1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* See the file NOTICE for conditions of use and distribution. */
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
15 #if defined(__GLIBC__) && !defined(__UCLIBC__)
16 # include <gnu/libc-version.h>
20 # include <gnutls/gnutls.h>
21 # if GNUTLS_VERSION_NUMBER < 0x030103 && !defined(DISABLE_OCSP)
26 extern void init_lookup_list(void);
30 /*************************************************
31 * Function interface to store functions *
32 *************************************************/
34 /* We need some real functions to pass to the PCRE regular expression library
35 for store allocation via Exim's store manager. The normal calls are actually
36 macros that pass over location information to make tracing easier. These
37 functions just interface to the standard macro calls. A good compiler will
38 optimize out the tail recursion and so not make them too expensive. There
39 are two sets of functions; one for use when we want to retain the compiled
40 regular expression for a long time; the other for short-term use. */
43 function_store_get(size_t size
)
45 return store_get((int)size
);
49 function_dummy_free(void *block
) { block
= block
; }
52 function_store_malloc(size_t size
)
54 return store_malloc((int)size
);
58 function_store_free(void *block
)
66 /*************************************************
67 * Enums for cmdline interface *
68 *************************************************/
70 enum commandline_info
{ CMDINFO_NONE
=0,
71 CMDINFO_HELP
, CMDINFO_SIEVE
, CMDINFO_DSCP
};
76 /*************************************************
77 * Compile regular expression and panic on fail *
78 *************************************************/
80 /* This function is called when failure to compile a regular expression leads
81 to a panic exit. In other cases, pcre_compile() is called directly. In many
82 cases where this function is used, the results of the compilation are to be
83 placed in long-lived store, so we temporarily reset the store management
84 functions that PCRE uses if the use_malloc flag is set.
87 pattern the pattern to compile
88 caseless TRUE if caseless matching is required
89 use_malloc TRUE if compile into malloc store
91 Returns: pointer to the compiled pattern
95 regex_must_compile(const uschar
*pattern
, BOOL caseless
, BOOL use_malloc
)
98 int options
= PCRE_COPT
;
103 pcre_malloc
= function_store_malloc
;
104 pcre_free
= function_store_free
;
106 if (caseless
) options
|= PCRE_CASELESS
;
107 yield
= pcre_compile(CCS pattern
, options
, (const char **)&error
, &offset
, NULL
);
108 pcre_malloc
= function_store_get
;
109 pcre_free
= function_dummy_free
;
111 log_write(0, LOG_MAIN
|LOG_PANIC_DIE
, "regular expression error: "
112 "%s at offset %d while compiling %s", error
, offset
, pattern
);
119 /*************************************************
120 * Execute regular expression and set strings *
121 *************************************************/
123 /* This function runs a regular expression match, and sets up the pointers to
124 the matched substrings.
127 re the compiled expression
128 subject the subject string
129 options additional PCRE options
130 setup if < 0 do full setup
131 if >= 0 setup from setup+1 onwards,
132 excluding the full matched string
134 Returns: TRUE or FALSE
138 regex_match_and_setup(const pcre
*re
, const uschar
*subject
, int options
, int setup
)
140 int ovector
[3*(EXPAND_MAXN
+1)];
141 uschar
* s
= string_copy(subject
); /* de-constifying */
142 int n
= pcre_exec(re
, NULL
, CS s
, Ustrlen(s
), 0,
143 PCRE_EOPT
| options
, ovector
, sizeof(ovector
)/sizeof(int));
145 if (n
== 0) n
= EXPAND_MAXN
+ 1;
149 expand_nmax
= (setup
< 0)?
0 : setup
+ 1;
150 for (nn
= (setup
< 0)?
0 : 2; nn
< n
*2; nn
+= 2)
152 expand_nstring
[expand_nmax
] = s
+ ovector
[nn
];
153 expand_nlength
[expand_nmax
++] = ovector
[nn
+1] - ovector
[nn
];
163 /*************************************************
164 * Set up processing details *
165 *************************************************/
167 /* Save a text string for dumping when SIGUSR1 is received.
168 Do checks for overruns.
170 Arguments: format and arguments, as for printf()
175 set_process_info(const char *format
, ...)
177 int len
= sprintf(CS process_info
, "%5d ", (int)getpid());
179 va_start(ap
, format
);
180 if (!string_vformat(process_info
+ len
, PROCESS_INFO_SIZE
- len
- 2, format
, ap
))
181 Ustrcpy(process_info
+ len
, "**** string overflowed buffer ****");
182 len
= Ustrlen(process_info
);
183 process_info
[len
+0] = '\n';
184 process_info
[len
+1] = '\0';
185 process_info_len
= len
+ 1;
186 DEBUG(D_process_info
) debug_printf("set_process_info: %s", process_info
);
193 /*************************************************
194 * Handler for SIGUSR1 *
195 *************************************************/
197 /* SIGUSR1 causes any exim process to write to the process log details of
198 what it is currently doing. It will only be used if the OS is capable of
199 setting up a handler that causes automatic restarting of any system call
200 that is in progress at the time.
202 This function takes care to be signal-safe.
204 Argument: the signal number (SIGUSR1)
209 usr1_handler(int sig
)
213 os_restarting_signal(sig
, usr1_handler
);
215 if ((fd
= Uopen(process_log_path
, O_APPEND
|O_WRONLY
, LOG_MODE
)) < 0)
217 /* If we are already running as the Exim user, try to create it in the
218 current process (assuming spool_directory exists). Otherwise, if we are
219 root, do the creation in an exim:exim subprocess. */
221 int euid
= geteuid();
222 if (euid
== exim_uid
)
223 fd
= Uopen(process_log_path
, O_CREAT
|O_APPEND
|O_WRONLY
, LOG_MODE
);
224 else if (euid
== root_uid
)
225 fd
= log_create_as_exim(process_log_path
);
228 /* If we are neither exim nor root, or if we failed to create the log file,
229 give up. There is not much useful we can do with errors, since we don't want
230 to disrupt whatever is going on outside the signal handler. */
234 (void)write(fd
, process_info
, process_info_len
);
240 /*************************************************
242 *************************************************/
244 /* This handler is enabled most of the time that Exim is running. The handler
245 doesn't actually get used unless alarm() has been called to set a timer, to
246 place a time limit on a system call of some kind. When the handler is run, it
249 There are some other SIGALRM handlers that are used in special cases when more
250 than just a flag setting is required; for example, when reading a message's
251 input. These are normally set up in the code module that uses them, and the
252 SIGALRM handler is reset to this one afterwards.
254 Argument: the signal value (SIGALRM)
259 sigalrm_handler(int sig
)
261 sig
= sig
; /* Keep picky compilers happy */
263 os_non_restarting_signal(SIGALRM
, sigalrm_handler
);
268 /*************************************************
269 * Sleep for a fractional time interval *
270 *************************************************/
272 /* This function is called by millisleep() and exim_wait_tick() to wait for a
273 period of time that may include a fraction of a second. The coding is somewhat
274 tedious. We do not expect setitimer() ever to fail, but if it does, the process
275 will wait for ever, so we panic in this instance. (There was a case of this
276 when a bug in a function that calls milliwait() caused it to pass invalid data.
277 That's when I added the check. :-)
279 We assume it to be not worth sleeping for under 100us; this value will
280 require revisiting as hardware advances. This avoids the issue of
281 a zero-valued timer setting meaning "never fire".
283 Argument: an itimerval structure containing the interval
288 milliwait(struct itimerval
*itval
)
291 sigset_t old_sigmask
;
293 if (itval
->it_value
.tv_usec
< 100 && itval
->it_value
.tv_sec
== 0)
295 (void)sigemptyset(&sigmask
); /* Empty mask */
296 (void)sigaddset(&sigmask
, SIGALRM
); /* Add SIGALRM */
297 (void)sigprocmask(SIG_BLOCK
, &sigmask
, &old_sigmask
); /* Block SIGALRM */
298 if (setitimer(ITIMER_REAL
, itval
, NULL
) < 0) /* Start timer */
299 log_write(0, LOG_MAIN
|LOG_PANIC_DIE
,
300 "setitimer() failed: %s", strerror(errno
));
301 (void)sigfillset(&sigmask
); /* All signals */
302 (void)sigdelset(&sigmask
, SIGALRM
); /* Remove SIGALRM */
303 (void)sigsuspend(&sigmask
); /* Until SIGALRM */
304 (void)sigprocmask(SIG_SETMASK
, &old_sigmask
, NULL
); /* Restore mask */
310 /*************************************************
311 * Millisecond sleep function *
312 *************************************************/
314 /* The basic sleep() function has a granularity of 1 second, which is too rough
315 in some cases - for example, when using an increasing delay to slow down
318 Argument: number of millseconds
325 struct itimerval itval
;
326 itval
.it_interval
.tv_sec
= 0;
327 itval
.it_interval
.tv_usec
= 0;
328 itval
.it_value
.tv_sec
= msec
/1000;
329 itval
.it_value
.tv_usec
= (msec
% 1000) * 1000;
335 /*************************************************
336 * Compare microsecond times *
337 *************************************************/
344 Returns: -1, 0, or +1
348 exim_tvcmp(struct timeval
*t1
, struct timeval
*t2
)
350 if (t1
->tv_sec
> t2
->tv_sec
) return +1;
351 if (t1
->tv_sec
< t2
->tv_sec
) return -1;
352 if (t1
->tv_usec
> t2
->tv_usec
) return +1;
353 if (t1
->tv_usec
< t2
->tv_usec
) return -1;
360 /*************************************************
361 * Clock tick wait function *
362 *************************************************/
364 /* Exim uses a time + a pid to generate a unique identifier in two places: its
365 message IDs, and in file names for maildir deliveries. Because some OS now
366 re-use pids within the same second, sub-second times are now being used.
367 However, for absolute certainty, we must ensure the clock has ticked before
368 allowing the relevant process to complete. At the time of implementation of
369 this code (February 2003), the speed of processors is such that the clock will
370 invariably have ticked already by the time a process has done its job. This
371 function prepares for the time when things are faster - and it also copes with
372 clocks that go backwards.
375 then_tv A timeval which was used to create uniqueness; its usec field
376 has been rounded down to the value of the resolution.
377 We want to be sure the current time is greater than this.
378 resolution The resolution that was used to divide the microseconds
379 (1 for maildir, larger for message ids)
385 exim_wait_tick(struct timeval
*then_tv
, int resolution
)
387 struct timeval now_tv
;
388 long int now_true_usec
;
390 (void)gettimeofday(&now_tv
, NULL
);
391 now_true_usec
= now_tv
.tv_usec
;
392 now_tv
.tv_usec
= (now_true_usec
/resolution
) * resolution
;
394 if (exim_tvcmp(&now_tv
, then_tv
) <= 0)
396 struct itimerval itval
;
397 itval
.it_interval
.tv_sec
= 0;
398 itval
.it_interval
.tv_usec
= 0;
399 itval
.it_value
.tv_sec
= then_tv
->tv_sec
- now_tv
.tv_sec
;
400 itval
.it_value
.tv_usec
= then_tv
->tv_usec
+ resolution
- now_true_usec
;
402 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
403 negative value for the microseconds is possible only in the case when "now"
404 is more than a second less than "then". That means that itval.it_value.tv_sec
405 is greater than zero. The following correction is therefore safe. */
407 if (itval
.it_value
.tv_usec
< 0)
409 itval
.it_value
.tv_usec
+= 1000000;
410 itval
.it_value
.tv_sec
-= 1;
413 DEBUG(D_transport
|D_receive
)
415 if (!running_in_test_harness
)
417 debug_printf("tick check: " TIME_T_FMT
".%06lu " TIME_T_FMT
".%06lu\n",
418 then_tv
->tv_sec
, (long) then_tv
->tv_usec
,
419 now_tv
.tv_sec
, (long) now_tv
.tv_usec
);
420 debug_printf("waiting " TIME_T_FMT
".%06lu\n",
421 itval
.it_value
.tv_sec
, (long) itval
.it_value
.tv_usec
);
432 /*************************************************
433 * Call fopen() with umask 777 and adjust mode *
434 *************************************************/
436 /* Exim runs with umask(0) so that files created with open() have the mode that
437 is specified in the open() call. However, there are some files, typically in
438 the spool directory, that are created with fopen(). They end up world-writeable
439 if no precautions are taken. Although the spool directory is not accessible to
440 the world, this is an untidiness. So this is a wrapper function for fopen()
441 that sorts out the mode of the created file.
444 filename the file name
445 options the fopen() options
446 mode the required mode
448 Returns: the fopened FILE or NULL
452 modefopen(const uschar
*filename
, const char *options
, mode_t mode
)
454 mode_t saved_umask
= umask(0777);
455 FILE *f
= Ufopen(filename
, options
);
456 (void)umask(saved_umask
);
457 if (f
!= NULL
) (void)fchmod(fileno(f
), mode
);
464 /*************************************************
465 * Ensure stdin, stdout, and stderr exist *
466 *************************************************/
468 /* Some operating systems grumble if an exec() happens without a standard
469 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
470 file will be opened and will use these fd values, and then some other bit of
471 code will assume, for example, that it can write error messages to stderr.
472 This function ensures that fds 0, 1, and 2 are open if they do not already
473 exist, by connecting them to /dev/null.
475 This function is also used to ensure that std{in,out,err} exist at all times,
476 so that if any library that Exim calls tries to use them, it doesn't crash.
488 for (i
= 0; i
<= 2; i
++)
490 if (fstat(i
, &statbuf
) < 0 && errno
== EBADF
)
492 if (devnull
< 0) devnull
= open("/dev/null", O_RDWR
);
493 if (devnull
< 0) log_write(0, LOG_MAIN
|LOG_PANIC_DIE
, "%s",
494 string_open_failed(errno
, "/dev/null"));
495 if (devnull
!= i
) (void)dup2(devnull
, i
);
498 if (devnull
> 2) (void)close(devnull
);
504 /*************************************************
505 * Close unwanted file descriptors for delivery *
506 *************************************************/
508 /* This function is called from a new process that has been forked to deliver
509 an incoming message, either directly, or using exec.
511 We want any smtp input streams to be closed in this new process. However, it
512 has been observed that using fclose() here causes trouble. When reading in -bS
513 input, duplicate copies of messages have been seen. The files will be sharing a
514 file pointer with the parent process, and it seems that fclose() (at least on
515 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
516 least sometimes. Hence we go for closing the underlying file descriptors.
518 If TLS is active, we want to shut down the TLS library, but without molesting
519 the parent's SSL connection.
521 For delivery of a non-SMTP message, we want to close stdin and stdout (and
522 stderr unless debugging) because the calling process might have set them up as
523 pipes and be waiting for them to close before it waits for the submission
524 process to terminate. If they aren't closed, they hold up the calling process
525 until the initial delivery process finishes, which is not what we want.
