1 /* $Cambridge: exim/src/src/deliver.c,v 1.1 2004/10/07 10:39:01 ph10 Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2004 */
8 /* See the file NOTICE for conditions of use and distribution. */
10 /* The main code for delivering a message. */
16 /* Data block for keeping track of subprocesses for parallel remote
19 typedef struct pardata {
20 address_item *addrlist; /* chain of addresses */
21 address_item *addr; /* next address data expected for */
22 pid_t pid; /* subprocess pid */
23 int fd; /* pipe fd for getting result from subprocess */
24 int transport_count; /* returned transport count value */
25 BOOL done; /* no more data needed */
26 uschar *msg; /* error message */
27 uschar *return_path; /* return_path for these addresses */
30 /* Values for the process_recipients variable */
32 enum { RECIP_ACCEPT, RECIP_IGNORE, RECIP_DEFER,
33 RECIP_FAIL, RECIP_FAIL_FILTER, RECIP_FAIL_TIMEOUT,
36 /* Mutually recursive functions for marking addresses done. */
38 static void child_done(address_item *, uschar *);
39 static void address_done(address_item *, uschar *);
41 /* Table for turning base-62 numbers into binary */
43 static uschar tab62[] =
44 {0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0, /* 0-9 */
45 0,10,11,12,13,14,15,16,17,18,19,20, /* A-K */
46 21,22,23,24,25,26,27,28,29,30,31,32, /* L-W */
47 33,34,35, 0, 0, 0, 0, 0, /* X-Z */
48 0,36,37,38,39,40,41,42,43,44,45,46, /* a-k */
49 47,48,49,50,51,52,53,54,55,56,57,58, /* l-w */
53 /*************************************************
54 * Local static variables *
55 *************************************************/
57 /* addr_duplicate is global because it needs to be seen from the Envelope-To
60 static address_item *addr_defer = NULL;
61 static address_item *addr_failed = NULL;
62 static address_item *addr_fallback = NULL;
63 static address_item *addr_local = NULL;
64 static address_item *addr_new = NULL;
65 static address_item *addr_remote = NULL;
66 static address_item *addr_route = NULL;
67 static address_item *addr_succeed = NULL;
69 static FILE *message_log = NULL;
70 static BOOL update_spool;
71 static BOOL remove_journal;
72 static int parcount = 0;
73 static pardata *parlist = NULL;
74 static int return_count;
75 static uschar *frozen_info = US"";
76 static uschar *used_return_path = NULL;
78 static uschar spoolname[PATH_MAX];
82 /*************************************************
83 * Make a new address item *
84 *************************************************/
86 /* This function gets the store and initializes with default values. The
87 transport_return value defaults to DEFER, so that any unexpected failure to
88 deliver does not wipe out the message. The default unique string is set to a
89 copy of the address, so that its domain can be lowercased.
92 address the RFC822 address string
93 copy force a copy of the address
95 Returns: a pointer to an initialized address_item
99 deliver_make_addr(uschar *address, BOOL copy)
101 address_item *addr = store_get(sizeof(address_item));
102 *addr = address_defaults;
103 if (copy) address = string_copy(address);
104 addr->address = address;
105 addr->unique = string_copy(address);
112 /*************************************************
113 * Set expansion values for an address *
114 *************************************************/
116 /* Certain expansion variables are valid only when handling an address or
117 address list. This function sets them up or clears the values, according to its
121 addr the address in question, or NULL to clear values
126 deliver_set_expansions(address_item *addr)
130 uschar ***p = address_expansions;
131 while (*p != NULL) **p++ = NULL;
135 /* Exactly what gets set depends on whether there is one or more addresses, and
136 what they contain. These first ones are always set, taking their values from
137 the first address. */
139 if (addr->host_list == NULL)
141 deliver_host = deliver_host_address = US"";
145 deliver_host = addr->host_list->name;
146 deliver_host_address = addr->host_list->address;
149 deliver_recipients = addr;
150 deliver_address_data = addr->p.address_data;
151 deliver_domain_data = addr->p.domain_data;
152 deliver_localpart_data = addr->p.localpart_data;
154 /* These may be unset for multiple addresses */
156 deliver_domain = addr->domain;
157 self_hostname = addr->self_hostname;
159 /* If there's only one address we can set everything. */
161 if (addr->next == NULL)
163 address_item *addr_orig;
165 deliver_localpart = addr->local_part;
166 deliver_localpart_prefix = addr->prefix;
167 deliver_localpart_suffix = addr->suffix;
169 for (addr_orig = addr; addr_orig->parent != NULL;
170 addr_orig = addr_orig->parent);
171 deliver_domain_orig = addr_orig->domain;
173 /* Re-instate any prefix and suffix in the original local part. In all
174 normal cases, the address will have a router associated with it, and we can
175 choose the caseful or caseless version accordingly. However, when a system
176 filter sets up a pipe, file, or autoreply delivery, no router is involved.
177 In this case, though, there won't be any prefix or suffix to worry about. */
179 deliver_localpart_orig = (addr_orig->router == NULL)? addr_orig->local_part :
180 addr_orig->router->caseful_local_part?
181 addr_orig->cc_local_part : addr_orig->lc_local_part;
183 /* If there's a parent, make its domain and local part available, and if
184 delivering to a pipe or file, or sending an autoreply, get the local
185 part from the parent. For pipes and files, put the pipe or file string
186 into address_pipe and address_file. */
188 if (addr->parent != NULL)
190 deliver_domain_parent = addr->parent->domain;
191 deliver_localpart_parent = (addr->parent->router == NULL)?
192 addr->parent->local_part :
193 addr->parent->router->caseful_local_part?
194 addr->parent->cc_local_part : addr->parent->lc_local_part;
196 /* File deliveries have their own flag because they need to be picked out
197 as special more often. */
199 if (testflag(addr, af_pfr))
201 if (testflag(addr, af_file)) address_file = addr->local_part;
202 else if (deliver_localpart[0] == '|') address_pipe = addr->local_part;
203 deliver_localpart = addr->parent->local_part;
204 deliver_localpart_prefix = addr->parent->prefix;
205 deliver_localpart_suffix = addr->parent->suffix;
210 /* For multiple addresses, don't set local part, and leave the domain and
211 self_hostname set only if it is the same for all of them. */
216 for (addr2 = addr->next; addr2 != NULL; addr2 = addr2->next)
218 if (deliver_domain != NULL &&
219 Ustrcmp(deliver_domain, addr2->domain) != 0)
220 deliver_domain = NULL;
221 if (self_hostname != NULL && (addr2->self_hostname == NULL ||
222 Ustrcmp(self_hostname, addr2->self_hostname) != 0))
223 self_hostname = NULL;
224 if (deliver_domain == NULL && self_hostname == NULL) break;
232 /*************************************************
233 * Open a msglog file *
234 *************************************************/
236 /* This function is used both for normal message logs, and for files in the
237 msglog directory that are used to catch output from pipes. Try to create the
238 directory if it does not exist. From release 4.21, normal message logs should
239 be created when the message is received.
242 filename the file name
243 mode the mode required
244 error used for saying what failed
246 Returns: a file descriptor, or -1 (with errno set)
250 open_msglog_file(uschar *filename, int mode, uschar **error)
252 int fd = Uopen(filename, O_WRONLY|O_APPEND|O_CREAT, mode);
254 if (fd < 0 && errno == ENOENT)
257 sprintf(CS temp, "msglog/%s", message_subdir);
258 if (message_subdir[0] == 0) temp[6] = 0;
259 (void)directory_make(spool_directory, temp, MSGLOG_DIRECTORY_MODE, TRUE);
260 fd = Uopen(filename, O_WRONLY|O_APPEND|O_CREAT, mode);
263 /* Set the close-on-exec flag and change the owner to the exim uid/gid (this
264 function is called as root). Double check the mode, because the group setting
265 doesn't always get set automatically. */
269 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
270 if (fchown(fd, exim_uid, exim_gid) < 0)
275 if (fchmod(fd, mode) < 0)
281 else *error = US"create";
289 /*************************************************
290 * Write to msglog if required *
291 *************************************************/
293 /* Write to the message log, if configured. This function may also be called
297 format a string format
303 deliver_msglog(const char *format, ...)
306 if (!message_logs) return;
307 va_start(ap, format);
308 vfprintf(message_log, format, ap);
316 /*************************************************
317 * Replicate status for batch *
318 *************************************************/
320 /* When a transport handles a batch of addresses, it may treat them
321 individually, or it may just put the status in the first one, and return FALSE,
322 requesting that the status be copied to all the others externally. This is the
323 replication function. As well as the status, it copies the transport pointer,
324 which may have changed if appendfile passed the addresses on to a different
327 Argument: pointer to the first address in a chain
332 replicate_status(address_item *addr)
335 for (addr2 = addr->next; addr2 != NULL; addr2 = addr2->next)
337 addr2->transport = addr->transport;
338 addr2->transport_return = addr->transport_return;
339 addr2->basic_errno = addr->basic_errno;
340 addr2->more_errno = addr->more_errno;
341 addr2->special_action = addr->special_action;
342 addr2->message = addr->message;
343 addr2->user_message = addr->user_message;
349 /*************************************************
350 * Compare lists of hosts *
351 *************************************************/
353 /* This function is given two pointers to chains of host items, and it yields
354 TRUE if the lists refer to the same hosts in the same order, except that
356 (1) Multiple hosts with the same non-negative MX values are permitted to appear
357 in different orders. Round-robinning nameservers can cause this to happen.
359 (2) Multiple hosts with the same negative MX values less than MX_NONE are also
360 permitted to appear in different orders. This is caused by randomizing
363 This enables Exim to use a single SMTP transaction for sending to two entirely
364 different domains that happen to end up pointing at the same hosts.
367 one points to the first host list
368 two points to the second host list
370 Returns: TRUE if the lists refer to the same host set
374 same_hosts(host_item *one, host_item *two)
376 while (one != NULL && two != NULL)
378 if (Ustrcmp(one->name, two->name) != 0)
381 host_item *end_one = one;
382 host_item *end_two = two;
384 /* Batch up only if there was no MX and the list was not randomized */
386 if (mx == MX_NONE) return FALSE;
388 /* Find the ends of the shortest sequence of identical MX values */
390 while (end_one->next != NULL && end_one->next->mx == mx &&
391 end_two->next != NULL && end_two->next->mx == mx)
393 end_one = end_one->next;
394 end_two = end_two->next;
397 /* If there aren't any duplicates, there's no match. */
399 if (end_one == one) return FALSE;
401 /* For each host in the 'one' sequence, check that it appears in the 'two'
402 sequence, returning FALSE if not. */
407 for (hi = two; hi != end_two->next; hi = hi->next)
408 if (Ustrcmp(one->name, hi->name) == 0) break;
409 if (hi == end_two->next) return FALSE;
410 if (one == end_one) break;
414 /* All the hosts in the 'one' sequence were found in the 'two' sequence.
415 Ensure both are pointing at the last host, and carry on as for equality. */
426 /* True if both are NULL */
433 /*************************************************
434 * Compare header lines *
435 *************************************************/
437 /* This function is given two pointers to chains of header items, and it yields
438 TRUE if they are the same header texts in the same order.
441 one points to the first header list
442 two points to the second header list
444 Returns: TRUE if the lists refer to the same header set
448 same_headers(header_line *one, header_line *two)
452 if (one == two) return TRUE; /* Includes the case where both NULL */
453 if (one == NULL || two == NULL) return FALSE;
454 if (Ustrcmp(one->text, two->text) != 0) return FALSE;
462 /*************************************************
463 * Compare string settings *
464 *************************************************/
466 /* This function is given two pointers to strings, and it returns
467 TRUE if they are the same pointer, or if the two strings are the same.
470 one points to the first string
471 two points to the second string
473 Returns: TRUE or FALSE
477 same_strings(uschar *one, uschar *two)
479 if (one == two) return TRUE; /* Includes the case where both NULL */
480 if (one == NULL || two == NULL) return FALSE;
481 return (Ustrcmp(one, two) == 0);
486 /*************************************************
487 * Compare uid/gid for addresses *
488 *************************************************/
490 /* This function is given a transport and two addresses. It yields TRUE if the
491 uid/gid/initgroups settings for the two addresses are going to be the same when
496 addr1 the first address
497 addr2 the second address
499 Returns: TRUE or FALSE
503 same_ugid(transport_instance *tp, address_item *addr1, address_item *addr2)
505 if (!tp->uid_set && tp->expand_uid == NULL && !tp->deliver_as_creator)
507 if (testflag(addr1, af_uid_set) != testflag(addr2, af_gid_set) ||
508 (testflag(addr1, af_uid_set) &&
509 (addr1->uid != addr2->uid ||
510 testflag(addr1, af_initgroups) != testflag(addr2, af_initgroups))))
514 if (!tp->gid_set && tp->expand_gid == NULL)
516 if (testflag(addr1, af_gid_set) != testflag(addr2, af_gid_set) ||
517 (testflag(addr1, af_gid_set) && addr1->gid != addr2->gid))
527 /*************************************************
528 * Record that an address is complete *
529 *************************************************/
531 /* This function records that an address is complete. This is straightforward
532 for most addresses, where the unique address is just the full address with the
533 domain lower cased. For homonyms (addresses that are the same as one of their
534 ancestors) their are complications. Their unique addresses have \x\ prepended
535 (where x = 0, 1, 2...), so that de-duplication works correctly for siblings and
538 Exim used to record the unique addresses of homonyms as "complete". This,
539 however, fails when the pattern of redirection varies over time (e.g. if taking
540 unseen copies at only some times of day) because the prepended numbers may vary
541 from one delivery run to the next. This problem is solved by never recording
542 prepended unique addresses as complete. Instead, when a homonymic address has
543 actually been delivered via a transport, we record its basic unique address
544 followed by the name of the transport. This is checked in subsequent delivery
545 runs whenever an address is routed to a transport.
547 If the completed address is a top-level one (has no parent, which means it
548 cannot be homonymic) we also add the original address to the non-recipients
549 tree, so that it gets recorded in the spool file and therefore appears as
550 "done" in any spool listings. The original address may differ from the unique
551 address in the case of the domain.
553 Finally, this function scans the list of duplicates, marks as done any that
554 match this address, and calls child_done() for their ancestors.
557 addr address item that has been completed
558 now current time as a string
564 address_done(address_item *addr, uschar *now)
568 update_spool = TRUE; /* Ensure spool gets updated */
570 /* Top-level address */
572 if (addr->parent == NULL)
574 tree_add_nonrecipient(addr->unique);
575 tree_add_nonrecipient(addr->address);
578 /* Homonymous child address */
580 else if (testflag(addr, af_homonym))
582 if (addr->transport != NULL)
584 tree_add_nonrecipient(
585 string_sprintf("%s/%s", addr->unique + 3, addr->transport->name));
589 /* Non-homonymous child address */
591 else tree_add_nonrecipient(addr->unique);
593 /* Check the list of duplicate addresses and ensure they are now marked
596 for (dup = addr_duplicate; dup != NULL; dup = dup->next)
598 if (Ustrcmp(addr->unique, dup->unique) == 0)
600 tree_add_nonrecipient(dup->address);
601 child_done(dup, now);
609 /*************************************************
610 * Decrease counts in parents and mark done *
611 *************************************************/
613 /* This function is called when an address is complete. If there is a parent
614 address, its count of children is decremented. If there are still other
615 children outstanding, the function exits. Otherwise, if the count has become
616 zero, address_done() is called to mark the parent and its duplicates complete.
617 Then loop for any earlier ancestors.
620 addr points to the completed address item
621 now the current time as a string, for writing to the message log
627 child_done(address_item *addr, uschar *now)
630 while (addr->parent != NULL)
633 if ((addr->child_count -= 1) > 0) return; /* Incomplete parent */
634 address_done(addr, now);
636 /* Log the completion of all descendents only when there is no ancestor with
637 the same original address. */
639 for (aa = addr->parent; aa != NULL; aa = aa->parent)
640 if (Ustrcmp(aa->address, addr->address) == 0) break;
641 if (aa != NULL) continue;
643 deliver_msglog("%s %s: children all complete\n", now, addr->address);
644 DEBUG(D_deliver) debug_printf("%s: children all complete\n", addr->address);
651 /*************************************************
652 * Actions at the end of handling an address *
653 *************************************************/
655 /* This is a function for processing a single address when all that can be done
656 with it has been done.
