffer = store_malloc(big_buffer_size);
1667
1668 /* Set up the handler for the data request signal, and set the initial
1669 descriptive text. */
1670
1671 set_process_info("initializing");
1672 os_restarting_signal(SIGUSR1, usr1_handler);
1673
1674 /* If running in a dockerized environment, the TERM signal is only
1675 delegated to the PID 1 if we request it by setting an signal handler */
1676 if (getpid() == 1) signal(SIGTERM, term_handler);
1677
1678 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1679 in the daemon code. For the rest of Exim's uses, we ignore it. */
1680
1681 signal(SIGHUP, SIG_IGN);
1682
1683 /* We don't want to die on pipe errors as the code is written to handle
1684 the write error instead. */
1685
1686 signal(SIGPIPE, SIG_IGN);
1687
1688 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1689 set to SIG_IGN. This causes subprocesses that complete before the parent
1690 process waits for them not to hang around, so when Exim calls wait(), nothing
1691 is there. The wait() code has been made robust against this, but let's ensure
1692 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1693 ending status. We use sigaction rather than plain signal() on those OS where
1694 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1695 problem on AIX with this.) */
1696
1697 #ifdef SA_NOCLDWAIT
1698 {
1699 struct sigaction act;
1700 act.sa_handler = SIG_DFL;
1701 sigemptyset(&(act.sa_mask));
1702 act.sa_flags = 0;
1703 sigaction(SIGCHLD, &act, NULL);
1704 }
1705 #else
1706 signal(SIGCHLD, SIG_DFL);
1707 #endif
1708
1709 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1710 SIGHUP. */
1711
1712 sighup_argv = argv;
1713
1714 /* Set up the version number. Set up the leading 'E' for the external form of
1715 message ids, set the pointer to the internal form, and initialize it to
1716 indicate no message being processed. */
1717
1718 version_init();
1719 message_id_option[0] = '-';
1720 message_id_external = message_id_option + 1;
1721 message_id_external[0] = 'E';
1722 message_id = message_id_external + 1;
1723 message_id[0] = 0;
1724
1725 /* Set the umask to zero so that any files Exim creates using open() are
1726 created with the modes that it specifies. NOTE: Files created with fopen() have
1727 a problem, which was not recognized till rather late (February 2006). With this
1728 umask, such files will be world writeable. (They are all content scanning files
1729 in the spool directory, which isn't world-accessible, so this is not a
1730 disaster, but it's untidy.) I don't want to change this overall setting,
1731 however, because it will interact badly with the open() calls. Instead, there's
1732 now a function called modefopen() that fiddles with the umask while calling
1733 fopen(). */
1734
1735 (void)umask(0);
1736
1737 /* Precompile the regular expression for matching a message id. Keep this in
1738 step with the code that generates ids in the accept.c module. We need to do
1739 this here, because the -M options check their arguments for syntactic validity
1740 using mac_ismsgid, which uses this. */
1741
1742 regex_ismsgid =
1743 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1744
1745 /* Precompile the regular expression that is used for matching an SMTP error
1746 code, possibly extended, at the start of an error message. Note that the
1747 terminating whitespace character is included. */
1748
1749 regex_smtp_code =
1750 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1751 FALSE, TRUE);
1752
1753 #ifdef WHITELIST_D_MACROS
1754 /* Precompile the regular expression used to filter the content of macros
1755 given to -D for permissibility. */
1756
1757 regex_whitelisted_macro =
1758 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1759 #endif
1760
1761 for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1762
1763 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1764 this seems to be a generally accepted convention, since one finds symbolic
1765 links called "mailq" in standard OS configurations. */
1766
1767 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1768 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1769 {
1770 list_queue = TRUE;
1771 receiving_message = FALSE;
1772 called_as = US"-mailq";
1773 }
1774
1775 /* If the program is called as "rmail" treat it as equivalent to
1776 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1777 i.e. preventing a single dot on a line from terminating the message, and
1778 returning with zero return code, even in cases of error (provided an error
1779 message has been sent). */
1780
1781 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1782 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1783 {
1784 f.dot_ends = FALSE;
1785 called_as = US"-rmail";
1786 errors_sender_rc = EXIT_SUCCESS;
1787 }
1788
1789 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1790 this is a smail convention. */
1791
1792 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1793 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1794 {
1795 smtp_input = smtp_batched_input = TRUE;
1796 called_as = US"-rsmtp";
1797 }
1798
1799 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1800 this is a smail convention. */
1801
1802 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1803 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1804 {
1805 queue_interval = 0;
1806 receiving_message = FALSE;
1807 called_as = US"-runq";
1808 }
1809
1810 /* If the program is called as "newaliases" treat it as equivalent to
1811 "exim -bi"; this is a sendmail convention. */
1812
1813 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1814 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1815 {
1816 bi_option = TRUE;
1817 receiving_message = FALSE;
1818 called_as = US"-newaliases";
1819 }
1820
1821 /* Save the original effective uid for a couple of uses later. It should
1822 normally be root, but in some esoteric environments it may not be. */
1823
1824 original_euid = geteuid();
1825 original_egid = getegid();
1826
1827 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1828 to be the same as the real ones. This makes a difference only if Exim is setuid
1829 (or setgid) to something other than root, which could be the case in some
1830 special configurations. */
1831
1832 real_uid = getuid();
1833 real_gid = getgid();
1834
1835 if (real_uid == root_uid)
1836 {
1837 if ((rv = setgid(real_gid)))
1838 exim_fail("exim: setgid(%ld) failed: %s\n",
1839 (long int)real_gid, strerror(errno));
1840 if ((rv = setuid(real_uid)))
1841 exim_fail("exim: setuid(%ld) failed: %s\n",
1842 (long int)real_uid, strerror(errno));
1843 }
1844
1845 /* If neither the original real uid nor the original euid was root, Exim is
1846 running in an unprivileged state. */
1847
1848 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1849
1850 /* Scan the program's arguments. Some can be dealt with right away; others are
1851 simply recorded for checking and handling afterwards. Do a high-level switch
1852 on the second character (the one after '-'), to save some effort. */
1853
1854 for (i = 1; i < argc; i++)
1855 {
1856 BOOL badarg = FALSE;
1857 uschar *arg = argv[i];
1858 uschar *argrest;
1859 int switchchar;
1860
1861 /* An argument not starting with '-' is the start of a recipients list;
1862 break out of the options-scanning loop. */
1863
1864 if (arg[0] != '-')
1865 {
1866 recipients_arg = i;
1867 break;
1868 }
1869
1870 /* An option consisting of -- terminates the options */
1871
1872 if (Ustrcmp(arg, "--") == 0)
1873 {
1874 recipients_arg = i + 1;
1875 break;
1876 }
1877
1878 /* Handle flagged options */
1879
1880 switchchar = arg[1];
1881 argrest = arg+2;
1882
1883 /* Make all -ex options synonymous with -oex arguments, since that
1884 is assumed by various callers. Also make -qR options synonymous with -R
1885 options, as that seems to be required as well. Allow for -qqR too, and
1886 the same for -S options. */
1887
1888 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1889 Ustrncmp(arg+1, "qR", 2) == 0 ||
1890 Ustrncmp(arg+1, "qS", 2) == 0)
1891 {
1892 switchchar = arg[2];
1893 argrest++;
1894 }
1895 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1896 {
1897 switchchar = arg[3];
1898 argrest += 2;
1899 f.queue_2stage = TRUE;
1900 }
1901
1902 /* Make -r synonymous with -f, since it is a documented alias */
1903
1904 else if (arg[1] == 'r') switchchar = 'f';
1905
1906 /* Make -ov synonymous with -v */
1907
1908 else if (Ustrcmp(arg, "-ov") == 0)
1909 {
1910 switchchar = 'v';
1911 argrest++;
1912 }
1913
1914 /* deal with --option_aliases */
1915 else if (switchchar == '-')
1916 {
1917 if (Ustrcmp(argrest, "help") == 0)
1918 {
1919 usage_wanted = TRUE;
1920 break;
1921 }
1922 else if (Ustrcmp(argrest, "version") == 0)
1923 {
1924 switchchar = 'b';
1925 argrest = US"V";
1926 }
1927 }
1928
1929 /* High-level switch on active initial letter */
1930
1931 switch(switchchar)
1932 {
1933
1934 /* sendmail uses -Ac and -Am to control which .cf file is used;
1935 we ignore them. */
1936 case 'A':
1937 if (*argrest == '\0') { badarg = TRUE; break; }
1938 else
1939 {
1940 BOOL ignore = FALSE;
1941 switch (*argrest)
1942 {
1943 case 'c':
1944 case 'm':
1945 if (*(argrest + 1) == '\0')
1946 ignore = TRUE;
1947 break;
1948 }
1949 if (!ignore) { badarg = TRUE; break; }
1950 }
1951 break;
1952
1953 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1954 so has no need of it. */
1955
1956 case 'B':
1957 if (*argrest == 0) i++; /* Skip over the type */
1958 break;
1959
1960
1961 case 'b':
1962 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1963
1964 /* -bd: Run in daemon mode, awaiting SMTP connections.
1965 -bdf: Ditto, but in the foreground.