527 Exception: We do want it for synchronous delivery!
529 And notwithstanding all the above, if D_resolver is set, implying resolver
530 debugging, leave stdout open, because that's where the resolver writes its
533 When we close stderr (which implies we've also closed stdout), we also get rid
534 of any controlling terminal.
546 tls_close(TRUE
, FALSE
); /* Shut down the TLS library */
548 (void)close(fileno(smtp_in
));
549 (void)close(fileno(smtp_out
));
554 (void)close(0); /* stdin */
555 if ((debug_selector
& D_resolver
) == 0) (void)close(1); /* stdout */
556 if (debug_selector
== 0) /* stderr */
558 if (!synchronous_delivery
)
571 /*************************************************
573 *************************************************/
575 /* This function sets a new uid and gid permanently, optionally calling
576 initgroups() to set auxiliary groups. There are some special cases when running
577 Exim in unprivileged modes. In these situations the effective uid will not be
578 root; if we already have the right effective uid/gid, and don't need to
579 initialize any groups, leave things as they are.
584 igflag TRUE if initgroups() wanted
585 msg text to use in debugging output and failure log
587 Returns: nothing; bombs out on failure
591 exim_setugid(uid_t uid
, gid_t gid
, BOOL igflag
, uschar
*msg
)
593 uid_t euid
= geteuid();
594 gid_t egid
= getegid();
596 if (euid
== root_uid
|| euid
!= uid
|| egid
!= gid
|| igflag
)
598 /* At least one OS returns +1 for initgroups failure, so just check for
603 struct passwd
*pw
= getpwuid(uid
);
606 if (initgroups(pw
->pw_name
, gid
) != 0)
607 log_write(0,LOG_MAIN
|LOG_PANIC_DIE
,"initgroups failed for uid=%ld: %s",
608 (long int)uid
, strerror(errno
));
610 else log_write(0, LOG_MAIN
|LOG_PANIC_DIE
, "cannot run initgroups(): "
611 "no passwd entry for uid=%ld", (long int)uid
);
614 if (setgid(gid
) < 0 || setuid(uid
) < 0)
616 log_write(0, LOG_MAIN
|LOG_PANIC_DIE
, "unable to set gid=%ld or uid=%ld "
617 "(euid=%ld): %s", (long int)gid
, (long int)uid
, (long int)euid
, msg
);
621 /* Debugging output included uid/gid and all groups */
625 int group_count
, save_errno
;
626 gid_t group_list
[NGROUPS_MAX
];
627 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg
,
628 (long int)geteuid(), (long int)getegid(), (long int)getpid());
629 group_count
= getgroups(NGROUPS_MAX
, group_list
);
631 debug_printf(" auxiliary group list:");
635 for (i
= 0; i
< group_count
; i
++) debug_printf(" %d", (int)group_list
[i
]);
637 else if (group_count
< 0)
638 debug_printf(" <error: %s>", strerror(save_errno
));
639 else debug_printf(" <none>");
647 /*************************************************
649 *************************************************/
651 /* Exim exits via this function so that it always clears up any open
657 Returns: does not return
661 exim_exit(int rc
, const uschar
* process
)
665 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d %s%s%sterminating with rc=%d "
666 ">>>>>>>>>>>>>>>>\n", (int)getpid(),
667 process ?
"(" : "", process
, process ?
") " : "", rc
);
674 /*************************************************
675 * Extract port from host address *
676 *************************************************/
678 /* Called to extract the port from the values given to -oMa and -oMi.
679 It also checks the syntax of the address, and terminates it before the
680 port data when a port is extracted.
683 address the address, with possible port on the end
685 Returns: the port, or zero if there isn't one
686 bombs out on a syntax error
690 check_port(uschar
*address
)
692 int port
= host_address_extract_port(address
);
693 if (string_is_ip_address(address
, NULL
) == 0)
695 fprintf(stderr
, "exim abandoned: \"%s\" is not an IP address\n", address
);
703 /*************************************************
704 * Test/verify an address *
705 *************************************************/
707 /* This function is called by the -bv and -bt code. It extracts a working
708 address from a full RFC 822 address. This isn't really necessary per se, but it
709 has the effect of collapsing source routes.
713 flags flag bits for verify_address()
714 exit_value to be set for failures
720 test_address(uschar
*s
, int flags
, int *exit_value
)
722 int start
, end
, domain
;
723 uschar
*parse_error
= NULL
;
724 uschar
*address
= parse_extract_address(s
, &parse_error
, &start
, &end
, &domain
,
728 fprintf(stdout
, "syntax error: %s\n", parse_error
);
733 int rc
= verify_address(deliver_make_addr(address
,TRUE
), stdout
, flags
, -1,
734 -1, -1, NULL
, NULL
, NULL
);
735 if (rc
== FAIL
) *exit_value
= 2;
736 else if (rc
== DEFER
&& *exit_value
== 0) *exit_value
= 1;
742 /*************************************************
743 * Show supported features *
744 *************************************************/
747 show_db_version(FILE * f
)
749 #ifdef DB_VERSION_STRING
752 fprintf(f
, "Library version: BDB: Compile: %s\n", DB_VERSION_STRING
);
753 fprintf(f
, " Runtime: %s\n",
754 db_version(NULL
, NULL
, NULL
));
757 fprintf(f
, "Berkeley DB: %s\n", DB_VERSION_STRING
);
759 #elif defined(BTREEVERSION) && defined(HASHVERSION)
761 fprintf(f
, "Probably Berkeley DB version 1.8x (native mode)\n");
763 fprintf(f
, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
766 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
767 fprintf(f
, "Probably ndbm\n");
768 #elif defined(USE_TDB)
769 fprintf(f
, "Using tdb\n");
772 fprintf(f
, "Probably GDBM (native mode)\n");
774 fprintf(f
, "Probably GDBM (compatibility mode)\n");
780 /* This function is called for -bV/--version and for -d to output the optional
781 features of the current Exim binary.
783 Arguments: a FILE for printing
788 show_whats_supported(FILE * f
)
792 DEBUG(D_any
) {} else show_db_version(f
);
794 fprintf(f
, "Support for:");
795 #ifdef SUPPORT_CRYPTEQ
796 fprintf(f
, " crypteq");
799 fprintf(f
, " iconv()");
804 #ifdef HAVE_SETCLASSRESOURCES
805 fprintf(f
, " use_setclassresources");
814 fprintf(f
, " Expand_dlfunc");
816 #ifdef USE_TCP_WRAPPERS
817 fprintf(f
, " TCPwrappers");
821 fprintf(f
, " GnuTLS");
823 fprintf(f
, " OpenSSL");
826 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
827 fprintf(f
, " translate_ip_address");
829 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
830 fprintf(f
, " move_frozen_messages");
832 #ifdef WITH_CONTENT_SCAN
833 fprintf(f
, " Content_Scanning");
838 #ifndef DISABLE_DNSSEC
839 fprintf(f
, " DNSSEC");
841 #ifndef DISABLE_EVENT
842 fprintf(f
, " Event");
854 fprintf(f
, " PROXY");
857 fprintf(f
, " SOCKS");
864 if (tcp_fastopen_ok
) fprintf(f
, " TCP_Fast_Open");
866 #ifdef EXPERIMENTAL_LMDB
867 fprintf(f
, " Experimental_LMDB");
869 #ifdef EXPERIMENTAL_QUEUEFILE
870 fprintf(f
, " Experimental_QUEUEFILE");
872 #ifdef EXPERIMENTAL_SRS
873 fprintf(f
, " Experimental_SRS");
875 #ifdef EXPERIMENTAL_BRIGHTMAIL
876 fprintf(f
, " Experimental_Brightmail");
878 #ifdef EXPERIMENTAL_DANE
879 fprintf(f
, " Experimental_DANE");
881 #ifdef EXPERIMENTAL_DCC
882 fprintf(f
, " Experimental_DCC");
884 #ifdef EXPERIMENTAL_DMARC
885 fprintf(f
, " Experimental_DMARC");
887 #ifdef EXPERIMENTAL_DSN_INFO
888 fprintf(f
, " Experimental_DSN_info");
892 fprintf(f
, "Lookups (built-in):");
893 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
894 fprintf(f
, " lsearch wildlsearch nwildlsearch iplsearch");
896 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
899 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
900 fprintf(f
, " dbm dbmjz dbmnz");
902 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
903 fprintf(f
, " dnsdb");
905 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
906 fprintf(f
, " dsearch");
908 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
909 fprintf(f
, " ibase");
911 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
912 fprintf(f
, " ldap ldapdn ldapm");
914 #ifdef EXPERIMENTAL_LMDB
917 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
918 fprintf(f
, " mysql");
920 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
921 fprintf(f
, " nis nis0");
923 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
924 fprintf(f
, " nisplus");
926 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
927 fprintf(f
, " oracle");
929 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
930 fprintf(f
, " passwd");
932 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
933 fprintf(f
, " pgsql");
935 #if defined(LOOKUP_REDIS) && LOOKUP_REDIS!=2
936 fprintf(f
, " redis");
938 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
939 fprintf(f
, " sqlite");
941 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
942 fprintf(f
, " testdb");
944 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
945 fprintf(f
, " whoson");
949 auth_show_supported(f
);
950 route_show_supported(f
);
951 transport_show_supported(f
);
953 #ifdef WITH_CONTENT_SCAN
954 malware_show_supported(f
);
957 if (fixed_never_users
[0] > 0)
960 fprintf(f
, "Fixed never_users: ");
961 for (i
= 1; i
<= (int)fixed_never_users
[0] - 1; i
++)
962 fprintf(f
, "%d:", (unsigned int)fixed_never_users
[i
]);
963 fprintf(f
, "%d\n", (unsigned int)fixed_never_users
[i
]);
966 fprintf(f
, "Configure owner: %d:%d\n", config_uid
, config_gid
);
968 fprintf(f
, "Size of off_t: " SIZE_T_FMT
"\n", sizeof(off_t
));
970 /* Everything else is details which are only worth reporting when debugging.
971 Perhaps the tls_version_report should move into this too. */
976 /* clang defines __GNUC__ (at least, for me) so test for it first */
977 #if defined(__clang__)
978 fprintf(f
, "Compiler: CLang [%s]\n", __clang_version__
);
979 #elif defined(__GNUC__)
980 fprintf(f
, "Compiler: GCC [%s]\n",
984 "? unknown version ?"
988 fprintf(f
, "Compiler: <unknown>\n");
991 #if defined(__GLIBC__) && !defined(__UCLIBC__)
992 fprintf(f
, "Library version: Glibc: Compile: %d.%d\n",
993 __GLIBC__
, __GLIBC_MINOR__
);
994 if (__GLIBC_PREREQ(2, 1))
995 fprintf(f
, " Runtime: %s\n",
996 gnu_get_libc_version());
1002 tls_version_report(f
);
1005 utf8_version_report(f
);
1008 for (authi
= auths_available
; *authi
->driver_name
!= '\0'; ++authi
)
1009 if (authi
->version_report
)
1010 (*authi
->version_report
)(f
);
1012 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
1013 characters; unless it's an ancient version of PCRE in which case it
1015 #ifndef PCRE_PRERELEASE
1016 # define PCRE_PRERELEASE
1019 #define EXPAND_AND_QUOTE(X) QUOTE(X)
1020 fprintf(f
, "Library version: PCRE: Compile: %d.%d%s\n"
1022 PCRE_MAJOR
, PCRE_MINOR
,
1023 EXPAND_AND_QUOTE(PCRE_PRERELEASE
) "",
1026 #undef EXPAND_AND_QUOTE
1029 for (i
= 0; i
< lookup_list_count
; i
++)
1030 if (lookup_list
[i
]->version_report
)
1031 lookup_list
[i
]->version_report(f
);
1033 #ifdef WHITELIST_D_MACROS
1034 fprintf(f
, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS
);
1036 fprintf(f
, "WHITELIST_D_MACROS unset\n");
1038 #ifdef TRUSTED_CONFIG_LIST
1039 fprintf(f
, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST
);
1041 fprintf(f
, "TRUSTED_CONFIG_LIST unset\n");
1048 /*************************************************
1049 * Show auxiliary information about Exim *
1050 *************************************************/
1053 show_exim_information(enum commandline_info request
, FILE *stream
)
1060 fprintf(stream
, "Oops, something went wrong.\n");
1064 "The -bI: flag takes a string indicating which information to provide.\n"
1065 "If the string is not recognised, you'll get this help (on stderr).\n"
1067 " exim -bI:help this information\n"
1068 " exim -bI:dscp list of known dscp value keywords\n"
1069 " exim -bI:sieve list of supported sieve extensions\n"
1073 for (pp
= exim_sieve_extension_list
; *pp
; ++pp
)
1074 fprintf(stream
, "%s\n", *pp
);
1077 dscp_list_to_stream(stream
);
1083 /*************************************************
1084 * Quote a local part *
1085 *************************************************/
1087 /* This function is used when a sender address or a From: or Sender: header
1088 line is being created from the caller's login, or from an authenticated_id. It
1089 applies appropriate quoting rules for a local part.
1091 Argument: the local part
1092 Returns: the local part, quoted if necessary
1096 local_part_quote(uschar
*lpart
)
1098 BOOL needs_quote
= FALSE
;
1102 for (t
= lpart
; !needs_quote
&& *t
!= 0; t
++)
1104 needs_quote
= !isalnum(*t
) && strchr("!#$%&'*+-/=?^_`{|}~", *t
) == NULL
&&
1105 (*t
!= '.' || t
== lpart
|| t
[1] == 0);
1108 if (!needs_quote
) return lpart
;
1110 g
= string_catn(NULL
, US
"\"", 1);
1114 uschar
*nq
= US
Ustrpbrk(lpart
, "\\\"");
1117 g
= string_cat(g
, lpart
);
1120 g
= string_catn(g
, lpart
, nq
- lpart
);
1121 g
= string_catn(g
, US
"\\", 1);
1122 g
= string_catn(g
, nq
, 1);
1126 g
= string_catn(g
, US
"\"", 1);
1127 return string_from_gstring(g
);
1133 /*************************************************
1134 * Load readline() functions *
1135 *************************************************/
1137 /* This function is called from testing executions that read data from stdin,
1138 but only when running as the calling user. Currently, only -be does this. The
1139 function loads the readline() function library and passes back the functions.
1140 On some systems, it needs the curses library, so load that too, but try without
1141 it if loading fails. All this functionality has to be requested at build time.
