Fix what d291c7670e4c370cdc4f631ea58f82c7f4f87823 broke. Closes 1115
[exim.git] / src / src / transports / appendfile.c
1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
4
5 /* Copyright (c) University of Cambridge 1995 - 2016 */
6 /* See the file NOTICE for conditions of use and distribution. */
7
8
9 #include "../exim.h"
10 #include "appendfile.h"
11
12 #ifdef SUPPORT_MAILDIR
13 #include "tf_maildir.h"
14 #endif
15
16
17 /* Encodings for mailbox formats, and their names. MBX format is actually
18 supported only if SUPPORT_MBX is set. */
19
20 enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
21
22 static const char *mailbox_formats[] = {
23 "unix", "mbx", "smail", "maildir", "mailstore" };
24
25
26 /* Check warn threshold only if quota size set or not a percentage threshold
27 percentage check should only be done if quota > 0 */
28
29 #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
30 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
31
32
33 /* Options specific to the appendfile transport. They must be in alphabetic
34 order (note that "_" comes before the lower case letters). Some of them are
35 stored in the publicly visible instance block - these are flagged with the
36 opt_public flag. */
37
38 optionlist appendfile_transport_options[] = {
39 #ifdef SUPPORT_MAILDIR
40 { "*expand_maildir_use_size_file", opt_stringptr,
41 (void *)offsetof(appendfile_transport_options_block, expand_maildir_use_size_file) },
42 #endif
43 { "*set_use_fcntl_lock",opt_bool | opt_hidden,
44 (void *)offsetof(appendfile_transport_options_block, set_use_fcntl) },
45 { "*set_use_flock_lock",opt_bool | opt_hidden,
46 (void *)offsetof(appendfile_transport_options_block, set_use_flock) },
47 { "*set_use_lockfile", opt_bool | opt_hidden,
48 (void *)offsetof(appendfile_transport_options_block, set_use_lockfile) },
49 #ifdef SUPPORT_MBX
50 { "*set_use_mbx_lock", opt_bool | opt_hidden,
51 (void *)offsetof(appendfile_transport_options_block, set_use_mbx_lock) },
52 #endif
53 { "allow_fifo", opt_bool,
54 (void *)offsetof(appendfile_transport_options_block, allow_fifo) },
55 { "allow_symlink", opt_bool,
56 (void *)offsetof(appendfile_transport_options_block, allow_symlink) },
57 { "batch_id", opt_stringptr | opt_public,
58 (void *)offsetof(transport_instance, batch_id) },
59 { "batch_max", opt_int | opt_public,
60 (void *)offsetof(transport_instance, batch_max) },
61 { "check_group", opt_bool,
62 (void *)offsetof(appendfile_transport_options_block, check_group) },
63 { "check_owner", opt_bool,
64 (void *)offsetof(appendfile_transport_options_block, check_owner) },
65 { "check_string", opt_stringptr,
66 (void *)offsetof(appendfile_transport_options_block, check_string) },
67 { "create_directory", opt_bool,
68 (void *)offsetof(appendfile_transport_options_block, create_directory) },
69 { "create_file", opt_stringptr,
70 (void *)offsetof(appendfile_transport_options_block, create_file_string) },
71 { "directory", opt_stringptr,
72 (void *)offsetof(appendfile_transport_options_block, dirname) },
73 { "directory_file", opt_stringptr,
74 (void *)offsetof(appendfile_transport_options_block, dirfilename) },
75 { "directory_mode", opt_octint,
76 (void *)offsetof(appendfile_transport_options_block, dirmode) },
77 { "escape_string", opt_stringptr,
78 (void *)offsetof(appendfile_transport_options_block, escape_string) },
79 { "file", opt_stringptr,
80 (void *)offsetof(appendfile_transport_options_block, filename) },
81 { "file_format", opt_stringptr,
82 (void *)offsetof(appendfile_transport_options_block, file_format) },
83 { "file_must_exist", opt_bool,
84 (void *)offsetof(appendfile_transport_options_block, file_must_exist) },
85 { "lock_fcntl_timeout", opt_time,
86 (void *)offsetof(appendfile_transport_options_block, lock_fcntl_timeout) },
87 { "lock_flock_timeout", opt_time,
88 (void *)offsetof(appendfile_transport_options_block, lock_flock_timeout) },
89 { "lock_interval", opt_time,
90 (void *)offsetof(appendfile_transport_options_block, lock_interval) },
91 { "lock_retries", opt_int,
92 (void *)offsetof(appendfile_transport_options_block, lock_retries) },
93 { "lockfile_mode", opt_octint,
94 (void *)offsetof(appendfile_transport_options_block, lockfile_mode) },
95 { "lockfile_timeout", opt_time,
96 (void *)offsetof(appendfile_transport_options_block, lockfile_timeout) },
97 { "mailbox_filecount", opt_stringptr,
98 (void *)offsetof(appendfile_transport_options_block, mailbox_filecount_string) },
99 { "mailbox_size", opt_stringptr,
100 (void *)offsetof(appendfile_transport_options_block, mailbox_size_string) },
101 #ifdef SUPPORT_MAILDIR
102 { "maildir_format", opt_bool,
103 (void *)offsetof(appendfile_transport_options_block, maildir_format ) } ,
104 { "maildir_quota_directory_regex", opt_stringptr,
105 (void *)offsetof(appendfile_transport_options_block, maildir_dir_regex) },
106 { "maildir_retries", opt_int,
107 (void *)offsetof(appendfile_transport_options_block, maildir_retries) },
108 { "maildir_tag", opt_stringptr,
109 (void *)offsetof(appendfile_transport_options_block, maildir_tag) },
110 { "maildir_use_size_file", opt_expand_bool,
111 (void *)offsetof(appendfile_transport_options_block, maildir_use_size_file ) } ,
112 { "maildirfolder_create_regex", opt_stringptr,
113 (void *)offsetof(appendfile_transport_options_block, maildirfolder_create_regex ) },
114 #endif /* SUPPORT_MAILDIR */
115 #ifdef SUPPORT_MAILSTORE
116 { "mailstore_format", opt_bool,
117 (void *)offsetof(appendfile_transport_options_block, mailstore_format ) },
118 { "mailstore_prefix", opt_stringptr,
119 (void *)offsetof(appendfile_transport_options_block, mailstore_prefix ) },
120 { "mailstore_suffix", opt_stringptr,
121 (void *)offsetof(appendfile_transport_options_block, mailstore_suffix ) },
122 #endif /* SUPPORT_MAILSTORE */
123 #ifdef SUPPORT_MBX
124 { "mbx_format", opt_bool,
125 (void *)offsetof(appendfile_transport_options_block, mbx_format ) } ,
126 #endif /* SUPPORT_MBX */
127 { "message_prefix", opt_stringptr,
128 (void *)offsetof(appendfile_transport_options_block, message_prefix) },
129 { "message_suffix", opt_stringptr,
130 (void *)offsetof(appendfile_transport_options_block, message_suffix) },
131 { "mode", opt_octint,
132 (void *)offsetof(appendfile_transport_options_block, mode) },
133 { "mode_fail_narrower",opt_bool,
134 (void *)offsetof(appendfile_transport_options_block, mode_fail_narrower) },
135 { "notify_comsat", opt_bool,
136 (void *)offsetof(appendfile_transport_options_block, notify_comsat) },
137 { "quota", opt_stringptr,
138 (void *)offsetof(appendfile_transport_options_block, quota) },
139 { "quota_directory", opt_stringptr,
140 (void *)offsetof(appendfile_transport_options_block, quota_directory) },
141 { "quota_filecount", opt_stringptr,
142 (void *)offsetof(appendfile_transport_options_block, quota_filecount) },
143 { "quota_is_inclusive", opt_bool,
144 (void *)offsetof(appendfile_transport_options_block, quota_is_inclusive) },
145 { "quota_size_regex", opt_stringptr,
146 (void *)offsetof(appendfile_transport_options_block, quota_size_regex) },
147 { "quota_warn_message", opt_stringptr | opt_public,
148 (void *)offsetof(transport_instance, warn_message) },
149 { "quota_warn_threshold", opt_stringptr,
150 (void *)offsetof(appendfile_transport_options_block, quota_warn_threshold) },
151 { "use_bsmtp", opt_bool,
152 (void *)offsetof(appendfile_transport_options_block, use_bsmtp) },
153 { "use_crlf", opt_bool,
154 (void *)offsetof(appendfile_transport_options_block, use_crlf) },
155 { "use_fcntl_lock", opt_bool_set,
156 (void *)offsetof(appendfile_transport_options_block, use_fcntl) },
157 { "use_flock_lock", opt_bool_set,
158 (void *)offsetof(appendfile_transport_options_block, use_flock) },
159 { "use_lockfile", opt_bool_set,
160 (void *)offsetof(appendfile_transport_options_block, use_lockfile) },
161 #ifdef SUPPORT_MBX
162 { "use_mbx_lock", opt_bool_set,
163 (void *)offsetof(appendfile_transport_options_block, use_mbx_lock) },
164 #endif /* SUPPORT_MBX */
165 };
166
167 /* Size of the options list. An extern variable has to be used so that its
168 address can appear in the tables drtables.c. */
169
170 int appendfile_transport_options_count =
171 sizeof(appendfile_transport_options)/sizeof(optionlist);
172
173 /* Default private options block for the appendfile transport. */
174
175 appendfile_transport_options_block appendfile_transport_option_defaults = {
176 NULL, /* filename */
177 NULL, /* dirname */
178 US"q${base62:$tod_epoch}-$inode", /* dirfilename */
179 NULL, /* message_prefix (default reset in init if not bsmtp) */
180 NULL, /* message_suffix (ditto) */
181 US"anywhere", /* create_file_string (string value for create_file) */
182 NULL, /* quota */
183 NULL, /* quota_directory */
184 NULL, /* quota_filecount */
185 NULL, /* quota_size_regex */
186 NULL, /* quota_warn_threshold */
187 NULL, /* mailbox_size_string */
188 NULL, /* mailbox_filecount_string */
189 NULL, /* expand_maildir_use_size_file */
190 US"^(?:cur|new|\\..*)$", /* maildir_dir_regex */
191 NULL, /* maildir_tag */
192 NULL, /* maildirfolder_create_regex */
193 NULL, /* mailstore_prefix */
194 NULL, /* mailstore_suffix */
195 NULL, /* check_string (default changed for non-bsmtp file)*/
196 NULL, /* escape_string (ditto) */
197 NULL, /* file_format */
198 0, /* quota_value */
199 0, /* quota_warn_threshold_value */
200 -1, /* mailbox_size_value */
201 -1, /* mailbox_filecount_value */
202 0, /* quota_filecount_value */
203 APPENDFILE_MODE, /* mode */
204 APPENDFILE_DIRECTORY_MODE, /* dirmode */
205 APPENDFILE_LOCKFILE_MODE, /* lockfile_mode */
206 30*60, /* lockfile_timeout */
207 0, /* lock_fcntl_timeout */
208 0, /* lock_flock_timeout */
209 10, /* lock_retries */
210 3, /* lock_interval */
211 10, /* maildir_retries */
212 create_anywhere,/* create_file */
213 0, /* options */
214 FALSE, /* allow_fifo */
215 FALSE, /* allow_symlink */
216 FALSE, /* check_group */
217 TRUE, /* check_owner */
218 TRUE, /* create_directory */
219 FALSE, /* notify_comsat */
220 TRUE, /* use_lockfile */
221 FALSE, /* set_use_lockfile */
222 TRUE, /* use_fcntl */
223 FALSE, /* set_use_fcntl */
224 FALSE, /* use_flock */
225 FALSE, /* set_use_flock */
226 FALSE, /* use_mbx_lock */
227 FALSE, /* set_use_mbx_lock */
228 FALSE, /* use_bsmtp */
229 FALSE, /* use_crlf */
230 FALSE, /* file_must_exist */
231 TRUE, /* mode_fail_narrower */
232 FALSE, /* maildir_format */
233 FALSE, /* maildir_use_size_file */
234 FALSE, /* mailstore_format */
235 FALSE, /* mbx_format */
236 FALSE, /* quota_warn_threshold_is_percent */
237 TRUE, /* quota_is_inclusive */
238 FALSE, /* quota_no_check */
239 FALSE /* quota_filecount_no_check */
240 };
241
242
243
244 /*************************************************
245 * Setup entry point *
246 *************************************************/
247
248 /* Called for each delivery in the privileged state, just before the uid/gid
249 are changed and the main entry point is called. We use this function to
250 expand any quota settings, so that it can access files that may not be readable
251 by the user. It is also used to pick up external mailbox size information, if
252 set.