1966 */
1967
1968 if (*argrest == 'd')
1969 {
1970 f.daemon_listen = TRUE;
1971 if (*(++argrest) == 'f') f.background_daemon = FALSE;
1972 else if (*argrest != 0) { badarg = TRUE; break; }
1973 }
1974
1975 /* -be: Run in expansion test mode
1976 -bem: Ditto, but read a message from a file first
1977 */
1978
1979 else if (*argrest == 'e')
1980 {
1981 expansion_test = checking = TRUE;
1982 if (argrest[1] == 'm')
1983 {
1984 if (++i >= argc) { badarg = TRUE; break; }
1985 expansion_test_message = argv[i];
1986 argrest++;
1987 }
1988 if (argrest[1] != 0) { badarg = TRUE; break; }
1989 }
1990
1991 /* -bF: Run system filter test */
1992
1993 else if (*argrest == 'F')
1994 {
1995 filter_test |= checking = FTEST_SYSTEM;
1996 if (*(++argrest) != 0) { badarg = TRUE; break; }
1997 if (++i < argc) filter_test_sfile = argv[i]; else
1998 exim_fail("exim: file name expected after %s\n", argv[i-1]);
1999 }
2000
2001 /* -bf: Run user filter test
2002 -bfd: Set domain for filter testing
2003 -bfl: Set local part for filter testing
2004 -bfp: Set prefix for filter testing
2005 -bfs: Set suffix for filter testing
2006 */
2007
2008 else if (*argrest == 'f')
2009 {
2010 if (*(++argrest) == 0)
2011 {
2012 filter_test |= checking = FTEST_USER;
2013 if (++i < argc) filter_test_ufile = argv[i]; else
2014 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2015 }
2016 else
2017 {
2018 if (++i >= argc)
2019 exim_fail("exim: string expected after %s\n", arg);
2020 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2021 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2022 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2023 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2024 else { badarg = TRUE; break; }
2025 }
2026 }
2027
2028 /* -bh: Host checking - an IP address must follow. */
2029
2030 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2031 {
2032 if (++i >= argc) { badarg = TRUE; break; }
2033 sender_host_address = argv[i];
2034 host_checking = checking = f.log_testing_mode = TRUE;
2035 f.host_checking_callout = argrest[1] == 'c';
2036 message_logs = FALSE;
2037 }
2038
2039 /* -bi: This option is used by sendmail to initialize *the* alias file,
2040 though it has the -oA option to specify a different file. Exim has no
2041 concept of *the* alias file, but since Sun's YP make script calls
2042 sendmail this way, some support must be provided. */
2043
2044 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2045
2046 /* -bI: provide information, of the type to follow after a colon.
2047 This is an Exim flag. */
2048
2049 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2050 {
2051 uschar *p = &argrest[2];
2052 info_flag = CMDINFO_HELP;
2053 if (Ustrlen(p))
2054 {
2055 if (strcmpic(p, CUS"sieve") == 0)
2056 {
2057 info_flag = CMDINFO_SIEVE;
2058 info_stdout = TRUE;
2059 }
2060 else if (strcmpic(p, CUS"dscp") == 0)
2061 {
2062 info_flag = CMDINFO_DSCP;
2063 info_stdout = TRUE;
2064 }
2065 else if (strcmpic(p, CUS"help") == 0)
2066 {
2067 info_stdout = TRUE;
2068 }
2069 }
2070 }
2071
2072 /* -bm: Accept and deliver message - the default option. Reinstate
2073 receiving_message, which got turned off for all -b options. */
2074
2075 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2076
2077 /* -bmalware: test the filename given for malware */
2078
2079 else if (Ustrcmp(argrest, "malware") == 0)
2080 {
2081 if (++i >= argc) { badarg = TRUE; break; }
2082 checking = TRUE;
2083 malware_test_file = argv[i];
2084 }
2085
2086 /* -bnq: For locally originating messages, do not qualify unqualified
2087 addresses. In the envelope, this causes errors; in header lines they
2088 just get left. */
2089
2090 else if (Ustrcmp(argrest, "nq") == 0)
2091 {
2092 f.allow_unqualified_sender = FALSE;
2093 f.allow_unqualified_recipient = FALSE;
2094 }
2095
2096 /* -bpxx: List the contents of the mail queue, in various forms. If
2097 the option is -bpc, just a queue count is needed. Otherwise, if the
2098 first letter after p is r, then order is random. */
2099
2100 else if (*argrest == 'p')
2101 {
2102 if (*(++argrest) == 'c')
2103 {
2104 count_queue = TRUE;
2105 if (*(++argrest) != 0) badarg = TRUE;
2106 break;
2107 }
2108
2109 if (*argrest == 'r')
2110 {
2111 list_queue_option = 8;
2112 argrest++;
2113 }
2114 else list_queue_option = 0;
2115
2116 list_queue = TRUE;
2117
2118 /* -bp: List the contents of the mail queue, top-level only */
2119
2120 if (*argrest == 0) {}
2121
2122 /* -bpu: List the contents of the mail queue, top-level undelivered */
2123
2124 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2125
2126 /* -bpa: List the contents of the mail queue, including all delivered */
2127
2128 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2129
2130 /* Unknown after -bp[r] */
2131
2132 else
2133 {
2134 badarg = TRUE;
2135 break;
2136 }
2137 }
2138
2139
2140 /* -bP: List the configuration variables given as the address list.
2141 Force -v, so configuration errors get displayed. */
2142
2143 else if (Ustrcmp(argrest, "P") == 0)
2144 {
2145 /* -bP config: we need to setup here, because later,
2146 * when list_options is checked, the config is read already */
2147 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2148 {
2149 list_config = TRUE;
2150 readconf_save_config(version_string);
2151 }
2152 else
2153 {
2154 list_options = TRUE;
2155 debug_selector |= D_v;
2156 debug_file = stderr;
2157 }
2158 }
2159
2160 /* -brt: Test retry configuration lookup */
2161
2162 else if (Ustrcmp(argrest, "rt") == 0)
2163 {
2164 checking = TRUE;
2165 test_retry_arg = i + 1;
2166 goto END_ARG;
2167 }
2168
2169 /* -brw: Test rewrite configuration */
2170
2171 else if (Ustrcmp(argrest, "rw") == 0)
2172 {
2173 checking = TRUE;
2174 test_rewrite_arg = i + 1;
2175 goto END_ARG;
2176 }
2177
2178 /* -bS: Read SMTP commands on standard input, but produce no replies -
2179 all errors are reported by sending messages. */
2180
2181 else if (Ustrcmp(argrest, "S") == 0)
2182 smtp_input = smtp_batched_input = receiving_message = TRUE;
2183
2184 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2185 on standard output. */
2186
2187 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2188
2189 /* -bt: address testing mode */
2190
2191 else if (Ustrcmp(argrest, "t") == 0)
2192 f.address_test_mode = checking = f.log_testing_mode = TRUE;
2193
2194 /* -bv: verify addresses */
2195
2196 else if (Ustrcmp(argrest, "v") == 0)
2197 verify_address_mode = checking = f.log_testing_mode = TRUE;
2198
2199 /* -bvs: verify sender addresses */
2200
2201 else if (Ustrcmp(argrest, "vs") == 0)
2202 {
2203 verify_address_mode = checking = f.log_testing_mode = TRUE;
2204 verify_as_sender = TRUE;
2205 }
2206
2207 /* -bV: Print version string and support details */
2208
2209 else if (Ustrcmp(argrest, "V") == 0)
2210 {
2211 printf("Exim version %s #%s built %s\n", version_string,
2212 version_cnumber, version_date);
2213 printf("%s\n", CS version_copyright);
2214 version_printed = TRUE;
2215 show_whats_supported(stdout);
2216 f.log_testing_mode = TRUE;
2217 }
2218
2219 /* -bw: inetd wait mode, accept a listening socket as stdin */
2220
2221 else if (*argrest == 'w')
2222 {
2223 f.inetd_wait_mode = TRUE;
2224 f.background_daemon = FALSE;
2225 f.daemon_listen = TRUE;
2226 if (*(++argrest) != '\0')
2227 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2228 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
2229 }
2230
2231 else badarg = TRUE;
2232 break;
2233
2234
2235 /* -C: change configuration file list; ignore if it isn't really
2236 a change! Enforce a prefix check if required. */
2237
2238 case 'C':
2239 if (*argrest == 0)
2240 {
2241 if(++i < argc) argrest = argv[i]; else
2242 { badarg = TRUE; break; }
2243 }
2244 if (Ustrcmp(config_main_filelist, argrest) != 0)
2245 {
2246 #ifdef ALT_CONFIG_PREFIX
2247 int sep = 0;
2248 int len = Ustrlen(ALT_CONFIG_PREFIX);
2249 const uschar *list = argrest;
2250 uschar *filename;
2251 while((filename = string_nextinlist(&list, &sep, big_buffer,
2252 big_buffer_size)) != NULL)
2253 {
2254 if ((Ustrlen(filename) < len ||
2255 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2256 Ustrstr(filename, "/../") != NULL) &&
2257 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2258 exim_fail("-C Permission denied\n");
2259 }
2260 #endif
2261 if (real_uid != root_uid)
2262 {
2263 #ifdef TRUSTED_CONFIG_LIST
2264
2265 if (real_uid != exim_uid
2266 #ifdef CONFIGURE_OWNER
2267 && real_uid != config_uid
2268 #endif
2269 )
2270 f.trusted_config = FALSE;
2271 else
2272 {
2273 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2274 if (trust_list)
2275 {
2276 struct stat statbuf;
2277
2278 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2279 (statbuf.st_uid != root_uid /* owner not root */
2280 #ifdef CONFIGURE_OWNER
2281 && statbuf.st_uid != config_uid /* owner not the special one */
2282 #endif
2283 ) || /* or */
2284 (statbuf.st_gid != root_gid /* group not root */
2285 #ifdef CONFIGURE_GROUP
2286 && statbuf.st_gid != config_gid /* group not the special one */
2287 #endif
2288 && (statbuf.st_mode & 020) != 0 /* group writeable */
2289 ) || /* or */
2290 (statbuf.st_mode & 2) != 0) /* world writeable */
2291 {
2292 f.trusted_config = FALSE;
2293 fclose(trust_list);
2294 }
2295 else
2296 {
2297 /* Well, the trust list at least is up to scratch... */
2298 void *reset_point = store_get(0);
