1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2012 */
6 /* See the file NOTICE for conditions of use and distribution. */
9 /* The main function: entry point, initialization, and high-level control.
10 Also a few functions that don't naturally fit elsewhere. */
15 extern void init_lookup_list(void);
19 /*************************************************
20 * Function interface to store functions *
21 *************************************************/
23 /* We need some real functions to pass to the PCRE regular expression library
24 for store allocation via Exim's store manager. The normal calls are actually
25 macros that pass over location information to make tracing easier. These
26 functions just interface to the standard macro calls. A good compiler will
27 optimize out the tail recursion and so not make them too expensive. There
28 are two sets of functions; one for use when we want to retain the compiled
29 regular expression for a long time; the other for short-term use. */
32 function_store_get(size_t size)
34 return store_get((int)size);
38 function_dummy_free(void *block) { block = block; }
41 function_store_malloc(size_t size)
43 return store_malloc((int)size);
47 function_store_free(void *block)
55 /*************************************************
56 * Compile regular expression and panic on fail *
57 *************************************************/
59 /* This function is called when failure to compile a regular expression leads
60 to a panic exit. In other cases, pcre_compile() is called directly. In many
61 cases where this function is used, the results of the compilation are to be
62 placed in long-lived store, so we temporarily reset the store management
63 functions that PCRE uses if the use_malloc flag is set.
66 pattern the pattern to compile
67 caseless TRUE if caseless matching is required
68 use_malloc TRUE if compile into malloc store
70 Returns: pointer to the compiled pattern
74 regex_must_compile(uschar *pattern, BOOL caseless, BOOL use_malloc)
77 int options = PCRE_COPT;
82 pcre_malloc = function_store_malloc;
83 pcre_free = function_store_free;
85 if (caseless) options |= PCRE_CASELESS;
86 yield = pcre_compile(CS pattern, options, (const char **)&error, &offset, NULL);
87 pcre_malloc = function_store_get;
88 pcre_free = function_dummy_free;
90 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "regular expression error: "
91 "%s at offset %d while compiling %s", error, offset, pattern);
98 /*************************************************
99 * Execute regular expression and set strings *
100 *************************************************/
102 /* This function runs a regular expression match, and sets up the pointers to
103 the matched substrings.
106 re the compiled expression
107 subject the subject string
108 options additional PCRE options
109 setup if < 0 do full setup
110 if >= 0 setup from setup+1 onwards,
111 excluding the full matched string
113 Returns: TRUE or FALSE
117 regex_match_and_setup(const pcre *re, uschar *subject, int options, int setup)
119 int ovector[3*(EXPAND_MAXN+1)];
120 int n = pcre_exec(re, NULL, CS subject, Ustrlen(subject), 0,
121 PCRE_EOPT | options, ovector, sizeof(ovector)/sizeof(int));
123 if (n == 0) n = EXPAND_MAXN + 1;
127 expand_nmax = (setup < 0)? 0 : setup + 1;
128 for (nn = (setup < 0)? 0 : 2; nn < n*2; nn += 2)
130 expand_nstring[expand_nmax] = subject + ovector[nn];
131 expand_nlength[expand_nmax++] = ovector[nn+1] - ovector[nn];
141 /*************************************************
142 * Set up processing details *
143 *************************************************/
145 /* Save a text string for dumping when SIGUSR1 is received.
146 Do checks for overruns.
148 Arguments: format and arguments, as for printf()
153 set_process_info(const char *format, ...)
157 sprintf(CS process_info, "%5d ", (int)getpid());
158 len = Ustrlen(process_info);
159 va_start(ap, format);
160 if (!string_vformat(process_info + len, PROCESS_INFO_SIZE - len - 2, format, ap))
161 Ustrcpy(process_info + len, "**** string overflowed buffer ****");
162 len = Ustrlen(process_info);
163 process_info[len+0] = '\n';
164 process_info[len+1] = '\0';
165 process_info_len = len + 1;
166 DEBUG(D_process_info) debug_printf("set_process_info: %s", process_info);
173 /*************************************************
174 * Handler for SIGUSR1 *
175 *************************************************/
177 /* SIGUSR1 causes any exim process to write to the process log details of
178 what it is currently doing. It will only be used if the OS is capable of
179 setting up a handler that causes automatic restarting of any system call
180 that is in progress at the time.
182 This function takes care to be signal-safe.
184 Argument: the signal number (SIGUSR1)
189 usr1_handler(int sig)
193 os_restarting_signal(sig, usr1_handler);
195 fd = Uopen(process_log_path, O_APPEND|O_WRONLY, LOG_MODE);
198 /* If we are already running as the Exim user, try to create it in the
199 current process (assuming spool_directory exists). Otherwise, if we are
200 root, do the creation in an exim:exim subprocess. */
202 int euid = geteuid();
203 if (euid == exim_uid)
204 fd = Uopen(process_log_path, O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
205 else if (euid == root_uid)
206 fd = log_create_as_exim(process_log_path);
209 /* If we are neither exim nor root, or if we failed to create the log file,
210 give up. There is not much useful we can do with errors, since we don't want
211 to disrupt whatever is going on outside the signal handler. */
215 (void)write(fd, process_info, process_info_len);
221 /*************************************************
223 *************************************************/
225 /* This handler is enabled most of the time that Exim is running. The handler
226 doesn't actually get used unless alarm() has been called to set a timer, to
227 place a time limit on a system call of some kind. When the handler is run, it
230 There are some other SIGALRM handlers that are used in special cases when more
231 than just a flag setting is required; for example, when reading a message's
232 input. These are normally set up in the code module that uses them, and the
233 SIGALRM handler is reset to this one afterwards.
235 Argument: the signal value (SIGALRM)
240 sigalrm_handler(int sig)
242 sig = sig; /* Keep picky compilers happy */
244 os_non_restarting_signal(SIGALRM, sigalrm_handler);
249 /*************************************************
250 * Sleep for a fractional time interval *
251 *************************************************/
253 /* This function is called by millisleep() and exim_wait_tick() to wait for a
254 period of time that may include a fraction of a second. The coding is somewhat
255 tedious. We do not expect setitimer() ever to fail, but if it does, the process
256 will wait for ever, so we panic in this instance. (There was a case of this
257 when a bug in a function that calls milliwait() caused it to pass invalid data.
258 That's when I added the check. :-)
260 Argument: an itimerval structure containing the interval
265 milliwait(struct itimerval *itval)
268 sigset_t old_sigmask;
269 (void)sigemptyset(&sigmask); /* Empty mask */
270 (void)sigaddset(&sigmask, SIGALRM); /* Add SIGALRM */
271 (void)sigprocmask(SIG_BLOCK, &sigmask, &old_sigmask); /* Block SIGALRM */
272 if (setitimer(ITIMER_REAL, itval, NULL) < 0) /* Start timer */
273 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
274 "setitimer() failed: %s", strerror(errno));
275 (void)sigfillset(&sigmask); /* All signals */
276 (void)sigdelset(&sigmask, SIGALRM); /* Remove SIGALRM */
277 (void)sigsuspend(&sigmask); /* Until SIGALRM */
278 (void)sigprocmask(SIG_SETMASK, &old_sigmask, NULL); /* Restore mask */
284 /*************************************************
285 * Millisecond sleep function *
286 *************************************************/
288 /* The basic sleep() function has a granularity of 1 second, which is too rough
289 in some cases - for example, when using an increasing delay to slow down
292 Argument: number of millseconds
299 struct itimerval itval;
300 itval.it_interval.tv_sec = 0;
301 itval.it_interval.tv_usec = 0;
302 itval.it_value.tv_sec = msec/1000;
303 itval.it_value.tv_usec = (msec % 1000) * 1000;
309 /*************************************************
310 * Compare microsecond times *
311 *************************************************/
318 Returns: -1, 0, or +1
322 exim_tvcmp(struct timeval *t1, struct timeval *t2)
324 if (t1->tv_sec > t2->tv_sec) return +1;
325 if (t1->tv_sec < t2->tv_sec) return -1;
326 if (t1->tv_usec > t2->tv_usec) return +1;
327 if (t1->tv_usec < t2->tv_usec) return -1;
334 /*************************************************
335 * Clock tick wait function *
336 *************************************************/
338 /* Exim uses a time + a pid to generate a unique identifier in two places: its
339 message IDs, and in file names for maildir deliveries. Because some OS now
340 re-use pids within the same second, sub-second times are now being used.
341 However, for absolute certaintly, we must ensure the clock has ticked before
342 allowing the relevant process to complete. At the time of implementation of
343 this code (February 2003), the speed of processors is such that the clock will
344 invariably have ticked already by the time a process has done its job. This
345 function prepares for the time when things are faster - and it also copes with
346 clocks that go backwards.
349 then_tv A timeval which was used to create uniqueness; its usec field
350 has been rounded down to the value of the resolution.
351 We want to be sure the current time is greater than this.
352 resolution The resolution that was used to divide the microseconds
353 (1 for maildir, larger for message ids)
359 exim_wait_tick(struct timeval *then_tv, int resolution)
361 struct timeval now_tv;
362 long int now_true_usec;
364 (void)gettimeofday(&now_tv, NULL);
365 now_true_usec = now_tv.tv_usec;
366 now_tv.tv_usec = (now_true_usec/resolution) * resolution;
368 if (exim_tvcmp(&now_tv, then_tv) <= 0)
370 struct itimerval itval;
371 itval.it_interval.tv_sec = 0;
372 itval.it_interval.tv_usec = 0;
373 itval.it_value.tv_sec = then_tv->tv_sec - now_tv.tv_sec;
374 itval.it_value.tv_usec = then_tv->tv_usec + resolution - now_true_usec;
376 /* We know that, overall, "now" is less than or equal to "then". Therefore, a
377 negative value for the microseconds is possible only in the case when "now"
378 is more than a second less than "then". That means that itval.it_value.tv_sec
379 is greater than zero. The following correction is therefore safe. */
381 if (itval.it_value.tv_usec < 0)
383 itval.it_value.tv_usec += 1000000;
384 itval.it_value.tv_sec -= 1;
387 DEBUG(D_transport|D_receive)
389 if (!running_in_test_harness)
391 debug_printf("tick check: %lu.%06lu %lu.%06lu\n",
392 then_tv->tv_sec, then_tv->tv_usec, now_tv.tv_sec, now_tv.tv_usec);
393 debug_printf("waiting %lu.%06lu\n", itval.it_value.tv_sec,
394 itval.it_value.tv_usec);
405 /*************************************************
406 * Call fopen() with umask 777 and adjust mode *
407 *************************************************/
409 /* Exim runs with umask(0) so that files created with open() have the mode that
410 is specified in the open() call. However, there are some files, typically in
411 the spool directory, that are created with fopen(). They end up world-writeable
412 if no precautions are taken. Although the spool directory is not accessible to
413 the world, this is an untidiness. So this is a wrapper function for fopen()
414 that sorts out the mode of the created file.
417 filename the file name
418 options the fopen() options
419 mode the required mode
421 Returns: the fopened FILE or NULL
425 modefopen(const uschar *filename, const char *options, mode_t mode)
427 mode_t saved_umask = umask(0777);
428 FILE *f = Ufopen(filename, options);
429 (void)umask(saved_umask);
430 if (f != NULL) (void)fchmod(fileno(f), mode);
437 /*************************************************
438 * Ensure stdin, stdout, and stderr exist *
439 *************************************************/
441 /* Some operating systems grumble if an exec() happens without a standard
442 input, output, and error (fds 0, 1, 2) being defined. The worry is that some
443 file will be opened and will use these fd values, and then some other bit of
444 code will assume, for example, that it can write error messages to stderr.
445 This function ensures that fds 0, 1, and 2 are open if they do not already
446 exist, by connecting them to /dev/null.
448 This function is also used to ensure that std{in,out,err} exist at all times,
449 so that if any library that Exim calls tries to use them, it doesn't crash.
461 for (i = 0; i <= 2; i++)
463 if (fstat(i, &statbuf) < 0 && errno == EBADF)
465 if (devnull < 0) devnull = open("/dev/null", O_RDWR);
466 if (devnull < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s",
467 string_open_failed(errno, "/dev/null"));
468 if (devnull != i) (void)dup2(devnull, i);
471 if (devnull > 2) (void)close(devnull);
477 /*************************************************
478 * Close unwanted file descriptors for delivery *
479 *************************************************/
481 /* This function is called from a new process that has been forked to deliver
482 an incoming message, either directly, or using exec.
484 We want any smtp input streams to be closed in this new process. However, it
485 has been observed that using fclose() here causes trouble. When reading in -bS
486 input, duplicate copies of messages have been seen. The files will be sharing a
487 file pointer with the parent process, and it seems that fclose() (at least on
488 some systems - I saw this on Solaris 2.5.1) messes with that file pointer, at
489 least sometimes. Hence we go for closing the underlying file descriptors.
491 If TLS is active, we want to shut down the TLS library, but without molesting
492 the parent's SSL connection.
494 For delivery of a non-SMTP message, we want to close stdin and stdout (and
495 stderr unless debugging) because the calling process might have set them up as
496 pipes and be waiting for them to close before it waits for the submission
497 process to terminate. If they aren't closed, they hold up the calling process
498 until the initial delivery process finishes, which is not what we want.
500 Exception: We do want it for synchronous delivery!
502 And notwithstanding all the above, if D_resolver is set, implying resolver
503 debugging, leave stdout open, because that's where the resolver writes its
506 When we close stderr (which implies we've also closed stdout), we also get rid
507 of any controlling terminal.
519 tls_close(FALSE); /* Shut down the TLS library */
521 (void)close(fileno(smtp_in));
522 (void)close(fileno(smtp_out));
527 (void)close(0); /* stdin */
528 if ((debug_selector & D_resolver) == 0) (void)close(1); /* stdout */
529 if (debug_selector == 0) /* stderr */
531 if (!synchronous_delivery)
544 /*************************************************
546 *************************************************/
548 /* This function sets a new uid and gid permanently, optionally calling
549 initgroups() to set auxiliary groups. There are some special cases when running
550 Exim in unprivileged modes. In these situations the effective uid will not be
551 root; if we already have the right effective uid/gid, and don't need to
552 initialize any groups, leave things as they are.
557 igflag TRUE if initgroups() wanted
558 msg text to use in debugging output and failure log
560 Returns: nothing; bombs out on failure
564 exim_setugid(uid_t uid, gid_t gid, BOOL igflag, uschar *msg)
566 uid_t euid = geteuid();
567 gid_t egid = getegid();
569 if (euid == root_uid || euid != uid || egid != gid || igflag)
571 /* At least one OS returns +1 for initgroups failure, so just check for
576 struct passwd *pw = getpwuid(uid);
579 if (initgroups(pw->pw_name, gid) != 0)
580 log_write(0,LOG_MAIN|LOG_PANIC_DIE,"initgroups failed for uid=%ld: %s",
581 (long int)uid, strerror(errno));
583 else log_write(0, LOG_MAIN|LOG_PANIC_DIE, "cannot run initgroups(): "
584 "no passwd entry for uid=%ld", (long int)uid);
587 if (setgid(gid) < 0 || setuid(uid) < 0)
589 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "unable to set gid=%ld or uid=%ld "
590 "(euid=%ld): %s", (long int)gid, (long int)uid, (long int)euid, msg);
594 /* Debugging output included uid/gid and all groups */
598 int group_count, save_errno;
599 gid_t group_list[NGROUPS_MAX];
600 debug_printf("changed uid/gid: %s\n uid=%ld gid=%ld pid=%ld\n", msg,
601 (long int)geteuid(), (long int)getegid(), (long int)getpid());
602 group_count = getgroups(NGROUPS_MAX, group_list);
604 debug_printf(" auxiliary group list:");
608 for (i = 0; i < group_count; i++) debug_printf(" %d", (int)group_list[i]);
610 else if (group_count < 0)
611 debug_printf(" <error: %s>", strerror(save_errno));
612 else debug_printf(" <none>");
620 /*************************************************
622 *************************************************/
624 /* Exim exits via this function so that it always clears up any open
630 Returns: does not return
638 debug_printf(">>>>>>>>>>>>>>>> Exim pid=%d terminating with rc=%d "
639 ">>>>>>>>>>>>>>>>\n", (int)getpid(), rc);
646 /*************************************************
647 * Extract port from host address *
648 *************************************************/
650 /* Called to extract the port from the values given to -oMa and -oMi.
651 It also checks the syntax of the address, and terminates it before the
652 port data when a port is extracted.
655 address the address, with possible port on the end
657 Returns: the port, or zero if there isn't one
658 bombs out on a syntax error
662 check_port(uschar *address)
664 int port = host_address_extract_port(address);
665 if (string_is_ip_address(address, NULL) == 0)
667 fprintf(stderr, "exim abandoned: \"%s\" is not an IP address\n", address);
675 /*************************************************
676 * Test/verify an address *
677 *************************************************/
679 /* This function is called by the -bv and -bt code. It extracts a working
680 address from a full RFC 822 address. This isn't really necessary per se, but it
681 has the effect of collapsing source routes.
685 flags flag bits for verify_address()
686 exit_value to be set for failures
692 test_address(uschar *s, int flags, int *exit_value)
694 int start, end, domain;
695 uschar *parse_error = NULL;
696 uschar *address = parse_extract_address(s, &parse_error, &start, &end, &domain,
700 fprintf(stdout, "syntax error: %s\n", parse_error);
705 int rc = verify_address(deliver_make_addr(address,TRUE), stdout, flags, -1,
706 -1, -1, NULL, NULL, NULL);
707 if (rc == FAIL) *exit_value = 2;
708 else if (rc == DEFER && *exit_value == 0) *exit_value = 1;
714 /*************************************************
715 * Show supported features *
716 *************************************************/
718 /* This function is called for -bV/--version and for -d to output the optional
719 features of the current Exim binary.