253
254 Arguments:
255 tblock points to the transport instance
256 addrlist addresses about to be delivered (not used)
257 dummy not used (doesn't pass back data)
258 uid the uid that will be set (not used)
259 gid the gid that will be set (not used)
260 errmsg where to put an error message
261
262 Returns: OK, FAIL, or DEFER
263 */
264
265 static int
266 appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
267 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
268 {
269 appendfile_transport_options_block *ob =
270 (appendfile_transport_options_block *)(tblock->options_block);
271 uschar *q = ob->quota;
272 double default_value = 0.0;
273 int i;
274
275 addrlist = addrlist; /* Keep picky compilers happy */
276 dummy = dummy;
277 uid = uid;
278 gid = gid;
279
280 if (ob->expand_maildir_use_size_file)
281 ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
282 US"`maildir_use_size_file` in transport", tblock->name);
283
284 /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
285 mailbox_filecount */
286
287 for (i = 0; i < 5; i++)
288 {
289 double d;
290 int no_check = 0;
291 uschar *which = NULL;
292
293 if (q == NULL) d = default_value;
294 else
295 {
296 uschar *rest;
297 uschar *s = expand_string(q);
298
299 if (s == NULL)
300 {
301 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
302 "%s", q, tblock->name, expand_string_message);
303 return search_find_defer? DEFER : FAIL;
304 }
305
306 d = Ustrtod(s, &rest);
307
308 /* Handle following characters K, M, G, %, the latter being permitted
309 for quota_warn_threshold only. A threshold with no quota setting is
310 just ignored. */
311
312 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
313 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
314 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
315 else if (*rest == '%' && i == 2)
316 {
317 if (ob->quota_value <= 0 && !ob->maildir_use_size_file) d = 0;
318 else if ((int)d < 0 || (int)d > 100)
319 {
320 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
321 " for %s transport", (int)d, tblock->name);
322 return FAIL;
323 }
324 ob->quota_warn_threshold_is_percent = TRUE;
325 rest++;
326 }
327
328
329 /* For quota and quota_filecount there may be options
330 appended. Currently only "no_check", so we can be lazy parsing it */
331 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
332 {
333 no_check = 1;
334 rest += sizeof("/no_check") - 1;
335 }
336
337 while (isspace(*rest)) rest++;
338
339 if (*rest != 0)
340 {
341 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
342 "in %s transport [%s]", s, q, tblock->name);
343 return FAIL;
344 }
345 }
346
347 /* Set each value, checking for possible overflow. */
348
349 switch (i)
350 {
351 case 0:
352 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4) which = US"quota";
353 ob->quota_value = (off_t)d;
354 ob->quota_no_check = no_check;
355 q = ob->quota_filecount;
356 break;
357
358 case 1:
359 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"quota_filecount";
360 ob->quota_filecount_value = (int)d;
361 ob->quota_filecount_no_check = no_check;
362 q = ob->quota_warn_threshold;
363 break;
364
365 case 2:
366 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
367 which = US"quota_warn_threshold";
368 ob->quota_warn_threshold_value = (off_t)d;
369 q = ob->mailbox_size_string;
370 default_value = -1.0;
371 break;
372
373 case 3:
374 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
375 which = US"mailbox_size";;
376 ob->mailbox_size_value = (off_t)d;
377 q = ob->mailbox_filecount_string;
378 break;
379
380 case 4:
381 if (d >= 2.0*1024.0*1024.0*1024.0) which = US"mailbox_filecount";
382 ob->mailbox_filecount_value = (int)d;
383 break;
384 }
385
386 if (which != NULL)
387 {
388 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
389 "%s transport", which, d, tblock->name);
390 return FAIL;
391 }
392 }
393
394 return OK;
395 }
396
397
398
399 /*************************************************
400 * Initialization entry point *
401 *************************************************/
402
403 /* Called for each instance, after its options have been read, to
404 enable consistency checks to be done, or anything else that needs
405 to be set up. */
406
407 void
408 appendfile_transport_init(transport_instance *tblock)
409 {
410 appendfile_transport_options_block *ob =
411 (appendfile_transport_options_block *)(tblock->options_block);
412
413 /* Set up the setup entry point, to be called in the privileged state */
414
415 tblock->setup = appendfile_transport_setup;
416
417 /* Lock_retries must be greater than zero */
418
419 if (ob->lock_retries == 0) ob->lock_retries = 1;
420
421 /* Only one of a file name or directory name must be given. */
422
423 if (ob->filename != NULL && ob->dirname != NULL)
424 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
425 "only one of \"file\" or \"directory\" can be specified", tblock->name);
426
427 /* If a file name was specified, neither quota_filecount nor quota_directory
428 must be given. */
429
430 if (ob->filename != NULL)
431 {
432 if (ob->quota_filecount != NULL)
433 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
434 "quota_filecount must not be set without \"directory\"", tblock->name);
435 if (ob->quota_directory != NULL)
436 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
437 "quota_directory must not be set without \"directory\"", tblock->name);
438 }
439
440 /* The default locking depends on whether MBX is set or not. Change the
441 built-in default if none of the lock options has been explicitly set. At least
442 one form of locking is required in all cases, but mbx locking changes the
443 meaning of fcntl and flock locking. */
444
445 /* Not all operating systems provide flock(). For those that do, if flock is
446 requested, the default for fcntl is FALSE. */
447
448 if (ob->use_flock)
449 {
450 #ifdef NO_FLOCK
451 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
452 "flock() support was not available in the operating system when this "
453 "binary was built", tblock->name);
454 #endif /* NO_FLOCK */
455 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
456 }
457
458 #ifdef SUPPORT_MBX
459 if (ob->mbx_format)
460 {
461 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
462 !ob->set_use_mbx_lock)
463 {
464 ob->use_lockfile = ob->use_flock = FALSE;
465 ob->use_mbx_lock = ob->use_fcntl = TRUE;
466 }
467 else if (ob->use_mbx_lock)
468 {
469 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
470 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
471 if (!ob->set_use_flock) ob->use_flock = FALSE;
472 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
473 }
474 }
475 #endif /* SUPPORT_MBX */
476
477 if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
478 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
479 "no locking configured", tblock->name);
480
481 /* Unset timeouts for non-used locking types */
482
483 if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
484 if (!ob->use_flock) ob->lock_flock_timeout = 0;
485
486 /* If a directory name was specified, only one of maildir or mailstore may be
487 specified, and if quota_filecount or quota_directory is given, quota must
488 be set. */
489
490 if (ob->dirname != NULL)
491 {
492 if (ob->maildir_format && ob->mailstore_format)
493 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
494 "only one of maildir and mailstore may be specified", tblock->name);
495 if (ob->quota_filecount != NULL && ob->quota == NULL)
496 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
497 "quota must be set if quota_filecount is set", tblock->name);
498 if (ob->quota_directory != NULL && ob->quota == NULL)
499 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
500 "quota must be set if quota_directory is set", tblock->name);
501 }
502
503 /* If a fixed uid field is set, then a gid field must also be set. */
504
505 if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
506 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
507 "user set without group for the %s transport", tblock->name);
508
509 /* If "create_file" is set, check that a valid option is given, and set the
510 integer variable. */
511
512 if (ob->create_file_string != NULL)
513 {
514 int value = 0;
515 if (Ustrcmp(ob->create_file_string, "anywhere") == 0) value = create_anywhere;
516 else if (Ustrcmp(ob->create_file_string, "belowhome") == 0) value =
517 create_belowhome;
518 else if (Ustrcmp(ob->create_file_string, "inhome") == 0)
519 value = create_inhome;
520 else
521 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
522 "invalid value given for \"file_create\" for the %s transport: %s",
523 tblock->name, ob->create_file_string);
524 ob->create_file = value;
525 }
526
527 /* If quota_warn_threshold is set, set up default for warn_message. It may
528 not be used if the actual threshold for a given delivery ends up as zero,
529 of if it's given as a percentage and there's no quota setting. */
530
531 if (ob->quota_warn_threshold != NULL)
532 {
533 if (tblock->warn_message == NULL) tblock->warn_message = US
534 "To: $local_part@$domain\n"
535 "Subject: Your mailbox\n\n"
536 "This message is automatically created by mail delivery software (Exim).\n\n"
537 "The size of your mailbox has exceeded a warning threshold that is\n"
538 "set by the system administrator.\n";
539 }
540
541 /* If batch SMTP is set, force the check and escape strings, and arrange that
542 headers are also escaped. */
543
544 if (ob->use_bsmtp)
545 {
546 ob->check_string = US".";
547 ob->escape_string = US"..";
548 ob->options |= topt_escape_headers;
549 }
550
551 /* If not batch SMTP, not maildir, not mailstore, and directory is not set,
552 insert default values for for the affixes and the check/escape strings. */
553
554 else if (ob->dirname == NULL && !ob->maildir_format && !ob->mailstore_format)
555 {
556 if (ob->message_prefix == NULL) ob->message_prefix =
557 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
558 if (ob->message_suffix == NULL) ob->message_suffix = US"\n";
559 if (ob->check_string == NULL) ob->check_string = US"From ";
560 if (ob->escape_string == NULL) ob->escape_string = US">From ";
561
562 }
563
564 /* Set up the bitwise options for transport_write_message from the various
565 driver options. Only one of body_only and headers_only can be set. */
566
567 ob->options |=
568 (tblock->body_only? topt_no_headers : 0) |
569 (tblock->headers_only? topt_no_body : 0) |
570 (tblock->return_path_add? topt_add_return_path : 0) |
571 (tblock->delivery_date_add? topt_add_delivery_date : 0) |
572 (tblock->envelope_to_add? topt_add_envelope_to : 0) |
573 ((ob->use_crlf || ob->mbx_format)? topt_use_crlf : 0);
574 }
575
576
577
578 /*************************************************
579 * Notify comsat *
580 *************************************************/
581
582 /* The comsat daemon is the thing that provides asynchronous notification of
583 the arrival of local messages, if requested by the user by "biff y". It is a
584 BSD thing that uses a TCP/IP protocol for communication. A message consisting
585 of the text "user@offset" must be sent, where offset is the place in the
586 mailbox where new mail starts. There is no scope for telling it which file to
587 look at, which makes it a less than useful if mail is being delivered into a
588 non-standard place such as the user's home directory. In fact, it doesn't seem
589 to pay much attention to the offset.
590
591 Arguments:
592 user user name
593 offset offset in mailbox
594
595 Returns: nothing
596 */
597
598 static void
599 notify_comsat(uschar *user, off_t offset)
600 {
601 struct servent *sp;
602 host_item host;
603 host_item *h;
604 uschar buffer[256];
605
606 DEBUG(D_transport) debug_printf("notify_comsat called\n");
607
608 sprintf(CS buffer, "%.200s@" OFF_T_FMT "\n", user, offset);
609
610 if ((sp = getservbyname("biff", "udp")) == NULL)
611 {
612 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
613 return;
614 }
615
616 host.name = US"localhost";
617 host.next = NULL;
618
619
620 /* This code is all set up to look up "localhost" and use all its addresses
621 until one succeeds. However, it appears that at least on some systems, comsat
622 doesn't listen on the ::1 address. So for the moment, just force the address to
623 be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
624 can be changed. (But actually, comsat is probably dying out anyway.) */
625
626 /******
627 if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
628 {
629 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
630 return;
631 }
632 ******/
633
634 host.address = US"127.0.0.1";
635
636
637 for (h = &host; h; h = h->next)
638 {
639 int sock, rc;
640 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
641
642 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
643
644 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
645
646 /* Connect never fails for a UDP socket, so don't set a timeout. */
647
648 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, FALSE);
649 rc = send(sock, buffer, Ustrlen(buffer) + 1, 0);
650 (void)close(sock);
651
652 if (rc >= 0) break;
653 DEBUG(D_transport)
654 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
655 h->address);
656 }
657 }
658
659
660
661 /*************************************************
662 * Check the format of a file *
663 *************************************************/
664
665 /* This function is called when file_format is set, to check that an existing
666 file has the right format. The format string contains text/transport pairs. The
667 string matching is literal. we just read big_buffer_size bytes, because this is
668 all about the first few bytes of a file.
669
670 Arguments:
671 cfd the open file
672 tblock the transport block
673 addr the address block - for inserting error data
674
675 Returns: pointer to the required transport, or NULL
676 */
677
678 transport_instance *
679 check_file_format(int cfd, transport_instance *tblock, address_item *addr)
680 {
681 const uschar *format =
682 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
683 uschar data[256];
684 int len = read(cfd, data, sizeof(data));
685 int sep = 0;
686 uschar *s;
687
688 DEBUG(D_transport) debug_printf("checking file format\n");
689
690 /* An empty file matches the current transport */
691
692 if (len == 0) return tblock;
693
694 /* Search the formats for a match */
695
696 while ((s = string_nextinlist(&format,&sep,big_buffer,big_buffer_size)))
697 {
698 int slen = Ustrlen(s);
699 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
700 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
701
702 if (match && tp)
703 {
704 transport_instance *tt;
705 for (tt = transports; tt; tt = tt->next)
706 if (Ustrcmp(tp, tt->name) == 0)
707 {
708 DEBUG(D_transport)
709 debug_printf("file format -> %s transport\n", tt->name);
710 return tt;
711 }
712 addr->basic_errno = ERRNO_BADTRANSPORT;
713 addr->message = string_sprintf("%s transport (for %.*s format) not found",
714 tp, slen, data);
715 return NULL;
716 }
717 }
718
719 /* Failed to find a match */
720
721 addr->basic_errno = ERRNO_FORMATUNKNOWN;
722 addr->message = US"mailbox file format unrecognized";
723 return NULL;
724 }
725
726
727
728
729 /*************************************************
730 * Check directory's files for quota *
731 *************************************************/
732
733 /* This function is called if quota is set for one of the delivery modes that
734 delivers into a specific directory. It scans the directory and stats all the
735 files in order to get a total size and count. This is an expensive thing to do,
736 but some people are prepared to bear the cost. Alternatively, if size_regex is
737 set, it is used as a regex to try to extract the size from the file name, a
738 strategy that some people use on maildir files on systems where the users have
739 no shell access.
740
741 The function is global, because it is also called from tf_maildir.c for maildir
742 folders (which should contain only regular files).
743
744 Note: Any problems can be written to debugging output, but cannot be written to
745 the log, because we are running as an unprivileged user here.
