TLS: move from SUPPORT_TLS to DISABLE_TLS macro for the build
[exim.git] / src / src / exim.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
11
12
13 #include "exim.h"
14
15 #if defined(__GLIBC__) && !defined(__UCLIBC__)
16 # include <gnu/libc-version.h>
17 #endif
18
19 #ifdef USE_GNUTLS
20 # include <gnutls/gnutls.h>
21 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
22 # define DISABLE_OCSP
23 # endif
24 #endif
25
26 extern void init_lookup_list(void);
27
28
29
30 /*************************************************
31 * Function interface to store functions *
32 *************************************************/
33
34 /* We need some real functions to pass to the PCRE regular expression library
35 for store allocation via Exim's store manager. The normal calls are actually
36 macros that pass over location information to make tracing easier. These
37 functions just interface to the standard macro calls. A good compiler will
38 optimize out the tail recursion and so not make them too expensive. There
39 are two sets of functions; one for use when we want to retain the compiled
40 regular expression for a long time; the other for short-term use. */
41
42 static void *
43 function_store_get(size_t size)
44 {
45 return store_get((int)size);
46 }
47
48 static void
49 function_dummy_free(void *block) { block = block; }
50
51 static void *
52 function_store_malloc(size_t size)
53 {
54 return store_malloc((int)size);
55 }
56
57 static void
58 function_store_free(void *block)
59 {
60 store_free(block);
61 }
62
63
64
65
66 /*************************************************
67 * Enums for cmdline interface *
68 *************************************************/
69
70 enum commandline_info { CMDINFO_NONE=0,
71 CMDINFO_HELP, CMDINFO_SIEVE, CMDINFO_DSCP };
72
73
74
75
76 /*************************************************
77 * Compile regular expression and panic on fail *
78 *************************************************/
79
80 /* This function is called when failure to compile a regular expression leads
81 to a panic exit. In other cases, pcre_compile() is called directly. In many
82 cases where this function is used, the results of the compilation are to be
83 placed in long-lived store, so we temporarily reset the store management
84 functions that PCRE uses if the use_malloc flag is set.
85
86 Argument:
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
90
91 Returns: pointer to the compiled pattern
92 */
93
94 const pcre *
95 regex_must_compile(const uschar *pattern, BOOL caseless, BOOL use_malloc)
96 {
97 int offset;
98 int options = PCRE_COPT;
99 const pcre *yield;
100 const uschar *error;
101 if (use_malloc)
102 {
103 pcre_malloc = function_store_malloc;
104 pcre_free = function_store_free;
105 }
106 if (caseless) options |= PCRE_CASELESS;
107 yield = pcre_compile(CCS pattern, options, (const char **)&error, &offset, NULL);
108 pcre_malloc = function_store_get;
109 pcre_free = function_dummy_free;
110 if (yield == NULL)
111 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
112 "%s at offset %d while compiling %s", error, offset, pattern);
113 return yield;
114 }
115
116
117
118
119 /*************************************************
120 * Execute regular expression and set strings *
121 *************************************************/
122
123 /* This function runs a regular expression match, and sets up the pointers to
124 the matched substrings.
125
126 Arguments:
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
133
134 Returns: TRUE or FALSE
135 */
136
137 BOOL
138 regex_match_and_setup(const pcre *re, const uschar *subject, int options, int setup)
139 {
140 int ovector[3*(EXPAND_MAXN+1)];
141 uschar * s = string_copy(subject); /* de-constifying */
142 int n = pcre_exec(re, NULL, CS s, Ustrlen(s), 0,
143 PCRE_EOPT | options, ovector, nelem(ovector));
144 BOOL yield = n >= 0;
145 if (n == 0) n = EXPAND_MAXN + 1;
146 if (yield)
147 {
148 expand_nmax = setup < 0 ? 0 : setup + 1;
149 for (int nn = setup < 0 ? 0 : 2; nn < n*2; nn += 2)
150 {
151 expand_nstring[expand_nmax] = s + ovector[nn];
152 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
153 }
154 expand_nmax--;
155 }
156 return yield;
157 }
158
159
160
161
162 /*************************************************
163 * Set up processing details *
164 *************************************************/
165
166 /* Save a text string for dumping when SIGUSR1 is received.
167 Do checks for overruns.
168
169 Arguments: format and arguments, as for printf()
170 Returns: nothing
171 */
172
173 void
174 set_process_info(const char *format, ...)
175 {
176 gstring gs = { .size = PROCESS_INFO_SIZE - 2, .ptr = 0, .s = process_info };
177 gstring * g;
178 int len;
179 va_list ap;
180
181 g = string_fmt_append(&gs, "%5d ", (int)getpid());
182 len = g->ptr;
183 va_start(ap, format);
184 if (!string_vformat(g, FALSE, format, ap))
185 {
186 gs.ptr = len;
187 g = string_cat(&gs, US"**** string overflowed buffer ****");
188 }
189 g = string_catn(g, US"\n", 1);
190 string_from_gstring(g);
191 process_info_len = g->ptr;
192 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
193 va_end(ap);
194 }
195
196 /***********************************************
197 * Handler for SIGTERM *
198 ***********************************************/
199
200 static void
201 term_handler(int sig)
202 {
203 exit(1);
204 }
205
206
207 /*************************************************
208 * Handler for SIGUSR1 *
209 *************************************************/
210
211 /* SIGUSR1 causes any exim process to write to the process log details of
212 what it is currently doing. It will only be used if the OS is capable of
213 setting up a handler that causes automatic restarting of any system call
214 that is in progress at the time.
215
216 This function takes care to be signal-safe.
217
218 Argument: the signal number (SIGUSR1)
219 Returns: nothing
220 */
221
222 static void
223 usr1_handler(int sig)
224 {
225 int fd;
226
227 os_restarting_signal(sig, usr1_handler);
228
229 if ((fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE)) < 0)
230 {
231 /* If we are already running as the Exim user, try to create it in the
232 current process (assuming spool_directory exists). Otherwise, if we are
233 root, do the creation in an exim:exim subprocess. */
234
235 int euid = geteuid();
236 if (euid == exim_uid)
237 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
238 else if (euid == root_uid)
239 fd = log_create_as_exim(process_log_path);
240 }
241
242 /* If we are neither exim nor root, or if we failed to create the log file,
243 give up. There is not much useful we can do with errors, since we don't want
244 to disrupt whatever is going on outside the signal handler. */
245
246 if (fd < 0) return;
247
248 (void)write(fd, process_info, process_info_len);
249 (void)close(fd);
250 }
251
252
253
254 /*************************************************
255 * Timeout handler *
256 *************************************************/
257
258 /* This handler is enabled most of the time that Exim is running. The handler
259 doesn't actually get used unless alarm() has been called to set a timer, to
260 place a time limit on a system call of some kind. When the handler is run, it
261 re-enables itself.
262
263 There are some other SIGALRM handlers that are used in special cases when more
264 than just a flag setting is required; for example, when reading a message's
265 input. These are normally set up in the code module that uses them, and the
266 SIGALRM handler is reset to this one afterwards.
267
268 Argument: the signal value (SIGALRM)
269 Returns: nothing
270 */
271
272 void
273 sigalrm_handler(int sig)
274 {
275 sig = sig; /* Keep picky compilers happy */
276 sigalrm_seen = TRUE;
277 os_non_restarting_signal(SIGALRM, sigalrm_handler);
278 }
279
280
281
282 /*************************************************
283 * Sleep for a fractional time interval *
284 *************************************************/
285
286 /* This function is called by millisleep() and exim_wait_tick() to wait for a
287 period of time that may include a fraction of a second. The coding is somewhat
288 tedious. We do not expect setitimer() ever to fail, but if it does, the process
289 will wait for ever, so we panic in this instance. (There was a case of this
290 when a bug in a function that calls milliwait() caused it to pass invalid data.
291 That's when I added the check. :-)
292
293 We assume it to be not worth sleeping for under 100us; this value will
294 require revisiting as hardware advances. This avoids the issue of
295 a zero-valued timer setting meaning "never fire".
296
297 Argument: an itimerval structure containing the interval
298 Returns: nothing
299 */
300
301 static void
302 milliwait(struct itimerval *itval)
303 {
304 sigset_t sigmask;
305 sigset_t old_sigmask;
306
307 if (itval->it_value.tv_usec < 100 && itval->it_value.tv_sec == 0)
308 return;
309 (void)sigemptyset(&sigmask); /* Empty mask */
310 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
311 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
312 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
313 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
314 "setitimer() failed: %s", strerror(errno));
315 (void)sigfillset(&sigmask); /* All signals */
316 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
317 (void)sigsuspend(&sigmask); /* Until SIGALRM */
318 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
319 }
320
321
322
323
324 /*************************************************
325 * Millisecond sleep function *
326 *************************************************/
327
328 /* The basic sleep() function has a granularity of 1 second, which is too rough
329 in some cases - for example, when using an increasing delay to slow down
330 spammers.
331
332 Argument: number of millseconds
333 Returns: nothing
334 */
335
336 void
337 millisleep(int msec)
338 {
339 struct itimerval itval;
340 itval.it_interval.tv_sec = 0;
341 itval.it_interval.tv_usec = 0;
342 itval.it_value.tv_sec = msec/1000;
343 itval.it_value.tv_usec = (msec % 1000) * 1000;
344 milliwait(&itval);
345 }
346
347
348
349 /*************************************************
350 * Compare microsecond times *
351 *************************************************/
352
353 /*
354 Arguments:
355 tv1 the first time
356 tv2 the second time
357
358 Returns: -1, 0, or +1
359 */
360
361 static int
362 exim_tvcmp(struct timeval *t1, struct timeval *t2)
363 {
364 if (t1->tv_sec > t2->tv_sec) return +1;
365 if (t1->tv_sec < t2->tv_sec) return -1;
366 if (t1->tv_usec > t2->tv_usec) return +1;
367 if (t1->tv_usec < t2->tv_usec) return -1;
368 return 0;
369 }
370
371
372
373
374 /*************************************************
375 * Clock tick wait function *
376 *************************************************/
377
378 /* Exim uses a time + a pid to generate a unique identifier in two places: its
379 message IDs, and in file names for maildir deliveries. Because some OS now
380 re-use pids within the same second, sub-second times are now being used.
381 However, for absolute certainty, we must ensure the clock has ticked before
382 allowing the relevant process to complete. At the time of implementation of
383 this code (February 2003), the speed of processors is such that the clock will
384 invariably have ticked already by the time a process has done its job. This
385 function prepares for the time when things are faster - and it also copes with
386 clocks that go backwards.
387
388 Arguments:
389 then_tv A timeval which was used to create uniqueness; its usec field
390 has been rounded down to the value of the resolution.
391 We want to be sure the current time is greater than this.
392 resolution The resolution that was used to divide the microseconds
393 (1 for maildir, larger for message ids)
394
395 Returns: nothing
396 */
397
398 void
399 exim_wait_tick(struct timeval *then_tv, int resolution)
400 {
401 struct timeval now_tv;
402 long int now_true_usec;
403
404 (void)gettimeofday(&now_tv, NULL);
405 now_true_usec = now_tv.tv_usec;
406 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
407
408 if (exim_tvcmp(&now_tv, then_tv) <= 0)
409 {
410 struct itimerval itval;
411 itval.it_interval.tv_sec = 0;
412 itval.it_interval.tv_usec = 0;
413 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
414 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
415
416 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
417 negative value for the microseconds is possible only in the case when "now"
418 is more than a second less than "then". That means that itval.it_value.tv_sec
419 is greater than zero. The following correction is therefore safe. */
420
421 if (itval.it_value.tv_usec < 0)
422 {
423 itval.it_value.tv_usec += 1000000;
424 itval.it_value.tv_sec -= 1;
425 }
426
427 DEBUG(D_transport|D_receive)
428 {
429 if (!f.running_in_test_harness)
430 {
431 debug_printf("tick check: " TIME_T_FMT ".%06lu " TIME_T_FMT ".%06lu\n",
432 then_tv->tv_sec, (long) then_tv->tv_usec,
433 now_tv.tv_sec, (long) now_tv.tv_usec);
434 debug_printf("waiting " TIME_T_FMT ".%06lu\n",
435 itval.it_value.tv_sec, (long) itval.it_value.tv_usec);
436 }
437 }
438
439 milliwait(&itval);
440 }
441 }
442
443
444
445
446 /*************************************************
447 * Call fopen() with umask 777 and adjust mode *
448 *************************************************/
449
450 /* Exim runs with umask(0) so that files created with open() have the mode that
451 is specified in the open() call. However, there are some files, typically in
452 the spool directory, that are created with fopen(). They end up world-writeable
453 if no precautions are taken. Although the spool directory is not accessible to
454 the world, this is an untidiness. So this is a wrapper function for fopen()
455 that sorts out the mode of the created file.
456
457 Arguments:
458 filename the file name
459 options the fopen() options
460 mode the required mode
461
462 Returns: the fopened FILE or NULL
463 */
464
465 FILE *
466 modefopen(const uschar *filename, const char *options, mode_t mode)
467 {
468 mode_t saved_umask = umask(0777);
469 FILE *f = Ufopen(filename, options);
470 (void)umask(saved_umask);
471 if (f != NULL) (void)fchmod(fileno(f), mode);
472 return f;
473 }
474
475
476 /*************************************************
477 * Ensure stdin, stdout, and stderr exist *
478 *************************************************/
479
480 /* Some operating systems grumble if an exec() happens without a standard
481 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
482 file will be opened and will use these fd values, and then some other bit of
483 code will assume, for example, that it can write error messages to stderr.