721 Arguments: a FILE for printing
726 show_whats_supported(FILE *f)
730 #ifdef DB_VERSION_STRING
731 fprintf(f, "Berkeley DB: %s\n", DB_VERSION_STRING);
732 #elif defined(BTREEVERSION) && defined(HASHVERSION)
734 fprintf(f, "Probably Berkeley DB version 1.8x (native mode)\n");
736 fprintf(f, "Probably Berkeley DB version 1.8x (compatibility mode)\n");
738 #elif defined(_DBM_RDONLY) || defined(dbm_dirfno)
739 fprintf(f, "Probably ndbm\n");
740 #elif defined(USE_TDB)
741 fprintf(f, "Using tdb\n");
744 fprintf(f, "Probably GDBM (native mode)\n");
746 fprintf(f, "Probably GDBM (compatibility mode)\n");
750 fprintf(f, "Support for:");
751 #ifdef SUPPORT_CRYPTEQ
752 fprintf(f, " crypteq");
755 fprintf(f, " iconv()");
760 #ifdef HAVE_SETCLASSRESOURCES
761 fprintf(f, " use_setclassresources");
770 fprintf(f, " Expand_dlfunc");
772 #ifdef USE_TCP_WRAPPERS
773 fprintf(f, " TCPwrappers");
777 fprintf(f, " GnuTLS");
779 fprintf(f, " OpenSSL");
782 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
783 fprintf(f, " translate_ip_address");
785 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
786 fprintf(f, " move_frozen_messages");
788 #ifdef WITH_CONTENT_SCAN
789 fprintf(f, " Content_Scanning");
794 #ifdef WITH_OLD_DEMIME
795 fprintf(f, " Old_Demime");
797 #ifdef EXPERIMENTAL_SPF
798 fprintf(f, " Experimental_SPF");
800 #ifdef EXPERIMENTAL_SRS
801 fprintf(f, " Experimental_SRS");
803 #ifdef EXPERIMENTAL_BRIGHTMAIL
804 fprintf(f, " Experimental_Brightmail");
806 #ifdef EXPERIMENTAL_DCC
807 fprintf(f, " Experimental_DCC");
809 #ifdef EXPERIMENTAL_DBL
810 fprintf(f, " EXPERIMENTAL_DBL");
814 fprintf(f, "Lookups (built-in):");
815 #if defined(LOOKUP_LSEARCH) && LOOKUP_LSEARCH!=2
816 fprintf(f, " lsearch wildlsearch nwildlsearch iplsearch");
818 #if defined(LOOKUP_CDB) && LOOKUP_CDB!=2
821 #if defined(LOOKUP_DBM) && LOOKUP_DBM!=2
822 fprintf(f, " dbm dbmjz dbmnz");
824 #if defined(LOOKUP_DNSDB) && LOOKUP_DNSDB!=2
825 fprintf(f, " dnsdb");
827 #if defined(LOOKUP_DSEARCH) && LOOKUP_DSEARCH!=2
828 fprintf(f, " dsearch");
830 #if defined(LOOKUP_IBASE) && LOOKUP_IBASE!=2
831 fprintf(f, " ibase");
833 #if defined(LOOKUP_LDAP) && LOOKUP_LDAP!=2
834 fprintf(f, " ldap ldapdn ldapm");
836 #if defined(LOOKUP_MYSQL) && LOOKUP_MYSQL!=2
837 fprintf(f, " mysql");
839 #if defined(LOOKUP_NIS) && LOOKUP_NIS!=2
840 fprintf(f, " nis nis0");
842 #if defined(LOOKUP_NISPLUS) && LOOKUP_NISPLUS!=2
843 fprintf(f, " nisplus");
845 #if defined(LOOKUP_ORACLE) && LOOKUP_ORACLE!=2
846 fprintf(f, " oracle");
848 #if defined(LOOKUP_PASSWD) && LOOKUP_PASSWD!=2
849 fprintf(f, " passwd");
851 #if defined(LOOKUP_PGSQL) && LOOKUP_PGSQL!=2
852 fprintf(f, " pgsql");
854 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
855 fprintf(f, " sqlite");
857 #if defined(LOOKUP_TESTDB) && LOOKUP_TESTDB!=2
858 fprintf(f, " testdb");
860 #if defined(LOOKUP_WHOSON) && LOOKUP_WHOSON!=2
861 fprintf(f, " whoson");
865 fprintf(f, "Authenticators:");
867 fprintf(f, " cram_md5");
869 #ifdef AUTH_CYRUS_SASL
870 fprintf(f, " cyrus_sasl");
873 fprintf(f, " dovecot");
876 fprintf(f, " gsasl");
878 #ifdef AUTH_HEIMDAL_GSSAPI
879 fprintf(f, " heimdal_gssapi");
881 #ifdef AUTH_PLAINTEXT
882 fprintf(f, " plaintext");
889 fprintf(f, "Routers:");
891 fprintf(f, " accept");
893 #ifdef ROUTER_DNSLOOKUP
894 fprintf(f, " dnslookup");
896 #ifdef ROUTER_IPLITERAL
897 fprintf(f, " ipliteral");
899 #ifdef ROUTER_IPLOOKUP
900 fprintf(f, " iplookup");
902 #ifdef ROUTER_MANUALROUTE
903 fprintf(f, " manualroute");
905 #ifdef ROUTER_QUERYPROGRAM
906 fprintf(f, " queryprogram");
908 #ifdef ROUTER_REDIRECT
909 fprintf(f, " redirect");
913 fprintf(f, "Transports:");
914 #ifdef TRANSPORT_APPENDFILE
915 fprintf(f, " appendfile");
916 #ifdef SUPPORT_MAILDIR
917 fprintf(f, "/maildir");
919 #ifdef SUPPORT_MAILSTORE
920 fprintf(f, "/mailstore");
926 #ifdef TRANSPORT_AUTOREPLY
927 fprintf(f, " autoreply");
929 #ifdef TRANSPORT_LMTP
932 #ifdef TRANSPORT_PIPE
935 #ifdef TRANSPORT_SMTP
940 if (fixed_never_users[0] > 0)
943 fprintf(f, "Fixed never_users: ");
944 for (i = 1; i <= (int)fixed_never_users[0] - 1; i++)
945 fprintf(f, "%d:", (unsigned int)fixed_never_users[i]);
946 fprintf(f, "%d\n", (unsigned int)fixed_never_users[i]);
949 fprintf(f, "Size of off_t: " SIZE_T_FMT "\n", sizeof(off_t));
951 /* Everything else is details which are only worth reporting when debugging.
952 Perhaps the tls_version_report should move into this too. */
957 /* clang defines __GNUC__ (at least, for me) so test for it first */
958 #if defined(__clang__)
959 fprintf(f, "Compiler: CLang [%s]\n", __clang_version__);
960 #elif defined(__GNUC__)
961 fprintf(f, "Compiler: GCC [%s]\n",
965 "? unknown version ?"
969 fprintf(f, "Compiler: <unknown>\n");
973 tls_version_report(f);
976 for (authi = auths_available; *authi->driver_name != '\0'; ++authi) {
977 if (authi->version_report) {
978 (*authi->version_report)(f);
982 /* PCRE_PRERELEASE is either defined and empty or a bare sequence of
983 characters; unless it's an ancient version of PCRE in which case it
985 #ifndef PCRE_PRERELEASE
986 #define PCRE_PRERELEASE
989 #define EXPAND_AND_QUOTE(X) QUOTE(X)
990 fprintf(f, "Library version: PCRE: Compile: %d.%d%s\n"
992 PCRE_MAJOR, PCRE_MINOR,
993 EXPAND_AND_QUOTE(PCRE_PRERELEASE) "",
996 #undef EXPAND_AND_QUOTE
999 for (i = 0; i < lookup_list_count; i++)
1001 if (lookup_list[i]->version_report)
1002 lookup_list[i]->version_report(f);
1005 #ifdef WHITELIST_D_MACROS
1006 fprintf(f, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
1008 fprintf(f, "WHITELIST_D_MACROS unset\n");
1010 #ifdef TRUSTED_CONFIG_LIST
1011 fprintf(f, "TRUSTED_CONFIG_LIST: \"%s\"\n", TRUSTED_CONFIG_LIST);
1013 fprintf(f, "TRUSTED_CONFIG_LIST unset\n");
1022 /*************************************************
1023 * Quote a local part *
1024 *************************************************/
1026 /* This function is used when a sender address or a From: or Sender: header
1027 line is being created from the caller's login, or from an authenticated_id. It
1028 applies appropriate quoting rules for a local part.
1030 Argument: the local part
1031 Returns: the local part, quoted if necessary
1035 local_part_quote(uschar *lpart)
1037 BOOL needs_quote = FALSE;
1042 for (t = lpart; !needs_quote && *t != 0; t++)
1044 needs_quote = !isalnum(*t) && strchr("!#$%&'*+-/=?^_`{|}~", *t) == NULL &&
1045 (*t != '.' || t == lpart || t[1] == 0);
1048 if (!needs_quote) return lpart;
1051 yield = string_cat(NULL, &size, &ptr, US"\"", 1);
1055 uschar *nq = US Ustrpbrk(lpart, "\\\"");
1058 yield = string_cat(yield, &size, &ptr, lpart, Ustrlen(lpart));
1061 yield = string_cat(yield, &size, &ptr, lpart, nq - lpart);
1062 yield = string_cat(yield, &size, &ptr, US"\\", 1);
1063 yield = string_cat(yield, &size, &ptr, nq, 1);
1067 yield = string_cat(yield, &size, &ptr, US"\"", 1);
1075 /*************************************************
1076 * Load readline() functions *
1077 *************************************************/
1079 /* This function is called from testing executions that read data from stdin,
1080 but only when running as the calling user. Currently, only -be does this. The
1081 function loads the readline() function library and passes back the functions.
1082 On some systems, it needs the curses library, so load that too, but try without
1083 it if loading fails. All this functionality has to be requested at build time.
1086 fn_readline_ptr pointer to where to put the readline pointer
1087 fn_addhist_ptr pointer to where to put the addhistory function
1089 Returns: the dlopen handle or NULL on failure
1093 set_readline(char * (**fn_readline_ptr)(const char *),
1094 void (**fn_addhist_ptr)(const char *))
1097 void *dlhandle_curses = dlopen("libcurses." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_LAZY);
1099 dlhandle = dlopen("libreadline." DYNLIB_FN_EXT, RTLD_GLOBAL|RTLD_NOW);
1100 if (dlhandle_curses != NULL) dlclose(dlhandle_curses);
1102 if (dlhandle != NULL)
1104 /* Checked manual pages; at least in GNU Readline 6.1, the prototypes are:
1105 * char * readline (const char *prompt);
1106 * void add_history (const char *string);
1108 *fn_readline_ptr = (char *(*)(const char*))dlsym(dlhandle, "readline");
1109 *fn_addhist_ptr = (void(*)(const char*))dlsym(dlhandle, "add_history");
1113 DEBUG(D_any) debug_printf("failed to load readline: %s\n", dlerror());
1122 /*************************************************
1123 * Get a line from stdin for testing things *
1124 *************************************************/
1126 /* This function is called when running tests that can take a number of lines
1127 of input (for example, -be and -bt). It handles continuations and trailing
1128 spaces. And prompting and a blank line output on eof. If readline() is in use,
1129 the arguments are non-NULL and provide the relevant functions.
1132 fn_readline readline function or NULL
1133 fn_addhist addhist function or NULL
1135 Returns: pointer to dynamic memory, or NULL at end of file
1139 get_stdinput(char *(*fn_readline)(const char *), void(*fn_addhist)(const char *))
1144 uschar *yield = NULL;
1146 if (fn_readline == NULL) { printf("> "); fflush(stdout); }
1150 uschar buffer[1024];
1154 char *readline_line = NULL;
1155 if (fn_readline != NULL)
1157 if ((readline_line = fn_readline((i > 0)? "":"> ")) == NULL) break;
1158 if (*readline_line != 0 && fn_addhist != NULL) fn_addhist(readline_line);
1159 p = US readline_line;
1164 /* readline() not in use */
1167 if (Ufgets(buffer, sizeof(buffer), stdin) == NULL) break;
1171 /* Handle the line */
1173 ss = p + (int)Ustrlen(p);
1174 while (ss > p && isspace(ss[-1])) ss--;
1178 while (p < ss && isspace(*p)) p++; /* leading space after cont */
1181 yield = string_cat(yield, &size, &ptr, p, ss - p);
1184 if (fn_readline != NULL) free(readline_line);
1187 if (ss == p || yield[ptr-1] != '\\')
1195 if (yield == NULL) printf("\n");
1201 /*************************************************
1202 * Output usage information for the program *
1203 *************************************************/
1205 /* This function is called when there are no recipients
1206 or a specific --help argument was added.
1209 progname information on what name we were called by
1211 Returns: DOES NOT RETURN
1215 exim_usage(uschar *progname)
1218 /* Handle specific program invocation varients */
1219 if (Ustrcmp(progname, US"-mailq") == 0)
1222 "mailq - list the contents of the mail queue\n\n"
1223 "For a list of options, see the Exim documentation.\n");
1227 /* Generic usage - we output this whatever happens */
1229 "Exim is a Mail Transfer Agent. It is normally called by Mail User Agents,\n"
1230 "not directly from a shell command line. Options and/or arguments control\n"
1231 "what it does when called. For a list of options, see the Exim documentation.\n");
1238 /*************************************************
1239 * Validate that the macros given are okay *
1240 *************************************************/
1242 /* Typically, Exim will drop privileges if macros are supplied. In some
1243 cases, we want to not do so.
1245 Arguments: none (macros is a global)
1246 Returns: true if trusted, false otherwise
1250 macros_trusted(void)
1252 #ifdef WHITELIST_D_MACROS
1254 uschar *whitelisted, *end, *p, **whites, **w;
1255 int white_count, i, n;
1257 BOOL prev_char_item, found;
1262 #ifndef WHITELIST_D_MACROS
1266 /* We only trust -D overrides for some invoking users:
1267 root, the exim run-time user, the optional config owner user.
1268 I don't know why config-owner would be needed, but since they can own the
1269 config files anyway, there's no security risk to letting them override -D. */
1270 if ( ! ((real_uid == root_uid)
1271 || (real_uid == exim_uid)
1272 #ifdef CONFIGURE_OWNER
1273 || (real_uid == config_uid)
1277 debug_printf("macros_trusted rejecting macros for uid %d\n", (int) real_uid);
1281 /* Get a list of macros which are whitelisted */
1282 whitelisted = string_copy_malloc(US WHITELIST_D_MACROS);
1283 prev_char_item = FALSE;
1285 for (p = whitelisted; *p != '\0'; ++p)
1287 if (*p == ':' || isspace(*p))
1292 prev_char_item = FALSE;
1295 if (!prev_char_item)
1296 prev_char_item = TRUE;
1303 whites = store_malloc(sizeof(uschar *) * (white_count+1));
1304 for (p = whitelisted, i = 0; (p != end) && (i < white_count); ++p)
1309 if (i == white_count)
1311 while (*p != '\0' && p < end)
1317 /* The list of macros should be very short. Accept the N*M complexity. */
1318 for (m = macros; m != NULL; m = m->next)
1321 for (w = whites; *w; ++w)
1322 if (Ustrcmp(*w, m->name) == 0)
1329 if (m->replacement == NULL)
1331 len = Ustrlen(m->replacement);
1334 n = pcre_exec(regex_whitelisted_macro, NULL, CS m->replacement, len,
1335 0, PCRE_EOPT, NULL, 0);
1338 if (n != PCRE_ERROR_NOMATCH)
1339 debug_printf("macros_trusted checking %s returned %d\n", m->name, n);
1343 DEBUG(D_any) debug_printf("macros_trusted overridden to true by whitelisting\n");
1349 /*************************************************
1350 * Entry point and high-level code *
1351 *************************************************/
1353 /* Entry point for the Exim mailer. Analyse the arguments and arrange to take
1354 the appropriate action. All the necessary functions are present in the one
1355 binary. I originally thought one should split it up, but it turns out that so
1356 much of the apparatus is needed in each chunk that one might as well just have
1357 it all available all the time, which then makes the coding easier as well.
1360 argc count of entries in argv
1361 argv argument strings, with argv[0] being the program name
1363 Returns: EXIT_SUCCESS if terminated successfully
1364 EXIT_FAILURE otherwise, except when a message has been sent
1365 to the sender, and -oee was given
1369 main(int argc, char **cargv)
1371 uschar **argv = USS cargv;
1372 int arg_receive_timeout = -1;
1373 int arg_smtp_receive_timeout = -1;
1374 int arg_error_handling = error_handling;
1375 int filter_sfd = -1;
1376 int filter_ufd = -1;
1379 int list_queue_option = 0;
1381 int msg_action_arg = -1;
1382 int namelen = (argv[0] == NULL)? 0 : Ustrlen(argv[0]);
1383 int queue_only_reason = 0;
1385 int perl_start_option = 0;
1387 int recipients_arg = argc;
1388 int sender_address_domain = 0;
1389 int test_retry_arg = -1;
1390 int test_rewrite_arg = -1;
1391 BOOL arg_queue_only = FALSE;
1392 BOOL bi_option = FALSE;
1393 BOOL checking = FALSE;
1394 BOOL count_queue = FALSE;
1395 BOOL expansion_test = FALSE;
1396 BOOL extract_recipients = FALSE;
1397 BOOL forced_delivery = FALSE;
1398 BOOL f_end_dot = FALSE;
1399 BOOL deliver_give_up = FALSE;
1400 BOOL list_queue = FALSE;
1401 BOOL list_options = FALSE;
1402 BOOL local_queue_only;
1404 BOOL one_msg_action = FALSE;
1405 BOOL queue_only_set = FALSE;
1406 BOOL receiving_message = TRUE;
1407 BOOL sender_ident_set = FALSE;
1408 BOOL session_local_queue_only;
1410 BOOL removed_privilege = FALSE;
1411 BOOL usage_wanted = FALSE;
1412 BOOL verify_address_mode = FALSE;
1413 BOOL verify_as_sender = FALSE;
1414 BOOL version_printed = FALSE;
1415 uschar *alias_arg = NULL;
1416 uschar *called_as = US"";
1417 uschar *start_queue_run_id = NULL;
1418 uschar *stop_queue_run_id = NULL;
1419 uschar *expansion_test_message = NULL;
1420 uschar *ftest_domain = NULL;
1421 uschar *ftest_localpart = NULL;
1422 uschar *ftest_prefix = NULL;
1423 uschar *ftest_suffix = NULL;
1424 uschar *malware_test_file = NULL;
1425 uschar *real_sender_address;
1426 uschar *originator_home = US"/";
1430 struct stat statbuf;
1431 pid_t passed_qr_pid = (pid_t)0;
1432 int passed_qr_pipe = -1;
1433 gid_t group_list[NGROUPS_MAX];
1435 /* Possible options for -R and -S */
1437 static uschar *rsopts[] = { US"f", US"ff", US"r", US"rf", US"rff" };
1439 /* Need to define this in case we need to change the environment in order
1440 to get rid of a bogus time zone. We have to make it char rather than uschar
1441 because some OS define it in /usr/include/unistd.h. */
1443 extern char **environ;
1445 /* If the Exim user and/or group and/or the configuration file owner/group were
1446 defined by ref:name at build time, we must now find the actual uid/gid values.
1447 This is a feature to make the lives of binary distributors easier. */
1449 #ifdef EXIM_USERNAME
1450 if (route_finduser(US EXIM_USERNAME, &pw, &exim_uid))
1454 fprintf(stderr, "exim: refusing to run with uid 0 for \"%s\"\n",
1458 /* If ref:name uses a number as the name, route_finduser() returns
1459 TRUE with exim_uid set and pw coerced to NULL. */
1461 exim_gid = pw->pw_gid;
1462 #ifndef EXIM_GROUPNAME
1466 "exim: ref:name should specify a usercode, not a group.\n"
1467 "exim: can't let you get away with it unless you also specify a group.\n");
1474 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1480 #ifdef EXIM_GROUPNAME
1481 if (!route_findgroup(US EXIM_GROUPNAME, &exim_gid))
1483 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1489 #ifdef CONFIGURE_OWNERNAME
1490 if (!route_finduser(US CONFIGURE_OWNERNAME, NULL, &config_uid))
1492 fprintf(stderr, "exim: failed to find uid for user name \"%s\"\n",
1493 CONFIGURE_OWNERNAME);
1498 /* We default the system_filter_user to be the Exim run-time user, as a
1499 sane non-root value. */
1500 system_filter_uid = exim_uid;
1502 #ifdef CONFIGURE_GROUPNAME
1503 if (!route_findgroup(US CONFIGURE_GROUPNAME, &config_gid))
1505 fprintf(stderr, "exim: failed to find gid for group name \"%s\"\n",
1506 CONFIGURE_GROUPNAME);
1511 /* In the Cygwin environment, some initialization needs doing. It is fudged
1512 in by means of this macro. */
1518 /* Check a field which is patched when we are running Exim within its
1519 testing harness; do a fast initial check, and then the whole thing. */
1521 running_in_test_harness =
1522 *running_status == '<' && Ustrcmp(running_status, "<<<testing>>>") == 0;
1524 /* The C standard says that the equivalent of setlocale(LC_ALL, "C") is obeyed
1525 at the start of a program; however, it seems that some environments do not
1526 follow this. A "strange" locale can affect the formatting of timestamps, so we
1529 setlocale(LC_ALL, "C");
1531 /* Set up the default handler for timing using alarm(). */
1533 os_non_restarting_signal(SIGALRM, sigalrm_handler);
1535 /* Ensure we have a buffer for constructing log entries. Use malloc directly,
1536 because store_malloc writes a log entry on failure. */
1538 log_buffer = (uschar *)malloc(LOG_BUFFER_SIZE);
1539 if (log_buffer == NULL)
1541 fprintf(stderr, "exim: failed to get store for log buffer\n");
1545 /* Set log_stderr to stderr, provided that stderr exists. This gets reset to
1546 NULL when the daemon is run and the file is closed. We have to use this
1547 indirection, because some systems don't allow writing to the variable "stderr".
