1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Functions concerned with running Exim as a daemon */
16 /* Structure for holding data for each SMTP connection */
18 typedef struct smtp_slot {
19 pid_t pid; /* pid of the spawned reception process */
20 uschar *host_address; /* address of the client host */
23 /* An empty slot for initializing (Standard C does not allow constructor
24 expressions in assignments except as initializers in declarations). */
26 static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL };
30 /*************************************************
31 * Local static variables *
32 *************************************************/
34 static SIGNAL_BOOL sigchld_seen;
35 static SIGNAL_BOOL sighup_seen;
36 static SIGNAL_BOOL sigterm_seen;
38 static int accept_retry_count = 0;
39 static int accept_retry_errno;
40 static BOOL accept_retry_select_failed;
42 static int queue_run_count = 0;
43 static pid_t *queue_pid_slots = NULL;
44 static smtp_slot *smtp_slots = NULL;
46 static BOOL write_pid = TRUE;
50 /*************************************************
52 *************************************************/
54 /* All this handler does is to set a flag and re-enable the signal.
56 Argument: the signal number
61 sighup_handler(int sig)
64 signal(SIGHUP, sighup_handler);
69 /*************************************************
70 * SIGCHLD handler for main daemon process *
71 *************************************************/
73 /* Don't re-enable the handler here, since we aren't doing the
74 waiting here. If the signal is re-enabled, there will just be an
75 infinite sequence of calls to this handler. The SIGCHLD signal is
76 used just as a means of waking up the daemon so that it notices
77 terminated subprocesses as soon as possible.
79 Argument: the signal number
84 main_sigchld_handler(int sig)
86 os_non_restarting_signal(SIGCHLD, SIG_DFL);
91 /* SIGTERM handler. Try to get the daemon pid file removed
95 main_sigterm_handler(int sig)
103 /*************************************************
104 * Unexpected errors in SMTP calls *
105 *************************************************/
107 /* This function just saves a bit of repetitious coding.
110 log_msg Text of message to be logged
111 smtp_msg Text of SMTP error message
112 was_errno The failing errno
118 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
120 uschar *emsg = was_errno <= 0
121 ? US"" : string_sprintf(": %s", strerror(was_errno));
122 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
123 if (smtp_out) smtp_printf("421 %s\r\n", FALSE, smtp_msg);
129 /*************************************************
130 *************************************************/
132 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
134 unlink_notifier_socket(void)
136 uschar * s = expand_string(notifier_socket);
137 DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", s);
144 close_daemon_sockets(int daemon_notifier_fd,
145 struct pollfd * fd_polls, int listen_socket_count)
147 if (daemon_notifier_fd >= 0)
149 (void) close(daemon_notifier_fd);
150 daemon_notifier_fd = -1;
151 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
152 unlink_notifier_socket();
156 for (int i = 0; i < listen_socket_count; i++) (void) close(fd_polls[i].fd);
160 /*************************************************
161 * Handle a connected SMTP call *
162 *************************************************/
164 /* This function is called when an SMTP connection has been accepted.
165 If there are too many, give an error message and close down. Otherwise
166 spin off a sub-process to handle the call. The list of listening sockets
167 is required so that they can be closed in the sub-process. Take care not to
168 leak store in this process - reset the stacking pool at the end.
171 fd_polls sockets which are listening for incoming calls
172 listen_socket_count count of listening sockets
173 accept_socket socket of the current accepted call
174 accepted socket information about the current call
180 handle_smtp_call(struct pollfd *fd_polls, int listen_socket_count,
181 int accept_socket, struct sockaddr *accepted)
184 union sockaddr_46 interface_sockaddr;
185 EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
186 int dup_accept_socket = -1;
187 int max_for_this_host = 0;
188 int save_log_selector = *log_selector;
191 rmark reset_point = store_mark();
193 /* Make the address available in ASCII representation, and also fish out
196 sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
197 DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
198 sender_host_address, sender_host_port);
200 /* Set up the output stream, check the socket has duplicated, and set up the
201 input stream. These operations fail only the exceptional circumstances. Note
202 that never_error() won't use smtp_out if it is NULL. */
204 if (!(smtp_out = fdopen(accept_socket, "wb")))
206 never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
210 if ((dup_accept_socket = dup(accept_socket)) < 0)
212 never_error(US"daemon: couldn't dup socket descriptor",
213 US"Connection setup failed", errno);
217 if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
219 never_error(US"daemon: fdopen() for smtp_in failed",
220 US"Connection setup failed", errno);
224 /* Get the data for the local interface address. Panic for most errors, but
225 "connection reset by peer" just means the connection went away. */
227 if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
230 log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
231 "getsockname() failed: %s", strerror(errno));
232 smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n", FALSE);
236 interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
237 DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
238 interface_address, interface_port);
240 /* Build a string identifying the remote host and, if requested, the port and
241 the local interface data. This is for logging; at the end of this function the
242 memory is reclaimed. */
244 whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
246 if (LOGGING(incoming_port))
247 whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
249 if (LOGGING(incoming_interface))
250 whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
251 interface_address, interface_port);
253 (void) string_from_gstring(whofrom); /* Terminate the newly-built string */
255 /* Check maximum number of connections. We do not check for reserved
256 connections or unacceptable hosts here. That is done in the subprocess because
257 it might take some time. */
259 if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
261 DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
262 smtp_accept_count, smtp_accept_max);
263 smtp_printf("421 Too many concurrent SMTP connections; "
264 "please try again later.\r\n", FALSE);
265 log_write(L_connection_reject,
266 LOG_MAIN, "Connection from %s refused: too many connections",
271 /* If a load limit above which only reserved hosts are acceptable is defined,
272 get the load average here, and if there are in fact no reserved hosts, do
273 the test right away (saves a fork). If there are hosts, do the check in the
274 subprocess because it might take time. */
276 if (smtp_load_reserve >= 0)
278 load_average = OS_GETLOADAVG();
279 if (!smtp_reserve_hosts && load_average > smtp_load_reserve)
281 DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
282 (double)load_average/1000.0);
283 smtp_printf("421 Too much load; please try again later.\r\n", FALSE);
284 log_write(L_connection_reject,
285 LOG_MAIN, "Connection from %s refused: load average = %.2f",
286 whofrom->s, (double)load_average/1000.0);
291 /* Check that one specific host (strictly, IP address) is not hogging
292 resources. This is done here to prevent a denial of service attack by someone
293 forcing you to fork lots of times before denying service. The value of
294 smtp_accept_max_per_host is a string which is expanded. This makes it possible
295 to provide host-specific limits according to $sender_host address, but because
296 this is in the daemon mainline, only fast expansions (such as inline address
297 checks) should be used. The documentation is full of warnings. */
299 if (smtp_accept_max_per_host)
301 uschar *expanded = expand_string(smtp_accept_max_per_host);
304 if (!f.expand_string_forcedfail)
305 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
306 "failed for %s: %s", whofrom->s, expand_string_message);
308 /* For speed, interpret a decimal number inline here */
311 uschar *s = expanded;
313 max_for_this_host = max_for_this_host * 10 + *s++ - '0';
315 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
316 "for %s contains non-digit: %s", whofrom->s, expanded);
320 /* If we have fewer connections than max_for_this_host, we can skip the tedious
321 per host_address checks. Note that at this stage smtp_accept_count contains the
322 count of *other* connections, not including this one. */
324 if (max_for_this_host > 0 && smtp_accept_count >= max_for_this_host)
326 int host_accept_count = 0;
327 int other_host_count = 0; /* keep a count of non matches to optimise */
329 for (int i = 0; i < smtp_accept_max; ++i)
330 if (smtp_slots[i].host_address)
332 if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
337 /* Testing all these strings is expensive - see if we can drop out
338 early, either by hitting the target, or finding there are not enough
339 connections left to make the target. */
341 if ( host_accept_count >= max_for_this_host
342 || smtp_accept_count - other_host_count < max_for_this_host)
346 if (host_accept_count >= max_for_this_host)
348 DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
349 "IP address: count=%d max=%d\n",
350 host_accept_count, max_for_this_host);
351 smtp_printf("421 Too many concurrent SMTP connections "
352 "from this IP address; please try again later.\r\n", FALSE);
353 log_write(L_connection_reject,
354 LOG_MAIN, "Connection from %s refused: too many connections "
355 "from that IP address", whofrom->s);
361 /* OK, the connection count checks have been passed. Before we can fork the
362 accepting process, we must first log the connection if requested. This logging
363 used to happen in the subprocess, but doing that means that the value of
364 smtp_accept_count can be out of step by the time it is logged. So we have to do
365 the logging here and accept the performance cost. Note that smtp_accept_count
366 hasn't yet been incremented to take account of this connection.