1144 fn_readline_ptr pointer to where to put the readline pointer
1145 fn_addhist_ptr pointer to where to put the addhistory function
1147 Returns: the dlopen handle or NULL on failure
1151 set_readline(char * (**fn_readline_ptr
)(const char *),
1152 void (**fn_addhist_ptr
)(const char *))
1155 void *dlhandle_curses
= dlopen("libcurses." DYNLIB_FN_EXT
, RTLD_GLOBAL
|RTLD_LAZY
);
1157 dlhandle
= dlopen("libreadline." DYNLIB_FN_EXT
, RTLD_GLOBAL
|RTLD_NOW
);
1158 if (dlhandle_curses
!= NULL
) dlclose(dlhandle_curses
);
1160 if (dlhandle
!= NULL
)
1162 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1163 * char * readline (const char *prompt);
1164 * void add_history (const char *string);
1166 *fn_readline_ptr
= (char *(*)(const char*))dlsym(dlhandle
, "readline");
1167 *fn_addhist_ptr
= (void(*)(const char*))dlsym(dlhandle
, "add_history");
1171 DEBUG(D_any
) debug_printf("failed to load readline: %s\n", dlerror());
1180 /*************************************************
1181 * Get a line from stdin for testing things *
1182 *************************************************/
1184 /* This function is called when running tests that can take a number of lines
1185 of input (for example, -be and -bt). It handles continuations and trailing
1186 spaces. And prompting and a blank line output on eof. If readline() is in use,
1187 the arguments are non-NULL and provide the relevant functions.
1190 fn_readline readline function or NULL
1191 fn_addhist addhist function or NULL
1193 Returns: pointer to dynamic memory, or NULL at end of file
1197 get_stdinput(char *(*fn_readline
)(const char *), void(*fn_addhist
)(const char *))
1202 if (!fn_readline
) { printf("> "); fflush(stdout
); }
1206 uschar buffer
[1024];
1210 char *readline_line
= NULL
;
1211 if (fn_readline
!= NULL
)
1213 if ((readline_line
= fn_readline((i
> 0)?
"":"> ")) == NULL
) break;
1214 if (*readline_line
!= 0 && fn_addhist
!= NULL
) fn_addhist(readline_line
);
1215 p
= US readline_line
;
1220 /* readline() not in use */
1223 if (Ufgets(buffer
, sizeof(buffer
), stdin
) == NULL
) break;
1227 /* Handle the line */
1229 ss
= p
+ (int)Ustrlen(p
);
1230 while (ss
> p
&& isspace(ss
[-1])) ss
--;
1234 while (p
< ss
&& isspace(*p
)) p
++; /* leading space after cont */
1237 g
= string_catn(g
, p
, ss
- p
);
1240 if (fn_readline
) free(readline_line
);
1243 /* g can only be NULL if ss==p */
1244 if (ss
== p
|| g
->s
[g
->ptr
-1] != '\\')
1248 (void) string_from_gstring(g
);
1251 if (!g
) printf("\n");
1252 return string_from_gstring(g
);
1257 /*************************************************
1258 * Output usage information for the program *
1259 *************************************************/
1261 /* This function is called when there are no recipients
1262 or a specific --help argument was added.
1265 progname information on what name we were called by
1267 Returns: DOES NOT RETURN
1271 exim_usage(uschar
*progname
)
1274 /* Handle specific program invocation variants */
1275 if (Ustrcmp(progname
, US
"-mailq") == 0)
1278 "mailq - list the contents of the mail queue\n\n"
1279 "For a list of options, see the Exim documentation.\n");
1283 /* Generic usage - we output this whatever happens */
1285 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1286 "not directly from a shell command line. Options and/or arguments control\n"
1287 "what it does when called. For a list of options, see the Exim documentation.\n");
1294 /*************************************************
1295 * Validate that the macros given are okay *
1296 *************************************************/
1298 /* Typically, Exim will drop privileges if macros are supplied. In some
1299 cases, we want to not do so.
1301 Arguments: opt_D_used - true if the commandline had a "-D" option
1302 Returns: true if trusted, false otherwise
1306 macros_trusted(BOOL opt_D_used
)
1308 #ifdef WHITELIST_D_MACROS
1310 uschar
*whitelisted
, *end
, *p
, **whites
, **w
;
1311 int white_count
, i
, n
;
1313 BOOL prev_char_item
, found
;
1318 #ifndef WHITELIST_D_MACROS
1322 /* We only trust -D overrides for some invoking users:
1323 root, the exim run-time user, the optional config owner user.
1324 I don't know why config-owner would be needed, but since they can own the
1325 config files anyway, there's no security risk to letting them override -D. */
1326 if ( ! ((real_uid
== root_uid
)
1327 || (real_uid
== exim_uid
)
1328 #ifdef CONFIGURE_OWNER
1329 || (real_uid
== config_uid
)
1333 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid
);
1337 /* Get a list of macros which are whitelisted */
1338 whitelisted
= string_copy_malloc(US WHITELIST_D_MACROS
);
1339 prev_char_item
= FALSE
;
1341 for (p
= whitelisted
; *p
!= '\0'; ++p
)
1343 if (*p
== ':' || isspace(*p
))
1348 prev_char_item
= FALSE
;
1351 if (!prev_char_item
)
1352 prev_char_item
= TRUE
;
1359 whites
= store_malloc(sizeof(uschar
*) * (white_count
+1));
1360 for (p
= whitelisted
, i
= 0; (p
!= end
) && (i
< white_count
); ++p
)
1365 if (i
== white_count
)
1367 while (*p
!= '\0' && p
< end
)
1373 /* The list of commandline macros should be very short.
1374 Accept the N*M complexity. */
1375 for (m
= macros_user
; m
; m
= m
->next
) if (m
->command_line
)
1378 for (w
= whites
; *w
; ++w
)
1379 if (Ustrcmp(*w
, m
->name
) == 0)
1386 if (!m
->replacement
)
1388 if ((len
= m
->replen
) == 0)
1390 n
= pcre_exec(regex_whitelisted_macro
, NULL
, CS m
->replacement
, len
,
1391 0, PCRE_EOPT
, NULL
, 0);
1394 if (n
!= PCRE_ERROR_NOMATCH
)
1395 debug_printf("macros_trusted checking %s returned %d\n", m
->name
, n
);
1399 DEBUG(D_any
) debug_printf("macros_trusted overridden to true by whitelisting\n");
1405 /*************************************************
1406 * Expansion testing *
1407 *************************************************/
1409 /* Expand and print one item, doing macro-processing.
1412 item line for expansion
1416 expansion_test_line(uschar
* line
)
1421 Ustrncpy(big_buffer
, line
, big_buffer_size
);
1422 big_buffer
[big_buffer_size
-1] = '\0';
1423 len
= Ustrlen(big_buffer
);
1425 (void) macros_expand(0, &len
, &dummy_macexp
);
1427 if (isupper(big_buffer
[0]))
1429 if (macro_read_assignment(big_buffer
))
1430 printf("Defined macro '%s'\n", mlast
->name
);
1433 if ((line
= expand_string(big_buffer
))) printf("%s\n", CS line
);
1434 else printf("Failed: %s\n", expand_string_message
);
1438 /*************************************************
1439 * Entry point and high-level code *
1440 *************************************************/
1442 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1443 the appropriate action. All the necessary functions are present in the one
1444 binary. I originally thought one should split it up, but it turns out that so
1445 much of the apparatus is needed in each chunk that one might as well just have
1446 it all available all the time, which then makes the coding easier as well.
1449 argc count of entries in argv
1450 argv argument strings, with argv[0] being the program name
1452 Returns: EXIT_SUCCESS if terminated successfully
1453 EXIT_FAILURE otherwise, except when a message has been sent
1454 to the sender, and -oee was given
1458 main(int argc
, char **cargv
)
1460 uschar
**argv
= USS cargv
;
1461 int arg_receive_timeout
= -1;
1462 int arg_smtp_receive_timeout
= -1;
1463 int arg_error_handling
= error_handling
;
1464 int filter_sfd
= -1;
1465 int filter_ufd
= -1;
1468 int list_queue_option
= 0;
1470 int msg_action_arg
= -1;
1471 int namelen
= (argv
[0] == NULL
)?
0 : Ustrlen(argv
[0]);
1472 int queue_only_reason
= 0;
1474 int perl_start_option
= 0;
1476 int recipients_arg
= argc
;
1477 int sender_address_domain
= 0;
1478 int test_retry_arg
= -1;
1479 int test_rewrite_arg
= -1;
1480 BOOL arg_queue_only
= FALSE
;
1481 BOOL bi_option
= FALSE
;
1482 BOOL checking
= FALSE
;
1483 BOOL count_queue
= FALSE
;
1484 BOOL expansion_test
= FALSE
;
1485 BOOL extract_recipients
= FALSE
;
1486 BOOL flag_G
= FALSE
;
1487 BOOL flag_n
= FALSE
;
1488 BOOL forced_delivery
= FALSE
;
1489 BOOL f_end_dot
= FALSE
;
1490 BOOL deliver_give_up
= FALSE
;
1491 BOOL list_queue
= FALSE
;
1492 BOOL list_options
= FALSE
;
1493 BOOL list_config
= FALSE
;
1494 BOOL local_queue_only
;
1496 BOOL one_msg_action
= FALSE
;
1497 BOOL opt_D_used
= FALSE
;
1498 BOOL queue_only_set
= FALSE
;
1499 BOOL receiving_message
= TRUE
;
1500 BOOL sender_ident_set
= FALSE
;
1501 BOOL session_local_queue_only
;
1503 BOOL removed_privilege
= FALSE
;
1504 BOOL usage_wanted
= FALSE
;
1505 BOOL verify_address_mode
= FALSE
;
1506 BOOL verify_as_sender
= FALSE
;
1507 BOOL version_printed
= FALSE
;
1508 uschar
*alias_arg
= NULL
;
1509 uschar
*called_as
= US
"";
1510 uschar
*cmdline_syslog_name
= NULL
;
1511 uschar
*start_queue_run_id
= NULL
;
1512 uschar
*stop_queue_run_id
= NULL
;
1513 uschar
*expansion_test_message
= NULL
;
1514 uschar
*ftest_domain
= NULL
;
1515 uschar
*ftest_localpart
= NULL
;
1516 uschar
*ftest_prefix
= NULL
;
1517 uschar
*ftest_suffix
= NULL
;
1518 uschar
*log_oneline
= NULL
;
1519 uschar
*malware_test_file
= NULL
;
1520 uschar
*real_sender_address
;
1521 uschar
*originator_home
= US
"/";
1526 struct stat statbuf
;
1527 pid_t passed_qr_pid
= (pid_t
)0;
1528 int passed_qr_pipe
= -1;
1529 gid_t group_list
[NGROUPS_MAX
];
1531 /* For the -bI: flag */
1532 enum commandline_info info_flag
= CMDINFO_NONE
;
1533 BOOL info_stdout
= FALSE
;
1535 /* Possible options for -R and -S */
1537 static uschar
*rsopts
[] = { US
"f", US
"ff", US
"r", US
"rf", US
"rff" };
1539 /* Need to define this in case we need to change the environment in order
1540 to get rid of a bogus time zone. We have to make it char rather than uschar
1541 because some OS define it in /usr/include/unistd.h. */
1543 extern char **environ
;
1545 /* If the Exim user and/or group and/or the configuration file owner/group were
1546 defined by ref:name at build time, we must now find the actual uid/gid values.
1547 This is a feature to make the lives of binary distributors easier. */
1549 #ifdef EXIM_USERNAME
1550 if (route_finduser(US EXIM_USERNAME
, &pw
, &exim_uid
))
1554 fprintf(stderr
, "exim: refusing to run with uid 0 for \"%s\"\n",
1558 /* If ref:name uses a number as the name, route_finduser() returns
1559 TRUE with exim_uid set and pw coerced to NULL. */
1561 exim_gid
= pw
->pw_gid
;
1562 #ifndef EXIM_GROUPNAME
1566 "exim: ref:name should specify a usercode, not a group.\n"
1567 "exim: can't let you get away with it unless you also specify a group.\n");
1574 fprintf(stderr
, "exim: failed to find uid for user name \"%s\"\n",
1580 #ifdef EXIM_GROUPNAME
1581 if (!route_findgroup(US EXIM_GROUPNAME
, &exim_gid
))
1583 fprintf(stderr
, "exim: failed to find gid for group name \"%s\"\n",
1589 #ifdef CONFIGURE_OWNERNAME
1590 if (!route_finduser(US CONFIGURE_OWNERNAME
, NULL
, &config_uid
))
1592 fprintf(stderr
, "exim: failed to find uid for user name \"%s\"\n",
1593 CONFIGURE_OWNERNAME
);
1598 /* We default the system_filter_user to be the Exim run-time user, as a
1599 sane non-root value. */
1600 system_filter_uid
= exim_uid
;
1602 #ifdef CONFIGURE_GROUPNAME
1603 if (!route_findgroup(US CONFIGURE_GROUPNAME
, &config_gid
))
1605 fprintf(stderr
, "exim: failed to find gid for group name \"%s\"\n",
1606 CONFIGURE_GROUPNAME
);
1611 /* In the Cygwin environment, some initialization used to need doing.
1612 It was fudged in by means of this macro; now no longer but we'll leave
1613 it in case of others. */
1619 /* Check a field which is patched when we are running Exim within its
1620 testing harness; do a fast initial check, and then the whole thing. */
1622 running_in_test_harness
=
1623 *running_status
== '<' && Ustrcmp(running_status
, "<<<testing>>>") == 0;
1625 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1626 at the start of a program; however, it seems that some environments do not
1627 follow this. A "strange" locale can affect the formatting of timestamps, so we
1630 setlocale(LC_ALL
, "C");
1632 /* Set up the default handler for timing using alarm(). */
1634 os_non_restarting_signal(SIGALRM
, sigalrm_handler
);
1636 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1637 because store_malloc writes a log entry on failure. */
1639 if (!(log_buffer
= US
malloc(LOG_BUFFER_SIZE
)))
1641 fprintf(stderr
, "exim: failed to get store for log buffer\n");
1645 /* Initialize the default log options. */
1647 bits_set(log_selector
, log_selector_size
, log_default
);
1649 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1650 NULL when the daemon is run and the file is closed. We have to use this
1651 indirection, because some systems don't allow writing to the variable "stderr".
1654 if (fstat(fileno(stderr
), &statbuf
) >= 0) log_stderr
= stderr
;
1656 /* Arrange for the PCRE regex library to use our store functions. Note that
1657 the normal calls are actually macros that add additional arguments for
1658 debugging purposes so we have to assign specially constructed functions here.