484 This function ensures that fds 0, 1, and 2 are open if they do not already
485 exist, by connecting them to /dev/null.
486
487 This function is also used to ensure that std{in,out,err} exist at all times,
488 so that if any library that Exim calls tries to use them, it doesn't crash.
489
490 Arguments: None
491 Returns: Nothing
492 */
493
494 void
495 exim_nullstd(void)
496 {
497 int devnull = -1;
498 struct stat statbuf;
499 for (int i = 0; i <= 2; i++)
500 {
501 if (fstat(i, &statbuf) < 0 && errno == EBADF)
502 {
503 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
504 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
505 string_open_failed(errno, "/dev/null"));
506 if (devnull != i) (void)dup2(devnull, i);
507 }
508 }
509 if (devnull > 2) (void)close(devnull);
510 }
511
512
513
514
515 /*************************************************
516 * Close unwanted file descriptors for delivery *
517 *************************************************/
518
519 /* This function is called from a new process that has been forked to deliver
520 an incoming message, either directly, or using exec.
521
522 We want any smtp input streams to be closed in this new process. However, it
523 has been observed that using fclose() here causes trouble. When reading in -bS
524 input, duplicate copies of messages have been seen. The files will be sharing a
525 file pointer with the parent process, and it seems that fclose() (at least on
526 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
527 least sometimes. Hence we go for closing the underlying file descriptors.
528
529 If TLS is active, we want to shut down the TLS library, but without molesting
530 the parent's SSL connection.
531
532 For delivery of a non-SMTP message, we want to close stdin and stdout (and
533 stderr unless debugging) because the calling process might have set them up as
534 pipes and be waiting for them to close before it waits for the submission
535 process to terminate. If they aren't closed, they hold up the calling process
536 until the initial delivery process finishes, which is not what we want.
537
538 Exception: We do want it for synchronous delivery!
539
540 And notwithstanding all the above, if D_resolver is set, implying resolver
541 debugging, leave stdout open, because that's where the resolver writes its
542 debugging output.
543
544 When we close stderr (which implies we've also closed stdout), we also get rid
545 of any controlling terminal.
546
547 Arguments: None
548 Returns: Nothing
549 */
550
551 static void
552 close_unwanted(void)
553 {
554 if (smtp_input)
555 {
556 #ifndef DISABLE_TLS
557 tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
558 #endif
559 (void)close(fileno(smtp_in));
560 (void)close(fileno(smtp_out));
561 smtp_in = NULL;
562 }
563 else
564 {
565 (void)close(0); /* stdin */
566 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
567 if (debug_selector == 0) /* stderr */
568 {
569 if (!f.synchronous_delivery)
570 {
571 (void)close(2);
572 log_stderr = NULL;
573 }
574 (void)setsid();
575 }
576 }
577 }
578
579
580
581
582 /*************************************************
583 * Set uid and gid *
584 *************************************************/
585
586 /* This function sets a new uid and gid permanently, optionally calling
587 initgroups() to set auxiliary groups. There are some special cases when running
588 Exim in unprivileged modes. In these situations the effective uid will not be
589 root; if we already have the right effective uid/gid, and don't need to
590 initialize any groups, leave things as they are.
591
592 Arguments:
593 uid the uid
594 gid the gid
595 igflag TRUE if initgroups() wanted
596 msg text to use in debugging output and failure log
597
598 Returns: nothing; bombs out on failure
599 */
600
601 void
602 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
603 {
604 uid_t euid = geteuid();
605 gid_t egid = getegid();
606
607 if (euid == root_uid || euid != uid || egid != gid || igflag)
608 {
609 /* At least one OS returns +1 for initgroups failure, so just check for
610 non-zero. */
611
612 if (igflag)
613 {
614 struct passwd *pw = getpwuid(uid);
615 if (!pw)
616 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
617 "no passwd entry for uid=%ld", (long int)uid);
618
619 if (initgroups(pw->pw_name, gid) != 0)
620 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
621 (long int)uid, strerror(errno));
622 }
623
624 if (setgid(gid) < 0 || setuid(uid) < 0)
625 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
626 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
627 }
628
629 /* Debugging output included uid/gid and all groups */
630
631 DEBUG(D_uid)
632 {
633 int group_count, save_errno;
634 gid_t group_list[EXIM_GROUPLIST_SIZE];
635 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
636 (long int)geteuid(), (long int)getegid(), (long int)getpid());
637 group_count = getgroups(nelem(group_list), group_list);
638 save_errno = errno;
639 debug_printf(" auxiliary group list:");
640 if (group_count > 0)
641 for (int i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
642 else if (group_count < 0)
643 debug_printf(" <error: %s>", strerror(save_errno));
644 else debug_printf(" <none>");
645 debug_printf("\n");
646 }
647 }
648
649
650
651
652 /*************************************************
653 * Exit point *
654 *************************************************/
655
656 /* Exim exits via this function so that it always clears up any open
657 databases.
658
659 Arguments:
660 rc return code
661
662 Returns: does not return
663 */
664
665 void
666 exim_exit(int rc, const uschar * process)
667 {
668 search_tidyup();
669 DEBUG(D_any)
670 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
671 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
672 process ? "(" : "", process, process ? ") " : "", rc);
673 exit(rc);
674 }
675
676
677
678 /* Print error string, then die */
679 static void
680 exim_fail(const char * fmt, ...)
681 {
682 va_list ap;
683 va_start(ap, fmt);
684 vfprintf(stderr, fmt, ap);
685 exit(EXIT_FAILURE);
686 }
687
688 /* exim_chown_failure() called from exim_chown()/exim_fchown() on failure
689 of chown()/fchown(). See src/functions.h for more explanation */
690 int
691 exim_chown_failure(int fd, const uschar *name, uid_t owner, gid_t group)
692 {
693 int saved_errno = errno; /* from the preceeding chown call */
694 #if 1
695 log_write(0, LOG_MAIN|LOG_PANIC,
696 __FILE__ ":%d: chown(%s, %d:%d) failed (%s)."
697 " Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391",
698 __LINE__, name?name:US"<unknown>", owner, group, strerror(errno));
699 #else
700 /* I leave this here, commented, in case the "bug"(?) comes up again.
701 It is not an Exim bug, but we can provide a workaround.
702 See Bug 2391
703 HS 2019-04-18 */
704
705 struct stat buf;
706
707 if (0 == (fd < 0 ? stat(name, &buf) : fstat(fd, &buf)))
708 {
709 if (buf.st_uid == owner && buf.st_gid == group) return 0;
710 log_write(0, LOG_MAIN|LOG_PANIC, "Wrong ownership on %s", name);
711 }
712 else log_write(0, LOG_MAIN|LOG_PANIC, "Stat failed on %s: %s", name, strerror(errno));
713
714 #endif
715 errno = saved_errno;
716 return -1;
717 }
718
719
720 /*************************************************
721 * Extract port from host address *
722 *************************************************/
723
724 /* Called to extract the port from the values given to -oMa and -oMi.
725 It also checks the syntax of the address, and terminates it before the
726 port data when a port is extracted.
727
728 Argument:
729 address the address, with possible port on the end
730
731 Returns: the port, or zero if there isn't one
732 bombs out on a syntax error
733 */
734
735 static int
736 check_port(uschar *address)
737 {
738 int port = host_address_extract_port(address);
739 if (string_is_ip_address(address, NULL) == 0)
740 exim_fail("exim abandoned: \"%s\" is not an IP address\n", address);
741 return port;
742 }
743
744
745
746 /*************************************************
747 * Test/verify an address *
748 *************************************************/
749
750 /* This function is called by the -bv and -bt code. It extracts a working
751 address from a full RFC 822 address. This isn't really necessary per se, but it
752 has the effect of collapsing source routes.
753
754 Arguments:
755 s the address string
756 flags flag bits for verify_address()
757 exit_value to be set for failures
758
759 Returns: nothing
760 */
761
762 static void
763 test_address(uschar *s, int flags, int *exit_value)
764 {
765 int start, end, domain;
766 uschar *parse_error = NULL;
767 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
768 FALSE);
769 if (address == NULL)
770 {
771 fprintf(stdout, "syntax error: %s\n", parse_error);
772 *exit_value = 2;
773 }
774 else
775 {
776 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
777 -1, -1, NULL, NULL, NULL);
778 if (rc == FAIL) *exit_value = 2;
779 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
780 }
781 }
782
783
784
785 /*************************************************
786 * Show supported features *
787 *************************************************/
788
789 static void
790 show_db_version(FILE * f)
791 {
792 #ifdef DB_VERSION_STRING
793 DEBUG(D_any)
794 {
795 fprintf(f, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING);
796 fprintf(f, " Runtime: %s\n",
797 db_version(NULL, NULL, NULL));
798 }
799 else
800 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
801
802 #elif defined(BTREEVERSION) && defined(HASHVERSION)
803 #ifdef USE_DB
804 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
805 #else
806 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
807 #endif
808
809 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
810 fprintf(f, "Probably ndbm\n");
811 #elif defined(USE_TDB)
812 fprintf(f, "Using tdb\n");
813 #else
814 #ifdef USE_GDBM
815 fprintf(f, "Probably GDBM (native mode)\n");
816 #else
817 fprintf(f, "Probably GDBM (compatibility mode)\n");
818 #endif
819 #endif
820 }
821
822
823 /* This function is called for -bV/--version and for -d to output the optional
824 features of the current Exim binary.
825
826 Arguments: a FILE for printing
827 Returns: nothing
828 */
829
830 static void
831 show_whats_supported(FILE * fp)
832 {
833 DEBUG(D_any) {} else show_db_version(fp);
834
835 fprintf(fp, "Support for:");
836 #ifdef SUPPORT_CRYPTEQ
837 fprintf(fp, " crypteq");
838 #endif
839 #if HAVE_ICONV
840 fprintf(fp, " iconv()");
841 #endif
842 #if HAVE_IPV6
843 fprintf(fp, " IPv6");
844 #endif
845 #ifdef HAVE_SETCLASSRESOURCES
846 fprintf(fp, " use_setclassresources");
847 #endif
848 #ifdef SUPPORT_PAM
849 fprintf(fp, " PAM");
850 #endif
851 #ifdef EXIM_PERL
852 fprintf(fp, " Perl");
853 #endif
854 #ifdef EXPAND_DLFUNC
855 fprintf(fp, " Expand_dlfunc");
856 #endif
857 #ifdef USE_TCP_WRAPPERS
858 fprintf(fp, " TCPwrappers");
859 #endif
860 #ifndef DISABLE_TLS
861 # ifdef USE_GNUTLS
862 fprintf(fp, " GnuTLS");
863 # else
864 fprintf(fp, " OpenSSL");
865 # endif
866 #endif
867 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
868 fprintf(fp, " translate_ip_address");
869 #endif
870 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
871 fprintf(fp, " move_frozen_messages");
872 #endif
873 #ifdef WITH_CONTENT_SCAN
874 fprintf(fp, " Content_Scanning");
875 #endif
876 #ifdef SUPPORT_DANE
877 fprintf(fp, " DANE");
878 #endif
879 #ifndef DISABLE_DKIM
880 fprintf(fp, " DKIM");
881 #endif
882 #ifndef DISABLE_DNSSEC
883 fprintf(fp, " DNSSEC");
884 #endif
885 #ifndef DISABLE_EVENT
886 fprintf(fp, " Event");
887 #endif
888 #ifdef SUPPORT_I18N
889 fprintf(fp, " I18N");
890 #endif
891 #ifndef DISABLE_OCSP
892 fprintf(fp, " OCSP");
893 #endif
894 #ifndef DISABLE_PRDR
895 fprintf(fp, " PRDR");
896 #endif
897 #ifdef SUPPORT_PROXY
898 fprintf(fp, " PROXY");
899 #endif
900 #ifdef SUPPORT_SOCKS
901 fprintf(fp, " SOCKS");
902 #endif
903 #ifdef SUPPORT_SPF
904 fprintf(fp, " SPF");
905 #endif
906 #ifdef TCP_FASTOPEN
907 deliver_init();
908 if (f.tcp_fastopen_ok) fprintf(fp, " TCP_Fast_Open");
909 #endif
910 #ifdef EXPERIMENTAL_LMDB
911 fprintf(fp, " Experimental_LMDB");
912 #endif
913 #ifdef EXPERIMENTAL_QUEUEFILE
914 fprintf(fp, " Experimental_QUEUEFILE");
915 #endif
916 #ifdef EXPERIMENTAL_SRS
917 fprintf(fp, " Experimental_SRS");
918 #endif
919 #ifdef EXPERIMENTAL_ARC
920 fprintf(fp, " Experimental_ARC");
921 #endif
922 #ifdef EXPERIMENTAL_BRIGHTMAIL
923 fprintf(fp, " Experimental_Brightmail");
924 #endif
925 #ifdef EXPERIMENTAL_DCC
926 fprintf(fp, " Experimental_DCC");
927 #endif
928 #ifdef EXPERIMENTAL_DMARC
929 fprintf(fp, " Experimental_DMARC");
930 #endif
931 #ifdef EXPERIMENTAL_DSN_INFO
932 fprintf(fp, " Experimental_DSN_info");
933 #endif
934 #ifdef EXPERIMENTAL_PIPE_CONNECT
935 fprintf(fp, " Experimental_PIPE_CONNECT");
936 #endif
937 #ifdef EXPERIMENTAL_TLS_RESUME
938 fprintf(fp, " Experimental_TLS_resume");
939 #endif
940 fprintf(fp, "\n");
941
942 fprintf(fp, "Lookups (built-in):");
943 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
944 fprintf(fp, " lsearch wildlsearch nwildlsearch iplsearch");
945 #endif
946 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
947 fprintf(fp, " cdb");
948 #endif
949 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
950 fprintf(fp, " dbm dbmjz dbmnz");
951 #endif
952 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
953 fprintf(fp, " dnsdb");
954 #endif
955 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
956 fprintf(fp, " dsearch");
957 #endif
958 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
959 fprintf(fp, " ibase");
960 #endif
961 #if defined(LOOKUP_JSON) && LOOKUP_JSON!=2
962 fprintf(fp, " json");
963 #endif
964 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
965 fprintf(fp, " ldap ldapdn ldapm");
966 #endif
967 #ifdef EXPERIMENTAL_LMDB
968 fprintf(fp, " lmdb");
969 #endif
970 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
971 fprintf(fp, " mysql");
972 #endif
973 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
974 fprintf(fp, " nis nis0");
975 #endif
976 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
977 fprintf(fp, " nisplus");
978 #endif
979 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
980 fprintf(fp, " oracle");
981 #endif
982 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
983 fprintf(fp, " passwd");
984 #endif
985 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
986 fprintf(fp, " pgsql");
987 #endif
988 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
989 fprintf(fp, " redis");
990 #endif
991 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
992 fprintf(fp, " sqlite");
993 #endif
994 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
995 fprintf(fp, " testdb");
996 #endif
997 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
998 fprintf(fp, " whoson");
999 #endif
1000 fprintf(fp, "\n");
1001
1002 auth_show_supported(fp);
1003 route_show_supported(fp);
1004 transport_show_supported(fp);
1005
1006 #ifdef WITH_CONTENT_SCAN
1007 malware_show_supported(fp);
1008 #endif
1009
1010 if (fixed_never_users[0] > 0)
1011 {
1012 int i;
1013 fprintf(fp, "Fixed never_users: ");
1014 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
1015 fprintf(fp, "%d:", (unsigned int)fixed_never_users[i]);
1016 fprintf(fp, "%d\n", (unsigned int)fixed_never_users[i]);
1017 }
1018
1019 fprintf(fp, "Configure owner: %d:%d\n", config_uid, config_gid);
1020
1021 fprintf(fp, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
1022
1023 /* Everything else is details which are only worth reporting when debugging.