368 In order to minimize the cost (because this is going to happen for every
369 connection), do a preliminary selector test here. This saves ploughing through
370 the generalized logging code each time when the selector is false. If the
371 selector is set, check whether the host is on the list for logging. If not,
372 arrange to unset the selector in the subprocess. */
374 if (LOGGING(smtp_connection))
376 uschar *list = hosts_connection_nolog;
377 memset(sender_host_cache, 0, sizeof(sender_host_cache));
378 if (list && verify_check_host(&list) == OK)
379 save_log_selector &= ~L_smtp_connection;
381 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %s "
382 "(TCP/IP connection count = %d)", whofrom->s, smtp_accept_count + 1);
385 /* Now we can fork the accepting process; do a lookup tidy, just in case any
386 expansion above did a lookup. */
389 pid = exim_fork(US"daemon-accept");
391 /* Handle the child process */
395 int queue_only_reason = 0;
396 int old_pool = store_pool;
397 int save_debug_selector = debug_selector;
398 BOOL local_queue_only;
399 BOOL session_local_queue_only;
401 struct sigaction act;
404 smtp_accept_count++; /* So that it includes this process */
406 /* If the listen backlog was over the monitoring level, log it. */
408 if (smtp_listen_backlog > smtp_backlog_monitor)
409 log_write(0, LOG_MAIN, "listen backlog %d I=[%s]:%d",
410 smtp_listen_backlog, interface_address, interface_port);
412 /* May have been modified for the subprocess */
414 *log_selector = save_log_selector;
416 /* Get the local interface address into permanent store */
418 store_pool = POOL_PERM;
419 interface_address = string_copy(interface_address);
420 store_pool = old_pool;
422 /* Check for a tls-on-connect port */
424 if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
426 /* Expand smtp_active_hostname if required. We do not do this any earlier,
427 because it may depend on the local interface address (indeed, that is most
428 likely what it depends on.) */
430 smtp_active_hostname = primary_hostname;
431 if (raw_active_hostname)
433 uschar * nah = expand_string(raw_active_hostname);
436 if (!f.expand_string_forcedfail)
438 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
439 "(smtp_active_hostname): %s", raw_active_hostname,
440 expand_string_message);
441 smtp_printf("421 Local configuration error; "
442 "please try again later.\r\n", FALSE);
445 exim_underbar_exit(EXIT_FAILURE);
448 else if (*nah) smtp_active_hostname = nah;
451 /* Initialize the queueing flags */
454 session_local_queue_only = queue_only;
456 /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
457 We also attempt to set things up so that children are automatically reaped,
458 but just in case this isn't available, there's a paranoid waitpid() in the
459 loop too (except for systems where we are sure it isn't needed). See the more
460 extensive comment before the reception loop in exim.c for a fuller
461 explanation of this logic. */
463 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
465 /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
466 to be able to communicate with them, under any circumstances. */
467 (void)fcntl(accept_socket, F_SETFD,
468 fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
469 (void)fcntl(dup_accept_socket, F_SETFD,
470 fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
473 act.sa_handler = SIG_IGN;
474 sigemptyset(&(act.sa_mask));
475 act.sa_flags = SA_NOCLDWAIT;
476 sigaction(SIGCHLD, &act, NULL);
478 signal(SIGCHLD, SIG_IGN);
480 signal(SIGTERM, SIG_DFL);
481 signal(SIGINT, SIG_DFL);
483 /* Attempt to get an id from the sending machine via the RFC 1413
484 protocol. We do this in the sub-process in order not to hold up the
485 main process if there is any delay. Then set up the fullhost information
486 in case there is no HELO/EHLO.
488 If debugging is enabled only for the daemon, we must turn if off while
489 finding the id, but turn it on again afterwards so that information about the
490 incoming connection is output. */
492 if (f.debug_daemon) debug_selector = 0;
493 verify_get_ident(IDENT_PORT);
494 host_build_sender_fullhost();
495 debug_selector = save_debug_selector;
498 debug_printf("Process %d is handling incoming connection from %s\n",
499 (int)getpid(), sender_fullhost);
501 /* Now disable debugging permanently if it's required only for the daemon
504 if (f.debug_daemon) debug_selector = 0;
506 /* If there are too many child processes for immediate delivery,
507 set the session_local_queue_only flag, which is initialized from the
508 configured value and may therefore already be TRUE. Leave logging
509 till later so it will have a message id attached. Note that there is no
510 possibility of re-calculating this per-message, because the value of
511 smtp_accept_count does not change in this subprocess. */
513 if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
515 session_local_queue_only = TRUE;
516 queue_only_reason = 1;
519 /* Handle the start of the SMTP session, then loop, accepting incoming
520 messages from the SMTP connection. The end will come at the QUIT command,
521 when smtp_setup_msg() returns 0. A break in the connection causes the
522 process to die (see accept.c).
524 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
525 because a log line has already been written for all its failure exists
526 (usually "connection refused: <reason>") and writing another one is
527 unnecessary clutter. */
529 if (!smtp_start_session())
533 exim_underbar_exit(EXIT_SUCCESS);
539 message_id[0] = 0; /* Clear out any previous message_id */
540 reset_point = store_mark(); /* Save current store high water point */
543 debug_printf("Process %d is ready for new message\n", (int)getpid());
545 /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
546 unacceptable host or if an ACL "drop" command was triggered, -1 on
547 connection lost, and +1 on validly reaching DATA. Receive_msg() almost
548 always returns TRUE when smtp_input is true; just retry if no message was
549 accepted (can happen for invalid message parameters). However, it can yield
550 FALSE if the connection was forcibly dropped by the DATA ACL. */
552 if ((rc = smtp_setup_msg()) > 0)
554 BOOL ok = receive_msg(FALSE);
555 search_tidyup(); /* Close cached databases */
556 if (!ok) /* Connection was dropped */
558 cancel_cutthrough_connection(TRUE, US"receive dropped");
560 smtp_log_no_mail(); /* Log no mail if configured */
561 exim_underbar_exit(EXIT_SUCCESS);
563 if (message_id[0] == 0) continue; /* No message was accepted */
565 else /* bad smtp_setup_msg() */
569 int fd = fileno(smtp_in);
573 /* drain socket, for clean TCP FINs */
574 if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
575 for(int i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
577 cancel_cutthrough_connection(TRUE, US"message setup dropped");
579 smtp_log_no_mail(); /* Log no mail if configured */
581 /*XXX should we pause briefly, hoping that the client will be the
582 active TCP closer hence get the TCP_WAIT endpoint? */
583 DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
584 exim_underbar_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
587 /* Show the recipients when debugging */
592 debug_printf("Sender: %s\n", sender_address);
595 debug_printf("Recipients:\n");
596 for (int i = 0; i < recipients_count; i++)
597 debug_printf(" %s\n", recipients_list[i].address);
601 /* A message has been accepted. Clean up any previous delivery processes
602 that have completed and are defunct, on systems where they don't go away
603 by themselves (see comments when setting SIG_IGN above). On such systems
604 (if any) these delivery processes hang around after termination until
605 the next message is received. */
607 #ifndef SIG_IGN_WORKS
608 while (waitpid(-1, NULL, WNOHANG) > 0);
611 /* Reclaim up the store used in accepting this message */
614 int r = receive_messagecount;
615 BOOL q = f.queue_only_policy;
616 smtp_reset(reset_point);
618 f.queue_only_policy = q;
619 receive_messagecount = r;
622 /* If queue_only is set or if there are too many incoming connections in
623 existence, session_local_queue_only will be TRUE. If it is not, check
624 whether we have received too many messages in this session for immediate
627 if (!session_local_queue_only &&
628 smtp_accept_queue_per_connection > 0 &&
629 receive_messagecount > smtp_accept_queue_per_connection)
631 session_local_queue_only = TRUE;
632 queue_only_reason = 2;
635 /* Initialize local_queue_only from session_local_queue_only. If it is not
636 true, and queue_only_load is set, check that the load average is below it.
637 If local_queue_only is set by this means, we also set if for the session if
638 queue_only_load_latch is true (the default). This means that, once set,
639 local_queue_only remains set for any subsequent messages on the same SMTP
640 connection. This is a deliberate choice; even though the load average may
641 fall, it doesn't seem right to deliver later messages on the same call when
642 not delivering earlier ones. However, the are special circumstances such as
643 very long-lived connections from scanning appliances where this is not the
644 best strategy. In such cases, queue_only_load_latch should be set false. */
646 if ( !(local_queue_only = session_local_queue_only)
647 && queue_only_load >= 0
648 && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
651 queue_only_reason = 3;
652 if (queue_only_load_latch) session_local_queue_only = TRUE;
655 /* Log the queueing here, when it will get a message id attached, but
656 not if queue_only is set (case 0). */
658 if (local_queue_only) switch(queue_only_reason)
660 case 1: log_write(L_delay_delivery,
661 LOG_MAIN, "no immediate delivery: too many connections "
662 "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
665 case 2: log_write(L_delay_delivery,
666 LOG_MAIN, "no immediate delivery: more than %d messages "
667 "received in one connection", smtp_accept_queue_per_connection);
670 case 3: log_write(L_delay_delivery,
671 LOG_MAIN, "no immediate delivery: load average %.2f",
672 (double)load_average/1000.0);
676 /* If a delivery attempt is required, spin off a new process to handle it.