1659 The default is to use store in the stacking pool, but this is overridden in the
1660 regex_must_compile() function. */
1662 pcre_malloc
= function_store_get
;
1663 pcre_free
= function_dummy_free
;
1665 /* Ensure there is a big buffer for temporary use in several places. It is put
1666 in malloc store so that it can be freed for enlargement if necessary. */
1668 big_buffer
= store_malloc(big_buffer_size
);
1670 /* Set up the handler for the data request signal, and set the initial
1671 descriptive text. */
1673 set_process_info("initializing");
1674 os_restarting_signal(SIGUSR1
, usr1_handler
);
1676 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1677 in the daemon code. For the rest of Exim's uses, we ignore it. */
1679 signal(SIGHUP
, SIG_IGN
);
1681 /* We don't want to die on pipe errors as the code is written to handle
1682 the write error instead. */
1684 signal(SIGPIPE
, SIG_IGN
);
1686 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1687 set to SIG_IGN. This causes subprocesses that complete before the parent
1688 process waits for them not to hang around, so when Exim calls wait(), nothing
1689 is there. The wait() code has been made robust against this, but let's ensure
1690 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1691 ending status. We use sigaction rather than plain signal() on those OS where
1692 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1693 problem on AIX with this.) */
1697 struct sigaction act
;
1698 act
.sa_handler
= SIG_DFL
;
1699 sigemptyset(&(act
.sa_mask
));
1701 sigaction(SIGCHLD
, &act
, NULL
);
1704 signal(SIGCHLD
, SIG_DFL
);
1707 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1712 /* Set up the version number. Set up the leading 'E' for the external form of
1713 message ids, set the pointer to the internal form, and initialize it to
1714 indicate no message being processed. */
1717 message_id_option
[0] = '-';
1718 message_id_external
= message_id_option
+ 1;
1719 message_id_external
[0] = 'E';
1720 message_id
= message_id_external
+ 1;
1723 /* Set the umask to zero so that any files Exim creates using open() are
1724 created with the modes that it specifies. NOTE: Files created with fopen() have
1725 a problem, which was not recognized till rather late (February 2006). With this
1726 umask, such files will be world writeable. (They are all content scanning files
1727 in the spool directory, which isn't world-accessible, so this is not a
1728 disaster, but it's untidy.) I don't want to change this overall setting,
1729 however, because it will interact badly with the open() calls. Instead, there's
1730 now a function called modefopen() that fiddles with the umask while calling
1735 /* Precompile the regular expression for matching a message id. Keep this in
1736 step with the code that generates ids in the accept.c module. We need to do
1737 this here, because the -M options check their arguments for syntactic validity
1738 using mac_ismsgid, which uses this. */
1741 regex_must_compile(US
"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE
, TRUE
);
1743 /* Precompile the regular expression that is used for matching an SMTP error
1744 code, possibly extended, at the start of an error message. Note that the
1745 terminating whitespace character is included. */
1748 regex_must_compile(US
"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1751 #ifdef WHITELIST_D_MACROS
1752 /* Precompile the regular expression used to filter the content of macros
1753 given to -D for permissibility. */
1755 regex_whitelisted_macro
=
1756 regex_must_compile(US
"^[A-Za-z0-9_/.-]*$", FALSE
, TRUE
);
1759 for (i
= 0; i
< REGEX_VARS
; i
++) regex_vars
[i
] = NULL
;
1761 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1762 this seems to be a generally accepted convention, since one finds symbolic
1763 links called "mailq" in standard OS configurations. */
1765 if ((namelen
== 5 && Ustrcmp(argv
[0], "mailq") == 0) ||
1766 (namelen
> 5 && Ustrncmp(argv
[0] + namelen
- 6, "/mailq", 6) == 0))
1769 receiving_message
= FALSE
;
1770 called_as
= US
"-mailq";
1773 /* If the program is called as "rmail" treat it as equivalent to
1774 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1775 i.e. preventing a single dot on a line from terminating the message, and
1776 returning with zero return code, even in cases of error (provided an error
1777 message has been sent). */
1779 if ((namelen
== 5 && Ustrcmp(argv
[0], "rmail") == 0) ||
1780 (namelen
> 5 && Ustrncmp(argv
[0] + namelen
- 6, "/rmail", 6) == 0))
1783 called_as
= US
"-rmail";
1784 errors_sender_rc
= EXIT_SUCCESS
;
1787 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1788 this is a smail convention. */
1790 if ((namelen
== 5 && Ustrcmp(argv
[0], "rsmtp") == 0) ||
1791 (namelen
> 5 && Ustrncmp(argv
[0] + namelen
- 6, "/rsmtp", 6) == 0))
1793 smtp_input
= smtp_batched_input
= TRUE
;
1794 called_as
= US
"-rsmtp";
1797 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1798 this is a smail convention. */
1800 if ((namelen
== 4 && Ustrcmp(argv
[0], "runq") == 0) ||
1801 (namelen
> 4 && Ustrncmp(argv
[0] + namelen
- 5, "/runq", 5) == 0))
1804 receiving_message
= FALSE
;
1805 called_as
= US
"-runq";
1808 /* If the program is called as "newaliases" treat it as equivalent to
1809 "exim -bi"; this is a sendmail convention. */
1811 if ((namelen
== 10 && Ustrcmp(argv
[0], "newaliases") == 0) ||
1812 (namelen
> 10 && Ustrncmp(argv
[0] + namelen
- 11, "/newaliases", 11) == 0))
1815 receiving_message
= FALSE
;
1816 called_as
= US
"-newaliases";
1819 /* Save the original effective uid for a couple of uses later. It should
1820 normally be root, but in some esoteric environments it may not be. */
1822 original_euid
= geteuid();
1824 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1825 to be the same as the real ones. This makes a difference only if Exim is setuid
1826 (or setgid) to something other than root, which could be the case in some
1827 special configurations. */
1829 real_uid
= getuid();
1830 real_gid
= getgid();
1832 if (real_uid
== root_uid
)
1834 rv
= setgid(real_gid
);
1837 fprintf(stderr
, "exim: setgid(%ld) failed: %s\n",
1838 (long int)real_gid
, strerror(errno
));
1841 rv
= setuid(real_uid
);
1844 fprintf(stderr
, "exim: setuid(%ld) failed: %s\n",
1845 (long int)real_uid
, strerror(errno
));
1850 /* If neither the original real uid nor the original euid was root, Exim is
1851 running in an unprivileged state. */
1853 unprivileged
= (real_uid
!= root_uid
&& original_euid
!= root_uid
);
1855 /* Scan the program's arguments. Some can be dealt with right away; others are
1856 simply recorded for checking and handling afterwards. Do a high-level switch
1857 on the second character (the one after '-'), to save some effort. */
1859 for (i
= 1; i
< argc
; i
++)
1861 BOOL badarg
= FALSE
;
1862 uschar
*arg
= argv
[i
];
1866 /* An argument not starting with '-' is the start of a recipients list;
1867 break out of the options-scanning loop. */
1875 /* An option consisting of -- terminates the options */
1877 if (Ustrcmp(arg
, "--") == 0)
1879 recipients_arg
= i
+ 1;
1883 /* Handle flagged options */
1885 switchchar
= arg
[1];
1888 /* Make all -ex options synonymous with -oex arguments, since that
1889 is assumed by various callers. Also make -qR options synonymous with -R
1890 options, as that seems to be required as well. Allow for -qqR too, and
1891 the same for -S options. */
1893 if (Ustrncmp(arg
+1, "oe", 2) == 0 ||
1894 Ustrncmp(arg
+1, "qR", 2) == 0 ||
1895 Ustrncmp(arg
+1, "qS", 2) == 0)
1897 switchchar
= arg
[2];
1900 else if (Ustrncmp(arg
+1, "qqR", 3) == 0 || Ustrncmp(arg
+1, "qqS", 3) == 0)
1902 switchchar
= arg
[3];
1904 queue_2stage
= TRUE
;
1907 /* Make -r synonymous with -f, since it is a documented alias */
1909 else if (arg
[1] == 'r') switchchar
= 'f';
1911 /* Make -ov synonymous with -v */
1913 else if (Ustrcmp(arg
, "-ov") == 0)
1919 /* deal with --option_aliases */
1920 else if (switchchar
== '-')
1922 if (Ustrcmp(argrest
, "help") == 0)
1924 usage_wanted
= TRUE
;
1927 else if (Ustrcmp(argrest
, "version") == 0)
1934 /* High-level switch on active initial letter */
1939 /* sendmail uses -Ac and -Am to control which .cf file is used;
1942 if (*argrest
== '\0') { badarg
= TRUE
; break; }
1945 BOOL ignore
= FALSE
;
1950 if (*(argrest
+ 1) == '\0')
1954 if (!ignore
) { badarg
= TRUE
; break; }
1958 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1959 so has no need of it. */
1962 if (*argrest
== 0) i
++; /* Skip over the type */
1967 receiving_message
= FALSE
; /* Reset TRUE for -bm, -bS, -bs below */
1969 /* -bd: Run in daemon mode, awaiting SMTP connections.
1970 -bdf: Ditto, but in the foreground.
1973 if (*argrest
== 'd')
1975 daemon_listen
= TRUE
;
1976 if (*(++argrest
) == 'f') background_daemon
= FALSE
;
1977 else if (*argrest
!= 0) { badarg
= TRUE
; break; }
1980 /* -be: Run in expansion test mode
1981 -bem: Ditto, but read a message from a file first
1984 else if (*argrest
== 'e')
1986 expansion_test
= checking
= TRUE
;
1987 if (argrest
[1] == 'm')
1989 if (++i
>= argc
) { badarg
= TRUE
; break; }
1990 expansion_test_message
= argv
[i
];
1993 if (argrest
[1] != 0) { badarg
= TRUE
; break; }
1996 /* -bF: Run system filter test */
1998 else if (*argrest
== 'F')
2000 filter_test
|= checking
= FTEST_SYSTEM
;
2001 if (*(++argrest
) != 0) { badarg
= TRUE
; break; }
2002 if (++i
< argc
) filter_test_sfile
= argv
[i
]; else
2004 fprintf(stderr
, "exim: file name expected after %s\n", argv
[i
-1]);
2009 /* -bf: Run user filter test
2010 -bfd: Set domain for filter testing
2011 -bfl: Set local part for filter testing
2012 -bfp: Set prefix for filter testing
2013 -bfs: Set suffix for filter testing
2016 else if (*argrest
== 'f')
2018 if (*(++argrest
) == 0)
2020 filter_test
|= checking
= FTEST_USER
;
2021 if (++i
< argc
) filter_test_ufile
= argv
[i
]; else
2023 fprintf(stderr
, "exim: file name expected after %s\n", argv
[i
-1]);
2031 fprintf(stderr
, "exim: string expected after %s\n", arg
);
2034 if (Ustrcmp(argrest
, "d") == 0) ftest_domain
= argv
[i
];
2035 else if (Ustrcmp(argrest
, "l") == 0) ftest_localpart
= argv
[i
];
2036 else if (Ustrcmp(argrest
, "p") == 0) ftest_prefix
= argv
[i
];
2037 else if (Ustrcmp(argrest
, "s") == 0) ftest_suffix
= argv
[i
];
2038 else { badarg
= TRUE
; break; }
2042 /* -bh: Host checking - an IP address must follow. */
2044 else if (Ustrcmp(argrest
, "h") == 0 || Ustrcmp(argrest
, "hc") == 0)
2046 if (++i
>= argc
) { badarg
= TRUE
; break; }
2047 sender_host_address
= argv
[i
];
2048 host_checking
= checking
= log_testing_mode
= TRUE
;
2049 host_checking_callout
= argrest
[1] == 'c';
2050 message_logs
= FALSE
;
2053 /* -bi: This option is used by sendmail to initialize *the* alias file,
2054 though it has the -oA option to specify a different file. Exim has no
2055 concept of *the* alias file, but since Sun's YP make script calls
2056 sendmail this way, some support must be provided. */
2058 else if (Ustrcmp(argrest
, "i") == 0) bi_option
= TRUE
;
2060 /* -bI: provide information, of the type to follow after a colon.
2061 This is an Exim flag. */
2063 else if (argrest
[0] == 'I' && Ustrlen(argrest
) >= 2 && argrest
[1] == ':')
2065 uschar
*p
= &argrest
[2];
2066 info_flag
= CMDINFO_HELP
;
2069 if (strcmpic(p
, CUS
"sieve") == 0)
2071 info_flag
= CMDINFO_SIEVE
;
2074 else if (strcmpic(p
, CUS
"dscp") == 0)
2076 info_flag
= CMDINFO_DSCP
;
2079 else if (strcmpic(p
, CUS
"help") == 0)
2086 /* -bm: Accept and deliver message - the default option. Reinstate
2087 receiving_message, which got turned off for all -b options. */
2089 else if (Ustrcmp(argrest
, "m") == 0) receiving_message
= TRUE
;
2091 /* -bmalware: test the filename given for malware */
2093 else if (Ustrcmp(argrest
, "malware") == 0)
2095 if (++i
>= argc
) { badarg
= TRUE
; break; }
2097 malware_test_file
= argv
[i
];
2100 /* -bnq: For locally originating messages, do not qualify unqualified
2101 addresses. In the envelope, this causes errors; in header lines they
2104 else if (Ustrcmp(argrest
, "nq") == 0)
2106 allow_unqualified_sender
= FALSE
;
2107 allow_unqualified_recipient
= FALSE
;
2110 /* -bpxx: List the contents of the mail queue, in various forms. If
2111 the option is -bpc, just a queue count is needed. Otherwise, if the
2112 first letter after p is r, then order is random. */
2114 else if (*argrest
== 'p')
2116 if (*(++argrest
) == 'c')
2119 if (*(++argrest
) != 0) badarg
= TRUE
;
2123 if (*argrest
== 'r')
2125 list_queue_option
= 8;
2128 else list_queue_option
= 0;
2132 /* -bp: List the contents of the mail queue, top-level only */
2134 if (*argrest
== 0) {}
2136 /* -bpu: List the contents of the mail queue, top-level undelivered */
2138 else if (Ustrcmp(argrest
, "u") == 0) list_queue_option
+= 1;
2140 /* -bpa: List the contents of the mail queue, including all delivered */
2142 else if (Ustrcmp(argrest
, "a") == 0) list_queue_option
+= 2;
2144 /* Unknown after -bp[r] */
2154 /* -bP: List the configuration variables given as the address list.