659 addr points to the address block
660 result the result of the delivery attempt
661 logflags flags for log_write() (LOG_MAIN and/or LOG_PANIC)
662 driver_type indicates which type of driver (transport, or router) was last
663 to process the address
664 logchar '=' or '-' for use when logging deliveries with => or ->
670 post_process_one(address_item *addr, int result, int logflags, int driver_type,
673 uschar *now = tod_stamp(tod_log);
674 uschar *driver_kind = NULL;
675 uschar *driver_name = NULL;
678 int size = 256; /* Used for a temporary, */
679 int ptr = 0; /* expanding buffer, for */
680 uschar *s; /* building log lines; */
681 void *reset_point; /* released afterwards. */
684 DEBUG(D_deliver) debug_printf("post-process %s (%d)\n", addr->address, result);
686 /* Set up driver kind and name for logging. Disable logging if the router or
687 transport has disabled it. */
689 if (driver_type == DTYPE_TRANSPORT)
691 if (addr->transport != NULL)
693 driver_name = addr->transport->name;
694 driver_kind = US" transport";
695 disable_logging = addr->transport->disable_logging;
697 else driver_kind = US"transporting";
699 else if (driver_type == DTYPE_ROUTER)
701 if (addr->router != NULL)
703 driver_name = addr->router->name;
704 driver_kind = US" router";
705 disable_logging = addr->router->disable_logging;
707 else driver_kind = US"routing";
710 /* If there's an error message set, ensure that it contains only printing
711 characters - it should, but occasionally things slip in and this at least
712 stops the log format from getting wrecked. */
714 if (addr->message != NULL) addr->message = string_printing(addr->message);
716 /* If we used a transport that has one of the "return_output" options set, and
717 if it did in fact generate some output, then for return_output we treat the
718 message as failed if it was not already set that way, so that the output gets
719 returned to the sender, provided there is a sender to send it to. For
720 return_fail_output, do this only if the delivery failed. Otherwise we just
721 unlink the file, and remove the name so that if the delivery failed, we don't
722 try to send back an empty or unwanted file. The log_output options operate only
725 In any case, we close the message file, because we cannot afford to leave a
726 file-descriptor for one address while processing (maybe very many) others. */
728 if (addr->return_file >= 0 && addr->return_filename != NULL)
730 BOOL return_output = FALSE;
732 fsync(addr->return_file);
734 /* If there is no output, do nothing. */
736 if (fstat(addr->return_file, &statbuf) == 0 && statbuf.st_size > 0)
738 transport_instance *tb = addr->transport;
740 /* Handle logging options */
742 if (tb->log_output || (result == FAIL && tb->log_fail_output) ||
743 (result == DEFER && tb->log_defer_output))
746 FILE *f = Ufopen(addr->return_filename, "rb");
748 log_write(0, LOG_MAIN|LOG_PANIC, "failed to open %s to log output "
749 "from %s transport: %s", addr->return_filename, tb->name,
753 s = US Ufgets(big_buffer, big_buffer_size, f);
756 uschar *p = big_buffer + Ustrlen(big_buffer);
757 while (p > big_buffer && isspace(p[-1])) p--;
759 s = string_printing(big_buffer);
760 log_write(0, LOG_MAIN, "<%s>: %s transport output: %s",
761 addr->address, tb->name, s);
767 /* Handle returning options, but only if there is an address to return
770 if (sender_address[0] != 0 || addr->p.errors_address != NULL)
772 if (tb->return_output)
774 addr->transport_return = result = FAIL;
775 if (addr->basic_errno == 0 && addr->message == NULL)
776 addr->message = US"return message generated";
777 return_output = TRUE;
780 if (tb->return_fail_output && result == FAIL) return_output = TRUE;
784 /* Get rid of the file unless it might be returned, but close it in
789 Uunlink(addr->return_filename);
790 addr->return_filename = NULL;
791 addr->return_file = -1;
794 close(addr->return_file);
797 /* Create the address string for logging. Must not do this earlier, because
798 an OK result may be changed to FAIL when a pipe returns text. */
800 log_address = string_log_address(addr,
801 (log_write_selector & L_all_parents) != 0, result == OK);
803 /* The sucess case happens only after delivery by a transport. */
807 addr->next = addr_succeed;
810 /* Call address_done() to ensure that we don't deliver to this address again,
811 and write appropriate things to the message log. If it is a child address, we
812 call child_done() to scan the ancestors and mark them complete if this is the
813 last child to complete. */
815 address_done(addr, now);
816 DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address);
818 if (addr->parent == NULL)
820 deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address,
821 driver_name, driver_kind);
825 deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address,
826 addr->parent->address, driver_name, driver_kind);
827 child_done(addr, now);
830 /* Log the delivery on the main log. We use an extensible string to build up
831 the log line, and reset the store afterwards. Remote deliveries should always
832 have a pointer to the host item that succeeded; local deliveries can have a
833 pointer to a single host item in their host list, for use by the transport. */
835 s = reset_point = store_get(size);
838 s = string_append(s, &size, &ptr, 2, US"> ", log_address);
840 if ((log_extra_selector & LX_sender_on_delivery) != 0)
841 s = string_append(s, &size, &ptr, 3, US" F=<", sender_address, US">");
843 /* You might think that the return path must always be set for a successful
844 delivery; indeed, I did for some time, until this statement crashed. The case
845 when it is not set is for a delivery to /dev/null which is optimised by not
848 if (used_return_path != NULL &&
849 (log_extra_selector & LX_return_path_on_delivery) != 0)
850 s = string_append(s, &size, &ptr, 3, US" P=<", used_return_path, US">");
852 /* For a delivery from a system filter, there may not be a router */
854 if (addr->router != NULL)
855 s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name);
857 s = string_append(s, &size, &ptr, 2, US" T=", addr->transport->name);
859 if ((log_extra_selector & LX_delivery_size) != 0)
860 s = string_append(s, &size, &ptr, 2, US" S=",
861 string_sprintf("%d", transport_count));
865 if (addr->transport->info->local)
867 if (addr->host_list != NULL)
868 s = string_append(s, &size, &ptr, 2, US" H=", addr->host_list->name);
869 if (addr->shadow_message != NULL)
870 s = string_cat(s, &size, &ptr, addr->shadow_message,
871 Ustrlen(addr->shadow_message));
874 /* Remote delivery */
878 if (addr->host_used != NULL)
880 s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name,
881 US" [", addr->host_used->address, US"]");
882 if ((log_extra_selector & LX_outgoing_port) != 0)
883 s = string_append(s, &size, &ptr, 2, US":", string_sprintf("%d",
884 addr->host_used->port));
885 if (continue_sequence > 1)
886 s = string_cat(s, &size, &ptr, US"*", 1);
890 if ((log_extra_selector & LX_tls_cipher) != 0 && addr->cipher != NULL)
891 s = string_append(s, &size, &ptr, 2, US" X=", addr->cipher);
892 if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
893 addr->cipher != NULL)
894 s = string_append(s, &size, &ptr, 2, US" CV=",
895 testflag(addr, af_cert_verified)? "yes":"no");
896 if ((log_extra_selector & LX_tls_peerdn) != 0 && addr->peerdn != NULL)
897 s = string_append(s, &size, &ptr, 3, US" DN=\"", addr->peerdn, US"\"");
900 if ((log_extra_selector & LX_smtp_confirmation) != 0 &&
901 addr->message != NULL)
904 uschar *p = big_buffer;
905 uschar *ss = addr->message;
907 for (i = 0; i < 100 && ss[i] != 0; i++)
909 if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\';
914 s = string_append(s, &size, &ptr, 2, US" C=", big_buffer);
918 /* Time on queue and actual time taken to deliver */
920 if ((log_extra_selector & LX_queue_time) != 0)
922 s = string_append(s, &size, &ptr, 2, US" QT=",
923 readconf_printtime(time(NULL) - received_time));
926 if ((log_extra_selector & LX_deliver_time) != 0)
928 s = string_append(s, &size, &ptr, 2, US" DT=",
929 readconf_printtime(addr->more_errno));
932 /* string_cat() always leaves room for the terminator. Release the
933 store we used to build the line after writing it. */
936 log_write(0, LOG_MAIN, "%s", s);
937 store_reset(reset_point);
941 /* Soft failure, or local delivery process failed; freezing may be
944 else if (result == DEFER || result == PANIC)
946 if (result == PANIC) logflags |= LOG_PANIC;
948 /* This puts them on the chain in reverse order. Do not change this, because
949 the code for handling retries assumes that the one with the retry
950 information is last. */
952 addr->next = addr_defer;
955 /* The only currently implemented special action is to freeze the
956 message. Logging of this is done later, just before the -H file is
959 if (addr->special_action == SPECIAL_FREEZE)
961 deliver_freeze = TRUE;
962 deliver_frozen_at = time(NULL);
966 /* If doing a 2-stage queue run, we skip writing to either the message
967 log or the main log for SMTP defers. */
969 if (!queue_2stage || addr->basic_errno != 0)
973 /* For errors of the type "retry time not reached" (also remotes skipped
974 on queue run), logging is controlled by L_retry_defer. Note that this kind
975 of error number is negative, and all the retry ones are less than any
978 unsigned int use_log_selector = (addr->basic_errno <= ERRNO_RETRY_BASE)?
981 /* Build up the line that is used for both the message log and the main
984 s = reset_point = store_get(size);
985 s = string_cat(s, &size, &ptr, log_address, Ustrlen(log_address));
987 /* Either driver_name contains something and driver_kind contains
988 " router" or " transport" (note the leading space), or driver_name is
989 a null string and driver_kind contains "routing" without the leading
990 space, if all routing has been deferred. When a domain has been held,
991 so nothing has been done at all, both variables contain null strings. */
993 if (driver_name == NULL)
995 if (driver_kind != NULL)
996 s = string_append(s, &size, &ptr, 2, US" ", driver_kind);
1000 if (driver_kind[1] == 't' && addr->router != NULL)
1001 s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name);
1003 ss[1] = toupper(driver_kind[1]);
1004 s = string_append(s, &size, &ptr, 2, ss, driver_name);
1007 sprintf(CS ss, " defer (%d)", addr->basic_errno);
1008 s = string_cat(s, &size, &ptr, ss, Ustrlen(ss));
1010 if (addr->basic_errno > 0)
1011 s = string_append(s, &size, &ptr, 2, US": ",
1012 US strerror(addr->basic_errno));
1014 if (addr->message != NULL)
1015 s = string_append(s, &size, &ptr, 2, US": ", addr->message);
1019 /* Log the deferment in the message log, but don't clutter it
1020 up with retry-time defers after the first delivery attempt. */
1022 if (deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
1023 deliver_msglog("%s %s\n", now, s);
1025 /* Write the main log and reset the store */
1027 log_write(use_log_selector, logflags, "== %s", s);
1028 store_reset(reset_point);
1033 /* Hard failure. If there is an address to which an error message can be sent,
1034 put this address on the failed list. If not, put it on the deferred list and
1035 freeze the mail message for human attention. The latter action can also be
1036 explicitly requested by a router or transport. */
1040 /* If this is a delivery error, or a message for which no replies are
1041 wanted, and the message's age is greater than ignore_bounce_errors_after,
1042 force the af_ignore_error flag. This will cause the address to be discarded
1043 later (with a log entry). */
1045 if (sender_address[0] == 0 && message_age >= ignore_bounce_errors_after)
1046 setflag(addr, af_ignore_error);
1048 /* Freeze the message if requested, or if this is a bounce message (or other
1049 message with null sender). However, don't freeze if errors are being ignored.
1050 The actual code to ignore occurs later, instead of sending a message. Logging
1051 of freezing occurs later, just before writing the -H file. */
1053 if (!testflag(addr, af_ignore_error) &&
1054 (addr->special_action == SPECIAL_FREEZE || sender_address[0] == 0))
1056 frozen_info = (addr->special_action == SPECIAL_FREEZE)? US"" :
1057 (sender_local && !local_error_message)?
1058 US" (message created with -f <>)" : US" (delivery error message)";
1059 deliver_freeze = TRUE;
1060 deliver_frozen_at = time(NULL);
1061 update_spool = TRUE;
1063 /* The address is put on the defer rather than the failed queue, because
1064 the message is being retained. */
1066 addr->next = addr_defer;
1070 /* Don't put the address on the nonrecipients tree yet; wait until an
1071 error message has been successfully sent. */
1075 addr->next = addr_failed;
1079 /* Build up the log line for the message and main logs */
1081 s = reset_point = store_get(size);
1082 s = string_cat(s, &size, &ptr, log_address, Ustrlen(log_address));
1084 if ((log_extra_selector & LX_sender_on_delivery) != 0)
1085 s = string_append(s, &size, &ptr, 3, US" F=<", sender_address, US">");
1087 /* Return path may not be set if no delivery actually happened */
1089 if (used_return_path != NULL &&
1090 (log_extra_selector & LX_return_path_on_delivery) != 0)
1092 s = string_append(s, &size, &ptr, 3, US" P=<", used_return_path, US">");
1095 if (addr->router != NULL)
1096 s = string_append(s, &size, &ptr, 2, US" R=", addr->router->name);
1097 if (addr->transport != NULL)
1098 s = string_append(s, &size, &ptr, 2, US" T=", addr->transport->name);
1100 if (addr->host_used != NULL)
1101 s = string_append(s, &size, &ptr, 5, US" H=", addr->host_used->name,
1102 US" [", addr->host_used->address, US"]");
1104 if (addr->basic_errno > 0)
1105 s = string_append(s, &size, &ptr, 2, US": ",
1106 US strerror(addr->basic_errno));
1108 if (addr->message != NULL)
1109 s = string_append(s, &size, &ptr, 2, US": ", addr->message);
1113 /* Do the logging. For the message log, "routing failed" for those cases,
1114 just to make it clearer. */
1116 if (driver_name == NULL)
1117 deliver_msglog("%s %s failed for %s\n", now, driver_kind, s);
1119 deliver_msglog("%s %s\n", now, s);
1121 log_write(0, LOG_MAIN, "** %s", s);
1122 store_reset(reset_point);
1125 /* Ensure logging is turned on again in all cases */
1127 disable_logging = FALSE;
1133 /*************************************************
1134 * Address-independent error *
1135 *************************************************/
1137 /* This function is called when there's an error that is not dependent on a
1138 particular address, such as an expansion string failure. It puts the error into
1139 all the addresses in a batch, logs the incident on the main and panic logs, and
1140 clears the expansions. It is mostly called from local_deliver(), but can be
1141 called for a remote delivery via findugid().
1144 logit TRUE if (MAIN+PANIC) logging required
1145 addr the first of the chain of addresses
1147 format format string for error message, or NULL if already set in addr
1148 ... arguments for the format
1154 common_error(BOOL logit, address_item *addr, int code, uschar *format, ...)
1156 address_item *addr2;
1157 addr->basic_errno = code;
1163 va_start(ap, format);
1164 if (!string_vformat(buffer, sizeof(buffer), CS format, ap))
1165 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1166 "common_error expansion was longer than %d", sizeof(buffer));
1168 addr->message = string_copy(buffer);
1171 for (addr2 = addr->next; addr2 != NULL; addr2 = addr2->next)
1173 addr2->basic_errno = code;
1174 addr2->message = addr->message;
1177 if (logit) log_write(0, LOG_MAIN|LOG_PANIC, "%s", addr->message);
1178 deliver_set_expansions(NULL);
1184 /*************************************************
1185 * Check a "never users" list *
1186 *************************************************/
1188 /* This function is called to check whether a uid is on one of the two "never
1192 uid the uid to be checked
1193 nusers the list to be scanned; the first item in the list is the count
1195 Returns: TRUE if the uid is on the list
1199 check_never_users(uid_t uid, uid_t *nusers)
1202 if (nusers == NULL) return FALSE;
1203 for (i = 1; i <= (int)(nusers[0]); i++) if (nusers[i] == uid) return TRUE;
1209 /*************************************************
1210 * Find uid and gid for a transport *
1211 *************************************************/
1213 /* This function is called for both local and remote deliveries, to find the
1214 uid/gid under which to run the delivery. The values are taken preferentially
1215 from the transport (either explicit or deliver_as_creator), then from the
1216 address (i.e. the router), and if nothing is set, the exim uid/gid are used. If
1217 the resulting uid is on the "never_users" or the "fixed_never_users" list, a
1218 panic error is logged, and the function fails (which normally leads to delivery
1222 addr the address (possibly a chain)
1224 uidp pointer to uid field
1225 gidp pointer to gid field
1226 igfp pointer to the use_initgroups field
1228 Returns: FALSE if failed - error has been set in address(es)
1232 findugid(address_item *addr, transport_instance *tp, uid_t *uidp, gid_t *gidp,
1235 uschar *nuname = NULL;
1236 BOOL gid_set = FALSE;
1238 /* Default initgroups flag comes from the transport */
1240 *igfp = tp->initgroups;
1242 /* First see if there's a gid on the transport, either fixed or expandable.