1550 if (fstat(fileno(stderr), &statbuf) >= 0) log_stderr = stderr;
1552 /* Arrange for the PCRE regex library to use our store functions. Note that
1553 the normal calls are actually macros that add additional arguments for
1554 debugging purposes so we have to assign specially constructed functions here.
1555 The default is to use store in the stacking pool, but this is overridden in the
1556 regex_must_compile() function. */
1558 pcre_malloc = function_store_get;
1559 pcre_free = function_dummy_free;
1561 /* Ensure there is a big buffer for temporary use in several places. It is put
1562 in malloc store so that it can be freed for enlargement if necessary. */
1564 big_buffer = store_malloc(big_buffer_size);
1566 /* Set up the handler for the data request signal, and set the initial
1567 descriptive text. */
1569 set_process_info("initializing");
1570 os_restarting_signal(SIGUSR1, usr1_handler);
1572 /* SIGHUP is used to get the daemon to reconfigure. It gets set as appropriate
1573 in the daemon code. For the rest of Exim's uses, we ignore it. */
1575 signal(SIGHUP, SIG_IGN);
1577 /* We don't want to die on pipe errors as the code is written to handle
1578 the write error instead. */
1580 signal(SIGPIPE, SIG_IGN);
1582 /* Under some circumstance on some OS, Exim can get called with SIGCHLD
1583 set to SIG_IGN. This causes subprocesses that complete before the parent
1584 process waits for them not to hang around, so when Exim calls wait(), nothing
1585 is there. The wait() code has been made robust against this, but let's ensure
1586 that SIGCHLD is set to SIG_DFL, because it's tidier to wait and get a process
1587 ending status. We use sigaction rather than plain signal() on those OS where
1588 SA_NOCLDWAIT exists, because we want to be sure it is turned off. (There was a
1589 problem on AIX with this.) */
1593 struct sigaction act;
1594 act.sa_handler = SIG_DFL;
1595 sigemptyset(&(act.sa_mask));
1597 sigaction(SIGCHLD, &act, NULL);
1600 signal(SIGCHLD, SIG_DFL);
1603 /* Save the arguments for use if we re-exec exim as a daemon after receiving
1608 /* Set up the version number. Set up the leading 'E' for the external form of
1609 message ids, set the pointer to the internal form, and initialize it to
1610 indicate no message being processed. */
1613 message_id_option[0] = '-';
1614 message_id_external = message_id_option + 1;
1615 message_id_external[0] = 'E';
1616 message_id = message_id_external + 1;
1619 /* Set the umask to zero so that any files Exim creates using open() are
1620 created with the modes that it specifies. NOTE: Files created with fopen() have
1621 a problem, which was not recognized till rather late (February 2006). With this
1622 umask, such files will be world writeable. (They are all content scanning files
1623 in the spool directory, which isn't world-accessible, so this is not a
1624 disaster, but it's untidy.) I don't want to change this overall setting,
1625 however, because it will interact badly with the open() calls. Instead, there's
1626 now a function called modefopen() that fiddles with the umask while calling
1631 /* Precompile the regular expression for matching a message id. Keep this in
1632 step with the code that generates ids in the accept.c module. We need to do
1633 this here, because the -M options check their arguments for syntactic validity
1634 using mac_ismsgid, which uses this. */
1637 regex_must_compile(US"^(?:[^\\W_]{6}-){2}[^\\W_]{2}$", FALSE, TRUE);
1639 /* Precompile the regular expression that is used for matching an SMTP error
1640 code, possibly extended, at the start of an error message. Note that the
1641 terminating whitespace character is included. */
1644 regex_must_compile(US"^\\d\\d\\d\\s(?:\\d\\.\\d\\d?\\d?\\.\\d\\d?\\d?\\s)?",
1647 #ifdef WHITELIST_D_MACROS
1648 /* Precompile the regular expression used to filter the content of macros
1649 given to -D for permissibility. */
1651 regex_whitelisted_macro =
1652 regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
1656 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
1657 this seems to be a generally accepted convention, since one finds symbolic
1658 links called "mailq" in standard OS configurations. */
1660 if ((namelen == 5 && Ustrcmp(argv[0], "mailq") == 0) ||
1661 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/mailq", 6) == 0))
1664 receiving_message = FALSE;
1665 called_as = US"-mailq";
1668 /* If the program is called as "rmail" treat it as equivalent to
1669 "exim -i -oee", thus allowing UUCP messages to be input using non-SMTP mode,
1670 i.e. preventing a single dot on a line from terminating the message, and
1671 returning with zero return code, even in cases of error (provided an error
1672 message has been sent). */
1674 if ((namelen == 5 && Ustrcmp(argv[0], "rmail") == 0) ||
1675 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rmail", 6) == 0))
1678 called_as = US"-rmail";
1679 errors_sender_rc = EXIT_SUCCESS;
1682 /* If the program is called as "rsmtp" treat it as equivalent to "exim -bS";
1683 this is a smail convention. */
1685 if ((namelen == 5 && Ustrcmp(argv[0], "rsmtp") == 0) ||
1686 (namelen > 5 && Ustrncmp(argv[0] + namelen - 6, "/rsmtp", 6) == 0))
1688 smtp_input = smtp_batched_input = TRUE;
1689 called_as = US"-rsmtp";
1692 /* If the program is called as "runq" treat it as equivalent to "exim -q";
1693 this is a smail convention. */
1695 if ((namelen == 4 && Ustrcmp(argv[0], "runq") == 0) ||
1696 (namelen > 4 && Ustrncmp(argv[0] + namelen - 5, "/runq", 5) == 0))
1699 receiving_message = FALSE;
1700 called_as = US"-runq";
1703 /* If the program is called as "newaliases" treat it as equivalent to
1704 "exim -bi"; this is a sendmail convention. */
1706 if ((namelen == 10 && Ustrcmp(argv[0], "newaliases") == 0) ||
1707 (namelen > 10 && Ustrncmp(argv[0] + namelen - 11, "/newaliases", 11) == 0))
1710 receiving_message = FALSE;
1711 called_as = US"-newaliases";
1714 /* Save the original effective uid for a couple of uses later. It should
1715 normally be root, but in some esoteric environments it may not be. */
1717 original_euid = geteuid();
1719 /* Get the real uid and gid. If the caller is root, force the effective uid/gid
1720 to be the same as the real ones. This makes a difference only if Exim is setuid
1721 (or setgid) to something other than root, which could be the case in some
1722 special configurations. */
1724 real_uid = getuid();
1725 real_gid = getgid();
1727 if (real_uid == root_uid)
1729 rv = setgid(real_gid);
1732 fprintf(stderr, "exim: setgid(%ld) failed: %s\n",
1733 (long int)real_gid, strerror(errno));
1736 rv = setuid(real_uid);
1739 fprintf(stderr, "exim: setuid(%ld) failed: %s\n",
1740 (long int)real_uid, strerror(errno));
1745 /* If neither the original real uid nor the original euid was root, Exim is
1746 running in an unprivileged state. */
1748 unprivileged = (real_uid != root_uid && original_euid != root_uid);
1750 /* Scan the program's arguments. Some can be dealt with right away; others are
1751 simply recorded for checking and handling afterwards. Do a high-level switch
1752 on the second character (the one after '-'), to save some effort. */
1754 for (i = 1; i < argc; i++)
1756 BOOL badarg = FALSE;
1757 uschar *arg = argv[i];
1761 /* An argument not starting with '-' is the start of a recipients list;
1762 break out of the options-scanning loop. */
1770 /* An option consistion of -- terminates the options */
1772 if (Ustrcmp(arg, "--") == 0)
1774 recipients_arg = i + 1;
1778 /* Handle flagged options */
1780 switchchar = arg[1];
1783 /* Make all -ex options synonymous with -oex arguments, since that
1784 is assumed by various callers. Also make -qR options synonymous with -R
1785 options, as that seems to be required as well. Allow for -qqR too, and
1786 the same for -S options. */
1788 if (Ustrncmp(arg+1, "oe", 2) == 0 ||
1789 Ustrncmp(arg+1, "qR", 2) == 0 ||
1790 Ustrncmp(arg+1, "qS", 2) == 0)
1792 switchchar = arg[2];
1795 else if (Ustrncmp(arg+1, "qqR", 3) == 0 || Ustrncmp(arg+1, "qqS", 3) == 0)
1797 switchchar = arg[3];
1799 queue_2stage = TRUE;
1802 /* Make -r synonymous with -f, since it is a documented alias */
1804 else if (arg[1] == 'r') switchchar = 'f';
1806 /* Make -ov synonymous with -v */
1808 else if (Ustrcmp(arg, "-ov") == 0)
1814 /* deal with --option_aliases */
1815 else if (switchchar == '-')
1817 if (Ustrcmp(argrest, "help") == 0)
1819 usage_wanted = TRUE;
1822 else if (Ustrcmp(argrest, "version") == 0)
1829 /* High-level switch on active initial letter */
1833 /* -Btype is a sendmail option for 7bit/8bit setting. Exim is 8-bit clean
1834 so has no need of it. */
1837 if (*argrest == 0) i++; /* Skip over the type */
1842 receiving_message = FALSE; /* Reset TRUE for -bm, -bS, -bs below */
1844 /* -bd: Run in daemon mode, awaiting SMTP connections.
1845 -bdf: Ditto, but in the foreground.
1848 if (*argrest == 'd')
1850 daemon_listen = TRUE;
1851 if (*(++argrest) == 'f') background_daemon = FALSE;
1852 else if (*argrest != 0) { badarg = TRUE; break; }
1855 /* -be: Run in expansion test mode
1856 -bem: Ditto, but read a message from a file first
1859 else if (*argrest == 'e')
1861 expansion_test = checking = TRUE;
1862 if (argrest[1] == 'm')
1864 if (++i >= argc) { badarg = TRUE; break; }
1865 expansion_test_message = argv[i];
1868 if (argrest[1] != 0) { badarg = TRUE; break; }
1871 /* -bF: Run system filter test */
1873 else if (*argrest == 'F')
1875 filter_test |= FTEST_SYSTEM;
1876 if (*(++argrest) != 0) { badarg = TRUE; break; }
1877 if (++i < argc) filter_test_sfile = argv[i]; else
1879 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1884 /* -bf: Run user filter test
1885 -bfd: Set domain for filter testing
1886 -bfl: Set local part for filter testing
1887 -bfp: Set prefix for filter testing
1888 -bfs: Set suffix for filter testing
1891 else if (*argrest == 'f')
1893 if (*(++argrest) == 0)
1895 filter_test |= FTEST_USER;
1896 if (++i < argc) filter_test_ufile = argv[i]; else
1898 fprintf(stderr, "exim: file name expected after %s\n", argv[i-1]);
1906 fprintf(stderr, "exim: string expected after %s\n", arg);
1909 if (Ustrcmp(argrest, "d") == 0) ftest_domain = argv[i];
1910 else if (Ustrcmp(argrest, "l") == 0) ftest_localpart = argv[i];
1911 else if (Ustrcmp(argrest, "p") == 0) ftest_prefix = argv[i];
1912 else if (Ustrcmp(argrest, "s") == 0) ftest_suffix = argv[i];
1913 else { badarg = TRUE; break; }
1917 /* -bh: Host checking - an IP address must follow. */
1919 else if (Ustrcmp(argrest, "h") == 0 || Ustrcmp(argrest, "hc") == 0)
1921 if (++i >= argc) { badarg = TRUE; break; }
1922 sender_host_address = argv[i];
1923 host_checking = checking = log_testing_mode = TRUE;
1924 host_checking_callout = argrest[1] == 'c';
1927 /* -bi: This option is used by sendmail to initialize *the* alias file,
1928 though it has the -oA option to specify a different file. Exim has no
1929 concept of *the* alias file, but since Sun's YP make script calls
1930 sendmail this way, some support must be provided. */
1932 else if (Ustrcmp(argrest, "i") == 0) bi_option = TRUE;
1934 /* -bm: Accept and deliver message - the default option. Reinstate
1935 receiving_message, which got turned off for all -b options. */
1937 else if (Ustrcmp(argrest, "m") == 0) receiving_message = TRUE;
1939 /* -bmalware: test the filename given for malware */
1941 else if (Ustrcmp(argrest, "malware") == 0)
1943 if (++i >= argc) { badarg = TRUE; break; }
1944 malware_test_file = argv[i];
1947 /* -bnq: For locally originating messages, do not qualify unqualified
1948 addresses. In the envelope, this causes errors; in header lines they
1951 else if (Ustrcmp(argrest, "nq") == 0)
1953 allow_unqualified_sender = FALSE;
1954 allow_unqualified_recipient = FALSE;
1957 /* -bpxx: List the contents of the mail queue, in various forms. If
1958 the option is -bpc, just a queue count is needed. Otherwise, if the
1959 first letter after p is r, then order is random. */
1961 else if (*argrest == 'p')
1963 if (*(++argrest) == 'c')
1966 if (*(++argrest) != 0) badarg = TRUE;
1970 if (*argrest == 'r')
1972 list_queue_option = 8;
1975 else list_queue_option = 0;
1979 /* -bp: List the contents of the mail queue, top-level only */
1981 if (*argrest == 0) {}
1983 /* -bpu: List the contents of the mail queue, top-level undelivered */
1985 else if (Ustrcmp(argrest, "u") == 0) list_queue_option += 1;
1987 /* -bpa: List the contents of the mail queue, including all delivered */
1989 else if (Ustrcmp(argrest, "a") == 0) list_queue_option += 2;
1991 /* Unknown after -bp[r] */
2001 /* -bP: List the configuration variables given as the address list.
2002 Force -v, so configuration errors get displayed. */
2004 else if (Ustrcmp(argrest, "P") == 0)
2006 list_options = TRUE;
2007 debug_selector |= D_v;
2008 debug_file = stderr;
2011 /* -brt: Test retry configuration lookup */
2013 else if (Ustrcmp(argrest, "rt") == 0)
2015 test_retry_arg = i + 1;
2019 /* -brw: Test rewrite configuration */
2021 else if (Ustrcmp(argrest, "rw") == 0)
2023 test_rewrite_arg = i + 1;
2027 /* -bS: Read SMTP commands on standard input, but produce no replies -
2028 all errors are reported by sending messages. */
2030 else if (Ustrcmp(argrest, "S") == 0)
2031 smtp_input = smtp_batched_input = receiving_message = TRUE;
2033 /* -bs: Read SMTP commands on standard input and produce SMTP replies
2034 on standard output. */
2036 else if (Ustrcmp(argrest, "s") == 0) smtp_input = receiving_message = TRUE;
2038 /* -bt: address testing mode */
2040 else if (Ustrcmp(argrest, "t") == 0)
2041 address_test_mode = checking = log_testing_mode = TRUE;
2043 /* -bv: verify addresses */
2045 else if (Ustrcmp(argrest, "v") == 0)
2046 verify_address_mode = checking = log_testing_mode = TRUE;
2048 /* -bvs: verify sender addresses */
2050 else if (Ustrcmp(argrest, "vs") == 0)
2052 verify_address_mode = checking = log_testing_mode = TRUE;
2053 verify_as_sender = TRUE;
2056 /* -bV: Print version string and support details */
2058 else if (Ustrcmp(argrest, "V") == 0)
2060 printf("Exim version %s #%s built %s\n", version_string,
2061 version_cnumber, version_date);
2062 printf("%s\n", CS version_copyright);
2063 version_printed = TRUE;
2064 show_whats_supported(stdout);
2067 /* -bw: inetd wait mode, accept a listening socket as stdin */
2069 else if (*argrest == 'w')
2071 inetd_wait_mode = TRUE;
2072 background_daemon = FALSE;
2073 daemon_listen = TRUE;
2074 if (*(++argrest) != '\0')
2076 inetd_wait_timeout = readconf_readtime(argrest, 0, FALSE);
2077 if (inetd_wait_timeout <= 0)
2079 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2089 /* -C: change configuration file list; ignore if it isn't really
2090 a change! Enforce a prefix check if required. */
2095 if(++i < argc) argrest = argv[i]; else
2096 { badarg = TRUE; break; }
2098 if (Ustrcmp(config_main_filelist, argrest) != 0)
2100 #ifdef ALT_CONFIG_PREFIX
2102 int len = Ustrlen(ALT_CONFIG_PREFIX);
2103 uschar *list = argrest;
2105 while((filename = string_nextinlist(&list, &sep, big_buffer,
2106 big_buffer_size)) != NULL)
2108 if ((Ustrlen(filename) < len ||
2109 Ustrncmp(filename, ALT_CONFIG_PREFIX, len) != 0 ||
2110 Ustrstr(filename, "/../") != NULL) &&
2111 (Ustrcmp(filename, "/dev/null") != 0 || real_uid != root_uid))
2113 fprintf(stderr, "-C Permission denied\n");
2118 if (real_uid != root_uid)
2120 #ifdef TRUSTED_CONFIG_LIST
2122 if (real_uid != exim_uid
2123 #ifdef CONFIGURE_OWNER
2124 && real_uid != config_uid
2127 trusted_config = FALSE;
2130 FILE *trust_list = Ufopen(TRUSTED_CONFIG_LIST, "rb");
2133 struct stat statbuf;
2135 if (fstat(fileno(trust_list), &statbuf) != 0 ||
2136 (statbuf.st_uid != root_uid /* owner not root */
2137 #ifdef CONFIGURE_OWNER
2138 && statbuf.st_uid != config_uid /* owner not the special one */
2141 (statbuf.st_gid != root_gid /* group not root */
2142 #ifdef CONFIGURE_GROUP
2143 && statbuf.st_gid != config_gid /* group not the special one */
2145 && (statbuf.st_mode & 020) != 0 /* group writeable */
2147 (statbuf.st_mode & 2) != 0) /* world writeable */
2149 trusted_config = FALSE;
2154 /* Well, the trust list at least is up to scratch... */
2155 void *reset_point = store_get(0);
2156 uschar *trusted_configs[32];
2160 while (Ufgets(big_buffer, big_buffer_size, trust_list))
2162 uschar *start = big_buffer, *nl;
2163 while (*start && isspace(*start))
2167 nl = Ustrchr(start, '\n');
2170 trusted_configs[nr_configs++] = string_copy(start);
2171 if (nr_configs == 32)
2179 uschar *list = argrest;
2181 while (trusted_config && (filename = string_nextinlist(&list,
2182 &sep, big_buffer, big_buffer_size)) != NULL)
2184 for (i=0; i < nr_configs; i++)
2186 if (Ustrcmp(filename, trusted_configs[i]) == 0)
2189 if (i == nr_configs)
2191 trusted_config = FALSE;
2195 store_reset(reset_point);
2199 /* No valid prefixes found in trust_list file. */
2200 trusted_config = FALSE;
2206 /* Could not open trust_list file. */
2207 trusted_config = FALSE;
2211 /* Not root; don't trust config */
2212 trusted_config = FALSE;
2216 config_main_filelist = argrest;
2217 config_changed = TRUE;
2222 /* -D: set up a macro definition */
2225 #ifdef DISABLE_D_OPTION
2226 fprintf(stderr, "exim: -D is not available in this Exim binary\n");
2231 macro_item *mlast = NULL;
2234 uschar *s = argrest;
2236 while (isspace(*s)) s++;
2238 if (*s < 'A' || *s > 'Z')
2240 fprintf(stderr, "exim: macro name set by -D must start with "
2241 "an upper case letter\n");
2245 while (isalnum(*s) || *s == '_')
2247 if (ptr < sizeof(name)-1) name[ptr++] = *s;
2251 if (ptr == 0) { badarg = TRUE; break; }
2252 while (isspace(*s)) s++;
2255 if (*s++ != '=') { badarg = TRUE; break; }
2256 while (isspace(*s)) s++;
2259 for (m = macros; m != NULL; m = m->next)
2261 if (Ustrcmp(m->name, name) == 0)
2263 fprintf(stderr, "exim: duplicated -D in command line\n");
2269 m = store_get(sizeof(macro_item) + Ustrlen(name));
2271 m->command_line = TRUE;
2272 if (mlast == NULL) macros = m; else mlast->next = m;
2273 Ustrcpy(m->name, name);
2274 m->replacement = string_copy(s);
2276 if (clmacro_count >= MAX_CLMACROS)
2278 fprintf(stderr, "exim: too many -D options on command line\n");
2281 clmacros[clmacro_count++] = string_sprintf("-D%s=%s", m->name,
2287 /* -d: Set debug level (see also -v below) or set the drop_cr option.