2155 Force -v, so configuration errors get displayed. */
2157 else if (Ustrcmp(argrest
, "P") == 0)
2159 /* -bP config: we need to setup here, because later,
2160 * when list_options is checked, the config is read already */
2161 if (argv
[i
+1] && Ustrcmp(argv
[i
+1], "config") == 0)
2164 readconf_save_config(version_string
);
2168 list_options
= TRUE
;
2169 debug_selector
|= D_v
;
2170 debug_file
= stderr
;
2174 /* -brt: Test retry configuration lookup */
2176 else if (Ustrcmp(argrest
, "rt") == 0)
2179 test_retry_arg
= i
+ 1;
2183 /* -brw: Test rewrite configuration */
2185 else if (Ustrcmp(argrest
, "rw") == 0)
2188 test_rewrite_arg
= i
+ 1;
2192 /* -bS: Read SMTP commands on standard input, but produce no replies -
2193 all errors are reported by sending messages. */
2195 else if (Ustrcmp(argrest
, "S") == 0)
2196 smtp_input
= smtp_batched_input
= receiving_message
= TRUE
;
2198 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2199 on standard output. */
2201 else if (Ustrcmp(argrest
, "s") == 0) smtp_input
= receiving_message
= TRUE
;
2203 /* -bt: address testing mode */
2205 else if (Ustrcmp(argrest
, "t") == 0)
2206 address_test_mode
= checking
= log_testing_mode
= TRUE
;
2208 /* -bv: verify addresses */
2210 else if (Ustrcmp(argrest
, "v") == 0)
2211 verify_address_mode
= checking
= log_testing_mode
= TRUE
;
2213 /* -bvs: verify sender addresses */
2215 else if (Ustrcmp(argrest
, "vs") == 0)
2217 verify_address_mode
= checking
= log_testing_mode
= TRUE
;
2218 verify_as_sender
= TRUE
;
2221 /* -bV: Print version string and support details */
2223 else if (Ustrcmp(argrest
, "V") == 0)
2225 printf("Exim version %s #%s built %s\n", version_string
,
2226 version_cnumber
, version_date
);
2227 printf("%s\n", CS version_copyright
);
2228 version_printed
= TRUE
;
2229 show_whats_supported(stdout
);
2230 log_testing_mode
= TRUE
;
2233 /* -bw: inetd wait mode, accept a listening socket as stdin */
2235 else if (*argrest
== 'w')
2237 inetd_wait_mode
= TRUE
;
2238 background_daemon
= FALSE
;
2239 daemon_listen
= TRUE
;
2240 if (*(++argrest
) != '\0')
2242 inetd_wait_timeout
= readconf_readtime(argrest
, 0, FALSE
);
2243 if (inetd_wait_timeout
<= 0)
2245 fprintf(stderr
, "exim: bad time value %s: abandoned\n", argv
[i
]);
2255 /* -C: change configuration file list; ignore if it isn't really
2256 a change! Enforce a prefix check if required. */
2261 if(++i
< argc
) argrest
= argv
[i
]; else
2262 { badarg
= TRUE
; break; }
2264 if (Ustrcmp(config_main_filelist
, argrest
) != 0)
2266 #ifdef ALT_CONFIG_PREFIX
2268 int len
= Ustrlen(ALT_CONFIG_PREFIX
);
2269 const uschar
*list
= argrest
;
2271 while((filename
= string_nextinlist(&list
, &sep
, big_buffer
,
2272 big_buffer_size
)) != NULL
)
2274 if ((Ustrlen(filename
) < len
||
2275 Ustrncmp(filename
, ALT_CONFIG_PREFIX
, len
) != 0 ||
2276 Ustrstr(filename
, "/../") != NULL
) &&
2277 (Ustrcmp(filename
, "/dev/null") != 0 || real_uid
!= root_uid
))
2279 fprintf(stderr
, "-C Permission denied\n");
2284 if (real_uid
!= root_uid
)
2286 #ifdef TRUSTED_CONFIG_LIST
2288 if (real_uid
!= exim_uid
2289 #ifdef CONFIGURE_OWNER
2290 && real_uid
!= config_uid
2293 trusted_config
= FALSE
;
2296 FILE *trust_list
= Ufopen(TRUSTED_CONFIG_LIST
, "rb");
2299 struct stat statbuf
;
2301 if (fstat(fileno(trust_list
), &statbuf
) != 0 ||
2302 (statbuf
.st_uid
!= root_uid
/* owner not root */
2303 #ifdef CONFIGURE_OWNER
2304 && statbuf
.st_uid
!= config_uid
/* owner not the special one */
2307 (statbuf
.st_gid
!= root_gid
/* group not root */
2308 #ifdef CONFIGURE_GROUP
2309 && statbuf
.st_gid
!= config_gid
/* group not the special one */
2311 && (statbuf
.st_mode
& 020) != 0 /* group writeable */
2313 (statbuf
.st_mode
& 2) != 0) /* world writeable */
2315 trusted_config
= FALSE
;
2320 /* Well, the trust list at least is up to scratch... */
2321 void *reset_point
= store_get(0);
2322 uschar
*trusted_configs
[32];
2326 while (Ufgets(big_buffer
, big_buffer_size
, trust_list
))
2328 uschar
*start
= big_buffer
, *nl
;
2329 while (*start
&& isspace(*start
))
2333 nl
= Ustrchr(start
, '\n');
2336 trusted_configs
[nr_configs
++] = string_copy(start
);
2337 if (nr_configs
== 32)
2345 const uschar
*list
= argrest
;
2347 while (trusted_config
&& (filename
= string_nextinlist(&list
,
2348 &sep
, big_buffer
, big_buffer_size
)) != NULL
)
2350 for (i
=0; i
< nr_configs
; i
++)
2352 if (Ustrcmp(filename
, trusted_configs
[i
]) == 0)
2355 if (i
== nr_configs
)
2357 trusted_config
= FALSE
;
2361 store_reset(reset_point
);
2365 /* No valid prefixes found in trust_list file. */
2366 trusted_config
= FALSE
;
2372 /* Could not open trust_list file. */
2373 trusted_config
= FALSE
;
2377 /* Not root; don't trust config */
2378 trusted_config
= FALSE
;
2382 config_main_filelist
= argrest
;
2383 config_changed
= TRUE
;
2388 /* -D: set up a macro definition */
2391 #ifdef DISABLE_D_OPTION
2392 fprintf(stderr
, "exim: -D is not available in this Exim binary\n");
2399 uschar
*s
= argrest
;
2402 while (isspace(*s
)) s
++;
2404 if (*s
< 'A' || *s
> 'Z')
2406 fprintf(stderr
, "exim: macro name set by -D must start with "
2407 "an upper case letter\n");
2411 while (isalnum(*s
) || *s
== '_')
2413 if (ptr
< sizeof(name
)-1) name
[ptr
++] = *s
;
2417 if (ptr
== 0) { badarg
= TRUE
; break; }
2418 while (isspace(*s
)) s
++;
2421 if (*s
++ != '=') { badarg
= TRUE
; break; }
2422 while (isspace(*s
)) s
++;
2425 for (m
= macros_user
; m
; m
= m
->next
)
2426 if (Ustrcmp(m
->name
, name
) == 0)
2428 fprintf(stderr
, "exim: duplicated -D in command line\n");
2432 m
= macro_create(name
, s
, TRUE
);
2434 if (clmacro_count
>= MAX_CLMACROS
)
2436 fprintf(stderr
, "exim: too many -D options on command line\n");
2439 clmacros
[clmacro_count
++] = string_sprintf("-D%s=%s", m
->name
,
2445 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2446 The latter is now a no-op, retained for compatibility only. If -dd is used,
2447 debugging subprocesses of the daemon is disabled. */
2450 if (Ustrcmp(argrest
, "ropcr") == 0)
2452 /* drop_cr = TRUE; */
2455 /* Use an intermediate variable so that we don't set debugging while
2456 decoding the debugging bits. */
2460 unsigned int selector
= D_default
;
2463 if (*argrest
== 'd')
2465 debug_daemon
= TRUE
;
2469 decode_bits(&selector
, 1, debug_notall
, argrest
,
2470 debug_options
, debug_options_count
, US
"debug", 0);
2471 debug_selector
= selector
;
2476 /* -E: This is a local error message. This option is not intended for
2477 external use at all, but is not restricted to trusted callers because it
2478 does no harm (just suppresses certain error messages) and if Exim is run
2479 not setuid root it won't always be trusted when it generates error
2480 messages using this option. If there is a message id following -E, point
2481 message_reference at it, for logging. */
2484 local_error_message
= TRUE
;
2485 if (mac_ismsgid(argrest
)) message_reference
= argrest
;
2489 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2490 option, so it looks as if historically the -oex options are also callable
2491 without the leading -o. So we have to accept them. Before the switch,
2492 anything starting -oe has been converted to -e. Exim does not support all
2493 of the sendmail error options. */
2496 if (Ustrcmp(argrest
, "e") == 0)
2498 arg_error_handling
= ERRORS_SENDER
;
2499 errors_sender_rc
= EXIT_SUCCESS
;
2501 else if (Ustrcmp(argrest
, "m") == 0) arg_error_handling
= ERRORS_SENDER
;
2502 else if (Ustrcmp(argrest
, "p") == 0) arg_error_handling
= ERRORS_STDERR
;
2503 else if (Ustrcmp(argrest
, "q") == 0) arg_error_handling
= ERRORS_STDERR
;
2504 else if (Ustrcmp(argrest
, "w") == 0) arg_error_handling
= ERRORS_SENDER
;
2509 /* -F: Set sender's full name, used instead of the gecos entry from
2510 the password file. Since users can usually alter their gecos entries,
2511 there's no security involved in using this instead. The data can follow
2512 the -F or be in the next argument. */
2517 if(++i
< argc
) argrest
= argv
[i
]; else
2518 { badarg
= TRUE
; break; }
2520 originator_name
= argrest
;
2521 sender_name_forced
= TRUE
;
2525 /* -f: Set sender's address - this value is only actually used if Exim is
2526 run by a trusted user, or if untrusted_set_sender is set and matches the
2527 address, except that the null address can always be set by any user. The
2528 test for this happens later, when the value given here is ignored when not
2529 permitted. For an untrusted user, the actual sender is still put in Sender:
2530 if it doesn't match the From: header (unless no_local_from_check is set).
2531 The data can follow the -f or be in the next argument. The -r switch is an
2532 obsolete form of -f but since there appear to be programs out there that
2533 use anything that sendmail has ever supported, better accept it - the
2534 synonymizing is done before the switch above.
2536 At this stage, we must allow domain literal addresses, because we don't
2537 know what the setting of allow_domain_literals is yet. Ditto for trailing
2538 dots and strip_trailing_dot. */
2542 int dummy_start
, dummy_end
;
2546 if (i
+1 < argc
) argrest
= argv
[++i
]; else
2547 { badarg
= TRUE
; break; }
2550 sender_address
= string_sprintf(""); /* Ensure writeable memory */
2553 uschar
*temp
= argrest
+ Ustrlen(argrest
) - 1;
2554 while (temp
>= argrest
&& isspace(*temp
)) temp
--;
2555 if (temp
>= argrest
&& *temp
== '.') f_end_dot
= TRUE
;
2556 allow_domain_literals
= TRUE
;
2557 strip_trailing_dot
= TRUE
;
2559 allow_utf8_domains
= TRUE
;
2561 sender_address
= parse_extract_address(argrest
, &errmess
,
2562 &dummy_start
, &dummy_end
, &sender_address_domain
, TRUE
);
2564 message_smtputf8
= string_is_utf8(sender_address
);
2565 allow_utf8_domains
= FALSE
;
2567 allow_domain_literals
= FALSE
;
2568 strip_trailing_dot
= FALSE
;
2569 if (sender_address
== NULL
)
2571 fprintf(stderr
, "exim: bad -f address \"%s\": %s\n", argrest
, errmess
);
2572 return EXIT_FAILURE
;
2575 sender_address_forced
= TRUE
;
2579 /* -G: sendmail invocation to specify that it's a gateway submission and
2580 sendmail may complain about problems instead of fixing them.
2581 We make it equivalent to an ACL "control = suppress_local_fixups" and do
2582 not at this time complain about problems. */
2588 /* -h: Set the hop count for an incoming message. Exim does not currently
2589 support this; it always computes it by counting the Received: headers.
2590 To put it in will require a change to the spool header file format. */
2595 if(++i
< argc
) argrest
= argv
[i
]; else
2596 { badarg
= TRUE
; break; }
2598 if (!isdigit(*argrest
)) badarg
= TRUE
;
2602 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2603 not to be documented for sendmail but mailx (at least) uses it) */
2606 if (*argrest
== 0) dot_ends
= FALSE
; else badarg
= TRUE
;
2610 /* -L: set the identifier used for syslog; equivalent to setting
2611 syslog_processname in the config file, but needs to be an admin option. */
2614 if (*argrest
== '\0')
2616 if(++i
< argc
) argrest
= argv
[i
]; else
2617 { badarg
= TRUE
; break; }
2619 sz
= Ustrlen(argrest
);
2622 fprintf(stderr
, "exim: the -L syslog name is too long: \"%s\"\n", argrest
);
2623 return EXIT_FAILURE
;
2627 fprintf(stderr
, "exim: the -L syslog name is too short\n");
2628 return EXIT_FAILURE
;
2630 cmdline_syslog_name
= argrest
;
2634 receiving_message
= FALSE
;
2636 /* -MC: continue delivery of another message via an existing open
2637 file descriptor. This option is used for an internal call by the
2638 smtp transport when there is a pending message waiting to go to an
2639 address to which it has got a connection. Five subsequent arguments are
2640 required: transport name, host name, IP address, sequence number, and
2641 message_id. Transports may decline to create new processes if the sequence
2642 number gets too big. The channel is stdin. This (-MC) must be the last
2643 argument. There's a subsequent check that the real-uid is privileged.