1024 Perhaps the tls_version_report should move into this too. */
1025 DEBUG(D_any) do {
1026
1027 /* clang defines __GNUC__ (at least, for me) so test for it first */
1028 #if defined(__clang__)
1029 fprintf(fp, "Compiler: CLang [%s]\n", __clang_version__);
1030 #elif defined(__GNUC__)
1031 fprintf(fp, "Compiler: GCC [%s]\n",
1032 # ifdef __VERSION__
1033 __VERSION__
1034 # else
1035 "? unknown version ?"
1036 # endif
1037 );
1038 #else
1039 fprintf(fp, "Compiler: <unknown>\n");
1040 #endif
1041
1042 #if defined(__GLIBC__) && !defined(__UCLIBC__)
1043 fprintf(fp, "Library version: Glibc: Compile: %d.%d\n",
1044 __GLIBC__, __GLIBC_MINOR__);
1045 if (__GLIBC_PREREQ(2, 1))
1046 fprintf(fp, " Runtime: %s\n",
1047 gnu_get_libc_version());
1048 #endif
1049
1050 show_db_version(fp);
1051
1052 #ifndef DISABLE_TLS
1053 tls_version_report(fp);
1054 #endif
1055 #ifdef SUPPORT_I18N
1056 utf8_version_report(fp);
1057 #endif
1058
1059 for (auth_info * authi = auths_available; *authi->driver_name != '\0'; ++authi)
1060 if (authi->version_report)
1061 (*authi->version_report)(fp);
1062
1063 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1064 characters; unless it's an ancient version of PCRE in which case it
1065 is not defined. */
1066 #ifndef PCRE_PRERELEASE
1067 # define PCRE_PRERELEASE
1068 #endif
1069 #define QUOTE(X) #X
1070 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1071 fprintf(fp, "Library version: PCRE: Compile: %d.%d%s\n"
1072 " Runtime: %s\n",
1073 PCRE_MAJOR, PCRE_MINOR,
1074 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
1075 pcre_version());
1076 #undef QUOTE
1077 #undef EXPAND_AND_QUOTE
1078
1079 init_lookup_list();
1080 for (int i = 0; i < lookup_list_count; i++)
1081 if (lookup_list[i]->version_report)
1082 lookup_list[i]->version_report(fp);
1083
1084 #ifdef WHITELIST_D_MACROS
1085 fprintf(fp, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1086 #else
1087 fprintf(fp, "WHITELIST_D_MACROS unset\n");
1088 #endif
1089 #ifdef TRUSTED_CONFIG_LIST
1090 fprintf(fp, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1091 #else
1092 fprintf(fp, "TRUSTED_CONFIG_LIST unset\n");
1093 #endif
1094
1095 } while (0);
1096 }
1097
1098
1099 /*************************************************
1100 * Show auxiliary information about Exim *
1101 *************************************************/
1102
1103 static void
1104 show_exim_information(enum commandline_info request, FILE *stream)
1105 {
1106 switch(request)
1107 {
1108 case CMDINFO_NONE:
1109 fprintf(stream, "Oops, something went wrong.\n");
1110 return;
1111 case CMDINFO_HELP:
1112 fprintf(stream,
1113 "The -bI: flag takes a string indicating which information to provide.\n"
1114 "If the string is not recognised, you'll get this help (on stderr).\n"
1115 "\n"
1116 " exim -bI:help this information\n"
1117 " exim -bI:dscp list of known dscp value keywords\n"
1118 " exim -bI:sieve list of supported sieve extensions\n"
1119 );
1120 return;
1121 case CMDINFO_SIEVE:
1122 for (const uschar ** pp = exim_sieve_extension_list; *pp; ++pp)
1123 fprintf(stream, "%s\n", *pp);
1124 return;
1125 case CMDINFO_DSCP:
1126 dscp_list_to_stream(stream);
1127 return;
1128 }
1129 }
1130
1131
1132 /*************************************************
1133 * Quote a local part *
1134 *************************************************/
1135
1136 /* This function is used when a sender address or a From: or Sender: header
1137 line is being created from the caller's login, or from an authenticated_id. It
1138 applies appropriate quoting rules for a local part.
1139
1140 Argument: the local part
1141 Returns: the local part, quoted if necessary
1142 */
1143
1144 uschar *
1145 local_part_quote(uschar *lpart)
1146 {
1147 BOOL needs_quote = FALSE;
1148 gstring * g;
1149
1150 for (uschar * t = lpart; !needs_quote && *t != 0; t++)
1151 {
1152 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1153 (*t != '.' || t == lpart || t[1] == 0);
1154 }
1155
1156 if (!needs_quote) return lpart;
1157
1158 g = string_catn(NULL, US"\"", 1);
1159
1160 for (;;)
1161 {
1162 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1163 if (nq == NULL)
1164 {
1165 g = string_cat(g, lpart);
1166 break;
1167 }
1168 g = string_catn(g, lpart, nq - lpart);
1169 g = string_catn(g, US"\\", 1);
1170 g = string_catn(g, nq, 1);
1171 lpart = nq + 1;
1172 }
1173
1174 g = string_catn(g, US"\"", 1);
1175 return string_from_gstring(g);
1176 }
1177
1178
1179
1180 #ifdef USE_READLINE
1181 /*************************************************
1182 * Load readline() functions *
1183 *************************************************/
1184
1185 /* This function is called from testing executions that read data from stdin,
1186 but only when running as the calling user. Currently, only -be does this. The
1187 function loads the readline() function library and passes back the functions.
1188 On some systems, it needs the curses library, so load that too, but try without
1189 it if loading fails. All this functionality has to be requested at build time.
1190
1191 Arguments:
1192 fn_readline_ptr pointer to where to put the readline pointer
1193 fn_addhist_ptr pointer to where to put the addhistory function
1194
1195 Returns: the dlopen handle or NULL on failure
1196 */
1197
1198 static void *
1199 set_readline(char * (**fn_readline_ptr)(const char *),
1200 void (**fn_addhist_ptr)(const char *))
1201 {
1202 void *dlhandle;
1203 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1204
1205 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1206 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1207
1208 if (dlhandle != NULL)
1209 {
1210 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1211 * char * readline (const char *prompt);
1212 * void add_history (const char *string);
1213 */
1214 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1215 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1216 }
1217 else
1218 {
1219 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1220 }
1221
1222 return dlhandle;
1223 }
1224 #endif
1225
1226
1227
1228 /*************************************************
1229 * Get a line from stdin for testing things *
1230 *************************************************/
1231
1232 /* This function is called when running tests that can take a number of lines
1233 of input (for example, -be and -bt). It handles continuations and trailing
1234 spaces. And prompting and a blank line output on eof. If readline() is in use,
1235 the arguments are non-NULL and provide the relevant functions.
1236
1237 Arguments:
1238 fn_readline readline function or NULL
1239 fn_addhist addhist function or NULL
1240
1241 Returns: pointer to dynamic memory, or NULL at end of file
1242 */
1243
1244 static uschar *
1245 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1246 {
1247 gstring * g = NULL;
1248
1249 if (!fn_readline) { printf("> "); fflush(stdout); }
1250
1251 for (int i = 0;; i++)
1252 {
1253 uschar buffer[1024];
1254 uschar *p, *ss;
1255
1256 #ifdef USE_READLINE
1257 char *readline_line = NULL;
1258 if (fn_readline != NULL)
1259 {
1260 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1261 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1262 p = US readline_line;
1263 }
1264 else
1265 #endif
1266
1267 /* readline() not in use */
1268
1269 {
1270 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1271 p = buffer;
1272 }
1273
1274 /* Handle the line */
1275
1276 ss = p + (int)Ustrlen(p);
1277 while (ss > p && isspace(ss[-1])) ss--;
1278
1279 if (i > 0)
1280 {
1281 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1282 }
1283
1284 g = string_catn(g, p, ss - p);
1285
1286 #ifdef USE_READLINE
1287 if (fn_readline) free(readline_line);
1288 #endif
1289
1290 /* g can only be NULL if ss==p */
1291 if (ss == p || g->s[g->ptr-1] != '\\')
1292 break;
1293
1294 --g->ptr;
1295 (void) string_from_gstring(g);
1296 }
1297
1298 if (!g) printf("\n");
1299 return string_from_gstring(g);
1300 }
1301
1302
1303
1304 /*************************************************
1305 * Output usage information for the program *
1306 *************************************************/
1307
1308 /* This function is called when there are no recipients
1309 or a specific --help argument was added.
1310
1311 Arguments:
1312 progname information on what name we were called by
1313
1314 Returns: DOES NOT RETURN
1315 */
1316
1317 static void
1318 exim_usage(uschar *progname)
1319 {
1320
1321 /* Handle specific program invocation variants */
1322 if (Ustrcmp(progname, US"-mailq") == 0)
1323 exim_fail(
1324 "mailq - list the contents of the mail queue\n\n"
1325 "For a list of options, see the Exim documentation.\n");
1326
1327 /* Generic usage - we output this whatever happens */
1328 exim_fail(
1329 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1330 "not directly from a shell command line. Options and/or arguments control\n"
1331 "what it does when called. For a list of options, see the Exim documentation.\n");
1332 }
1333
1334
1335
1336 /*************************************************
1337 * Validate that the macros given are okay *
1338 *************************************************/
1339
1340 /* Typically, Exim will drop privileges if macros are supplied. In some
1341 cases, we want to not do so.
1342
1343 Arguments: opt_D_used - true if the commandline had a "-D" option
1344 Returns: true if trusted, false otherwise
1345 */
1346
1347 static BOOL
1348 macros_trusted(BOOL opt_D_used)
1349 {
1350 #ifdef WHITELIST_D_MACROS
1351 uschar *whitelisted, *end, *p, **whites;
1352 int white_count, i, n;
1353 size_t len;
1354 BOOL prev_char_item, found;
1355 #endif
1356
1357 if (!opt_D_used)
1358 return TRUE;
1359 #ifndef WHITELIST_D_MACROS
1360 return FALSE;
1361 #else
1362
1363 /* We only trust -D overrides for some invoking users:
1364 root, the exim run-time user, the optional config owner user.
1365 I don't know why config-owner would be needed, but since they can own the
1366 config files anyway, there's no security risk to letting them override -D. */
1367 if ( ! ((real_uid == root_uid)
1368 || (real_uid == exim_uid)
1369 #ifdef CONFIGURE_OWNER
1370 || (real_uid == config_uid)
1371 #endif
1372 ))
1373 {
1374 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1375 return FALSE;
1376 }
1377
1378 /* Get a list of macros which are whitelisted */
1379 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1380 prev_char_item = FALSE;
1381 white_count = 0;
1382 for (p = whitelisted; *p != '\0'; ++p)
1383 {
1384 if (*p == ':' || isspace(*p))
1385 {
1386 *p = '\0';
1387 if (prev_char_item)
1388 ++white_count;
1389 prev_char_item = FALSE;
1390 continue;
1391 }
1392 if (!prev_char_item)
1393 prev_char_item = TRUE;
1394 }
1395 end = p;
1396 if (prev_char_item)
1397 ++white_count;
1398 if (!white_count)
1399 return FALSE;
1400 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1401 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1402 {
1403 if (*p != '\0')
1404 {
1405 whites[i++] = p;
1406 if (i == white_count)
1407 break;
1408 while (*p != '\0' && p < end)
1409 ++p;
1410 }
1411 }
1412 whites[i] = NULL;
1413
1414 /* The list of commandline macros should be very short.