677 If we are not root, we have to re-exec exim unless deliveries are being
678 done unprivileged. */
680 else if ( (!f.queue_only_policy || f.queue_smtp)
681 && !f.deliver_freeze)
685 /* We used to flush smtp_out before forking so that buffered data was not
686 duplicated, but now we want to pipeline the responses for data and quit.
687 Instead, hard-close the fd underlying smtp_out right after fork to discard
690 if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0)
692 (void)fclose(smtp_in);
693 (void)close(fileno(smtp_out));
694 (void)fclose(smtp_out);
695 smtp_in = smtp_out = NULL;
697 /* Don't ever molest the parent's SSL connection, but do clean up
698 the data structures if necessary. */
701 tls_close(NULL, TLS_NO_SHUTDOWN);
704 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
706 signal(SIGHUP, SIG_DFL);
707 signal(SIGCHLD, SIG_DFL);
708 signal(SIGTERM, SIG_DFL);
709 signal(SIGINT, SIG_DFL);
711 if (geteuid() != root_uid && !deliver_drop_privilege)
713 signal(SIGALRM, SIG_DFL);
714 delivery_re_exec(CEE_EXEC_PANIC);
715 /* Control does not return here. */
718 /* No need to re-exec; SIGALRM remains set to the default handler */
720 (void) deliver_message(message_id, FALSE, FALSE);
722 exim_underbar_exit(EXIT_SUCCESS);
727 release_cutthrough_connection(US"passed for delivery");
728 DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
732 cancel_cutthrough_connection(TRUE, US"delivery fork failed");
733 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
734 "failed: %s", strerror(errno));
741 /* Carrying on in the parent daemon process... Can't do much if the fork
742 failed. Otherwise, keep count of the number of accepting processes and
743 remember the pid for ticking off when the child completes. */
746 never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
749 for (int i = 0; i < smtp_accept_max; ++i)
750 if (smtp_slots[i].pid <= 0)
752 smtp_slots[i].pid = pid;
753 /* Connection closes come asyncronously, so we cannot stack this store */
754 if (smtp_accept_max_per_host)
755 smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
759 DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
760 smtp_accept_count, smtp_accept_count == 1 ? "" : "es");
763 /* Get here via goto in error cases */
767 /* Close the streams associated with the socket which will also close the
768 socket fds in this process. We can't do anything if fclose() fails, but
769 logging brings it to someone's attention. However, "connection reset by peer"
770 isn't really a problem, so skip that one. On Solaris, a dropped connection can
771 manifest itself as a broken pipe, so drop that one too. If the streams don't
772 exist, something went wrong while setting things up. Make sure the socket
773 descriptors are closed, in order to drop the connection. */
777 if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
778 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
782 else (void)close(accept_socket);
786 if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
787 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
791 else (void)close(dup_accept_socket);
793 /* Release any store used in this process, including the store used for holding
794 the incoming host address and an expanded active_hostname. */
797 interface_address = sender_host_name = sender_host_address = NULL;
798 store_reset(reset_point);
804 /*************************************************
805 * Check wildcard listen special cases *
806 *************************************************/
808 /* This function is used when binding and listening on lists of addresses and
809 ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
810 sockets may interact in different ways in different operating systems. It is
811 passed an error number, the list of listening addresses, and the current
812 address. Two checks are available: for a previous wildcard IPv6 address, or for
813 a following wildcard IPv4 address, in both cases on the same port.
815 In practice, pairs of wildcard addresses should be adjacent in the address list
816 because they are sorted that way below.
820 addresses the list of addresses
821 ipa the current IP address
822 back if TRUE, check for previous wildcard IPv6 address
823 if FALSE, check for a following wildcard IPv4 address
825 Returns: TRUE or FALSE
829 check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
832 ip_address_item *ipa2;
834 /* For the "back" case, if the failure was "address in use" for a wildcard IPv4
835 address, seek a previous IPv6 wildcard address on the same port. As it is
836 previous, it must have been successfully bound and be listening. Flag it as a
837 "6 including 4" listener. */
841 if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
842 for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
844 if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
846 ipa2->v6_include_v4 = TRUE;
852 /* For the "forward" case, if the current address is a wildcard IPv6 address,
853 we seek a following wildcard IPv4 address on the same port. */
857 if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
858 for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
859 if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
868 /*************************************************
869 * Handle terminating subprocesses *
870 *************************************************/
872 /* Handle the termination of child processes. Theoretically, this need be done
873 only when sigchld_seen is TRUE, but rumour has it that some systems lose
874 SIGCHLD signals at busy times, so to be on the safe side, this function is
875 called each time round. It shouldn't be too expensive.
882 handle_ending_processes(void)
887 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
891 debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
893 if (WIFEXITED(status))
894 debug_printf(" normal exit, %d\n", WEXITSTATUS(status));
895 else if (WIFSIGNALED(status))
896 debug_printf(" signal exit, signal %d%s\n", WTERMSIG(status),
897 WCOREDUMP(status) ? " (core dumped)" : "");
901 /* If it's a listening daemon for which we are keeping track of individual
902 subprocesses, deal with an accepting process that has terminated. */
907 for (i = 0; i < smtp_accept_max; i++)
908 if (smtp_slots[i].pid == pid)
910 if (smtp_slots[i].host_address)
911 store_free(smtp_slots[i].host_address);
912 smtp_slots[i] = empty_smtp_slot;
913 if (--smtp_accept_count < 0) smtp_accept_count = 0;
914 DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
915 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
918 if (i < smtp_accept_max) continue; /* Found an accepting process */
921 /* If it wasn't an accepting process, see if it was a queue-runner
922 process that we are tracking. */
926 int max = atoi(CS expand_string(queue_run_max));
927 for (int i = 0; i < max; i++)
928 if (queue_pid_slots[i] == pid)
930 queue_pid_slots[i] = 0;
931 if (--queue_run_count < 0) queue_run_count = 0;
932 DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
933 queue_run_count, (queue_run_count == 1)? "" : "es");
942 set_pid_file_path(void)
944 if (override_pid_file_path)
945 pid_file_path = override_pid_file_path;
948 pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
950 if (pid_file_path[0] != '/')
951 log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
955 enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
957 /* Do various pid file operations as safe as possible. Ideally we'd just
958 drop the privileges for creation of the pid file and not care at all about removal of
960 Returns: true on success, false + errno==EACCES otherwise
964 operate_on_pid_file(const enum pid_op operation, const pid_t pid)
966 char pid_line[sizeof(int) * 3 + 2];
967 const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
968 BOOL lines_match = FALSE;
969 uschar * path, * base, * dir;
971 const int dir_flags = O_RDONLY | O_NONBLOCK;
972 const int base_flags = O_NOFOLLOW | O_NONBLOCK;
973 const mode_t base_mode = 0644;
975 int cwd_fd = -1, dir_fd = -1, base_fd = -1;
976 BOOL success = FALSE;
980 if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
981 if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
983 path = string_copy(pid_file_path);
984 if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */
985 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
987 dir = base != path ? path : US"/";
990 if (!dir || !*dir || *dir != '/') goto cleanup;
991 if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup;
993 cwd_fd = open(".", dir_flags);
994 if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
995 dir_fd = open(CS dir, dir_flags);
996 if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
999 if (fchdir(dir_fd) != 0) goto cleanup;
1000 base_fd = open(CS base, O_RDONLY | base_flags);
1001 if (fchdir(cwd_fd) != 0)
1002 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1006 char line[sizeof(pid_line)];
1009 if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
1010 if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
1011 if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
1013 len = read(base_fd, line, sizeof(line));
1014 if (len != (ssize_t)sb.st_size) goto cleanup;
1017 if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
1018 if (line[len-1] != '\n') goto cleanup;
1019 lines_match = len == pid_len && strcmp(line, pid_line) == 0;
1022 if (operation == PID_WRITE)
1029 /* emulate unlinkat */
1030 if (fchdir(dir_fd) != 0) goto cleanup;
1031 error = unlink(CS base);
1032 if (fchdir(cwd_fd) != 0)
1033 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1034 if (error) goto cleanup;
1035 (void)close(base_fd);
1038 /* emulate openat */
1039 if (fchdir(dir_fd) != 0) goto cleanup;
1040 base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
1041 if (fchdir(cwd_fd) != 0)
1042 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1043 if (base_fd < 0) goto cleanup;
1044 if (fchmod(base_fd, base_mode) != 0) goto cleanup;
1045 if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
1046 DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
1051 if (!lines_match) goto cleanup;
1052 if (operation == PID_DELETE)
1055 /* emulate unlinkat */
1056 if (fchdir(dir_fd) != 0) goto cleanup;
1057 error = unlink(CS base);
1058 if (fchdir(cwd_fd) != 0)
1059 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1060 if (error) goto cleanup;
1068 if (cwd_fd >= 0) (void)close(cwd_fd);
1069 if (dir_fd >= 0) (void)close(dir_fd);
1070 if (base_fd >= 0) (void)close(base_fd);
1075 /* Remove the daemon's pidfile. Note: runs with root privilege,