746
747 Arguments:
748 dirname the name of the directory
749 countptr where to add the file count (because this function recurses)
750 regex a compiled regex to get the size from a name
751
752 Returns: the sum of the sizes of the stattable files
753 zero if the directory cannot be opened
754 */
755
756 off_t
757 check_dir_size(uschar *dirname, int *countptr, const pcre *regex)
758 {
759 DIR *dir;
760 off_t sum = 0;
761 int count = *countptr;
762 struct dirent *ent;
763 struct stat statbuf;
764
765 dir = opendir(CS dirname);
766 if (dir == NULL) return 0;
767
768 while ((ent = readdir(dir)) != NULL)
769 {
770 uschar *name = US ent->d_name;
771 uschar buffer[1024];
772
773 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
774
775 count++;
776
777 /* If there's a regex, try to find the size using it */
778
779 if (regex != NULL)
780 {
781 int ovector[6];
782 if (pcre_exec(regex, NULL, CS name, Ustrlen(name), 0, 0, ovector,6) >= 2)
783 {
784 uschar *endptr;
785 off_t size = (off_t)Ustrtod(name + ovector[2], &endptr);
786 if (endptr == name + ovector[3])
787 {
788 sum += size;
789 DEBUG(D_transport)
790 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
791 size);
792 continue;
793 }
794 }
795 DEBUG(D_transport)
796 debug_printf("check_dir_size: regex did not match %s\n", name);
797 }
798
799 /* No regex or no match for the regex, or captured non-digits */
800
801 if (!string_format(buffer, sizeof(buffer), "%s/%s", dirname, name))
802 {
803 DEBUG(D_transport)
804 debug_printf("check_dir_size: name too long: dir=%s name=%s\n", dirname,
805 name);
806 continue;
807 }
808
809 if (Ustat(buffer, &statbuf) < 0)
810 {
811 DEBUG(D_transport)
812 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, buffer,
813 strerror(errno));
814 continue;
815 }
816
817 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
818 sum += statbuf.st_size;
819 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
820 sum += check_dir_size(buffer, &count, regex);
821 }
822
823 closedir(dir);
824 DEBUG(D_transport)
825 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
826 sum, count);
827
828 *countptr = count;
829 return sum;
830 }
831
832
833
834
835 /*************************************************
836 * Apply a lock to a file descriptor *
837 *************************************************/
838
839 /* This function applies a lock to a file descriptor, using a blocking or
840 non-blocking lock, depending on the timeout value. It can apply either or
841 both of a fcntl() and a flock() lock. However, not all OS support flock();
842 for those that don't, the use_flock option cannot be set.
843
844 Arguments:
845 fd the file descriptor
846 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
847 fcntl() format); the flock() type is deduced if needed
848 dofcntl do fcntl() locking
849 fcntltime non-zero to use blocking fcntl()
850 doflock do flock() locking
851 flocktime non-zero to use blocking flock()
852
853 Returns: yield of the fcntl() or flock() call, with errno preserved;
854 sigalrm_seen set if there has been a timeout
855 */
856
857 static int
858 apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
859 int flocktime)
860 {
861 int yield = 0;
862 int save_errno;
863 struct flock lock_data;
864 lock_data.l_type = fcntltype;
865 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
866
867 sigalrm_seen = FALSE;
868
869 if (dofcntl)
870 {
871 if (fcntltime > 0)
872 {
873 alarm(fcntltime);
874 yield = fcntl(fd, F_SETLKW, &lock_data);
875 save_errno = errno;
876 alarm(0);
877 errno = save_errno;
878 }
879 else yield = fcntl(fd, F_SETLK, &lock_data);
880 }
881
882 #ifndef NO_FLOCK
883 if (doflock && (yield >= 0))
884 {
885 int flocktype = (fcntltype == F_WRLCK)? LOCK_EX : LOCK_SH;
886 if (flocktime > 0)
887 {
888 alarm(flocktime);
889 yield = flock(fd, flocktype);
890 save_errno = errno;
891 alarm(0);
892 errno = save_errno;
893 }
894 else yield = flock(fd, flocktype | LOCK_NB);
895 }
896 #endif /* NO_FLOCK */
897
898 return yield;
899 }
900
901
902
903
904 #ifdef SUPPORT_MBX
905 /*************************************************
906 * Copy message into MBX mailbox *
907 *************************************************/
908
909 /* This function is called when a message intended for a MBX mailbox has been
910 written to a temporary file. We can now get the size of the message and then
911 copy it in MBX format to the mailbox.
912
913 Arguments:
914 to_fd fd to write to (the real mailbox)
915 from_fd fd to read from (the temporary file)
916 saved_size current size of mailbox
917
918 Returns: OK if all went well, DEFER otherwise, with errno preserved
919 the number of bytes written are added to transport_count
920 by virtue of calling transport_write_block()
921 */
922
923 /* Values taken from c-client */
924
925 #define MBX_HDRSIZE 2048
926 #define MBX_NUSERFLAGS 30
927
928 static int
929 copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
930 {
931 int used;
932 off_t size;
933 struct stat statbuf;
934 transport_ctx tctx = {0};
935
936 tctx.u.fd = to_fd;
937
938 /* If the current mailbox size is zero, write a header block */
939
940 if (saved_size == 0)
941 {
942 int i;
943 uschar *s;
944 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
945 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
946 (long int)time(NULL));
947 for (i = 0; i < MBX_NUSERFLAGS; i++)
948 sprintf (CS(s += Ustrlen(s)), "\015\012");
949 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
950 return DEFER;
951 }
952
953 DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
954
955 /* Now construct the message's header from the time and the RFC822 file
956 size, including CRLFs, which is the size of the input (temporary) file. */
957
958 if (fstat(from_fd, &statbuf) < 0) return DEFER;
959 size = statbuf.st_size;
960
961 sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
962 tod_stamp(tod_mbx), size, 0L, 0, 0);
963 used = Ustrlen(deliver_out_buffer);
964
965 /* Rewind the temporary file, and copy it over in chunks. */
966
967 if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
968
969 while (size > 0)
970 {
971 int len = read(from_fd, deliver_out_buffer + used,
972 DELIVER_OUT_BUFFER_SIZE - used);
973 if (len <= 0)
974 {
975 if (len == 0) errno = ERRNO_MBXLENGTH;
976 return DEFER;
977 }
978 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
979 return DEFER;
980 size -= len;
981 used = 0;
982 }
983
984 return OK;
985 }
986 #endif /* SUPPORT_MBX */
987
988
989
990 /*************************************************
991 * Check creation is permitted *
992 *************************************************/
993
994 /* This function checks whether a given file name is permitted to be created,
995 as controlled by the create_file option. If no home directory is set, however,
996 we can't do any tests.
997
998 Arguments:
999 filename the file name
1000 create_file the ob->create_file option
1001
1002 Returns: TRUE if creation is permitted
1003 */
1004
1005 static BOOL
1006 check_creation(uschar *filename, int create_file)
1007 {
1008 BOOL yield = TRUE;
1009
1010 if (deliver_home != NULL && create_file != create_anywhere)
1011 {
1012 int len = Ustrlen(deliver_home);
1013 uschar *file = filename;
1014
1015 while (file[0] == '/' && file[1] == '/') file++;
1016 if (Ustrncmp(file, deliver_home, len) != 0 || file[len] != '/' ||
1017 ( Ustrchr(file+len+2, '/') != NULL &&
1018 (
1019 create_file != create_belowhome ||
1020 Ustrstr(file+len, "/../") != NULL
1021 )
1022 )
1023 ) yield = FALSE;
1024
1025 /* If yield is TRUE, the file name starts with the home directory, and does
1026 not contain any instances of "/../" in the "belowhome" case. However, it may
1027 still contain symbolic links. We can check for this by making use of
1028 realpath(), which most Unixes seem to have (but make it possible to cut this
1029 out). We can't just use realpath() on the whole file name, because we know
1030 the file itself doesn't exist, and intermediate directories may also not
1031 exist. What we want to know is the real path of the longest existing part of
1032 the path. That must match the home directory's beginning, whichever is the
1033 shorter. */
1034
1035 #ifndef NO_REALPATH
1036 if (yield && create_file == create_belowhome)
1037 {
1038 uschar *slash, *next;
1039 uschar *rp = NULL;
1040 for (slash = Ustrrchr(file, '/'); /* There is known to be one */
1041 rp == NULL && slash > file; /* Stop if reached beginning */
1042 slash = next)
1043 {
1044 *slash = 0;
1045 rp = US realpath(CS file, CS big_buffer);
1046 next = Ustrrchr(file, '/');
1047 *slash = '/';
1048 }
1049
1050 /* If rp == NULL it means that none of the relevant directories exist.
1051 This is not a problem here - it means that no symbolic links can exist,
1052 which is all we are worried about. Otherwise, we must compare it
1053 against the start of the home directory. However, that may itself
1054 contain symbolic links, so we have to "realpath" it as well, if
1055 possible. */
1056
1057 if (rp != NULL)
1058 {
1059 uschar hdbuffer[PATH_MAX+1];
1060 uschar *rph = deliver_home;
1061 int rlen = Ustrlen(big_buffer);
1062
1063 rp = US realpath(CS deliver_home, CS hdbuffer);
1064 if (rp != NULL)
1065 {
1066 rph = hdbuffer;
1067 len = Ustrlen(rph);
1068 }
1069
1070 if (rlen > len) rlen = len;
1071 if (Ustrncmp(rph, big_buffer, rlen) != 0)
1072 {
1073 yield = FALSE;
1074 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
1075 big_buffer, deliver_home);
1076 }
1077 }
1078 }
1079 #endif /* NO_REALPATH */
1080 }
1081
1082 return yield;
1083 }
1084
1085
1086
1087 /*************************************************
1088 * Main entry point *
1089 *************************************************/
1090
1091 /* See local README for general interface details. This transport always
1092 returns FALSE, indicating that the status which has been placed in the first
1093 address should be copied to any other addresses in a batch.
1094
1095 Appendfile delivery is tricky and has led to various security problems in other
1096 mailers. The logic used here is therefore laid out in some detail. When this
1097 function is called, we are running in a subprocess which has had its gid and
1098 uid set to the appropriate values. Therefore, we cannot write directly to the
1099 exim logs. Any errors must be handled by setting appropriate return codes.
1100 Note that the default setting for addr->transport_return is DEFER, so it need
1101 not be set unless some other value is required.
1102
1103 The code below calls geteuid() rather than getuid() to get the current uid
1104 because in weird configurations not running setuid root there may be a
1105 difference. In the standard configuration, where setuid() has been used in the
1106 delivery process, there will be no difference between the uid and the euid.
1107
1108 (1) If the af_file flag is set, this is a delivery to a file after .forward or
1109 alias expansion. Otherwise, there must be a configured file name or
1110 directory name.
1111
1112 The following items apply in the case when a file name (as opposed to a
1113 directory name) is given, that is, when appending to a single file:
1114
1115 (2f) Expand the file name.
1116
1117 (3f) If the file name is /dev/null, return success (optimization).
1118
1119 (4f) If the file_format options is set, open the file for reading, and check
1120 that the bytes at the start of the file match one of the given strings.
1121 If the check indicates a transport other than the current one should be
1122 used, pass control to that other transport. Otherwise continue. An empty
1123 or non-existent file matches the current transport. The file is closed
1124 after the check.
1125
1126 (5f) If a lock file is required, create it (see extensive separate comments
1127 below about the algorithm for doing this). It is important to do this
1128 before opening the mailbox if NFS is in use.
1129
1130 (6f) Stat the file, using lstat() rather than stat(), in order to pick up
1131 details of any symbolic link.
1132
1133 (7f) If the file already exists:
1134
1135 Check the owner and group if necessary, and defer if they are wrong.
1136
1137 If it is a symbolic link AND the allow_symlink option is set (NOT the
1138 default), go back to (6f) but this time use stat() instead of lstat().
1139
1140 If it's not a regular file (or FIFO when permitted), defer delivery.
1141
1142 Check permissions. If the required permissions are *less* than the
1143 existing ones, or supplied by the address (often by the user via filter),
1144 chmod() the file. Otherwise, defer.
1145
1146 Save the inode number.
1147
1148 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1149
1150 If open fails because the file does not exist, go to (6f); on any other
1151 failure, defer.
1152
1153 Check the inode number hasn't changed - I realize this isn't perfect (an
1154 inode can be reused) but it's cheap and will catch some of the races.
1155
1156 Check it's still a regular file (or FIFO if permitted).
1157
1158 Check that the owner and permissions haven't changed.
1159
1160 If file_format is set, check that the file still matches the format for
1161 the current transport. If not, defer delivery.
1162
1163 (8f) If file does not exist initially:
1164
1165 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1166 this is via a symbolic link (only possible if allow_symlinks is set), in
1167 which case don't use O_EXCL, as it doesn't work.
1168
1169 If open fails because the file already exists, go to (6f). To avoid
1170 looping for ever in a situation where the file is continuously being
1171 created and deleted, all of this happens inside a loop that operates
1172 lock_retries times and includes the fcntl and flock locking. If the
1173 loop completes without the file getting opened, defer and request
1174 freezing, because something really weird is happening.
1175
1176 If open fails for any other reason, defer for subsequent delivery except
1177 when this is a file delivery resulting from an alias or forward expansion
1178 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1179 most likely a user rather than a configuration error.
1180
1181 (9f) We now have the file checked and open for writing. If so configured, lock
1182 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1183 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1184 still fails, give up and defer delivery.
1185
1186 (10f)Save the access time (for subsequent restoration) and the size of the
1187 file, for comsat and for re-setting if delivery fails in the middle -
1188 e.g. for quota exceeded.
1189
1190 The following items apply in the case when a directory name is given:
1191
1192 (2d) Create a new file in the directory using a temporary name, by opening for
1193 writing and with O_CREAT. If maildir format is being used, the file
1194 is created in a temporary subdirectory with a prescribed name. If
1195 mailstore format is being used, the envelope file is first created with a
1196 temporary name, then the data file.
1197
1198 The following items apply in all cases:
1199
1200 (11) We now have the file open for writing, and locked if it was given as a
1201 file name. Write the message and flush the file, unless there is a setting
1202 of the local quota option, in which case we can check for its excession
1203 without doing any writing.
1204
1205 In the case of MBX format mailboxes, the message is first written to a
1206 temporary file, in order to get its correct length. This is then copied to
1207 the real file, preceded by an MBX header.