1415 Accept the N*M complexity. */
1416 for (macro_item * m = macros_user; m; m = m->next) if (m->command_line)
1417 {
1418 found = FALSE;
1419 for (uschar ** w = whites; *w; ++w)
1420 if (Ustrcmp(*w, m->name) == 0)
1421 {
1422 found = TRUE;
1423 break;
1424 }
1425 if (!found)
1426 return FALSE;
1427 if (!m->replacement)
1428 continue;
1429 if ((len = m->replen) == 0)
1430 continue;
1431 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1432 0, PCRE_EOPT, NULL, 0);
1433 if (n < 0)
1434 {
1435 if (n != PCRE_ERROR_NOMATCH)
1436 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1437 return FALSE;
1438 }
1439 }
1440 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1441 return TRUE;
1442 #endif
1443 }
1444
1445
1446 /*************************************************
1447 * Expansion testing *
1448 *************************************************/
1449
1450 /* Expand and print one item, doing macro-processing.
1451
1452 Arguments:
1453 item line for expansion
1454 */
1455
1456 static void
1457 expansion_test_line(uschar * line)
1458 {
1459 int len;
1460 BOOL dummy_macexp;
1461
1462 Ustrncpy(big_buffer, line, big_buffer_size);
1463 big_buffer[big_buffer_size-1] = '\0';
1464 len = Ustrlen(big_buffer);
1465
1466 (void) macros_expand(0, &len, &dummy_macexp);
1467
1468 if (isupper(big_buffer[0]))
1469 {
1470 if (macro_read_assignment(big_buffer))
1471 printf("Defined macro '%s'\n", mlast->name);
1472 }
1473 else
1474 if ((line = expand_string(big_buffer))) printf("%s\n", CS line);
1475 else printf("Failed: %s\n", expand_string_message);
1476 }
1477
1478
1479
1480 /*************************************************
1481 * Entry point and high-level code *
1482 *************************************************/
1483
1484 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1485 the appropriate action. All the necessary functions are present in the one
1486 binary. I originally thought one should split it up, but it turns out that so
1487 much of the apparatus is needed in each chunk that one might as well just have
1488 it all available all the time, which then makes the coding easier as well.
1489
1490 Arguments:
1491 argc count of entries in argv
1492 argv argument strings, with argv[0] being the program name
1493
1494 Returns: EXIT_SUCCESS if terminated successfully
1495 EXIT_FAILURE otherwise, except when a message has been sent
1496 to the sender, and -oee was given
1497 */
1498
1499 int
1500 main(int argc, char **cargv)
1501 {
1502 uschar **argv = USS cargv;
1503 int arg_receive_timeout = -1;
1504 int arg_smtp_receive_timeout = -1;
1505 int arg_error_handling = error_handling;
1506 int filter_sfd = -1;
1507 int filter_ufd = -1;
1508 int group_count;
1509 int i, rv;
1510 int list_queue_option = 0;
1511 int msg_action = 0;
1512 int msg_action_arg = -1;
1513 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1514 int queue_only_reason = 0;
1515 #ifdef EXIM_PERL
1516 int perl_start_option = 0;
1517 #endif
1518 int recipients_arg = argc;
1519 int sender_address_domain = 0;
1520 int test_retry_arg = -1;
1521 int test_rewrite_arg = -1;
1522 gid_t original_egid;
1523 BOOL arg_queue_only = FALSE;
1524 BOOL bi_option = FALSE;
1525 BOOL checking = FALSE;
1526 BOOL count_queue = FALSE;
1527 BOOL expansion_test = FALSE;
1528 BOOL extract_recipients = FALSE;
1529 BOOL flag_G = FALSE;
1530 BOOL flag_n = FALSE;
1531 BOOL forced_delivery = FALSE;
1532 BOOL f_end_dot = FALSE;
1533 BOOL deliver_give_up = FALSE;
1534 BOOL list_queue = FALSE;
1535 BOOL list_options = FALSE;
1536 BOOL list_config = FALSE;
1537 BOOL local_queue_only;
1538 BOOL more = TRUE;
1539 BOOL one_msg_action = FALSE;
1540 BOOL opt_D_used = FALSE;
1541 BOOL queue_only_set = FALSE;
1542 BOOL receiving_message = TRUE;
1543 BOOL sender_ident_set = FALSE;
1544 BOOL session_local_queue_only;
1545 BOOL unprivileged;
1546 BOOL removed_privilege = FALSE;
1547 BOOL usage_wanted = FALSE;
1548 BOOL verify_address_mode = FALSE;
1549 BOOL verify_as_sender = FALSE;
1550 BOOL version_printed = FALSE;
1551 uschar *alias_arg = NULL;
1552 uschar *called_as = US"";
1553 uschar *cmdline_syslog_name = NULL;
1554 uschar *start_queue_run_id = NULL;
1555 uschar *stop_queue_run_id = NULL;
1556 uschar *expansion_test_message = NULL;
1557 uschar *ftest_domain = NULL;
1558 uschar *ftest_localpart = NULL;
1559 uschar *ftest_prefix = NULL;
1560 uschar *ftest_suffix = NULL;
1561 uschar *log_oneline = NULL;
1562 uschar *malware_test_file = NULL;
1563 uschar *real_sender_address;
1564 uschar *originator_home = US"/";
1565 size_t sz;
1566 void *reset_point;
1567
1568 struct passwd *pw;
1569 struct stat statbuf;
1570 pid_t passed_qr_pid = (pid_t)0;
1571 int passed_qr_pipe = -1;
1572 gid_t group_list[EXIM_GROUPLIST_SIZE];
1573
1574 /* For the -bI: flag */
1575 enum commandline_info info_flag = CMDINFO_NONE;
1576 BOOL info_stdout = FALSE;
1577
1578 /* Possible options for -R and -S */
1579
1580 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1581
1582 /* Need to define this in case we need to change the environment in order
1583 to get rid of a bogus time zone. We have to make it char rather than uschar
1584 because some OS define it in /usr/include/unistd.h. */
1585
1586 extern char **environ;
1587
1588 /* If the Exim user and/or group and/or the configuration file owner/group were
1589 defined by ref:name at build time, we must now find the actual uid/gid values.
1590 This is a feature to make the lives of binary distributors easier. */
1591
1592 #ifdef EXIM_USERNAME
1593 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1594 {
1595 if (exim_uid == 0)
1596 exim_fail("exim: refusing to run with uid 0 for \"%s\"\n", EXIM_USERNAME);
1597
1598 /* If ref:name uses a number as the name, route_finduser() returns
1599 TRUE with exim_uid set and pw coerced to NULL. */
1600 if (pw)
1601 exim_gid = pw->pw_gid;
1602 #ifndef EXIM_GROUPNAME
1603 else
1604 exim_fail(
1605 "exim: ref:name should specify a usercode, not a group.\n"
1606 "exim: can't let you get away with it unless you also specify a group.\n");
1607 #endif
1608 }
1609 else
1610 exim_fail("exim: failed to find uid for user name \"%s\"\n", EXIM_USERNAME);
1611 #endif
1612
1613 #ifdef EXIM_GROUPNAME
1614 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1615 exim_fail("exim: failed to find gid for group name \"%s\"\n", EXIM_GROUPNAME);
1616 #endif
1617
1618 #ifdef CONFIGURE_OWNERNAME
1619 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1620 exim_fail("exim: failed to find uid for user name \"%s\"\n",
1621 CONFIGURE_OWNERNAME);
1622 #endif
1623
1624 /* We default the system_filter_user to be the Exim run-time user, as a
1625 sane non-root value. */
1626 system_filter_uid = exim_uid;
1627
1628 #ifdef CONFIGURE_GROUPNAME
1629 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1630 exim_fail("exim: failed to find gid for group name \"%s\"\n",
1631 CONFIGURE_GROUPNAME);
1632 #endif
1633
1634 /* In the Cygwin environment, some initialization used to need doing.
1635 It was fudged in by means of this macro; now no longer but we'll leave
1636 it in case of others. */
1637
1638 #ifdef OS_INIT
1639 OS_INIT
1640 #endif
1641
1642 /* Check a field which is patched when we are running Exim within its
1643 testing harness; do a fast initial check, and then the whole thing. */
1644
1645 f.running_in_test_harness =
1646 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1647 if (f.running_in_test_harness)
1648 debug_store = TRUE;
1649
1650 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1651 at the start of a program; however, it seems that some environments do not
1652 follow this. A "strange" locale can affect the formatting of timestamps, so we
1653 make quite sure. */
1654
1655 setlocale(LC_ALL, "C");
1656
1657 /* Set up the default handler for timing using alarm(). */
1658
1659 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1660
1661 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1662 because store_malloc writes a log entry on failure. */
1663
1664 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
1665 exim_fail("exim: failed to get store for log buffer\n");
1666
1667 /* Initialize the default log options. */
1668
1669 bits_set(log_selector, log_selector_size, log_default);
1670
1671 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1672 NULL when the daemon is run and the file is closed. We have to use this
1673 indirection, because some systems don't allow writing to the variable "stderr".
1674 */
1675
1676 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1677
1678 /* Arrange for the PCRE regex library to use our store functions. Note that
1679 the normal calls are actually macros that add additional arguments for
1680 debugging purposes so we have to assign specially constructed functions here.