1076 as a direct child of the daemon. Does not return. */
1079 delete_pid_file(void)
1081 const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
1084 debug_printf("delete pid file %s %s: %s\n", pid_file_path,
1085 success ? "success" : "failure", strerror(errno));
1087 exim_exit(EXIT_SUCCESS);
1091 /* Called by the daemon; exec a child to get the pid file deleted
1092 since we may require privs for the containing directory */
1099 DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
1100 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
1101 tls_watch_invalidate();
1104 if (daemon_notifier_fd >= 0)
1106 close(daemon_notifier_fd);
1107 daemon_notifier_fd = -1;
1108 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1109 unlink_notifier_socket();
1113 if (f.running_in_test_harness || write_pid)
1115 if ((pid = exim_fork(US"daemon-del-pidfile")) == 0)
1117 if (override_pid_file_path)
1118 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3,
1119 "-oP", override_pid_file_path, "-oPX");
1121 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX");
1123 /* Control never returns here. */
1126 child_close(pid, 1);
1128 exim_exit(EXIT_SUCCESS);
1132 /*************************************************
1133 * Listener socket for local work prompts *
1134 *************************************************/
1137 daemon_client_sockname(struct sockaddr_un * sup, uschar ** sname)
1139 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1140 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1141 return offsetof(struct sockaddr_un, sun_path) + 1
1142 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "exim_%d", getpid());
1144 *sname = string_sprintf("%s/p_%d", spool_directory, getpid());
1145 return offsetof(struct sockaddr_un, sun_path)
1146 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s", sname);
1151 daemon_notifier_sockname(struct sockaddr_un * sup)
1153 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1154 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1155 return offsetof(struct sockaddr_un, sun_path) + 1
1156 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "%s",
1157 expand_string(notifier_socket));
1159 return offsetof(struct sockaddr_un, sun_path)
1160 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s",
1161 expand_string(notifier_socket));
1167 daemon_notifier_socket(void)
1170 const uschar * where;
1171 struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
1174 if (!notifier_socket || !*notifier_socket)
1176 DEBUG(D_any) debug_printf("-oY used so not creating notifier socket\n");
1179 if (override_local_interfaces && !override_pid_file_path)
1182 debug_printf("-oX used without -oP so not creating notifier socket\n");
1186 DEBUG(D_any) debug_printf("creating notifier socket\n");
1189 if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0)
1190 { where = US"socket"; goto bad; }
1192 if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
1193 { where = US"socket"; goto bad; }
1194 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
1197 len = daemon_notifier_sockname(&sa_un);
1199 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1200 DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1);
1201 #else /* filesystem-visible and persistent; will neeed removal */
1202 DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path);
1205 if (bind(fd, (const struct sockaddr *)&sa_un, (socklen_t)len) < 0)
1206 { where = US"bind"; goto bad; }
1208 #ifdef SO_PASSCRED /* Linux */
1209 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
1210 { where = US"SO_PASSCRED"; goto bad2; }
1211 #elif defined(LOCAL_CREDS) /* FreeBSD-ish */
1212 if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
1213 { where = US"LOCAL_CREDS"; goto bad2; }
1216 /* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */
1217 daemon_notifier_fd = fd;
1221 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1222 Uunlink(sa_un.sun_path);
1225 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s",
1226 __FUNCTION__, where, strerror(errno));
1232 static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1];
1234 /* The notifier socket has something to read. Pull the message from it, decode
1237 Return TRUE if a sigalrm should be emulated */
1240 daemon_notification(void)
1242 uschar buf[256], cbuf[256];
1243 struct sockaddr_un sa_un;
1244 struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1};
1245 struct msghdr msg = { .msg_name = &sa_un,
1246 .msg_namelen = sizeof(sa_un),
1249 .msg_control = cbuf,
1250 .msg_controllen = sizeof(cbuf)
1254 buf[sizeof(buf)-1] = 0;
1255 if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return FALSE;
1256 if (sz >= sizeof(buf)) return FALSE;
1259 debug_printf("addrlen %d\n", msg.msg_namelen);
1262 if (msg.msg_namelen > 0)
1263 debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__,
1264 *sa_un.sun_path ? "" : "@",
1265 (int)msg.msg_namelen - (*sa_un.sun_path ? 0 : 1),
1266 sa_un.sun_path + (*sa_un.sun_path ? 0 : 1));
1268 debug_printf("%s (from unknown addr)\n", __FUNCTION__);
1270 /* Refuse to handle the item unless the peer has good credentials */
1271 #ifdef SCM_CREDENTIALS
1272 # define EXIM_SCM_CR_TYPE SCM_CREDENTIALS
1273 #elif defined(LOCAL_CREDS) && defined(SCM_CREDS)
1274 # define EXIM_SCM_CR_TYPE SCM_CREDS
1276 /* The OS has no way to get the creds of the caller (for a unix/datagram socket.
1277 Punt; don't try to check. */
1280 #ifdef EXIM_SCM_CR_TYPE
1281 for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg);
1283 cp = CMSG_NXTHDR(&msg, cp))
1284 if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE)
1286 # ifdef SCM_CREDENTIALS /* Linux */
1287 struct ucred * cr = (struct ucred *) CMSG_DATA(cp);
1288 if (cr->uid && cr->uid != exim_uid)
1290 DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n",
1291 __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid);
1293 # elif defined(LOCAL_CREDS) /* BSD-ish */
1294 struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp);
1295 if (cr->sc_uid && cr->sc_uid != exim_uid)
1297 DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n",
1298 __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid);
1308 #ifndef DISABLE_QUEUE_RAMP
1309 case NOTIFY_MSG_QRUN:
1310 /* this should be a message_id */
1312 debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1);
1313 memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1);
1317 case NOTIFY_QUEUE_SIZE_REQ:
1320 int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
1323 debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf);
1325 if (sendto(daemon_notifier_fd, buf, len, 0,
1326 (const struct sockaddr *)&sa_un, msg.msg_namelen) < 0)
1327 log_write(0, LOG_MAIN|LOG_PANIC,
1328 "%s: sendto: %s\n", __FUNCTION__, strerror(errno));
1333 regex_at_daemon(buf);
1341 /*************************************************
1342 * Exim Daemon Mainline *
1343 *************************************************/
1345 /* The daemon can do two jobs, either of which is optional:
1347 (1) Listens for incoming SMTP calls and spawns off a sub-process to handle
1348 each one. This is requested by the -bd option, with -oX specifying the SMTP
1349 port on which to listen (for testing).
1351 (2) Spawns a queue-running process every so often. This is controlled by the
1352 -q option with a an interval time. (If no time is given, a single queue run
1353 is done from the main function, and control doesn't get here.)
1355 Root privilege is required in order to attach to port 25. Some systems require
1356 it when calling socket() rather than bind(). To cope with all cases, we run as
1357 root for both socket() and bind(). Some systems also require root in order to
1358 write to the pid file directory. This function must therefore be called as root
1359 if it is to work properly in all circumstances. Once the socket is bound and
1360 the pid file written, root privilege is given up if there is an exim uid.
1362 There are no arguments to this function, and it never returns. */
1368 struct pollfd * fd_polls, * tls_watch_poll = NULL, * dnotify_poll = NULL;
1369 int listen_socket_count = 0, poll_fd_count;
1370 ip_address_item * addresses = NULL;
1371 time_t last_connection_time = (time_t)0;
1372 int local_queue_run_max = atoi(CS expand_string(queue_run_max));
1374 process_purpose = US"daemon";
1376 /* If any debugging options are set, turn on the D_pid bit so that all
1377 debugging lines get the pid added. */
1379 DEBUG(D_any|D_v) debug_selector |= D_pid;
1381 /* Allocate enough pollstructs for inetd mode plus the ancillary sockets;
1382 also used when there are no listen sockets. */
1384 fd_polls = store_get(sizeof(struct pollfd) * 3, GET_UNTAINTED);
1386 if (f.inetd_wait_mode)
1388 listen_socket_count = 1;
1390 if (dup2(0, 3) == -1)
1391 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1392 "failed to dup inetd socket safely away: %s", strerror(errno));
1395 fd_polls[0].events = POLLIN;
1401 if (debug_file == stderr)
1403 /* need a call to log_write before call to open debug_file, so that
1404 log.c:file_path has been initialised. This is unfortunate. */
1405 log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
1409 exim_nullstd(); /* re-open fd2 after we just closed it again */
1410 debug_logging_activate(US"-wait", NULL);
1413 DEBUG(D_any) debug_printf("running in inetd wait mode\n");
1415 /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
1416 our own buffering; we assume though that inetd set the socket REUSEADDR. */
1419 if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
1420 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
1425 if (f.inetd_wait_mode || f.daemon_listen)
1427 /* If any option requiring a load average to be available during the
1428 reception of a message is set, call os_getloadavg() while we are root
1429 for those OS for which this is necessary the first time it is called (in
1430 order to perform an "open" on the kernel memory file). */
1432 #ifdef LOAD_AVG_NEEDS_ROOT
1433 if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
1434 (deliver_queue_load_max >= 0 && deliver_drop_privilege))
1435 (void)os_getloadavg();
1440 /* Do the preparation for setting up a listener on one or more interfaces, and
1441 possible on various ports. This is controlled by the combination of
1442 local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
1443 (which is a list of default ports to use for those items in local_interfaces
1444 that do not specify a port). The -oX command line option can be used to
1445 override one or both of these options.