1243 The expanding function always logs failure itself. */
1250 else if (tp->expand_gid != NULL)
1252 if (route_find_expanded_group(tp->expand_gid, tp->name, US"transport", gidp,
1253 &(addr->message))) gid_set = TRUE;
1256 common_error(FALSE, addr, ERRNO_GIDFAIL, NULL);
1261 /* Pick up a uid from the transport if one is set. */
1263 if (tp->uid_set) *uidp = tp->uid;
1265 /* Otherwise, try for an expandable uid field. If it ends up as a numeric id,
1266 it does not provide a passwd value from which a gid can be taken. */
1268 else if (tp->expand_uid != NULL)
1271 if (!route_find_expanded_user(tp->expand_uid, tp->name, US"transport", &pw,
1272 uidp, &(addr->message)))
1274 common_error(FALSE, addr, ERRNO_UIDFAIL, NULL);
1277 if (!gid_set && pw != NULL)
1284 /* If the transport doesn't set the uid, test the deliver_as_creator flag. */
1286 else if (tp->deliver_as_creator)
1288 *uidp = originator_uid;
1291 *gidp = originator_gid;
1296 /* Otherwise see if the address specifies the uid and if so, take its
1297 initgroups flag. The gid from the address is taken only if the transport hasn't
1298 set it. In other words, a gid on the transport overrides the gid on the
1301 else if (testflag(addr, af_uid_set))
1304 *igfp = testflag(addr, af_initgroups);
1312 /* Nothing has specified the uid - default to the Exim user, and group if the
1325 /* If no gid is set, it is a disaster. */
1329 common_error(TRUE, addr, ERRNO_GIDFAIL, US"User set without group for "
1330 "%s transport", tp->name);
1334 /* Check that the uid is not on the lists of banned uids that may not be used
1335 for delivery processes. */
1337 if (check_never_users(*uidp, never_users))
1338 nuname = US"never_users";
1339 else if (check_never_users(*uidp, fixed_never_users))
1340 nuname = US"fixed_never_users";
1344 common_error(TRUE, addr, ERRNO_UIDFAIL, US"User %ld set for %s transport "
1345 "is on the %s list", (long int)(*uidp), tp->name, nuname);
1357 /*************************************************
1358 * Check the size of a message for a transport *
1359 *************************************************/
1361 /* Checks that the message isn't too big for the selected transport.
1362 This is called only when it is known that the limit is set.
1366 addr the (first) address being delivered
1369 DEFER expansion failed or did not yield an integer
1370 FAIL message too big
1374 check_message_size(transport_instance *tp, address_item *addr)
1379 deliver_set_expansions(addr);
1380 size_limit = expand_string_integer(tp->message_size_limit);
1381 deliver_set_expansions(NULL);
1386 if (size_limit == -1)
1387 addr->message = string_sprintf("failed to expand message_size_limit "
1388 "in %s transport: %s", tp->name, expand_string_message);
1390 addr->message = string_sprintf("invalid message_size_limit "
1391 "in %s transport: %s", tp->name, expand_string_message);
1393 else if (size_limit > 0 && message_size > size_limit)
1397 string_sprintf("message is too big (transport limit = %d)",
1406 /*************************************************
1407 * Transport-time check for a previous delivery *
1408 *************************************************/
1410 /* Check that this base address hasn't previously been delivered to its routed
1411 transport. The check is necessary at delivery time in order to handle homonymic
1412 addresses correctly in cases where the pattern of redirection changes between
1413 delivery attempts (so the unique fields change). Non-homonymic previous
1414 delivery is detected earlier, at routing time (which saves unnecessary
1417 Argument: the address item
1418 Returns: TRUE if previously delivered by the transport
1422 previously_transported(address_item *addr)
1424 (void)string_format(big_buffer, big_buffer_size, "%s/%s",
1425 addr->unique + (testflag(addr, af_homonym)? 3:0), addr->transport->name);
1427 if (tree_search(tree_nonrecipients, big_buffer) != 0)
1429 DEBUG(D_deliver|D_route|D_transport)
1430 debug_printf("%s was previously delivered (%s transport): discarded\n",
1431 addr->address, addr->transport->name);
1432 child_done(addr, tod_stamp(tod_log));
1442 /*************************************************
1443 * Perform a local delivery *
1444 *************************************************/
1446 /* Each local delivery is performed in a separate process which sets its
1447 uid and gid as specified. This is a safer way than simply changing and
1448 restoring using seteuid(); there is a body of opinion that seteuid() cannot be
1449 used safely. From release 4, Exim no longer makes any use of it. Besides, not
1450 all systems have seteuid().
1452 If the uid/gid are specified in the transport_instance, they are used; the
1453 transport initialization must ensure that either both or neither are set.
1454 Otherwise, the values associated with the address are used. If neither are set,
1455 it is a configuration error.
1457 The transport or the address may specify a home directory (transport over-
1458 rides), and if they do, this is set as $home. If neither have set a working
1459 directory, this value is used for that as well. Otherwise $home is left unset
1460 and the cwd is set to "/" - a directory that should be accessible to all users.
1462 Using a separate process makes it more complicated to get error information
1463 back. We use a pipe to pass the return code and also an error code and error
1464 text string back to the parent process.
1467 addr points to an address block for this delivery; for "normal" local
1468 deliveries this is the only address to be delivered, but for
1469 pseudo-remote deliveries (e.g. by batch SMTP to a file or pipe)
1470 a number of addresses can be handled simultaneously, and in this
1471 case addr will point to a chain of addresses with the same
1474 shadowing TRUE if running a shadow transport; this causes output from pipes
1481 deliver_local(address_item *addr, BOOL shadowing)
1483 BOOL use_initgroups;
1486 int status, len, rc;
1489 uschar *working_directory;
1490 address_item *addr2;
1491 transport_instance *tp = addr->transport;
1493 /* Set up the return path from the errors or sender address. If the transport
1494 has its own return path setting, expand it and replace the existing value. */
1496 return_path = (addr->p.errors_address != NULL)?
1497 addr->p.errors_address : sender_address;
1499 if (tp->return_path != NULL)
1501 uschar *new_return_path = expand_string(tp->return_path);
1502 if (new_return_path == NULL)
1504 if (!expand_string_forcedfail)
1506 common_error(TRUE, addr, ERRNO_EXPANDFAIL,
1507 US"Failed to expand return path \"%s\" in %s transport: %s",
1508 tp->return_path, tp->name, expand_string_message);
1512 else return_path = new_return_path;
1515 /* For local deliveries, one at a time, the value used for logging can just be
1516 set directly, once and for all. */
1518 used_return_path = return_path;
1520 /* Sort out the uid, gid, and initgroups flag. If an error occurs, the message
1521 gets put into the address(es), and the expansions are unset, so we can just
1524 if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) return;
1526 /* See if either the transport or the address specifies a home and/or a current
1527 working directory. Expand it if necessary. If nothing is set, use "/", for the
1528 working directory, which is assumed to be a directory to which all users have
1529 access. It is necessary to be in a visible directory for some operating systems
1530 when running pipes, as some commands (e.g. "rm" under Solaris 2.5) require
1533 deliver_home = (tp->home_dir != NULL)? tp->home_dir :
1534 (addr->home_dir != NULL)? addr->home_dir : NULL;
1536 if (deliver_home != NULL && !testflag(addr, af_home_expanded))
1538 uschar *rawhome = deliver_home;
1539 deliver_home = NULL; /* in case it contains $home */
1540 deliver_home = expand_string(rawhome);
1541 if (deliver_home == NULL)
1543 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"home directory \"%s\" failed "
1544 "to expand for %s transport: %s", rawhome, tp->name,
1545 expand_string_message);
1548 if (*deliver_home != '/')
1550 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"home directory path \"%s\" "
1551 "is not absolute for %s transport", deliver_home, tp->name);
1556 working_directory = (tp->current_dir != NULL)? tp->current_dir :
1557 (addr->current_dir != NULL)? addr->current_dir : NULL;
1559 if (working_directory != NULL)
1561 uschar *raw = working_directory;
1562 working_directory = expand_string(raw);
1563 if (working_directory == NULL)
1565 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"current directory \"%s\" "
1566 "failed to expand for %s transport: %s", raw, tp->name,
1567 expand_string_message);
1570 if (*working_directory != '/')
1572 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"current directory path "
1573 "\"%s\" is not absolute for %s transport", working_directory, tp->name);
1577 else working_directory = (deliver_home == NULL)? US"/" : deliver_home;
1579 /* If one of the return_output flags is set on the transport, create and open a
1580 file in the message log directory for the transport to write its output onto.
1581 This is mainly used by pipe transports. The file needs to be unique to the
1582 address. This feature is not available for shadow transports. */
1584 if (!shadowing && (tp->return_output || tp->return_fail_output ||
1585 tp->log_output || tp->log_fail_output))
1588 addr->return_filename =
1589 string_sprintf("%s/msglog/%s/%s-%d-%d", spool_directory, message_subdir,
1590 message_id, getpid(), return_count++);
1591 addr->return_file = open_msglog_file(addr->return_filename, 0400, &error);
1592 if (addr->return_file < 0)
1594 common_error(TRUE, addr, errno, US"Unable to %s file for %s transport "
1595 "to return message: %s", error, tp->name, strerror(errno));
1600 /* Create the pipe for inter-process communication. */
1604 common_error(TRUE, addr, ERRNO_PIPEFAIL, US"Creation of pipe failed: %s",
1609 /* Now fork the process to do the real work in the subprocess, but first
1610 ensure that all cached resources are freed so that the subprocess starts with
1611 a clean slate and doesn't interfere with the parent process. */
1615 if ((pid = fork()) == 0)
1617 BOOL replicate = TRUE;
1619 /* Prevent core dumps, as we don't want them in users' home directories.
1620 HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that
1621 system. Some experimental/developing systems (e.g. GNU/Hurd) may define
1622 RLIMIT_CORE but not support it in setrlimit(). For such systems, do not
1623 complain if the error is "not supported". */
1629 if (setrlimit(RLIMIT_CORE, &rl) < 0)
1631 #ifdef SETRLIMIT_NOT_SUPPORTED
1632 if (errno != ENOSYS && errno != ENOTSUP)
1634 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_CORE) failed: %s",
1639 /* Reset the random number generator, so different processes don't all
1640 have the same sequence. */
1644 /* If the transport has a setup entry, call this first, while still
1645 privileged. (Appendfile uses this to expand quota, for example, while
1646 able to read private files.) */
1648 if (addr->transport->setup != NULL)
1650 switch((addr->transport->setup)(addr->transport, addr, NULL,
1654 addr->transport_return = DEFER;
1658 addr->transport_return = PANIC;
1663 /* Ignore SIGINT and SIGTERM during delivery. Also ignore SIGUSR1, as
1664 when the process becomes unprivileged, it won't be able to write to the
1665 process log. SIGHUP is ignored throughout exim, except when it is being
1668 signal(SIGINT, SIG_IGN);
1669 signal(SIGTERM, SIG_IGN);
1670 signal(SIGUSR1, SIG_IGN);
1672 /* Close the unwanted half of the pipe, and set close-on-exec for the other
1673 half - for transports that exec things (e.g. pipe). Then set the required
1676 close(pfd[pipe_read]);
1677 fcntl(pfd[pipe_write], F_SETFD, fcntl(pfd[pipe_write], F_GETFD) |
1679 exim_setugid(uid, gid, use_initgroups,
1680 string_sprintf("local delivery to %s <%s> transport=%s", addr->local_part,
1681 addr->address, addr->transport->name));
1685 address_item *batched;
1686 debug_printf(" home=%s current=%s\n", deliver_home, working_directory);
1687 for (batched = addr->next; batched != NULL; batched = batched->next)
1688 debug_printf("additional batched address: %s\n", batched->address);
1691 /* Set an appropriate working directory. */
1693 if (Uchdir(working_directory) < 0)
1695 addr->transport_return = DEFER;
1696 addr->basic_errno = errno;
1697 addr->message = string_sprintf("failed to chdir to %s", working_directory);
1700 /* If successful, call the transport */
1705 set_process_info("delivering %s to %s using %s", message_id,
1706 addr->local_part, addr->transport->name);
1708 /* If a transport filter has been specified, set up its argument list.
1709 Any errors will get put into the address, and FALSE yielded. */
1711 if (addr->transport->filter_command != NULL)
1713 ok = transport_set_up_command(&transport_filter_argv,
1714 addr->transport->filter_command,
1715 TRUE, PANIC, addr, US"transport filter", NULL);
1716 transport_filter_timeout = addr->transport->filter_timeout;
1718 else transport_filter_argv = NULL;
1722 debug_print_string(addr->transport->debug_string);
1723 replicate = !(addr->transport->info->code)(addr->transport, addr);
1727 /* Pass the results back down the pipe. If necessary, first replicate the
1728 status in the top address to the others in the batch. The label is the
1729 subject of a goto when a call to the transport's setup function fails. We
1730 pass the pointer to the transport back in case it got changed as a result of
1731 file_format in appendfile. */
1735 if (replicate) replicate_status(addr);
1736 for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
1739 int local_part_length = Ustrlen(addr2->local_part);
1742 write(pfd[pipe_write], (void *)&(addr2->transport_return), sizeof(int));
1743 write(pfd[pipe_write], (void *)&transport_count, sizeof(transport_count));
1744 write(pfd[pipe_write], (void *)&(addr2->flags), sizeof(addr2->flags));
1745 write(pfd[pipe_write], (void *)&(addr2->basic_errno), sizeof(int));
1746 write(pfd[pipe_write], (void *)&(addr2->more_errno), sizeof(int));
1747 write(pfd[pipe_write], (void *)&(addr2->special_action), sizeof(int));
1748 write(pfd[pipe_write], (void *)&(addr2->transport),
1749 sizeof(transport_instance *));
1751 /* For a file delivery, pass back the local part, in case the original
1752 was only part of the final delivery path. This gives more complete
1755 if (testflag(addr2, af_file))
1757 write(pfd[pipe_write], (void *)&local_part_length, sizeof(int));
1758 write(pfd[pipe_write], addr2->local_part, local_part_length);
1761 /* Now any messages */
1763 for (i = 0, s = addr2->message; i < 2; i++, s = addr2->user_message)
1765 int message_length = (s == NULL)? 0 : Ustrlen(s) + 1;
1766 write(pfd[pipe_write], (void *)&message_length, sizeof(int));
1767 if (message_length > 0) write(pfd[pipe_write], s, message_length);
1771 /* OK, this process is now done. Free any cached resources that it opened,
1772 and close the pipe we were writing down before exiting. */
1774 close(pfd[pipe_write]);
1779 /* Back in the main process: panic if the fork did not succeed. This seems
1780 better than returning an error - if forking is failing it is probably best
1781 not to try other deliveries for this message. */
1784 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Fork failed for local delivery to %s",
1787 /* Read the pipe to get the delivery status codes and error messages. Our copy
1788 of the writing end must be closed first, as otherwise read() won't return zero
1789 on an empty pipe. We check that a status exists for each address before
1790 overwriting the address structure. If data is missing, the default DEFER status
1791 will remain. Afterwards, close the reading end. */
1793 close(pfd[pipe_write]);
1795 for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
1797 len = read(pfd[pipe_read], (void *)&status, sizeof(int));
1803 addr2->transport_return = status;
1804 len = read(pfd[pipe_read], (void *)&transport_count,
1805 sizeof(transport_count));
1806 len = read(pfd[pipe_read], (void *)&(addr2->flags), sizeof(addr2->flags));
1807 len = read(pfd[pipe_read], (void *)&(addr2->basic_errno), sizeof(int));
1808 len = read(pfd[pipe_read], (void *)&(addr2->more_errno), sizeof(int));
1809 len = read(pfd[pipe_read], (void *)&(addr2->special_action), sizeof(int));
1810 len = read(pfd[pipe_read], (void *)&(addr2->transport),
1811 sizeof(transport_instance *));
1813 if (testflag(addr2, af_file))
1815 int local_part_length;
1816 len = read(pfd[pipe_read], (void *)&local_part_length, sizeof(int));
1817 len = read(pfd[pipe_read], (void *)big_buffer, local_part_length);
1818 big_buffer[local_part_length] = 0;
1819 addr2->local_part = string_copy(big_buffer);
1822 for (i = 0, sptr = &(addr2->message); i < 2;
1823 i++, sptr = &(addr2->user_message))
1826 len = read(pfd[pipe_read], (void *)&message_length, sizeof(int));
1827 if (message_length > 0)
1829 len = read(pfd[pipe_read], (void *)big_buffer, message_length);
1830 if (len > 0) *sptr = string_copy(big_buffer);
1837 log_write(0, LOG_MAIN|LOG_PANIC, "failed to read delivery status for %s "
1838 "from delivery subprocess", addr2->unique);
1843 close(pfd[pipe_read]);
1845 /* Unless shadowing, write all successful addresses immediately to the journal
1846 file, to ensure they are recorded asap. For homonymic addresses, use the base
1847 address plus the transport name. Failure to write the journal is panic-worthy,
1848 but don't stop, as it may prove possible subsequently to update the spool file
1849 in order to record the delivery. */
1853 for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
1855 if (addr2->transport_return != OK) continue;
1857 if (testflag(addr2, af_homonym))
1858 sprintf(CS big_buffer, "%.500s/%s\n", addr2->unique + 3, tp->name);
1860 sprintf(CS big_buffer, "%.500s\n", addr2->unique);
1862 /* In the test harness, wait just a bit to let the subprocess finish off
1863 any debug output etc first. */
1865 if (running_in_test_harness) millisleep(300);
1867 DEBUG(D_deliver) debug_printf("journalling %s", big_buffer);
1868 len = Ustrlen(big_buffer);
1869 if (write(journal_fd, big_buffer, len) != len)
1870 log_write(0, LOG_MAIN|LOG_PANIC, "failed to update journal for %s: %s",
1871 big_buffer, strerror(errno));
1874 /* Ensure the journal file is pushed out to disk. */
1876 if (fsync(journal_fd) < 0)
1877 log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s",
1881 /* Wait for the process to finish. If it terminates with a non-zero code,
1882 freeze the message (except for SIGTERM, SIGKILL and SIGQUIT), but leave the
1883 status values of all the addresses as they are. Take care to handle the case
1884 when the subprocess doesn't seem to exist. This has been seen on one system
1885 when Exim was called from an MUA that set SIGCHLD to SIG_IGN. When that
1886 happens, wait() doesn't recognize the termination of child processes. Exim now
1887 resets SIGCHLD to SIG_DFL, but this code should still be robust. */
1889 while ((rc = wait(&status)) != pid)
1891 if (rc < 0 && errno == ECHILD) /* Process has vanished */
1893 log_write(0, LOG_MAIN, "%s transport process vanished unexpectedly",
1894 addr->transport->driver_name);
1900 if ((status & 0xffff) != 0)
1902 int msb = (status >> 8) & 255;
1903 int lsb = status & 255;
1904 int code = (msb == 0)? (lsb & 0x7f) : msb;
1905 if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
1906 addr->special_action = SPECIAL_FREEZE;
1907 log_write(0, LOG_MAIN|LOG_PANIC, "%s transport process returned non-zero "
1908 "status 0x%04x: %s %d",
1909 addr->transport->driver_name,
1911 (msb == 0)? "terminated by signal" : "exit code",
1915 /* If SPECIAL_WARN is set in the top address, send a warning message. */
1917 if (addr->special_action == SPECIAL_WARN &&
1918 addr->transport->warn_message != NULL)
1921 uschar *warn_message;
1923 DEBUG(D_deliver) debug_printf("Warning message requested by transport\n");
1925 warn_message = expand_string(addr->transport->warn_message);
1926 if (warn_message == NULL)
1927 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand \"%s\" (warning "
1928 "message for %s transport): %s", addr->transport->warn_message,
1929 addr->transport->name, expand_string_message);
1932 pid_t pid = child_open_exim(&fd);
1935 FILE *f = fdopen(fd, "wb");
1937 if (errors_reply_to != NULL)
1938 fprintf(f, "Reply-To: %s\n", errors_reply_to);
1939 fprintf(f, "Auto-Submitted: auto-generated\n");
1940 fprintf(f, "From: Mail Delivery System <Mailer-Daemon@%s>\n",
1941 qualify_domain_sender);
1942 fprintf(f, "%s", CS warn_message);
1944 /* Close and wait for child process to complete, without a timeout. */
1947 (void)child_close(pid, 0);
1951 addr->special_action = SPECIAL_NONE;
1957 /*************************************************
1958 * Do local deliveries *
1959 *************************************************/
1961 /* This function processes the list of addresses in addr_local. True local
1962 deliveries are always done one address at a time. However, local deliveries can
1963 be batched up in some cases. Typically this is when writing batched SMTP output
1964 files for use by some external transport mechanism, or when running local
1965 deliveries over LMTP.