1681 The default is to use store in the stacking pool, but this is overridden in the
1682 regex_must_compile() function. */
1683
1684 pcre_malloc = function_store_get;
1685 pcre_free = function_dummy_free;
1686
1687 /* Ensure there is a big buffer for temporary use in several places. It is put
1688 in malloc store so that it can be freed for enlargement if necessary. */
1689
1690 big_buffer = store_malloc(big_buffer_size);
1691
1692 /* Set up the handler for the data request signal, and set the initial
1693 descriptive text. */
1694
1695 set_process_info("initializing");
1696 os_restarting_signal(SIGUSR1, usr1_handler);
1697
1698 /* If running in a dockerized environment, the TERM signal is only
1699 delegated to the PID 1 if we request it by setting an signal handler */
1700 if (getpid() == 1) signal(SIGTERM, term_handler);
1701
1702 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1703 in the daemon code. For the rest of Exim's uses, we ignore it. */
1704
1705 signal(SIGHUP, SIG_IGN);
1706
1707 /* We don't want to die on pipe errors as the code is written to handle
1708 the write error instead. */
1709
1710 signal(SIGPIPE, SIG_IGN);
1711
1712 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1713 set to SIG_IGN. This causes subprocesses that complete before the parent
1714 process waits for them not to hang around, so when Exim calls wait(), nothing
1715 is there. The wait() code has been made robust against this, but let's ensure
1716 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1717 ending status. We use sigaction rather than plain signal() on those OS where
1718 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1719 problem on AIX with this.) */
1720
1721 #ifdef SA_NOCLDWAIT
1722 {
1723 struct sigaction act;
1724 act.sa_handler = SIG_DFL;
1725 sigemptyset(&(act.sa_mask));
1726 act.sa_flags = 0;
1727 sigaction(SIGCHLD, &act, NULL);
1728 }
1729 #else
1730 signal(SIGCHLD, SIG_DFL);
1731 #endif
1732
1733 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1734 SIGHUP. */
1735
1736 sighup_argv = argv;
1737
1738 /* Set up the version number. Set up the leading 'E' for the external form of
1739 message ids, set the pointer to the internal form, and initialize it to
1740 indicate no message being processed. */
1741
1742 version_init();
1743 message_id_option[0] = '-';
1744 message_id_external = message_id_option + 1;
1745 message_id_external[0] = 'E';
1746 message_id = message_id_external + 1;
1747 message_id[0] = 0;
1748
1749 /* Set the umask to zero so that any files Exim creates using open() are
1750 created with the modes that it specifies. NOTE: Files created with fopen() have
1751 a problem, which was not recognized till rather late (February 2006). With this
1752 umask, such files will be world writeable. (They are all content scanning files
1753 in the spool directory, which isn't world-accessible, so this is not a
1754 disaster, but it's untidy.) I don't want to change this overall setting,
1755 however, because it will interact badly with the open() calls. Instead, there's
1756 now a function called modefopen() that fiddles with the umask while calling
1757 fopen(). */
1758
1759 (void)umask(0);
1760
1761 /* Precompile the regular expression for matching a message id. Keep this in
1762 step with the code that generates ids in the accept.c module. We need to do
1763 this here, because the -M options check their arguments for syntactic validity
1764 using mac_ismsgid, which uses this. */
1765
1766 regex_ismsgid =
1767 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1768
1769 /* Precompile the regular expression that is used for matching an SMTP error
1770 code, possibly extended, at the start of an error message. Note that the
1771 terminating whitespace character is included. */
1772
1773 regex_smtp_code =
1774 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1775 FALSE, TRUE);
1776
1777 #ifdef WHITELIST_D_MACROS
1778 /* Precompile the regular expression used to filter the content of macros
1779 given to -D for permissibility. */
1780
1781 regex_whitelisted_macro =
1782 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1783 #endif
1784
1785 for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
1786
1787 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1788 this seems to be a generally accepted convention, since one finds symbolic
1789 links called "mailq" in standard OS configurations. */
1790
1791 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1792 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1793 {
1794 list_queue = TRUE;
1795 receiving_message = FALSE;
1796 called_as = US"-mailq";
1797 }
1798
1799 /* If the program is called as "rmail" treat it as equivalent to
1800 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1801 i.e. preventing a single dot on a line from terminating the message, and
1802 returning with zero return code, even in cases of error (provided an error
1803 message has been sent). */
1804
1805 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1806 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1807 {
1808 f.dot_ends = FALSE;
1809 called_as = US"-rmail";
1810 errors_sender_rc = EXIT_SUCCESS;
1811 }
1812
1813 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1814 this is a smail convention. */
1815
1816 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1817 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1818 {
1819 smtp_input = smtp_batched_input = TRUE;
1820 called_as = US"-rsmtp";
1821 }
1822
1823 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1824 this is a smail convention. */
1825
1826 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1827 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1828 {
1829 queue_interval = 0;
1830 receiving_message = FALSE;
1831 called_as = US"-runq";
1832 }
1833
1834 /* If the program is called as "newaliases" treat it as equivalent to
1835 "exim -bi"; this is a sendmail convention. */
1836
1837 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1838 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1839 {
1840 bi_option = TRUE;
1841 receiving_message = FALSE;
1842 called_as = US"-newaliases";
1843 }
1844
1845 /* Save the original effective uid for a couple of uses later. It should
1846 normally be root, but in some esoteric environments it may not be. */
1847
1848 original_euid = geteuid();
1849 original_egid = getegid();
1850
1851 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1852 to be the same as the real ones. This makes a difference only if Exim is setuid
1853 (or setgid) to something other than root, which could be the case in some
1854 special configurations. */
1855
1856 real_uid = getuid();
1857 real_gid = getgid();
1858
1859 if (real_uid == root_uid)
1860 {
1861 if ((rv = setgid(real_gid)))
1862 exim_fail("exim: setgid(%ld) failed: %s\n",
1863 (long int)real_gid, strerror(errno));
1864 if ((rv = setuid(real_uid)))
1865 exim_fail("exim: setuid(%ld) failed: %s\n",
1866 (long int)real_uid, strerror(errno));
1867 }
1868
1869 /* If neither the original real uid nor the original euid was root, Exim is
1870 running in an unprivileged state. */
1871
1872 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1873
1874 /* Scan the program's arguments. Some can be dealt with right away; others are
1875 simply recorded for checking and handling afterwards. Do a high-level switch
1876 on the second character (the one after '-'), to save some effort. */
1877
1878 for (i = 1; i < argc; i++)
1879 {
1880 BOOL badarg = FALSE;
1881 uschar *arg = argv[i];
1882 uschar *argrest;
1883 int switchchar;
1884
1885 /* An argument not starting with '-' is the start of a recipients list;
1886 break out of the options-scanning loop. */
1887
1888 if (arg[0] != '-')
1889 {
1890 recipients_arg = i;
1891 break;
1892 }
1893
1894 /* An option consisting of -- terminates the options */
1895
1896 if (Ustrcmp(arg, "--") == 0)
1897 {
1898 recipients_arg = i + 1;
1899 break;
1900 }
1901
1902 /* Handle flagged options */
1903
1904 switchchar = arg[1];
1905 argrest = arg+2;
1906
1907 /* Make all -ex options synonymous with -oex arguments, since that
1908 is assumed by various callers. Also make -qR options synonymous with -R
1909 options, as that seems to be required as well. Allow for -qqR too, and
1910 the same for -S options. */
1911
1912 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1913 Ustrncmp(arg+1, "qR", 2) == 0 ||
1914 Ustrncmp(arg+1, "qS", 2) == 0)
1915 {
1916 switchchar = arg[2];
1917 argrest++;
1918 }
1919 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1920 {
1921 switchchar = arg[3];
1922 argrest += 2;
1923 f.queue_2stage = TRUE;
1924 }
1925
1926 /* Make -r synonymous with -f, since it is a documented alias */
1927
1928 else if (arg[1] == 'r') switchchar = 'f';
1929
1930 /* Make -ov synonymous with -v */
1931
1932 else if (Ustrcmp(arg, "-ov") == 0)
1933 {
1934 switchchar = 'v';
1935 argrest++;
1936 }
1937
1938 /* deal with --option_aliases */
1939 else if (switchchar == '-')
1940 {
1941 if (Ustrcmp(argrest, "help") == 0)
1942 {
1943 usage_wanted = TRUE;
1944 break;
1945 }
1946 else if (Ustrcmp(argrest, "version") == 0)
1947 {
1948 switchchar = 'b';
1949 argrest = US"V";
1950 }
1951 }
1952
1953 /* High-level switch on active initial letter */
1954
1955 switch(switchchar)
1956 {
1957
1958 /* sendmail uses -Ac and -Am to control which .cf file is used;
1959 we ignore them. */
1960 case 'A':
1961 if (*argrest == '\0') { badarg = TRUE; break; }
1962 else
1963 {
1964 BOOL ignore = FALSE;
1965 switch (*argrest)
1966 {
1967 case 'c':
1968 case 'm':
1969 if (*(argrest + 1) == '\0')
1970 ignore = TRUE;
1971 break;
1972 }
1973 if (!ignore) { badarg = TRUE; break; }
1974 }
1975 break;
1976
1977 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1978 so has no need of it. */
1979
1980 case 'B':
1981 if (*argrest == 0) i++; /* Skip over the type */
1982 break;
1983
1984
1985 case 'b':
1986 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1987
1988 /* -bd: Run in daemon mode, awaiting SMTP connections.
1989 -bdf: Ditto, but in the foreground.
1990 */
1991
1992 if (*argrest == 'd')
1993 {
1994 f.daemon_listen = TRUE;
1995 if (*(++argrest) == 'f') f.background_daemon = FALSE;
1996 else if (*argrest != 0) { badarg = TRUE; break; }
1997 }
1998
1999 /* -be: Run in expansion test mode
2000 -bem: Ditto, but read a message from a file first
2001 */
2002
2003 else if (*argrest == 'e')
2004 {
2005 expansion_test = checking = TRUE;
2006 if (argrest[1] == 'm')
2007 {
2008 if (++i >= argc) { badarg = TRUE; break; }
2009 expansion_test_message = argv[i];
2010 argrest++;
2011 }
2012 if (argrest[1] != 0) { badarg = TRUE; break; }
2013 }
2014
2015 /* -bF: Run system filter test */
2016
2017 else if (*argrest == 'F')
2018 {
2019 filter_test |= checking = FTEST_SYSTEM;
2020 if (*(++argrest) != 0) { badarg = TRUE; break; }
2021 if (++i < argc) filter_test_sfile = argv[i]; else
2022 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2023 }
2024
2025 /* -bf: Run user filter test
2026 -bfd: Set domain for filter testing
2027 -bfl: Set local part for filter testing
2028 -bfp: Set prefix for filter testing
2029 -bfs: Set suffix for filter testing
2030 */
2031
2032 else if (*argrest == 'f')
2033 {
2034 if (*(++argrest) == 0)
2035 {
2036 filter_test |= checking = FTEST_USER;
2037 if (++i < argc) filter_test_ufile = argv[i]; else
2038 exim_fail("exim: file name expected after %s\n", argv[i-1]);
2039 }
2040 else
2041 {
2042 if (++i >= argc)
2043 exim_fail("exim: string expected after %s\n", arg);
2044 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
2045 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
2046 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
2047 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
2048 else { badarg = TRUE; break; }
2049 }
2050 }
2051
2052 /* -bh: Host checking - an IP address must follow. */
2053
2054 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
2055 {
2056 if (++i >= argc) { badarg = TRUE; break; }
2057 sender_host_address = argv[i];
2058 host_checking = checking = f.log_testing_mode = TRUE;
2059 f.host_checking_callout = argrest[1] == 'c';
2060 message_logs = FALSE;
2061 }
2062
2063 /* -bi: This option is used by sendmail to initialize *the* alias file,
2064 though it has the -oA option to specify a different file. Exim has no
2065 concept of *the* alias file, but since Sun's YP make script calls
2066 sendmail this way, some support must be provided. */
2067
2068 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
2069
2070 /* -bI: provide information, of the type to follow after a colon.
2071 This is an Exim flag. */
2072
2073 else if (argrest[0] == 'I' && Ustrlen(argrest) >= 2 && argrest[1] == ':')
2074 {
2075 uschar *p = &argrest[2];
2076 info_flag = CMDINFO_HELP;
2077 if (Ustrlen(p))
2078 {
2079 if (strcmpic(p, CUS"sieve") == 0)
2080 {
2081 info_flag = CMDINFO_SIEVE;
2082 info_stdout = TRUE;
2083 }
2084 else if (strcmpic(p, CUS"dscp") == 0)
2085 {
2086 info_flag = CMDINFO_DSCP;
2087 info_stdout = TRUE;
2088 }
2089 else if (strcmpic(p, CUS"help") == 0)
2090 {
2091 info_stdout = TRUE;
2092 }
2093 }
2094 }
2095
2096 /* -bm: Accept and deliver message - the default option. Reinstate
2097 receiving_message, which got turned off for all -b options. */
2098
2099 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
2100
2101 /* -bmalware: test the filename given for malware */
2102
2103 else if (Ustrcmp(argrest, "malware") == 0)
2104 {
2105 if (++i >= argc) { badarg = TRUE; break; }
2106 checking = TRUE;
2107 malware_test_file = argv[i];
2108 }
2109
2110 /* -bnq: For locally originating messages, do not qualify unqualified
2111 addresses. In the envelope, this causes errors; in header lines they
2112 just get left. */
2113
2114 else if (Ustrcmp(argrest, "nq") == 0)
2115 {
2116 f.allow_unqualified_sender = FALSE;
2117 f.allow_unqualified_recipient = FALSE;
2118 }
2119
2120 /* -bpxx: List the contents of the mail queue, in various forms. If
2121 the option is -bpc, just a queue count is needed. Otherwise, if the
2122 first letter after p is r, then order is random. */
2123
2124 else if (*argrest == 'p')
2125 {
2126 if (*(++argrest) == 'c')
2127 {
2128 count_queue = TRUE;
2129 if (*(++argrest) != 0) badarg = TRUE;
2130 break;
2131 }
2132
2133 if (*argrest == 'r')
2134 {
2135 list_queue_option = 8;
2136 argrest++;
2137 }
2138 else list_queue_option = 0;
2139
2140 list_queue = TRUE;
2141
2142 /* -bp: List the contents of the mail queue, top-level only */
2143
2144 if (*argrest == 0) {}
2145
2146 /* -bpu: List the contents of the mail queue, top-level undelivered */
2147
2148 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
2149
2150 /* -bpa: List the contents of the mail queue, including all delivered */
2151
2152 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
2153
2154 /* Unknown after -bp[r] */
2155
2156 else
2157 {
2158 badarg = TRUE;
2159 break;
2160 }
2161 }
2162
2163
2164 /* -bP: List the configuration variables given as the address list.