2299 uschar *trusted_configs[32];
2300 int nr_configs = 0;
2301 int i = 0;
2302
2303 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2304 {
2305 uschar *start = big_buffer, *nl;
2306 while (*start && isspace(*start))
2307 start++;
2308 if (*start != '/')
2309 continue;
2310 nl = Ustrchr(start, '\n');
2311 if (nl)
2312 *nl = 0;
2313 trusted_configs[nr_configs++] = string_copy(start);
2314 if (nr_configs == 32)
2315 break;
2316 }
2317 fclose(trust_list);
2318
2319 if (nr_configs)
2320 {
2321 int sep = 0;
2322 const uschar *list = argrest;
2323 uschar *filename;
2324 while (f.trusted_config && (filename = string_nextinlist(&list,
2325 &sep, big_buffer, big_buffer_size)) != NULL)
2326 {
2327 for (i=0; i < nr_configs; i++)
2328 {
2329 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2330 break;
2331 }
2332 if (i == nr_configs)
2333 {
2334 f.trusted_config = FALSE;
2335 break;
2336 }
2337 }
2338 store_reset(reset_point);
2339 }
2340 else
2341 {
2342 /* No valid prefixes found in trust_list file. */
2343 f.trusted_config = FALSE;
2344 }
2345 }
2346 }
2347 else
2348 {
2349 /* Could not open trust_list file. */
2350 f.trusted_config = FALSE;
2351 }
2352 }
2353 #else
2354 /* Not root; don't trust config */
2355 f.trusted_config = FALSE;
2356 #endif
2357 }
2358
2359 config_main_filelist = argrest;
2360 f.config_changed = TRUE;
2361 }
2362 break;
2363
2364
2365 /* -D: set up a macro definition */
2366
2367 case 'D':
2368 #ifdef DISABLE_D_OPTION
2369 exim_fail("exim: -D is not available in this Exim binary\n");
2370 #else
2371 {
2372 int ptr = 0;
2373 macro_item *m;
2374 uschar name[24];
2375 uschar *s = argrest;
2376
2377 opt_D_used = TRUE;
2378 while (isspace(*s)) s++;
2379
2380 if (*s < 'A' || *s > 'Z')
2381 exim_fail("exim: macro name set by -D must start with "
2382 "an upper case letter\n");
2383
2384 while (isalnum(*s) || *s == '_')
2385 {
2386 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2387 s++;
2388 }
2389 name[ptr] = 0;
2390 if (ptr == 0) { badarg = TRUE; break; }
2391 while (isspace(*s)) s++;
2392 if (*s != 0)
2393 {
2394 if (*s++ != '=') { badarg = TRUE; break; }
2395 while (isspace(*s)) s++;
2396 }
2397
2398 for (m = macros_user; m; m = m->next)
2399 if (Ustrcmp(m->name, name) == 0)
2400 exim_fail("exim: duplicated -D in command line\n");
2401
2402 m = macro_create(name, s, TRUE);
2403
2404 if (clmacro_count >= MAX_CLMACROS)
2405 exim_fail("exim: too many -D options on command line\n");
2406 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2407 m->replacement);
2408 }
2409 #endif
2410 break;
2411
2412 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2413 The latter is now a no-op, retained for compatibility only. If -dd is used,
2414 debugging subprocesses of the daemon is disabled. */
2415
2416 case 'd':
2417 if (Ustrcmp(argrest, "ropcr") == 0)
2418 {
2419 /* drop_cr = TRUE; */
2420 }
2421
2422 /* Use an intermediate variable so that we don't set debugging while
2423 decoding the debugging bits. */
2424
2425 else
2426 {
2427 unsigned int selector = D_default;
2428 debug_selector = 0;
2429 debug_file = NULL;
2430 if (*argrest == 'd')
2431 {
2432 f.debug_daemon = TRUE;
2433 argrest++;
2434 }
2435 if (*argrest != 0)
2436 decode_bits(&selector, 1, debug_notall, argrest,
2437 debug_options, debug_options_count, US"debug", 0);
2438 debug_selector = selector;
2439 }
2440 break;
2441
2442
2443 /* -E: This is a local error message. This option is not intended for
2444 external use at all, but is not restricted to trusted callers because it
2445 does no harm (just suppresses certain error messages) and if Exim is run
2446 not setuid root it won't always be trusted when it generates error
2447 messages using this option. If there is a message id following -E, point
2448 message_reference at it, for logging. */
2449
2450 case 'E':
2451 f.local_error_message = TRUE;
2452 if (mac_ismsgid(argrest)) message_reference = argrest;
2453 break;
2454
2455
2456 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2457 option, so it looks as if historically the -oex options are also callable
2458 without the leading -o. So we have to accept them. Before the switch,
2459 anything starting -oe has been converted to -e. Exim does not support all
2460 of the sendmail error options. */
2461
2462 case 'e':
2463 if (Ustrcmp(argrest, "e") == 0)
2464 {
2465 arg_error_handling = ERRORS_SENDER;
2466 errors_sender_rc = EXIT_SUCCESS;
2467 }
2468 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2469 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2470 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2471 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2472 else badarg = TRUE;
2473 break;
2474
2475
2476 /* -F: Set sender's full name, used instead of the gecos entry from
2477 the password file. Since users can usually alter their gecos entries,
2478 there's no security involved in using this instead. The data can follow
2479 the -F or be in the next argument. */
2480
2481 case 'F':
2482 if (*argrest == 0)
2483 {
2484 if(++i < argc) argrest = argv[i]; else
2485 { badarg = TRUE; break; }
2486 }
2487 originator_name = argrest;
2488 f.sender_name_forced = TRUE;
2489 break;
2490
2491
2492 /* -f: Set sender's address - this value is only actually used if Exim is
2493 run by a trusted user, or if untrusted_set_sender is set and matches the
2494 address, except that the null address can always be set by any user. The
2495 test for this happens later, when the value given here is ignored when not
2496 permitted. For an untrusted user, the actual sender is still put in Sender:
2497 if it doesn't match the From: header (unless no_local_from_check is set).
2498 The data can follow the -f or be in the next argument. The -r switch is an
2499 obsolete form of -f but since there appear to be programs out there that
2500 use anything that sendmail has ever supported, better accept it - the
2501 synonymizing is done before the switch above.
2502
2503 At this stage, we must allow domain literal addresses, because we don't
2504 know what the setting of allow_domain_literals is yet. Ditto for trailing
2505 dots and strip_trailing_dot. */
2506
2507 case 'f':
2508 {
2509 int dummy_start, dummy_end;
2510 uschar *errmess;
2511 if (*argrest == 0)
2512 {
2513 if (i+1 < argc) argrest = argv[++i]; else
2514 { badarg = TRUE; break; }
2515 }
2516 if (*argrest == 0)
2517 sender_address = string_sprintf(""); /* Ensure writeable memory */
2518 else
2519 {
2520 uschar *temp = argrest + Ustrlen(argrest) - 1;
2521 while (temp >= argrest && isspace(*temp)) temp--;
2522 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2523 allow_domain_literals = TRUE;
2524 strip_trailing_dot = TRUE;
2525 #ifdef SUPPORT_I18N
2526 allow_utf8_domains = TRUE;
2527 #endif
2528 sender_address = parse_extract_address(argrest, &errmess,
2529 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
2530 #ifdef SUPPORT_I18N
2531 message_smtputf8 = string_is_utf8(sender_address);
2532 allow_utf8_domains = FALSE;
2533 #endif
2534 allow_domain_literals = FALSE;
2535 strip_trailing_dot = FALSE;
2536 if (!sender_address)
2537 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
2538 }
2539 f.sender_address_forced = TRUE;
2540 }
2541 break;
2542
2543 /* -G: sendmail invocation to specify that it's a gateway submission and
2544 sendmail may complain about problems instead of fixing them.
2545 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2546 not at this time complain about problems. */
2547
2548 case 'G':
2549 flag_G = TRUE;
2550 break;
2551
2552 /* -h: Set the hop count for an incoming message. Exim does not currently
2553 support this; it always computes it by counting the Received: headers.
2554 To put it in will require a change to the spool header file format. */
2555
2556 case 'h':
2557 if (*argrest == 0)
2558 {
2559 if(++i < argc) argrest = argv[i]; else
2560 { badarg = TRUE; break; }
2561 }
2562 if (!isdigit(*argrest)) badarg = TRUE;
2563 break;
2564
2565
2566 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2567 not to be documented for sendmail but mailx (at least) uses it) */
2568
2569 case 'i':
2570 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
2571 break;
2572
2573
2574 /* -L: set the identifier used for syslog; equivalent to setting
2575 syslog_processname in the config file, but needs to be an admin option. */
2576
2577 case 'L':
2578 if (*argrest == '\0')
2579 {
2580 if(++i < argc) argrest = argv[i]; else
2581 { badarg = TRUE; break; }
2582 }
2583 if ((sz = Ustrlen(argrest)) > 32)
2584 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
2585 if (sz < 1)
2586 exim_fail("exim: the -L syslog name is too short\n");
2587 cmdline_syslog_name = argrest;
2588 break;
2589
2590 case 'M':
2591 receiving_message = FALSE;
2592
2593 /* -MC: continue delivery of another message via an existing open
2594 file descriptor. This option is used for an internal call by the
2595 smtp transport when there is a pending message waiting to go to an
2596 address to which it has got a connection. Five subsequent arguments are
2597 required: transport name, host name, IP address, sequence number, and
2598 message_id. Transports may decline to create new processes if the sequence
2599 number gets too big. The channel is stdin. This (-MC) must be the last
2600 argument. There's a subsequent check that the real-uid is privileged.