2288 The latter is now a no-op, retained for compatibility only. If -dd is used,
2289 debugging subprocesses of the daemon is disabled. */
2292 if (Ustrcmp(argrest, "ropcr") == 0)
2294 /* drop_cr = TRUE; */
2297 /* Use an intermediate variable so that we don't set debugging while
2298 decoding the debugging bits. */
2302 unsigned int selector = D_default;
2305 if (*argrest == 'd')
2307 debug_daemon = TRUE;
2311 decode_bits(&selector, NULL, D_memory, 0, argrest, debug_options,
2312 debug_options_count, US"debug", 0);
2313 debug_selector = selector;
2318 /* -E: This is a local error message. This option is not intended for
2319 external use at all, but is not restricted to trusted callers because it
2320 does no harm (just suppresses certain error messages) and if Exim is run
2321 not setuid root it won't always be trusted when it generates error
2322 messages using this option. If there is a message id following -E, point
2323 message_reference at it, for logging. */
2326 local_error_message = TRUE;
2327 if (mac_ismsgid(argrest)) message_reference = argrest;
2331 /* -ex: The vacation program calls sendmail with the undocumented "-eq"
2332 option, so it looks as if historically the -oex options are also callable
2333 without the leading -o. So we have to accept them. Before the switch,
2334 anything starting -oe has been converted to -e. Exim does not support all
2335 of the sendmail error options. */
2338 if (Ustrcmp(argrest, "e") == 0)
2340 arg_error_handling = ERRORS_SENDER;
2341 errors_sender_rc = EXIT_SUCCESS;
2343 else if (Ustrcmp(argrest, "m") == 0) arg_error_handling = ERRORS_SENDER;
2344 else if (Ustrcmp(argrest, "p") == 0) arg_error_handling = ERRORS_STDERR;
2345 else if (Ustrcmp(argrest, "q") == 0) arg_error_handling = ERRORS_STDERR;
2346 else if (Ustrcmp(argrest, "w") == 0) arg_error_handling = ERRORS_SENDER;
2351 /* -F: Set sender's full name, used instead of the gecos entry from
2352 the password file. Since users can usually alter their gecos entries,
2353 there's no security involved in using this instead. The data can follow
2354 the -F or be in the next argument. */
2359 if(++i < argc) argrest = argv[i]; else
2360 { badarg = TRUE; break; }
2362 originator_name = argrest;
2363 sender_name_forced = TRUE;
2367 /* -f: Set sender's address - this value is only actually used if Exim is
2368 run by a trusted user, or if untrusted_set_sender is set and matches the
2369 address, except that the null address can always be set by any user. The
2370 test for this happens later, when the value given here is ignored when not
2371 permitted. For an untrusted user, the actual sender is still put in Sender:
2372 if it doesn't match the From: header (unless no_local_from_check is set).
2373 The data can follow the -f or be in the next argument. The -r switch is an
2374 obsolete form of -f but since there appear to be programs out there that
2375 use anything that sendmail has ever supported, better accept it - the
2376 synonymizing is done before the switch above.
2378 At this stage, we must allow domain literal addresses, because we don't
2379 know what the setting of allow_domain_literals is yet. Ditto for trailing
2380 dots and strip_trailing_dot. */
2388 if (i+1 < argc) argrest = argv[++i]; else
2389 { badarg = TRUE; break; }
2393 sender_address = string_sprintf(""); /* Ensure writeable memory */
2397 uschar *temp = argrest + Ustrlen(argrest) - 1;
2398 while (temp >= argrest && isspace(*temp)) temp--;
2399 if (temp >= argrest && *temp == '.') f_end_dot = TRUE;
2400 allow_domain_literals = TRUE;
2401 strip_trailing_dot = TRUE;
2402 sender_address = parse_extract_address(argrest, &errmess, &start, &end,
2403 &sender_address_domain, TRUE);
2404 allow_domain_literals = FALSE;
2405 strip_trailing_dot = FALSE;
2406 if (sender_address == NULL)
2408 fprintf(stderr, "exim: bad -f address \"%s\": %s\n", argrest, errmess);
2409 return EXIT_FAILURE;
2412 sender_address_forced = TRUE;
2416 /* This is some Sendmail thing which can be ignored */
2421 /* -h: Set the hop count for an incoming message. Exim does not currently
2422 support this; it always computes it by counting the Received: headers.
2423 To put it in will require a change to the spool header file format. */
2428 if(++i < argc) argrest = argv[i]; else
2429 { badarg = TRUE; break; }
2431 if (!isdigit(*argrest)) badarg = TRUE;
2435 /* -i: Set flag so dot doesn't end non-SMTP input (same as -oi, seems
2436 not to be documented for sendmail but mailx (at least) uses it) */
2439 if (*argrest == 0) dot_ends = FALSE; else badarg = TRUE;
2444 receiving_message = FALSE;
2446 /* -MC: continue delivery of another message via an existing open
2447 file descriptor. This option is used for an internal call by the
2448 smtp transport when there is a pending message waiting to go to an
2449 address to which it has got a connection. Five subsequent arguments are
2450 required: transport name, host name, IP address, sequence number, and
2451 message_id. Transports may decline to create new processes if the sequence
2452 number gets too big. The channel is stdin. This (-MC) must be the last
2453 argument. There's a subsequent check that the real-uid is privileged.
2455 If we are running in the test harness. delay for a bit, to let the process
2456 that set this one up complete. This makes for repeatability of the logging,
2459 if (Ustrcmp(argrest, "C") == 0)
2461 union sockaddr_46 interface_sock;
2462 EXIM_SOCKLEN_T size = sizeof(interface_sock);
2466 fprintf(stderr, "exim: too many or too few arguments after -MC\n");
2467 return EXIT_FAILURE;
2470 if (msg_action_arg >= 0)
2472 fprintf(stderr, "exim: incompatible arguments\n");
2473 return EXIT_FAILURE;
2476 continue_transport = argv[++i];
2477 continue_hostname = argv[++i];
2478 continue_host_address = argv[++i];
2479 continue_sequence = Uatoi(argv[++i]);
2480 msg_action = MSG_DELIVER;
2481 msg_action_arg = ++i;
2482 forced_delivery = TRUE;
2483 queue_run_pid = passed_qr_pid;
2484 queue_run_pipe = passed_qr_pipe;
2486 if (!mac_ismsgid(argv[i]))
2488 fprintf(stderr, "exim: malformed message id %s after -MC option\n",
2490 return EXIT_FAILURE;
2493 /* Set up $sending_ip_address and $sending_port */
2495 if (getsockname(fileno(stdin), (struct sockaddr *)(&interface_sock),
2497 sending_ip_address = host_ntoa(-1, &interface_sock, NULL,
2501 fprintf(stderr, "exim: getsockname() failed after -MC option: %s\n",
2503 return EXIT_FAILURE;
2506 if (running_in_test_harness) millisleep(500);
2510 /* -MCA: set the smtp_authenticated flag; this is useful only when it
2511 precedes -MC (see above). The flag indicates that the host to which
2512 Exim is connected has accepted an AUTH sequence. */
2514 else if (Ustrcmp(argrest, "CA") == 0)
2516 smtp_authenticated = TRUE;
2520 /* -MCP: set the smtp_use_pipelining flag; this is useful only when
2521 it preceded -MC (see above) */
2523 else if (Ustrcmp(argrest, "CP") == 0)
2525 smtp_use_pipelining = TRUE;
2529 /* -MCQ: pass on the pid of the queue-running process that started
2530 this chain of deliveries and the fd of its synchronizing pipe; this
2531 is useful only when it precedes -MC (see above) */
2533 else if (Ustrcmp(argrest, "CQ") == 0)
2535 if(++i < argc) passed_qr_pid = (pid_t)(Uatol(argv[i]));
2537 if(++i < argc) passed_qr_pipe = (int)(Uatol(argv[i]));
2542 /* -MCS: set the smtp_use_size flag; this is useful only when it
2543 precedes -MC (see above) */
2545 else if (Ustrcmp(argrest, "CS") == 0)
2547 smtp_use_size = TRUE;
2551 /* -MCT: set the tls_offered flag; this is useful only when it
2552 precedes -MC (see above). The flag indicates that the host to which
2553 Exim is connected has offered TLS support. */
2556 else if (Ustrcmp(argrest, "CT") == 0)
2563 /* -M[x]: various operations on the following list of message ids:
2564 -M deliver the messages, ignoring next retry times and thawing
2565 -Mc deliver the messages, checking next retry times, no thawing
2566 -Mf freeze the messages
2567 -Mg give up on the messages
2568 -Mt thaw the messages
2569 -Mrm remove the messages
2570 In the above cases, this must be the last option. There are also the
2571 following options which are followed by a single message id, and which
2572 act on that message. Some of them use the "recipient" addresses as well.
2573 -Mar add recipient(s)
2574 -Mmad mark all recipients delivered
2575 -Mmd mark recipients(s) delivered
2577 -Mset load a message for use with -be
2579 -Mvc show copy (of whole message, in RFC 2822 format)
2584 else if (*argrest == 0)
2586 msg_action = MSG_DELIVER;
2587 forced_delivery = deliver_force_thaw = TRUE;
2589 else if (Ustrcmp(argrest, "ar") == 0)
2591 msg_action = MSG_ADD_RECIPIENT;
2592 one_msg_action = TRUE;
2594 else if (Ustrcmp(argrest, "c") == 0) msg_action = MSG_DELIVER;
2595 else if (Ustrcmp(argrest, "es") == 0)
2597 msg_action = MSG_EDIT_SENDER;
2598 one_msg_action = TRUE;
2600 else if (Ustrcmp(argrest, "f") == 0) msg_action = MSG_FREEZE;
2601 else if (Ustrcmp(argrest, "g") == 0)
2603 msg_action = MSG_DELIVER;
2604 deliver_give_up = TRUE;
2606 else if (Ustrcmp(argrest, "mad") == 0)
2608 msg_action = MSG_MARK_ALL_DELIVERED;
2610 else if (Ustrcmp(argrest, "md") == 0)
2612 msg_action = MSG_MARK_DELIVERED;
2613 one_msg_action = TRUE;
2615 else if (Ustrcmp(argrest, "rm") == 0) msg_action = MSG_REMOVE;
2616 else if (Ustrcmp(argrest, "set") == 0)
2618 msg_action = MSG_LOAD;
2619 one_msg_action = TRUE;
2621 else if (Ustrcmp(argrest, "t") == 0) msg_action = MSG_THAW;
2622 else if (Ustrcmp(argrest, "vb") == 0)
2624 msg_action = MSG_SHOW_BODY;
2625 one_msg_action = TRUE;
2627 else if (Ustrcmp(argrest, "vc") == 0)
2629 msg_action = MSG_SHOW_COPY;
2630 one_msg_action = TRUE;
2632 else if (Ustrcmp(argrest, "vh") == 0)
2634 msg_action = MSG_SHOW_HEADER;
2635 one_msg_action = TRUE;
2637 else if (Ustrcmp(argrest, "vl") == 0)
2639 msg_action = MSG_SHOW_LOG;
2640 one_msg_action = TRUE;
2642 else { badarg = TRUE; break; }
2644 /* All the -Mxx options require at least one message id. */
2646 msg_action_arg = i + 1;
2647 if (msg_action_arg >= argc)
2649 fprintf(stderr, "exim: no message ids given after %s option\n", arg);
2650 return EXIT_FAILURE;
2653 /* Some require only message ids to follow */
2655 if (!one_msg_action)
2658 for (j = msg_action_arg; j < argc; j++) if (!mac_ismsgid(argv[j]))
2660 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2662 return EXIT_FAILURE;
2664 goto END_ARG; /* Remaining args are ids */
2667 /* Others require only one message id, possibly followed by addresses,
2668 which will be handled as normal arguments. */
2672 if (!mac_ismsgid(argv[msg_action_arg]))
2674 fprintf(stderr, "exim: malformed message id %s after %s option\n",
2675 argv[msg_action_arg], arg);
2676 return EXIT_FAILURE;
2683 /* Some programs seem to call the -om option without the leading o;
2684 for sendmail it askes for "me too". Exim always does this. */
2687 if (*argrest != 0) badarg = TRUE;
2691 /* -N: don't do delivery - a debugging option that stops transports doing
2692 their thing. It implies debugging at the D_v level. */
2697 dont_deliver = TRUE;
2698 debug_selector |= D_v;
2699 debug_file = stderr;
2705 /* -n: This means "don't alias" in sendmail, apparently. Just ignore
2711 /* -O: Just ignore it. In sendmail, apparently -O option=value means set
2712 option to the specified value. This form uses long names. We need to handle
2713 -O option=value and -Ooption=value. */
2720 fprintf(stderr, "exim: string expected after -O\n");
2728 /* -oA: Set an argument for the bi command (sendmail's "alternate alias
2731 if (*argrest == 'A')
2733 alias_arg = argrest + 1;
2734 if (alias_arg[0] == 0)
2736 if (i+1 < argc) alias_arg = argv[++i]; else
2738 fprintf(stderr, "exim: string expected after -oA\n");
2744 /* -oB: Set a connection message max value for remote deliveries */
2746 else if (*argrest == 'B')
2748 uschar *p = argrest + 1;
2751 if (i+1 < argc && isdigit((argv[i+1][0]))) p = argv[++i]; else
2753 connection_max_messages = 1;
2762 fprintf(stderr, "exim: number expected after -oB\n");
2765 connection_max_messages = Uatoi(p);
2769 /* -odb: background delivery */
2771 else if (Ustrcmp(argrest, "db") == 0)
2773 synchronous_delivery = FALSE;
2774 arg_queue_only = FALSE;
2775 queue_only_set = TRUE;
2778 /* -odf: foreground delivery (smail-compatible option); same effect as
2779 -odi: interactive (synchronous) delivery (sendmail-compatible option)
2782 else if (Ustrcmp(argrest, "df") == 0 || Ustrcmp(argrest, "di") == 0)
2784 synchronous_delivery = TRUE;
2785 arg_queue_only = FALSE;
2786 queue_only_set = TRUE;
2789 /* -odq: queue only */
2791 else if (Ustrcmp(argrest, "dq") == 0)
2793 synchronous_delivery = FALSE;
2794 arg_queue_only = TRUE;
2795 queue_only_set = TRUE;
2798 /* -odqs: queue SMTP only - do local deliveries and remote routing,
2799 but no remote delivery */
2801 else if (Ustrcmp(argrest, "dqs") == 0)
2804 arg_queue_only = FALSE;
2805 queue_only_set = TRUE;
2808 /* -oex: Sendmail error flags. As these are also accepted without the
2809 leading -o prefix, for compatibility with vacation and other callers,
2810 they are handled with -e above. */
2812 /* -oi: Set flag so dot doesn't end non-SMTP input (same as -i)
2813 -oitrue: Another sendmail syntax for the same */
2815 else if (Ustrcmp(argrest, "i") == 0 ||
2816 Ustrcmp(argrest, "itrue") == 0)
2819 /* -oM*: Set various characteristics for an incoming message; actually
2820 acted on for trusted callers only. */
2822 else if (*argrest == 'M')
2826 fprintf(stderr, "exim: data expected after -o%s\n", argrest);
2830 /* -oMa: Set sender host address */
2832 if (Ustrcmp(argrest, "Ma") == 0) sender_host_address = argv[++i];
2834 /* -oMaa: Set authenticator name */
2836 else if (Ustrcmp(argrest, "Maa") == 0)
2837 sender_host_authenticated = argv[++i];
2839 /* -oMas: setting authenticated sender */
2841 else if (Ustrcmp(argrest, "Mas") == 0) authenticated_sender = argv[++i];
2843 /* -oMai: setting authenticated id */
2845 else if (Ustrcmp(argrest, "Mai") == 0) authenticated_id = argv[++i];
2847 /* -oMi: Set incoming interface address */
2849 else if (Ustrcmp(argrest, "Mi") == 0) interface_address = argv[++i];
2851 /* -oMr: Received protocol */
2853 else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
2855 /* -oMs: Set sender host name */
2857 else if (Ustrcmp(argrest, "Ms") == 0) sender_host_name = argv[++i];
2859 /* -oMt: Set sender ident */
2861 else if (Ustrcmp(argrest, "Mt") == 0)
2863 sender_ident_set = TRUE;
2864 sender_ident = argv[++i];
2867 /* Else a bad argument */
2876 /* -om: Me-too flag for aliases. Exim always does this. Some programs
2877 seem to call this as -m (undocumented), so that is also accepted (see
2880 else if (Ustrcmp(argrest, "m") == 0) {}
2882 /* -oo: An ancient flag for old-style addresses which still seems to
2883 crop up in some calls (see in SCO). */
2885 else if (Ustrcmp(argrest, "o") == 0) {}
2887 /* -oP <name>: set pid file path for daemon */
2889 else if (Ustrcmp(argrest, "P") == 0)
2890 override_pid_file_path = argv[++i];
2892 /* -or <n>: set timeout for non-SMTP acceptance
2893 -os <n>: set timeout for SMTP acceptance */
2895 else if (*argrest == 'r' || *argrest == 's')
2897 int *tp = (*argrest == 'r')?