2645 If we are running in the test harness. delay for a bit, to let the process
2646 that set this one up complete. This makes for repeatability of the logging,
2649 if (Ustrcmp(argrest
, "C") == 0)
2651 union sockaddr_46 interface_sock
;
2652 EXIM_SOCKLEN_T size
= sizeof(interface_sock
);
2656 fprintf(stderr
, "exim: too many or too few arguments after -MC\n");
2657 return EXIT_FAILURE
;
2660 if (msg_action_arg
>= 0)
2662 fprintf(stderr
, "exim: incompatible arguments\n");
2663 return EXIT_FAILURE
;
2666 continue_transport
= argv
[++i
];
2667 continue_hostname
= argv
[++i
];
2668 continue_host_address
= argv
[++i
];
2669 continue_sequence
= Uatoi(argv
[++i
]);
2670 msg_action
= MSG_DELIVER
;
2671 msg_action_arg
= ++i
;
2672 forced_delivery
= TRUE
;
2673 queue_run_pid
= passed_qr_pid
;
2674 queue_run_pipe
= passed_qr_pipe
;
2676 if (!mac_ismsgid(argv
[i
]))
2678 fprintf(stderr
, "exim: malformed message id %s after -MC option\n",
2680 return EXIT_FAILURE
;
2683 /* Set up $sending_ip_address and $sending_port, unless proxied */
2685 if (!continue_proxy_cipher
)
2686 if (getsockname(fileno(stdin
), (struct sockaddr
*)(&interface_sock
),
2688 sending_ip_address
= host_ntoa(-1, &interface_sock
, NULL
,
2692 fprintf(stderr
, "exim: getsockname() failed after -MC option: %s\n",
2694 return EXIT_FAILURE
;
2697 if (running_in_test_harness
) millisleep(500);
2701 else if (*argrest
== 'C' && argrest
[1] && !argrest
[2])
2705 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2706 precedes -MC (see above). The flag indicates that the host to which
2707 Exim is connected has accepted an AUTH sequence. */
2709 case 'A': smtp_authenticated
= TRUE
; break;
2711 /* -MCD: set the smtp_use_dsn flag; this indicates that the host
2712 that exim is connected to supports the esmtp extension DSN */
2714 case 'D': smtp_peer_options
|= OPTION_DSN
; break;
2716 /* -MCG: set the queue name, to a non-default value */
2718 case 'G': if (++i
< argc
) queue_name
= string_copy(argv
[i
]);
2722 /* -MCK: the peer offered CHUNKING. Must precede -MC */
2724 case 'K': smtp_peer_options
|= OPTION_CHUNKING
; break;
2726 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2727 it preceded -MC (see above) */
2729 case 'P': smtp_peer_options
|= OPTION_PIPE
; break;
2731 /* -MCQ: pass on the pid of the queue-running process that started
2732 this chain of deliveries and the fd of its synchronizing pipe; this
2733 is useful only when it precedes -MC (see above) */
2735 case 'Q': if (++i
< argc
) passed_qr_pid
= (pid_t
)(Uatol(argv
[i
]));
2737 if (++i
< argc
) passed_qr_pipe
= (int)(Uatol(argv
[i
]));
2741 /* -MCS: set the smtp_use_size flag; this is useful only when it
2742 precedes -MC (see above) */
2744 case 'S': smtp_peer_options
|= OPTION_SIZE
; break;
2747 /* -MCt: similar to -MCT below but the connection is still open
2748 via a proxy proces which handles the TLS context and coding.
2749 Require three arguments for the proxied local address and port,
2750 and the TLS cipher. */
2752 case 't': if (++i
< argc
) sending_ip_address
= argv
[i
];
2754 if (++i
< argc
) sending_port
= (int)(Uatol(argv
[i
]));
2756 if (++i
< argc
) continue_proxy_cipher
= argv
[i
];
2760 /* -MCT: set the tls_offered flag; this is useful only when it
2761 precedes -MC (see above). The flag indicates that the host to which
2762 Exim is connected has offered TLS support. */
2764 case 'T': smtp_peer_options
|= OPTION_TLS
; break;
2767 default: badarg
= TRUE
; break;
2772 /* -M[x]: various operations on the following list of message ids:
2773 -M deliver the messages, ignoring next retry times and thawing
2774 -Mc deliver the messages, checking next retry times, no thawing
2775 -Mf freeze the messages
2776 -Mg give up on the messages
2777 -Mt thaw the messages
2778 -Mrm remove the messages
2779 In the above cases, this must be the last option. There are also the
2780 following options which are followed by a single message id, and which
2781 act on that message. Some of them use the "recipient" addresses as well.
2782 -Mar add recipient(s)
2783 -Mmad mark all recipients delivered
2784 -Mmd mark recipients(s) delivered
2786 -Mset load a message for use with -be
2788 -Mvc show copy (of whole message, in RFC 2822 format)
2793 else if (*argrest
== 0)
2795 msg_action
= MSG_DELIVER
;
2796 forced_delivery
= deliver_force_thaw
= TRUE
;
2798 else if (Ustrcmp(argrest
, "ar") == 0)
2800 msg_action
= MSG_ADD_RECIPIENT
;
2801 one_msg_action
= TRUE
;
2803 else if (Ustrcmp(argrest
, "c") == 0) msg_action
= MSG_DELIVER
;
2804 else if (Ustrcmp(argrest
, "es") == 0)
2806 msg_action
= MSG_EDIT_SENDER
;
2807 one_msg_action
= TRUE
;
2809 else if (Ustrcmp(argrest
, "f") == 0) msg_action
= MSG_FREEZE
;
2810 else if (Ustrcmp(argrest
, "g") == 0)
2812 msg_action
= MSG_DELIVER
;
2813 deliver_give_up
= TRUE
;
2815 else if (Ustrcmp(argrest
, "mad") == 0)
2817 msg_action
= MSG_MARK_ALL_DELIVERED
;
2819 else if (Ustrcmp(argrest
, "md") == 0)
2821 msg_action
= MSG_MARK_DELIVERED
;
2822 one_msg_action
= TRUE
;
2824 else if (Ustrcmp(argrest
, "rm") == 0) msg_action
= MSG_REMOVE
;
2825 else if (Ustrcmp(argrest
, "set") == 0)
2827 msg_action
= MSG_LOAD
;
2828 one_msg_action
= TRUE
;
2830 else if (Ustrcmp(argrest
, "t") == 0) msg_action
= MSG_THAW
;
2831 else if (Ustrcmp(argrest
, "vb") == 0)
2833 msg_action
= MSG_SHOW_BODY
;
2834 one_msg_action
= TRUE
;
2836 else if (Ustrcmp(argrest
, "vc") == 0)
2838 msg_action
= MSG_SHOW_COPY
;
2839 one_msg_action
= TRUE
;
2841 else if (Ustrcmp(argrest
, "vh") == 0)
2843 msg_action
= MSG_SHOW_HEADER
;
2844 one_msg_action
= TRUE
;
2846 else if (Ustrcmp(argrest
, "vl") == 0)
2848 msg_action
= MSG_SHOW_LOG
;
2849 one_msg_action
= TRUE
;
2851 else { badarg
= TRUE
; break; }
2853 /* All the -Mxx options require at least one message id. */
2855 msg_action_arg
= i
+ 1;
2856 if (msg_action_arg
>= argc
)
2858 fprintf(stderr
, "exim: no message ids given after %s option\n", arg
);
2859 return EXIT_FAILURE
;
2862 /* Some require only message ids to follow */
2864 if (!one_msg_action
)
2867 for (j
= msg_action_arg
; j
< argc
; j
++) if (!mac_ismsgid(argv
[j
]))
2869 fprintf(stderr
, "exim: malformed message id %s after %s option\n",
2871 return EXIT_FAILURE
;
2873 goto END_ARG
; /* Remaining args are ids */
2876 /* Others require only one message id, possibly followed by addresses,
2877 which will be handled as normal arguments. */
2881 if (!mac_ismsgid(argv
[msg_action_arg
]))
2883 fprintf(stderr
, "exim: malformed message id %s after %s option\n",
2884 argv
[msg_action_arg
], arg
);
2885 return EXIT_FAILURE
;
2892 /* Some programs seem to call the -om option without the leading o;
2893 for sendmail it askes for "me too". Exim always does this. */
2896 if (*argrest
!= 0) badarg
= TRUE
;
2900 /* -N: don't do delivery - a debugging option that stops transports doing
2901 their thing. It implies debugging at the D_v level. */
2906 dont_deliver
= TRUE
;
2907 debug_selector
|= D_v
;
2908 debug_file
= stderr
;
2914 /* -n: This means "don't alias" in sendmail, apparently.
2915 For normal invocations, it has no effect.
2916 It may affect some other options. */
2922 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2923 option to the specified value. This form uses long names. We need to handle
2924 -O option=value and -Ooption=value. */
2931 fprintf(stderr
, "exim: string expected after -O\n");
2939 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2942 if (*argrest
== 'A')
2944 alias_arg
= argrest
+ 1;
2945 if (alias_arg
[0] == 0)
2947 if (i
+1 < argc
) alias_arg
= argv
[++i
]; else
2949 fprintf(stderr
, "exim: string expected after -oA\n");
2955 /* -oB: Set a connection message max value for remote deliveries */
2957 else if (*argrest
== 'B')
2959 uschar
*p
= argrest
+ 1;
2962 if (i
+1 < argc
&& isdigit((argv
[i
+1][0]))) p
= argv
[++i
]; else
2964 connection_max_messages
= 1;
2973 fprintf(stderr
, "exim: number expected after -oB\n");
2976 connection_max_messages
= Uatoi(p
);
2980 /* -odb: background delivery */
2982 else if (Ustrcmp(argrest
, "db") == 0)
2984 synchronous_delivery
= FALSE
;
2985 arg_queue_only
= FALSE
;
2986 queue_only_set
= TRUE
;
2989 /* -odf: foreground delivery (smail-compatible option); same effect as
2990 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2993 else if (Ustrcmp(argrest
, "df") == 0 || Ustrcmp(argrest
, "di") == 0)
2995 synchronous_delivery
= TRUE
;
2996 arg_queue_only
= FALSE
;
2997 queue_only_set
= TRUE
;
3000 /* -odq: queue only */
3002 else if (Ustrcmp(argrest
, "dq") == 0)
3004 synchronous_delivery
= FALSE
;
3005 arg_queue_only
= TRUE
;
3006 queue_only_set
= TRUE
;
3009 /* -odqs: queue SMTP only - do local deliveries and remote routing,
3010 but no remote delivery */
3012 else if (Ustrcmp(argrest
, "dqs") == 0)
3015 arg_queue_only
= FALSE
;
3016 queue_only_set
= TRUE
;
3019 /* -oex: Sendmail error flags. As these are also accepted without the
3020 leading -o prefix, for compatibility with vacation and other callers,
3021 they are handled with -e above. */
3023 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
3024 -oitrue: Another sendmail syntax for the same */
3026 else if (Ustrcmp(argrest
, "i") == 0 ||
3027 Ustrcmp(argrest
, "itrue") == 0)
3030 /* -oM*: Set various characteristics for an incoming message; actually
3031 acted on for trusted callers only. */
3033 else if (*argrest
== 'M')
3037 fprintf(stderr
, "exim: data expected after -o%s\n", argrest
);
3041 /* -oMa: Set sender host address */
3043 if (Ustrcmp(argrest
, "Ma") == 0) sender_host_address
= argv
[++i
];
3045 /* -oMaa: Set authenticator name */
3047 else if (Ustrcmp(argrest
, "Maa") == 0)
3048 sender_host_authenticated
= argv
[++i
];
3050 /* -oMas: setting authenticated sender */
3052 else if (Ustrcmp(argrest
, "Mas") == 0) authenticated_sender
= argv
[++i
];
3054 /* -oMai: setting authenticated id */
3056 else if (Ustrcmp(argrest
, "Mai") == 0) authenticated_id
= argv
[++i
];
3058 /* -oMi: Set incoming interface address */
3060 else if (Ustrcmp(argrest
, "Mi") == 0) interface_address
= argv
[++i
];
3062 /* -oMm: Message reference */
3064 else if (Ustrcmp(argrest
, "Mm") == 0)
3066 if (!mac_ismsgid(argv
[i
+1]))
3068 fprintf(stderr
,"-oMm must be a valid message ID\n");
3071 if (!trusted_config
)
3073 fprintf(stderr
,"-oMm must be called by a trusted user/config\n");
3076 message_reference
= argv
[++i
];
3079 /* -oMr: Received protocol */
3081 else if (Ustrcmp(argrest
, "Mr") == 0)
3083 if (received_protocol
)
3085 fprintf(stderr
, "received_protocol is set already\n");
3088 else received_protocol
= argv
[++i
];
3090 /* -oMs: Set sender host name */
3092 else if (Ustrcmp(argrest
, "Ms") == 0) sender_host_name
= argv
[++i
];
3094 /* -oMt: Set sender ident */
3096 else if (Ustrcmp(argrest
, "Mt") == 0)
3098 sender_ident_set
= TRUE
;
3099 sender_ident
= argv
[++i
];
3102 /* Else a bad argument */
3111 /* -om: Me-too flag for aliases. Exim always does this. Some programs
3112 seem to call this as -m (undocumented), so that is also accepted (see
3115 else if (Ustrcmp(argrest
, "m") == 0) {}
3117 /* -oo: An ancient flag for old-style addresses which still seems to
3118 crop up in some calls (see in SCO). */
3120 else if (Ustrcmp(argrest
, "o") == 0) {}
3122 /* -oP <name>: set pid file path for daemon */
3124 else if (Ustrcmp(argrest
, "P") == 0)
3125 override_pid_file_path
= argv
[++i
];
3127 /* -or <n>: set timeout for non-SMTP acceptance
3128 -os <n>: set timeout for SMTP acceptance */
3130 else if (*argrest
== 'r' || *argrest
== 's')
3132 int *tp
= (*argrest
== 'r')?