1972 do_local_deliveries(void)
1975 open_db *dbm_file = NULL;
1976 time_t now = time(NULL);
1978 /* Loop until we have exhausted the supply of local deliveries */
1980 while (addr_local != NULL)
1982 time_t delivery_start;
1984 address_item *addr2, *addr3, *nextaddr;
1985 int logflags = LOG_MAIN;
1986 int logchar = dont_deliver? '*' : '=';
1987 transport_instance *tp;
1989 /* Pick the first undelivered address off the chain */
1991 address_item *addr = addr_local;
1992 addr_local = addr->next;
1995 DEBUG(D_deliver|D_transport)
1996 debug_printf("--------> %s <--------\n", addr->address);
1998 /* An internal disaster if there is no transport. Should not occur! */
2000 if ((tp = addr->transport) == NULL)
2002 logflags |= LOG_PANIC;
2003 disable_logging = FALSE; /* Jic */
2005 (addr->router != NULL)?
2006 string_sprintf("No transport set by %s router", addr->router->name)
2008 string_sprintf("No transport set by system filter");
2009 post_process_one(addr, DEFER, logflags, DTYPE_TRANSPORT, 0);
2013 /* Check that this base address hasn't previously been delivered to this
2014 transport. The check is necessary at this point to handle homonymic addresses
2015 correctly in cases where the pattern of redirection changes between delivery
2016 attempts. Non-homonymic previous delivery is detected earlier, at routing
2019 if (previously_transported(addr)) continue;
2021 /* There are weird cases where logging is disabled */
2023 disable_logging = tp->disable_logging;
2025 /* Check for batched addresses and possible amalgamation. File deliveries can
2026 never be batched. Skip all the work if either batch_max <= 1 or there aren't
2027 any other addresses for local delivery. */
2029 if (!testflag(addr, af_file) && tp->batch_max > 1 && addr_local != NULL)
2031 int batch_count = 1;
2032 BOOL uses_dom = readconf_depends((driver_instance *)tp, US"domain");
2033 BOOL uses_lp = readconf_depends((driver_instance *)tp, US"local_part");
2034 uschar *batch_id = NULL;
2035 address_item **anchor = &addr_local;
2036 address_item *last = addr;
2039 /* Expand the batch_id string for comparison with other addresses.
2040 Expansion failure suppresses batching. */
2042 if (tp->batch_id != NULL)
2044 deliver_set_expansions(addr);
2045 batch_id = expand_string(tp->batch_id);
2046 deliver_set_expansions(NULL);
2047 if (batch_id == NULL)
2049 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2050 "in %s transport (%s): %s", tp->name, addr->address,
2051 expand_string_message);
2052 batch_count = tp->batch_max;
2056 /* Until we reach the batch_max limit, pick off addresses which have the
2057 same characteristics. These are:
2060 same local part if the transport's configuration contains $local_part
2061 same domain if the transport's configuration contains $domain
2063 same additional headers
2064 same headers to be removed
2065 same uid/gid for running the transport
2066 same first host if a host list is set
2069 while ((next = *anchor) != NULL && batch_count < tp->batch_max)
2072 tp == next->transport &&
2073 (!uses_lp || Ustrcmp(next->local_part, addr->local_part) == 0) &&
2074 (!uses_dom || Ustrcmp(next->domain, addr->domain) == 0) &&
2075 same_strings(next->p.errors_address, addr->p.errors_address) &&
2076 same_headers(next->p.extra_headers, addr->p.extra_headers) &&
2077 same_strings(next->p.remove_headers, addr->p.remove_headers) &&
2078 same_ugid(tp, addr, next) &&
2079 ((addr->host_list == NULL && next->host_list == NULL) ||
2080 (addr->host_list != NULL && next->host_list != NULL &&
2081 Ustrcmp(addr->host_list->name, next->host_list->name) == 0));
2083 /* If the transport has a batch_id setting, batch_id will be non-NULL
2084 from the expansion outside the loop. Expand for this address and compare.
2085 Expansion failure makes this address ineligible for batching. */
2087 if (ok && batch_id != NULL)
2090 address_item *save_nextnext = next->next;
2091 next->next = NULL; /* Expansion for a single address */
2092 deliver_set_expansions(next);
2093 next->next = save_nextnext;
2094 bid = expand_string(tp->batch_id);
2095 deliver_set_expansions(NULL);
2098 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2099 "in %s transport (%s): %s", tp->name, next->address,
2100 expand_string_message);
2103 else ok = (Ustrcmp(batch_id, bid) == 0);
2106 /* Take address into batch if OK. */
2110 *anchor = next->next; /* Include the address */
2116 else anchor = &(next->next); /* Skip the address */
2120 /* We now have one or more addresses that can be delivered in a batch. Check
2121 whether the transport is prepared to accept a message of this size. If not,
2122 fail them all forthwith. If the expansion fails, or does not yield an
2123 integer, defer delivery. */
2125 if (tp->message_size_limit != NULL)
2127 int rc = check_message_size(tp, addr);
2130 replicate_status(addr);
2131 while (addr != NULL)
2134 post_process_one(addr, rc, logflags, DTYPE_TRANSPORT, 0);
2137 continue; /* With next batch of addresses */
2141 /* If we are not running the queue, or if forcing, all deliveries will be
2142 attempted. Otherwise, we must respect the retry times for each address. Even
2143 when not doing this, we need to set up the retry key string, and determine
2144 whether a retry record exists, because after a successful delivery, a delete
2145 retry item must be set up. Keep the retry database open only for the duration
2146 of these checks, rather than for all local deliveries, because some local
2147 deliveries (e.g. to pipes) can take a substantial time. */
2149 dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE);
2150 if (dbm_file == NULL)
2152 DEBUG(D_deliver|D_retry|D_hints_lookup)
2153 debug_printf("no retry data available\n");
2158 while (addr2 != NULL)
2160 BOOL ok = TRUE; /* to deliver this address */
2163 /* Set up the retry key to include the domain or not, and change its
2164 leading character from "R" to "T". Must make a copy before doing this,
2165 because the old key may be pointed to from a "delete" retry item after
2168 retry_key = string_copy(
2169 (tp->retry_use_local_part)? addr2->address_retry_key :
2170 addr2->domain_retry_key);
2173 /* Inspect the retry data. If there is no hints file, delivery happens. */
2175 if (dbm_file != NULL)
2177 dbdata_retry *retry_record = dbfn_read(dbm_file, retry_key);
2179 /* If there is no retry record, delivery happens. If there is,
2180 remember it exists so it can be deleted after a successful delivery. */
2182 if (retry_record != NULL)
2184 setflag(addr2, af_lt_retry_exists);
2186 /* A retry record exists for this address. If queue running and not
2187 forcing, inspect its contents. If the record is too old, or if its
2188 retry time has come, or if it has passed its cutoff time, delivery
2193 debug_printf("retry record exists: age=%d (max=%d)\n",
2194 (int)(now - retry_record->time_stamp), retry_data_expire);
2195 debug_printf(" time to retry = %d expired = %d\n",
2196 (int)(now - retry_record->next_try), retry_record->expired);
2199 if (queue_running && !deliver_force)
2201 ok = (now - retry_record->time_stamp > retry_data_expire) ||
2202 (now >= retry_record->next_try) ||
2203 retry_record->expired;
2205 /* If we haven't reached the retry time, there is one more check
2206 to do, which is for the ultimate address timeout. */
2210 retry_config *retry =
2211 retry_find_config(retry_key+2, addr2->domain,
2212 retry_record->basic_errno,
2213 retry_record->more_errno);
2215 DEBUG(D_deliver|D_retry)
2216 debug_printf("retry time not reached for %s: "
2217 "checking ultimate address timeout\n", addr2->address);
2219 if (retry != NULL && retry->rules != NULL)
2221 retry_rule *last_rule;
2222 for (last_rule = retry->rules;
2223 last_rule->next != NULL;
2224 last_rule = last_rule->next);
2225 if (now - received_time > last_rule->timeout) ok = TRUE;
2227 else ok = TRUE; /* No rule => timed out */
2229 DEBUG(D_deliver|D_retry)
2231 if (ok) debug_printf("on queue longer than maximum retry for "
2232 "address - allowing delivery\n");
2237 else DEBUG(D_retry) debug_printf("no retry record exists\n");
2240 /* This address is to be delivered. Leave it on the chain. */
2245 addr2 = addr2->next;
2248 /* This address is to be deferred. Take it out of the chain, and
2249 post-process it as complete. Must take it out of the chain first,
2250 because post processing puts it on another chain. */
2254 address_item *this = addr2;
2255 this->message = US"Retry time not yet reached";
2256 this->basic_errno = ERRNO_LRETRY;
2257 if (addr3 == NULL) addr2 = addr = addr2->next;
2258 else addr2 = addr3->next = addr2->next;
2259 post_process_one(this, DEFER, logflags, DTYPE_TRANSPORT, 0);
2263 if (dbm_file != NULL) dbfn_close(dbm_file);
2265 /* If there are no addresses left on the chain, they all deferred. Loop
2266 for the next set of addresses. */
2268 if (addr == NULL) continue;
2270 /* So, finally, we do have some addresses that can be passed to the
2271 transport. Before doing so, set up variables that are relevant to a
2274 deliver_set_expansions(addr);
2275 delivery_start = time(NULL);
2276 deliver_local(addr, FALSE);
2277 deliver_time = (int)(time(NULL) - delivery_start);
2279 /* If a shadow transport (which must perforce be another local transport), is
2280 defined, and its condition is met, we must pass the message to the shadow
2281 too, but only those addresses that succeeded. We do this by making a new
2282 chain of addresses - also to keep the original chain uncontaminated. We must
2283 use a chain rather than doing it one by one, because the shadow transport may
2286 NOTE: if the condition fails because of a lookup defer, there is nothing we
2289 if (tp->shadow != NULL &&
2290 (tp->shadow_condition == NULL ||
2291 expand_check_condition(tp->shadow_condition, tp->name, US"transport")))
2293 transport_instance *stp;
2294 address_item *shadow_addr = NULL;
2295 address_item **last = &shadow_addr;
2297 for (stp = transports; stp != NULL; stp = stp->next)
2298 if (Ustrcmp(stp->name, tp->shadow) == 0) break;
2301 log_write(0, LOG_MAIN|LOG_PANIC, "shadow transport \"%s\" not found ",
2304 /* Pick off the addresses that have succeeded, and make clones. Put into
2305 the shadow_message field a pointer to the shadow_message field of the real
2308 else for (addr2 = addr; addr2 != NULL; addr2 = addr2->next)
2310 if (addr2->transport_return != OK) continue;
2311 addr3 = store_get(sizeof(address_item));
2314 addr3->shadow_message = (uschar *)(&(addr2->shadow_message));
2315 addr3->transport = stp;
2316 addr3->transport_return = DEFER;
2317 addr3->return_filename = NULL;
2318 addr3->return_file = -1;
2320 last = &(addr3->next);
2323 /* If we found any addresses to shadow, run the delivery, and stick any
2324 message back into the shadow_message field in the original. */
2326 if (shadow_addr != NULL)
2328 int save_count = transport_count;
2330 DEBUG(D_deliver|D_transport)
2331 debug_printf(">>>>>>>>>>>>>>>> Shadow delivery >>>>>>>>>>>>>>>>\n");
2332 deliver_local(shadow_addr, TRUE);
2334 for(; shadow_addr != NULL; shadow_addr = shadow_addr->next)
2336 int sresult = shadow_addr->transport_return;
2337 *((uschar **)(shadow_addr->shadow_message)) = (sresult == OK)?
2338 string_sprintf(" ST=%s", stp->name) :
2339 string_sprintf(" ST=%s (%s%s%s)", stp->name,
2340 (shadow_addr->basic_errno <= 0)?
2341 US"" : US strerror(shadow_addr->basic_errno),
2342 (shadow_addr->basic_errno <= 0 || shadow_addr->message == NULL)?
2344 (shadow_addr->message != NULL)? shadow_addr->message :
2345 (shadow_addr->basic_errno <= 0)? US"unknown error" : US"");
2347 DEBUG(D_deliver|D_transport)
2348 debug_printf("%s shadow transport returned %s for %s\n",
2350 (sresult == OK)? "OK" :
2351 (sresult == DEFER)? "DEFER" :
2352 (sresult == FAIL)? "FAIL" :
2353 (sresult == PANIC)? "PANIC" : "?",
2354 shadow_addr->address);
2357 DEBUG(D_deliver|D_transport)
2358 debug_printf(">>>>>>>>>>>>>>>> End shadow delivery >>>>>>>>>>>>>>>>\n");
2360 transport_count = save_count; /* Restore original transport count */
2364 /* Cancel the expansions that were set up for the delivery. */
2366 deliver_set_expansions(NULL);
2368 /* Now we can process the results of the real transport. We must take each
2369 address off the chain first, because post_process_one() puts it on another
2372 for (addr2 = addr; addr2 != NULL; addr2 = nextaddr)
2374 int result = addr2->transport_return;
2375 nextaddr = addr2->next;
2377 DEBUG(D_deliver|D_transport)
2378 debug_printf("%s transport returned %s for %s\n",
2380 (result == OK)? "OK" :
2381 (result == DEFER)? "DEFER" :
2382 (result == FAIL)? "FAIL" :
2383 (result == PANIC)? "PANIC" : "?",
2386 /* If there is a retry_record, or if delivery is deferred, build a retry
2387 item for setting a new retry time or deleting the old retry record from
2388 the database. These items are handled all together after all addresses
2389 have been handled (so the database is open just for a short time for
2392 if (result == DEFER || testflag(addr2, af_lt_retry_exists))
2394 int flags = (result == DEFER)? 0 : rf_delete;
2395 uschar *retry_key = string_copy((tp->retry_use_local_part)?