1208
1209 If there is a quota error on writing, defer the address. Timeout logic
1210 will determine for how long retries are attempted. We restore the mailbox
1211 to its original length if it's a single file. There doesn't seem to be a
1212 uniform error code for quota excession (it even differs between SunOS4
1213 and some versions of SunOS5) so a system-dependent macro called
1214 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1215 compile time.
1216
1217 For any other error (most commonly disk full), do the same.
1218
1219 The following applies after appending to a file:
1220
1221 (12f)Restore the atime; notify_comsat if required; close the file (which
1222 unlocks it if it was locked). Delete the lock file if it exists.
1223
1224 The following applies after writing a unique file in a directory:
1225
1226 (12d)For maildir format, rename the file into the new directory. For mailstore
1227 format, rename the envelope file to its correct name. Otherwise, generate
1228 a unique name from the directory_file option, and rename to that, possibly
1229 trying a few times if the file exists and re-expanding the name gives a
1230 different string.
1231
1232 This transport yields FAIL only when a file name is generated by an alias or
1233 forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1234 All other failures return DEFER (in addr->transport_return). */
1235
1236
1237 BOOL
1238 appendfile_transport_entry(
1239 transport_instance *tblock, /* data for this instantiation */
1240 address_item *addr) /* address we are working on */
1241 {
1242 appendfile_transport_options_block *ob =
1243 (appendfile_transport_options_block *)(tblock->options_block);
1244 struct stat statbuf;
1245 uschar *fdname = NULL;
1246 uschar *filename = NULL;
1247 uschar *hitchname = NULL;
1248 uschar *dataname = NULL;
1249 uschar *lockname = NULL;
1250 uschar *newname = NULL;
1251 uschar *nametag = NULL;
1252 uschar *cr = US"";
1253 uschar *filecount_msg = US"";
1254 uschar *path;
1255 struct utimbuf times;
1256 struct timeval msg_tv;
1257 BOOL disable_quota = FALSE;
1258 BOOL isdirectory = FALSE;
1259 BOOL isfifo = FALSE;
1260 BOOL wait_for_tick = FALSE;
1261 uid_t uid = geteuid(); /* See note above */
1262 gid_t gid = getegid();
1263 int mbformat;
1264 int mode = (addr->mode > 0)? addr->mode : ob->mode;
1265 off_t saved_size = -1;
1266 off_t mailbox_size = ob->mailbox_size_value;
1267 int mailbox_filecount = ob->mailbox_filecount_value;
1268 int hd = -1;
1269 int fd = -1;
1270 int yield = FAIL;
1271 int i;
1272
1273 #ifdef SUPPORT_MBX
1274 int save_fd = 0;
1275 int mbx_lockfd = -1;
1276 uschar mbx_lockname[40];
1277 FILE *temp_file = NULL;
1278 #endif /* SUPPORT_MBX */
1279
1280 #ifdef SUPPORT_MAILDIR
1281 int maildirsize_fd = -1; /* fd for maildirsize file */
1282 int maildir_save_errno;
1283 #endif
1284
1285
1286 DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1287
1288 /* An "address_file" or "address_directory" transport is used to deliver to
1289 files specified via .forward or an alias file. Prior to release 4.20, the
1290 "file" and "directory" options were ignored in this case. This has been changed
1291 to allow the redirection data to specify what is in effect a folder, whose
1292 location is determined by the options on the transport.
1293
1294 Compatibility with the case when neither option is set is retained by forcing a
1295 value for the file or directory name. A directory delivery is assumed if the
1296 last character of the path from the router is '/'.
1297
1298 The file path is in the local part of the address, but not in the $local_part
1299 variable (that holds the parent local part). It is, however, in the
1300 $address_file variable. Below, we update the local part in the address if it
1301 changes by expansion, so that the final path ends up in the log. */
1302
1303 if (testflag(addr, af_file) &&
1304 ob->filename == NULL &&
1305 ob->dirname == NULL)
1306 {
1307 fdname = US"$address_file";
1308 if (address_file[Ustrlen(address_file)-1] == '/' ||
1309 ob->maildir_format ||
1310 ob->mailstore_format)
1311 isdirectory = TRUE;
1312 }
1313
1314 /* Handle (a) an "address file" delivery where "file" or "directory" is
1315 explicitly set and (b) a non-address_file delivery, where one of "file" or
1316 "directory" must be set; initialization ensures that they are not both set. */
1317
1318 if (fdname == NULL)
1319 {
1320 fdname = ob->filename;
1321 if (fdname == NULL)
1322 {
1323 fdname = ob->dirname;
1324 isdirectory = TRUE;
1325 }
1326 if (fdname == NULL)
1327 {
1328 addr->transport_return = PANIC;
1329 addr->message = string_sprintf("Mandatory file or directory option "
1330 "missing from %s transport", tblock->name);
1331 return FALSE;
1332 }
1333 }
1334
1335 /* Maildir and mailstore require a directory */
1336
1337 if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1338 {
1339 addr->transport_return = PANIC;
1340 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1341 "to be specified for the %s transport",
1342 ob->maildir_format? "dir" : "store", tblock->name);
1343 return FALSE;
1344 }
1345
1346 path = expand_string(fdname);
1347
1348 if (path == NULL)
1349 {
1350 addr->transport_return = PANIC;
1351 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1352 "name for %s transport) failed: %s", fdname, tblock->name,
1353 expand_string_message);
1354 return FALSE;
1355 }
1356
1357 if (path[0] != '/')
1358 {
1359 addr->message = string_sprintf("appendfile: file or directory name "
1360 "\"%s\" is not absolute", path);
1361 addr->basic_errno = ERRNO_NOTABSOLUTE;
1362 return FALSE;
1363 }
1364
1365 /* For a file delivery, make sure the local part in the address(es) is updated
1366 to the true local part. */
1367
1368 if (testflag(addr, af_file))
1369 {
1370 address_item *addr2;
1371 for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
1372 addr2->local_part = string_copy(path);
1373 }
1374
1375 /* The available mailbox formats depend on whether it is a directory or a file
1376 delivery. */
1377
1378 if (isdirectory)
1379 {
1380 mbformat =
1381 #ifdef SUPPORT_MAILDIR
1382 (ob->maildir_format)? mbf_maildir :
1383 #endif
1384 #ifdef SUPPORT_MAILSTORE
1385 (ob->mailstore_format)? mbf_mailstore :
1386 #endif
1387 mbf_smail;
1388 }
1389 else
1390 {
1391 mbformat =
1392 #ifdef SUPPORT_MBX
1393 (ob->mbx_format)? mbf_mbx :
1394 #endif
1395 mbf_unix;
1396 }
1397
1398 DEBUG(D_transport)
1399 {
1400 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1401 "%s%s"
1402 " warning=" OFF_T_FMT "%s\n"
1403 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1404 "maildir_use_size_file=%s\n",
1405 mode, ob->notify_comsat, ob->quota_value,
1406 ob->quota_no_check? " (no_check)" : "",
1407 ob->quota_filecount_no_check? " (no_check_filecount)" : "",
1408 ob->quota_warn_threshold_value,
1409 ob->quota_warn_threshold_is_percent? "%" : "",
1410 isdirectory? "directory" : "file",
1411 path, mailbox_formats[mbformat],
1412 (ob->message_prefix == NULL)? US"null" : string_printing(ob->message_prefix),
1413 (ob->message_suffix == NULL)? US"null" : string_printing(ob->message_suffix),
1414 (ob->maildir_use_size_file)? "yes" : "no");
1415
1416 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1417 ob->use_lockfile? "lockfile " : "",
1418 ob->use_mbx_lock? "mbx locking (" : "",
1419 ob->use_fcntl? "fcntl " : "",
1420 ob->use_flock? "flock" : "",
1421 ob->use_mbx_lock? ")" : "");
1422 }
1423
1424 /* If the -N option is set, can't do any more. */
1425
1426 if (dont_deliver)
1427 {
1428 DEBUG(D_transport)
1429 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1430 tblock->name);
1431 addr->transport_return = OK;
1432 return FALSE;
1433 }
1434
1435 /* Handle the case of a file name. If the file name is /dev/null, we can save
1436 ourselves some effort and just give a success return right away. */
1437
1438 if (!isdirectory)
1439 {
1440 BOOL use_lstat = TRUE;
1441 BOOL file_opened = FALSE;
1442 BOOL allow_creation_here = TRUE;
1443
1444 if (Ustrcmp(path, "/dev/null") == 0)
1445 {
1446 addr->transport_return = OK;
1447 return FALSE;
1448 }
1449
1450 /* Set the name of the file to be opened, and the file to which the data
1451 is written, and find out if we are permitted to create a non-existent file. */
1452
1453 dataname = filename = path;
1454 allow_creation_here = check_creation(filename, ob->create_file);
1455
1456 /* If ob->create_directory is set, attempt to create the directories in
1457 which this mailbox lives, but only if we are permitted to create the file
1458 itself. We know we are dealing with an absolute path, because this was
1459 checked above. */
1460
1461 if (ob->create_directory && allow_creation_here)
1462 {
1463 uschar *p = Ustrrchr(path, '/');
1464 *p = '\0';
1465 if (!directory_make(NULL, path, ob->dirmode, FALSE))
1466 {
1467 addr->basic_errno = errno;
1468 addr->message =
1469 string_sprintf("failed to create directories for %s: %s", path,
1470 strerror(errno));
1471 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1472 return FALSE;
1473 }
1474 *p = '/';
1475 }
1476
1477 /* If file_format is set we must check that any existing file matches one of
1478 the configured formats by checking the bytes it starts with. A match then
1479 indicates a specific transport - if it is not this one, pass control to it.
1480 Otherwise carry on here. An empty or non-existent file matches the current
1481 transport. We don't need to distinguish between non-existence and other open
1482 failures because if an existing file fails to open here, it will also fail
1483 again later when O_RDWR is used. */
1484
1485 if (ob->file_format != NULL)
1486 {
1487 int cfd = Uopen(path, O_RDONLY, 0);
1488 if (cfd >= 0)
1489 {
1490 transport_instance *tt = check_file_format(cfd, tblock, addr);
1491 (void)close(cfd);
1492
1493 /* If another transport is indicated, call it and return; if no transport
1494 was found, just return - the error data will have been set up.*/
1495
1496 if (tt != tblock)
1497 {
1498 if (tt != NULL)
1499 {
1500 set_process_info("delivering %s to %s using %s", message_id,
1501 addr->local_part, tt->name);
1502 debug_print_string(tt->debug_string);
1503 addr->transport = tt;
1504 (tt->info->code)(tt, addr);
1505 }
1506 return FALSE;
1507 }
1508 }
1509 }
1510
1511 /* The locking of mailbox files is worse than the naming of cats, which is
1512 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1513 three different names, so several different styles of locking are used.
1514
1515 Research in other programs that lock mailboxes shows that there is no
1516 universally standard method. Having mailboxes NFS-mounted on the system that
1517 is delivering mail is not the best thing, but people do run like this,
1518 and so the code must do its best to cope.
1519
1520 Three different locking mechanisms are supported. The initialization function
1521 checks that at least one is configured.
1522
1523 LOCK FILES
1524
1525 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1526 will work over NFS. Only after that is done do we actually open the mailbox
1527 and apply locks to it (if configured).
1528
1529 Originally, Exim got the file opened before doing anything about locking.
1530 However, a very occasional problem was observed on Solaris 2 when delivering
1531 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1532 gets remembered at open time. If another process on another host (that's
1533 important) has the file open and locked and writes to it and then releases
1534 the lock while the first process is waiting to get the lock, the first
1535 process may fail to write at the new end point of the file - despite the very
1536 definite statement about O_APPEND in the man page for write(). Experiments
1537 have reproduced this problem, but I do not know any way of forcing a host to
1538 update its attribute cache for an open NFS file. It would be nice if it did
1539 so when a lock was taken out, but this does not seem to happen. Anyway, to
1540 reduce the risk of this problem happening, we now create the lock file
1541 (if configured) *before* opening the mailbox. That will prevent two different
1542 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1543 however, but Pine at least seems to operate in the same way.
1544
1545 Lockfiles should normally be used when NFS is involved, because of the above
1546 problem.
1547
1548 The logic for creating the lock file is:
1549
1550 . The name of the lock file is <mailbox-name>.lock
1551
1552 . First, create a "hitching post" name by adding the primary host name,
1553 current time and pid to the lock file name. This should be unique.
1554
1555 . Create the hitching post file using WRONLY + CREAT + EXCL.
1556
1557 . If that fails EACCES, we assume it means that the user is unable to create
1558 files in the mail spool directory. Some installations might operate in this
1559 manner, so there is a configuration option to allow this state not to be an
1560 error - we proceed to lock using fcntl only, after the file is open.
1561
1562 . Otherwise, an error causes a deferment of the address.
1563
1564 . Hard link the hitching post to the lock file name.
1565
1566 . If the link succeeds, we have successfully created the lock file. Simply
1567 close and unlink the hitching post file.
1568
1569 . If the link does not succeed, proceed as follows:
1570
1571 o Fstat the hitching post file, and then close and unlink it.
1572
1573 o Now examine the stat data. If the number of links to the file is exactly
1574 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1575 the return never made it back, so the link() function gave a failure
1576 return.
1577
1578 . This method allows for the lock file to be created by some other process
1579 right up to the moment of the attempt to hard link it, and is also robust
1580 against NFS server crash-reboots, which would probably result in timeouts
1581 in the middle of link().
1582
1583 . System crashes may cause lock files to get left lying around, and some means
1584 of flushing them is required. The approach of writing a pid (used by smail
1585 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1586 timeout, which seems a better approach. Since any program that writes to a
1587 mailbox using a lock file should complete its task very quickly, Pine
1588 removes lock files that are older than 5 minutes. We allow the value to be
1589 configurable on the transport.