3133 &arg_receive_timeout
: &arg_smtp_receive_timeout
;
3134 if (argrest
[1] == 0)
3136 if (i
+1 < argc
) *tp
= readconf_readtime(argv
[++i
], 0, FALSE
);
3138 else *tp
= readconf_readtime(argrest
+ 1, 0, FALSE
);
3141 fprintf(stderr
, "exim: bad time value %s: abandoned\n", argv
[i
]);
3146 /* -oX <list>: Override local_interfaces and/or default daemon ports */
3148 else if (Ustrcmp(argrest
, "X") == 0)
3149 override_local_interfaces
= argv
[++i
];
3151 /* Unknown -o argument */
3157 /* -ps: force Perl startup; -pd force delayed Perl startup */
3161 if (*argrest
== 's' && argrest
[1] == 0)
3163 perl_start_option
= 1;
3166 if (*argrest
== 'd' && argrest
[1] == 0)
3168 perl_start_option
= -1;
3173 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
3174 which sets the host protocol and host name */
3178 argrest
= argv
[++i
];
3180 { badarg
= TRUE
; break; }
3186 if (received_protocol
)
3188 fprintf(stderr
, "received_protocol is set already\n");
3192 hn
= Ustrchr(argrest
, ':');
3194 received_protocol
= argrest
;
3197 int old_pool
= store_pool
;
3198 store_pool
= POOL_PERM
;
3199 received_protocol
= string_copyn(argrest
, hn
- argrest
);
3200 store_pool
= old_pool
;
3201 sender_host_name
= hn
+ 1;
3208 receiving_message
= FALSE
;
3209 if (queue_interval
>= 0)
3211 fprintf(stderr
, "exim: -q specified more than once\n");
3215 /* -qq...: Do queue runs in a 2-stage manner */
3217 if (*argrest
== 'q')
3219 queue_2stage
= TRUE
;
3223 /* -qi...: Do only first (initial) deliveries */
3225 if (*argrest
== 'i')
3227 queue_run_first_delivery
= TRUE
;
3231 /* -qf...: Run the queue, forcing deliveries
3232 -qff..: Ditto, forcing thawing as well */
3234 if (*argrest
== 'f')
3236 queue_run_force
= TRUE
;
3237 if (*++argrest
== 'f')
3239 deliver_force_thaw
= TRUE
;
3244 /* -q[f][f]l...: Run the queue only on local deliveries */
3246 if (*argrest
== 'l')
3248 queue_run_local
= TRUE
;
3252 /* -q[f][f][l][G<name>]... Work on the named queue */
3254 if (*argrest
== 'G')
3257 for (argrest
++, i
= 0; argrest
[i
] && argrest
[i
] != '/'; ) i
++;
3258 queue_name
= string_copyn(argrest
, i
);
3260 if (*argrest
== '/') argrest
++;
3263 /* -q[f][f][l][G<name>]: Run the queue, optionally forced, optionally local
3264 only, optionally named, optionally starting from a given message id. */
3266 if (*argrest
== 0 &&
3267 (i
+ 1 >= argc
|| argv
[i
+1][0] == '-' || mac_ismsgid(argv
[i
+1])))
3270 if (i
+1 < argc
&& mac_ismsgid(argv
[i
+1]))
3271 start_queue_run_id
= argv
[++i
];
3272 if (i
+1 < argc
&& mac_ismsgid(argv
[i
+1]))
3273 stop_queue_run_id
= argv
[++i
];
3276 /* -q[f][f][l][G<name>/]<n>: Run the queue at regular intervals, optionally
3277 forced, optionally local only, optionally named. */
3279 else if ((queue_interval
= readconf_readtime(*argrest ? argrest
: argv
[++i
],
3282 fprintf(stderr
, "exim: bad time value %s: abandoned\n", argv
[i
]);
3288 case 'R': /* Synonymous with -qR... */
3289 receiving_message
= FALSE
;
3291 /* -Rf: As -R (below) but force all deliveries,
3292 -Rff: Ditto, but also thaw all frozen messages,
3293 -Rr: String is regex
3294 -Rrf: Regex and force
3295 -Rrff: Regex and force and thaw
3297 in all cases provided there are no further characters in this
3303 for (i
= 0; i
< nelem(rsopts
); i
++)
3304 if (Ustrcmp(argrest
, rsopts
[i
]) == 0)
3306 if (i
!= 2) queue_run_force
= TRUE
;
3307 if (i
>= 2) deliver_selectstring_regex
= TRUE
;
3308 if (i
== 1 || i
== 4) deliver_force_thaw
= TRUE
;
3309 argrest
+= Ustrlen(rsopts
[i
]);
3313 /* -R: Set string to match in addresses for forced queue run to
3314 pick out particular messages. */
3317 deliver_selectstring
= argrest
;
3318 else if (i
+1 < argc
)
3319 deliver_selectstring
= argv
[++i
];
3322 fprintf(stderr
, "exim: string expected after -R\n");
3328 /* -r: an obsolete synonym for -f (see above) */
3331 /* -S: Like -R but works on sender. */
3333 case 'S': /* Synonymous with -qS... */
3334 receiving_message
= FALSE
;
3336 /* -Sf: As -S (below) but force all deliveries,
3337 -Sff: Ditto, but also thaw all frozen messages,
3338 -Sr: String is regex
3339 -Srf: Regex and force
3340 -Srff: Regex and force and thaw
3342 in all cases provided there are no further characters in this
3348 for (i
= 0; i
< nelem(rsopts
); i
++)
3349 if (Ustrcmp(argrest
, rsopts
[i
]) == 0)
3351 if (i
!= 2) queue_run_force
= TRUE
;
3352 if (i
>= 2) deliver_selectstring_sender_regex
= TRUE
;
3353 if (i
== 1 || i
== 4) deliver_force_thaw
= TRUE
;
3354 argrest
+= Ustrlen(rsopts
[i
]);
3358 /* -S: Set string to match in addresses for forced queue run to
3359 pick out particular messages. */
3362 deliver_selectstring_sender
= argrest
;
3363 else if (i
+1 < argc
)
3364 deliver_selectstring_sender
= argv
[++i
];
3367 fprintf(stderr
, "exim: string expected after -S\n");
3372 /* -Tqt is an option that is exclusively for use by the testing suite.
3373 It is not recognized in other circumstances. It allows for the setting up
3374 of explicit "queue times" so that various warning/retry things can be
3375 tested. Otherwise variability of clock ticks etc. cause problems. */
3378 if (running_in_test_harness
&& Ustrcmp(argrest
, "qt") == 0)
3379 fudged_queue_times
= argv
[++i
];
3384 /* -t: Set flag to extract recipients from body of message. */
3387 if (*argrest
== 0) extract_recipients
= TRUE
;
3389 /* -ti: Set flag to extract recipients from body of message, and also
3390 specify that dot does not end the message. */
3392 else if (Ustrcmp(argrest
, "i") == 0)
3394 extract_recipients
= TRUE
;
3398 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3401 else if (Ustrcmp(argrest
, "ls-on-connect") == 0) tls_in
.on_connect
= TRUE
;
3408 /* -U: This means "initial user submission" in sendmail, apparently. The
3409 doc claims that in future sendmail may refuse syntactically invalid
3410 messages instead of fixing them. For the moment, we just ignore it. */
3416 /* -v: verify things - this is a very low-level debugging */
3421 debug_selector
|= D_v
;
3422 debug_file
= stderr
;
3428 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3430 The -x flag tells the sendmail command that mail from a local
3431 mail program has National Language Support (NLS) extended characters
3432 in the body of the mail item. The sendmail command can send mail with
3433 extended NLS characters across networks that normally corrupts these
3436 As Exim is 8-bit clean, it just ignores this flag. */
3439 if (*argrest
!= 0) badarg
= TRUE
;
3442 /* -X: in sendmail: takes one parameter, logfile, and sends debugging
3443 logs to that file. We swallow the parameter and otherwise ignore it. */
3446 if (*argrest
== '\0')
3449 fprintf(stderr
, "exim: string expected after -X\n");
3455 if (*argrest
== '\0')
3456 if (++i
< argc
) log_oneline
= argv
[i
]; else
3458 fprintf(stderr
, "exim: file name expected after %s\n", argv
[i
-1]);
3463 /* All other initial characters are errors */
3468 } /* End of high-level switch statement */
3470 /* Failed to recognize the option, or syntax error */
3474 fprintf(stderr
, "exim abandoned: unknown, malformed, or incomplete "
3475 "option %s\n", arg
);
3481 /* If -R or -S have been specified without -q, assume a single queue run. */
3483 if ( (deliver_selectstring
|| deliver_selectstring_sender
)
3484 && queue_interval
< 0)
3489 /* If usage_wanted is set we call the usage function - which never returns */
3490 if (usage_wanted
) exim_usage(called_as
);
3492 /* Arguments have been processed. Check for incompatibilities. */
3494 (smtp_input
|| extract_recipients
|| recipients_arg
< argc
) &&
3495 (daemon_listen
|| queue_interval
>= 0 || bi_option
||
3496 test_retry_arg
>= 0 || test_rewrite_arg
>= 0 ||
3497 filter_test
!= FTEST_NONE
|| (msg_action_arg
> 0 && !one_msg_action
))
3500 msg_action_arg
> 0 &&
3501 (daemon_listen
|| queue_interval
> 0 || list_options
||
3502 (checking
&& msg_action
!= MSG_LOAD
) ||
3503 bi_option
|| test_retry_arg
>= 0 || test_rewrite_arg
>= 0)
3506 (daemon_listen
|| queue_interval
> 0) &&
3507 (sender_address
!= NULL
|| list_options
|| list_queue
|| checking
||
3511 daemon_listen
&& queue_interval
== 0
3514 inetd_wait_mode
&& queue_interval
>= 0
3518 (checking
|| smtp_input
|| extract_recipients
||
3519 filter_test
!= FTEST_NONE
|| bi_option
)
3522 verify_address_mode
&&
3523 (address_test_mode
|| smtp_input
|| extract_recipients
||
3524 filter_test
!= FTEST_NONE
|| bi_option
)
3527 address_test_mode
&& (smtp_input
|| extract_recipients
||
3528 filter_test
!= FTEST_NONE
|| bi_option
)
3531 smtp_input
&& (sender_address
!= NULL
|| filter_test
!= FTEST_NONE
||
3535 deliver_selectstring
!= NULL
&& queue_interval
< 0
3538 msg_action
== MSG_LOAD
&&
3539 (!expansion_test
|| expansion_test_message
!= NULL
)
3543 fprintf(stderr
, "exim: incompatible command-line options or arguments\n");
3547 /* If debugging is set up, set the file and the file descriptor to pass on to
3548 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3549 to run in the foreground. */
3551 if (debug_selector
!= 0)
3553 debug_file
= stderr
;
3554 debug_fd
= fileno(debug_file
);
3555 background_daemon
= FALSE
;
3556 if (running_in_test_harness
) millisleep(100); /* lets caller finish */
3557 if (debug_selector
!= D_v
) /* -v only doesn't show this */
3559 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3560 version_string
, (long int)real_uid
, (long int)real_gid
, (int)getpid(),
3562 if (!version_printed
)
3563 show_whats_supported(stderr
);
3567 /* When started with root privilege, ensure that the limits on the number of
3568 open files and the number of processes (where that is accessible) are
3569 sufficiently large, or are unset, in case Exim has been called from an
3570 environment where the limits are screwed down. Not all OS have the ability to
3571 change some of these limits. */
3575 DEBUG(D_any
) debug_print_ids(US
"Exim has no root privilege:");
3581 #ifdef RLIMIT_NOFILE
3582 if (getrlimit(RLIMIT_NOFILE
, &rlp
) < 0)
3584 log_write(0, LOG_MAIN
|LOG_PANIC
, "getrlimit(RLIMIT_NOFILE) failed: %s",
3586 rlp
.rlim_cur
= rlp
.rlim_max
= 0;
3589 /* I originally chose 1000 as a nice big number that was unlikely to
3590 be exceeded. It turns out that some older OS have a fixed upper limit of
3593 if (rlp
.rlim_cur
< 1000)
3595 rlp
.rlim_cur
= rlp
.rlim_max
= 1000;
3596 if (setrlimit(RLIMIT_NOFILE
, &rlp
) < 0)
3598 rlp
.rlim_cur
= rlp
.rlim_max
= 256;
3599 if (setrlimit(RLIMIT_NOFILE
, &rlp
) < 0)
3600 log_write(0, LOG_MAIN
|LOG_PANIC
, "setrlimit(RLIMIT_NOFILE) failed: %s",
3607 if (getrlimit(RLIMIT_NPROC
, &rlp
) < 0)
3609 log_write(0, LOG_MAIN
|LOG_PANIC
, "getrlimit(RLIMIT_NPROC) failed: %s",
3611 rlp
.rlim_cur
= rlp
.rlim_max
= 0;
3614 #ifdef RLIM_INFINITY
3615 if (rlp
.rlim_cur
!= RLIM_INFINITY
&& rlp
.rlim_cur
< 1000)
3617 rlp
.rlim_cur
= rlp
.rlim_max
= RLIM_INFINITY
;
3619 if (rlp
.rlim_cur
< 1000)
3621 rlp
.rlim_cur
= rlp
.rlim_max
= 1000;
3623 if (setrlimit(RLIMIT_NPROC
, &rlp
) < 0)
3624 log_write(0, LOG_MAIN
|LOG_PANIC
, "setrlimit(RLIMIT_NPROC) failed: %s",
3630 /* Exim is normally entered as root (but some special configurations are
3631 possible that don't do this). However, it always spins off sub-processes that
3632 set their uid and gid as required for local delivery. We don't want to pass on
3633 any extra groups that root may belong to, so we want to get rid of them all at
3636 We need to obey setgroups() at this stage, before possibly giving up root
3637 privilege for a changed configuration file, but later on we might need to
3638 check on the additional groups for the admin user privilege - can't do that
3639 till after reading the config, which might specify the exim gid. Therefore,
3640 save the group list here first. */
3642 group_count
= getgroups(NGROUPS_MAX
, group_list
);
3643 if (group_count
< 0)
3645 fprintf(stderr
, "exim: getgroups() failed: %s\n", strerror(errno
));
3649 /* There is a fundamental difference in some BSD systems in the matter of
3650 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3651 known not to be different. On the "different" systems there is a single group
3652 list, and the first entry in it is the current group. On all other versions of
3653 Unix there is a supplementary group list, which is in *addition* to the current
3654 group. Consequently, to get rid of all extraneous groups on a "standard" system
3655 you pass over 0 groups to setgroups(), while on a "different" system you pass
3656 over a single group - the current group, which is always the first group in the
3657 list. Calling setgroups() with zero groups on a "different" system results in
3658 an error return. The following code should cope with both types of system.
3660 However, if this process isn't running as root, setgroups() can't be used
3661 since you have to be root to run it, even if throwing away groups. Not being
3662 root here happens only in some unusual configurations. We just ignore the
3665 if (setgroups(0, NULL
) != 0)
3667 if (setgroups(1, group_list
) != 0 && !unprivileged
)
3669 fprintf(stderr
, "exim: setgroups() failed: %s\n", strerror(errno
));
3674 /* If the configuration file name has been altered by an argument on the
3675 command line (either a new file name or a macro definition) and the caller is
3676 not root, or if this is a filter testing run, remove any setuid privilege the
3677 program has and run as the underlying user.
3679 The exim user is locked out of this, which severely restricts the use of -C
3682 Otherwise, set the real ids to the effective values (should be root unless run
3683 from inetd, which it can either be root or the exim uid, if one is configured).
3685 There is a private mechanism for bypassing some of this, in order to make it
3686 possible to test lots of configurations automatically, without having either to
3687 recompile each time, or to patch in an actual configuration file name and other
3688 values (such as the path name). If running in the test harness, pretend that
3689 configuration file changes and macro definitions haven't happened. */
3692 (!trusted_config
|| /* Config changed, or */
3693 !macros_trusted(opt_D_used
)) && /* impermissible macros and */
3694 real_uid
!= root_uid
&& /* Not root, and */
3695 !running_in_test_harness
/* Not fudged */
3697 expansion_test
/* expansion testing */
3699 filter_test
!= FTEST_NONE
) /* Filter testing */
3701 setgroups(group_count
, group_list
);
3702 exim_setugid(real_uid
, real_gid
, FALSE
,
3703 US
"-C, -D, -be or -bf forces real uid");
3704 removed_privilege
= TRUE
;
3706 /* In the normal case when Exim is called like this, stderr is available
3707 and should be used for any logging information because attempts to write
3708 to the log will usually fail. To arrange this, we unset really_exim. However,
3709 if no stderr is available there is no point - we might as well have a go
3710 at the log (if it fails, syslog will be written).