2165 Force -v, so configuration errors get displayed. */
2166
2167 else if (Ustrcmp(argrest, "P") == 0)
2168 {
2169 /* -bP config: we need to setup here, because later,
2170 * when list_options is checked, the config is read already */
2171 if (argv[i+1] && Ustrcmp(argv[i+1], "config") == 0)
2172 {
2173 list_config = TRUE;
2174 readconf_save_config(version_string);
2175 }
2176 else
2177 {
2178 list_options = TRUE;
2179 debug_selector |= D_v;
2180 debug_file = stderr;
2181 }
2182 }
2183
2184 /* -brt: Test retry configuration lookup */
2185
2186 else if (Ustrcmp(argrest, "rt") == 0)
2187 {
2188 checking = TRUE;
2189 test_retry_arg = i + 1;
2190 goto END_ARG;
2191 }
2192
2193 /* -brw: Test rewrite configuration */
2194
2195 else if (Ustrcmp(argrest, "rw") == 0)
2196 {
2197 checking = TRUE;
2198 test_rewrite_arg = i + 1;
2199 goto END_ARG;
2200 }
2201
2202 /* -bS: Read SMTP commands on standard input, but produce no replies -
2203 all errors are reported by sending messages. */
2204
2205 else if (Ustrcmp(argrest, "S") == 0)
2206 smtp_input = smtp_batched_input = receiving_message = TRUE;
2207
2208 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2209 on standard output. */
2210
2211 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2212
2213 /* -bt: address testing mode */
2214
2215 else if (Ustrcmp(argrest, "t") == 0)
2216 f.address_test_mode = checking = f.log_testing_mode = TRUE;
2217
2218 /* -bv: verify addresses */
2219
2220 else if (Ustrcmp(argrest, "v") == 0)
2221 verify_address_mode = checking = f.log_testing_mode = TRUE;
2222
2223 /* -bvs: verify sender addresses */
2224
2225 else if (Ustrcmp(argrest, "vs") == 0)
2226 {
2227 verify_address_mode = checking = f.log_testing_mode = TRUE;
2228 verify_as_sender = TRUE;
2229 }
2230
2231 /* -bV: Print version string and support details */
2232
2233 else if (Ustrcmp(argrest, "V") == 0)
2234 {
2235 printf("Exim version %s #%s built %s\n", version_string,
2236 version_cnumber, version_date);
2237 printf("%s\n", CS version_copyright);
2238 version_printed = TRUE;
2239 show_whats_supported(stdout);
2240 f.log_testing_mode = TRUE;
2241 }
2242
2243 /* -bw: inetd wait mode, accept a listening socket as stdin */
2244
2245 else if (*argrest == 'w')
2246 {
2247 f.inetd_wait_mode = TRUE;
2248 f.background_daemon = FALSE;
2249 f.daemon_listen = TRUE;
2250 if (*(++argrest) != '\0')
2251 if ((inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE)) <= 0)
2252 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
2253 }
2254
2255 else badarg = TRUE;
2256 break;
2257
2258
2259 /* -C: change configuration file list; ignore if it isn't really
2260 a change! Enforce a prefix check if required. */
2261
2262 case 'C':
2263 if (*argrest == 0)
2264 {
2265 if(++i < argc) argrest = argv[i]; else
2266 { badarg = TRUE; break; }
2267 }
2268 if (Ustrcmp(config_main_filelist, argrest) != 0)
2269 {
2270 #ifdef ALT_CONFIG_PREFIX
2271 int sep = 0;
2272 int len = Ustrlen(ALT_CONFIG_PREFIX);
2273 const uschar *list = argrest;
2274 uschar *filename;
2275 while((filename = string_nextinlist(&list, &sep, big_buffer,
2276 big_buffer_size)) != NULL)
2277 {
2278 if ((Ustrlen(filename) < len ||
2279 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2280 Ustrstr(filename, "/../") != NULL) &&
2281 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2282 exim_fail("-C Permission denied\n");
2283 }
2284 #endif
2285 if (real_uid != root_uid)
2286 {
2287 #ifdef TRUSTED_CONFIG_LIST
2288
2289 if (real_uid != exim_uid
2290 #ifdef CONFIGURE_OWNER
2291 && real_uid != config_uid
2292 #endif
2293 )
2294 f.trusted_config = FALSE;
2295 else
2296 {
2297 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2298 if (trust_list)
2299 {
2300 struct stat statbuf;
2301
2302 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2303 (statbuf.st_uid != root_uid /* owner not root */
2304 #ifdef CONFIGURE_OWNER
2305 && statbuf.st_uid != config_uid /* owner not the special one */
2306 #endif
2307 ) || /* or */
2308 (statbuf.st_gid != root_gid /* group not root */
2309 #ifdef CONFIGURE_GROUP
2310 && statbuf.st_gid != config_gid /* group not the special one */
2311 #endif
2312 && (statbuf.st_mode & 020) != 0 /* group writeable */
2313 ) || /* or */
2314 (statbuf.st_mode & 2) != 0) /* world writeable */
2315 {
2316 f.trusted_config = FALSE;
2317 fclose(trust_list);
2318 }
2319 else
2320 {
2321 /* Well, the trust list at least is up to scratch... */
2322 void *reset_point = store_get(0);
2323 uschar *trusted_configs[32];
2324 int nr_configs = 0;
2325 int i = 0;
2326
2327 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2328 {
2329 uschar *start = big_buffer, *nl;
2330 while (*start && isspace(*start))
2331 start++;
2332 if (*start != '/')
2333 continue;
2334 nl = Ustrchr(start, '\n');
2335 if (nl)
2336 *nl = 0;
2337 trusted_configs[nr_configs++] = string_copy(start);
2338 if (nr_configs == 32)
2339 break;
2340 }
2341 fclose(trust_list);
2342
2343 if (nr_configs)
2344 {
2345 int sep = 0;
2346 const uschar *list = argrest;
2347 uschar *filename;
2348 while (f.trusted_config && (filename = string_nextinlist(&list,
2349 &sep, big_buffer, big_buffer_size)) != NULL)
2350 {
2351 for (i=0; i < nr_configs; i++)
2352 {
2353 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2354 break;
2355 }
2356 if (i == nr_configs)
2357 {
2358 f.trusted_config = FALSE;
2359 break;
2360 }
2361 }
2362 store_reset(reset_point);
2363 }
2364 else
2365 {
2366 /* No valid prefixes found in trust_list file. */
2367 f.trusted_config = FALSE;
2368 }
2369 }
2370 }
2371 else
2372 {
2373 /* Could not open trust_list file. */
2374 f.trusted_config = FALSE;
2375 }
2376 }
2377 #else
2378 /* Not root; don't trust config */
2379 f.trusted_config = FALSE;
2380 #endif
2381 }
2382
2383 config_main_filelist = argrest;
2384 f.config_changed = TRUE;
2385 }
2386 break;
2387
2388
2389 /* -D: set up a macro definition */
2390
2391 case 'D':
2392 #ifdef DISABLE_D_OPTION
2393 exim_fail("exim: -D is not available in this Exim binary\n");
2394 #else
2395 {
2396 int ptr = 0;
2397 macro_item *m;
2398 uschar name[24];
2399 uschar *s = argrest;
2400
2401 opt_D_used = TRUE;
2402 while (isspace(*s)) s++;
2403
2404 if (*s < 'A' || *s > 'Z')
2405 exim_fail("exim: macro name set by -D must start with "
2406 "an upper case letter\n");
2407
2408 while (isalnum(*s) || *s == '_')
2409 {
2410 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2411 s++;
2412 }
2413 name[ptr] = 0;
2414 if (ptr == 0) { badarg = TRUE; break; }
2415 while (isspace(*s)) s++;
2416 if (*s != 0)
2417 {
2418 if (*s++ != '=') { badarg = TRUE; break; }
2419 while (isspace(*s)) s++;
2420 }
2421
2422 for (m = macros_user; m; m = m->next)
2423 if (Ustrcmp(m->name, name) == 0)
2424 exim_fail("exim: duplicated -D in command line\n");
2425
2426 m = macro_create(name, s, TRUE);
2427
2428 if (clmacro_count >= MAX_CLMACROS)
2429 exim_fail("exim: too many -D options on command line\n");
2430 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2431 m->replacement);
2432 }
2433 #endif
2434 break;
2435
2436 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2437 The latter is now a no-op, retained for compatibility only. If -dd is used,
2438 debugging subprocesses of the daemon is disabled. */
2439
2440 case 'd':
2441 if (Ustrcmp(argrest, "ropcr") == 0)
2442 {
2443 /* drop_cr = TRUE; */
2444 }
2445
2446 /* Use an intermediate variable so that we don't set debugging while
2447 decoding the debugging bits. */
2448
2449 else
2450 {
2451 unsigned int selector = D_default;
2452 debug_selector = 0;
2453 debug_file = NULL;
2454 if (*argrest == 'd')
2455 {
2456 f.debug_daemon = TRUE;
2457 argrest++;
2458 }
2459 if (*argrest != 0)
2460 decode_bits(&selector, 1, debug_notall, argrest,
2461 debug_options, debug_options_count, US"debug", 0);
2462 debug_selector = selector;
2463 }
2464 break;
2465
2466
2467 /* -E: This is a local error message. This option is not intended for
2468 external use at all, but is not restricted to trusted callers because it
2469 does no harm (just suppresses certain error messages) and if Exim is run
2470 not setuid root it won't always be trusted when it generates error
2471 messages using this option. If there is a message id following -E, point
2472 message_reference at it, for logging. */
2473
2474 case 'E':
2475 f.local_error_message = TRUE;
2476 if (mac_ismsgid(argrest)) message_reference = argrest;
2477 break;
2478
2479
2480 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2481 option, so it looks as if historically the -oex options are also callable
2482 without the leading -o. So we have to accept them. Before the switch,
2483 anything starting -oe has been converted to -e. Exim does not support all
2484 of the sendmail error options. */
2485
2486 case 'e':
2487 if (Ustrcmp(argrest, "e") == 0)
2488 {
2489 arg_error_handling = ERRORS_SENDER;
2490 errors_sender_rc = EXIT_SUCCESS;
2491 }
2492 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2493 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2494 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2495 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2496 else badarg = TRUE;
2497 break;
2498
2499
2500 /* -F: Set sender's full name, used instead of the gecos entry from
2501 the password file. Since users can usually alter their gecos entries,
2502 there's no security involved in using this instead. The data can follow
2503 the -F or be in the next argument. */
2504
2505 case 'F':
2506 if (*argrest == 0)
2507 {
2508 if(++i < argc) argrest = argv[i]; else
2509 { badarg = TRUE; break; }
2510 }
2511 originator_name = argrest;
2512 f.sender_name_forced = TRUE;
2513 break;
2514
2515
2516 /* -f: Set sender's address - this value is only actually used if Exim is
2517 run by a trusted user, or if untrusted_set_sender is set and matches the
2518 address, except that the null address can always be set by any user. The
2519 test for this happens later, when the value given here is ignored when not
2520 permitted. For an untrusted user, the actual sender is still put in Sender:
2521 if it doesn't match the From: header (unless no_local_from_check is set).
2522 The data can follow the -f or be in the next argument. The -r switch is an
2523 obsolete form of -f but since there appear to be programs out there that
2524 use anything that sendmail has ever supported, better accept it - the
2525 synonymizing is done before the switch above.
2526
2527 At this stage, we must allow domain literal addresses, because we don't
2528 know what the setting of allow_domain_literals is yet. Ditto for trailing
2529 dots and strip_trailing_dot. */
2530
2531 case 'f':
2532 {
2533 int dummy_start, dummy_end;
2534 uschar *errmess;
2535 if (*argrest == 0)
2536 {
2537 if (i+1 < argc) argrest = argv[++i]; else
2538 { badarg = TRUE; break; }
2539 }
2540 if (*argrest == 0)
2541 sender_address = string_sprintf(""); /* Ensure writeable memory */
2542 else
2543 {
2544 uschar *temp = argrest + Ustrlen(argrest) - 1;
2545 while (temp >= argrest && isspace(*temp)) temp--;
2546 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2547 allow_domain_literals = TRUE;
2548 strip_trailing_dot = TRUE;
2549 #ifdef SUPPORT_I18N
2550 allow_utf8_domains = TRUE;
2551 #endif
2552 sender_address = parse_extract_address(argrest, &errmess,
2553 &dummy_start, &dummy_end, &sender_address_domain, TRUE);
2554 #ifdef SUPPORT_I18N
2555 message_smtputf8 = string_is_utf8(sender_address);
2556 allow_utf8_domains = FALSE;
2557 #endif
2558 allow_domain_literals = FALSE;
2559 strip_trailing_dot = FALSE;
2560 if (!sender_address)
2561 exim_fail("exim: bad -f address \"%s\": %s\n", argrest, errmess);
2562 }
2563 f.sender_address_forced = TRUE;
2564 }
2565 break;
2566
2567 /* -G: sendmail invocation to specify that it's a gateway submission and
2568 sendmail may complain about problems instead of fixing them.
2569 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2570 not at this time complain about problems. */
2571
2572 case 'G':
2573 flag_G = TRUE;
2574 break;
2575
2576 /* -h: Set the hop count for an incoming message. Exim does not currently
2577 support this; it always computes it by counting the Received: headers.
2578 To put it in will require a change to the spool header file format. */
2579
2580 case 'h':
2581 if (*argrest == 0)
2582 {
2583 if(++i < argc) argrest = argv[i]; else
2584 { badarg = TRUE; break; }
2585 }
2586 if (!isdigit(*argrest)) badarg = TRUE;
2587 break;
2588
2589
2590 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2591 not to be documented for sendmail but mailx (at least) uses it) */
2592
2593 case 'i':
2594 if (*argrest == 0) f.dot_ends = FALSE; else badarg = TRUE;
2595 break;
2596
2597
2598 /* -L: set the identifier used for syslog; equivalent to setting
2599 syslog_processname in the config file, but needs to be an admin option. */
2600
2601 case 'L':
2602 if (*argrest == '\0')
2603 {
2604 if(++i < argc) argrest = argv[i]; else
2605 { badarg = TRUE; break; }
2606 }
2607 if ((sz = Ustrlen(argrest)) > 32)
2608 exim_fail("exim: the -L syslog name is too long: \"%s\"\n", argrest);
2609 if (sz < 1)
2610 exim_fail("exim: the -L syslog name is too short\n");
2611 cmdline_syslog_name = argrest;
2612 break;
2613
2614 case 'M':
2615 receiving_message = FALSE;
2616
2617 /* -MC: continue delivery of another message via an existing open
2618 file descriptor. This option is used for an internal call by the
2619 smtp transport when there is a pending message waiting to go to an
2620 address to which it has got a connection. Five subsequent arguments are
2621 required: transport name, host name, IP address, sequence number, and
2622 message_id. Transports may decline to create new processes if the sequence
2623 number gets too big. The channel is stdin. This (-MC) must be the last
2624 argument. There's a subsequent check that the real-uid is privileged.