2396 addr2->address_retry_key : addr2->domain_retry_key);
2398 retry_add_item(addr2, retry_key, flags);
2401 /* Done with this address */
2403 if (result == OK) addr2->more_errno = deliver_time;
2404 post_process_one(addr2, result, logflags, DTYPE_TRANSPORT, logchar);
2406 /* If a pipe delivery generated text to be sent back, the result may be
2407 changed to FAIL, and we must copy this for subsequent addresses in the
2410 if (addr2->transport_return != result)
2412 for (addr3 = nextaddr; addr3 != NULL; addr3 = addr3->next)
2414 addr3->transport_return = addr2->transport_return;
2415 addr3->basic_errno = addr2->basic_errno;
2416 addr3->message = addr2->message;
2418 result = addr2->transport_return;
2421 /* Whether or not the result was changed to FAIL, we need to copy the
2422 return_file value from the first address into all the addresses of the
2423 batch, so they are all listed in the error message. */
2425 addr2->return_file = addr->return_file;
2427 /* Change log character for recording successful deliveries. */
2429 if (result == OK) logchar = '-';
2431 } /* Loop back for next batch of addresses */
2437 /*************************************************
2438 * Sort remote deliveries *
2439 *************************************************/
2441 /* This function is called if remote_sort_domains is set. It arranges that the
2442 chain of addresses for remote deliveries is ordered according to the strings
2443 specified. Try to make this shuffling reasonably efficient by handling
2444 sequences of addresses rather than just single ones.
2451 sort_remote_deliveries(void)
2454 address_item **aptr = &addr_remote;
2455 uschar *listptr = remote_sort_domains;
2459 while (*aptr != NULL &&
2460 (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf)))
2463 address_item *moved = NULL;
2464 address_item **bptr = &moved;
2466 while (*aptr != NULL)
2468 address_item **next;
2469 deliver_domain = (*aptr)->domain; /* set $domain */
2470 if (match_isinlist(deliver_domain, &pattern, UCHAR_MAX+1,
2471 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
2473 aptr = &((*aptr)->next);
2477 next = &((*aptr)->next);
2478 while (*next != NULL &&
2479 (deliver_domain = (*next)->domain, /* Set $domain */
2480 match_isinlist(deliver_domain, &pattern, UCHAR_MAX+1,
2481 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) != OK)
2482 next = &((*next)->next);
2484 /* If the batch of non-matchers is at the end, add on any that were
2485 extracted further up the chain, and end this iteration. Otherwise,
2486 extract them from the chain and hang on the moved chain. */
2498 aptr = &((*aptr)->next);
2501 /* If the loop ended because the final address matched, *aptr will
2502 be NULL. Add on to the end any extracted non-matching addresses. If
2503 *aptr is not NULL, the loop ended via "break" when *next is null, that
2504 is, there was a string of non-matching addresses at the end. In this
2505 case the extracted addresses have already been added on the end. */
2507 if (*aptr == NULL) *aptr = moved;
2513 debug_printf("remote addresses after sorting:\n");
2514 for (addr = addr_remote; addr != NULL; addr = addr->next)
2515 debug_printf(" %s\n", addr->address);
2521 /*************************************************
2522 * Read from pipe for remote delivery subprocess *
2523 *************************************************/
2525 /* This function is called when the subprocess is complete, but can also be
2526 called before it is complete, in order to empty a pipe that is full (to prevent
2527 deadlock). It must therefore keep track of its progress in the parlist data
2530 We read the pipe to get the delivery status codes and a possible error message
2531 for each address, optionally preceded by unusability data for the hosts and
2532 also by optional retry data.
2534 Read in large chunks into the big buffer and then scan through, interpreting
2535 the data therein. In most cases, only a single read will be necessary. No
2536 individual item will ever be anywhere near 500 bytes in length, so by ensuring
2537 that we read the next chunk when there is less than 500 bytes left in the
2538 non-final chunk, we can assume each item is complete in store before handling
2539 it. Actually, each item is written using a single write(), which is atomic for
2540 small items (less than PIPE_BUF, which seems to be at least 512 in any Unix) so
2541 even if we are reading while the subprocess is still going, we should never
2542 have only a partial item in the buffer.
2545 poffset the offset of the parlist item
2546 eop TRUE if the process has completed
2548 Returns: TRUE if the terminating 'Z' item has been read,
2549 or there has been a disaster (i.e. no more data needed);
2554 par_read_pipe(int poffset, BOOL eop)
2557 pardata *p = parlist + poffset;
2558 address_item *addrlist = p->addrlist;
2559 address_item *addr = p->addr;
2562 uschar *endptr = big_buffer;
2563 uschar *ptr = endptr;
2564 uschar *msg = p->msg;
2565 BOOL done = p->done;
2566 BOOL unfinished = TRUE;
2568 /* Loop through all items, reading from the pipe when necessary. The pipe
2569 is set up to be non-blocking, but there are two different Unix mechanisms in
2570 use. Exim uses O_NONBLOCK if it is defined. This returns 0 for end of file,
2571 and EAGAIN for no more data. If O_NONBLOCK is not defined, Exim uses O_NDELAY,
2572 which returns 0 for both end of file and no more data. We distinguish the
2573 two cases by taking 0 as end of file only when we know the process has
2576 Each separate item is written to the pipe in a single write(), and as they are
2577 all short items, the writes will all be atomic and we should never find
2578 ourselves in the position of having read an incomplete item. */
2580 DEBUG(D_deliver) debug_printf("reading pipe for subprocess %d (%s)\n",
2581 (int)p->pid, eop? "ended" : "not ended");
2585 retry_item *r, **rp;
2586 int remaining = endptr - ptr;
2588 /* Read (first time) or top up the chars in the buffer if necessary.
2589 There will be only one read if we get all the available data (i.e. don't
2590 fill the buffer completely). */
2592 if (remaining < 500 && unfinished)
2595 int available = big_buffer_size - remaining;
2597 if (remaining > 0) memmove(big_buffer, ptr, remaining);
2600 endptr = big_buffer + remaining;
2601 len = read(fd, endptr, available);
2603 DEBUG(D_deliver) debug_printf("read() yielded %d\n", len);
2605 /* If the result is EAGAIN and the process is not complete, just
2606 stop reading any more and process what we have already. */
2610 if (!eop && errno == EAGAIN) len = 0; else
2612 msg = string_sprintf("failed to read pipe from transport process "
2613 "%d for transport %s: %s", pid, addr->transport->driver_name,
2619 /* If the length is zero (eof or no-more-data), just process what we
2620 already have. Note that if the process is still running and we have
2621 read all the data in the pipe (but less that "available") then we
2622 won't read any more, as "unfinished" will get set FALSE. */
2625 unfinished = len == available;
2628 /* If we are at the end of the available data, exit the loop. */
2630 if (ptr >= endptr) break;
2632 /* Handle each possible type of item, assuming the complete item is
2633 available in store. */
2637 /* Host items exist only if any hosts were marked unusable. Match
2638 up by checking the IP address. */
2641 for (h = addrlist->host_list; h != NULL; h = h->next)
2643 if (h->address == NULL || Ustrcmp(h->address, ptr+2) != 0) continue;
2651 /* Retry items are sent in a preceding R item for each address. This is
2652 kept separate to keep each message short enough to guarantee it won't
2653 be split in the pipe. Hopefully, in the majority of cases, there won't in
2654 fact be any retry items at all.
2656 The complete set of retry items might include an item to delete a
2657 routing retry if there was a previous routing delay. However, routing
2658 retries are also used when a remote transport identifies an address error.
2659 In that case, there may also be an "add" item for the same key. Arrange
2660 that a "delete" item is dropped in favour of an "add" item. */
2663 if (addr == NULL) goto ADDR_MISMATCH;
2665 DEBUG(D_deliver|D_retry)
2666 debug_printf("reading retry information for %s from subprocess\n",
2669 /* Cut out any "delete" items on the list. */
2671 for (rp = &(addr->retries); (r = *rp) != NULL; rp = &(r->next))
2673 if (Ustrcmp(r->key, ptr+1) == 0) /* Found item with same key */
2675 if ((r->flags & rf_delete) == 0) break; /* It was not "delete" */
2676 *rp = r->next; /* Excise a delete item */
2677 DEBUG(D_deliver|D_retry)
2678 debug_printf(" existing delete item dropped\n");
2682 /* We want to add a delete item only if there is no non-delete item;
2683 however we still have to step ptr through the data. */
2685 if (r == NULL || (*ptr & rf_delete) == 0)
2687 r = store_get(sizeof(retry_item));
2688 r->next = addr->retries;
2691 r->key = string_copy(ptr);
2693 memcpy(&(r->basic_errno), ptr, sizeof(r->basic_errno));
2694 ptr += sizeof(r->basic_errno);
2695 memcpy(&(r->more_errno), ptr, sizeof(r->more_errno));
2696 ptr += sizeof(r->more_errno);
2697 r->message = (*ptr)? string_copy(ptr) : NULL;
2698 DEBUG(D_deliver|D_retry)
2699 debug_printf(" added %s item\n",
2700 ((r->flags & rf_delete) == 0)? "retry" : "delete");
2705 DEBUG(D_deliver|D_retry)
2706 debug_printf(" delete item not added: non-delete item exists\n");
2709 ptr += sizeof(r->basic_errno) + sizeof(r->more_errno);
2715 /* Put the amount of data written into the parlist block */
2718 memcpy(&(p->transport_count), ptr, sizeof(transport_count));
2719 ptr += sizeof(transport_count);
2722 /* Address items are in the order of items on the address chain. We
2723 remember the current address value in case this function is called
2724 several times to empty the pipe in stages. Information about delivery
2725 over TLS is sent in a preceding X item for each address. We don't put
2726 it in with the other info, in order to keep each message short enough to
2727 guarantee it won't be split in the pipe. */
2731 if (addr == NULL) goto ADDR_MISMATCH; /* Below, in 'A' handler */
2732 addr->cipher = (*ptr)? string_copy(ptr) : NULL;
2734 addr->peerdn = (*ptr)? string_copy(ptr) : NULL;
2743 msg = string_sprintf("address count mismatch for data read from pipe "
2744 "for transport process %d for transport %s", pid,
2745 addrlist->transport->driver_name);
2750 addr->transport_return = *ptr++;
2751 addr->special_action = *ptr++;
2752 memcpy(&(addr->basic_errno), ptr, sizeof(addr->basic_errno));
2753 ptr += sizeof(addr->basic_errno);
2754 memcpy(&(addr->more_errno), ptr, sizeof(addr->more_errno));
2755 ptr += sizeof(addr->more_errno);
2756 memcpy(&(addr->flags), ptr, sizeof(addr->flags));
2757 ptr += sizeof(addr->flags);
2758 addr->message = (*ptr)? string_copy(ptr) : NULL;
2760 addr->user_message = (*ptr)? string_copy(ptr) : NULL;
2763 /* Always two strings for host information, followed by the port number */
2767 h = store_get(sizeof(host_item));
2768 h->name = string_copy(ptr);
2770 h->address = string_copy(ptr);
2772 memcpy(&(h->port), ptr, sizeof(h->port));
2773 ptr += sizeof(h->port);
2774 addr->host_used = h;
2778 /* Finished with this address */
2783 /* Z marks the logical end of the data. It is followed by '0' if
2784 continue_transport was NULL at the end of transporting, otherwise '1'.
2785 We need to know when it becomes NULL during a delivery down a passed SMTP
2786 channel so that we don't try to pass anything more down it. Of course, for
2787 most normal messages it will remain NULL all the time. */
2792 continue_transport = NULL;
2793 continue_hostname = NULL;
2796 DEBUG(D_deliver) debug_printf("Z%c item read\n", *ptr);
2799 /* Anything else is a disaster. */
2802 msg = string_sprintf("malformed data (%d) read from pipe for transport "
2803 "process %d for transport %s", ptr[-1], pid,
2804 addr->transport->driver_name);
2810 /* The done flag is inspected externally, to determine whether or not to
2811 call the function again when the process finishes. */
2815 /* If the process hadn't finished, and we haven't seen the end of the data
2816 or suffered a disaster, update the rest of the state, and return FALSE to
2817 indicate "not finished". */
2826 /* Close our end of the pipe, to prevent deadlock if the far end is still
2827 pushing stuff into it. */
2832 /* If we have finished without error, but haven't had data for every address,
2833 something is wrong. */
2835 if (msg == NULL && addr != NULL)
2836 msg = string_sprintf("insufficient address data read from pipe "
2837 "for transport process %d for transport %s", pid,
2838 addr->transport->driver_name);
2840 /* If an error message is set, something has gone wrong in getting back
2841 the delivery data. Put the message into each address and freeze it. */
2845 for (addr = addrlist; addr != NULL; addr = addr->next)
2847 addr->transport_return = DEFER;
2848 addr->special_action = SPECIAL_FREEZE;
2849 addr->message = msg;
2853 /* Return TRUE to indicate we have got all we need from this process, even
2854 if it hasn't actually finished yet. */
2861 /*************************************************
2862 * Post-process a set of remote addresses *
2863 *************************************************/
2865 /* Do what has to be done immediately after a remote delivery for each set of
2866 addresses, then re-write the spool if necessary. Note that post_process_one
2867 puts the address on an appropriate queue; hence we must fish off the next
2868 one first. This function is also called if there is a problem with setting
2869 up a subprocess to do a remote delivery in parallel. In this case, the final
2870 argument contains a message, and the action must be forced to DEFER.
2873 addr pointer to chain of address items
2874 logflags flags for logging
2875 msg NULL for normal cases; -> error message for unexpected problems
2876 fallback TRUE if processing fallback hosts
2882 remote_post_process(address_item *addr, int logflags, uschar *msg,
2887 /* If any host addresses were found to be unusable, add them to the unusable
2888 tree so that subsequent deliveries don't try them. */
2890 for (h = addr->host_list; h != NULL; h = h->next)
2892 if (h->address == NULL) continue;
2893 if (h->status >= hstatus_unusable) tree_add_unusable(h);
2896 /* Now handle each address on the chain. The transport has placed '=' or '-'
2897 into the special_action field for each successful delivery. */
2899 while (addr != NULL)
2901 address_item *next = addr->next;
2903 /* If msg == NULL (normal processing) and the result is DEFER and we are
2904 processing the main hosts and there are fallback hosts available, put the
2905 address on the list for fallback delivery. */
2907 if (addr->transport_return == DEFER &&
2908 addr->fallback_hosts != NULL &&
2912 addr->host_list = addr->fallback_hosts;
2913 addr->next = addr_fallback;
2914 addr_fallback = addr;
2915 DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", addr->address);
2918 /* If msg is set (=> unexpected problem), set it in the address before
2919 doing the ordinary post processing. */
2925 addr->message = msg;
2926 addr->transport_return = DEFER;
2928 (void)post_process_one(addr, addr->transport_return, logflags,
2929 DTYPE_TRANSPORT, addr->special_action);
2937 /* If we have just delivered down a passed SMTP channel, and that was
2938 the last address, the channel will have been closed down. Now that
2939 we have logged that delivery, set continue_sequence to 1 so that
2940 any subsequent deliveries don't get "*" incorrectly logged. */
2942 if (continue_transport == NULL) continue_sequence = 1;
2947 /*************************************************
2948 * Wait for one remote delivery subprocess *
2949 *************************************************/
2951 /* This function is called while doing remote deliveries when either the
2952 maximum number of processes exist and we need one to complete so that another
2953 can be created, or when waiting for the last ones to complete. It must wait for
2954 the completion of one subprocess, empty the control block slot, and return a
2955 pointer to the address chain.
2958 Returns: pointer to the chain of addresses handled by the process;
2959 NULL if no subprocess found - this is an unexpected error
2962 static address_item *
2965 int poffset, status;
2966 address_item *addr, *addrlist;
2969 set_process_info("delivering %s: waiting for a remote delivery subprocess "
2970 "to finish", message_id);
2972 /* Loop until either a subprocess completes, or there are no subprocesses in
2973 existence - in which case give an error return. We cannot proceed just by
2974 waiting for a completion, because a subprocess may have filled up its pipe, and
2975 be waiting for it to be emptied. Therefore, if no processes have finished, we
2976 wait for one of the pipes to acquire some data by calling select(), with a
2977 timeout just in case.
2979 The simple approach is just to iterate after reading data from a ready pipe.
2980 This leads to non-ideal behaviour when the subprocess has written its final Z
2981 item, closed the pipe, and is in the process of exiting (the common case). A
2982 call to waitpid() yields nothing completed, but select() shows the pipe ready -
2983 reading it yields EOF, so you end up with busy-waiting until the subprocess has
2986 To avoid this, if all the data that is needed has been read from a subprocess
2987 after select(), an explicit wait() for it is done. We know that all it is doing
2988 is writing to the pipe and then exiting, so the wait should not be long.
2990 The non-blocking waitpid() is to some extent just insurance; if we could
2991 reliably detect end-of-file on the pipe, we could always know when to do a
2992 blocking wait() for a completed process. However, because some systems use
2993 NDELAY, which doesn't distinguish between EOF and pipe empty, it is easier to
2994 use code that functions without the need to recognize EOF.