2601
2602 If we are running in the test harness. delay for a bit, to let the process
2603 that set this one up complete. This makes for repeatability of the logging,
2604 etc. output. */
2605
2606 if (Ustrcmp(argrest, "C") == 0)
2607 {
2608 union sockaddr_46 interface_sock;
2609 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2610
2611 if (argc != i + 6)
2612 exim_fail("exim: too many or too few arguments after -MC\n");
2613
2614 if (msg_action_arg >= 0)
2615 exim_fail("exim: incompatible arguments\n");
2616
2617 continue_transport = argv[++i];
2618 continue_hostname = argv[++i];
2619 continue_host_address = argv[++i];
2620 continue_sequence = Uatoi(argv[++i]);
2621 msg_action = MSG_DELIVER;
2622 msg_action_arg = ++i;
2623 forced_delivery = TRUE;
2624 queue_run_pid = passed_qr_pid;
2625 queue_run_pipe = passed_qr_pipe;
2626
2627 if (!mac_ismsgid(argv[i]))
2628 exim_fail("exim: malformed message id %s after -MC option\n",
2629 argv[i]);
2630
2631 /* Set up $sending_ip_address and $sending_port, unless proxied */
2632
2633 if (!continue_proxy_cipher)
2634 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2635 &size) == 0)
2636 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2637 &sending_port);
2638 else
2639 exim_fail("exim: getsockname() failed after -MC option: %s\n",
2640 strerror(errno));
2641
2642 if (f.running_in_test_harness) millisleep(500);
2643 break;
2644 }
2645
2646 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2647 {
2648 switch(argrest[1])
2649 {
2650 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2651 precedes -MC (see above). The flag indicates that the host to which
2652 Exim is connected has accepted an AUTH sequence. */
2653
2654 case 'A': f.smtp_authenticated = TRUE; break;
2655
2656 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2657 that exim is connected to supports the esmtp extension DSN */
2658
2659 case 'D': smtp_peer_options |= OPTION_DSN; break;
2660
2661 /* -MCG: set the queue name, to a non-default value */
2662
2663 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2664 else badarg = TRUE;
2665 break;
2666
2667 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2668
2669 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
2670
2671 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2672 it preceded -MC (see above) */
2673
2674 case 'P': smtp_peer_options |= OPTION_PIPE; break;
2675
2676 /* -MCQ: pass on the pid of the queue-running process that started
2677 this chain of deliveries and the fd of its synchronizing pipe; this
2678 is useful only when it precedes -MC (see above) */
2679
2680 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2681 else badarg = TRUE;
2682 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2683 else badarg = TRUE;
2684 break;
2685
2686 /* -MCS: set the smtp_use_size flag; this is useful only when it
2687 precedes -MC (see above) */
2688
2689 case 'S': smtp_peer_options |= OPTION_SIZE; break;
2690
2691 #ifdef SUPPORT_TLS
2692 /* -MCt: similar to -MCT below but the connection is still open
2693 via a proxy proces which handles the TLS context and coding.
2694 Require three arguments for the proxied local address and port,
2695 and the TLS cipher. */
2696
2697 case 't': if (++i < argc) sending_ip_address = argv[i];
2698 else badarg = TRUE;
2699 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2700 else badarg = TRUE;
2701 if (++i < argc) continue_proxy_cipher = argv[i];
2702 else badarg = TRUE;
2703 /*FALLTHROUGH*/
2704
2705 /* -MCT: set the tls_offered flag; this is useful only when it
2706 precedes -MC (see above). The flag indicates that the host to which
2707 Exim is connected has offered TLS support. */
2708
2709 case 'T': smtp_peer_options |= OPTION_TLS; break;
2710 #endif
2711
2712 default: badarg = TRUE; break;
2713 }
2714 break;
2715 }
2716
2717 #if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_REQUIRETLS)
2718 /* -MS set REQUIRETLS on (new) message */
2719
2720 else if (*argrest == 'S')
2721 {
2722 tls_requiretls |= REQUIRETLS_MSG;
2723 break;
2724 }
2725 #endif
2726
2727 /* -M[x]: various operations on the following list of message ids:
2728 -M deliver the messages, ignoring next retry times and thawing
2729 -Mc deliver the messages, checking next retry times, no thawing
2730 -Mf freeze the messages
2731 -Mg give up on the messages
2732 -Mt thaw the messages
2733 -Mrm remove the messages
2734 In the above cases, this must be the last option. There are also the
2735 following options which are followed by a single message id, and which
2736 act on that message. Some of them use the "recipient" addresses as well.
2737 -Mar add recipient(s)
2738 -Mmad mark all recipients delivered
2739 -Mmd mark recipients(s) delivered
2740 -Mes edit sender
2741 -Mset load a message for use with -be
2742 -Mvb show body
2743 -Mvc show copy (of whole message, in RFC 2822 format)
2744 -Mvh show header
2745 -Mvl show log
2746 */
2747
2748 else if (*argrest == 0)
2749 {
2750 msg_action = MSG_DELIVER;
2751 forced_delivery = f.deliver_force_thaw = TRUE;
2752 }
2753 else if (Ustrcmp(argrest, "ar") == 0)
2754 {
2755 msg_action = MSG_ADD_RECIPIENT;
2756 one_msg_action = TRUE;
2757 }
2758 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2759 else if (Ustrcmp(argrest, "es") == 0)
2760 {
2761 msg_action = MSG_EDIT_SENDER;
2762 one_msg_action = TRUE;
2763 }
2764 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2765 else if (Ustrcmp(argrest, "g") == 0)
2766 {
2767 msg_action = MSG_DELIVER;
2768 deliver_give_up = TRUE;
2769 }
2770 else if (Ustrcmp(argrest, "mad") == 0)
2771 {
2772 msg_action = MSG_MARK_ALL_DELIVERED;
2773 }
2774 else if (Ustrcmp(argrest, "md") == 0)
2775 {
2776 msg_action = MSG_MARK_DELIVERED;
2777 one_msg_action = TRUE;
2778 }
2779 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2780 else if (Ustrcmp(argrest, "set") == 0)
2781 {
2782 msg_action = MSG_LOAD;
2783 one_msg_action = TRUE;
2784 }
2785 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2786 else if (Ustrcmp(argrest, "vb") == 0)
2787 {
2788 msg_action = MSG_SHOW_BODY;
2789 one_msg_action = TRUE;
2790 }
2791 else if (Ustrcmp(argrest, "vc") == 0)
2792 {
2793 msg_action = MSG_SHOW_COPY;
2794 one_msg_action = TRUE;
2795 }
2796 else if (Ustrcmp(argrest, "vh") == 0)
2797 {
2798 msg_action = MSG_SHOW_HEADER;
2799 one_msg_action = TRUE;
2800 }
2801 else if (Ustrcmp(argrest, "vl") == 0)
2802 {
2803 msg_action = MSG_SHOW_LOG;
2804 one_msg_action = TRUE;
2805 }
2806 else { badarg = TRUE; break; }
2807
2808 /* All the -Mxx options require at least one message id. */
2809
2810 msg_action_arg = i + 1;
2811 if (msg_action_arg >= argc)
2812 exim_fail("exim: no message ids given after %s option\n", arg);
2813
2814 /* Some require only message ids to follow */
2815
2816 if (!one_msg_action)
2817 {
2818 int j;
2819 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2820 exim_fail("exim: malformed message id %s after %s option\n",
2821 argv[j], arg);
2822 goto END_ARG; /* Remaining args are ids */
2823 }
2824
2825 /* Others require only one message id, possibly followed by addresses,
2826 which will be handled as normal arguments. */
2827
2828 else
2829 {
2830 if (!mac_ismsgid(argv[msg_action_arg]))
2831 exim_fail("exim: malformed message id %s after %s option\n",
2832 argv[msg_action_arg], arg);
2833 i++;
2834 }
2835 break;
2836
2837
2838 /* Some programs seem to call the -om option without the leading o;
2839 for sendmail it askes for "me too". Exim always does this. */
2840
2841 case 'm':
2842 if (*argrest != 0) badarg = TRUE;
2843 break;
2844
2845
2846 /* -N: don't do delivery - a debugging option that stops transports doing
2847 their thing. It implies debugging at the D_v level. */
2848
2849 case 'N':
2850 if (*argrest == 0)
2851 {
2852 f.dont_deliver = TRUE;
2853 debug_selector |= D_v;
2854 debug_file = stderr;
2855 }
2856 else badarg = TRUE;
2857 break;
2858
2859
2860 /* -n: This means "don't alias" in sendmail, apparently.