2898 &arg_receive_timeout : &arg_smtp_receive_timeout;
2899 if (argrest[1] == 0)
2901 if (i+1 < argc) *tp= readconf_readtime(argv[++i], 0, FALSE);
2903 else *tp = readconf_readtime(argrest + 1, 0, FALSE);
2906 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
2911 /* -oX <list>: Override local_interfaces and/or default daemon ports */
2913 else if (Ustrcmp(argrest, "X") == 0)
2914 override_local_interfaces = argv[++i];
2916 /* Unknown -o argument */
2922 /* -ps: force Perl startup; -pd force delayed Perl startup */
2926 if (*argrest == 's' && argrest[1] == 0)
2928 perl_start_option = 1;
2931 if (*argrest == 'd' && argrest[1] == 0)
2933 perl_start_option = -1;
2938 /* -panythingelse is taken as the Sendmail-compatible argument -prval:sval,
2939 which sets the host protocol and host name */
2943 if (i+1 < argc) argrest = argv[++i]; else
2944 { badarg = TRUE; break; }
2949 uschar *hn = Ustrchr(argrest, ':');
2952 received_protocol = argrest;
2956 received_protocol = string_copyn(argrest, hn - argrest);
2957 sender_host_name = hn + 1;
2964 receiving_message = FALSE;
2965 if (queue_interval >= 0)
2967 fprintf(stderr, "exim: -q specified more than once\n");
2971 /* -qq...: Do queue runs in a 2-stage manner */
2973 if (*argrest == 'q')
2975 queue_2stage = TRUE;
2979 /* -qi...: Do only first (initial) deliveries */
2981 if (*argrest == 'i')
2983 queue_run_first_delivery = TRUE;
2987 /* -qf...: Run the queue, forcing deliveries
2988 -qff..: Ditto, forcing thawing as well */
2990 if (*argrest == 'f')
2992 queue_run_force = TRUE;
2993 if (*(++argrest) == 'f')
2995 deliver_force_thaw = TRUE;
3000 /* -q[f][f]l...: Run the queue only on local deliveries */
3002 if (*argrest == 'l')
3004 queue_run_local = TRUE;
3008 /* -q[f][f][l]: Run the queue, optionally forced, optionally local only,
3009 optionally starting from a given message id. */
3011 if (*argrest == 0 &&
3012 (i + 1 >= argc || argv[i+1][0] == '-' || mac_ismsgid(argv[i+1])))
3015 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3016 start_queue_run_id = argv[++i];
3017 if (i+1 < argc && mac_ismsgid(argv[i+1]))
3018 stop_queue_run_id = argv[++i];
3021 /* -q[f][f][l]<n>: Run the queue at regular intervals, optionally forced,
3022 optionally local only. */
3027 queue_interval = readconf_readtime(argrest, 0, FALSE);
3029 queue_interval = readconf_readtime(argv[++i], 0, FALSE);
3030 if (queue_interval <= 0)
3032 fprintf(stderr, "exim: bad time value %s: abandoned\n", argv[i]);
3039 case 'R': /* Synonymous with -qR... */
3040 receiving_message = FALSE;
3042 /* -Rf: As -R (below) but force all deliveries,
3043 -Rff: Ditto, but also thaw all frozen messages,
3044 -Rr: String is regex
3045 -Rrf: Regex and force
3046 -Rrff: Regex and force and thaw
3048 in all cases provided there are no further characters in this
3054 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3056 if (Ustrcmp(argrest, rsopts[i]) == 0)
3058 if (i != 2) queue_run_force = TRUE;
3059 if (i >= 2) deliver_selectstring_regex = TRUE;
3060 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3061 argrest += Ustrlen(rsopts[i]);
3066 /* -R: Set string to match in addresses for forced queue run to
3067 pick out particular messages. */
3071 if (i+1 < argc) deliver_selectstring = argv[++i]; else
3073 fprintf(stderr, "exim: string expected after -R\n");
3077 else deliver_selectstring = argrest;
3081 /* -r: an obsolete synonym for -f (see above) */
3084 /* -S: Like -R but works on sender. */
3086 case 'S': /* Synonymous with -qS... */
3087 receiving_message = FALSE;
3089 /* -Sf: As -S (below) but force all deliveries,
3090 -Sff: Ditto, but also thaw all frozen messages,
3091 -Sr: String is regex
3092 -Srf: Regex and force
3093 -Srff: Regex and force and thaw
3095 in all cases provided there are no further characters in this
3101 for (i = 0; i < sizeof(rsopts)/sizeof(uschar *); i++)
3103 if (Ustrcmp(argrest, rsopts[i]) == 0)
3105 if (i != 2) queue_run_force = TRUE;
3106 if (i >= 2) deliver_selectstring_sender_regex = TRUE;
3107 if (i == 1 || i == 4) deliver_force_thaw = TRUE;
3108 argrest += Ustrlen(rsopts[i]);
3113 /* -S: Set string to match in addresses for forced queue run to
3114 pick out particular messages. */
3118 if (i+1 < argc) deliver_selectstring_sender = argv[++i]; else
3120 fprintf(stderr, "exim: string expected after -S\n");
3124 else deliver_selectstring_sender = argrest;
3127 /* -Tqt is an option that is exclusively for use by the testing suite.
3128 It is not recognized in other circumstances. It allows for the setting up
3129 of explicit "queue times" so that various warning/retry things can be
3130 tested. Otherwise variability of clock ticks etc. cause problems. */
3133 if (running_in_test_harness && Ustrcmp(argrest, "qt") == 0)
3134 fudged_queue_times = argv[++i];
3139 /* -t: Set flag to extract recipients from body of message. */
3142 if (*argrest == 0) extract_recipients = TRUE;
3144 /* -ti: Set flag to extract recipients from body of message, and also
3145 specify that dot does not end the message. */
3147 else if (Ustrcmp(argrest, "i") == 0)
3149 extract_recipients = TRUE;
3153 /* -tls-on-connect: don't wait for STARTTLS (for old clients) */
3156 else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_on_connect = TRUE;
3163 /* -U: This means "initial user submission" in sendmail, apparently. The
3164 doc claims that in future sendmail may refuse syntactically invalid
3165 messages instead of fixing them. For the moment, we just ignore it. */
3171 /* -v: verify things - this is a very low-level debugging */
3176 debug_selector |= D_v;
3177 debug_file = stderr;
3183 /* -x: AIX uses this to indicate some fancy 8-bit character stuff:
3185 The -x flag tells the sendmail command that mail from a local
3186 mail program has National Language Support (NLS) extended characters
3187 in the body of the mail item. The sendmail command can send mail with
3188 extended NLS characters across networks that normally corrupts these
3191 As Exim is 8-bit clean, it just ignores this flag. */
3194 if (*argrest != 0) badarg = TRUE;
3197 /* All other initial characters are errors */
3202 } /* End of high-level switch statement */
3204 /* Failed to recognize the option, or syntax error */
3208 fprintf(stderr, "exim abandoned: unknown, malformed, or incomplete "
3209 "option %s\n", arg);
3215 /* If -R or -S have been specified without -q, assume a single queue run. */
3217 if ((deliver_selectstring != NULL || deliver_selectstring_sender != NULL) &&
3218 queue_interval < 0) queue_interval = 0;
3222 /* If usage_wanted is set we call the usage function - which never returns */
3223 if (usage_wanted) exim_usage(called_as);
3225 /* Arguments have been processed. Check for incompatibilities. */
3227 (smtp_input || extract_recipients || recipients_arg < argc) &&
3228 (daemon_listen || queue_interval >= 0 || bi_option ||
3229 test_retry_arg >= 0 || test_rewrite_arg >= 0 ||
3230 filter_test != FTEST_NONE || (msg_action_arg > 0 && !one_msg_action))
3233 msg_action_arg > 0 &&
3234 (daemon_listen || queue_interval >= 0 || list_options ||
3235 (checking && msg_action != MSG_LOAD) ||
3236 bi_option || test_retry_arg >= 0 || test_rewrite_arg >= 0)
3239 (daemon_listen || queue_interval >= 0) &&
3240 (sender_address != NULL || list_options || list_queue || checking ||
3244 daemon_listen && queue_interval == 0
3247 inetd_wait_mode && queue_interval >= 0
3251 (checking || smtp_input || extract_recipients ||
3252 filter_test != FTEST_NONE || bi_option)
3255 verify_address_mode &&
3256 (address_test_mode || smtp_input || extract_recipients ||
3257 filter_test != FTEST_NONE || bi_option)
3260 address_test_mode && (smtp_input || extract_recipients ||
3261 filter_test != FTEST_NONE || bi_option)
3264 smtp_input && (sender_address != NULL || filter_test != FTEST_NONE ||
3268 deliver_selectstring != NULL && queue_interval < 0
3271 msg_action == MSG_LOAD &&
3272 (!expansion_test || expansion_test_message != NULL)
3276 fprintf(stderr, "exim: incompatible command-line options or arguments\n");
3280 /* If debugging is set up, set the file and the file descriptor to pass on to
3281 child processes. It should, of course, be 2 for stderr. Also, force the daemon
3282 to run in the foreground. */
3284 if (debug_selector != 0)
3286 debug_file = stderr;
3287 debug_fd = fileno(debug_file);
3288 background_daemon = FALSE;
3289 if (running_in_test_harness) millisleep(100); /* lets caller finish */
3290 if (debug_selector != D_v) /* -v only doesn't show this */
3292 debug_printf("Exim version %s uid=%ld gid=%ld pid=%d D=%x\n",
3293 version_string, (long int)real_uid, (long int)real_gid, (int)getpid(),
3295 if (!version_printed)
3296 show_whats_supported(stderr);
3300 /* When started with root privilege, ensure that the limits on the number of
3301 open files and the number of processes (where that is accessible) are
3302 sufficiently large, or are unset, in case Exim has been called from an
3303 environment where the limits are screwed down. Not all OS have the ability to
3304 change some of these limits. */
3308 DEBUG(D_any) debug_print_ids(US"Exim has no root privilege:");
3314 #ifdef RLIMIT_NOFILE
3315 if (getrlimit(RLIMIT_NOFILE, &rlp) < 0)
3317 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NOFILE) failed: %s",
3319 rlp.rlim_cur = rlp.rlim_max = 0;
3322 /* I originally chose 1000 as a nice big number that was unlikely to
3323 be exceeded. It turns out that some older OS have a fixed upper limit of
3326 if (rlp.rlim_cur < 1000)
3328 rlp.rlim_cur = rlp.rlim_max = 1000;
3329 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3331 rlp.rlim_cur = rlp.rlim_max = 256;
3332 if (setrlimit(RLIMIT_NOFILE, &rlp) < 0)
3333 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NOFILE) failed: %s",
3340 if (getrlimit(RLIMIT_NPROC, &rlp) < 0)
3342 log_write(0, LOG_MAIN|LOG_PANIC, "getrlimit(RLIMIT_NPROC) failed: %s",
3344 rlp.rlim_cur = rlp.rlim_max = 0;
3347 #ifdef RLIM_INFINITY
3348 if (rlp.rlim_cur != RLIM_INFINITY && rlp.rlim_cur < 1000)
3350 rlp.rlim_cur = rlp.rlim_max = RLIM_INFINITY;
3352 if (rlp.rlim_cur < 1000)
3354 rlp.rlim_cur = rlp.rlim_max = 1000;
3356 if (setrlimit(RLIMIT_NPROC, &rlp) < 0)
3357 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_NPROC) failed: %s",
3363 /* Exim is normally entered as root (but some special configurations are
3364 possible that don't do this). However, it always spins off sub-processes that
3365 set their uid and gid as required for local delivery. We don't want to pass on
3366 any extra groups that root may belong to, so we want to get rid of them all at
3369 We need to obey setgroups() at this stage, before possibly giving up root
3370 privilege for a changed configuration file, but later on we might need to
3371 check on the additional groups for the admin user privilege - can't do that
3372 till after reading the config, which might specify the exim gid. Therefore,
3373 save the group list here first. */
3375 group_count = getgroups(NGROUPS_MAX, group_list);
3376 if (group_count < 0)
3378 fprintf(stderr, "exim: getgroups() failed: %s\n", strerror(errno));
3382 /* There is a fundamental difference in some BSD systems in the matter of
3383 groups. FreeBSD and BSDI are known to be different; NetBSD and OpenBSD are
3384 known not to be different. On the "different" systems there is a single group
3385 list, and the first entry in it is the current group. On all other versions of
3386 Unix there is a supplementary group list, which is in *addition* to the current
3387 group. Consequently, to get rid of all extraneous groups on a "standard" system
3388 you pass over 0 groups to setgroups(), while on a "different" system you pass
3389 over a single group - the current group, which is always the first group in the
3390 list. Calling setgroups() with zero groups on a "different" system results in
3391 an error return. The following code should cope with both types of system.
3393 However, if this process isn't running as root, setgroups() can't be used
3394 since you have to be root to run it, even if throwing away groups. Not being
3395 root here happens only in some unusual configurations. We just ignore the
3398 if (setgroups(0, NULL) != 0)
3400 if (setgroups(1, group_list) != 0 && !unprivileged)
3402 fprintf(stderr, "exim: setgroups() failed: %s\n", strerror(errno));
3407 /* If the configuration file name has been altered by an argument on the
3408 command line (either a new file name or a macro definition) and the caller is
3409 not root, or if this is a filter testing run, remove any setuid privilege the
3410 program has and run as the underlying user.
3412 The exim user is locked out of this, which severely restricts the use of -C
3415 Otherwise, set the real ids to the effective values (should be root unless run
3416 from inetd, which it can either be root or the exim uid, if one is configured).
3418 There is a private mechanism for bypassing some of this, in order to make it
3419 possible to test lots of configurations automatically, without having either to
3420 recompile each time, or to patch in an actual configuration file name and other
3421 values (such as the path name). If running in the test harness, pretend that
3422 configuration file changes and macro definitions haven't happened. */
3425 (!trusted_config || /* Config changed, or */
3426 !macros_trusted()) && /* impermissible macros and */
3427 real_uid != root_uid && /* Not root, and */
3428 !running_in_test_harness /* Not fudged */
3430 expansion_test /* expansion testing */
3432 filter_test != FTEST_NONE) /* Filter testing */
3434 setgroups(group_count, group_list);
3435 exim_setugid(real_uid, real_gid, FALSE,
3436 US"-C, -D, -be or -bf forces real uid");
3437 removed_privilege = TRUE;
3439 /* In the normal case when Exim is called like this, stderr is available
3440 and should be used for any logging information because attempts to write
3441 to the log will usually fail. To arrange this, we unset really_exim. However,
3442 if no stderr is available there is no point - we might as well have a go
3443 at the log (if it fails, syslog will be written).
3445 Note that if the invoker is Exim, the logs remain available. Messing with
3446 this causes unlogged successful deliveries. */
3448 if ((log_stderr != NULL) && (real_uid != exim_uid))
3449 really_exim = FALSE;
3452 /* Privilege is to be retained for the moment. It may be dropped later,
3453 depending on the job that this Exim process has been asked to do. For now, set
3454 the real uid to the effective so that subsequent re-execs of Exim are done by a
3457 else exim_setugid(geteuid(), getegid(), FALSE, US"forcing real = effective");
3459 /* If testing a filter, open the file(s) now, before wasting time doing other
3460 setups and reading the message. */
3462 if ((filter_test & FTEST_SYSTEM) != 0)
3464 filter_sfd = Uopen(filter_test_sfile, O_RDONLY, 0);
3467 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_sfile,
3469 return EXIT_FAILURE;
3473 if ((filter_test & FTEST_USER) != 0)
3475 filter_ufd = Uopen(filter_test_ufile, O_RDONLY, 0);
3478 fprintf(stderr, "exim: failed to open %s: %s\n", filter_test_ufile,
3480 return EXIT_FAILURE;
3484 /* Initialise lookup_list
3485 If debugging, already called above via version reporting.
3486 In either case, we initialise the list of available lookups while running
3487 as root. All dynamically modules are loaded from a directory which is
3488 hard-coded into the binary and is code which, if not a module, would be
3489 part of Exim already. Ability to modify the content of the directory
3490 is equivalent to the ability to modify a setuid binary!
3492 This needs to happen before we read the main configuration. */
3495 /* Read the main runtime configuration data; this gives up if there
3496 is a failure. It leaves the configuration file open so that the subsequent
3497 configuration data for delivery can be read if needed. */
3501 /* Handle the decoding of logging options. */
3503 decode_bits(&log_write_selector, &log_extra_selector, 0, 0,
3504 log_selector_string, log_options, log_options_count, US"log", 0);
3508 debug_printf("configuration file is %s\n", config_main_filename);
3509 debug_printf("log selectors = %08x %08x\n", log_write_selector,
3510 log_extra_selector);
3513 /* If domain literals are not allowed, check the sender address that was
3514 supplied with -f. Ditto for a stripped trailing dot. */
3516 if (sender_address != NULL)
3518 if (sender_address[sender_address_domain] == '[' && !allow_domain_literals)
3520 fprintf(stderr, "exim: bad -f address \"%s\": domain literals not "
3521 "allowed\n", sender_address);
3522 return EXIT_FAILURE;
3524 if (f_end_dot && !strip_trailing_dot)
3526 fprintf(stderr, "exim: bad -f address \"%s.\": domain is malformed "
3527 "(trailing dot not allowed)\n", sender_address);
3528 return EXIT_FAILURE;
3532 /* Paranoia check of maximum lengths of certain strings. There is a check
3533 on the length of the log file path in log.c, which will come into effect
3534 if there are any calls to write the log earlier than this. However, if we
3535 get this far but the string is very long, it is better to stop now than to
3536 carry on and (e.g.) receive a message and then have to collapse. The call to
3537 log_write() from here will cause the ultimate panic collapse if the complete
3538 file name exceeds the buffer length. */
3540 if (Ustrlen(log_file_path) > 200)
3541 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3542 "log_file_path is longer than 200 chars: aborting");
3544 if (Ustrlen(pid_file_path) > 200)
3545 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3546 "pid_file_path is longer than 200 chars: aborting");
3548 if (Ustrlen(spool_directory) > 200)
3549 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3550 "spool_directory is longer than 200 chars: aborting");
3552 /* Length check on the process name given to syslog for its TAG field,
3553 which is only permitted to be 32 characters or less. See RFC 3164. */
3555 if (Ustrlen(syslog_processname) > 32)
3556 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
3557 "syslog_processname is longer than 32 chars: aborting");
3559 /* In some operating systems, the environment variable TMPDIR controls where
3560 temporary files are created; Exim doesn't use these (apart from when delivering
3561 to MBX mailboxes), but called libraries such as DBM libraries may require them.