2996 There's a double loop here just in case we end up with a process that is not in
2997 the list of remote delivery processes. Something has obviously gone wrong if
2998 this is the case. (For example, a process that is incorrectly left over from
2999 routing or local deliveries might be found.) The damage can be minimized by
3000 looping back and looking for another process. If there aren't any, the error
3001 return will happen. */
3003 for (;;) /* Normally we do not repeat this loop */
3005 while ((pid = waitpid(-1, &status, WNOHANG)) <= 0)
3008 fd_set select_pipes;
3009 int maxpipe, readycount;
3011 /* A return value of -1 can mean several things. If errno != ECHILD, it
3012 either means invalid options (which we discount), or that this process was
3013 interrupted by a signal. Just loop to try the waitpid() again.
3015 If errno == ECHILD, waitpid() is telling us that there are no subprocesses
3016 in existence. This should never happen, and is an unexpected error.
3017 However, there is a nasty complication when running under Linux. If "strace
3018 -f" is being used under Linux to trace this process and its children,
3019 subprocesses are "stolen" from their parents and become the children of the
3020 tracing process. A general wait such as the one we've just obeyed returns
3021 as if there are no children while subprocesses are running. Once a
3022 subprocess completes, it is restored to the parent, and waitpid(-1) finds
3023 it. Thanks to Joachim Wieland for finding all this out and suggesting a
3026 This does not happen using "truss" on Solaris, nor (I think) with other
3027 tracing facilities on other OS. It seems to be specific to Linux.
3029 What we do to get round this is to use kill() to see if any of our
3030 subprocesses are still in existence. If kill() gives an OK return, we know
3031 it must be for one of our processes - it can't be for a re-use of the pid,
3032 because if our process had finished, waitpid() would have found it. If any
3033 of our subprocesses are in existence, we proceed to use select() as if
3034 waitpid() had returned zero. I think this is safe. */
3038 if (errno != ECHILD) continue; /* Repeats the waitpid() */
3041 debug_printf("waitpid() returned -1/ECHILD: checking explicitly "
3042 "for process existence\n");
3044 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3046 if ((pid = parlist[poffset].pid) != 0 && kill(pid, 0) == 0)
3048 DEBUG(D_deliver) debug_printf("process %d still exists: assume "
3049 "stolen by strace\n", (int)pid);
3050 break; /* With poffset set */
3054 if (poffset >= remote_max_parallel)
3056 DEBUG(D_deliver) debug_printf("*** no delivery children found\n");
3057 return NULL; /* This is the error return */
3061 /* A pid value greater than 0 breaks the "while" loop. A negative value has
3062 been handled above. A return value of zero means that there is at least one
3063 subprocess, but there are no completed subprocesses. See if any pipes are
3064 ready with any data for reading. */
3066 DEBUG(D_deliver) debug_printf("selecting on subprocess pipes\n");
3069 FD_ZERO(&select_pipes);
3070 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3072 if (parlist[poffset].pid != 0)
3074 int fd = parlist[poffset].fd;
3075 FD_SET(fd, &select_pipes);
3076 if (fd > maxpipe) maxpipe = fd;
3080 /* Stick in a 60-second timeout, just in case. */
3085 readycount = select(maxpipe + 1, (SELECT_ARG2_TYPE *)&select_pipes,
3088 /* Scan through the pipes and read any that are ready; use the count
3089 returned by select() to stop when there are no more. Select() can return
3090 with no processes (e.g. if interrupted). This shouldn't matter.
3092 If par_read_pipe() returns TRUE, it means that either the terminating Z was
3093 read, or there was a disaster. In either case, we are finished with this
3094 process. Do an explicit wait() for the process and break the main loop if
3097 It turns out that we have to deal with the case of an interrupted system
3098 call, which can happen on some operating systems if the signal handling is
3099 set up to do that by default. */
3102 readycount > 0 && poffset < remote_max_parallel;
3105 if ((pid = parlist[poffset].pid) != 0 &&
3106 FD_ISSET(parlist[poffset].fd, &select_pipes))
3109 if (par_read_pipe(poffset, FALSE)) /* Finished with this pipe */
3111 for (;;) /* Loop for signals */
3113 pid_t endedpid = waitpid(pid, &status, 0);
3114 if (endedpid == pid) goto PROCESS_DONE;
3115 if (endedpid != (pid_t)(-1) || errno != EINTR)
3116 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Unexpected error return "
3117 "%d (errno = %d) from waitpid() for process %d",
3118 (int)endedpid, errno, (int)pid);
3124 /* Now go back and look for a completed subprocess again. */
3127 /* A completed process was detected by the non-blocking waitpid(). Find the
3128 data block that corresponds to this subprocess. */
3130 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3131 if (pid == parlist[poffset].pid) break;
3133 /* Found the data block; this is a known remote delivery process. We don't
3134 need to repeat the outer loop. This should be what normally happens. */
3136 if (poffset < remote_max_parallel) break;
3138 /* This situation is an error, but it's probably better to carry on looking
3139 for another process than to give up (as we used to do). */
3141 log_write(0, LOG_MAIN|LOG_PANIC, "Process %d finished: not found in remote "
3142 "transport process list", pid);
3143 } /* End of the "for" loop */
3145 /* Come here when all the data was completely read after a select(), and
3146 the process in pid has been wait()ed for. */
3153 debug_printf("remote delivery process %d ended\n", (int)pid);
3155 debug_printf("remote delivery process %d ended: status=%04x\n", (int)pid,
3159 set_process_info("delivering %s", message_id);
3161 /* Get the chain of processed addresses */
3163 addrlist = parlist[poffset].addrlist;
3165 /* If the process did not finish cleanly, record an error and freeze (except
3166 for SIGTERM, SIGKILL and SIGQUIT), and also ensure the journal is not removed,
3167 in case the delivery did actually happen. */
3169 if ((status & 0xffff) != 0)
3172 int msb = (status >> 8) & 255;
3173 int lsb = status & 255;
3174 int code = (msb == 0)? (lsb & 0x7f) : msb;
3176 msg = string_sprintf("%s transport process returned non-zero status 0x%04x: "
3178 addrlist->transport->driver_name,
3180 (msb == 0)? "terminated by signal" : "exit code",
3183 if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
3184 addrlist->special_action = SPECIAL_FREEZE;
3186 for (addr = addrlist; addr != NULL; addr = addr->next)
3188 addr->transport_return = DEFER;
3189 addr->message = msg;
3192 remove_journal = FALSE;
3195 /* Else complete reading the pipe to get the result of the delivery, if all
3196 the data has not yet been obtained. */
3198 else if (!parlist[poffset].done) (void)par_read_pipe(poffset, TRUE);
3200 /* Put the data count and return path into globals, mark the data slot unused,
3201 decrement the count of subprocesses, and return the address chain. */
3203 transport_count = parlist[poffset].transport_count;
3204 used_return_path = parlist[poffset].return_path;
3205 parlist[poffset].pid = 0;
3212 /*************************************************
3213 * Wait for subprocesses and post-process *
3214 *************************************************/
3216 /* This function waits for subprocesses until the number that are still running
3217 is below a given threshold. For each complete subprocess, the addresses are
3218 post-processed. If we can't find a running process, there is some shambles.
3219 Better not bomb out, as that might lead to multiple copies of the message. Just
3220 log and proceed as if all done.
3223 max maximum number of subprocesses to leave running
3224 fallback TRUE if processing fallback hosts
3230 par_reduce(int max, BOOL fallback)
3232 while (parcount > max)
3234 address_item *doneaddr = par_wait();
3235 if (doneaddr == NULL)
3237 log_write(0, LOG_MAIN|LOG_PANIC,
3238 "remote delivery process count got out of step");
3241 else remote_post_process(doneaddr, LOG_MAIN, NULL, fallback);
3248 /*************************************************
3249 * Do remote deliveries *
3250 *************************************************/
3252 /* This function is called to process the addresses in addr_remote. We must
3253 pick off the queue all addresses that have the same transport, remote
3254 destination, and errors address, and hand them to the transport in one go,
3255 subject to some configured limitations. If this is a run to continue delivering
3256 to an existing delivery channel, skip all but those addresses that can go to
3257 that channel. The skipped addresses just get deferred.
3259 If mua_wrapper is set, all addresses must be able to be sent in a single
3260 transaction. If not, this function yields FALSE.
3262 In Exim 4, remote deliveries are always done in separate processes, even
3263 if remote_max_parallel = 1 or if there's only one delivery to do. The reason
3264 is so that the base process can retain privilege. This makes the
3265 implementation of fallback transports feasible (though not initially done.)
3267 We create up to the configured number of subprocesses, each of which passes
3268 back the delivery state via a pipe. (However, when sending down an existing
3269 connection, remote_max_parallel is forced to 1.)
3272 fallback TRUE if processing fallback hosts
3274 Returns: TRUE normally
3275 FALSE if mua_wrapper is set and the addresses cannot all be sent
3280 do_remote_deliveries(BOOL fallback)
3286 parcount = 0; /* Number of executing subprocesses */
3288 /* When sending down an existing channel, only do one delivery at a time.
3289 We use a local variable (parmax) to hold the maximum number of processes;
3290 this gets reduced from remote_max_parallel if we can't create enough pipes. */
3292 if (continue_transport != NULL) remote_max_parallel = 1;
3293 parmax = remote_max_parallel;
3295 /* If the data for keeping a list of processes hasn't yet been
3298 if (parlist == NULL)
3300 parlist = store_get(remote_max_parallel * sizeof(pardata));
3301 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3302 parlist[poffset].pid = 0;
3305 /* Now loop for each remote delivery */
3307 for (delivery_count = 0; addr_remote != NULL; delivery_count++)
3313 int address_count = 1;
3314 int address_count_max;
3316 BOOL use_initgroups;
3317 BOOL pipe_done = FALSE;
3318 transport_instance *tp;
3319 address_item **anchor = &addr_remote;
3320 address_item *addr = addr_remote;
3321 address_item *last = addr;
3324 /* Pull the first address right off the list. */
3326 addr_remote = addr->next;
3329 DEBUG(D_deliver|D_transport)
3330 debug_printf("--------> %s <--------\n", addr->address);
3332 /* If no transport has been set, there has been a big screw-up somewhere. */
3334 if ((tp = addr->transport) == NULL)
3336 disable_logging = FALSE; /* Jic */
3337 remote_post_process(addr, LOG_MAIN|LOG_PANIC,
3338 US"No transport set by router", fallback);
3342 /* Check that this base address hasn't previously been delivered to this
3343 transport. The check is necessary at this point to handle homonymic addresses
3344 correctly in cases where the pattern of redirection changes between delivery
3345 attempts. Non-homonymic previous delivery is detected earlier, at routing
3348 if (previously_transported(addr)) continue;
3350 /* Force failure if the message is too big. */
3352 if (tp->message_size_limit != NULL)
3354 int rc = check_message_size(tp, addr);
3357 addr->transport_return = rc;
3358 remote_post_process(addr, LOG_MAIN, NULL, fallback);
3363 /* Get the flag which specifies whether the transport can handle different
3364 domains that nevertheless resolve to the same set of hosts. */
3366 multi_domain = tp->multi_domain;
3368 /* Get the maximum it can handle in one envelope, with zero meaning
3369 unlimited, which is forced for the MUA wrapper case. */
3371 address_count_max = tp->max_addresses;
3372 if (address_count_max == 0 || mua_wrapper) address_count_max = 999999;
3375 /************************************************************************/
3376 /***** This is slightly experimental code, but should be safe. *****/
3378 /* The address_count_max value is the maximum number of addresses that the
3379 transport can send in one envelope. However, the transport must be capable of
3380 dealing with any number of addresses. If the number it gets exceeds its
3381 envelope limitation, it must send multiple copies of the message. This can be
3382 done over a single connection for SMTP, so uses less resources than making
3383 multiple connections. On the other hand, if remote_max_parallel is greater
3384 than one, it is perhaps a good idea to use parallel processing to move the
3385 message faster, even if that results in multiple simultaneous connections to
3388 How can we come to some compromise between these two ideals? What we do is to
3389 limit the number of addresses passed to a single instance of a transport to
3390 the greater of (a) its address limit (rcpt_max for SMTP) and (b) the total
3391 number of addresses routed to remote transports divided by
3392 remote_max_parallel. For example, if the message has 100 remote recipients,
3393 remote max parallel is 2, and rcpt_max is 10, we'd never send more than 50 at
3394 once. But if rcpt_max is 100, we could send up to 100.
3396 Of course, not all the remotely addresses in a message are going to go to the
3397 same set of hosts (except in smarthost configurations), so this is just a
3398 heuristic way of dividing up the work.
3400 Furthermore (1), because this may not be wanted in some cases, and also to
3401 cope with really pathological cases, there is also a limit to the number of
3402 messages that are sent over one connection. This is the same limit that is
3403 used when sending several different messages over the same connection.
3404 Continue_sequence is set when in this situation, to the number sent so
3405 far, including this message.
3407 Furthermore (2), when somebody explicitly sets the maximum value to 1, it
3408 is probably because they are using VERP, in which case they want to pass only
3409 one address at a time to the transport, in order to be able to use
3410 $local_part and $domain in constructing a new return path. We could test for
3411 the use of these variables, but as it is so likely they will be used when the
3412 maximum is 1, we don't bother. Just leave the value alone. */
3414 if (address_count_max != 1 &&
3415 address_count_max < remote_delivery_count/remote_max_parallel)
3417 int new_max = remote_delivery_count/remote_max_parallel;
3418 int message_max = tp->connection_max_messages;
3419 if (connection_max_messages >= 0) message_max = connection_max_messages;
3420 message_max -= continue_sequence - 1;
3421 if (message_max > 0 && new_max > address_count_max * message_max)
3422 new_max = address_count_max * message_max;
3423 address_count_max = new_max;
3426 /************************************************************************/
3429 /* Pick off all addresses which have the same transport, errors address,
3430 destination, and extra headers. In some cases they point to the same host
3431 list, but we also need to check for identical host lists generated from
3432 entirely different domains. The host list pointers can be NULL in the case
3433 where the hosts are defined in the transport. There is also a configured
3434 maximum limit of addresses that can be handled at once (see comments above
3435 for how it is computed). */
3437 while ((next = *anchor) != NULL && address_count < address_count_max)
3439 if ((multi_domain || Ustrcmp(next->domain, addr->domain) == 0)
3441 tp == next->transport
3443 same_hosts(next->host_list, addr->host_list)
3445 same_strings(next->p.errors_address, addr->p.errors_address)
3447 same_headers(next->p.extra_headers, addr->p.extra_headers)
3449 same_ugid(tp, next, addr)
3451 (next->p.remove_headers == addr->p.remove_headers ||
3452 (next->p.remove_headers != NULL &&
3453 addr->p.remove_headers != NULL &&
3454 Ustrcmp(next->p.remove_headers, addr->p.remove_headers) == 0)))
3456 *anchor = next->next;
3458 next->first = addr; /* remember top one (for retry processing) */
3463 else anchor = &(next->next);
3466 /* If we are acting as an MUA wrapper, all addresses must go in a single
3467 transaction. If not, put them back on the chain and yield FALSE. */
3469 if (mua_wrapper && addr_remote != NULL)
3471 last->next = addr_remote;
3476 /* Set up the expansion variables for this set of addresses */
3478 deliver_set_expansions(addr);
3480 /* Compute the return path, expanding a new one if required. The old one
3481 must be set first, as it might be referred to in the expansion. */
3483 return_path = (addr->p.errors_address != NULL)?