2861 For normal invocations, it has no effect.
2862 It may affect some other options. */
2863
2864 case 'n':
2865 flag_n = TRUE;
2866 break;
2867
2868 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2869 option to the specified value. This form uses long names. We need to handle
2870 -O option=value and -Ooption=value. */
2871
2872 case 'O':
2873 if (*argrest == 0)
2874 {
2875 if (++i >= argc)
2876 exim_fail("exim: string expected after -O\n");
2877 }
2878 break;
2879
2880 case 'o':
2881
2882 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2883 file" option). */
2884
2885 if (*argrest == 'A')
2886 {
2887 alias_arg = argrest + 1;
2888 if (alias_arg[0] == 0)
2889 {
2890 if (i+1 < argc) alias_arg = argv[++i]; else
2891 exim_fail("exim: string expected after -oA\n");
2892 }
2893 }
2894
2895 /* -oB: Set a connection message max value for remote deliveries */
2896
2897 else if (*argrest == 'B')
2898 {
2899 uschar *p = argrest + 1;
2900 if (p[0] == 0)
2901 {
2902 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2903 {
2904 connection_max_messages = 1;
2905 p = NULL;
2906 }
2907 }
2908
2909 if (p != NULL)
2910 {
2911 if (!isdigit(*p))
2912 exim_fail("exim: number expected after -oB\n");
2913 connection_max_messages = Uatoi(p);
2914 }
2915 }
2916
2917 /* -odb: background delivery */
2918
2919 else if (Ustrcmp(argrest, "db") == 0)
2920 {
2921 f.synchronous_delivery = FALSE;
2922 arg_queue_only = FALSE;
2923 queue_only_set = TRUE;
2924 }
2925
2926 /* -odf: foreground delivery (smail-compatible option); same effect as
2927 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2928 */
2929
2930 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2931 {
2932 f.synchronous_delivery = TRUE;
2933 arg_queue_only = FALSE;
2934 queue_only_set = TRUE;
2935 }
2936
2937 /* -odq: queue only */
2938
2939 else if (Ustrcmp(argrest, "dq") == 0)
2940 {
2941 f.synchronous_delivery = FALSE;
2942 arg_queue_only = TRUE;
2943 queue_only_set = TRUE;
2944 }
2945
2946 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2947 but no remote delivery */
2948
2949 else if (Ustrcmp(argrest, "dqs") == 0)
2950 {
2951 f.queue_smtp = TRUE;
2952 arg_queue_only = FALSE;
2953 queue_only_set = TRUE;
2954 }
2955
2956 /* -oex: Sendmail error flags. As these are also accepted without the
2957 leading -o prefix, for compatibility with vacation and other callers,
2958 they are handled with -e above. */
2959
2960 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2961 -oitrue: Another sendmail syntax for the same */
2962
2963 else if (Ustrcmp(argrest, "i") == 0 ||
2964 Ustrcmp(argrest, "itrue") == 0)
2965 f.dot_ends = FALSE;
2966
2967 /* -oM*: Set various characteristics for an incoming message; actually
2968 acted on for trusted callers only. */
2969
2970 else if (*argrest == 'M')
2971 {
2972 if (i+1 >= argc)
2973 exim_fail("exim: data expected after -o%s\n", argrest);
2974
2975 /* -oMa: Set sender host address */
2976
2977 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2978
2979 /* -oMaa: Set authenticator name */
2980
2981 else if (Ustrcmp(argrest, "Maa") == 0)
2982 sender_host_authenticated = argv[++i];
2983
2984 /* -oMas: setting authenticated sender */
2985
2986 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2987
2988 /* -oMai: setting authenticated id */
2989
2990 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2991
2992 /* -oMi: Set incoming interface address */
2993
2994 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2995
2996 /* -oMm: Message reference */
2997
2998 else if (Ustrcmp(argrest, "Mm") == 0)
2999 {
3000 if (!mac_ismsgid(argv[i+1]))
3001 exim_fail("-oMm must be a valid message ID\n");
3002 if (!f.trusted_config)
3003 exim_fail("-oMm must be called by a trusted user/config\n");
3004 message_reference = argv[++i];
3005 }
3006
3007 /* -oMr: Received protocol */
3008
3009 else if (Ustrcmp(argrest, "Mr") == 0)
3010
3011 if (received_protocol)
3012 exim_fail("received_protocol is set already\n");
3013 else
3014 received_protocol = argv[++i];
3015
3016 /* -oMs: Set sender host name */
3017
3018 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3019
3020 /* -oMt: Set sender ident */
3021
3022 else if (Ustrcmp(argrest, "Mt") == 0)
3023 {
3024 sender_ident_set = TRUE;
3025 sender_ident = argv[++i];
3026 }
3027
3028 /* Else a bad argument */
3029
3030 else
3031 {
3032 badarg = TRUE;
3033 break;
3034 }
3035 }
3036
3037 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3038 seem to call this as -m (undocumented), so that is also accepted (see
3039 above). */
3040
3041 else if (Ustrcmp(argrest, "m") == 0) {}
3042
3043 /* -oo: An ancient flag for old-style addresses which still seems to
3044 crop up in some calls (see in SCO). */
3045
3046 else if (Ustrcmp(argrest, "o") == 0) {}
3047
3048 /* -oP <name>: set pid file path for daemon */
3049
3050 else if (Ustrcmp(argrest, "P") == 0)
3051 override_pid_file_path = argv[++i];
3052
3053 /* -or <n>: set timeout for non-SMTP acceptance
3054 -os <n>: set timeout for SMTP acceptance */
3055
3056 else if (*argrest == 'r' || *argrest == 's')
3057 {
3058 int *tp = (*argrest == 'r')?
3059 &arg_receive_timeout : &arg_smtp_receive_timeout;
3060 if (argrest[1] == 0)
3061 {
3062 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3063 }
3064 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3065 if (*tp < 0)
3066 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3067 }
3068
3069 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3070
3071 else if (Ustrcmp(argrest, "X") == 0)
3072 override_local_interfaces = argv[++i];
3073
3074 /* Unknown -o argument */
3075
3076 else badarg = TRUE;
3077 break;
3078
3079
3080 /* -ps: force Perl startup; -pd force delayed Perl startup */
3081
3082 case 'p':
3083 #ifdef EXIM_PERL
3084 if (*argrest == 's' && argrest[1] == 0)
3085 {
3086 perl_start_option = 1;
3087 break;
3088 }
3089 if (*argrest == 'd' && argrest[1] == 0)
3090 {
3091 perl_start_option = -1;
3092 break;
3093 }
3094 #endif
3095
3096 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3097 which sets the host protocol and host name */
3098
3099 if (*argrest == 0)
3100 if (i+1 < argc)
3101 argrest = argv[++i];
3102 else
3103 { badarg = TRUE; break; }
3104
3105 if (*argrest != 0)
3106 {
3107 uschar *hn;
3108
3109 if (received_protocol)
3110 exim_fail("received_protocol is set already\n");
3111
3112 hn = Ustrchr(argrest, ':');
3113 if (hn == NULL)
3114 received_protocol = argrest;
3115 else
3116 {
3117 int old_pool = store_pool;
3118 store_pool = POOL_PERM;
3119 received_protocol = string_copyn(argrest, hn - argrest);
3120 store_pool = old_pool;
3121 sender_host_name = hn + 1;
3122 }
3123 }
3124 break;
3125
3126
3127 case 'q':
3128 receiving_message = FALSE;
3129 if (queue_interval >= 0)
3130 exim_fail("exim: -q specified more than once\n");
3131
3132 /* -qq...: Do queue runs in a 2-stage manner */
3133
3134 if (*argrest == 'q')
3135 {
3136 f.queue_2stage = TRUE;
3137 argrest++;
3138 }
3139
3140 /* -qi...: Do only first (initial) deliveries */
3141
3142 if (*argrest == 'i')
3143 {
3144 f.queue_run_first_delivery = TRUE;
3145 argrest++;
3146 }
3147
3148 /* -qf...: Run the queue, forcing deliveries
3149 -qff..: Ditto, forcing thawing as well */
3150
3151 if (*argrest == 'f')
3152 {
3153 f.queue_run_force = TRUE;
3154 if (*++argrest == 'f')
3155 {
3156 f.deliver_force_thaw = TRUE;
3157 argrest++;
3158 }
3159 }
3160
3161 /* -q[f][f]l...: Run the queue only on local deliveries */
3162
3163 if (*argrest == 'l')
3164 {
3165 f.queue_run_local = TRUE;
3166 argrest++;
3167 }
3168
3169 /* -q[f][f][l][G<name>]... Work on the named queue */
3170
3171 if (*argrest == 'G')
3172 {
3173 int i;
3174 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3175 queue_name = string_copyn(argrest, i);
3176 argrest += i;
3177 if (*argrest == '/') argrest++;
3178 }
3179
3180 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3181 only, optionally named, optionally starting from a given message id. */
3182
3183 if (*argrest == 0 &&
3184 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3185 {
3186 queue_interval = 0;
3187 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3188 start_queue_run_id = argv[++i];
3189 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3190 stop_queue_run_id = argv[++i];
3191 }
3192
3193 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3194 forced, optionally local only, optionally named. */
3195
3196 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3197 0, FALSE)) <= 0)
3198 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3199 break;
3200
3201
3202 case 'R': /* Synonymous with -qR... */
3203 receiving_message = FALSE;
3204
3205 /* -Rf: As -R (below) but force all deliveries,
3206 -Rff: Ditto, but also thaw all frozen messages,
3207 -Rr: String is regex
3208 -Rrf: Regex and force
3209 -Rrff: Regex and force and thaw
3210
3211 in all cases provided there are no further characters in this
3212 argument. */
3213
3214 if (*argrest != 0)
3215 {
3216 int i;
3217 for (i = 0; i < nelem(rsopts); i++)
3218 if (Ustrcmp(argrest, rsopts[i]) == 0)
3219 {
3220 if (i != 2) f.queue_run_force = TRUE;
3221 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3222 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3223 argrest += Ustrlen(rsopts[i]);
3224 }
3225 }
3226
3227 /* -R: Set string to match in addresses for forced queue run to
3228 pick out particular messages. */
3229
3230 if (*argrest)
3231 deliver_selectstring = argrest;
3232 else if (i+1 < argc)
3233 deliver_selectstring = argv[++i];
3234 else
3235 exim_fail("exim: string expected after -R\n");
3236 break;
3237
3238
3239 /* -r: an obsolete synonym for -f (see above) */
3240
3241
3242 /* -S: Like -R but works on sender. */
3243
3244 case 'S': /* Synonymous with -qS... */
3245 receiving_message = FALSE;
3246
3247 /* -Sf: As -S (below) but force all deliveries,
3248 -Sff: Ditto, but also thaw all frozen messages,
3249 -Sr: String is regex
3250 -Srf: Regex and force
3251 -Srff: Regex and force and thaw
3252
3253 in all cases provided there are no further characters in this
3254 argument. */
3255
3256 if (*argrest)
3257 {
3258 int i;
3259 for (i = 0; i < nelem(rsopts); i++)
3260 if (Ustrcmp(argrest, rsopts[i]) == 0)
3261 {
3262 if (i != 2) f.queue_run_force = TRUE;
3263 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3264 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3265 argrest += Ustrlen(rsopts[i]);
3266 }
3267 }
3268
3269 /* -S: Set string to match in addresses for forced queue run to
3270 pick out particular messages. */
3271
3272 if (*argrest)
3273 deliver_selectstring_sender = argrest;
3274 else if (i+1 < argc)
3275 deliver_selectstring_sender = argv[++i];
3276 else
3277 exim_fail("exim: string expected after -S\n");
3278 break;
3279
3280 /* -Tqt is an option that is exclusively for use by the testing suite.