3562 If TMPDIR is found in the environment, reset it to the value defined in the
3563 TMPDIR macro, if this macro is defined. */
3568 for (p = USS environ; *p != NULL; p++)
3570 if (Ustrncmp(*p, "TMPDIR=", 7) == 0 &&
3571 Ustrcmp(*p+7, TMPDIR) != 0)
3573 uschar *newp = malloc(Ustrlen(TMPDIR) + 8);
3574 sprintf(CS newp, "TMPDIR=%s", TMPDIR);
3576 DEBUG(D_any) debug_printf("reset TMPDIR=%s in environment\n", TMPDIR);
3582 /* Timezone handling. If timezone_string is "utc", set a flag to cause all
3583 timestamps to be in UTC (gmtime() is used instead of localtime()). Otherwise,
3584 we may need to get rid of a bogus timezone setting. This can arise when Exim is
3585 called by a user who has set the TZ variable. This then affects the timestamps
3586 in log files and in Received: headers, and any created Date: header lines. The
3587 required timezone is settable in the configuration file, so nothing can be done
3588 about this earlier - but hopefully nothing will normally be logged earlier than
3589 this. We have to make a new environment if TZ is wrong, but don't bother if
3590 timestamps_utc is set, because then all times are in UTC anyway. */
3592 if (timezone_string != NULL && strcmpic(timezone_string, US"UTC") == 0)
3594 timestamps_utc = TRUE;
3598 uschar *envtz = US getenv("TZ");
3599 if ((envtz == NULL && timezone_string != NULL) ||
3601 (timezone_string == NULL ||
3602 Ustrcmp(timezone_string, envtz) != 0)))
3604 uschar **p = USS environ;
3608 while (*p++ != NULL) count++;
3609 if (envtz == NULL) count++;
3610 newp = new = malloc(sizeof(uschar *) * (count + 1));
3611 for (p = USS environ; *p != NULL; p++)
3613 if (Ustrncmp(*p, "TZ=", 3) == 0) continue;
3616 if (timezone_string != NULL)
3618 *newp = malloc(Ustrlen(timezone_string) + 4);
3619 sprintf(CS *newp++, "TZ=%s", timezone_string);
3624 DEBUG(D_any) debug_printf("Reset TZ to %s: time is %s\n", timezone_string,
3625 tod_stamp(tod_log));
3629 /* Handle the case when we have removed the setuid privilege because of -C or
3630 -D. This means that the caller of Exim was not root.
3632 There is a problem if we were running as the Exim user. The sysadmin may
3633 expect this case to retain privilege because "the binary was called by the
3634 Exim user", but it hasn't, because either the -D option set macros, or the
3635 -C option set a non-trusted configuration file. There are two possibilities:
3637 (1) If deliver_drop_privilege is set, Exim is not going to re-exec in order
3638 to do message deliveries. Thus, the fact that it is running as a
3639 non-privileged user is plausible, and might be wanted in some special
3640 configurations. However, really_exim will have been set false when
3641 privilege was dropped, to stop Exim trying to write to its normal log
3642 files. Therefore, re-enable normal log processing, assuming the sysadmin
3643 has set up the log directory correctly.
3645 (2) If deliver_drop_privilege is not set, the configuration won't work as
3646 apparently intended, and so we log a panic message. In order to retain
3647 root for -C or -D, the caller must either be root or be invoking a
3648 trusted configuration file (when deliver_drop_privilege is false). */
3650 if (removed_privilege && (!trusted_config || macros != NULL) &&
3651 real_uid == exim_uid)
3653 if (deliver_drop_privilege)
3654 really_exim = TRUE; /* let logging work normally */
3656 log_write(0, LOG_MAIN|LOG_PANIC,
3657 "exim user lost privilege for using %s option",
3658 trusted_config? "-D" : "-C");
3661 /* Start up Perl interpreter if Perl support is configured and there is a
3662 perl_startup option, and the configuration or the command line specifies
3663 initializing starting. Note that the global variables are actually called
3664 opt_perl_xxx to avoid clashing with perl's namespace (perl_*). */
3667 if (perl_start_option != 0)
3668 opt_perl_at_start = (perl_start_option > 0);
3669 if (opt_perl_at_start && opt_perl_startup != NULL)
3672 DEBUG(D_any) debug_printf("Starting Perl interpreter\n");
3673 errstr = init_perl(opt_perl_startup);
3676 fprintf(stderr, "exim: error in perl_startup code: %s\n", errstr);
3677 return EXIT_FAILURE;
3679 opt_perl_started = TRUE;
3681 #endif /* EXIM_PERL */
3683 /* Log the arguments of the call if the configuration file said so. This is
3684 a debugging feature for finding out what arguments certain MUAs actually use.
3685 Don't attempt it if logging is disabled, or if listing variables or if
3686 verifying/testing addresses or expansions. */
3688 if (((debug_selector & D_any) != 0 || (log_extra_selector & LX_arguments) != 0)
3689 && really_exim && !list_options && !checking)
3692 uschar *p = big_buffer;
3694 (void)getcwd(CS p+4, big_buffer_size - 4);
3696 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
3698 for (i = 0; i < argc; i++)
3700 int len = Ustrlen(argv[i]);
3703 if (p + len + 8 >= big_buffer + big_buffer_size)
3706 log_write(0, LOG_MAIN, "%s", big_buffer);
3707 Ustrcpy(big_buffer, "...");
3710 printing = string_printing(argv[i]);
3711 if (printing[0] == 0) quote = US"\""; else
3713 uschar *pp = printing;
3715 while (*pp != 0) if (isspace(*pp++)) { quote = US"\""; break; }
3717 sprintf(CS p, " %s%.*s%s", quote, (int)(big_buffer_size -
3718 (p - big_buffer) - 4), printing, quote);
3722 if ((log_extra_selector & LX_arguments) != 0)
3723 log_write(0, LOG_MAIN, "%s", big_buffer);
3725 debug_printf("%s\n", big_buffer);
3728 /* Set the working directory to be the top-level spool directory. We don't rely
3729 on this in the code, which always uses fully qualified names, but it's useful
3730 for core dumps etc. Don't complain if it fails - the spool directory might not
3731 be generally accessible and calls with the -C option (and others) have lost
3732 privilege by now. Before the chdir, we try to ensure that the directory exists.
3735 if (Uchdir(spool_directory) != 0)
3737 (void)directory_make(spool_directory, US"", SPOOL_DIRECTORY_MODE, FALSE);
3738 (void)Uchdir(spool_directory);
3741 /* Handle calls with the -bi option. This is a sendmail option to rebuild *the*
3742 alias file. Exim doesn't have such a concept, but this call is screwed into
3743 Sun's YP makefiles. Handle this by calling a configured script, as the real
3744 user who called Exim. The -oA option can be used to pass an argument to the
3749 (void)fclose(config_file);
3750 if (bi_command != NULL)
3754 argv[i++] = bi_command;
3755 if (alias_arg != NULL) argv[i++] = alias_arg;
3758 setgroups(group_count, group_list);
3759 exim_setugid(real_uid, real_gid, FALSE, US"running bi_command");
3761 DEBUG(D_exec) debug_printf("exec %.256s %.256s\n", argv[0],
3762 (argv[1] == NULL)? US"" : argv[1]);
3764 execv(CS argv[0], (char *const *)argv);
3765 fprintf(stderr, "exim: exec failed: %s\n", strerror(errno));
3770 DEBUG(D_any) debug_printf("-bi used but bi_command not set; exiting\n");
3775 /* If an action on specific messages is requested, or if a daemon or queue
3776 runner is being started, we need to know if Exim was called by an admin user.
3777 This is the case if the real user is root or exim, or if the real group is
3778 exim, or if one of the supplementary groups is exim or a group listed in
3779 admin_groups. We don't fail all message actions immediately if not admin_user,
3780 since some actions can be performed by non-admin users. Instead, set admin_user
3781 for later interrogation. */
3783 if (real_uid == root_uid || real_uid == exim_uid || real_gid == exim_gid)
3788 for (i = 0; i < group_count; i++)
3790 if (group_list[i] == exim_gid) admin_user = TRUE;
3791 else if (admin_groups != NULL)
3793 for (j = 1; j <= (int)(admin_groups[0]); j++)
3794 if (admin_groups[j] == group_list[i])
3795 { admin_user = TRUE; break; }
3797 if (admin_user) break;
3801 /* Another group of privileged users are the trusted users. These are root,
3802 exim, and any caller matching trusted_users or trusted_groups. Trusted callers
3803 are permitted to specify sender_addresses with -f on the command line, and
3804 other message parameters as well. */
3806 if (real_uid == root_uid || real_uid == exim_uid)
3807 trusted_caller = TRUE;
3812 if (trusted_users != NULL)
3814 for (i = 1; i <= (int)(trusted_users[0]); i++)
3815 if (trusted_users[i] == real_uid)
3816 { trusted_caller = TRUE; break; }
3819 if (!trusted_caller && trusted_groups != NULL)
3821 for (i = 1; i <= (int)(trusted_groups[0]); i++)
3823 if (trusted_groups[i] == real_gid)
3824 trusted_caller = TRUE;
3825 else for (j = 0; j < group_count; j++)
3827 if (trusted_groups[i] == group_list[j])
3828 { trusted_caller = TRUE; break; }
3830 if (trusted_caller) break;
3835 if (trusted_caller) DEBUG(D_any) debug_printf("trusted user\n");
3836 if (admin_user) DEBUG(D_any) debug_printf("admin user\n");
3838 /* Only an admin user may start the daemon or force a queue run in the default
3839 configuration, but the queue run restriction can be relaxed. Only an admin
3840 user may request that a message be returned to its sender forthwith. Only an
3841 admin user may specify a debug level greater than D_v (because it might show
3842 passwords, etc. in lookup queries). Only an admin user may request a queue
3843 count. Only an admin user can use the test interface to scan for email
3844 (because Exim will be in the spool dir and able to look at mails). */
3848 BOOL debugset = (debug_selector & ~D_v) != 0;
3849 if (deliver_give_up || daemon_listen || malware_test_file ||
3850 (count_queue && queue_list_requires_admin) ||
3851 (list_queue && queue_list_requires_admin) ||
3852 (queue_interval >= 0 && prod_requires_admin) ||
3853 (debugset && !running_in_test_harness))
3855 fprintf(stderr, "exim:%s permission denied\n", debugset? " debugging" : "");
3860 /* If the real user is not root or the exim uid, the argument for passing
3861 in an open TCP/IP connection for another message is not permitted, nor is
3862 running with the -N option for any delivery action, unless this call to exim is
3863 one that supplied an input message, or we are using a patched exim for
3864 regression testing. */
3866 if (real_uid != root_uid && real_uid != exim_uid &&
3867 (continue_hostname != NULL ||
3869 (queue_interval >= 0 || daemon_listen || msg_action_arg > 0)
3870 )) && !running_in_test_harness)
3872 fprintf(stderr, "exim: Permission denied\n");
3873 return EXIT_FAILURE;
3876 /* If the caller is not trusted, certain arguments are ignored when running for
3877 real, but are permitted when checking things (-be, -bv, -bt, -bh, -bf, -bF).
3878 Note that authority for performing certain actions on messages is tested in the
3879 queue_action() function. */
3881 if (!trusted_caller && !checking && filter_test == FTEST_NONE)
3883 sender_host_name = sender_host_address = interface_address =
3884 sender_ident = received_protocol = NULL;
3885 sender_host_port = interface_port = 0;
3886 sender_host_authenticated = authenticated_sender = authenticated_id = NULL;
3889 /* If a sender host address is set, extract the optional port number off the
3890 end of it and check its syntax. Do the same thing for the interface address.
3891 Exim exits if the syntax is bad. */
3895 if (sender_host_address != NULL)
3896 sender_host_port = check_port(sender_host_address);
3897 if (interface_address != NULL)
3898 interface_port = check_port(interface_address);
3901 /* If an SMTP message is being received check to see if the standard input is a
3902 TCP/IP socket. If it is, we assume that Exim was called from inetd if the
3903 caller is root or the Exim user, or if the port is a privileged one. Otherwise,
3908 union sockaddr_46 inetd_sock;
3909 EXIM_SOCKLEN_T size = sizeof(inetd_sock);
3910 if (getpeername(0, (struct sockaddr *)(&inetd_sock), &size) == 0)
3912 int family = ((struct sockaddr *)(&inetd_sock))->sa_family;
3913 if (family == AF_INET || family == AF_INET6)
3915 union sockaddr_46 interface_sock;
3916 size = sizeof(interface_sock);
3918 if (getsockname(0, (struct sockaddr *)(&interface_sock), &size) == 0)
3919 interface_address = host_ntoa(-1, &interface_sock, NULL,
3922 if (host_is_tls_on_connect_port(interface_port)) tls_on_connect = TRUE;
3924 if (real_uid == root_uid || real_uid == exim_uid || interface_port < 1024)
3927 sender_host_address = host_ntoa(-1, (struct sockaddr *)(&inetd_sock),
3928 NULL, &sender_host_port);
3929 if (mua_wrapper) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Input from "
3930 "inetd is not supported when mua_wrapper is set");
3935 "exim: Permission denied (unprivileged user, unprivileged port)\n");
3936 return EXIT_FAILURE;
3942 /* If the load average is going to be needed while receiving a message, get it
3943 now for those OS that require the first call to os_getloadavg() to be done as
3944 root. There will be further calls later for each message received. */
3946 #ifdef LOAD_AVG_NEEDS_ROOT
3947 if (receiving_message &&
3948 (queue_only_load >= 0 ||
3949 (is_inetd && smtp_load_reserve >= 0)
3952 load_average = OS_GETLOADAVG();
3956 /* The queue_only configuration option can be overridden by -odx on the command
3957 line, except that if queue_only_override is false, queue_only cannot be unset
3958 from the command line. */
3960 if (queue_only_set && (queue_only_override || arg_queue_only))
3961 queue_only = arg_queue_only;
3963 /* The receive_timeout and smtp_receive_timeout options can be overridden by
3966 if (arg_receive_timeout >= 0) receive_timeout = arg_receive_timeout;
3967 if (arg_smtp_receive_timeout >= 0)
3968 smtp_receive_timeout = arg_smtp_receive_timeout;
3970 /* If Exim was started with root privilege, unless we have already removed the
3971 root privilege above as a result of -C, -D, -be, -bf or -bF, remove it now
3972 except when starting the daemon or doing some kind of delivery or address
3973 testing (-bt). These are the only cases when root need to be retained. We run
3974 as exim for -bv and -bh. However, if deliver_drop_privilege is set, root is
3975 retained only for starting the daemon. We always do the initgroups() in this
3976 situation (controlled by the TRUE below), in order to be as close as possible
3977 to the state Exim usually runs in. */
3979 if (!unprivileged && /* originally had root AND */
3980 !removed_privilege && /* still got root AND */
3981 !daemon_listen && /* not starting the daemon */
3982 queue_interval <= 0 && /* (either kind of daemon) */
3984 deliver_drop_privilege || /* requested unprivileged */
3986 queue_interval < 0 && /* not running the queue */
3987 (msg_action_arg < 0 || /* and */
3988 msg_action != MSG_DELIVER) && /* not delivering and */
3989 (!checking || !address_test_mode) /* not address checking */
3993 exim_setugid(exim_uid, exim_gid, TRUE, US"privilege not needed");
3996 /* When we are retaining a privileged uid, we still change to the exim gid. */
4001 rv = setgid(exim_gid);
4002 /* Impact of failure is that some stuff might end up with an incorrect group.
4003 We track this for failures from root, since any attempt to change privilege
4004 by root should succeed and failures should be examined. For non-root,
4005 there's no security risk. For me, it's { exim -bV } on a just-built binary,
4006 no need to complain then. */
4009 if (!(unprivileged || removed_privilege))
4012 "exim: changing group failed: %s\n", strerror(errno));
4016 DEBUG(D_any) debug_printf("changing group to %ld failed: %s\n",
4017 (long int)exim_gid, strerror(errno));
4021 /* Handle a request to scan a file for malware */
4022 if (malware_test_file)
4024 #ifdef WITH_CONTENT_SCAN
4026 set_process_info("scanning file for malware");
4027 result = malware_in_file(malware_test_file);
4030 printf("No malware found.\n");
4035 printf("Malware lookup returned non-okay/fail: %d\n", result);
4039 printf("Malware found: %s\n", malware_name);
4041 printf("Malware scan detected malware of unknown name.\n");
4043 printf("Malware scanning not enabled at compile time.\n");
4048 /* Handle a request to list the delivery queue */
4052 set_process_info("listing the queue");
4053 queue_list(list_queue_option, argv + recipients_arg, argc - recipients_arg);
4057 /* Handle a request to count the delivery queue */
4061 set_process_info("counting the queue");
4066 /* Handle actions on specific messages, except for the force delivery and
4067 message load actions, which are done below. Some actions take a whole list of
4068 message ids, which are known to continue up to the end of the arguments. Others
4069 take a single message id and then operate on the recipients list. */
4071 if (msg_action_arg > 0 && msg_action != MSG_DELIVER && msg_action != MSG_LOAD)
4073 int yield = EXIT_SUCCESS;
4074 set_process_info("acting on specified messages");
4076 if (!one_msg_action)
4078 for (i = msg_action_arg; i < argc; i++)
4079 if (!queue_action(argv[i], msg_action, NULL, 0, 0))
4080 yield = EXIT_FAILURE;
4083 else if (!queue_action(argv[msg_action_arg], msg_action, argv, argc,
4084 recipients_arg)) yield = EXIT_FAILURE;
4088 /* All the modes below here require the remaining configuration sections
4089 to be read, except that we can skip over the ACL setting when delivering
4090 specific messages, or doing a queue run. (For various testing cases we could
4091 skip too, but as they are rare, it doesn't really matter.) The argument is TRUE
4094 readconf_rest(msg_action_arg > 0 || (queue_interval == 0 && !daemon_listen));
4096 /* The configuration data will have been read into POOL_PERM because we won't
4097 ever want to reset back past it. Change the current pool to POOL_MAIN. In fact,
4098 this is just a bit of pedantic tidiness. It wouldn't really matter if the
4099 configuration were read into POOL_MAIN, because we don't do any resets till
4100 later on. However, it seems right, and it does ensure that both pools get used.
4103 store_pool = POOL_MAIN;
4105 /* Handle the -brt option. This is for checking out retry configurations.