3484 addr->p.errors_address : sender_address;
3486 if (tp->return_path != NULL)
3488 uschar *new_return_path = expand_string(tp->return_path);
3489 if (new_return_path == NULL)
3491 if (!expand_string_forcedfail)
3493 remote_post_process(addr, LOG_MAIN|LOG_PANIC,
3494 string_sprintf("Failed to expand return path \"%s\": %s",
3495 tp->return_path, expand_string_message), fallback);
3499 else return_path = new_return_path;
3502 /* If this transport has a setup function, call it now so that it gets
3503 run in this process and not in any subprocess. That way, the results of
3504 any setup that are retained by the transport can be reusable. */
3506 if (tp->setup != NULL)
3507 (void)((tp->setup)(addr->transport, addr, NULL, NULL));
3509 /* If this is a run to continue delivery down an already-established
3510 channel, check that this set of addresses matches the transport and
3511 the channel. If it does not, defer the addresses. If a host list exists,
3512 we must check that the continue host is on the list. Otherwise, the
3513 host is set in the transport. */
3515 continue_more = FALSE; /* In case got set for the last lot */
3516 if (continue_transport != NULL)
3518 BOOL ok = Ustrcmp(continue_transport, tp->name) == 0;
3519 if (ok && addr->host_list != NULL)
3523 for (h = addr->host_list; h != NULL; h = h->next)
3525 if (Ustrcmp(h->name, continue_hostname) == 0)
3526 { ok = TRUE; break; }
3530 /* Addresses not suitable; defer or queue for fallback hosts (which
3531 might be the continue host) and skip to next address. */
3535 DEBUG(D_deliver) debug_printf("not suitable for continue_transport\n");
3538 if (addr->fallback_hosts != NULL && !fallback)
3542 next->host_list = next->fallback_hosts;
3543 DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", next->address);
3544 if (next->next == NULL) break;
3547 next->next = addr_fallback;
3548 addr_fallback = addr;
3553 while (next->next != NULL) next = next->next;
3554 next->next = addr_defer;
3561 /* Set a flag indicating whether there are further addresses that list
3562 the continued host. This tells the transport to leave the channel open,
3563 but not to pass it to another delivery process. */
3565 for (next = addr_remote; next != NULL; next = next->next)
3568 for (h = next->host_list; h != NULL; h = h->next)
3570 if (Ustrcmp(h->name, continue_hostname) == 0)
3571 { continue_more = TRUE; break; }
3576 /* The transports set up the process info themselves as they may connect
3577 to more than one remote machine. They also have to set up the filter
3578 arguments, if required, so that the host name and address are available
3581 transport_filter_argv = NULL;
3583 /* Find the uid, gid, and use_initgroups setting for this transport. Failure
3584 logs and sets up error messages, so we just post-process and continue with
3585 the next address. */
3587 if (!findugid(addr, tp, &uid, &gid, &use_initgroups))
3589 remote_post_process(addr, LOG_MAIN|LOG_PANIC, NULL, fallback);
3593 /* Create the pipe for inter-process communication. If pipe creation
3594 fails, it is probably because the value of remote_max_parallel is so
3595 large that too many file descriptors for pipes have been created. Arrange
3596 to wait for a process to finish, and then try again. If we still can't
3597 create a pipe when all processes have finished, break the retry loop. */
3601 if (pipe(pfd) == 0) pipe_done = TRUE;
3602 else if (parcount > 0) parmax = parcount;
3605 /* We need to make the reading end of the pipe non-blocking. There are
3606 two different options for this. Exim is cunningly (I hope!) coded so
3607 that it can use either of them, though it prefers O_NONBLOCK, which
3608 distinguishes between EOF and no-more-data. */
3611 fcntl(pfd[pipe_read], F_SETFL, O_NONBLOCK);
3613 fcntl(pfd[pipe_read], F_SETFL, O_NDELAY);
3616 /* If the maximum number of subprocesses already exist, wait for a process
3617 to finish. If we ran out of file descriptors, parmax will have been reduced
3618 from its initial value of remote_max_parallel. */
3620 par_reduce(parmax - 1, fallback);
3623 /* If we failed to create a pipe and there were no processes to wait
3624 for, we have to give up on this one. Do this outside the above loop
3625 so that we can continue the main loop. */
3629 remote_post_process(addr, LOG_MAIN|LOG_PANIC,
3630 string_sprintf("unable to create pipe: %s", strerror(errno)), fallback);
3634 /* Find a free slot in the pardata list. Must do this after the possible
3635 waiting for processes to finish, because a terminating process will free
3638 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3639 if (parlist[poffset].pid == 0) break;
3641 /* If there isn't one, there has been a horrible disaster. */
3643 if (poffset >= remote_max_parallel)
3645 close(pfd[pipe_write]);
3646 close(pfd[pipe_read]);
3647 remote_post_process(addr, LOG_MAIN|LOG_PANIC,
3648 US"Unexpectedly no free subprocess slot", fallback);
3652 /* Now fork a subprocess to do the remote delivery, but before doing so,
3653 ensure that any cached resourses are released so as not to interfere with
3654 what happens in the subprocess. */
3658 if ((pid = fork()) == 0)
3660 int fd = pfd[pipe_write];
3663 /* There are weird circumstances in which logging is disabled */
3665 disable_logging = tp->disable_logging;
3667 /* Show pids on debug output if parallelism possible */
3669 if (parmax > 1 && (parcount > 0 || addr_remote != NULL))
3671 DEBUG(D_any|D_v) debug_selector |= D_pid;
3672 DEBUG(D_deliver) debug_printf("Remote delivery process started\n");
3675 /* Reset the random number generator, so different processes don't all
3676 have the same sequence. In the test harness we want different, but
3677 predictable settings for each delivery process, so do something explicit
3678 here rather they rely on the fixed reset in the random number function. */
3680 random_seed = running_in_test_harness? 42 + 2*delivery_count : 0;
3682 /* Set close-on-exec on the pipe so that it doesn't get passed on to
3683 a new process that may be forked to do another delivery down the same
3686 fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
3688 /* Close open file descriptors for the pipes of other processes
3689 that are running in parallel. */
3691 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3692 if (parlist[poffset].pid != 0) close(parlist[poffset].fd);
3694 /* This process has inherited a copy of the file descriptor
3695 for the data file, but its file pointer is shared with all the
3696 other processes running in parallel. Therefore, we have to re-open
3697 the file in order to get a new file descriptor with its own
3698 file pointer. We don't need to lock it, as the lock is held by
3699 the parent process. There doesn't seem to be any way of doing
3700 a dup-with-new-file-pointer. */
3702 close(deliver_datafile);
3703 sprintf(CS spoolname, "%s/input/%s/%s-D", spool_directory, message_subdir,
3705 deliver_datafile = Uopen(spoolname, O_RDWR | O_APPEND, 0);
3707 if (deliver_datafile < 0)
3708 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to reopen %s for remote "
3709 "parallel delivery: %s", spoolname, strerror(errno));
3711 /* Set the close-on-exec flag */
3713 fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) |
3716 /* Set the uid/gid of this process; bombs out on failure. */
3718 exim_setugid(uid, gid, use_initgroups,
3719 string_sprintf("remote delivery to %s with transport=%s",
3720 addr->address, tp->name));
3722 /* Close the unwanted half of this process' pipe, set the process state,
3723 and run the transport. Afterwards, transport_count will contain the number
3724 of bytes written. */
3726 close(pfd[pipe_read]);
3727 set_process_info("delivering %s using %s", message_id, tp->name);
3728 debug_print_string(tp->debug_string);
3729 if (!(tp->info->code)(addr->transport, addr)) replicate_status(addr);
3731 set_process_info("delivering %s (just run %s for %s%s in subprocess)",
3732 message_id, tp->name, addr->address, (addr->next == NULL)? "" : ", ...");
3734 /* Ensure any cached resources that we used are now released */
3738 /* Pass the result back down the pipe. This is a lot more information
3739 than is needed for a local delivery. We have to send back the error
3740 status for each address, the usability status for each host that is
3741 flagged as unusable, and all the retry items. When TLS is in use, we
3742 send also the cipher and peerdn information. Each type of information
3743 is flagged by an identifying byte, and is then in a fixed format (with
3744 strings terminated by zeros), and there is a final terminator at the
3745 end. The host information and retry information is all attached to
3746 the first address, so that gets sent at the start. */
3748 /* Host unusability information: for most success cases this will
3751 for (h = addr->host_list; h != NULL; h = h->next)
3753 if (h->address == NULL || h->status < hstatus_unusable) continue;
3754 sprintf(CS big_buffer, "H%c%c%s", h->status, h->why, h->address);
3755 write(fd, big_buffer, Ustrlen(big_buffer+3) + 4);
3758 /* The number of bytes written. This is the same for each address. Even
3759 if we sent several copies of the message down the same connection, the
3760 size of each one is the same, and it's that value we have got because
3761 transport_count gets reset before calling transport_write_message(). */
3763 big_buffer[0] = 'S';
3764 memcpy(big_buffer+1, &transport_count, sizeof(transport_count));
3765 write(fd, big_buffer, sizeof(transport_count) + 1);
3767 /* Information about what happened to each address. Three item types are
3768 used: an optional 'X' item first, for TLS information, followed by 'R'
3769 items for any retry settings, and finally an 'A' item for the remaining
3772 for(; addr != NULL; addr = addr->next)
3777 /* The certificate verification status goes into the flags */
3779 if (tls_certificate_verified) setflag(addr, af_cert_verified);
3781 /* Use an X item only if there's something to send */
3784 if (addr->cipher != NULL)
3788 sprintf(CS ptr, "%.128s", addr->cipher);
3790 if (addr->peerdn == NULL) *ptr++ = 0; else
3792 sprintf(CS ptr, "%.512s", addr->peerdn);
3795 write(fd, big_buffer, ptr - big_buffer);
3799 /* Retry information: for most success cases this will be null. */
3801 for (r = addr->retries; r != NULL; r = r->next)
3804 sprintf(CS big_buffer, "R%c%.500s", r->flags, r->key);
3805 ptr = big_buffer + Ustrlen(big_buffer+2) + 3;
3806 memcpy(ptr, &(r->basic_errno), sizeof(r->basic_errno));
3807 ptr += sizeof(r->basic_errno);
3808 memcpy(ptr, &(r->more_errno), sizeof(r->more_errno));
3809 ptr += sizeof(r->more_errno);
3810 if (r->message == NULL) *ptr++ = 0; else
3812 sprintf(CS ptr, "%.512s", r->message);
3815 write(fd, big_buffer, ptr - big_buffer);
3818 /* The rest of the information goes in an 'A' item. */
3820 ptr = big_buffer + 3;
3821 sprintf(CS big_buffer, "A%c%c", addr->transport_return,
3822 addr->special_action);
3823 memcpy(ptr, &(addr->basic_errno), sizeof(addr->basic_errno));
3824 ptr += sizeof(addr->basic_errno);
3825 memcpy(ptr, &(addr->more_errno), sizeof(addr->more_errno));
3826 ptr += sizeof(addr->more_errno);
3827 memcpy(ptr, &(addr->flags), sizeof(addr->flags));
3828 ptr += sizeof(addr->flags);
3830 if (addr->message == NULL) *ptr++ = 0; else
3832 sprintf(CS ptr, "%.1024s", addr->message);
3836 if (addr->user_message == NULL) *ptr++ = 0; else
3838 sprintf(CS ptr, "%.1024s", addr->user_message);
3842 if (addr->host_used == NULL) *ptr++ = 0; else
3844 sprintf(CS ptr, "%.256s", addr->host_used->name);
3846 sprintf(CS ptr, "%.64s", addr->host_used->address);
3848 memcpy(ptr, &(addr->host_used->port), sizeof(addr->host_used->port));
3849 ptr += sizeof(addr->host_used->port);
3851 write(fd, big_buffer, ptr - big_buffer);
3854 /* Add termination flag, close the pipe, and that's it. The character
3855 after 'Z' indicates whether continue_transport is now NULL or not.
3856 A change from non-NULL to NULL indicates a problem with a continuing
3859 big_buffer[0] = 'Z';
3860 big_buffer[1] = (continue_transport == NULL)? '0' : '1';
3861 write(fd, big_buffer, 2);
3866 /* Back in the mainline: close the unwanted half of the pipe. */
3868 close(pfd[pipe_write]);
3870 /* Fork failed; defer with error message */
3874 close(pfd[pipe_read]);
3875 remote_post_process(addr, LOG_MAIN|LOG_PANIC,
3876 string_sprintf("fork failed for remote delivery to %s: %s",
3877 addr->domain, strerror(errno)), fallback);
3881 /* Fork succeeded; increment the count, and remember relevant data for
3882 when the process finishes. */
3885 parlist[poffset].addrlist = parlist[poffset].addr = addr;
3886 parlist[poffset].pid = pid;
3887 parlist[poffset].fd = pfd[pipe_read];
3888 parlist[poffset].done = FALSE;
3889 parlist[poffset].msg = NULL;
3890 parlist[poffset].return_path = return_path;
3892 /* If the process we've just started is sending a message down an existing
3893 channel, wait for it now. This ensures that only one such process runs at
3894 once, whatever the value of remote_max parallel. Otherwise, we might try to
3895 send two or more messages simultaneously down the same channel. This could
3896 happen if there are different domains that include the same host in otherwise
3897 different host lists.
3899 Also, if the transport closes down the channel, this information gets back
3900 (continue_transport gets set to NULL) before we consider any other addresses
3903 if (continue_transport != NULL) par_reduce(0, fallback);
3905 /* Otherwise, if we are running in the test harness, wait a bit, to let the
3906 newly created process get going before we create another process. This should
3907 ensure repeatability in the tests. We only need to wait a tad. */
3909 else if (running_in_test_harness) millisleep(500);
3912 /* Reached the end of the list of addresses. Wait for all the subprocesses that
3913 are still running and post-process their addresses. */
3915 par_reduce(0, fallback);
3922 /*************************************************
3923 * Split an address into local part and domain *
3924 *************************************************/
3926 /* This function initializes an address for routing by splitting it up into a
3927 local part and a domain. The local part is set up twice - once in its original
3928 casing, and once in lower case, and it is dequoted. We also do the "percent
3929 hack" for configured domains. This may lead to a DEFER result if a lookup
3930 defers. When a percent-hacking takes place, we insert a copy of the original
3931 address as a new parent of this address, as if we have had a redirection.
3934 addr points to an addr_item block containing the address
3937 DEFER - could not determine if domain is %-hackable
3941 deliver_split_address(address_item *addr)
3943 uschar *address = addr->address;
3944 uschar *domain = Ustrrchr(address, '@');
3946 int len = domain - address;
3948 addr->domain = string_copylc(domain+1); /* Domains are always caseless */
3950 /* The implication in the RFCs (though I can't say I've seen it spelled out
3951 explicitly) is that quoting should be removed from local parts at the point
3952 where they are locally interpreted. [The new draft "821" is more explicit on
3953 this, Jan 1999.] We know the syntax is valid, so this can be done by simply
3954 removing quoting backslashes and any unquoted doublequotes. */
3956 t = addr->cc_local_part = store_get(len+1);
3959 register int c = *address++;
3960 if (c == '\"') continue;
3970 /* We do the percent hack only for those domains that are listed in
3971 percent_hack_domains. A loop is required, to copy with multiple %-hacks. */
3973 if (percent_hack_domains != NULL)
3976 uschar *new_address = NULL;
3977 uschar *local_part = addr->cc_local_part;
3979 deliver_domain = addr->domain; /* set $domain */
3981 while ((rc = match_isinlist(deliver_domain, &percent_hack_domains, 0,
3982 &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
3984 (t = Ustrrchr(local_part, '%')) != NULL)
3986 new_address = string_copy(local_part);
3987 new_address[t - local_part] = '@';
3988 deliver_domain = string_copylc(t+1);
3989 local_part = string_copyn(local_part, t - local_part);
3992 if (rc == DEFER) return DEFER; /* lookup deferred */
3994 /* If hackery happened, set up new parent and alter the current address. */
3996 if (new_address != NULL)
3998 address_item *new_parent = store_get(sizeof(address_item));
3999 *new_parent = *addr;
4000 addr->parent = new_parent;
4001 addr->address = new_address;
4002 addr->unique = string_copy(new_address);
4003 addr->domain = deliver_domain;
4004 addr->cc_local_part = local_part;
4005 DEBUG(D_deliver) debug_printf("%%-hack changed address to: %s\n",
4010 /* Create the lowercased version of the final local part, and make that the
4011 default one to be used. */
4013 addr->local_part = addr->lc_local_part = string_copylc(addr->cc_local_part);
4020 /*************************************************
4021 * Get next error message text *
4022 *************************************************/
4024 /* If f is not NULL, read the next "paragraph", from a customized error message
4025 text file, terminated by a line containing ****, and expand it.
4028 f NULL or a file to read from
4029 which string indicating which string (for errors)
4031 Returns: NULL or an expanded string
4035 next_emf(FILE *f, uschar *which)
4039 uschar *para, *yield;
4042 if (f == NULL) return NULL;
4044 if (Ufgets(buffer, sizeof(buffer), f) == NULL ||
4045 Ustrcmp(buffer, "****\n") == 0) return NULL;
4047 para = store_get(size);
4050 para = string_cat(para, &size, &ptr, buffer, Ustrlen(buffer));
4051 if (Ufgets(buffer, sizeof(buffer), f) == NULL ||
4052 Ustrcmp(buffer, "****\n") == 0) break;
4056 yield = expand_string(para);
4057 if (yield != NULL) return yield;
4059 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand string from "
4060 "bounce_message_file or warn_message_file (%s): %s", which,
4061 expand_string_message);
4068 /*************************************************
4069 * Close down a passed transport channel *
4070 *************************************************/
4072 /* This function is called when a passed transport channel cannot be used.
4073 It attempts to close it down tidily. The yield is always DELIVER_NOT_ATTEMPTED
4074 so that the function call can be the argument of a "return" statement.
4077 Returns: DELIVER_NOT_ATTEMPTED
4081 continue_closedown(void)
4083 if (continue_transport != NULL)
4085 transport_instance *t;
4086 for (t = transports; t != NULL; t = t->next)
4088 if (Ustrcmp(t->name, continue_transport) == 0)
4090 if (t->info->closedown != NULL) (t->info->closedown)(t);
4095 return DELIVER_NOT_ATTEMPTED;
4101 /*************************************************
4102 * Print address information *
4103 *************************************************/
4105 /* This function is called to output an address, or information about an
4106 address, for bounce or defer messages. If the hide_child flag is set, all we
4107 output is the original ancestor address.