1590
1591 FCNTL LOCKING
1592
1593 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1594 mailbox once it is open. This is done by default with a non-blocking lock.
1595 Failures to lock cause retries after a sleep, but only for a certain number
1596 of tries. A blocking lock is deliberately not used so that we don't hold the
1597 mailbox open. This minimizes the possibility of the NFS problem described
1598 under LOCK FILES above, if for some reason NFS deliveries are happening
1599 without lock files. However, the use of a non-blocking lock and sleep, though
1600 the safest approach, does not give the best performance on very busy systems.
1601 A blocking lock plus timeout does better. Therefore Exim has an option to
1602 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1603 enables the use of blocking fcntl() calls.
1604
1605 FLOCK LOCKING
1606
1607 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1608 same manner as for fcntl locking above. No-blocking/timeout is also set as
1609 above in lock_flock_timeout. Not all operating systems provide or support
1610 flock(). For those that don't (as determined by the definition of LOCK_SH in
1611 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1612 is implemented (not precisely) on top of fcntl(), which means there's no
1613 point in actually using it.
1614
1615 MBX LOCKING
1616
1617 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1618 then the rules used for locking in c-client are used. Exim takes out a shared
1619 lock on the mailbox file, and an exclusive lock on the file whose name is
1620 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1621 any other MBX client from getting an exclusive lock on it and expunging it.
1622 It also stops any other MBX client from unlinking the /tmp lock when it has
1623 finished with it.
1624
1625 The exclusive lock on the /tmp file prevents any other MBX client from
1626 updating the mailbox in any way. When writing is finished, if an exclusive
1627 lock on the mailbox can be obtained, indicating there are no current sharers,
1628 the /tmp file is unlinked.
1629
1630 MBX locking can use either fcntl() or flock() locking. If neither
1631 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1632 The calls for getting these locks are by default non-blocking, as for non-mbx
1633 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1634 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1635 probably makes sense to set timeouts for any MBX deliveries. */
1636
1637
1638 /* Build a lock file if configured to do so - the existence of a lock
1639 file is subsequently checked by looking for a non-negative value of the
1640 file descriptor hd - even though the file is no longer open. */
1641
1642 if (ob->use_lockfile)
1643 {
1644 /* cf. exim_lock.c */
1645 lockname = string_sprintf("%s.lock", filename);
1646 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1647 (unsigned int)(time(NULL)), (unsigned int)getpid());
1648
1649 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1650 hitchname);
1651
1652 /* Lock file creation retry loop */
1653
1654 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1655 {
1656 int rc;
1657 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1658
1659 if (hd < 0)
1660 {
1661 addr->basic_errno = errno;
1662 addr->message =
1663 string_sprintf("creating lock file hitching post %s "
1664 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1665 (long int)getegid());
1666 return FALSE;
1667 }
1668
1669 /* Attempt to hitch the hitching post to the lock file. If link()
1670 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1671 file, and get rid of the hitching post. If the number of links was 2,
1672 the link was created, despite the failure of link(). If the hitch was
1673 not successful, try again, having unlinked the lock file if it is too
1674 old.
1675
1676 There's a version of Linux (2.0.27) which doesn't update its local cache
1677 of the inode after link() by default - which many think is a bug - but
1678 if the link succeeds, this code will be OK. It just won't work in the
1679 case when link() fails after having actually created the link. The Linux
1680 NFS person is fixing this; a temporary patch is available if anyone is
1681 sufficiently worried. */
1682
1683 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
1684 (void)close(hd);
1685 Uunlink(hitchname);
1686 if (rc != 0 && statbuf.st_nlink != 2)
1687 {
1688 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1689 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1690 {
1691 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1692 Uunlink(lockname);
1693 }
1694 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1695 continue;
1696 }
1697
1698 DEBUG(D_transport) debug_printf("lock file created\n");
1699 break;
1700 }
1701
1702 /* Check for too many tries at creating the lock file */
1703
1704 if (i >= ob->lock_retries)
1705 {
1706 addr->basic_errno = ERRNO_LOCKFAILED;
1707 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1708 filename);
1709 return FALSE;
1710 }
1711 }
1712
1713
1714 /* We now have to get the file open. First, stat() it and act on existence or
1715 non-existence. This is in a loop to handle the case of a file's being created
1716 or deleted as we watch, and also to handle retries when the locking fails.
1717 Rather than holding the file open while waiting for the fcntl() and/or
1718 flock() lock, we close and do the whole thing again. This should be safer,
1719 especially for NFS files, which might get altered from other hosts, making
1720 their cached sizes incorrect.
1721
1722 With the default settings, no symlinks are permitted, but there is an option
1723 to permit symlinks for those sysadmins that know what they are doing.
1724 Shudder. However, insist that the initial symlink is owned by the right user.
1725 Thus lstat() is used initially; if a symlink is discovered, the loop is
1726 repeated such that stat() is used, to look at the end file. */
1727
1728 for (i = 0; i < ob->lock_retries; i++)
1729 {
1730 int sleep_before_retry = TRUE;
1731 file_opened = FALSE;
1732
1733 if((use_lstat? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1734 {
1735 /* Let's hope that failure to stat (other than non-existence) is a
1736 rare event. */
1737
1738 if (errno != ENOENT)
1739 {
1740 addr->basic_errno = errno;
1741 addr->message = string_sprintf("attempting to stat mailbox %s",
1742 filename);
1743 goto RETURN;
1744 }
1745
1746 /* File does not exist. If it is required to pre-exist this state is an
1747 error. */
1748
1749 if (ob->file_must_exist)
1750 {
1751 addr->basic_errno = errno;
1752 addr->message = string_sprintf("mailbox %s does not exist, "
1753 "but file_must_exist is set", filename);
1754 goto RETURN;
1755 }
1756
1757 /* If not permitted to create this file because it isn't in or below
1758 the home directory, generate an error. */
1759
1760 if (!allow_creation_here)
1761 {
1762 addr->basic_errno = ERRNO_BADCREATE;
1763 addr->message = string_sprintf("mailbox %s does not exist, "
1764 "but creation outside the home directory is not permitted",
1765 filename);
1766 goto RETURN;
1767 }
1768
1769 /* Attempt to create and open the file. If open fails because of
1770 pre-existence, go round the loop again. For any other error, defer the
1771 address, except for an alias or forward generated file name with EPERM,
1772 ENOENT, or EACCES, as those are most likely to be user errors rather
1773 than Exim config errors. When a symbolic link is permitted and points
1774 to a non-existent file, we get here with use_lstat = FALSE. In this case
1775 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1776 consistency and because MBX locking requires it in order to be able to
1777 get a shared lock. */
1778
1779 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1780 (use_lstat? O_EXCL : 0), mode);
1781 if (fd < 0)
1782 {
1783 if (errno == EEXIST) continue;
1784 addr->basic_errno = errno;
1785 addr->message = string_sprintf("while creating mailbox %s",
1786 filename);
1787 if (testflag(addr, af_file) &&
1788 (errno == EPERM || errno == ENOENT || errno == EACCES))
1789 addr->transport_return = FAIL;
1790 goto RETURN;
1791 }
1792
1793 /* We have successfully created and opened the file. Ensure that the group
1794 and the mode are correct. */
1795
1796 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
1797 {
1798 addr->basic_errno = errno;
1799 addr->message = string_sprintf("while setting perms on mailbox %s",
1800 filename);
1801 addr->transport_return = FAIL;
1802 goto RETURN;
1803 }
1804 }
1805
1806
1807 /* The file already exists. Test its type, ownership, and permissions, and
1808 save the inode for checking later. If symlinks are permitted (not the
1809 default or recommended state) it may be a symlink that already exists.
1810 Check its ownership and then look for the file at the end of the link(s).
1811 This at least prevents one user creating a symlink for another user in
1812 a sticky directory. */
1813
1814 else
1815 {
1816 int oldmode = (int)statbuf.st_mode;
1817 ino_t inode = statbuf.st_ino;
1818 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1819
1820 isfifo = FALSE; /* In case things are changing */
1821
1822 /* Check owner if required - the default. */
1823
1824 if (ob->check_owner && statbuf.st_uid != uid)
1825 {
1826 addr->basic_errno = ERRNO_BADUGID;
1827 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1828 "(%ld != %ld)", filename,
1829 islink? " (symlink)" : "",
1830 (long int)(statbuf.st_uid), (long int)uid);
1831 goto RETURN;
1832 }
1833
1834 /* Group is checked only if check_group is set. */
1835
1836 if (ob->check_group && statbuf.st_gid != gid)
1837 {
1838 addr->basic_errno = ERRNO_BADUGID;
1839 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1840 filename, islink? " (symlink)" : "", statbuf.st_gid, gid);
1841 goto RETURN;
1842 }
1843
1844 /* Just in case this is a sticky-bit mail directory, we don't want
1845 users to be able to create hard links to other users' files. */
1846
1847 if (statbuf.st_nlink != 1)
1848 {
1849 addr->basic_errno = ERRNO_NOTREGULAR;
1850 addr->message = string_sprintf("mailbox %s%s has too many links (%d)",
1851 filename, islink? " (symlink)" : "", statbuf.st_nlink);
1852 goto RETURN;
1853
1854 }
1855
1856 /* If symlinks are permitted (not recommended), the lstat() above will
1857 have found the symlink. Its ownership has just been checked; go round
1858 the loop again, using stat() instead of lstat(). That will never yield a
1859 mode of S_IFLNK. */
1860
1861 if (islink && ob->allow_symlink)
1862 {
1863 use_lstat = FALSE;
1864 i--; /* Don't count this time round */
1865 continue;
1866 }
1867
1868 /* An actual file exists. Check that it is a regular file, or FIFO
1869 if permitted. */
1870
1871 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1872
1873 else if ((oldmode & S_IFMT) != S_IFREG)
1874 {
1875 addr->basic_errno = ERRNO_NOTREGULAR;
1876 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1877 filename, ob->allow_fifo? " or named pipe" : "");
1878 goto RETURN;
1879 }
1880
1881 /* If the mode is not what it would be for a newly created file, change
1882 the permissions if the mode is supplied for the address. Otherwise,
1883 reduce but do not extend the permissions. If the newly created
1884 permissions are greater than the existing permissions, don't change
1885 things when the mode is not from the address. */
1886
1887 if ((oldmode = (oldmode & 07777)) != mode)
1888 {
1889 int diffs = oldmode ^ mode;
1890 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1891 {
1892 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1893 if (Uchmod(filename, mode) < 0)
1894 {
1895 addr->basic_errno = errno;
1896 addr->message = string_sprintf("attempting to chmod mailbox %s",
1897 filename);
1898 goto RETURN;
1899 }
1900 oldmode = mode;
1901 }
1902
1903 /* Mode not from address, and newly-created permissions are greater
1904 than existing permissions. Default is to complain, but it can be
1905 configured to go ahead and try to deliver anyway if that's what
1906 the administration wants. */
1907
1908 else if (ob->mode_fail_narrower)
1909 {
1910 addr->basic_errno = ERRNO_BADMODE;
1911 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1912 "(%o expected)", filename, oldmode, mode);
1913 goto RETURN;
1914 }
1915 }
1916
1917 /* We are happy with the existing file. Open it, and then do further
1918 tests to ensure that it is the same file that we were just looking at.
1919 If the file does not now exist, restart this loop, going back to using
1920 lstat again. For an NFS error, just defer; other opening errors are
1921 more serious. The file is opened RDWR so that its format can be checked,
1922 and also MBX locking requires the use of a shared (read) lock. However,
1923 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1924 reading the pipe. */
1925
1926 fd = Uopen(filename, isfifo? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1927 mode);
1928 if (fd < 0)
1929 {
1930 if (errno == ENOENT)
1931 {
1932 use_lstat = TRUE;
1933 continue;
1934 }
1935 addr->basic_errno = errno;
1936 if (isfifo)
1937 {
1938 addr->message = string_sprintf("while opening named pipe %s "
1939 "(could mean no process is reading it)", filename);
1940 }
1941 else if (errno != EWOULDBLOCK)
1942 {
1943 addr->message = string_sprintf("while opening mailbox %s", filename);
1944 }
1945 goto RETURN;
1946 }
1947
1948 /* This fstat really shouldn't fail, as we have an open file! There's a
1949 dilemma here. We use fstat in order to be sure we are peering at the file
1950 we have got open. However, that won't tell us if the file was reached
1951 via a symbolic link. We checked this above, but there is a race exposure
1952 if the link was created between the previous lstat and the open. However,
1953 it would have to be created with the same inode in order to pass the
1954 check below. If ob->allow_symlink is set, causing the use of stat rather
1955 than lstat above, symbolic links may be there anyway, and the checking is
1956 weaker. */
1957
1958 if (fstat(fd, &statbuf) < 0)
1959 {
1960 addr->basic_errno = errno;
1961 addr->message = string_sprintf("attempting to stat open mailbox %s",
1962 filename);
1963 goto RETURN;
1964 }
1965
1966 /* Check the inode; this is isn't a perfect check, but gives some
1967 confidence. */
1968
1969 if (inode != statbuf.st_ino)
1970 {
1971 addr->basic_errno = ERRNO_INODECHANGED;
1972 addr->message = string_sprintf("opened mailbox %s inode number changed "
1973 "from %d to %ld", filename, inode, statbuf.st_ino);
1974 addr->special_action = SPECIAL_FREEZE;
1975 goto RETURN;
1976 }
1977
1978 /* Check it's still a regular file or FIFO, and the uid, gid, and
1979 permissions have not changed. */
1980
1981 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1982 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1983 {
1984 addr->basic_errno = ERRNO_NOTREGULAR;
1985 addr->message =
1986 string_sprintf("opened mailbox %s is no longer a %s", filename,
1987 isfifo? "named pipe" : "regular file");
1988 addr->special_action = SPECIAL_FREEZE;
1989 goto RETURN;
1990 }
1991
1992 if ((ob->check_owner && statbuf.st_uid != uid) ||
1993 (ob->check_group && statbuf.st_gid != gid))
1994 {
1995 addr->basic_errno = ERRNO_BADUGID;
1996 addr->message =
1997 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1998 addr->special_action = SPECIAL_FREEZE;
1999 goto RETURN;
2000 }
2001
2002 if ((statbuf.st_mode & 07777) != oldmode)
2003 {
2004 addr->basic_errno = ERRNO_BADMODE;
2005 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
2006 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
2007 addr->special_action = SPECIAL_FREEZE;
2008 goto RETURN;
2009 }
2010
2011 /* If file_format is set, check that the format of the file has not
2012 changed. Error data is set by the testing function. */
2013
2014 if (ob->file_format != NULL &&
2015 check_file_format(fd, tblock, addr) != tblock)
2016 {
2017 addr->message = US"open mailbox has changed format";
2018 goto RETURN;
2019 }
2020
2021 /* The file is OK. Carry on to do the locking. */
2022 }
2023
2024 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
2025 locking rules if configured to do so. If a lock file is also required, it
2026 was created above and hd was left >= 0. At least one form of locking is
2027 required by the initialization function. If locking fails here, close the
2028 file and go round the loop all over again, after waiting for a bit, unless
2029 blocking locking was used. */
2030
2031 file_opened = TRUE;
2032 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
2033 sleep_before_retry = FALSE;
2034
2035 /* Simple fcntl() and/or flock() locking */
2036
2037 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
2038 {
2039 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2040 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
2041 }
2042
2043 /* MBX locking rules */
2044
2045 #ifdef SUPPORT_MBX
2046 else if (ob->use_mbx_lock)
2047 {
2048 int mbx_tmp_oflags;
2049 struct stat lstatbuf, statbuf2;
2050 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
2051 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
2052 fstat(fd, &statbuf) >= 0)
2053 {
2054 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
2055 (long)statbuf.st_ino);
2056
2057 /*
2058 * 2010-05-29: SECURITY
2059 * Dan Rosenberg reported the presence of a race-condition in the
2060 * original code here. Beware that many systems still allow symlinks
2061 * to be followed in /tmp so an attacker can create a symlink pointing
2062 * elsewhere between a stat and an open, which we should avoid
2063 * following.