4106 The next three arguments are a domain name or a complete address, and
4107 optionally two error numbers. All it does is to call the function that
4108 scans the retry configuration data. */
4110 if (test_retry_arg >= 0)
4112 retry_config *yield;
4113 int basic_errno = 0;
4117 if (test_retry_arg >= argc)
4119 printf("-brt needs a domain or address argument\n");
4120 exim_exit(EXIT_FAILURE);
4122 s1 = argv[test_retry_arg++];
4125 /* If the first argument contains no @ and no . it might be a local user
4126 or it might be a single-component name. Treat as a domain. */
4128 if (Ustrchr(s1, '@') == NULL && Ustrchr(s1, '.') == NULL)
4130 printf("Warning: \"%s\" contains no '@' and no '.' characters. It is "
4131 "being \ntreated as a one-component domain, not as a local part.\n\n",
4135 /* There may be an optional second domain arg. */
4137 if (test_retry_arg < argc && Ustrchr(argv[test_retry_arg], '.') != NULL)
4138 s2 = argv[test_retry_arg++];
4140 /* The final arg is an error name */
4142 if (test_retry_arg < argc)
4144 uschar *ss = argv[test_retry_arg];
4146 readconf_retry_error(ss, ss + Ustrlen(ss), &basic_errno, &more_errno);
4149 printf("%s\n", CS error);
4150 return EXIT_FAILURE;
4153 /* For the {MAIL,RCPT,DATA}_4xx errors, a value of 255 means "any", and a
4154 code > 100 as an error is for matching codes to the decade. Turn them into
4155 a real error code, off the decade. */
4157 if (basic_errno == ERRNO_MAIL4XX ||
4158 basic_errno == ERRNO_RCPT4XX ||
4159 basic_errno == ERRNO_DATA4XX)
4161 int code = (more_errno >> 8) & 255;
4163 more_errno = (more_errno & 0xffff00ff) | (21 << 8);
4164 else if (code > 100)
4165 more_errno = (more_errno & 0xffff00ff) | ((code - 96) << 8);
4169 yield = retry_find_config(s1, s2, basic_errno, more_errno);
4170 if (yield == NULL) printf("No retry information found\n"); else
4173 more_errno = yield->more_errno;
4174 printf("Retry rule: %s ", yield->pattern);
4176 if (yield->basic_errno == ERRNO_EXIMQUOTA)
4178 printf("quota%s%s ",
4179 (more_errno > 0)? "_" : "",
4180 (more_errno > 0)? readconf_printtime(more_errno) : US"");
4182 else if (yield->basic_errno == ECONNREFUSED)
4184 printf("refused%s%s ",
4185 (more_errno > 0)? "_" : "",
4186 (more_errno == 'M')? "MX" :
4187 (more_errno == 'A')? "A" : "");
4189 else if (yield->basic_errno == ETIMEDOUT)
4192 if ((more_errno & RTEF_CTOUT) != 0) printf("_connect");
4194 if (more_errno != 0) printf("_%s",
4195 (more_errno == 'M')? "MX" : "A");
4198 else if (yield->basic_errno == ERRNO_AUTHFAIL)
4199 printf("auth_failed ");
4202 for (r = yield->rules; r != NULL; r = r->next)
4204 printf("%c,%s", r->rule, readconf_printtime(r->timeout)); /* Do not */
4205 printf(",%s", readconf_printtime(r->p1)); /* amalgamate */
4211 printf(",%d.", x/1000);
4225 exim_exit(EXIT_SUCCESS);
4228 /* Handle a request to list one or more configuration options */
4232 set_process_info("listing variables");
4233 if (recipients_arg >= argc) readconf_print(US"all", NULL);
4234 else for (i = recipients_arg; i < argc; i++)
4237 (Ustrcmp(argv[i], "router") == 0 ||
4238 Ustrcmp(argv[i], "transport") == 0 ||
4239 Ustrcmp(argv[i], "authenticator") == 0 ||
4240 Ustrcmp(argv[i], "macro") == 0))
4242 readconf_print(argv[i+1], argv[i]);
4245 else readconf_print(argv[i], NULL);
4247 exim_exit(EXIT_SUCCESS);
4251 /* Handle a request to deliver one or more messages that are already on the
4252 queue. Values of msg_action other than MSG_DELIVER and MSG_LOAD are dealt with
4253 above. MSG_LOAD is handled with -be (which is the only time it applies) below.
4255 Delivery of specific messages is typically used for a small number when
4256 prodding by hand (when the option forced_delivery will be set) or when
4257 re-execing to regain root privilege. Each message delivery must happen in a
4258 separate process, so we fork a process for each one, and run them sequentially
4259 so that debugging output doesn't get intertwined, and to avoid spawning too
4260 many processes if a long list is given. However, don't fork for the last one;
4261 this saves a process in the common case when Exim is called to deliver just one
4264 if (msg_action_arg > 0 && msg_action != MSG_LOAD)
4266 if (prod_requires_admin && !admin_user)
4268 fprintf(stderr, "exim: Permission denied\n");
4269 exim_exit(EXIT_FAILURE);
4271 set_process_info("delivering specified messages");
4272 if (deliver_give_up) forced_delivery = deliver_force_thaw = TRUE;
4273 for (i = msg_action_arg; i < argc; i++)
4278 (void)deliver_message(argv[i], forced_delivery, deliver_give_up);
4279 else if ((pid = fork()) == 0)
4281 (void)deliver_message(argv[i], forced_delivery, deliver_give_up);
4282 _exit(EXIT_SUCCESS);
4286 fprintf(stderr, "failed to fork delivery process for %s: %s\n", argv[i],
4288 exim_exit(EXIT_FAILURE);
4292 exim_exit(EXIT_SUCCESS);
4296 /* If only a single queue run is requested, without SMTP listening, we can just
4297 turn into a queue runner, with an optional starting message id. */
4299 if (queue_interval == 0 && !daemon_listen)
4301 DEBUG(D_queue_run) debug_printf("Single queue run%s%s%s%s\n",
4302 (start_queue_run_id == NULL)? US"" : US" starting at ",
4303 (start_queue_run_id == NULL)? US"" : start_queue_run_id,
4304 (stop_queue_run_id == NULL)? US"" : US" stopping at ",
4305 (stop_queue_run_id == NULL)? US"" : stop_queue_run_id);
4306 set_process_info("running the queue (single queue run)");
4307 queue_run(start_queue_run_id, stop_queue_run_id, FALSE);
4308 exim_exit(EXIT_SUCCESS);
4312 /* Find the login name of the real user running this process. This is always
4313 needed when receiving a message, because it is written into the spool file. It
4314 may also be used to construct a from: or a sender: header, and in this case we
4315 need the user's full name as well, so save a copy of it, checked for RFC822
4316 syntax and munged if necessary, if it hasn't previously been set by the -F
4317 argument. We may try to get the passwd entry more than once, in case NIS or
4318 other delays are in evidence. Save the home directory for use in filter testing
4323 if ((pw = getpwuid(real_uid)) != NULL)
4325 originator_login = string_copy(US pw->pw_name);
4326 originator_home = string_copy(US pw->pw_dir);
4328 /* If user name has not been set by -F, set it from the passwd entry
4329 unless -f has been used to set the sender address by a trusted user. */
4331 if (originator_name == NULL)
4333 if (sender_address == NULL ||
4334 (!trusted_caller && filter_test == FTEST_NONE))
4336 uschar *name = US pw->pw_gecos;
4337 uschar *amp = Ustrchr(name, '&');
4340 /* Most Unix specify that a '&' character in the gecos field is
4341 replaced by a copy of the login name, and some even specify that
4342 the first character should be upper cased, so that's what we do. */
4347 string_format(buffer, sizeof(buffer), "%.*s%n%s%s",
4348 amp - name, name, &loffset, originator_login, amp + 1);
4349 buffer[loffset] = toupper(buffer[loffset]);
4353 /* If a pattern for matching the gecos field was supplied, apply
4354 it and then expand the name string. */
4356 if (gecos_pattern != NULL && gecos_name != NULL)
4359 re = regex_must_compile(gecos_pattern, FALSE, TRUE); /* Use malloc */
4361 if (regex_match_and_setup(re, name, 0, -1))
4363 uschar *new_name = expand_string(gecos_name);
4365 if (new_name != NULL)
4367 DEBUG(D_receive) debug_printf("user name \"%s\" extracted from "
4368 "gecos field \"%s\"\n", new_name, name);
4371 else DEBUG(D_receive) debug_printf("failed to expand gecos_name string "
4372 "\"%s\": %s\n", gecos_name, expand_string_message);
4374 else DEBUG(D_receive) debug_printf("gecos_pattern \"%s\" did not match "
4375 "gecos field \"%s\"\n", gecos_pattern, name);
4376 store_free((void *)re);
4378 originator_name = string_copy(name);
4381 /* A trusted caller has used -f but not -F */
4383 else originator_name = US"";
4386 /* Break the retry loop */
4391 if (++i > finduser_retries) break;
4395 /* If we cannot get a user login, log the incident and give up, unless the
4396 configuration specifies something to use. When running in the test harness,
4397 any setting of unknown_login overrides the actual name. */
4399 if (originator_login == NULL || running_in_test_harness)
4401 if (unknown_login != NULL)
4403 originator_login = expand_string(unknown_login);
4404 if (originator_name == NULL && unknown_username != NULL)
4405 originator_name = expand_string(unknown_username);
4406 if (originator_name == NULL) originator_name = US"";
4408 if (originator_login == NULL)
4409 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to get user name for uid %d",
4413 /* Ensure that the user name is in a suitable form for use as a "phrase" in an
4416 originator_name = string_copy(parse_fix_phrase(originator_name,
4417 Ustrlen(originator_name), big_buffer, big_buffer_size));
4419 /* If a message is created by this call of Exim, the uid/gid of its originator
4420 are those of the caller. These values are overridden if an existing message is
4421 read in from the spool. */
4423 originator_uid = real_uid;
4424 originator_gid = real_gid;
4426 DEBUG(D_receive) debug_printf("originator: uid=%d gid=%d login=%s name=%s\n",
4427 (int)originator_uid, (int)originator_gid, originator_login, originator_name);
4429 /* Run in daemon and/or queue-running mode. The function daemon_go() never
4430 returns. We leave this till here so that the originator_ fields are available
4431 for incoming messages via the daemon. The daemon cannot be run in mua_wrapper
4434 if (daemon_listen || inetd_wait_mode || queue_interval > 0)
4438 fprintf(stderr, "Daemon cannot be run when mua_wrapper is set\n");
4439 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Daemon cannot be run when "
4440 "mua_wrapper is set");
4445 /* If the sender ident has not been set (by a trusted caller) set it to
4446 the caller. This will get overwritten below for an inetd call. If a trusted
4447 caller has set it empty, unset it. */
4449 if (sender_ident == NULL) sender_ident = originator_login;
4450 else if (sender_ident[0] == 0) sender_ident = NULL;
4452 /* Handle the -brw option, which is for checking out rewriting rules. Cause log
4453 writes (on errors) to go to stderr instead. Can't do this earlier, as want the
4454 originator_* variables set. */
4456 if (test_rewrite_arg >= 0)
4458 really_exim = FALSE;
4459 if (test_rewrite_arg >= argc)
4461 printf("-brw needs an address argument\n");
4462 exim_exit(EXIT_FAILURE);
4464 rewrite_test(argv[test_rewrite_arg]);
4465 exim_exit(EXIT_SUCCESS);
4468 /* A locally-supplied message is considered to be coming from a local user
4469 unless a trusted caller supplies a sender address with -f, or is passing in the
4470 message via SMTP (inetd invocation or otherwise). */
4472 if ((sender_address == NULL && !smtp_input) ||
4473 (!trusted_caller && filter_test == FTEST_NONE))
4475 sender_local = TRUE;
4477 /* A trusted caller can supply authenticated_sender and authenticated_id
4478 via -oMas and -oMai and if so, they will already be set. Otherwise, force
4479 defaults except when host checking. */
4481 if (authenticated_sender == NULL && !host_checking)
4482 authenticated_sender = string_sprintf("%s@%s", originator_login,
4483 qualify_domain_sender);
4484 if (authenticated_id == NULL && !host_checking)
4485 authenticated_id = originator_login;
4488 /* Trusted callers are always permitted to specify the sender address.
4489 Untrusted callers may specify it if it matches untrusted_set_sender, or if what
4490 is specified is the empty address. However, if a trusted caller does not
4491 specify a sender address for SMTP input, we leave sender_address unset. This
4492 causes the MAIL commands to be honoured. */
4494 if ((!smtp_input && sender_address == NULL) ||
4495 !receive_check_set_sender(sender_address))
4497 /* Either the caller is not permitted to set a general sender, or this is
4498 non-SMTP input and the trusted caller has not set a sender. If there is no
4499 sender, or if a sender other than <> is set, override with the originator's
4500 login (which will get qualified below), except when checking things. */
4502 if (sender_address == NULL /* No sender_address set */
4504 (sender_address[0] != 0 && /* Non-empty sender address, AND */
4505 !checking && /* Not running tests, AND */
4506 filter_test == FTEST_NONE)) /* Not testing a filter */
4508 sender_address = originator_login;
4509 sender_address_forced = FALSE;
4510 sender_address_domain = 0;
4514 /* Remember whether an untrusted caller set the sender address */
4516 sender_set_untrusted = sender_address != originator_login && !trusted_caller;
4518 /* Ensure that the sender address is fully qualified unless it is the empty
4519 address, which indicates an error message, or doesn't exist (root caller, smtp
4520 interface, no -f argument). */
4522 if (sender_address != NULL && sender_address[0] != 0 &&
4523 sender_address_domain == 0)
4524 sender_address = string_sprintf("%s@%s", local_part_quote(sender_address),
4525 qualify_domain_sender);
4527 DEBUG(D_receive) debug_printf("sender address = %s\n", sender_address);
4529 /* Handle a request to verify a list of addresses, or test them for delivery.
4530 This must follow the setting of the sender address, since routers can be
4531 predicated upon the sender. If no arguments are given, read addresses from
4532 stdin. Set debug_level to at least D_v to get full output for address testing.
4535 if (verify_address_mode || address_test_mode)
4538 int flags = vopt_qualify;
4540 if (verify_address_mode)
4542 if (!verify_as_sender) flags |= vopt_is_recipient;
4543 DEBUG(D_verify) debug_print_ids(US"Verifying:");
4548 flags |= vopt_is_recipient;
4549 debug_selector |= D_v;
4550 debug_file = stderr;
4551 debug_fd = fileno(debug_file);
4552 DEBUG(D_verify) debug_print_ids(US"Address testing:");
4555 if (recipients_arg < argc)
4557 while (recipients_arg < argc)
4559 uschar *s = argv[recipients_arg++];
4562 BOOL finished = FALSE;
4563 uschar *ss = parse_find_address_end(s, FALSE);
4564 if (*ss == ',') *ss = 0; else finished = TRUE;
4565 test_address(s, flags, &exit_value);
4568 while (*(++s) != 0 && (*s == ',' || isspace(*s)));
4575 uschar *s = get_stdinput(NULL, NULL);
4576 if (s == NULL) break;
4577 test_address(s, flags, &exit_value);
4581 exim_exit(exit_value);
4584 /* Handle expansion checking. Either expand items on the command line, or read
4585 from stdin if there aren't any. If -Mset was specified, load the message so
4586 that its variables can be used, but restrict this facility to admin users.
4587 Otherwise, if -bem was used, read a message from stdin. */
4591 if (msg_action_arg > 0 && msg_action == MSG_LOAD)
4593 uschar spoolname[256]; /* Not big_buffer; used in spool_read_header() */
4596 fprintf(stderr, "exim: permission denied\n");
4599 message_id = argv[msg_action_arg];
4600 (void)string_format(spoolname, sizeof(spoolname), "%s-H", message_id);
4601 if (!spool_open_datafile(message_id))
4602 printf ("Failed to load message datafile %s\n", message_id);
4603 if (spool_read_header(spoolname, TRUE, FALSE) != spool_read_OK)
4604 printf ("Failed to load message %s\n", message_id);
4607 /* Read a test message from a file. We fudge it up to be on stdin, saving
4608 stdin itself for later reading of expansion strings. */
4610 else if (expansion_test_message != NULL)
4612 int save_stdin = dup(0);
4613 int fd = Uopen(expansion_test_message, O_RDONLY, 0);
4616 fprintf(stderr, "exim: failed to open %s: %s\n", expansion_test_message,
4618 return EXIT_FAILURE;
4621 filter_test = FTEST_USER; /* Fudge to make it look like filter test */
4622 message_ended = END_NOTENDED;
4623 read_message_body(receive_msg(extract_recipients));
4624 message_linecount += body_linecount;
4625 (void)dup2(save_stdin, 0);
4626 (void)close(save_stdin);
4627 clearerr(stdin); /* Required by Darwin */
4630 /* Allow $recipients for this testing */
4632 enable_dollar_recipients = TRUE;
4634 /* Expand command line items */
4636 if (recipients_arg < argc)
4638 while (recipients_arg < argc)
4640 uschar *s = argv[recipients_arg++];
4641 uschar *ss = expand_string(s);
4642 if (ss == NULL) printf ("Failed: %s\n", expand_string_message);
4643 else printf("%s\n", CS ss);
4651 char *(*fn_readline)(const char *) = NULL;
4652 void (*fn_addhist)(const char *) = NULL;
4655 void *dlhandle = set_readline(&fn_readline, &fn_addhist);
4661 uschar *source = get_stdinput(fn_readline, fn_addhist);
4662 if (source == NULL) break;
4663 ss = expand_string(source);
4665 printf ("Failed: %s\n", expand_string_message);
4666 else printf("%s\n", CS ss);
4670 if (dlhandle != NULL) dlclose(dlhandle);
4674 /* The data file will be open after -Mset */
4676 if (deliver_datafile >= 0)
4678 (void)close(deliver_datafile);
4679 deliver_datafile = -1;
4682 exim_exit(EXIT_SUCCESS);
4686 /* The active host name is normally the primary host name, but it can be varied
4687 for hosts that want to play several parts at once. We need to ensure that it is
4688 set for host checking, and for receiving messages. */
4690 smtp_active_hostname = primary_hostname;
4691 if (raw_active_hostname != NULL)
4693 uschar *nah = expand_string(raw_active_hostname);
4696 if (!expand_string_forcedfail)
4697 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand \"%s\" "
4698 "(smtp_active_hostname): %s", raw_active_hostname,
4699 expand_string_message);
4701 else if (nah[0] != 0) smtp_active_hostname = nah;
4704 /* Handle host checking: this facility mocks up an incoming SMTP call from a
4705 given IP address so that the blocking and relay configuration can be tested.
4706 Unless a sender_ident was set by -oMt, we discard it (the default is the
4707 caller's login name). An RFC 1413 call is made only if we are running in the
4708 test harness and an incoming interface and both ports are specified, because
4709 there is no TCP/IP call to find the ident for. */
4716 if (!sender_ident_set)
4718 sender_ident = NULL;
4719 if (running_in_test_harness && sender_host_port != 0 &&
4720 interface_address != NULL && interface_port != 0)
4721 verify_get_ident(1413);
4724 /* In case the given address is a non-canonical IPv6 address, canonicize
4725 it. The code works for both IPv4 and IPv6, as it happens. */
4727 size = host_aton(sender_host_address, x);
4728 sender_host_address = store_get(48); /* large enough for full IPv6 */
4729 (void)host_nmtoa(size, x, -1, sender_host_address, ':');
4731 /* Now set up for testing */
4733 host_build_sender_fullhost();
4737 sender_local = FALSE;
4738 sender_host_notsocket = TRUE;
4739 debug_file = stderr;
4740 debug_fd = fileno(debug_file);
4741 fprintf(stdout, "\n**** SMTP testing session as if from host %s\n"
4742 "**** but without any ident (RFC 1413) callback.\n"
4743 "**** This is not for real!\n\n",
4744 sender_host_address);
4746 if (verify_check_host(&hosts_connection_nolog) == OK)
4747 log_write_selector &= ~L_smtp_connection;
4748 log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
4750 /* NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
4751 because a log line has already been written for all its failure exists
4752 (usually "connection refused: <reason>") and writing another one is
4753 unnecessary clutter. */
4755 if (smtp_start_session())
4757 reset_point = store_get(0);
4760 store_reset(reset_point);
4761 if (smtp_setup_msg() <= 0) break;
4762 if (!receive_msg(FALSE)) break;
4766 exim_exit(EXIT_SUCCESS);
4770 /* Arrange for message reception if recipients or SMTP were specified;
4771 otherwise complain unless a version print (-bV) happened or this is a filter
4772 verification test. In the former case, show the configuration file name. */
4774 if (recipients_arg >= argc && !extract_recipients && !smtp_input)
4776 if (version_printed)
4778 printf("Configuration file is %s\n", config_main_filename);
4779 return EXIT_SUCCESS;
4782 if (filter_test == FTEST_NONE)
4783 exim_usage(called_as);
4787 /* If mua_wrapper is set, Exim is being used to turn an MUA that submits on the
4788 standard input into an MUA that submits to a smarthost over TCP/IP. We know
4789 that we are not called from inetd, because that is rejected above. The
4790 following configuration settings are forced here:
4792 (1) Synchronous delivery (-odi)
4793 (2) Errors to stderr (-oep == -oeq)
4794 (3) No parallel remote delivery
4795 (4) Unprivileged delivery
4797 We don't force overall queueing options because there are several of them;
4798 instead, queueing is avoided below when mua_wrapper is set. However, we do need
4799 to override any SMTP queueing. */
4803 synchronous_delivery = TRUE;
4804 arg_error_handling = ERRORS_STDERR;
4805 remote_max_parallel = 1;
4806 deliver_drop_privilege = TRUE;
4808 queue_smtp_domains = NULL;
4812 /* Prepare to accept one or more new messages on the standard input. When a
4813 message has been read, its id is returned in message_id[]. If doing immediate
4814 delivery, we fork a delivery process for each received message, except for the
4815 last one, where we can save a process switch.