3712 Note that if the invoker is Exim, the logs remain available. Messing with
3713 this causes unlogged successful deliveries. */
3715 if ((log_stderr
!= NULL
) && (real_uid
!= exim_uid
))
3716 really_exim
= FALSE
;
3719 /* Privilege is to be retained for the moment. It may be dropped later,
3720 depending on the job that this Exim process has been asked to do. For now, set
3721 the real uid to the effective so that subsequent re-execs of Exim are done by a
3724 else exim_setugid(geteuid(), getegid(), FALSE
, US
"forcing real = effective");
3726 /* If testing a filter, open the file(s) now, before wasting time doing other
3727 setups and reading the message. */
3729 if ((filter_test
& FTEST_SYSTEM
) != 0)
3731 filter_sfd
= Uopen(filter_test_sfile
, O_RDONLY
, 0);
3734 fprintf(stderr
, "exim: failed to open %s: %s\n", filter_test_sfile
,
3736 return EXIT_FAILURE
;
3740 if ((filter_test
& FTEST_USER
) != 0)
3742 filter_ufd
= Uopen(filter_test_ufile
, O_RDONLY
, 0);
3745 fprintf(stderr
, "exim: failed to open %s: %s\n", filter_test_ufile
,
3747 return EXIT_FAILURE
;
3751 /* Initialise lookup_list
3752 If debugging, already called above via version reporting.
3753 In either case, we initialise the list of available lookups while running
3754 as root. All dynamically modules are loaded from a directory which is
3755 hard-coded into the binary and is code which, if not a module, would be
3756 part of Exim already. Ability to modify the content of the directory
3757 is equivalent to the ability to modify a setuid binary!
3759 This needs to happen before we read the main configuration. */
3763 if (running_in_test_harness
) smtputf8_advertise_hosts
= NULL
;
3766 /* Read the main runtime configuration data; this gives up if there
3767 is a failure. It leaves the configuration file open so that the subsequent
3768 configuration data for delivery can be read if needed.
3770 NOTE: immediatly after opening the configuration file we change the working
3771 directory to "/"! Later we change to $spool_directory. We do it there, because
3772 during readconf_main() some expansion takes place already. */
3774 /* Store the initial cwd before we change directories. Can be NULL if the
3775 dir has already been unlinked. */
3776 initial_cwd
= os_getcwd(NULL
, 0);
3779 -be[m] expansion test -
3780 -b[fF] filter test new
3782 -bmalware malware_test_file new
3784 -brw rewrite test new
3786 -bv[s] address verify -
3788 -bP <option> (except -bP config, which sets list_config)
3790 If any of these options is set, we suppress warnings about configuration
3791 issues (currently about tls_advertise_hosts and keep_environment not being
3794 readconf_main(checking
|| list_options
);
3797 /* Now in directory "/" */
3799 if (cleanup_environment() == FALSE
)
3800 log_write(0, LOG_PANIC_DIE
, "Can't cleanup environment");
3803 /* If an action on specific messages is requested, or if a daemon or queue
3804 runner is being started, we need to know if Exim was called by an admin user.
3805 This is the case if the real user is root or exim, or if the real group is
3806 exim, or if one of the supplementary groups is exim or a group listed in
3807 admin_groups. We don't fail all message actions immediately if not admin_user,
3808 since some actions can be performed by non-admin users. Instead, set admin_user
3809 for later interrogation. */
3811 if (real_uid
== root_uid
|| real_uid
== exim_uid
|| real_gid
== exim_gid
)
3816 for (i
= 0; i
< group_count
&& !admin_user
; i
++)
3817 if (group_list
[i
] == exim_gid
)
3819 else if (admin_groups
)
3820 for (j
= 1; j
<= (int)admin_groups
[0] && !admin_user
; j
++)
3821 if (admin_groups
[j
] == group_list
[i
])
3825 /* Another group of privileged users are the trusted users. These are root,
3826 exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3827 are permitted to specify sender_addresses with -f on the command line, and
3828 other message parameters as well. */
3830 if (real_uid
== root_uid
|| real_uid
== exim_uid
)
3831 trusted_caller
= TRUE
;
3837 for (i
= 1; i
<= (int)trusted_users
[0] && !trusted_caller
; i
++)
3838 if (trusted_users
[i
] == real_uid
)
3839 trusted_caller
= TRUE
;
3842 for (i
= 1; i
<= (int)trusted_groups
[0] && !trusted_caller
; i
++)
3843 if (trusted_groups
[i
] == real_gid
)
3844 trusted_caller
= TRUE
;
3845 else for (j
= 0; j
< group_count
&& !trusted_caller
; j
++)
3846 if (trusted_groups
[i
] == group_list
[j
])
3847 trusted_caller
= TRUE
;
3850 /* At this point, we know if the user is privileged and some command-line
3851 options become possibly impermissible, depending upon the configuration file. */
3853 if (checking
&& commandline_checks_require_admin
&& !admin_user
) {
3854 fprintf(stderr
, "exim: those command-line flags are set to require admin\n");
3858 /* Handle the decoding of logging options. */
3860 decode_bits(log_selector
, log_selector_size
, log_notall
,
3861 log_selector_string
, log_options
, log_options_count
, US
"log", 0);
3866 debug_printf("configuration file is %s\n", config_main_filename
);
3867 debug_printf("log selectors =");
3868 for (i
= 0; i
< log_selector_size
; i
++)
3869 debug_printf(" %08x", log_selector
[i
]);
3873 /* If domain literals are not allowed, check the sender address that was
3874 supplied with -f. Ditto for a stripped trailing dot. */
3876 if (sender_address
!= NULL
)
3878 if (sender_address
[sender_address_domain
] == '[' && !allow_domain_literals
)
3880 fprintf(stderr
, "exim: bad -f address \"%s\": domain literals not "
3881 "allowed\n", sender_address
);
3882 return EXIT_FAILURE
;
3884 if (f_end_dot
&& !strip_trailing_dot
)
3886 fprintf(stderr
, "exim: bad -f address \"%s.\": domain is malformed "
3887 "(trailing dot not allowed)\n", sender_address
);
3888 return EXIT_FAILURE
;
3892 /* See if an admin user overrode our logging. */
3894 if (cmdline_syslog_name
!= NULL
)
3898 syslog_processname
= cmdline_syslog_name
;
3899 log_file_path
= string_copy(CUS
"syslog");
3903 /* not a panic, non-privileged users should not be able to spam paniclog */
3905 "exim: you lack sufficient privilege to specify syslog process name\n");
3906 return EXIT_FAILURE
;
3910 /* Paranoia check of maximum lengths of certain strings. There is a check
3911 on the length of the log file path in log.c, which will come into effect
3912 if there are any calls to write the log earlier than this. However, if we
3913 get this far but the string is very long, it is better to stop now than to
3914 carry on and (e.g.) receive a message and then have to collapse. The call to
3915 log_write() from here will cause the ultimate panic collapse if the complete
3916 file name exceeds the buffer length. */
3918 if (Ustrlen(log_file_path
) > 200)
3919 log_write(0, LOG_MAIN
|LOG_PANIC_DIE
,
3920 "log_file_path is longer than 200 chars: aborting");
3922 if (Ustrlen(pid_file_path
) > 200)
3923 log_write(0, LOG_MAIN
|LOG_PANIC_DIE
,
3924 "pid_file_path is longer than 200 chars: aborting");
3926 if (Ustrlen(spool_directory
) > 200)
3927 log_write(0, LOG_MAIN
|LOG_PANIC_DIE
,
3928 "spool_directory is longer than 200 chars: aborting");
3930 /* Length check on the process name given to syslog for its TAG field,
3931 which is only permitted to be 32 characters or less. See RFC 3164. */
3933 if (Ustrlen(syslog_processname
) > 32)
3934 log_write(0, LOG_MAIN
|LOG_PANIC_DIE
,
3935 "syslog_processname is longer than 32 chars: aborting");
3940 log_write(0, LOG_MAIN
, "%s", log_oneline
);
3941 return EXIT_SUCCESS
;
3944 return EXIT_FAILURE
;
3946 /* In some operating systems, the environment variable TMPDIR controls where
3947 temporary files are created; Exim doesn't use these (apart from when delivering
3948 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3949 If TMPDIR is found in the environment, reset it to the value defined in the
3950 EXIM_TMPDIR macro, if this macro is defined. For backward compatibility this
3951 macro may be called TMPDIR in old "Local/Makefile"s. It's converted to
3952 EXIM_TMPDIR by the build scripts.
3958 if (environ
) for (p
= USS environ
; *p
; p
++)
3959 if (Ustrncmp(*p
, "TMPDIR=", 7) == 0 && Ustrcmp(*p
+7, EXIM_TMPDIR
) != 0)
3961 uschar
* newp
= store_malloc(Ustrlen(EXIM_TMPDIR
) + 8);
3962 sprintf(CS newp
, "TMPDIR=%s", EXIM_TMPDIR
);
3964 DEBUG(D_any
) debug_printf("reset TMPDIR=%s in environment\n", EXIM_TMPDIR
);
3969 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3970 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3971 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3972 called by a user who has set the TZ variable. This then affects the timestamps
3973 in log files and in Received: headers, and any created Date: header lines. The
3974 required timezone is settable in the configuration file, so nothing can be done
3975 about this earlier - but hopefully nothing will normally be logged earlier than
3976 this. We have to make a new environment if TZ is wrong, but don't bother if
3977 timestamps_utc is set, because then all times are in UTC anyway. */
3979 if (timezone_string
&& strcmpic(timezone_string
, US
"UTC") == 0)
3980 timestamps_utc
= TRUE
;
3983 uschar
*envtz
= US
getenv("TZ");
3985 ?
!timezone_string
|| Ustrcmp(timezone_string
, envtz
) != 0
3986 : timezone_string
!= NULL
3989 uschar
**p
= USS environ
;
3993 if (environ
) while (*p
++) count
++;
3994 if (!envtz
) count
++;
3995 newp
= new = store_malloc(sizeof(uschar
*) * (count
+ 1));
3996 if (environ
) for (p
= USS environ
; *p
; p
++)
3997 if (Ustrncmp(*p
, "TZ=", 3) != 0) *newp
++ = *p
;
3998 if (timezone_string
)
4000 *newp
= store_malloc(Ustrlen(timezone_string
) + 4);
4001 sprintf(CS
*newp
++, "TZ=%s", timezone_string
);
4006 DEBUG(D_any
) debug_printf("Reset TZ to %s: time is %s\n", timezone_string
,
4007 tod_stamp(tod_log
));
4011 /* Handle the case when we have removed the setuid privilege because of -C or
4012 -D. This means that the caller of Exim was not root.
4014 There is a problem if we were running as the Exim user. The sysadmin may
4015 expect this case to retain privilege because "the binary was called by the
4016 Exim user", but it hasn't, because either the -D option set macros, or the
4017 -C option set a non-trusted configuration file. There are two possibilities:
4019 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
4020 to do message deliveries. Thus, the fact that it is running as a
4021 non-privileged user is plausible, and might be wanted in some special
4022 configurations. However, really_exim will have been set false when
4023 privilege was dropped, to stop Exim trying to write to its normal log
4024 files. Therefore, re-enable normal log processing, assuming the sysadmin
4025 has set up the log directory correctly.
4027 (2) If deliver_drop_privilege is not set, the configuration won't work as
4028 apparently intended, and so we log a panic message. In order to retain
4029 root for -C or -D, the caller must either be root or be invoking a
4030 trusted configuration file (when deliver_drop_privilege is false). */
4032 if ( removed_privilege
4033 && (!trusted_config
|| opt_D_used
)
4034 && real_uid
== exim_uid
)
4035 if (deliver_drop_privilege
)
4036 really_exim
= TRUE
; /* let logging work normally */
4038 log_write(0, LOG_MAIN
|LOG_PANIC
,
4039 "exim user lost privilege for using %s option",
4040 trusted_config?
"-D" : "-C");
4042 /* Start up Perl interpreter if Perl support is configured and there is a
4043 perl_startup option, and the configuration or the command line specifies
4044 initializing starting. Note that the global variables are actually called
4045 opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
4048 if (perl_start_option
!= 0)
4049 opt_perl_at_start
= (perl_start_option
> 0);
4050 if (opt_perl_at_start
&& opt_perl_startup
!= NULL
)
4053 DEBUG(D_any
) debug_printf("Starting Perl interpreter\n");
4054 errstr
= init_perl(opt_perl_startup
);
4057 fprintf(stderr
, "exim: error in perl_startup code: %s\n", errstr
);
4058 return EXIT_FAILURE
;
4060 opt_perl_started
= TRUE
;
4062 #endif /* EXIM_PERL */
4064 /* Log the arguments of the call if the configuration file said so. This is
4065 a debugging feature for finding out what arguments certain MUAs actually use.
4066 Don't attempt it if logging is disabled, or if listing variables or if
4067 verifying/testing addresses or expansions. */
4069 if (((debug_selector
& D_any
) != 0 || LOGGING(arguments
))
4070 && really_exim
&& !list_options
&& !checking
)
4073 uschar
*p
= big_buffer
;
4074 Ustrcpy(p
, "cwd= (failed)");
4076 Ustrncpy(p
+ 4, initial_cwd
, big_buffer_size
-5);
4079 (void)string_format(p
, big_buffer_size
- (p
- big_buffer
), " %d args:", argc
);
4081 for (i
= 0; i
< argc
; i
++)
4083 int len
= Ustrlen(argv
[i
]);
4084 const uschar
*printing
;
4086 if (p
+ len
+ 8 >= big_buffer
+ big_buffer_size
)
4089 log_write(0, LOG_MAIN
, "%s", big_buffer
);
4090 Ustrcpy(big_buffer
, "...");
4093 printing
= string_printing(argv
[i
]);
4094 if (printing
[0] == 0) quote
= US
"\""; else
4096 const uschar
*pp
= printing
;
4098 while (*pp
!= 0) if (isspace(*pp
++)) { quote
= US
"\""; break; }
4100 p
+= sprintf(CS p
, " %s%.*s%s", quote
, (int)(big_buffer_size
-
4101 (p
- big_buffer
) - 4), printing
, quote
);
4104 if (LOGGING(arguments
))
4105 log_write(0, LOG_MAIN
, "%s", big_buffer
);
4107 debug_printf("%s\n", big_buffer
);
4110 /* Set the working directory to be the top-level spool directory. We don't rely
4111 on this in the code, which always uses fully qualified names, but it's useful
4112 for core dumps etc. Don't complain if it fails - the spool directory might not
4113 be generally accessible and calls with the -C option (and others) have lost
4114 privilege by now. Before the chdir, we try to ensure that the directory exists.
4117 if (Uchdir(spool_directory
) != 0)
4120 (void)directory_make(spool_directory
, US
"", SPOOL_DIRECTORY_MODE
, FALSE
);
4121 dummy
= /* quieten compiler */ Uchdir(spool_directory
);
4122 dummy
= dummy
; /* yet more compiler quietening, sigh */
4125 /* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
4126 alias file. Exim doesn't have such a concept, but this call is screwed into
4127 Sun's YP makefiles. Handle this by calling a configured script, as the real
4128 user who called Exim. The -oA option can be used to pass an argument to the
4133 (void)fclose(config_file
);
4134 if (bi_command
!= NULL
)