2064 *
2065 * It's unfortunate that we can't just use all the heavily debugged
2066 * locking from above.
2067 *
2068 * Also: remember to mirror changes into exim_lock.c */
2069
2070 /* first leave the old pre-check in place, it provides better
2071 * diagnostics for common cases */
2072 if (Ulstat(mbx_lockname, &statbuf) >= 0)
2073 {
2074 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
2075 {
2076 addr->basic_errno = ERRNO_LOCKFAILED;
2077 addr->message = string_sprintf("symbolic link on MBX lock file %s",
2078 mbx_lockname);
2079 goto RETURN;
2080 }
2081 if (statbuf.st_nlink > 1)
2082 {
2083 addr->basic_errno = ERRNO_LOCKFAILED;
2084 addr->message = string_sprintf("hard link to MBX lock file %s",
2085 mbx_lockname);
2086 goto RETURN;
2087 }
2088 }
2089
2090 /* If we could just declare "we must be the ones who create this
2091 * file" then a hitching post in a subdir would work, since a
2092 * subdir directly in /tmp/ which we create wouldn't follow links
2093 * but this isn't our locking logic, so we can't safely change the
2094 * file existence rules. */
2095
2096 /* On systems which support O_NOFOLLOW, it's the easiest and most
2097 * obviously correct security fix */
2098 mbx_tmp_oflags = O_RDWR | O_CREAT;
2099 #ifdef O_NOFOLLOW
2100 mbx_tmp_oflags |= O_NOFOLLOW;
2101 #endif
2102 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
2103 if (mbx_lockfd < 0)
2104 {
2105 addr->basic_errno = ERRNO_LOCKFAILED;
2106 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2107 mbx_lockname, strerror(errno));
2108 goto RETURN;
2109 }
2110
2111 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
2112 {
2113 addr->basic_errno = ERRNO_LOCKFAILED;
2114 addr->message = string_sprintf("attempting to lstat open MBX "
2115 "lock file %s: %s", mbx_lockname, strerror(errno));
2116 goto RETURN;
2117 }
2118 if (fstat(mbx_lockfd, &statbuf2) < 0)
2119 {
2120 addr->basic_errno = ERRNO_LOCKFAILED;
2121 addr->message = string_sprintf("attempting to stat fd of open MBX "
2122 "lock file %s: %s", mbx_lockname, strerror(errno));
2123 goto RETURN;
2124 }
2125
2126 /*
2127 * At this point:
2128 * statbuf: if exists, is file which existed prior to opening the
2129 * lockfile, might have been replaced since then
2130 * statbuf2: result of stat'ing the open fd, is what was actually
2131 * opened
2132 * lstatbuf: result of lstat'ing the filename immediately after
2133 * the open but there's a race condition again between
2134 * those two steps: before open, symlink to foo, after
2135 * open but before lstat have one of:
2136 * * was no symlink, so is the opened file
2137 * (we created it, no messing possible after that point)
2138 * * hardlink to foo
2139 * * symlink elsewhere
2140 * * hardlink elsewhere
2141 * * new file/other
2142 * Don't want to compare to device of /tmp because some modern systems
2143 * have regressed to having /tmp be the safe actual filesystem as
2144 * valuable data, so is mostly worthless, unless we assume that *only*
2145 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2146 * for further consideration.
2147 * No point in doing a readlink on the lockfile as that will always be
2148 * at a different point in time from when we open it, so tells us
2149 * nothing; attempts to clean up and delete after ourselves would risk
2150 * deleting a *third* filename.
2151 */
2152 if ((statbuf2.st_nlink > 1) ||
2153 (lstatbuf.st_nlink > 1) ||
2154 (!S_ISREG(lstatbuf.st_mode)) ||
2155 (lstatbuf.st_dev != statbuf2.st_dev) ||
2156 (lstatbuf.st_ino != statbuf2.st_ino))
2157 {
2158 addr->basic_errno = ERRNO_LOCKFAILED;
2159 addr->message = string_sprintf("RACE CONDITION detected: "
2160 "mismatch post-initial-checks between \"%s\" and opened "
2161 "fd lead us to abort!", mbx_lockname);
2162 goto RETURN;
2163 }
2164
2165 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
2166
2167 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2168 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2169 {
2170 struct stat ostatbuf;
2171
2172 /* This tests for a specific race condition. Ensure that we still
2173 have the same file. */
2174
2175 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2176 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2177 statbuf.st_dev == ostatbuf.st_dev &&
2178 statbuf.st_ino == ostatbuf.st_ino)
2179 break;
2180 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2181 "between creation and locking\n", mbx_lockname);
2182 }
2183
2184 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2185 strerror(errno));
2186 (void)close(mbx_lockfd);
2187 mbx_lockfd = -1;
2188 }
2189 else
2190 {
2191 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2192 filename, strerror(errno));
2193 }
2194 }
2195 #endif /* SUPPORT_MBX */
2196
2197 else break; /* No on-file locking required; break the open/lock loop */
2198
2199 DEBUG(D_transport)
2200 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2201
2202 (void)close(fd);
2203 fd = -1;
2204 use_lstat = TRUE; /* Reset to use lstat first */
2205
2206
2207 /* If a blocking call timed out, break the retry loop if the total time
2208 so far is not less than than retries * interval. Use the larger of the
2209 flock() and fcntl() timeouts. */
2210
2211 if (sigalrm_seen &&
2212 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2213 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2214 ob->lock_retries * ob->lock_interval)
2215 i = ob->lock_retries;
2216
2217 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2218 flock() that caused the problem. */
2219
2220 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2221 }
2222
2223 /* Test for exceeding the maximum number of tries. Either the file remains
2224 locked, or, if we haven't got it open, something is terribly wrong... */
2225
2226 if (i >= ob->lock_retries)
2227 {
2228 if (!file_opened)
2229 {
2230 addr->basic_errno = ERRNO_EXISTRACE;
2231 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2232 addr->special_action = SPECIAL_FREEZE;
2233 }
2234 else
2235 {
2236 addr->basic_errno = ERRNO_LOCKFAILED;
2237 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2238 filename);
2239 }
2240 goto RETURN;
2241 }
2242
2243 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2244
2245 /* Save access time (for subsequent restoration), modification time (for
2246 restoration if updating fails), size of file (for comsat and for re-setting if
2247 delivery fails in the middle - e.g. for quota exceeded). */
2248
2249 if (fstat(fd, &statbuf) < 0)
2250 {
2251 addr->basic_errno = errno;
2252 addr->message = string_sprintf("while fstatting opened mailbox %s",
2253 filename);
2254 goto RETURN;
2255 }
2256
2257 times.actime = statbuf.st_atime;
2258 times.modtime = statbuf.st_mtime;
2259 saved_size = statbuf.st_size;
2260 if (mailbox_size < 0) mailbox_size = saved_size;
2261 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2262 }
2263
2264 /* Prepare for writing to a new file (as opposed to appending to an old one).
2265 There are several different formats, but there is preliminary stuff concerned
2266 with quotas that applies to all of them. Finding the current size by directory
2267 scanning is expensive; for maildirs some fudges have been invented:
2268
2269 (1) A regex can be used to extract a file size from its name;
2270 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2271 mailbox size.
2272 */
2273
2274 else
2275 {
2276 uschar *check_path = path; /* Default quota check path */
2277 const pcre *regex = NULL; /* Regex for file size from file name */
2278
2279 if (!check_creation(string_sprintf("%s/any", path), ob->create_file))
2280 {
2281 addr->basic_errno = ERRNO_BADCREATE;
2282 addr->message = string_sprintf("tried to create file in %s, but "
2283 "file creation outside the home directory is not permitted", path);
2284 goto RETURN;
2285 }
2286
2287 #ifdef SUPPORT_MAILDIR
2288 /* For a maildir delivery, ensure that all the relevant directories exist,
2289 and a maildirfolder file if necessary. */
2290
2291 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
2292 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
2293 return FALSE;
2294 #endif /* SUPPORT_MAILDIR */
2295
2296 /* If we are going to do a quota check, of if maildir_use_size_file is set
2297 for a maildir delivery, compile the regular expression if there is one. We
2298 may also need to adjust the path that is used. We need to do this for
2299 maildir_use_size_file even if the quota is unset, because we still want to
2300 create the file. When maildir support is not compiled,
2301 ob->maildir_use_size_file is always FALSE. */
2302
2303 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2304 {
2305 const uschar *error;
2306 int offset;
2307
2308 /* Compile the regex if there is one. */
2309
2310 if (ob->quota_size_regex != NULL)
2311 {
2312 regex = pcre_compile(CS ob->quota_size_regex, PCRE_COPT,
2313 (const char **)&error, &offset, NULL);
2314 if (regex == NULL)
2315 {
2316 addr->message = string_sprintf("appendfile: regular expression "
2317 "error: %s at offset %d while compiling %s", error, offset,
2318 ob->quota_size_regex);
2319 return FALSE;
2320 }
2321 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2322 ob->quota_size_regex);
2323 }
2324
2325 /* Use an explicitly configured directory if set */
2326
2327 if (ob->quota_directory != NULL)
2328 {
2329 check_path = expand_string(ob->quota_directory);
2330 if (check_path == NULL)
2331 {
2332 addr->transport_return = PANIC;
2333 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2334 "name for %s transport) failed: %s", ob->quota_directory,
2335 tblock->name, expand_string_message);
2336 return FALSE;
2337 }
2338
2339 if (check_path[0] != '/')
2340 {
2341 addr->message = string_sprintf("appendfile: quota_directory name "
2342 "\"%s\" is not absolute", check_path);
2343 addr->basic_errno = ERRNO_NOTABSOLUTE;
2344 return FALSE;
2345 }
2346 }
2347
2348 #ifdef SUPPORT_MAILDIR
2349 /* Otherwise, if we are handling a maildir delivery, and the directory
2350 contains a file called maildirfolder, this is a maildir++ feature telling
2351 us that this is a sub-directory of the real inbox. We should therefore do
2352 the quota check on the parent directory. Beware of the special case when
2353 the directory name itself ends in a slash. */
2354
2355 else if (mbformat == mbf_maildir)
2356 {
2357 struct stat statbuf;
2358 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2359 {
2360 uschar *new_check_path = string_copy(check_path);
2361 uschar *slash = Ustrrchr(new_check_path, '/');
2362 if (slash != NULL)
2363 {
2364 if (slash[1] == 0)
2365 {
2366 *slash = 0;
2367 slash = Ustrrchr(new_check_path, '/');
2368 }
2369 if (slash != NULL)
2370 {
2371 *slash = 0;
2372 check_path = new_check_path;
2373 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2374 "quota check directory changed to %s\n", check_path);
2375 }
2376 }
2377 }
2378 }
2379 #endif /* SUPPORT_MAILDIR */
2380 }
2381
2382 /* If we are using maildirsize files, we need to ensure that such a file
2383 exists and, if necessary, recalculate its contents. As a byproduct of this,
2384 we obtain the current size of the maildir. If no quota is to be enforced
2385 (ob->quota_value == 0), we still need the size if a threshold check will
2386 happen later.