1447 If local_interfaces is not set, the default is to listen on all interfaces.
1448 When it is set, it can include "all IPvx interfaces" as an item. This is useful
1449 when different ports are in use.
1451 It turns out that listening on all interfaces is messy in an IPv6 world,
1452 because several different implementation approaches have been taken. This code
1453 is now supposed to work with all of them. The point of difference is whether an
1454 IPv6 socket that is listening on all interfaces will receive incoming IPv4
1455 calls or not. We also have to cope with the case when IPv6 libraries exist, but
1456 there is no IPv6 support in the kernel.
1458 . On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
1459 addresses. However, if an IPv4 socket is also listening on all interfaces,
1460 calls are directed to the appropriate socket.
1462 . On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
1463 give them as mapped addresses, but an attempt also to listen on an IPv4
1464 socket on all interfaces causes an error.
1466 . On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
1467 two sockets if you want to accept both kinds of call.
1469 . FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
1470 can be turned off, to make it behave like the versions of Linux described
1473 . I heard a report that the USAGI IPv6 stack for Linux has implemented
1476 So, what we do when IPv6 is supported is as follows:
1478 (1) After it is set up, the list of interfaces is scanned for wildcard
1479 addresses. If an IPv6 and an IPv4 wildcard are both found for the same
1480 port, the list is re-arranged so that they are together, with the IPv6
1483 (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
1484 carry on if an IPv4 wildcard socket for the same port follows later in the
1485 list. This allows Exim to carry on in the case when the kernel has no IPv6
1488 (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
1489 option is defined. However, if setting fails, carry on regardless (but log
1492 (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
1495 (5) If binding or listening on an IPv4 wildcard socket fails with the error
1496 EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
1497 port (which must have succeeded or we wouldn't have got this far), we
1498 assume we are in the situation where just a single socket is permitted,
1499 and ignore the error.
1503 The preparation code decodes options and sets up the relevant data. We do this
1504 first, so that we can return non-zero if there are any syntax errors, and also
1507 if (f.daemon_listen && !f.inetd_wait_mode)
1509 int *default_smtp_port;
1513 const uschar * list;
1514 uschar *local_iface_source = US"local_interfaces";
1515 ip_address_item *ipa;
1516 ip_address_item **pipa;
1518 /* If -oX was used, disable the writing of a pid file unless -oP was
1519 explicitly used to force it. Then scan the string given to -oX. Any items
1520 that contain neither a dot nor a colon are used to override daemon_smtp_port.
1521 Any other items are used to override local_interfaces. */
1523 if (override_local_interfaces)
1525 gstring * new_smtp_port = NULL;
1526 gstring * new_local_interfaces = NULL;
1528 if (!override_pid_file_path) write_pid = FALSE;
1530 list = override_local_interfaces;
1532 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1535 gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port;
1541 *gp = string_catn(*gp, US"<", 1);
1544 *gp = string_catn(*gp, joinstr, 2);
1545 *gp = string_cat (*gp, s);
1550 daemon_smtp_port = string_from_gstring(new_smtp_port);
1551 DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n %s\n",
1555 if (new_local_interfaces)
1557 local_interfaces = string_from_gstring(new_local_interfaces);
1558 local_iface_source = US"-oX data";
1559 DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n %s\n",
1564 /* Create a list of default SMTP ports, to be used if local_interfaces
1565 contains entries without explicit ports. First count the number of ports, then
1566 build a translated list in a vector. */
1568 list = daemon_smtp_port;
1570 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1572 default_smtp_port = store_get((pct+1) * sizeof(int), GET_UNTAINTED);
1573 list = daemon_smtp_port;
1576 (s = string_nextinlist(&list, &sep, NULL, 0));
1582 default_smtp_port[pct] = Ustrtol(s, &end, 0);
1583 if (end != s + Ustrlen(s))
1584 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
1588 struct servent *smtp_service = getservbyname(CS s, "tcp");
1590 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1591 default_smtp_port[pct] = ntohs(smtp_service->s_port);
1594 default_smtp_port[pct] = 0;
1596 /* Check the list of TLS-on-connect ports and do name lookups if needed */
1598 list = tls_in.on_connect_ports;
1600 /* the list isn't expanded so cannot be tainted. If it ever is we will trap here */
1601 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1606 list = tls_in.on_connect_ports;
1607 tls_in.on_connect_ports = NULL;
1609 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1613 struct servent * smtp_service = getservbyname(CS s, "tcp");
1615 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1616 s = string_sprintf("%d", (int)ntohs(smtp_service->s_port));
1618 g = string_append_listele(g, ':', s);
1621 tls_in.on_connect_ports = g->s;
1625 /* Create the list of local interfaces, possibly with ports included. This
1626 list may contain references to 0.0.0.0 and ::0 as wildcards. These special
1627 values are converted below. */
1629 addresses = host_build_ifacelist(local_interfaces, local_iface_source);
1631 /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
1632 into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
1633 fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
1634 anyway, but we need to know which are the wildcard addresses, and the shorter
1637 In the same scan, fill in missing port numbers from the default list. When
1638 there is more than one item in the list, extra items are created. */
1640 for (ipa = addresses; ipa; ipa = ipa->next)
1642 if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
1643 ipa->address[0] = 0;
1644 else if (Ustrcmp(ipa->address, "::0") == 0)
1646 ipa->address[0] = ':';
1647 ipa->address[1] = 0;
1650 if (ipa->port > 0) continue;
1652 if (daemon_smtp_port[0] <= 0)
1653 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
1654 "%s and daemon_smtp_port is unset; cannot start daemon",
1655 ipa->address[0] == 0 ? US"\"all IPv4\"" :
1656 ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
1658 ipa->port = default_smtp_port[0];
1659 for (int i = 1; default_smtp_port[i] > 0; i++)
1661 ip_address_item * new = store_get(sizeof(ip_address_item), GET_UNTAINTED);
1663 memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
1664 new->port = default_smtp_port[i];
1665 new->next = ipa->next;
1671 /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
1672 wildcard for the same port, ensure that (a) they are together and (b) the
1673 IPv6 address comes first. This makes handling the messy features easier, and
1674 also simplifies the construction of the "daemon started" log line. */
1677 for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
1679 ip_address_item *ipa2;
1681 /* Handle an IPv4 wildcard */
1683 if (ipa->address[0] == 0)
1684 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1686 ip_address_item *ipa3 = ipa2->next;
1687 if (ipa3->address[0] == ':' &&
1688 ipa3->address[1] == 0 &&
1689 ipa3->port == ipa->port)
1691 ipa2->next = ipa3->next;
1698 /* Handle an IPv6 wildcard. */
1700 else if (ipa->address[0] == ':' && ipa->address[1] == 0)
1701 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1703 ip_address_item *ipa3 = ipa2->next;
1704 if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
1706 ipa2->next = ipa3->next;
1707 ipa3->next = ipa->next;
1715 /* Get a vector to remember all the sockets in.
1716 Two extra elements for the ancillary sockets */
1718 for (ipa = addresses; ipa; ipa = ipa->next)
1719 listen_socket_count++;
1720 fd_polls = store_get(sizeof(struct pollfd) * (listen_socket_count + 2),
1722 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count + 2;
1724 { p->fd = -1; p->events = POLLIN; }
1726 } /* daemon_listen but not inetd_wait_mode */
1728 if (f.daemon_listen)
1731 /* Do a sanity check on the max connects value just to save us from getting
1732 a huge amount of store. */
1734 if (smtp_accept_max > 4095) smtp_accept_max = 4096;
1736 /* There's no point setting smtp_accept_queue unless it is less than the max
1737 connects limit. The configuration reader ensures that the max is set if the
1738 queue-only option is set. */
1740 if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
1742 /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
1743 track of them for total number and queue/host limits. */
1745 if (smtp_accept_max > 0)
1747 smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot), GET_UNTAINTED);
1748 for (int i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
1752 /* The variable background_daemon is always false when debugging, but
1753 can also be forced false in order to keep a non-debugging daemon in the
1754 foreground. If background_daemon is true, close all open file descriptors that
1755 we know about, but then re-open stdin, stdout, and stderr to /dev/null. Also
1756 do this for inetd_wait mode.