3281 It is not recognized in other circumstances. It allows for the setting up
3282 of explicit "queue times" so that various warning/retry things can be
3283 tested. Otherwise variability of clock ticks etc. cause problems. */
3284
3285 case 'T':
3286 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3287 fudged_queue_times = argv[++i];
3288 else badarg = TRUE;
3289 break;
3290
3291
3292 /* -t: Set flag to extract recipients from body of message. */
3293
3294 case 't':
3295 if (*argrest == 0) extract_recipients = TRUE;
3296
3297 /* -ti: Set flag to extract recipients from body of message, and also
3298 specify that dot does not end the message. */
3299
3300 else if (Ustrcmp(argrest, "i") == 0)
3301 {
3302 extract_recipients = TRUE;
3303 f.dot_ends = FALSE;
3304 }
3305
3306 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3307
3308 #ifdef SUPPORT_TLS
3309 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
3310 #endif
3311
3312 else badarg = TRUE;
3313 break;
3314
3315
3316 /* -U: This means "initial user submission" in sendmail, apparently. The
3317 doc claims that in future sendmail may refuse syntactically invalid
3318 messages instead of fixing them. For the moment, we just ignore it. */
3319
3320 case 'U':
3321 break;
3322
3323
3324 /* -v: verify things - this is a very low-level debugging */
3325
3326 case 'v':
3327 if (*argrest == 0)
3328 {
3329 debug_selector |= D_v;
3330 debug_file = stderr;
3331 }
3332 else badarg = TRUE;
3333 break;
3334
3335
3336 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3337
3338 The -x flag tells the sendmail command that mail from a local
3339 mail program has National Language Support (NLS) extended characters
3340 in the body of the mail item. The sendmail command can send mail with
3341 extended NLS characters across networks that normally corrupts these
3342 8-bit characters.
3343
3344 As Exim is 8-bit clean, it just ignores this flag. */
3345
3346 case 'x':
3347 if (*argrest != 0) badarg = TRUE;
3348 break;
3349
3350 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3351 logs to that file. We swallow the parameter and otherwise ignore it. */
3352
3353 case 'X':
3354 if (*argrest == '\0')
3355 if (++i >= argc)
3356 exim_fail("exim: string expected after -X\n");
3357 break;
3358
3359 case 'z':
3360 if (*argrest == '\0')
3361 if (++i < argc)
3362 log_oneline = argv[i];
3363 else
3364 exim_fail("exim: file name expected after %s\n", argv[i-1]);
3365 break;
3366
3367 /* All other initial characters are errors */
3368
3369 default:
3370 badarg = TRUE;
3371 break;
3372 } /* End of high-level switch statement */
3373
3374 /* Failed to recognize the option, or syntax error */
3375
3376 if (badarg)
3377 exim_fail("exim abandoned: unknown, malformed, or incomplete "
3378 "option %s\n", arg);
3379 }
3380
3381
3382 /* If -R or -S have been specified without -q, assume a single queue run. */
3383
3384 if ( (deliver_selectstring || deliver_selectstring_sender)
3385 && queue_interval < 0)
3386 queue_interval = 0;
3387
3388
3389 END_ARG:
3390 /* If usage_wanted is set we call the usage function - which never returns */
3391 if (usage_wanted) exim_usage(called_as);
3392
3393 /* Arguments have been processed. Check for incompatibilities. */
3394 if ((
3395 (smtp_input || extract_recipients || recipients_arg < argc) &&
3396 (f.daemon_listen || queue_interval >= 0 || bi_option ||
3397 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3398 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3399 ) ||
3400 (
3401 msg_action_arg > 0 &&
3402 (f.daemon_listen || queue_interval > 0 || list_options ||
3403 (checking && msg_action != MSG_LOAD) ||
3404 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3405 ) ||
3406 (
3407 (f.daemon_listen || queue_interval > 0) &&
3408 (sender_address != NULL || list_options || list_queue || checking ||
3409 bi_option)
3410 ) ||
3411 (
3412 f.daemon_listen && queue_interval == 0
3413 ) ||
3414 (
3415 f.inetd_wait_mode && queue_interval >= 0
3416 ) ||
3417 (
3418 list_options &&
3419 (checking || smtp_input || extract_recipients ||
3420 filter_test != FTEST_NONE || bi_option)
3421 ) ||
3422 (
3423 verify_address_mode &&
3424 (f.address_test_mode || smtp_input || extract_recipients ||
3425 filter_test != FTEST_NONE || bi_option)
3426 ) ||
3427 (
3428 f.address_test_mode && (smtp_input || extract_recipients ||
3429 filter_test != FTEST_NONE || bi_option)
3430 ) ||
3431 (
3432 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3433 extract_recipients)
3434 ) ||
3435 (
3436 deliver_selectstring != NULL && queue_interval < 0
3437 ) ||
3438 (
3439 msg_action == MSG_LOAD &&
3440 (!expansion_test || expansion_test_message != NULL)
3441 )
3442 )
3443 exim_fail("exim: incompatible command-line options or arguments\n");
3444
3445 /* If debugging is set up, set the file and the file descriptor to pass on to
3446 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3447 to run in the foreground. */
3448
3449 if (debug_selector != 0)
3450 {
3451 debug_file = stderr;
3452 debug_fd = fileno(debug_file);
3453 f.background_daemon = FALSE;
3454 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
3455 if (debug_selector != D_v) /* -v only doesn't show this */
3456 {
3457 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3458 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3459 debug_selector);
3460 if (!version_printed)
3461 show_whats_supported(stderr);
3462 }
3463 }
3464
3465 /* When started with root privilege, ensure that the limits on the number of
3466 open files and the number of processes (where that is accessible) are
3467 sufficiently large, or are unset, in case Exim has been called from an
3468 environment where the limits are screwed down. Not all OS have the ability to
3469 change some of these limits. */
3470
3471 if (unprivileged)
3472 {
3473 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3474 }
3475 else
3476 {
3477 struct rlimit rlp;
3478
3479 #ifdef RLIMIT_NOFILE
3480 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3481 {
3482 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3483 strerror(errno));
3484 rlp.rlim_cur = rlp.rlim_max = 0;
3485 }
3486
3487 /* I originally chose 1000 as a nice big number that was unlikely to
3488 be exceeded. It turns out that some older OS have a fixed upper limit of
3489 256. */
3490
3491 if (rlp.rlim_cur < 1000)
3492 {
3493 rlp.rlim_cur = rlp.rlim_max = 1000;
3494 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3495 {
3496 rlp.rlim_cur = rlp.rlim_max = 256;
3497 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3498 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3499 strerror(errno));
3500 }
3501 }
3502 #endif
3503
3504 #ifdef RLIMIT_NPROC
3505 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3506 {
3507 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3508 strerror(errno));
3509 rlp.rlim_cur = rlp.rlim_max = 0;
3510 }
3511
3512 #ifdef RLIM_INFINITY
3513 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3514 {
3515 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3516 #else
3517 if (rlp.rlim_cur < 1000)
3518 {
3519 rlp.rlim_cur = rlp.rlim_max = 1000;
3520 #endif
3521 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3522 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3523 strerror(errno));
3524 }
3525 #endif
3526 }
3527
3528 /* Exim is normally entered as root (but some special configurations are
3529 possible that don't do this). However, it always spins off sub-processes that
3530 set their uid and gid as required for local delivery. We don't want to pass on
3531 any extra groups that root may belong to, so we want to get rid of them all at
3532 this point.
3533
3534 We need to obey setgroups() at this stage, before possibly giving up root
3535 privilege for a changed configuration file, but later on we might need to
3536 check on the additional groups for the admin user privilege - can't do that
3537 till after reading the config, which might specify the exim gid. Therefore,
3538 save the group list here first. */
3539
3540 if ((group_count = getgroups(nelem(group_list), group_list)) < 0)
3541 exim_fail("exim: getgroups() failed: %s\n", strerror(errno));
3542
3543 /* There is a fundamental difference in some BSD systems in the matter of
3544 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3545 known not to be different. On the "different" systems there is a single group
3546 list, and the first entry in it is the current group. On all other versions of
3547 Unix there is a supplementary group list, which is in *addition* to the current
3548 group. Consequently, to get rid of all extraneous groups on a "standard" system
3549 you pass over 0 groups to setgroups(), while on a "different" system you pass
3550 over a single group - the current group, which is always the first group in the
3551 list. Calling setgroups() with zero groups on a "different" system results in
3552 an error return. The following code should cope with both types of system.
3553
3554 Unfortunately, recent MacOS, which should be a FreeBSD, "helpfully" succeeds
3555 the "setgroups() with zero groups" - and changes the egid.
3556 Thanks to that we had to stash the original_egid above, for use below
3557 in the call to exim_setugid().
3558
3559 However, if this process isn't running as root, setgroups() can't be used
3560 since you have to be root to run it, even if throwing away groups. Not being
3561 root here happens only in some unusual configurations. We just ignore the
3562 error. */
3563
3564 if (setgroups(0, NULL) != 0 && setgroups(1, group_list) != 0 && !unprivileged)
3565 exim_fail("exim: setgroups() failed: %s\n", strerror(errno));
3566
3567 /* If the configuration file name has been altered by an argument on the
3568 command line (either a new file name or a macro definition) and the caller is
3569 not root, or if this is a filter testing run, remove any setuid privilege the
3570 program has and run as the underlying user.
3571
3572 The exim user is locked out of this, which severely restricts the use of -C
3573 for some purposes.
3574
3575 Otherwise, set the real ids to the effective values (should be root unless run
3576 from inetd, which it can either be root or the exim uid, if one is configured).
3577
3578 There is a private mechanism for bypassing some of this, in order to make it
3579 possible to test lots of configurations automatically, without having either to
3580 recompile each time, or to patch in an actual configuration file name and other
3581 values (such as the path name). If running in the test harness, pretend that
3582 configuration file changes and macro definitions haven't happened. */
3583
3584 if (( /* EITHER */
3585 (!f.trusted_config || /* Config changed, or */
3586 !macros_trusted(opt_D_used)) && /* impermissible macros and */
3587 real_uid != root_uid && /* Not root, and */
3588 !f.running_in_test_harness /* Not fudged */
3589 ) || /* OR */
3590 expansion_test /* expansion testing */
3591 || /* OR */
3592 filter_test != FTEST_NONE) /* Filter testing */
3593 {
3594 setgroups(group_count, group_list);
3595 exim_setugid(real_uid, real_gid, FALSE,
3596 US"-C, -D, -be or -bf forces real uid");
3597 removed_privilege = TRUE;
3598
3599 /* In the normal case when Exim is called like this, stderr is available
3600 and should be used for any logging information because attempts to write
3601 to the log will usually fail. To arrange this, we unset really_exim. However,
3602 if no stderr is available there is no point - we might as well have a go
3603 at the log (if it fails, syslog will be written).