2387
2388 Another regular expression is used to determine which directories inside the
2389 maildir are going to be counted. */
2390
2391 #ifdef SUPPORT_MAILDIR
2392 if (ob->maildir_use_size_file)
2393 {
2394 const pcre *dir_regex = NULL;
2395 const uschar *error;
2396 int offset;
2397
2398 if (ob->maildir_dir_regex != NULL)
2399 {
2400 int check_path_len = Ustrlen(check_path);
2401
2402 dir_regex = pcre_compile(CS ob->maildir_dir_regex, PCRE_COPT,
2403 (const char **)&error, &offset, NULL);
2404 if (dir_regex == NULL)
2405 {
2406 addr->message = string_sprintf("appendfile: regular expression "
2407 "error: %s at offset %d while compiling %s", error, offset,
2408 ob->maildir_dir_regex);
2409 return FALSE;
2410 }
2411
2412 DEBUG(D_transport)
2413 debug_printf("using regex for maildir directory selection: %s\n",
2414 ob->maildir_dir_regex);
2415
2416 /* Check to see if we are delivering into an ignored directory, that is,
2417 if the delivery path starts with the quota check path, and the rest
2418 of the deliver path matches the regex; if so, set a flag to disable quota
2419 checking and maildirsize updating. */
2420
2421 if (Ustrncmp(path, check_path, check_path_len) == 0)
2422 {
2423 uschar *s = path + check_path_len;
2424 while (*s == '/') s++;
2425 s = (*s == 0)? US "new" : string_sprintf("%s/new", s);
2426 if (pcre_exec(dir_regex, NULL, CS s, Ustrlen(s), 0, 0, NULL, 0) < 0)
2427 {
2428 disable_quota = TRUE;
2429 DEBUG(D_transport) debug_printf("delivery directory does not match "
2430 "maildir_quota_directory_regex: disabling quota\n");
2431 }
2432 }
2433 }
2434
2435 /* Quota enforcement; create and check the file. There is some discussion
2436 about whether this should happen if the quota is unset. At present, Exim
2437 always creates the file. If we ever want to change this, uncomment
2438 appropriate lines below, possibly doing a check on some option. */
2439
2440 /* if (???? || ob->quota_value > 0) */
2441
2442 if (!disable_quota)
2443 {
2444 off_t size;
2445 int filecount;
2446
2447 maildirsize_fd = maildir_ensure_sizefile(check_path, ob, regex, dir_regex,
2448 &size, &filecount);
2449
2450 if (maildirsize_fd == -1)
2451 {
2452 addr->basic_errno = errno;
2453 addr->message = string_sprintf("while opening or reading "
2454 "%s/maildirsize", check_path);
2455 return FALSE;
2456 }
2457 /* can also return -2, which means that the file was removed because of
2458 raciness; but in this case, the size & filecount will still have been
2459 updated. */
2460
2461 if (mailbox_size < 0) mailbox_size = size;
2462 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2463 }
2464
2465 /* No quota enforcement; ensure file does *not* exist; calculate size if
2466 needed. */
2467
2468 /* else
2469 * {
2470 * time_t old_latest;
2471 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2472 * if (THRESHOLD_CHECK)
2473 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2474 * regex, dir_regex, FALSE);
2475 * }
2476 */
2477
2478 }
2479 #endif /* SUPPORT_MAILDIR */
2480
2481 /* Otherwise if we are going to do a quota check later on, and the mailbox
2482 size is not set, find the current size of the mailbox. Ditto for the file
2483 count. Note that ob->quota_filecount_value cannot be set without
2484 ob->quota_value being set. */
2485
2486 if (!disable_quota &&
2487 (ob->quota_value > 0 || THRESHOLD_CHECK) &&
2488 (mailbox_size < 0 ||
2489 (mailbox_filecount < 0 && ob->quota_filecount_value > 0)))
2490 {
2491 off_t size;
2492 int filecount = 0;
2493 DEBUG(D_transport)
2494 debug_printf("quota checks on directory %s\n", check_path);
2495 size = check_dir_size(check_path, &filecount, regex);
2496 if (mailbox_size < 0) mailbox_size = size;
2497 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2498 }
2499
2500 /* Handle the case of creating a unique file in a given directory (not in
2501 maildir or mailstore format - this is how smail did it). A temporary name is
2502 used to create the file. Later, when it is written, the name is changed to a
2503 unique one. There is no need to lock the file. An attempt is made to create
2504 the directory if it does not exist. */
2505
2506 if (mbformat == mbf_smail)
2507 {
2508 DEBUG(D_transport)
2509 debug_printf("delivering to new file in %s\n", path);
2510 filename = dataname =
2511 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2512 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2513 if (fd < 0 && /* failed to open, and */
2514 (errno != ENOENT || /* either not non-exist */
2515 !ob->create_directory || /* or not allowed to make */
2516 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2517 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2518 {
2519 addr->basic_errno = errno;
2520 addr->message = string_sprintf("while creating file %s", filename);
2521 return FALSE;
2522 }
2523 }
2524
2525 #ifdef SUPPORT_MAILDIR
2526
2527 /* Handle the case of a unique file in maildir format. The file is written to
2528 the tmp subdirectory, with a prescribed form of name. */
2529
2530 else if (mbformat == mbf_maildir)
2531 {
2532 DEBUG(D_transport)
2533 debug_printf("delivering in maildir format in %s\n", path);
2534
2535 nametag = ob->maildir_tag;
2536
2537 /* Check that nametag expands successfully; a hard failure causes a panic
2538 return. The actual expansion for use happens again later, when
2539 $message_size is accurately known. */
2540
2541 if (nametag != NULL && expand_string(nametag) == NULL &&
2542 !expand_string_forcedfail)
2543 {
2544 addr->transport_return = PANIC;
2545 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2546 "for %s transport) failed: %s", nametag, tblock->name,
2547 expand_string_message);
2548 return FALSE;
2549 }
2550
2551 /* We ensured the existence of all the relevant directories above. Attempt
2552 to open the temporary file a limited number of times. I think this rather
2553 scary-looking for statement is actually OK. If open succeeds, the loop is
2554 broken; if not, there is a test on the value of i. Get the time again
2555 afresh each time round the loop. Its value goes into a variable that is
2556 checked at the end, to make sure we don't release this process until the
2557 clock has ticked. */
2558
2559 for (i = 1;; i++)
2560 {
2561 uschar *basename;
2562
2563 (void)gettimeofday(&msg_tv, NULL);
2564 basename = string_sprintf(TIME_T_FMT ".H%luP%lu.%s",
2565 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
2566
2567 filename = dataname = string_sprintf("tmp/%s", basename);
2568 newname = string_sprintf("new/%s", basename);
2569
2570 if (Ustat(filename, &statbuf) == 0)
2571 errno = EEXIST;
2572 else if (errno == ENOENT)
2573 {
2574 fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode);
2575 if (fd >= 0) break;
2576 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2577 filename, strerror(errno));
2578 }
2579
2580 /* Too many retries - give up */
2581
2582 if (i >= ob->maildir_retries)
2583 {
2584 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2585 filename, i, (i == 1)? "y" : "ies");
2586 addr->basic_errno = errno;
2587 if (errno == errno_quota || errno == ENOSPC)
2588 addr->user_message = US"mailbox is full";
2589 return FALSE;
2590 }
2591
2592 /* Open or stat failed but we haven't tried too many times yet. */
2593
2594 sleep(2);
2595 }
2596
2597 /* Note that we have to ensure the clock has ticked before leaving */
2598
2599 wait_for_tick = TRUE;
2600
2601 /* Why are these here? Put in because they are present in the non-maildir
2602 directory case above. */
2603
2604 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2605 {
2606 addr->basic_errno = errno;
2607 addr->message = string_sprintf("while setting perms on maildir %s",
2608 filename);
2609 return FALSE;
2610 }
2611 }
2612
2613 #endif /* SUPPORT_MAILDIR */
2614
2615 #ifdef SUPPORT_MAILSTORE
2616
2617 /* Handle the case of a unique file in mailstore format. First write the
2618 envelope to a temporary file, then open the main file. The unique base name
2619 for the files consists of the message id plus the pid of this delivery
2620 process. */
2621
2622 else
2623 {
2624 FILE *env_file;
2625 address_item *taddr;
2626 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2627 string_base62((long int)getpid()));
2628
2629 DEBUG(D_transport)
2630 debug_printf("delivering in mailstore format in %s\n", path);
2631
2632 filename = string_sprintf("%s.tmp", mailstore_basename);
2633 newname = string_sprintf("%s.env", mailstore_basename);
2634 dataname = string_sprintf("%s.msg", mailstore_basename);
2635
2636 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2637 if (fd < 0 && /* failed to open, and */
2638 (errno != ENOENT || /* either not non-exist */
2639 !ob->create_directory || /* or not allowed to make */
2640 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2641 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2642 {
2643 addr->basic_errno = errno;
2644 addr->message = string_sprintf("while creating file %s", filename);
2645 return FALSE;
2646 }
2647
2648 /* Why are these here? Put in because they are present in the non-maildir
2649 directory case above. */
2650
2651 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2652 {
2653 addr->basic_errno = errno;
2654 addr->message = string_sprintf("while setting perms on file %s",
2655 filename);
2656 return FALSE;
2657 }
2658
2659 /* Built a C stream from the open file descriptor. */
2660
2661 if ((env_file = fdopen(fd, "wb")) == NULL)
2662 {
2663 addr->basic_errno = errno;
2664 addr->transport_return = PANIC;
2665 addr->message = string_sprintf("fdopen of %s ("
2666 "for %s transport) failed", filename, tblock->name);
2667 (void)close(fd);
2668 Uunlink(filename);
2669 return FALSE;
2670 }
2671
2672 /* Write the envelope file, then close it. */
2673
2674 if (ob->mailstore_prefix != NULL)
2675 {
2676 uschar *s = expand_string(ob->mailstore_prefix);
2677 if (s == NULL)
2678 {
2679 if (!expand_string_forcedfail)
2680 {
2681 addr->transport_return = PANIC;
2682 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2683 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2684 tblock->name, expand_string_message);
2685 (void)fclose(env_file);
2686 Uunlink(filename);
2687 return FALSE;
2688 }
2689 }
2690 else
2691 {
2692 int n = Ustrlen(s);
2693 fprintf(env_file, "%s", CS s);
2694 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2695 }
2696 }
2697
2698 fprintf(env_file, "%s\n", sender_address);
2699
2700 for (taddr = addr; taddr!= NULL; taddr = taddr->next)
2701 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2702
2703 if (ob->mailstore_suffix != NULL)
2704 {
2705 uschar *s = expand_string(ob->mailstore_suffix);
2706 if (s == NULL)
2707 {
2708 if (!expand_string_forcedfail)
2709 {
2710 addr->transport_return = PANIC;
2711 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2712 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2713 tblock->name, expand_string_message);
2714 (void)fclose(env_file);
2715 Uunlink(filename);
2716 return FALSE;
2717 }
2718 }
2719 else
2720 {
2721 int n = Ustrlen(s);
2722 fprintf(env_file, "%s", CS s);
2723 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2724 }
2725 }
2726
2727 if (fclose(env_file) != 0)
2728 {
2729 addr->basic_errno = errno;
2730 addr->message = string_sprintf("while closing %s", filename);
2731 Uunlink(filename);
2732 return FALSE;
2733 }
2734
2735 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2736
2737 /* Now open the data file, and ensure that it has the correct ownership and
2738 mode. */
2739
2740 fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode);
2741 if (fd < 0)
2742 {
2743 addr->basic_errno = errno;
2744 addr->message = string_sprintf("while creating file %s", dataname);
2745 Uunlink(filename);
2746 return FALSE;
2747 }
2748 if(Uchown(dataname, uid, gid) || Uchmod(dataname, mode))
2749 {
2750 addr->basic_errno = errno;
2751 addr->message = string_sprintf("while setting perms on file %s",
2752 dataname);
2753 return FALSE;
2754 }
2755 }
2756
2757 #endif /* SUPPORT_MAILSTORE */
2758
2759
2760 /* In all cases of writing to a new file, ensure that the file which is
2761 going to be renamed has the correct ownership and mode. */
2762
2763 if(Uchown(filename, uid, gid) || Uchmod(filename, mode))
2764 {
2765 addr->basic_errno = errno;
2766 addr->message = string_sprintf("while setting perms on file %s",
2767 filename);
2768 return FALSE;
2769 }
2770 }
2771
2772
2773 /* At last we can write the message to the file, preceded by any configured
2774 prefix line, and followed by any configured suffix line. If there are any
2775 writing errors, we must defer. */
2776
2777 DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2778
2779 yield = OK;
2780 errno = 0;
2781
2782 /* If there is a local quota setting, check that we are not going to exceed it
2783 with this message if quota_is_inclusive is set; if it is not set, the check
2784 is for the mailbox already being over quota (i.e. the current message is not
2785 included in the check). */
2786
2787 if (!disable_quota && ob->quota_value > 0)
2788 {
2789 DEBUG(D_transport)
2790 {
2791 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2792 " this message = %d (%sincluded)\n",
2793 ob->quota_value, mailbox_size, message_size,
2794 ob->quota_is_inclusive? "" : "not ");
2795 debug_printf(" file count quota = %d count = %d\n",
2796 ob->quota_filecount_value, mailbox_filecount);
2797 }
2798
2799 if (mailbox_size + (ob->quota_is_inclusive? message_size:0) > ob->quota_value)
2800 {
2801
2802 if (!ob->quota_no_check)
2803 {
2804 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2805 yield = DEFER;
2806 errno = ERRNO_EXIMQUOTA;
2807 }
2808 else DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2809
2810 }
2811
2812 if (ob->quota_filecount_value > 0
2813 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2814 ob->quota_filecount_value)
2815 if(!ob->quota_filecount_no_check)
2816 {
2817 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2818 yield = DEFER;
2819 errno = ERRNO_EXIMQUOTA;
2820 filecount_msg = US" filecount";
2821 }
2822 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2823 debug_printf("mailbox file count quota exceeded but ignored\n");
2824
2825 }
2826
2827 /* If we are writing in MBX format, what we actually do is to write the message
2828 to a temporary file, and then copy it to the real file once we know its size.