1758 This is protection against any called functions (in libraries, or in
1759 Perl, or whatever) that think they can write to stderr (or stdout). Before this
1760 was added, it was quite likely that an SMTP connection would use one of these
1761 file descriptors, in which case writing random stuff to it caused chaos.
1763 Then disconnect from the controlling terminal, Most modern Unixes seem to have
1764 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
1765 setsid() can be #defined as a no-op, or as something else. */
1767 if (f.background_daemon || f.inetd_wait_mode)
1769 log_close_all(); /* Just in case anything was logged earlier */
1770 search_tidyup(); /* Just in case any were used in reading the config. */
1771 (void)close(0); /* Get rid of stdin/stdout/stderr */
1774 exim_nullstd(); /* Connect stdin/stdout/stderr to /dev/null */
1775 log_stderr = NULL; /* So no attempt to copy paniclog output */
1778 if (f.background_daemon)
1780 /* If the parent process of this one has pid == 1, we are re-initializing the
1781 daemon as the result of a SIGHUP. In this case, there is no need to do
1782 anything, because the controlling terminal has long gone. Otherwise, fork, in
1783 case current process is a process group leader (see 'man setsid' for an
1784 explanation) before calling setsid().
1785 All other forks want daemon_listen cleared. Rather than blow a register, jsut
1790 BOOL daemon_listen = f.daemon_listen;
1791 pid_t pid = exim_fork(US"daemon");
1792 if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1793 "fork() failed when starting daemon: %s", strerror(errno));
1794 if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */
1795 (void)setsid(); /* release controlling terminal */
1796 f.daemon_listen = daemon_listen;
1800 /* We are now in the disconnected, daemon process (unless debugging). Set up
1801 the listening sockets if required. */
1803 daemon_notifier_socket();
1805 if (f.daemon_listen && !f.inetd_wait_mode)
1808 ip_address_item *ipa;
1810 /* For each IP address, create a socket, bind it to the appropriate port, and
1811 start listening. See comments above about IPv6 sockets that may or may not
1812 accept IPv4 calls when listening on all interfaces. We also have to cope with
1813 the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
1814 listening, provided a wildcard IPv4 socket for the same port follows. */
1816 for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
1819 ip_address_item * ipa2;
1822 if (Ustrchr(ipa->address, ':') != NULL)
1825 wildcard = ipa->address[1] == 0;
1830 wildcard = ipa->address[0] == 0;
1833 if ((fd_polls[sk].fd = fd = ip_socket(SOCK_STREAM, af)) < 0)
1835 if (check_special_case(0, addresses, ipa, FALSE))
1837 log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
1838 "listening (%s): will use IPv4", strerror(errno));
1841 log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
1842 af == AF_INET6 ? '6' : '4', strerror(errno));
1845 /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
1846 available. Just log failure (can get protocol not available, just like
1847 socket creation can). */
1850 if (af == AF_INET6 && wildcard &&
1851 setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
1852 log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
1853 "socket failed (%s): carrying on without it", strerror(errno));
1854 #endif /* IPV6_V6ONLY */
1856 /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
1857 is being handled. Without this, a connection will prevent reuse of the
1858 smtp port for listening. */
1860 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
1861 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
1862 "failed when starting daemon: %s", strerror(errno));
1864 /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
1865 disable this because it breaks some broken clients. */
1867 if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
1869 /* Now bind the socket to the required port; if Exim is being restarted
1870 it may not always be possible to bind immediately, even with SO_REUSEADDR
1871 set, so try 10 times, waiting between each try. After 10 failures, we give
1872 up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
1873 we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
1874 address for the same port, ignore the error on the grounds that we must be
1875 in a system where the IPv6 socket accepts both kinds of call. This is
1876 necessary for (some release of) USAGI Linux; other IP stacks fail at the
1877 listen() stage instead. */
1880 f.tcp_fastopen_ok = TRUE;
1885 if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break;
1886 if (check_special_case(errno, addresses, ipa, TRUE))
1888 DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
1889 "listen() success; EADDRINUSE ignored\n");
1893 msg = US strerror(errno);
1899 if (daemon_startup_retries <= 0)
1900 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1901 "socket bind() to port %d for address %s failed: %s: "
1902 "daemon abandoned", ipa->port, addr, msg);
1903 log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
1904 "failed: %s: waiting %s before trying again (%d more %s)",
1905 ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
1906 daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
1907 daemon_startup_retries--;
1908 sleep(daemon_startup_sleep);
1913 debug_printf("listening on all interfaces (IPv%c) port %d\n",
1914 af == AF_INET6 ? '6' : '4', ipa->port);
1916 debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
1918 /* Start listening on the bound socket, establishing the maximum backlog of
1919 connections that is allowed. On success, add to the set of sockets for select
1920 and continue to the next address. */
1922 #if defined(TCP_FASTOPEN) && !defined(__APPLE__)
1923 if ( f.tcp_fastopen_ok
1924 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN,
1925 &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
1927 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1928 f.tcp_fastopen_ok = FALSE;
1931 if (listen(fd, smtp_connect_backlog) >= 0)
1933 #if defined(TCP_FASTOPEN) && defined(__APPLE__)
1934 if ( f.tcp_fastopen_ok
1935 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)))
1937 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1938 f.tcp_fastopen_ok = FALSE;
1941 fd_polls[sk].fd = fd;
1945 /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
1946 fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
1947 and there was a previous successful IPv6 wildcard listen on the same port,
1948 we want to ignore the error on the grounds that we must be in a system
1949 where the IPv6 socket accepts both kinds of call. */
1951 if (!check_special_case(errno, addresses, ipa, TRUE))
1952 log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
1954 ? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
1957 DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
1958 "listen() success; EADDRINUSE ignored\n");
1961 /* Come here if there has been a problem with the socket which we
1962 are going to ignore. We remove the address from the chain, and back up the
1966 sk--; /* Back up the count */
1967 listen_socket_count--; /* Reduce the total */
1968 if (ipa == addresses) addresses = ipa->next; else
1970 for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
1971 ipa2->next = ipa->next;
1974 } /* End of bind/listen loop for each address */
1975 } /* End of setup for listening */
1978 /* If we are not listening, we want to write a pid file only if -oP was
1979 explicitly given. */
1981 else if (!override_pid_file_path)
1984 /* Write the pid to a known file for assistance in identification, if required.
1985 We do this before giving up root privilege, because on some systems it is
1986 necessary to be root in order to write into the pid file directory. There's
1987 nothing to stop multiple daemons running, as long as no more than one listens
1988 on a given TCP/IP port on the same interface(s). However, in these
1989 circumstances it gets far too complicated to mess with pid file names
1990 automatically. Consequently, Exim 4 writes a pid file only
1992 (a) When running in the test harness, or
1993 (b) When -bd is used and -oX is not used, or
1994 (c) When -oP is used to supply a path.
1996 The variable daemon_write_pid is used to control this. */
1998 if (f.running_in_test_harness || write_pid)
2000 const enum pid_op operation = (f.running_in_test_harness
2001 || real_uid == root_uid
2002 || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
2003 if (!operate_on_pid_file(operation, getpid()))
2004 DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
2007 /* Set up the handler for SIGHUP, which causes a restart of the daemon. */
2009 sighup_seen = FALSE;
2010 signal(SIGHUP, sighup_handler);
2012 /* Give up root privilege at this point (assuming that exim_uid and exim_gid
2013 are not root). The third argument controls the running of initgroups().