2625
2626 If we are running in the test harness. delay for a bit, to let the process
2627 that set this one up complete. This makes for repeatability of the logging,
2628 etc. output. */
2629
2630 if (Ustrcmp(argrest, "C") == 0)
2631 {
2632 union sockaddr_46 interface_sock;
2633 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2634
2635 if (argc != i + 6)
2636 exim_fail("exim: too many or too few arguments after -MC\n");
2637
2638 if (msg_action_arg >= 0)
2639 exim_fail("exim: incompatible arguments\n");
2640
2641 continue_transport = argv[++i];
2642 continue_hostname = argv[++i];
2643 continue_host_address = argv[++i];
2644 continue_sequence = Uatoi(argv[++i]);
2645 msg_action = MSG_DELIVER;
2646 msg_action_arg = ++i;
2647 forced_delivery = TRUE;
2648 queue_run_pid = passed_qr_pid;
2649 queue_run_pipe = passed_qr_pipe;
2650
2651 if (!mac_ismsgid(argv[i]))
2652 exim_fail("exim: malformed message id %s after -MC option\n",
2653 argv[i]);
2654
2655 /* Set up $sending_ip_address and $sending_port, unless proxied */
2656
2657 if (!continue_proxy_cipher)
2658 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2659 &size) == 0)
2660 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2661 &sending_port);
2662 else
2663 exim_fail("exim: getsockname() failed after -MC option: %s\n",
2664 strerror(errno));
2665
2666 if (f.running_in_test_harness) millisleep(500);
2667 break;
2668 }
2669
2670 else if (*argrest == 'C' && argrest[1] && !argrest[2])
2671 {
2672 switch(argrest[1])
2673 {
2674 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2675 precedes -MC (see above). The flag indicates that the host to which
2676 Exim is connected has accepted an AUTH sequence. */
2677
2678 case 'A': f.smtp_authenticated = TRUE; break;
2679
2680 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2681 that exim is connected to supports the esmtp extension DSN */
2682
2683 case 'D': smtp_peer_options |= OPTION_DSN; break;
2684
2685 /* -MCG: set the queue name, to a non-default value */
2686
2687 case 'G': if (++i < argc) queue_name = string_copy(argv[i]);
2688 else badarg = TRUE;
2689 break;
2690
2691 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2692
2693 case 'K': smtp_peer_options |= OPTION_CHUNKING; break;
2694
2695 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2696 it preceded -MC (see above) */
2697
2698 case 'P': smtp_peer_options |= OPTION_PIPE; break;
2699
2700 /* -MCQ: pass on the pid of the queue-running process that started
2701 this chain of deliveries and the fd of its synchronizing pipe; this
2702 is useful only when it precedes -MC (see above) */
2703
2704 case 'Q': if (++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2705 else badarg = TRUE;
2706 if (++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2707 else badarg = TRUE;
2708 break;
2709
2710 /* -MCS: set the smtp_use_size flag; this is useful only when it
2711 precedes -MC (see above) */
2712
2713 case 'S': smtp_peer_options |= OPTION_SIZE; break;
2714
2715 #ifndef DISABLE_TLS
2716 /* -MCt: similar to -MCT below but the connection is still open
2717 via a proxy process which handles the TLS context and coding.
2718 Require three arguments for the proxied local address and port,
2719 and the TLS cipher. */
2720
2721 case 't': if (++i < argc) sending_ip_address = argv[i];
2722 else badarg = TRUE;
2723 if (++i < argc) sending_port = (int)(Uatol(argv[i]));
2724 else badarg = TRUE;
2725 if (++i < argc) continue_proxy_cipher = argv[i];
2726 else badarg = TRUE;
2727 /*FALLTHROUGH*/
2728
2729 /* -MCT: set the tls_offered flag; this is useful only when it
2730 precedes -MC (see above). The flag indicates that the host to which
2731 Exim is connected has offered TLS support. */
2732
2733 case 'T': smtp_peer_options |= OPTION_TLS; break;
2734 #endif
2735
2736 default: badarg = TRUE; break;
2737 }
2738 break;
2739 }
2740
2741 /* -M[x]: various operations on the following list of message ids:
2742 -M deliver the messages, ignoring next retry times and thawing
2743 -Mc deliver the messages, checking next retry times, no thawing
2744 -Mf freeze the messages
2745 -Mg give up on the messages
2746 -Mt thaw the messages
2747 -Mrm remove the messages
2748 In the above cases, this must be the last option. There are also the
2749 following options which are followed by a single message id, and which
2750 act on that message. Some of them use the "recipient" addresses as well.
2751 -Mar add recipient(s)
2752 -Mmad mark all recipients delivered
2753 -Mmd mark recipients(s) delivered
2754 -Mes edit sender
2755 -Mset load a message for use with -be
2756 -Mvb show body
2757 -Mvc show copy (of whole message, in RFC 2822 format)
2758 -Mvh show header
2759 -Mvl show log
2760 */
2761
2762 else if (*argrest == 0)
2763 {
2764 msg_action = MSG_DELIVER;
2765 forced_delivery = f.deliver_force_thaw = TRUE;
2766 }
2767 else if (Ustrcmp(argrest, "ar") == 0)
2768 {
2769 msg_action = MSG_ADD_RECIPIENT;
2770 one_msg_action = TRUE;
2771 }
2772 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2773 else if (Ustrcmp(argrest, "es") == 0)
2774 {
2775 msg_action = MSG_EDIT_SENDER;
2776 one_msg_action = TRUE;
2777 }
2778 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2779 else if (Ustrcmp(argrest, "g") == 0)
2780 {
2781 msg_action = MSG_DELIVER;
2782 deliver_give_up = TRUE;
2783 }
2784 else if (Ustrcmp(argrest, "mad") == 0)
2785 {
2786 msg_action = MSG_MARK_ALL_DELIVERED;
2787 }
2788 else if (Ustrcmp(argrest, "md") == 0)
2789 {
2790 msg_action = MSG_MARK_DELIVERED;
2791 one_msg_action = TRUE;
2792 }
2793 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2794 else if (Ustrcmp(argrest, "set") == 0)
2795 {
2796 msg_action = MSG_LOAD;
2797 one_msg_action = TRUE;
2798 }
2799 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2800 else if (Ustrcmp(argrest, "vb") == 0)
2801 {
2802 msg_action = MSG_SHOW_BODY;
2803 one_msg_action = TRUE;
2804 }
2805 else if (Ustrcmp(argrest, "vc") == 0)
2806 {
2807 msg_action = MSG_SHOW_COPY;
2808 one_msg_action = TRUE;
2809 }
2810 else if (Ustrcmp(argrest, "vh") == 0)
2811 {
2812 msg_action = MSG_SHOW_HEADER;
2813 one_msg_action = TRUE;
2814 }
2815 else if (Ustrcmp(argrest, "vl") == 0)
2816 {
2817 msg_action = MSG_SHOW_LOG;
2818 one_msg_action = TRUE;
2819 }
2820 else { badarg = TRUE; break; }
2821
2822 /* All the -Mxx options require at least one message id. */
2823
2824 msg_action_arg = i + 1;
2825 if (msg_action_arg >= argc)
2826 exim_fail("exim: no message ids given after %s option\n", arg);
2827
2828 /* Some require only message ids to follow */
2829
2830 if (!one_msg_action)
2831 {
2832 for (int j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2833 exim_fail("exim: malformed message id %s after %s option\n",
2834 argv[j], arg);
2835 goto END_ARG; /* Remaining args are ids */
2836 }
2837
2838 /* Others require only one message id, possibly followed by addresses,
2839 which will be handled as normal arguments. */
2840
2841 else
2842 {
2843 if (!mac_ismsgid(argv[msg_action_arg]))
2844 exim_fail("exim: malformed message id %s after %s option\n",
2845 argv[msg_action_arg], arg);
2846 i++;
2847 }
2848 break;
2849
2850
2851 /* Some programs seem to call the -om option without the leading o;
2852 for sendmail it askes for "me too". Exim always does this. */
2853
2854 case 'm':
2855 if (*argrest != 0) badarg = TRUE;
2856 break;
2857
2858
2859 /* -N: don't do delivery - a debugging option that stops transports doing
2860 their thing. It implies debugging at the D_v level. */
2861
2862 case 'N':
2863 if (*argrest == 0)
2864 {
2865 f.dont_deliver = TRUE;
2866 debug_selector |= D_v;
2867 debug_file = stderr;
2868 }
2869 else badarg = TRUE;
2870 break;
2871
2872
2873 /* -n: This means "don't alias" in sendmail, apparently.
2874 For normal invocations, it has no effect.
2875 It may affect some other options. */
2876
2877 case 'n':
2878 flag_n = TRUE;
2879 break;
2880
2881 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2882 option to the specified value. This form uses long names. We need to handle
2883 -O option=value and -Ooption=value. */
2884
2885 case 'O':
2886 if (*argrest == 0)
2887 {
2888 if (++i >= argc)
2889 exim_fail("exim: string expected after -O\n");
2890 }
2891 break;
2892
2893 case 'o':
2894
2895 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2896 file" option). */
2897
2898 if (*argrest == 'A')
2899 {
2900 alias_arg = argrest + 1;
2901 if (alias_arg[0] == 0)
2902 {
2903 if (i+1 < argc) alias_arg = argv[++i]; else
2904 exim_fail("exim: string expected after -oA\n");
2905 }
2906 }
2907
2908 /* -oB: Set a connection message max value for remote deliveries */
2909
2910 else if (*argrest == 'B')
2911 {
2912 uschar *p = argrest + 1;
2913 if (p[0] == 0)
2914 {
2915 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2916 {
2917 connection_max_messages = 1;
2918 p = NULL;
2919 }
2920 }
2921
2922 if (p != NULL)
2923 {
2924 if (!isdigit(*p))
2925 exim_fail("exim: number expected after -oB\n");
2926 connection_max_messages = Uatoi(p);
2927 }
2928 }
2929
2930 /* -odb: background delivery */
2931
2932 else if (Ustrcmp(argrest, "db") == 0)
2933 {
2934 f.synchronous_delivery = FALSE;
2935 arg_queue_only = FALSE;
2936 queue_only_set = TRUE;
2937 }
2938
2939 /* -odf: foreground delivery (smail-compatible option); same effect as
2940 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2941 */
2942
2943 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2944 {
2945 f.synchronous_delivery = TRUE;
2946 arg_queue_only = FALSE;
2947 queue_only_set = TRUE;
2948 }
2949
2950 /* -odq: queue only */
2951
2952 else if (Ustrcmp(argrest, "dq") == 0)
2953 {
2954 f.synchronous_delivery = FALSE;
2955 arg_queue_only = TRUE;
2956 queue_only_set = TRUE;
2957 }
2958
2959 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2960 but no remote delivery */
2961
2962 else if (Ustrcmp(argrest, "dqs") == 0)
2963 {
2964 f.queue_smtp = TRUE;
2965 arg_queue_only = FALSE;
2966 queue_only_set = TRUE;
2967 }
2968
2969 /* -oex: Sendmail error flags. As these are also accepted without the
2970 leading -o prefix, for compatibility with vacation and other callers,
2971 they are handled with -e above. */
2972
2973 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2974 -oitrue: Another sendmail syntax for the same */
2975
2976 else if (Ustrcmp(argrest, "i") == 0 ||
2977 Ustrcmp(argrest, "itrue") == 0)
2978 f.dot_ends = FALSE;
2979
2980 /* -oM*: Set various characteristics for an incoming message; actually
2981 acted on for trusted callers only. */
2982
2983 else if (*argrest == 'M')
2984 {
2985 if (i+1 >= argc)
2986 exim_fail("exim: data expected after -o%s\n", argrest);
2987
2988 /* -oMa: Set sender host address */
2989
2990 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2991
2992 /* -oMaa: Set authenticator name */
2993
2994 else if (Ustrcmp(argrest, "Maa") == 0)
2995 sender_host_authenticated = argv[++i];
2996
2997 /* -oMas: setting authenticated sender */
2998
2999 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
3000
3001 /* -oMai: setting authenticated id */
3002
3003 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
3004
3005 /* -oMi: Set incoming interface address */
3006
3007 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
3008
3009 /* -oMm: Message reference */
3010
3011 else if (Ustrcmp(argrest, "Mm") == 0)
3012 {
3013 if (!mac_ismsgid(argv[i+1]))
3014 exim_fail("-oMm must be a valid message ID\n");
3015 if (!f.trusted_config)
3016 exim_fail("-oMm must be called by a trusted user/config\n");
3017 message_reference = argv[++i];
3018 }
3019
3020 /* -oMr: Received protocol */
3021
3022 else if (Ustrcmp(argrest, "Mr") == 0)
3023
3024 if (received_protocol)
3025 exim_fail("received_protocol is set already\n");
3026 else
3027 received_protocol = argv[++i];
3028
3029 /* -oMs: Set sender host name */
3030
3031 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
3032
3033 /* -oMt: Set sender ident */
3034
3035 else if (Ustrcmp(argrest, "Mt") == 0)
3036 {
3037 sender_ident_set = TRUE;
3038 sender_ident = argv[++i];
3039 }
3040
3041 /* Else a bad argument */
3042
3043 else
3044 {
3045 badarg = TRUE;
3046 break;
3047 }
3048 }
3049
3050 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3051 seem to call this as -m (undocumented), so that is also accepted (see
3052 above). */
3053
3054 else if (Ustrcmp(argrest, "m") == 0) {}
3055
3056 /* -oo: An ancient flag for old-style addresses which still seems to
3057 crop up in some calls (see in SCO). */
3058
3059 else if (Ustrcmp(argrest, "o") == 0) {}
3060
3061 /* -oP <name>: set pid file path for daemon */
3062
3063 else if (Ustrcmp(argrest, "P") == 0)
3064 override_pid_file_path = argv[++i];
3065
3066 /* -or <n>: set timeout for non-SMTP acceptance
3067 -os <n>: set timeout for SMTP acceptance */
3068
3069 else if (*argrest == 'r' || *argrest == 's')
3070 {
3071 int *tp = (*argrest == 'r')?