3604
3605 Note that if the invoker is Exim, the logs remain available. Messing with
3606 this causes unlogged successful deliveries. */
3607
3608 if (log_stderr && real_uid != exim_uid)
3609 f.really_exim = FALSE;
3610 }
3611
3612 /* Privilege is to be retained for the moment. It may be dropped later,
3613 depending on the job that this Exim process has been asked to do. For now, set
3614 the real uid to the effective so that subsequent re-execs of Exim are done by a
3615 privileged user. */
3616
3617 else
3618 exim_setugid(geteuid(), original_egid, FALSE, US"forcing real = effective");
3619
3620 /* If testing a filter, open the file(s) now, before wasting time doing other
3621 setups and reading the message. */
3622
3623 if (filter_test & FTEST_SYSTEM)
3624 if ((filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0)) < 0)
3625 exim_fail("exim: failed to open %s: %s\n", filter_test_sfile,
3626 strerror(errno));
3627
3628 if (filter_test & FTEST_USER)
3629 if ((filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0)) < 0)
3630 exim_fail("exim: failed to open %s: %s\n", filter_test_ufile,
3631 strerror(errno));
3632
3633 /* Initialise lookup_list
3634 If debugging, already called above via version reporting.
3635 In either case, we initialise the list of available lookups while running
3636 as root. All dynamically modules are loaded from a directory which is
3637 hard-coded into the binary and is code which, if not a module, would be
3638 part of Exim already. Ability to modify the content of the directory
3639 is equivalent to the ability to modify a setuid binary!
3640
3641 This needs to happen before we read the main configuration. */
3642 init_lookup_list();
3643
3644 #ifdef SUPPORT_I18N
3645 if (f.running_in_test_harness) smtputf8_advertise_hosts = NULL;
3646 #endif
3647
3648 /* Read the main runtime configuration data; this gives up if there
3649 is a failure. It leaves the configuration file open so that the subsequent
3650 configuration data for delivery can be read if needed.
3651
3652 NOTE: immediatly after opening the configuration file we change the working
3653 directory to "/"! Later we change to $spool_directory. We do it there, because
3654 during readconf_main() some expansion takes place already. */
3655
3656 /* Store the initial cwd before we change directories. Can be NULL if the
3657 dir has already been unlinked. */
3658 initial_cwd = os_getcwd(NULL, 0);
3659
3660 /* checking:
3661 -be[m] expansion test -
3662 -b[fF] filter test new
3663 -bh[c] host test -
3664 -bmalware malware_test_file new
3665 -brt retry test new
3666 -brw rewrite test new
3667 -bt address test -
3668 -bv[s] address verify -
3669 list_options:
3670 -bP <option> (except -bP config, which sets list_config)
3671
3672 If any of these options is set, we suppress warnings about configuration
3673 issues (currently about tls_advertise_hosts and keep_environment not being
3674 defined) */
3675
3676 readconf_main(checking || list_options);
3677
3678
3679 /* Now in directory "/" */
3680
3681 if (cleanup_environment() == FALSE)
3682 log_write(0, LOG_PANIC_DIE, "Can't cleanup environment");
3683
3684
3685 /* If an action on specific messages is requested, or if a daemon or queue
3686 runner is being started, we need to know if Exim was called by an admin user.
3687 This is the case if the real user is root or exim, or if the real group is
3688 exim, or if one of the supplementary groups is exim or a group listed in
3689 admin_groups. We don't fail all message actions immediately if not admin_user,
3690 since some actions can be performed by non-admin users. Instead, set admin_user
3691 for later interrogation. */
3692
3693 if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3694 f.admin_user = TRUE;
3695 else
3696 {
3697 int i, j;
3698 for (i = 0; i < group_count && !f.admin_user; i++)
3699 if (group_list[i] == exim_gid)
3700 f.admin_user = TRUE;
3701 else if (admin_groups)
3702 for (j = 1; j <= (int)admin_groups[0] && !f.admin_user; j++)
3703 if (admin_groups[j] == group_list[i])
3704 f.admin_user = TRUE;
3705 }
3706
3707 /* Another group of privileged users are the trusted users. These are root,
3708 exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3709 are permitted to specify sender_addresses with -f on the command line, and
3710 other message parameters as well. */
3711
3712 if (real_uid == root_uid || real_uid == exim_uid)
3713 f.trusted_caller = TRUE;
3714 else
3715 {
3716 int i, j;
3717
3718 if (trusted_users)
3719 for (i = 1; i <= (int)trusted_users[0] && !f.trusted_caller; i++)
3720 if (trusted_users[i] == real_uid)
3721 f.trusted_caller = TRUE;
3722
3723 if (trusted_groups)
3724 for (i = 1; i <= (int)trusted_groups[0] && !f.trusted_caller; i++)
3725 if (trusted_groups[i] == real_gid)
3726 f.trusted_caller = TRUE;
3727 else for (j = 0; j < group_count && !f.trusted_caller; j++)
3728 if (trusted_groups[i] == group_list[j])
3729 f.trusted_caller = TRUE;
3730 }
3731
3732 /* At this point, we know if the user is privileged and some command-line
3733 options become possibly impermissible, depending upon the configuration file. */
3734
3735 if (checking && commandline_checks_require_admin && !f.admin_user)
3736 exim_fail("exim: those command-line flags are set to require admin\n");
3737
3738 /* Handle the decoding of logging options. */
3739
3740 decode_bits(log_selector, log_selector_size, log_notall,
3741 log_selector_string, log_options, log_options_count, US"log", 0);
3742
3743 DEBUG(D_any)
3744 {
3745 int i;
3746 debug_printf("configuration file is %s\n", config_main_filename);
3747 debug_printf("log selectors =");
3748 for (i = 0; i < log_selector_size; i++)
3749 debug_printf(" %08x", log_selector[i]);
3750 debug_printf("\n");
3751 }
3752
3753 /* If domain literals are not allowed, check the sender address that was
3754 supplied with -f. Ditto for a stripped trailing dot. */
3755
3756 if (sender_address)
3757 {
3758 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3759 exim_fail("exim: bad -f address \"%s\": domain literals not "
3760 "allowed\n", sender_address);
3761 if (f_end_dot && !strip_trailing_dot)
3762 exim_fail("exim: bad -f address \"%s.\": domain is malformed "
3763 "(trailing dot not allowed)\n", sender_address);
3764 }
3765
3766 /* See if an admin user overrode our logging. */
3767
3768 if (cmdline_syslog_name)
3769 if (f.admin_user)
3770 {
3771 syslog_processname = cmdline_syslog_name;
3772 log_file_path = string_copy(CUS"syslog");
3773 }
3774 else
3775 /* not a panic, non-privileged users should not be able to spam paniclog */
3776 exim_fail(
3777 "exim: you lack sufficient privilege to specify syslog process name\n");
3778
3779 /* Paranoia check of maximum lengths of certain strings. There is a check
3780 on the length of the log file path in log.c, which will come into effect
3781 if there are any calls to write the log earlier than this. However, if we
3782 get this far but the string is very long, it is better to stop now than to
3783 carry on and (e.g.) receive a message and then have to collapse. The call to
3784 log_write() from here will cause the ultimate panic collapse if the complete
3785 file name exceeds the buffer length. */
3786
3787 if (Ustrlen(log_file_path) > 200)
3788 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3789 "log_file_path is longer than 200 chars: aborting");
3790
3791 if (Ustrlen(pid_file_path) > 200)
3792 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3793 "pid_file_path is longer than 200 chars: aborting");
3794
3795 if (Ustrlen(spool_directory) > 200)
3796 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3797 "spool_directory is longer than 200 chars: aborting");
3798
3799 /* Length check on the process name given to syslog for its TAG field,
3800 which is only permitted to be 32 characters or less. See RFC 3164. */
3801
3802 if (Ustrlen(syslog_processname) > 32)
3803 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3804 "syslog_processname is longer than 32 chars: aborting");
3805
3806 if (log_oneline)
3807 if (f.admin_user)
3808 {
3809 log_write(0, LOG_MAIN, "%s", log_oneline);
3810 return EXIT_SUCCESS;
3811 }
3812 else
3813 return EXIT_FAILURE;
3814
3815 /* In some operating systems, the environment variable TMPDIR controls where
3816 temporary files are created; Exim doesn't use these (apart from when delivering
3817 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3818 If TMPDIR is found in the environment, reset it to the value defined in the
3819 EXIM_TMPDIR macro, if this macro is defined. For backward compatibility this
3820 macro may be called TMPDIR in old "Local/Makefile"s. It's converted to
3821 EXIM_TMPDIR by the build scripts.
3822 */
3823
3824 #ifdef EXIM_TMPDIR
3825 {
3826 uschar **p;
3827 if (environ) for (p = USS environ; *p; p++)
3828 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 && Ustrcmp(*p+7, EXIM_TMPDIR) != 0)
3829 {
3830 uschar * newp = store_malloc(Ustrlen(EXIM_TMPDIR) + 8);
3831 sprintf(CS newp, "TMPDIR=%s", EXIM_TMPDIR);
3832 *p = newp;
3833 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", EXIM_TMPDIR);
3834 }
3835 }
3836 #endif
3837
3838 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3839 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3840 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3841 called by a user who has set the TZ variable. This then affects the timestamps
3842 in log files and in Received: headers, and any created Date: header lines. The
3843 required timezone is settable in the configuration file, so nothing can be done
3844 about this earlier - but hopefully nothing will normally be logged earlier than
3845 this. We have to make a new environment if TZ is wrong, but don't bother if
3846 timestamps_utc is set, because then all times are in UTC anyway. */
3847
3848 if (timezone_string && strcmpic(timezone_string, US"UTC") == 0)
3849 f.timestamps_utc = TRUE;
3850 else
3851 {
3852 uschar *envtz = US getenv("TZ");
3853 if (envtz
3854 ? !timezone_string || Ustrcmp(timezone_string, envtz) != 0
3855 : timezone_string != NULL
3856 )
3857 {
3858 uschar **p = USS environ;
3859 uschar **new;
3860 uschar **newp;
3861 int count = 0;
3862 if (environ) while (*p++) count++;
3863 if (!envtz) count++;
3864 newp = new = store_malloc(sizeof(uschar *) * (count + 1));
3865 if (environ) for (p = USS environ; *p; p++)
3866 if (Ustrncmp(*p, "TZ=", 3) != 0) *newp++ = *p;
3867 if (timezone_string)
3868 {
3869 *newp = store_malloc(Ustrlen(timezone_string) + 4);
3870 sprintf(CS *newp++, "TZ=%s", timezone_string);
3871 }
3872 *newp = NULL;
3873 environ = CSS new;
3874 tzset();
3875 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3876 tod_stamp(tod_log));
3877 }
3878 }
3879
3880 /* Handle the case when we have removed the setuid privilege because of -C or
3881 -D. This means that the caller of Exim was not root.