2014 Normally we do this, in order to set up the groups for the Exim user. However,
2015 if we are not root at this time - some odd installations run that way - we
2018 exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
2020 /* Update the originator_xxx fields so that received messages as listed as
2021 coming from Exim, not whoever started the daemon. */
2023 originator_uid = exim_uid;
2024 originator_gid = exim_gid;
2025 originator_login = (pw = getpwuid(exim_uid))
2026 ? string_copy_perm(US pw->pw_name, FALSE) : US"exim";
2028 /* Get somewhere to keep the list of queue-runner pids if we are keeping track
2029 of them (and also if we are doing queue runs). */
2031 if (queue_interval > 0 && local_queue_run_max > 0)
2033 queue_pid_slots = store_get(local_queue_run_max * sizeof(pid_t), GET_UNTAINTED);
2034 for (int i = 0; i < local_queue_run_max; i++) queue_pid_slots[i] = 0;
2037 /* Set up the handler for termination of child processes, and the one
2038 telling us to die. */
2040 sigchld_seen = FALSE;
2041 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2043 sigterm_seen = FALSE;
2044 os_non_restarting_signal(SIGTERM, main_sigterm_handler);
2045 os_non_restarting_signal(SIGINT, main_sigterm_handler);
2047 /* If we are to run the queue periodically, pretend the alarm has just gone
2048 off. This will cause the first queue-runner to get kicked off straight away. */
2050 sigalrm_seen = (queue_interval > 0);
2052 /* Log the start up of a daemon - at least one of listening or queue running
2055 if (f.inetd_wait_mode)
2057 uschar *p = big_buffer;
2059 if (inetd_wait_timeout >= 0)
2060 sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
2062 sprintf(CS p, "with no wait timeout");
2064 log_write(0, LOG_MAIN,
2065 "exim %s daemon started: pid=%d, launched with listening socket, %s",
2066 version_string, getpid(), big_buffer);
2067 set_process_info("daemon(%s): pre-listening socket", version_string);
2069 /* set up the timeout logic */
2070 sigalrm_seen = TRUE;
2073 else if (f.daemon_listen)
2076 int smtps_ports = 0;
2077 ip_address_item * ipa;
2079 uschar * qinfo = queue_interval > 0
2080 ? string_sprintf("-q%s%s",
2081 f.queue_2stage ? "q" : "", readconf_printtime(queue_interval))
2082 : US"no queue runs";
2084 /* Build a list of listening addresses in big_buffer, but limit it to 10
2085 items. The style is for backwards compatibility.
2087 It is now possible to have some ports listening for SMTPS (the old,
2088 deprecated protocol that starts TLS without using STARTTLS), and others
2089 listening for standard SMTP. Keep their listings separate. */
2091 for (int j = 0, i; j < 2; j++)
2093 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2095 /* First time round, look for SMTP ports; second time round, look for
2096 SMTPS ports. Build IP+port strings. */
2098 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2105 /* Now the information about the port (and sometimes interface) */
2107 if (ipa->address[0] == ':' && ipa->address[1] == 0)
2109 if (ipa->next && ipa->next->address[0] == 0 &&
2110 ipa->next->port == ipa->port)
2112 ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
2113 (ipa = ipa->next)->log = NULL;
2115 else if (ipa->v6_include_v4)
2116 ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
2118 ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
2120 else if (ipa->address[0] == 0) /* v4 wildcard */
2121 ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
2122 else /* check for previously-seen IP */
2124 ip_address_item * i2;
2125 for (i2 = addresses; i2 != ipa; i2 = i2->next)
2126 if ( host_is_tls_on_connect_port(i2->port) == (j > 0)
2127 && Ustrcmp(ipa->address, i2->address) == 0
2129 { /* found; append port to list */
2130 for (p = i2->log; *p; ) p++; /* end of existing string */
2131 if (*--p == '}') *p = '\0'; /* drop EOL */
2132 while (isdigit(*--p)) ; /* char before port */
2134 i2->log = *p == ':' /* no list yet? { */
2135 ? string_sprintf("%.*s{%s,%d}",
2136 (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
2137 : string_sprintf("%s,%d}", i2->log, ipa->port);
2141 if (i2 == ipa) /* first-time IP */
2142 ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
2149 for (int j = 0, i; j < 2; j++)
2151 /* First time round, look for SMTP ports; second time round, look for
2152 SMTPS ports. For the first one of each, insert leading text. */
2157 p += sprintf(CS p, "SMTP on");
2160 if (smtps_ports > 0)
2161 p += sprintf(CS p, "%sSMTPS on",
2162 smtp_ports == 0 ? "" : " and for ");
2164 /* Now the information about the port (and sometimes interface) */
2166 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2167 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2169 p += sprintf(CS p, "%s", ipa->log);
2172 p += sprintf(CS p, " ...");
2175 log_write(0, LOG_MAIN,
2176 "exim %s daemon started: pid=%d, %s, listening for %s",
2177 version_string, getpid(), qinfo, big_buffer);
2178 set_process_info("daemon(%s): %s, listening for %s",
2179 version_string, qinfo, big_buffer);
2184 uschar * s = *queue_name
2185 ? string_sprintf("-qG%s/%s", queue_name, readconf_printtime(queue_interval))
2186 : string_sprintf("-q%s", readconf_printtime(queue_interval));
2187 log_write(0, LOG_MAIN,
2188 "exim %s daemon started: pid=%d, %s, not listening for SMTP",
2189 version_string, getpid(), s);
2190 set_process_info("daemon(%s): %s, not listening", version_string, s);
2193 /* Do any work it might be useful to amortize over our children
2194 (eg: compile regex) */
2197 smtp_deliver_init(); /* Used for callouts */
2199 #ifndef DISABLE_DKIM
2201 # ifdef MEASURE_TIMING
2203 gettimeofday(&t0, NULL);
2206 # ifdef MEASURE_TIMING
2207 report_time_since(&t0, US"dkim_exim_init (delta)");
2212 #ifdef WITH_CONTENT_SCAN
2222 /* Add ancillary sockets to the set for select */
2224 poll_fd_count = listen_socket_count;
2226 if (tls_watch_fd >= 0)
2228 tls_watch_poll = &fd_polls[poll_fd_count++];
2229 tls_watch_poll->fd = tls_watch_fd;
2230 tls_watch_poll->events = POLLIN;
2233 if (daemon_notifier_fd >= 0)
2235 dnotify_poll = &fd_polls[poll_fd_count++];
2236 dnotify_poll->fd = daemon_notifier_fd;
2237 dnotify_poll->events = POLLIN;
2240 /* Close the log so it can be renamed and moved. In the few cases below where
2241 this long-running process writes to the log (always exceptional conditions), it
2242 closes the log afterwards, for the same reason. */
2246 DEBUG(D_any) debug_print_ids(US"daemon running with");
2248 /* Any messages accepted via this route are going to be SMTP. */
2252 #ifdef MEASURE_TIMING
2253 report_time_since(×tamp_startup, US"daemon loop start"); /* testcase 0022 */
2256 /* Enter the never-ending loop... */
2263 daemon_die(); /* Does not return */
2265 /* This code is placed first in the loop, so that it gets obeyed at the
2266 start, before the first wait, for the queue-runner case, so that the first
2267 one can be started immediately.
2269 The other option is that we have an inetd wait timeout specified to -bw. */
2273 if (inetd_wait_timeout > 0)
2275 time_t resignal_interval = inetd_wait_timeout;
2277 if (last_connection_time == (time_t)0)
2280 debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
2284 time_t now = time(NULL);
2285 if (now == (time_t)-1)
2287 DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
2291 if ((now - last_connection_time) >= inetd_wait_timeout)
2294 debug_printf("inetd wait timeout %d expired, ending daemon\n",
2295 inetd_wait_timeout);
2296 log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
2302 resignal_interval -= (now - last_connection_time);
2307 sigalrm_seen = FALSE;
2308 ALARM(resignal_interval);
2313 DEBUG(D_any) debug_printf("%s received\n",
2314 #ifndef DISABLE_QUEUE_RAMP
2315 *queuerun_msgid ? "qrun notification" :
2319 /* Do a full queue run in a child process, if required, unless we already
2320 have enough queue runners on the go. If we are not running as root, a
2321 re-exec is required. */
2323 if ( queue_interval > 0
2324 && (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max))
2326 if ((pid = exim_fork(US"queue-runner")) == 0)
2328 /* Disable debugging if it's required only for the daemon process. We
2329 leave the above message, because it ties up with the "child ended"
2330 debugging messages. */
2332 if (f.debug_daemon) debug_selector = 0;
2334 /* Close any open listening sockets in the child */
2336 close_daemon_sockets(daemon_notifier_fd,
2337 fd_polls, listen_socket_count);
2339 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
2341 signal(SIGHUP, SIG_DFL);
2342 signal(SIGCHLD, SIG_DFL);
2343 signal(SIGTERM, SIG_DFL);
2344 signal(SIGINT, SIG_DFL);
2346 /* Re-exec if privilege has been given up, unless deliver_drop_
2347 privilege is set. Reset SIGALRM before exec(). */
2349 if (geteuid() != root_uid && !deliver_drop_privilege)
2356 signal(SIGALRM, SIG_DFL);
2360 #ifndef DISABLE_QUEUE_RAMP
2364 if (f.queue_run_first_delivery) *p++ = 'i';
2365 if (f.queue_run_force) *p++ = 'f';
2366 if (f.deliver_force_thaw) *p++ = 'f';
2367 if (f.queue_run_local) *p++ = 'l';
2369 extra[0] = *queue_name
2370 ? string_sprintf("%sG%s", opt, queue_name) : opt;
2372 #ifndef DISABLE_QUEUE_RAMP
2373 if (*queuerun_msgid)
2375 log_write(0, LOG_MAIN, "notify triggered queue run");