2829 This is the most straightforward way of getting the correct length in the
2830 separator line. So, what we do here is to save the real file descriptor, and
2831 replace it with one for a temporary file. The temporary file gets unlinked once
2832 opened, so that it goes away on closure. */
2833
2834 #ifdef SUPPORT_MBX
2835 if (yield == OK && ob->mbx_format)
2836 {
2837 temp_file = tmpfile();
2838 if (temp_file == NULL)
2839 {
2840 addr->basic_errno = errno;
2841 addr->message = US"while setting up temporary file";
2842 yield = DEFER;
2843 goto RETURN;
2844 }
2845 save_fd = fd;
2846 fd = fileno(temp_file);
2847 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2848 }
2849 #endif /* SUPPORT_MBX */
2850
2851 /* Zero the count of bytes written. It is incremented by the transport_xxx()
2852 functions. */
2853
2854 transport_count = 0;
2855 transport_newlines = 0;
2856
2857 /* Write any configured prefix text first */
2858
2859 if (yield == OK && ob->message_prefix != NULL && ob->message_prefix[0] != 0)
2860 {
2861 uschar *prefix = expand_string(ob->message_prefix);
2862 if (prefix == NULL)
2863 {
2864 errno = ERRNO_EXPANDFAIL;
2865 addr->transport_return = PANIC;
2866 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2867 "transport) failed", ob->message_prefix, tblock->name);
2868 yield = DEFER;
2869 }
2870 else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
2871 }
2872
2873 /* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2874 various different values for batching are handled outside; if there is more
2875 than one address available here, all must be included. If any address is a
2876 file, use its parent in the RCPT TO. */
2877
2878 if (yield == OK && ob->use_bsmtp)
2879 {
2880 transport_count = 0;
2881 transport_newlines = 0;
2882 if (ob->use_crlf) cr = US"\r";
2883 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2884 yield = DEFER;
2885 else
2886 {
2887 address_item *a;
2888 transport_newlines++;
2889 for (a = addr; a != NULL; a = a->next)
2890 {
2891 address_item *b = testflag(a, af_pfr)? a->parent: a;
2892 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2893 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2894 { yield = DEFER; break; }
2895 transport_newlines++;
2896 }
2897 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2898 yield = DEFER;
2899 else
2900 transport_newlines++;
2901 }
2902 }
2903
2904 /* Now the message itself. The options for transport_write_message were set up
2905 at initialization time. */
2906
2907 if (yield == OK)
2908 {
2909 transport_ctx tctx = {
2910 fd,
2911 tblock,
2912 addr,
2913 ob->check_string,
2914 ob->escape_string,
2915 ob->options
2916 };
2917 if (!transport_write_message(&tctx, 0))
2918 yield = DEFER;
2919 }
2920
2921 /* Now a configured suffix. */
2922
2923 if (yield == OK && ob->message_suffix != NULL && ob->message_suffix[0] != 0)
2924 {
2925 uschar *suffix = expand_string(ob->message_suffix);
2926 if (suffix == NULL)
2927 {
2928 errno = ERRNO_EXPANDFAIL;
2929 addr->transport_return = PANIC;
2930 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2931 "transport) failed", ob->message_suffix, tblock->name);
2932 yield = DEFER;
2933 }
2934 else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
2935 }
2936
2937 /* If batch smtp, write the terminating dot. */
2938
2939 if (yield == OK && ob->use_bsmtp ) {
2940 if(!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2941 else transport_newlines++;
2942 }
2943
2944 /* If MBX format is being used, all that writing was to the temporary file.
2945 However, if there was an earlier failure (Exim quota exceeded, for example),
2946 the temporary file won't have got opened - and no writing will have been done.
2947 If writing was OK, we restore the fd, and call a function that copies the
2948 message in MBX format into the real file. Otherwise use the temporary name in
2949 any messages. */
2950
2951 #ifdef SUPPORT_MBX
2952 if (temp_file != NULL && ob->mbx_format)
2953 {
2954 int mbx_save_errno;
2955 fd = save_fd;
2956
2957 if (yield == OK)
2958 {
2959 transport_count = 0; /* Reset transport count for actual write */
2960 /* No need to reset transport_newlines as we're just using a block copy
2961 * routine so the number won't be affected */
2962 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2963 }
2964 else if (errno >= 0) dataname = US"temporary file";
2965
2966 /* Preserve errno while closing the temporary file. */
2967
2968 mbx_save_errno = errno;
2969 (void)fclose(temp_file);
2970 errno = mbx_save_errno;
2971 }
2972 #endif /* SUPPORT_MBX */
2973
2974 /* Force out the remaining data to check for any errors; some OS don't allow
2975 fsync() to be called for a FIFO. */
2976
2977 if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
2978
2979 /* Update message_size and message_linecount to the accurate count of bytes
2980 written, including added headers. Note; we subtract 1 from message_linecount as
2981 this variable doesn't count the new line between the header and the body of the
2982 message. */
2983
2984 message_size = transport_count;
2985 message_linecount = transport_newlines - 1;
2986
2987 /* If using a maildir++ quota file, add this message's size to it, and
2988 close the file descriptor, except when the quota has been disabled because we
2989 are delivering into an uncounted folder. */
2990
2991 #ifdef SUPPORT_MAILDIR
2992 if (!disable_quota)
2993 {
2994 if (yield == OK && maildirsize_fd >= 0)
2995 maildir_record_length(maildirsize_fd, message_size);
2996 maildir_save_errno = errno; /* Preserve errno while closing the file */
2997 if (maildirsize_fd >= 0)
2998 (void)close(maildirsize_fd);
2999 errno = maildir_save_errno;
3000 }
3001 #endif /* SUPPORT_MAILDIR */
3002
3003 /* If there is a quota warning threshold and we are have crossed it with this
3004 message, set the SPECIAL_WARN flag in the address, to cause a warning message
3005 to be sent. */
3006
3007 if (!disable_quota && THRESHOLD_CHECK)
3008 {
3009 off_t threshold = ob->quota_warn_threshold_value;
3010 if (ob->quota_warn_threshold_is_percent)
3011 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
3012 DEBUG(D_transport)
3013 debug_printf("quota = " OFF_T_FMT
3014 " threshold = " OFF_T_FMT
3015 " old size = " OFF_T_FMT
3016 " message size = %d\n",
3017 ob->quota_value, threshold, mailbox_size,
3018 message_size);
3019 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
3020 addr->special_action = SPECIAL_WARN;
3021
3022 /******* You might think that the test ought to be this:
3023 *
3024 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
3025 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
3026 *
3027 * (indeed, I was sent a patch with that in). However, it is possible to
3028 * have a warning threshold without actually imposing a quota, and I have
3029 * therefore kept Exim backwards compatible.
3030 ********/
3031
3032 }
3033
3034 /* Handle error while writing the file. Control should come here directly after
3035 the error, with the reason in errno. In the case of expansion failure in prefix
3036 or suffix, it will be ERRNO_EXPANDFAIL. */
3037
3038 if (yield != OK)
3039 {
3040 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
3041
3042 /* Save the error number. If positive, it will ultimately cause a strerror()
3043 call to generate some text. */
3044
3045 addr->basic_errno = errno;
3046
3047 /* For system or Exim quota excession, or disk full, set more_errno to the
3048 time since the file was last read. If delivery was into a directory, the
3049 time since last read logic is not relevant, in general. However, for maildir
3050 deliveries we can approximate it by looking at the last modified time of the
3051 "new" subdirectory. Since Exim won't be adding new messages, a change to the
3052 "new" subdirectory implies that an MUA has moved a message from there to the
3053 "cur" directory. */
3054
3055 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
3056 {
3057 addr->more_errno = 0;
3058 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
3059
3060 #ifdef SUPPORT_MAILDIR
3061 else if (mbformat == mbf_maildir)
3062 {
3063 struct stat statbuf;
3064 if (Ustat("new", &statbuf) < 0)
3065 {
3066 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
3067 "stat error %d for \"new\": %s\n", errno, strerror(errno));
3068 }
3069 else /* Want a repeatable time when in test harness */
3070 {
3071 addr->more_errno = running_in_test_harness? 10 :
3072 (int)time(NULL) - statbuf.st_mtime;
3073 }
3074 DEBUG(D_transport)
3075 debug_printf("maildir: time since \"new\" directory modified = %s\n",
3076 readconf_printtime(addr->more_errno));
3077 }
3078 #endif /* SUPPORT_MAILDIR */
3079 }
3080
3081 /* Handle system quota excession. Add an explanatory phrase for the error
3082 message, since some systems don't have special quota-excession errors,
3083 and on those that do, "quota" doesn't always mean anything to the user. */
3084
3085 if (errno == errno_quota)
3086 {
3087 #ifndef EDQUOT
3088 addr->message = string_sprintf("mailbox is full "
3089 "(quota exceeded while writing to file %s)", filename);
3090 #else
3091 addr->message = string_sprintf("mailbox is full");
3092 #endif /* EDQUOT */
3093 addr->user_message = US"mailbox is full";
3094 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3095 dataname,
3096 isdirectory? US"" : US": time since file read = ",
3097 isdirectory? US"" : readconf_printtime(addr->more_errno));
3098 }
3099
3100 /* Handle Exim's own quota-imposition */
3101
3102 else if (errno == ERRNO_EXIMQUOTA)
3103 {
3104 addr->message = string_sprintf("mailbox is full "
3105 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3106 dataname);
3107 addr->user_message = US"mailbox is full";
3108 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3109 filecount_msg, dataname,
3110 isdirectory? US"" : US": time since file read = ",
3111 isdirectory? US"" : readconf_printtime(addr->more_errno));
3112 }
3113
3114 /* Handle a process failure while writing via a filter; the return
3115 from child_close() is in more_errno. */
3116
3117 else if (errno == ERRNO_FILTER_FAIL)
3118 {
3119 yield = PANIC;
3120 addr->message = string_sprintf("transport filter process failed (%d) "
3121 "while writing to %s%s", addr->more_errno, dataname,
3122 (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
3123 }
3124
3125 /* Handle failure to expand header changes */
3126
3127 else if (errno == ERRNO_CHHEADER_FAIL)
3128 {
3129 yield = PANIC;
3130 addr->message =
3131 string_sprintf("failed to expand headers_add or headers_remove while "
3132 "writing to %s: %s", dataname, expand_string_message);
3133 }
3134
3135 /* Handle failure to complete writing of a data block */
3136
3137 else if (errno == ERRNO_WRITEINCOMPLETE)
3138 {
3139 addr->message = string_sprintf("failed to write data block while "
3140 "writing to %s", dataname);
3141 }
3142
3143 /* Handle length mismatch on MBX copying */
3144
3145 #ifdef SUPPORT_MBX
3146 else if (errno == ERRNO_MBXLENGTH)
3147 {
3148 addr->message = string_sprintf("length mismatch while copying MBX "
3149 "temporary file to %s", dataname);
3150 }
3151 #endif /* SUPPORT_MBX */
3152
3153 /* For other errors, a general-purpose explanation, if the message is
3154 not already set. */
3155
3156 else if (addr->message == NULL)
3157 addr->message = string_sprintf("error while writing to %s", dataname);
3158
3159 /* For a file, reset the file size to what it was before we started, leaving
3160 the last modification time unchanged, so it will get reset also. All systems
3161 investigated so far have ftruncate(), whereas not all have the F_FREESP
3162 fcntl() call (BSDI & FreeBSD do not). */
3163
3164 if (!isdirectory && ftruncate(fd, saved_size))
3165 DEBUG(D_transport) debug_printf("Error resetting file size\n");
3166 }
3167
3168 /* Handle successful writing - we want the modification time to be now for
3169 appended files. Remove the default backstop error number. For a directory, now
3170 is the time to rename the file with a unique name. As soon as such a name
3171 appears it may get used by another process, so we close the file first and
3172 check that all is well. */
3173
3174 else
3175 {
3176 times.modtime = time(NULL);
3177 addr->basic_errno = 0;
3178
3179 /* Handle the case of writing to a new file in a directory. This applies
3180 to all single-file formats - maildir, mailstore, and "smail format". */
3181
3182 if (isdirectory)
3183 {
3184 if (fstat(fd, &statbuf) < 0)
3185 {
3186 addr->basic_errno = errno;
3187 addr->message = string_sprintf("while fstatting opened message file %s",
3188 filename);
3189 yield = DEFER;
3190 }
3191
3192 else if (close(fd) < 0)
3193 {
3194 addr->basic_errno = errno;
3195 addr->message = string_sprintf("close() error for %s",
3196 (ob->mailstore_format)? dataname : filename);
3197 yield = DEFER;
3198 }
3199
3200 /* File is successfully written and closed. Arrange to rename it. For the
3201 different kinds of single-file delivery, some games can be played with the
3202 name. The message size is by this time set to the accurate value so that
3203 its value can be used in expansions. */
3204
3205 else
3206 {
3207 uschar *renamename = newname;
3208 fd = -1;
3209
3210 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3211
3212 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3213 situation. The name is built by expanding the directory_file option, and
3214 we make the inode number available for use in this. The expansion was
3215 checked for syntactic validity above, before we wrote the file.
3216
3217 We have to be careful here, in case the file name exists. (In the other
3218 cases, the names used are constructed to be unique.) The rename()
3219 function just replaces an existing file - we don't want that! So instead
3220 of calling rename(), we must use link() and unlink().
3221
3222 In this case, if the link fails because of an existing file, we wait
3223 for one second and try the expansion again, to see if it produces a
3224 different value. Do this up to 5 times unless the name stops changing.
3225 This makes it possible to build values that are based on the time, and
3226 still cope with races from multiple simultaneous deliveries. */
3227
3228 if (newname == NULL)
3229 {
3230 int i;
3231 uschar *renameleaf;
3232 uschar *old_renameleaf = US"";
3233
3234 for (i = 0