3882
3883 There is a problem if we were running as the Exim user. The sysadmin may
3884 expect this case to retain privilege because "the binary was called by the
3885 Exim user", but it hasn't, because either the -D option set macros, or the
3886 -C option set a non-trusted configuration file. There are two possibilities:
3887
3888 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3889 to do message deliveries. Thus, the fact that it is running as a
3890 non-privileged user is plausible, and might be wanted in some special
3891 configurations. However, really_exim will have been set false when
3892 privilege was dropped, to stop Exim trying to write to its normal log
3893 files. Therefore, re-enable normal log processing, assuming the sysadmin
3894 has set up the log directory correctly.
3895
3896 (2) If deliver_drop_privilege is not set, the configuration won't work as
3897 apparently intended, and so we log a panic message. In order to retain
3898 root for -C or -D, the caller must either be root or be invoking a
3899 trusted configuration file (when deliver_drop_privilege is false). */
3900
3901 if ( removed_privilege
3902 && (!f.trusted_config || opt_D_used)
3903 && real_uid == exim_uid)
3904 if (deliver_drop_privilege)
3905 f.really_exim = TRUE; /* let logging work normally */
3906 else
3907 log_write(0, LOG_MAIN|LOG_PANIC,
3908 "exim user lost privilege for using %s option",
3909 f.trusted_config? "-D" : "-C");
3910
3911 /* Start up Perl interpreter if Perl support is configured and there is a
3912 perl_startup option, and the configuration or the command line specifies
3913 initializing starting. Note that the global variables are actually called
3914 opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3915
3916 #ifdef EXIM_PERL
3917 if (perl_start_option != 0)
3918 opt_perl_at_start = (perl_start_option > 0);
3919 if (opt_perl_at_start && opt_perl_startup != NULL)
3920 {
3921 uschar *errstr;
3922 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3923 if ((errstr = init_perl(opt_perl_startup)))
3924 exim_fail("exim: error in perl_startup code: %s\n", errstr);
3925 opt_perl_started = TRUE;
3926 }
3927 #endif /* EXIM_PERL */
3928
3929 /* Log the arguments of the call if the configuration file said so. This is
3930 a debugging feature for finding out what arguments certain MUAs actually use.
3931 Don't attempt it if logging is disabled, or if listing variables or if
3932 verifying/testing addresses or expansions. */
3933
3934 if ( (debug_selector & D_any || LOGGING(arguments))
3935 && f.really_exim && !list_options && !checking)
3936 {
3937 int i;
3938 uschar *p = big_buffer;
3939 Ustrcpy(p, "cwd= (failed)");
3940
3941 if (!initial_cwd)
3942 p += 13;
3943 else
3944 {
3945 Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
3946 p += 4 + Ustrlen(initial_cwd);
3947 /* in case p is near the end and we don't provide enough space for
3948 * string_format to be willing to write. */
3949 *p = '\0';
3950 }
3951
3952 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3953 while (*p) p++;
3954 for (i = 0; i < argc; i++)
3955 {
3956 int len = Ustrlen(argv[i]);
3957 const uschar *printing;
3958 uschar *quote;
3959 if (p + len + 8 >= big_buffer + big_buffer_size)
3960 {
3961 Ustrcpy(p, " ...");
3962 log_write(0, LOG_MAIN, "%s", big_buffer);
3963 Ustrcpy(big_buffer, "...");
3964 p = big_buffer + 3;
3965 }
3966 printing = string_printing(argv[i]);
3967 if (printing[0] == 0) quote = US"\""; else
3968 {
3969 const uschar *pp = printing;
3970 quote = US"";
3971 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3972 }
3973 p += sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3974 (p - big_buffer) - 4), printing, quote);
3975 }
3976
3977 if (LOGGING(arguments))
3978 log_write(0, LOG_MAIN, "%s", big_buffer);
3979 else
3980 debug_printf("%s\n", big_buffer);
3981 }
3982
3983 /* Set the working directory to be the top-level spool directory. We don't rely
3984 on this in the code, which always uses fully qualified names, but it's useful
3985 for core dumps etc. Don't complain if it fails - the spool directory might not
3986 be generally accessible and calls with the -C option (and others) have lost
3987 privilege by now. Before the chdir, we try to ensure that the directory exists.
3988 */
3989
3990 if (Uchdir(spool_directory) != 0)
3991 {
3992 int dummy;
3993 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
3994 dummy = /* quieten compiler */ Uchdir(spool_directory);
3995 dummy = dummy; /* yet more compiler quietening, sigh */
3996 }
3997
3998 /* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3999 alias file. Exim doesn't have such a concept, but this call is screwed into
4000 Sun's YP makefiles. Handle this by calling a configured script, as the real
4001 user who called Exim. The -oA option can be used to pass an argument to the
4002 script. */
4003
4004 if (bi_option)
4005 {
4006 (void)fclose(config_file);
4007 if (bi_command != NULL)
4008 {
4009 int i = 0;
4010 uschar *argv[3];
4011 argv[i++] = bi_command;
4012 if (alias_arg != NULL) argv[i++] = alias_arg;
4013 argv[i++] = NULL;
4014
4015 setgroups(group_count, group_list);
4016 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
4017
4018 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
4019 (argv[1] == NULL)? US"" : argv[1]);
4020
4021 execv(CS argv[0], (char *const *)argv);
4022 exim_fail("exim: exec failed: %s\n", strerror(errno));
4023 }
4024 else
4025 {
4026 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
4027 exit(EXIT_SUCCESS);
4028 }
4029 }
4030
4031 /* We moved the admin/trusted check to be immediately after reading the
4032 configuration file. We leave these prints here to ensure that syslog setup,
4033 logfile setup, and so on has already happened. */
4034
4035 if (f.trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
4036 if (f.admin_user) DEBUG(D_any) debug_printf("admin user\n");
4037
4038 /* Only an admin user may start the daemon or force a queue run in the default
4039 configuration, but the queue run restriction can be relaxed. Only an admin
4040 user may request that a message be returned to its sender forthwith. Only an
4041 admin user may specify a debug level greater than D_v (because it might show
4042 passwords, etc. in lookup queries). Only an admin user may request a queue
4043 count. Only an admin user can use the test interface to scan for email
4044 (because Exim will be in the spool dir and able to look at mails). */
4045
4046 if (!f.admin_user)
4047 {
4048 BOOL debugset = (debug_selector & ~D_v) != 0;
4049 if (deliver_give_up || f.daemon_listen || malware_test_file ||
4050 (count_queue && queue_list_requires_admin) ||
4051 (list_queue && queue_list_requires_admin) ||
4052 (queue_interval >= 0 && prod_requires_admin) ||
4053 (debugset && !f.running_in_test_harness))
4054 exim_fail("exim:%s permission denied\n", debugset? " debugging" : "");
4055 }
4056
4057 /* If the real user is not root or the exim uid, the argument for passing
4058 in an open TCP/IP connection for another message is not permitted, nor is
4059 running with the -N option for any delivery action, unless this call to exim is
4060 one that supplied an input message, or we are using a patched exim for
4061 regression testing. */
4062
4063 if (real_uid != root_uid && real_uid != exim_uid &&
4064 (continue_hostname != NULL ||
4065 (f.dont_deliver &&
4066 (queue_interval >= 0 || f.daemon_listen || msg_action_arg > 0)
4067 )) && !f.running_in_test_harness)
4068 exim_fail("exim: Permission denied\n");
4069
4070 /* If the caller is not trusted, certain arguments are ignored when running for
4071 real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
4072 Note that authority for performing certain actions on messages is tested in the
4073 queue_action() function. */
4074
4075 if (!f.trusted_caller && !checking)
4076 {
4077 sender_host_name = sender_host_address = interface_address =
4078 sender_ident = received_protocol = NULL;
4079 sender_host_port = interface_port = 0;
4080 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
4081 }
4082
4083 /* If a sender host address is set, extract the optional port number off the
4084 end of it and check its syntax. Do the same thing for the interface address.
4085 Exim exits if the syntax is bad. */
4086
4087 else
4088 {
4089 if (sender_host_address != NULL)
4090 sender_host_port = check_port(sender_host_address);
4091 if (interface_address != NULL)
4092 interface_port = check_port(interface_address);
4093 }
4094
4095 /* If the caller is trusted, then they can use -G to suppress_local_fixups. */
4096 if (flag_G)
4097 {
4098 if (f.trusted_caller)
4099 {
4100 f.suppress_local_fixups = f.suppress_local_fixups_default = TRUE;