3072 &arg_receive_timeout : &arg_smtp_receive_timeout;
3073 if (argrest[1] == 0)
3074 {
3075 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
3076 }
3077 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
3078 if (*tp < 0)
3079 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3080 }
3081
3082 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3083
3084 else if (Ustrcmp(argrest, "X") == 0)
3085 override_local_interfaces = argv[++i];
3086
3087 /* Unknown -o argument */
3088
3089 else badarg = TRUE;
3090 break;
3091
3092
3093 /* -ps: force Perl startup; -pd force delayed Perl startup */
3094
3095 case 'p':
3096 #ifdef EXIM_PERL
3097 if (*argrest == 's' && argrest[1] == 0)
3098 {
3099 perl_start_option = 1;
3100 break;
3101 }
3102 if (*argrest == 'd' && argrest[1] == 0)
3103 {
3104 perl_start_option = -1;
3105 break;
3106 }
3107 #endif
3108
3109 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3110 which sets the host protocol and host name */
3111
3112 if (*argrest == 0)
3113 if (i+1 < argc)
3114 argrest = argv[++i];
3115 else
3116 { badarg = TRUE; break; }
3117
3118 if (*argrest != 0)
3119 {
3120 uschar *hn;
3121
3122 if (received_protocol)
3123 exim_fail("received_protocol is set already\n");
3124
3125 hn = Ustrchr(argrest, ':');
3126 if (hn == NULL)
3127 received_protocol = argrest;
3128 else
3129 {
3130 int old_pool = store_pool;
3131 store_pool = POOL_PERM;
3132 received_protocol = string_copyn(argrest, hn - argrest);
3133 store_pool = old_pool;
3134 sender_host_name = hn + 1;
3135 }
3136 }
3137 break;
3138
3139
3140 case 'q':
3141 receiving_message = FALSE;
3142 if (queue_interval >= 0)
3143 exim_fail("exim: -q specified more than once\n");
3144
3145 /* -qq...: Do queue runs in a 2-stage manner */
3146
3147 if (*argrest == 'q')
3148 {
3149 f.queue_2stage = TRUE;
3150 argrest++;
3151 }
3152
3153 /* -qi...: Do only first (initial) deliveries */
3154
3155 if (*argrest == 'i')
3156 {
3157 f.queue_run_first_delivery = TRUE;
3158 argrest++;
3159 }
3160
3161 /* -qf...: Run the queue, forcing deliveries
3162 -qff..: Ditto, forcing thawing as well */
3163
3164 if (*argrest == 'f')
3165 {
3166 f.queue_run_force = TRUE;
3167 if (*++argrest == 'f')
3168 {
3169 f.deliver_force_thaw = TRUE;
3170 argrest++;
3171 }
3172 }
3173
3174 /* -q[f][f]l...: Run the queue only on local deliveries */
3175
3176 if (*argrest == 'l')
3177 {
3178 f.queue_run_local = TRUE;
3179 argrest++;
3180 }
3181
3182 /* -q[f][f][l][G<name>]... Work on the named queue */
3183
3184 if (*argrest == 'G')
3185 {
3186 int i;
3187 for (argrest++, i = 0; argrest[i] && argrest[i] != '/'; ) i++;
3188 queue_name = string_copyn(argrest, i);
3189 argrest += i;
3190 if (*argrest == '/') argrest++;
3191 }
3192
3193 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3194 only, optionally named, optionally starting from a given message id. */
3195
3196 if (!(list_queue || count_queue))
3197 if (*argrest == 0
3198 && (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3199 {
3200 queue_interval = 0;
3201 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3202 start_queue_run_id = argv[++i];
3203 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3204 stop_queue_run_id = argv[++i];
3205 }
3206
3207 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3208 forced, optionally local only, optionally named. */
3209
3210 else if ((queue_interval = readconf_readtime(*argrest ? argrest : argv[++i],
3211 0, FALSE)) <= 0)
3212 exim_fail("exim: bad time value %s: abandoned\n", argv[i]);
3213 break;
3214
3215
3216 case 'R': /* Synonymous with -qR... */
3217 receiving_message = FALSE;
3218
3219 /* -Rf: As -R (below) but force all deliveries,
3220 -Rff: Ditto, but also thaw all frozen messages,
3221 -Rr: String is regex
3222 -Rrf: Regex and force
3223 -Rrff: Regex and force and thaw
3224
3225 in all cases provided there are no further characters in this
3226 argument. */
3227
3228 if (*argrest != 0)
3229 for (int i = 0; i < nelem(rsopts); i++)
3230 if (Ustrcmp(argrest, rsopts[i]) == 0)
3231 {
3232 if (i != 2) f.queue_run_force = TRUE;
3233 if (i >= 2) f.deliver_selectstring_regex = TRUE;
3234 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3235 argrest += Ustrlen(rsopts[i]);
3236 }
3237
3238 /* -R: Set string to match in addresses for forced queue run to
3239 pick out particular messages. */
3240
3241 if (*argrest)
3242 deliver_selectstring = argrest;
3243 else if (i+1 < argc)
3244 deliver_selectstring = argv[++i];
3245 else
3246 exim_fail("exim: string expected after -R\n");
3247 break;
3248
3249
3250 /* -r: an obsolete synonym for -f (see above) */
3251
3252
3253 /* -S: Like -R but works on sender. */
3254
3255 case 'S': /* Synonymous with -qS... */
3256 receiving_message = FALSE;
3257
3258 /* -Sf: As -S (below) but force all deliveries,
3259 -Sff: Ditto, but also thaw all frozen messages,
3260 -Sr: String is regex
3261 -Srf: Regex and force
3262 -Srff: Regex and force and thaw
3263
3264 in all cases provided there are no further characters in this
3265 argument. */
3266
3267 if (*argrest)
3268 for (int i = 0; i < nelem(rsopts); i++)
3269 if (Ustrcmp(argrest, rsopts[i]) == 0)
3270 {
3271 if (i != 2) f.queue_run_force = TRUE;
3272 if (i >= 2) f.deliver_selectstring_sender_regex = TRUE;
3273 if (i == 1 || i == 4) f.deliver_force_thaw = TRUE;
3274 argrest += Ustrlen(rsopts[i]);
3275 }
3276
3277 /* -S: Set string to match in addresses for forced queue run to
3278 pick out particular messages. */
3279
3280 if (*argrest)
3281 deliver_selectstring_sender = argrest;
3282 else if (i+1 < argc)
3283 deliver_selectstring_sender = argv[++i];
3284 else
3285 exim_fail("exim: string expected after -S\n");
3286 break;
3287
3288 /* -Tqt is an option that is exclusively for use by the testing suite.
3289 It is not recognized in other circumstances. It allows for the setting up
3290 of explicit "queue times" so that various warning/retry things can be
3291 tested. Otherwise variability of clock ticks etc. cause problems. */
3292
3293 case 'T':
3294 if (f.running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3295 fudged_queue_times = argv[++i];
3296 else badarg = TRUE;
3297 break;
3298
3299
3300 /* -t: Set flag to extract recipients from body of message. */
3301
3302 case 't':
3303 if (*argrest == 0) extract_recipients = TRUE;
3304
3305 /* -ti: Set flag to extract recipients from body of message, and also
3306 specify that dot does not end the message. */
3307
3308 else if (Ustrcmp(argrest, "i") == 0)
3309 {
3310 extract_recipients = TRUE;
3311 f.dot_ends = FALSE;
3312 }
3313
3314 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3315
3316 #ifndef DISABLE_TLS
3317 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
3318 #endif
3319
3320 else badarg = TRUE;
3321 break;
3322
3323
3324 /* -U: This means "initial user submission" in sendmail, apparently. The
3325 doc claims that in future sendmail may refuse syntactically invalid
3326 messages instead of fixing them. For the moment, we just ignore it. */
3327
3328 case 'U':
3329 break;
3330
3331
3332 /* -v: verify things - this is a very low-level debugging */
3333
3334 case 'v':
3335 if (*argrest == 0)
3336 {
3337 debug_selector |= D_v;
3338 debug_file = stderr;
3339 }
3340 else badarg = TRUE;
3341 break;
3342
3343
3344 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3345
3346 The -x flag tells the sendmail command that mail from a local
3347 mail program has National Language Support (NLS) extended characters
3348 in the body of the mail item. The sendmail command can send mail with
3349 extended NLS characters across networks that normally corrupts these
3350 8-bit characters.
3351
3352 As Exim is 8-bit clean, it just ignores this flag. */
3353
3354 case 'x':
3355 if (*argrest != 0) badarg = TRUE;
3356 break;
3357
3358 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3359 logs to that file. We swallow the parameter and otherwise ignore it. */
3360
3361 case 'X':
3362 if (*argrest == '\0')
3363 if (++i >= argc)
3364 exim_fail("exim: string expected after -X\n");
3365 break;
3366
3367 case 'z':
3368 if (*argrest == '\0')
3369 if (++i < argc)
3370 log_oneline = argv[i];
3371 else
3372 exim_fail("exim: file name expected after %s\n", argv[i-1]);
3373 break;
3374
3375 /* All other initial characters are errors */
3376
3377 default:
3378 badarg = TRUE;
3379 break;
3380 } /* End of high-level switch statement */
3381
3382 /* Failed to recognize the option, or syntax error */
3383
3384 if (badarg)
3385 exim_fail("exim abandoned: unknown, malformed, or incomplete "
3386 "option %s\n", arg);
3387 }
3388
3389
3390 /* If -R or -S have been specified without -q, assume a single queue run. */
3391
3392 if ( (deliver_selectstring || deliver_selectstring_sender)
3393 && queue_interval < 0)
3394 queue_interval = 0;
3395
3396
3397 END_ARG:
3398 /* If usage_wanted is set we call the usage function - which never returns */
3399 if (usage_wanted) exim_usage(called_as);
3400
3401 /* Arguments have been processed. Check for incompatibilities. */
3402 if ((
3403 (smtp_input || extract_recipients || recipients_arg < argc) &&
3404 (f.daemon_listen || queue_interval >= 0 || bi_option ||
3405 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3406 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3407 ) ||
3408 (
3409 msg_action_arg > 0 &&
3410 (f.daemon_listen || queue_interval > 0 || list_options ||
3411 (checking && msg_action != MSG_LOAD) ||
3412 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3413 ) ||
3414 (
3415 (f.daemon_listen || queue_interval > 0) &&
3416 (sender_address != NULL || list_options || list_queue || checking ||
3417 bi_option)
3418 ) ||
3419 (
3420 f.daemon_listen && queue_interval == 0
3421 ) ||
3422 (
3423 f.inetd_wait_mode && queue_interval >= 0
3424 ) ||
3425 (
3426 list_options &&
3427 (checking || smtp_input || extract_recipients ||
3428 filter_test != FTEST_NONE || bi_option)
3429 ) ||
3430 (
3431 verify_address_mode &&
3432 (f.address_test_mode || smtp_input || extract_recipients ||
3433 filter_test != FTEST_NONE || bi_option)
3434 ) ||
3435 (
3436 f.address_test_mode && (smtp_input || extract_recipients ||
3437 filter_test != FTEST_NONE || bi_option)
3438 ) ||
3439 (
3440 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3441 extract_recipients)
3442 ) ||
3443 (
3444 deliver_selectstring != NULL && queue_interval < 0
3445 ) ||
3446 (
3447 msg_action == MSG_LOAD &&
3448 (!expansion_test || expansion_test_message != NULL)
3449 )
3450 )
3451 exim_fail("exim: incompatible command-line options or arguments\n");
3452
3453 /* If debugging is set up, set the file and the file descriptor to pass on to
3454 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3455 to run in the foreground. */
3456
3457 if (debug_selector != 0)
3458 {
3459 debug_file = stderr;
3460 debug_fd = fileno(debug_file);
3461 f.background_daemon = FALSE;
3462 if (f.running_in_test_harness) millisleep(100); /* lets caller finish */
3463 if (debug_selector != D_v) /* -v only doesn't show this */
3464 {
3465 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3466 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3467 debug_selector);
3468 if (!version_printed)
3469 show_whats_supported(stderr);
3470 }
3471 }
3472
3473 /* When started with root privilege, ensure that the limits on the number of
3474 open files and the number of processes (where that is accessible) are
3475 sufficiently large, or are unset, in case Exim has been called from an
3476 environment where the limits are screwed down. Not all OS have the ability to
3477 change some of these limits. */
3478
3479 if (unprivileged)
3480 {
3481 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3482 }
3483 else
3484 {
3485 struct rlimit rlp;
3486
3487 #ifdef RLIMIT_NOFILE
3488 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3489 {
3490 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3491 strerror(errno));
3492 rlp.rlim_cur = rlp.rlim_max = 0;
3493 }
3494
3495 /* I originally chose 1000 as a nice big number that was unlikely to
3496 be exceeded. It turns out that some older OS have a fixed upper limit of
3497 256. */
3498
3499 if (rlp.rlim_cur < 1000)
3500 {
3501 rlp.rlim_cur = rlp.rlim_max = 1000;
3502 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3503 {
3504 rlp.rlim_cur = rlp.rlim_max = 256;
3505 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3506 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3507 strerror(errno));
3508 }
3509 }
3510 #endif
3511
3512 #ifdef RLIMIT_NPROC
3513