4817 It is only in non-smtp mode that error_handling is allowed to be changed from
4818 its default of ERRORS_SENDER by argument. (Idle thought: are any of the
4819 sendmail error modes other than -oem ever actually used? Later: yes.) */
4821 if (!smtp_input) error_handling = arg_error_handling;
4823 /* If this is an inetd call, ensure that stderr is closed to prevent panic
4824 logging being sent down the socket and make an identd call to get the
4829 (void)fclose(stderr);
4830 exim_nullstd(); /* Re-open to /dev/null */
4831 verify_get_ident(IDENT_PORT);
4832 host_build_sender_fullhost();
4833 set_process_info("handling incoming connection from %s via inetd",
4837 /* If the sender host address has been set, build sender_fullhost if it hasn't
4838 already been done (which it will have been for inetd). This caters for the
4839 case when it is forced by -oMa. However, we must flag that it isn't a socket,
4840 so that the test for IP options is skipped for -bs input. */
4842 if (sender_host_address != NULL && sender_fullhost == NULL)
4844 host_build_sender_fullhost();
4845 set_process_info("handling incoming connection from %s via -oMa",
4847 sender_host_notsocket = TRUE;
4850 /* Otherwise, set the sender host as unknown except for inetd calls. This
4851 prevents host checking in the case of -bs not from inetd and also for -bS. */
4853 else if (!is_inetd) sender_host_unknown = TRUE;
4855 /* If stdout does not exist, then dup stdin to stdout. This can happen
4856 if exim is started from inetd. In this case fd 0 will be set to the socket,
4857 but fd 1 will not be set. This also happens for passed SMTP channels. */
4859 if (fstat(1, &statbuf) < 0) (void)dup2(0, 1);
4861 /* Set up the incoming protocol name and the state of the program. Root is
4862 allowed to force received protocol via the -oMr option above. If we have come
4863 via inetd, the process info has already been set up. We don't set
4864 received_protocol here for smtp input, as it varies according to
4865 batch/HELO/EHLO/AUTH/TLS. */
4869 if (!is_inetd) set_process_info("accepting a local %sSMTP message from <%s>",
4870 smtp_batched_input? "batched " : "",
4871 (sender_address!= NULL)? sender_address : originator_login);
4875 if (received_protocol == NULL)
4876 received_protocol = string_sprintf("local%s", called_as);
4877 set_process_info("accepting a local non-SMTP message from <%s>",
4881 /* Initialize the session_local_queue-only flag (this will be ignored if
4882 mua_wrapper is set) */
4885 session_local_queue_only = queue_only;
4887 /* For non-SMTP and for batched SMTP input, check that there is enough space on
4888 the spool if so configured. On failure, we must not attempt to send an error
4889 message! (For interactive SMTP, the check happens at MAIL FROM and an SMTP
4890 error code is given.) */
4892 if ((!smtp_input || smtp_batched_input) && !receive_check_fs(0))
4894 fprintf(stderr, "exim: insufficient disk space\n");
4895 return EXIT_FAILURE;
4898 /* If this is smtp input of any kind, real or batched, handle the start of the
4901 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
4902 because a log line has already been written for all its failure exists
4903 (usually "connection refused: <reason>") and writing another one is
4904 unnecessary clutter. */
4910 if (verify_check_host(&hosts_connection_nolog) == OK)
4911 log_write_selector &= ~L_smtp_connection;
4912 log_write(L_smtp_connection, LOG_MAIN, "%s", smtp_get_connection_info());
4913 if (!smtp_start_session())
4916 exim_exit(EXIT_SUCCESS);
4920 /* Otherwise, set up the input size limit here. */
4924 thismessage_size_limit = expand_string_integer(message_size_limit, TRUE);
4925 if (expand_string_message != NULL)
4927 if (thismessage_size_limit == -1)
4928 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to expand "
4929 "message_size_limit: %s", expand_string_message);
4931 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "invalid value for "
4932 "message_size_limit: %s", expand_string_message);
4936 /* Loop for several messages when reading SMTP input. If we fork any child
4937 processes, we don't want to wait for them unless synchronous delivery is
4938 requested, so set SIGCHLD to SIG_IGN in that case. This is not necessarily the
4939 same as SIG_DFL, despite the fact that documentation often lists the default as
4940 "ignore". This is a confusing area. This is what I know:
4942 At least on some systems (e.g. Solaris), just setting SIG_IGN causes child
4943 processes that complete simply to go away without ever becoming defunct. You
4944 can't then wait for them - but we don't want to wait for them in the
4945 non-synchronous delivery case. However, this behaviour of SIG_IGN doesn't
4946 happen for all OS (e.g. *BSD is different).
4948 But that's not the end of the story. Some (many? all?) systems have the
4949 SA_NOCLDWAIT option for sigaction(). This requests the behaviour that Solaris
4950 has by default, so it seems that the difference is merely one of default
4951 (compare restarting vs non-restarting signals).
4953 To cover all cases, Exim sets SIG_IGN with SA_NOCLDWAIT here if it can. If not,
4954 it just sets SIG_IGN. To be on the safe side it also calls waitpid() at the end
4955 of the loop below. Paranoia rules.
4957 February 2003: That's *still* not the end of the story. There are now versions
4958 of Linux (where SIG_IGN does work) that are picky. If, having set SIG_IGN, a
4959 process then calls waitpid(), a grumble is written to the system log, because
4960 this is logically inconsistent. In other words, it doesn't like the paranoia.
4961 As a consequenc of this, the waitpid() below is now excluded if we are sure
4962 that SIG_IGN works. */
4964 if (!synchronous_delivery)
4967 struct sigaction act;
4968 act.sa_handler = SIG_IGN;
4969 sigemptyset(&(act.sa_mask));
4970 act.sa_flags = SA_NOCLDWAIT;
4971 sigaction(SIGCHLD, &act, NULL);
4973 signal(SIGCHLD, SIG_IGN);
4977 /* Save the current store pool point, for resetting at the start of
4978 each message, and save the real sender address, if any. */
4980 reset_point = store_get(0);
4981 real_sender_address = sender_address;
4983 /* Loop to receive messages; receive_msg() returns TRUE if there are more
4984 messages to be read (SMTP input), or FALSE otherwise (not SMTP, or SMTP channel
4989 store_reset(reset_point);
4992 /* Handle the SMTP case; call smtp_setup_mst() to deal with the initial SMTP
4993 input and build the recipients list, before calling receive_msg() to read the
4994 message proper. Whatever sender address is given in the SMTP transaction is
4995 often ignored for local senders - we use the actual sender, which is normally
4996 either the underlying user running this process or a -f argument provided by
4997 a trusted caller. It is saved in real_sender_address. The test for whether to
4998 accept the SMTP sender is encapsulated in receive_check_set_sender(). */
5003 if ((rc = smtp_setup_msg()) > 0)
5005 if (real_sender_address != NULL &&
5006 !receive_check_set_sender(sender_address))
5008 sender_address = raw_sender = real_sender_address;
5009 sender_address_unrewritten = NULL;
5012 /* For batched SMTP, we have to run the acl_not_smtp_start ACL, since it
5013 isn't really SMTP, so no other ACL will run until the acl_not_smtp one at
5014 the very end. The result of the ACL is ignored (as for other non-SMTP
5015 messages). It is run for its potential side effects. */
5017 if (smtp_batched_input && acl_not_smtp_start != NULL)
5019 uschar *user_msg, *log_msg;
5020 enable_dollar_recipients = TRUE;
5021 (void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
5022 &user_msg, &log_msg);
5023 enable_dollar_recipients = FALSE;
5026 /* Now get the data for the message */
5028 more = receive_msg(extract_recipients);
5029 if (message_id[0] == 0)
5032 smtp_log_no_mail(); /* Log no mail if configured */
5033 exim_exit(EXIT_FAILURE);
5038 smtp_log_no_mail(); /* Log no mail if configured */
5039 exim_exit((rc == 0)? EXIT_SUCCESS : EXIT_FAILURE);
5043 /* In the non-SMTP case, we have all the information from the command
5044 line, but must process it in case it is in the more general RFC822
5045 format, and in any case, to detect syntax errors. Also, it appears that
5046 the use of comma-separated lists as single arguments is common, so we
5047 had better support them. */
5053 int count = argc - recipients_arg;
5054 uschar **list = argv + recipients_arg;
5056 /* These options cannot be changed dynamically for non-SMTP messages */
5058 active_local_sender_retain = local_sender_retain;
5059 active_local_from_check = local_from_check;
5061 /* Save before any rewriting */
5063 raw_sender = string_copy(sender_address);
5065 /* Loop for each argument */
5067 for (i = 0; i < count; i++)
5069 int start, end, domain;
5071 uschar *s = list[i];
5073 /* Loop for each comma-separated address */
5077 BOOL finished = FALSE;
5079 uschar *ss = parse_find_address_end(s, FALSE);
5081 if (*ss == ',') *ss = 0; else finished = TRUE;
5083 /* Check max recipients - if -t was used, these aren't recipients */
5085 if (recipients_max > 0 && ++rcount > recipients_max &&
5086 !extract_recipients)
5088 if (error_handling == ERRORS_STDERR)
5090 fprintf(stderr, "exim: too many recipients\n");
5091 exim_exit(EXIT_FAILURE);
5096 moan_to_sender(ERRMESS_TOOMANYRECIP, NULL, NULL, stdin, TRUE)?
5097 errors_sender_rc : EXIT_FAILURE;
5102 parse_extract_address(s, &errmess, &start, &end, &domain, FALSE);
5104 if (domain == 0 && !allow_unqualified_recipient)
5107 errmess = US"unqualified recipient address not allowed";
5110 if (recipient == NULL)
5112 if (error_handling == ERRORS_STDERR)
5114 fprintf(stderr, "exim: bad recipient address \"%s\": %s\n",
5115 string_printing(list[i]), errmess);
5116 exim_exit(EXIT_FAILURE);
5122 eblock.text1 = string_printing(list[i]);
5123 eblock.text2 = errmess;
5125 moan_to_sender(ERRMESS_BADARGADDRESS, &eblock, NULL, stdin, TRUE)?
5126 errors_sender_rc : EXIT_FAILURE;
5130 receive_add_recipient(recipient, -1);
5133 while (*(++s) != 0 && (*s == ',' || isspace(*s)));
5137 /* Show the recipients when debugging */
5142 if (sender_address != NULL) debug_printf("Sender: %s\n", sender_address);
5143 if (recipients_list != NULL)
5145 debug_printf("Recipients:\n");
5146 for (i = 0; i < recipients_count; i++)
5147 debug_printf(" %s\n", recipients_list[i].address);
5151 /* Run the acl_not_smtp_start ACL if required. The result of the ACL is
5152 ignored; rejecting here would just add complication, and it can just as
5153 well be done later. Allow $recipients to be visible in the ACL. */
5155 if (acl_not_smtp_start != NULL)
5157 uschar *user_msg, *log_msg;
5158 enable_dollar_recipients = TRUE;
5159 (void)acl_check(ACL_WHERE_NOTSMTP_START, NULL, acl_not_smtp_start,
5160 &user_msg, &log_msg);
5161 enable_dollar_recipients = FALSE;
5164 /* Read the data for the message. If filter_test is not FTEST_NONE, this
5165 will just read the headers for the message, and not write anything onto the
5168 message_ended = END_NOTENDED;
5169 more = receive_msg(extract_recipients);
5171 /* more is always FALSE here (not SMTP message) when reading a message
5172 for real; when reading the headers of a message for filter testing,
5173 it is TRUE if the headers were terminated by '.' and FALSE otherwise. */
5175 if (message_id[0] == 0) exim_exit(EXIT_FAILURE);
5176 } /* Non-SMTP message reception */
5178 /* If this is a filter testing run, there are headers in store, but
5179 no message on the spool. Run the filtering code in testing mode, setting
5180 the domain to the qualify domain and the local part to the current user,
5181 unless they have been set by options. The prefix and suffix are left unset
5182 unless specified. The the return path is set to to the sender unless it has
5183 already been set from a return-path header in the message. */
5185 if (filter_test != FTEST_NONE)
5187 deliver_domain = (ftest_domain != NULL)?
5188 ftest_domain : qualify_domain_recipient;
5189 deliver_domain_orig = deliver_domain;
5190 deliver_localpart = (ftest_localpart != NULL)?
5191 ftest_localpart : originator_login;
5192 deliver_localpart_orig = deliver_localpart;
5193 deliver_localpart_prefix = ftest_prefix;
5194 deliver_localpart_suffix = ftest_suffix;
5195 deliver_home = originator_home;
5197 if (return_path == NULL)
5199 printf("Return-path copied from sender\n");
5200 return_path = string_copy(sender_address);
5204 printf("Return-path = %s\n", (return_path[0] == 0)? US"<>" : return_path);
5206 printf("Sender = %s\n", (sender_address[0] == 0)? US"<>" : sender_address);
5208 receive_add_recipient(
5209 string_sprintf("%s%s%s@%s",
5210 (ftest_prefix == NULL)? US"" : ftest_prefix,
5212 (ftest_suffix == NULL)? US"" : ftest_suffix,
5213 deliver_domain), -1);
5215 printf("Recipient = %s\n", recipients_list[0].address);
5216 if (ftest_prefix != NULL) printf("Prefix = %s\n", ftest_prefix);
5217 if (ftest_suffix != NULL) printf("Suffix = %s\n", ftest_suffix);
5219 (void)chdir("/"); /* Get away from wherever the user is running this from */
5221 /* Now we run either a system filter test, or a user filter test, or both.
5222 In the latter case, headers added by the system filter will persist and be
5223 available to the user filter. We need to copy the filter variables
5226 if ((filter_test & FTEST_SYSTEM) != 0)
5228 if (!filter_runtest(filter_sfd, filter_test_sfile, TRUE, more))
5229 exim_exit(EXIT_FAILURE);
5232 memcpy(filter_sn, filter_n, sizeof(filter_sn));
5234 if ((filter_test & FTEST_USER) != 0)
5236 if (!filter_runtest(filter_ufd, filter_test_ufile, FALSE, more))
5237 exim_exit(EXIT_FAILURE);
5240 exim_exit(EXIT_SUCCESS);
5243 /* Else act on the result of message reception. We should not get here unless
5244 message_id[0] is non-zero. If queue_only is set, session_local_queue_only
5245 will be TRUE. If it is not, check on the number of messages received in this
5248 if (!session_local_queue_only &&
5249 smtp_accept_queue_per_connection > 0 &&
5250 receive_messagecount > smtp_accept_queue_per_connection)
5252 session_local_queue_only = TRUE;
5253 queue_only_reason = 2;
5256 /* Initialize local_queue_only from session_local_queue_only. If it is false,
5257 and queue_only_load is set, check that the load average is below it. If it is
5258 not, set local_queue_only TRUE. If queue_only_load_latch is true (the
5259 default), we put the whole session into queue_only mode. It then remains this
5260 way for any subsequent messages on the same SMTP connection. This is a
5261 deliberate choice; even though the load average may fall, it doesn't seem
5262 right to deliver later messages on the same call when not delivering earlier
5263 ones. However, there are odd cases where this is not wanted, so this can be
5264 changed by setting queue_only_load_latch false. */
5266 local_queue_only = session_local_queue_only;
5267 if (!local_queue_only && queue_only_load >= 0)
5269 local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load;
5270 if (local_queue_only)
5272 queue_only_reason = 3;
5273 if (queue_only_load_latch) session_local_queue_only = TRUE;
5277 /* If running as an MUA wrapper, all queueing options and freezing options
5281 local_queue_only = queue_only_policy = deliver_freeze = FALSE;
5283 /* Log the queueing here, when it will get a message id attached, but
5284 not if queue_only is set (case 0). Case 1 doesn't happen here (too many
5287 if (local_queue_only) switch(queue_only_reason)
5290 log_write(L_delay_delivery,
5291 LOG_MAIN, "no immediate delivery: more than %d messages "
5292 "received in one connection", smtp_accept_queue_per_connection);
5296 log_write(L_delay_delivery,
5297 LOG_MAIN, "no immediate delivery: load average %.2f",
5298 (double)load_average/1000.0);
5302 /* Else do the delivery unless the ACL or local_scan() called for queue only
5303 or froze the message. Always deliver in a separate process. A fork failure is
5304 not a disaster, as the delivery will eventually happen on a subsequent queue
5305 run. The search cache must be tidied before the fork, as the parent will
5306 do it before exiting. The child will trigger a lookup failure and
5307 thereby defer the delivery if it tries to use (for example) a cached ldap
5308 connection that the parent has called unbind on. */
5310 else if (!queue_only_policy && !deliver_freeze)
5315 if ((pid = fork()) == 0)
5318 close_unwanted(); /* Close unwanted file descriptors and TLS */
5319 exim_nullstd(); /* Ensure std{in,out,err} exist */
5321 /* Re-exec Exim if we need to regain privilege (note: in mua_wrapper
5322 mode, deliver_drop_privilege is forced TRUE). */
5324 if (geteuid() != root_uid && !deliver_drop_privilege && !unprivileged)
5326 (void)child_exec_exim(CEE_EXEC_EXIT, FALSE, NULL, FALSE, 2, US"-Mc",
5328 /* Control does not return here. */
5331 /* No need to re-exec */
5333 rc = deliver_message(message_id, FALSE, FALSE);
5335 _exit((!mua_wrapper || rc == DELIVER_MUA_SUCCEEDED)?
5336 EXIT_SUCCESS : EXIT_FAILURE);
5341 log_write(0, LOG_MAIN|LOG_PANIC, "failed to fork automatic delivery "
5342 "process: %s", strerror(errno));
5345 /* In the parent, wait if synchronous delivery is required. This will
5346 always be the case in MUA wrapper mode. */
5348 else if (synchronous_delivery)
5351 while (wait(&status) != pid);
5352 if ((status & 0x00ff) != 0)
5353 log_write(0, LOG_MAIN|LOG_PANIC,
5354 "process %d crashed with signal %d while delivering %s",
5355 (int)pid, status & 0x00ff, message_id);
5356 if (mua_wrapper && (status & 0xffff) != 0) exim_exit(EXIT_FAILURE);
5360 /* The loop will repeat if more is TRUE. If we do not know know that the OS
5361 automatically reaps children (see comments above the loop), clear away any
5362 finished subprocesses here, in case there are lots of messages coming in
5363 from the same source. */
5365 #ifndef SIG_IGN_WORKS
5366 while (waitpid(-1, NULL, WNOHANG) > 0);
5370 exim_exit(EXIT_SUCCESS); /* Never returns */
5371 return 0; /* To stop compiler warning */