2376 extra[extracount++] = queuerun_msgid; /* Trigger only the */
2377 extra[extracount++] = queuerun_msgid; /* one message */
2381 /* If -R or -S were on the original command line, ensure they get
2384 if (deliver_selectstring)
2386 extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
2387 extra[extracount++] = deliver_selectstring;
2390 if (deliver_selectstring_sender)
2392 extra[extracount++] = f.deliver_selectstring_sender_regex
2394 extra[extracount++] = deliver_selectstring_sender;
2397 /* Overlay this process with a new execution. */
2399 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount,
2400 extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]);
2402 /* Control never returns here. */
2405 /* No need to re-exec; SIGALRM remains set to the default handler */
2407 #ifndef DISABLE_QUEUE_RAMP
2408 if (*queuerun_msgid)
2410 log_write(0, LOG_MAIN, "notify triggered queue run");
2411 f.queue_2stage = FALSE;
2412 queue_run(queuerun_msgid, queuerun_msgid, FALSE);
2416 queue_run(NULL, NULL, FALSE);
2417 exim_underbar_exit(EXIT_SUCCESS);
2422 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
2423 "process failed: %s", strerror(errno));
2428 for (int i = 0; i < local_queue_run_max; ++i)
2429 if (queue_pid_slots[i] <= 0)
2431 queue_pid_slots[i] = pid;
2435 DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
2436 queue_run_count, queue_run_count == 1 ? "" : "es");
2440 /* Reset the alarm clock */
2442 sigalrm_seen = FALSE;
2443 #ifndef DISABLE_QUEUE_RAMP
2444 if (*queuerun_msgid)
2445 *queuerun_msgid = 0;
2448 ALARM(queue_interval);
2451 } /* sigalrm_seen */
2454 /* Sleep till a connection happens if listening, and handle the connection if
2455 that is why we woke up. The FreeBSD operating system requires the use of
2456 select() before accept() because the latter function is not interrupted by
2457 a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
2458 OS do notice signals in accept() but it does no harm to have the select()
2459 in for all of them - and it won't then be a lurking problem for ports to
2460 new OS. In fact, the later addition of listening on specific interfaces only
2461 requires this way of working anyway. */
2463 if (f.daemon_listen)
2466 BOOL select_failed = FALSE;
2468 DEBUG(D_any) debug_printf("Listening...\n");
2470 /* In rare cases we may have had a SIGCHLD signal in the time between
2471 setting the handler (below) and getting back here. If so, pretend that the
2472 select() was interrupted so that we reap the child. This might still leave
2473 a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
2474 only to do the reaping more quickly, it shouldn't result in anything other
2475 than a delay until something else causes a wake-up. */
2483 lcount = poll(fd_polls, poll_fd_count, -1);
2487 select_failed = TRUE;
2491 /* Clean up any subprocesses that may have terminated. We need to do this
2492 here so that smtp_accept_max_per_host works when a connection to that host
2493 has completed, and we are about to accept a new one. When this code was
2494 later in the sequence, a new connection could be rejected, even though an
2495 old one had just finished. Preserve the errno from any select() failure for
2496 the use of the common select/accept error processing below. */
2499 int select_errno = errno;
2500 handle_ending_processes();
2505 /* Create or rotate any required keys; handle (delayed) filewatch event */
2507 if ((old_tfd = tls_daemon_tick()) >= 0)
2508 for (struct pollfd * p = &fd_polls[listen_socket_count];
2509 p < fd_polls + poll_fd_count; p++)
2510 if (p->fd == old_tfd) { p->fd = tls_watch_fd ; break; }
2513 errno = select_errno;
2516 /* Loop for all the sockets that are currently ready to go. If select
2517 actually failed, we have set the count to 1 and select_failed=TRUE, so as
2518 to use the common error code for select/accept below. */
2520 while (lcount-- > 0)
2522 int accept_socket = -1;
2524 struct sockaddr_in6 accepted;
2526 struct sockaddr_in accepted;
2531 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
2532 if (tls_watch_poll && tls_watch_poll->revents & POLLIN)
2534 tls_watch_poll->revents = 0;
2535 tls_watch_trigger_time = time(NULL); /* Set up delayed event */
2536 tls_watch_discard_event(tls_watch_fd);
2537 break; /* to top of daemon loop */
2540 if (dnotify_poll && dnotify_poll->revents & POLLIN)
2542 dnotify_poll->revents = 0;
2543 sigalrm_seen = daemon_notification();
2544 break; /* to top of daemon loop */
2546 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count;
2548 if (p->revents & POLLIN)
2550 EXIM_SOCKLEN_T alen = sizeof(accepted);
2553 socklen_t tlen = sizeof(ti);
2555 /* If monitoring the backlog is wanted, grab for later logging */
2557 smtp_listen_backlog = 0;
2558 if ( smtp_backlog_monitor > 0
2559 && getsockopt(p->fd, IPPROTO_TCP, TCP_INFO, &ti, &tlen) == 0)
2561 # ifdef EXIM_HAVE_TCPI_UNACKED
2562 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2563 p->fd, ti.tcpi_sacked, ti.tcpi_unacked);
2564 smtp_listen_backlog = ti.tcpi_unacked;
2565 # elif defined(__FreeBSD__) /* This does not work. Investigate kernel sourcecode. */
2566 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2567 p->fd, ti.__tcpi_sacked, ti.__tcpi_unacked);
2568 smtp_listen_backlog = ti.__tcpi_unacked;
2573 accept_socket = accept(p->fd, (struct sockaddr *)&accepted, &alen);
2578 /* If select or accept has failed and this was not caused by an
2579 interruption, log the incident and try again. With asymmetric TCP/IP
2580 routing errors such as "No route to network" have been seen here. Also
2581 "connection reset by peer" has been seen. These cannot be classed as
2582 disastrous errors, but they could fill up a lot of log. The code in smail
2583 crashes the daemon after 10 successive failures of accept, on the grounds
2584 that some OS fail continuously. Exim originally followed suit, but this
2585 appears to have caused problems. Now it just keeps going, but instead of
2586 logging each error, it batches them up when they are continuous. */
2588 if (accept_socket < 0 && errno != EINTR)
2590 if (accept_retry_count == 0)
2592 accept_retry_errno = errno;
2593 accept_retry_select_failed = select_failed;
2595 else if ( errno != accept_retry_errno
2596 || select_failed != accept_retry_select_failed
2597 || accept_retry_count >= 50)
2599 log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
2600 "%d %s() failure%s: %s",
2602 accept_retry_select_failed ? "select" : "accept",
2603 accept_retry_count == 1 ? "" : "s",
2604 strerror(accept_retry_errno));
2606 accept_retry_count = 0;
2607 accept_retry_errno = errno;
2608 accept_retry_select_failed = select_failed;
2610 accept_retry_count++;
2612 else if (accept_retry_count > 0)
2614 log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
2616 accept_retry_select_failed ? "select" : "accept",
2617 accept_retry_count == 1 ? "" : "s",
2618 strerror(accept_retry_errno));
2620 accept_retry_count = 0;
2623 /* If select/accept succeeded, deal with the connection. */
2625 if (accept_socket >= 0)
2627 #ifdef TCP_QUICKACK /* Avoid pure-ACKs while in tls protocol pingpong phase */
2628 /* Unfortunately we cannot be certain to do this before a TLS-on-connect
2629 Client Hello arrives and is acked. We do it as early as possible. */
2630 (void) setsockopt(accept_socket, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
2632 if (inetd_wait_timeout)
2633 last_connection_time = time(NULL);
2634 handle_smtp_call(fd_polls, listen_socket_count, accept_socket,
2635 (struct sockaddr *)&accepted);
2640 /* If not listening, then just sleep for the queue interval. If we woke
2641 up early the last time for some other signal, it won't matter because
2642 the alarm signal will wake at the right time. This code originally used
2643 sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
2644 rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
2645 select() can be used as an interruptible sleep() on all versions of Unix. */
2650 poll(&p, 0, queue_interval * 1000);
2651 handle_ending_processes();
2654 /* Re-enable the SIGCHLD handler if it has been run. It can't do it
2655 for itself, because it isn't doing the waiting itself. */
2659 sigchld_seen = FALSE;
2660 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2663 /* Handle being woken by SIGHUP. We know at this point that the result
2664 of accept() has been dealt with, so we can re-exec exim safely, first
2665 closing the listening sockets so that they can be reused. Cancel any pending
2666 alarm in case it is just about to go off, and set SIGHUP to be ignored so
2667 that another HUP in quick succession doesn't clobber the new daemon before it
2668 gets going. All log files get closed by the close-on-exec flag; however, if
2669 the exec fails, we need to close the logs. */
2673 log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
2675 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
2677 signal(SIGHUP, SIG_IGN);
2678 sighup_argv[0] = exim_path;
2680 execv(CS exim_path, (char *const *)sighup_argv);
2681 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
2682 getpid(), exim_path, strerror(errno));
2686 } /* End of main loop */
2688 /* Control never reaches here */
2693 /* End of exim_daemon.c */
git://git.exim.org / exim.git / blob