4110 addr points to the address
4111 f the FILE to print to
4112 si an initial string
4113 sc a continuation string for before "generated"
4116 Returns: TRUE if the address is not hidden
4120 print_address_information(address_item *addr, FILE *f, uschar *si, uschar *sc,
4124 uschar *printed = US"";
4125 address_item *ancestor = addr;
4126 while (ancestor->parent != NULL) ancestor = ancestor->parent;
4128 fprintf(f, "%s", CS si);
4130 if (addr->parent != NULL && testflag(addr, af_hide_child))
4132 printed = US"an undisclosed address";
4136 else if (!testflag(addr, af_pfr) || addr->parent == NULL)
4137 printed = addr->address;
4141 uschar *s = addr->address;
4144 if (addr->address[0] == '>') { ss = US"mail"; s++; }
4145 else if (addr->address[0] == '|') ss = US"pipe";
4148 fprintf(f, "%s to %s%sgenerated by ", ss, s, sc);
4149 printed = addr->parent->address;
4152 fprintf(f, "%s", CS string_printing(printed));
4154 if (ancestor != addr)
4156 uschar *original = (ancestor->onetime_parent == NULL)?
4157 ancestor->address : ancestor->onetime_parent;
4158 if (strcmpic(original, printed) != 0)
4159 fprintf(f, "%s(%sgenerated from %s)", sc,
4160 (ancestor != addr->parent)? "ultimately " : "",
4161 string_printing(original));
4164 fprintf(f, "%s", CS se);
4173 /*************************************************
4174 * Print error for an address *
4175 *************************************************/
4177 /* This function is called to print the error information out of an address for
4178 a bounce or a warning message. It tries to format the message reasonably by
4179 introducing newlines. All lines are indented by 4; the initial printing
4180 position must be set before calling.
4183 addr points to the address
4184 f the FILE to print on
4190 print_address_error(address_item *addr, FILE *f)
4192 uschar *s = (addr->user_message != NULL)? addr->user_message : addr->message;
4193 if (addr->basic_errno > 0)
4195 fprintf(f, "%s%s", strerror(addr->basic_errno),
4196 (s == NULL)? "" : ":\n ");
4200 if (addr->basic_errno <= 0) fprintf(f, "unknown error");
4207 if (*s == '\\' && s[1] == 'n')
4217 if (*s++ == ':' && isspace(*s) && count > 45)
4219 fprintf(f, "\n "); /* sic (because space follows) */
4230 /*************************************************
4231 * Deliver one message *
4232 *************************************************/
4234 /* This is the function which is called when a message is to be delivered. It
4235 is passed the id of the message. It is possible that the message no longer
4236 exists, if some other process has delivered it, and it is also possible that
4237 the message is being worked on by another process, in which case the data file
4240 If no delivery is attempted for any of the above reasons, the function returns
4241 DELIVER_NOT_ATTEMPTED.
4243 If the give_up flag is set true, do not attempt any deliveries, but instead
4244 fail all outstanding addresses and return the message to the sender (or
4247 A delivery operation has a process all to itself; we never deliver more than
4248 one message in the same process. Therefore we needn't worry too much about
4252 id the id of the message to be delivered
4253 forced TRUE if delivery was forced by an administrator; this overrides
4254 retry delays and causes a delivery to be tried regardless
4255 give_up TRUE if an administrator has requested that delivery attempts
4258 Returns: When the global variable mua_wrapper is FALSE:
4259 DELIVER_ATTEMPTED_NORMAL if a delivery attempt was made
4260 DELIVER_NOT_ATTEMPTED otherwise (see comment above)
4261 When the global variable mua_wrapper is TRUE:
4262 DELIVER_MUA_SUCCEEDED if delivery succeeded
4263 DELIVER_MUA_FAILED if delivery failed
4264 DELIVER_NOT_ATTEMPTED if not attempted (should not occur)
4268 deliver_message(uschar *id, BOOL forced, BOOL give_up)
4271 int final_yield = DELIVER_ATTEMPTED_NORMAL;
4272 time_t now = time(NULL);
4273 address_item *addr_last = NULL;
4274 uschar *filter_message = NULL;
4276 int process_recipients = RECIP_ACCEPT;
4280 uschar *info = (queue_run_pid == (pid_t)0)?
4281 string_sprintf("delivering %s", id) :
4282 string_sprintf("delivering %s (queue run pid %d)", id, queue_run_pid);
4284 /* If the D_process_info bit is on, set_process_info() will output debugging
4285 information. If not, we want to show this initial information if D_deliver or
4286 D_queue_run is set or in verbose mode. */
4288 set_process_info("%s", info);
4290 if ((debug_selector & D_process_info) == 0 &&
4291 (debug_selector & (D_deliver|D_queue_run|D_v)) != 0)
4292 debug_printf("%s\n", info);
4294 /* Ensure that we catch any subprocesses that are created. Although Exim
4295 sets SIG_DFL as its initial default, some routes through the code end up
4296 here with it set to SIG_IGN - cases where a non-synchronous delivery process
4297 has been forked, but no re-exec has been done. We use sigaction rather than
4298 plain signal() on those OS where SA_NOCLDWAIT exists, because we want to be
4299 sure it is turned off. (There was a problem on AIX with this.) */
4303 struct sigaction act;
4304 act.sa_handler = SIG_DFL;
4305 sigemptyset(&(act.sa_mask));
4307 sigaction(SIGCHLD, &act, NULL);
4310 signal(SIGCHLD, SIG_DFL);
4313 /* Make the forcing flag available for routers and transports, set up the
4314 global message id field, and initialize the count for returned files and the
4315 message size. This use of strcpy() is OK because the length id is checked when
4316 it is obtained from a command line (the -M or -q options), and otherwise it is
4317 known to be a valid message id. */
4319 Ustrcpy(message_id, id);
4320 deliver_force = forced;
4324 /* Initialize some flags */
4326 update_spool = FALSE;
4327 remove_journal = TRUE;
4329 /* Reset the random number generator, so that if several delivery processes are
4330 started from a queue runner that has already used random numbers (for sorting),
4331 they don't all get the same sequence. */
4335 /* Open and lock the message's data file. Exim locks on this one because the
4336 header file may get replaced as it is re-written during the delivery process.
4337 Any failures cause messages to be written to the log, except for missing files
4338 while queue running - another process probably completed delivery. As part of
4339 opening the data file, message_subdir gets set. */
4341 if (!spool_open_datafile(id))
4342 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4344 /* The value of message_size at this point has been set to the data length,
4345 plus one for the blank line that notionally precedes the data. */
4347 /* Now read the contents of the header file, which will set up the headers in
4348 store, and also the list of recipients and the tree of non-recipients and
4349 assorted flags. It updates message_size. If there is a reading or format error,
4350 give up; if the message has been around for sufficiently long, remove it. */
4352 sprintf(CS spoolname, "%s-H", id);
4353 if ((rc = spool_read_header(spoolname, TRUE, TRUE)) != spool_read_OK)
4355 if (errno == ERRNO_SPOOLFORMAT)
4357 struct stat statbuf;
4358 sprintf(CS big_buffer, "%s/input/%s/%s", spool_directory, message_subdir,
4360 if (Ustat(big_buffer, &statbuf) == 0)
4362 int size = statbuf.st_size; /* Because might be a long */
4363 log_write(0, LOG_MAIN, "Format error in spool file %s: size=%d",
4366 else log_write(0, LOG_MAIN, "Format error in spool file %s", spoolname);
4369 log_write(0, LOG_MAIN, "Error reading spool file %s: %s", spoolname,
4372 /* If we managed to read the envelope data, received_time contains the
4373 time the message was received. Otherwise, we can calculate it from the
4376 if (rc != spool_read_hdrerror)
4379 for (i = 0; i < 6; i++)
4380 received_time = received_time * BASE_62 + tab62[id[i] - '0'];
4383 /* If we've had this malformed message too long, sling it. */
4385 if (now - received_time > keep_malformed)
4387 sprintf(CS spoolname, "%s/msglog/%s/%s", spool_directory, message_subdir, id);
4389 sprintf(CS spoolname, "%s/input/%s/%s-D", spool_directory, message_subdir, id);
4391 sprintf(CS spoolname, "%s/input/%s/%s-H", spool_directory, message_subdir, id);
4393 sprintf(CS spoolname, "%s/input/%s/%s-J", spool_directory, message_subdir, id);
4395 log_write(0, LOG_MAIN, "Message removed because older than %s",
4396 readconf_printtime(keep_malformed));
4399 close(deliver_datafile);
4400 deliver_datafile = -1;
4401 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4404 /* The spool header file has been read. Look to see if there is an existing
4405 journal file for this message. If there is, it means that a previous delivery
4406 attempt crashed (program or host) before it could update the spool header file.
4407 Read the list of delivered addresses from the journal and add them to the
4408 nonrecipients tree. Then update the spool file. We can leave the journal in
4409 existence, as it will get further successful deliveries added to it in this
4410 run, and it will be deleted if this function gets to its end successfully.
4411 Otherwise it might be needed again. */
4413 sprintf(CS spoolname, "%s/input/%s/%s-J", spool_directory, message_subdir, id);
4414 jread = Ufopen(spoolname, "rb");
4417 while (Ufgets(big_buffer, big_buffer_size, jread) != NULL)
4419 int n = Ustrlen(big_buffer);
4420 big_buffer[n-1] = 0;
4421 tree_add_nonrecipient(big_buffer);
4422 DEBUG(D_deliver) debug_printf("Previously delivered address %s taken from "
4423 "journal file\n", big_buffer);
4426 /* Panic-dies on error */
4427 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
4429 else if (errno != ENOENT)
4431 log_write(0, LOG_MAIN|LOG_PANIC, "attempt to open journal for reading gave: "
4432 "%s", strerror(errno));
4433 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4436 /* A null recipients list indicates some kind of disaster. */
4438 if (recipients_list == NULL)
4440 close(deliver_datafile);
4441 deliver_datafile = -1;
4442 log_write(0, LOG_MAIN, "Spool error: no recipients for %s", spoolname);
4443 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4447 /* Handle a message that is frozen. There are a number of different things that
4448 can happen, but in the default situation, unless forced, no delivery is
4453 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
4454 /* Moving to another directory removes the message from Exim's view. Other
4455 tools must be used to deal with it. Logging of this action happens in
4456 spool_move_message() and its subfunctions. */
4458 if (move_frozen_messages &&
4459 spool_move_message(id, message_subdir, US"", US"F"))
4460 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4463 /* For all frozen messages (bounces or not), timeout_frozen_after sets the
4464 maximum time to keep messages that are frozen. Thaw if we reach it, with a
4465 flag causing all recipients to be failed. The time is the age of the
4466 message, not the time since freezing. */
4468 if (timeout_frozen_after > 0 && message_age >= timeout_frozen_after)
4470 log_write(0, LOG_MAIN, "cancelled by timeout_frozen_after");
4471 process_recipients = RECIP_FAIL_TIMEOUT;
4474 /* For bounce messages (and others with no sender), thaw if the error message
4475 ignore timer is exceeded. The message will be discarded if this delivery
4478 else if (sender_address[0] == 0 && message_age >= ignore_bounce_errors_after)
4480 log_write(0, LOG_MAIN, "Unfrozen by errmsg timer");
4483 /* If there's no auto thaw, or we haven't reached the auto thaw time yet, and
4484 this delivery is not forced by an admin user, do not attempt delivery of this
4485 message. Note that forced is set for continuing messages down the same
4486 channel, in order to skip load checking and ignore hold domains, but we
4487 don't want unfreezing in that case. */
4491 if ((auto_thaw <= 0 || now <= deliver_frozen_at + auto_thaw) &&
4492 (!forced || !deliver_force_thaw || !admin_user ||
4493 continue_hostname != NULL))
4495 close(deliver_datafile);
4496 deliver_datafile = -1;
4497 log_write(L_skip_delivery, LOG_MAIN, "Message is frozen");
4498 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4501 /* If delivery was forced (by an admin user), assume a manual thaw.
4502 Otherwise it's an auto thaw. */
4506 deliver_manual_thaw = TRUE;
4507 log_write(0, LOG_MAIN, "Unfrozen by forced delivery");
4509 else log_write(0, LOG_MAIN, "Unfrozen by auto-thaw");
4512 /* We get here if any of the rules for unfreezing have triggered. */
4514 deliver_freeze = FALSE;
4515 update_spool = TRUE;
4519 /* Open the message log file if we are using them. This records details of
4520 deliveries, deferments, and failures for the benefit of the mail administrator.
4521 The log is not used by exim itself to track the progress of a message; that is
4522 done by rewriting the header spool file. */
4529 sprintf(CS spoolname, "%s/msglog/%s/%s", spool_directory, message_subdir, id);
4530 fd = open_msglog_file(spoolname, SPOOL_MODE, &error);
4534 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't %s message log %s: %s", error,
4535 spoolname, strerror(errno));
4536 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4539 /* Make a C stream out of it. */
4541 message_log = fdopen(fd, "a");
4542 if (message_log == NULL)
4544 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
4545 spoolname, strerror(errno));
4546 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4551 /* If asked to give up on a message, log who did it, and set the action for all
4556 struct passwd *pw = getpwuid(real_uid);
4557 log_write(0, LOG_MAIN, "cancelled by %s", (pw != NULL)?
4558 US pw->pw_name : string_sprintf("uid %ld", (long int)real_uid));
4559 process_recipients = RECIP_FAIL;
4562 /* Otherwise, if there are too many Received: headers, fail all recipients. */
4564 else if (received_count > received_headers_max)
4565 process_recipients = RECIP_FAIL_LOOP;
4567 /* Otherwise, if a system-wide, address-independent message filter is
4568 specified, run it now, except in the case when we are failing all recipients as
4569 a result of timeout_frozen_after. If the system filter yields "delivered", then
4570 ignore the true recipients of the message. Failure of the filter file is
4571 logged, and the delivery attempt fails. */
4573 else if (system_filter != NULL && process_recipients != RECIP_FAIL_TIMEOUT)
4578 redirect_block redirect;
4580 if (system_filter_uid_set)
4582 ugid.uid = system_filter_uid;
4583 ugid.gid = system_filter_gid;
4584 ugid.uid_set = ugid.gid_set = TRUE;
4588 ugid.uid_set = ugid.gid_set = FALSE;
4591 return_path = sender_address;
4592 enable_dollar_recipients = TRUE; /* Permit $recipients in system filter */
4593 system_filtering = TRUE;
4595 /* Any error in the filter file causes a delivery to be abandoned. */
4597 redirect.string = system_filter;
4598 redirect.isfile = TRUE;
4599 redirect.check_owner = redirect.check_group = FALSE;
4600 redirect.owners = NULL;
4601 redirect.owngroups = NULL;
4603 redirect.modemask = 0;
4605 DEBUG(D_deliver|D_filter) debug_printf("running system filter\n");
4608 &redirect, /* Where the data is */
4609 RDO_DEFER | /* Turn on all the enabling options */
4610 RDO_FAIL | /* Leave off all the disabling options */
4615 NULL, /* No :include: restriction (not used in filter) */
4616 NULL, /* No sieve vacation directory (not sieve!) */
4617 &ugid, /* uid/gid data */
4618 &addr_new, /* Where to hang generated addresses */
4619 &filter_message, /* Where to put error message */
4620 NULL, /* Don't skip syntax errors */
4621 &filtertype, /* Will always be set to FILTER_EXIM for this call */
4622 US"system filter"); /* For error messages */
4624 DEBUG(D_deliver|D_filter) debug_printf("system filter returned %d\n", rc);
4626 if (rc == FF_ERROR || rc == FF_NONEXIST)
4628 close(deliver_datafile);
4629 deliver_datafile = -1;
4630 log_write(0, LOG_MAIN|LOG_PANIC, "Error in system filter: %s",
4631 string_printing(filter_message));
4632 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
4635 /* Reset things. If the filter message is an empty string, which can happen
4636 for a filter "fail" or "freeze" command with no text, reset it to NULL. */
4638 system_filtering = FALSE;
4639 enable_dollar_recipients = FALSE;
4640 if (filter_message != NULL && filter_message[0] == 0) filter_message = NULL;
4642 /* Save the values of the system filter variables so that user filters
4645 memcpy(filter_sn, filter_n, sizeof(filter_sn));
4647 /* The filter can request that delivery of the original addresses be
4652 process_recipients = RECIP_DEFER;
4653 deliver_msglog("Delivery deferred by system filter\n");
4654 log_write(0, LOG_MAIN, "Delivery deferred by system filter");
4657 /* The filter can request that a message be frozen, but this does not
4658 take place if the message has been manually thawed. In that case, we must
4659 unset "delivered", which is forced by the "freeze" command to make -bF
4662 else if (rc == FF_FREEZE && !deliver_manual_thaw)
4664 deliver_freeze = TRUE;
4665 deliver_frozen_at = time(NULL);
4666 process_recipients = RECIP_DEFER;
4667 frozen_info = string_sprintf(" by the system filter%s%s",
4668 (filter_message == NULL)? US"" : US": ",
4669 (filter_message == NULL)? US"" : filter_message);
4672 /* The filter can request that a message be failed. The error message may be
4673 quite long - it is sent back to the sender in the bounce - but we don't want
4674 to fill up the log with repetitions of it. If it starts with << then the text
4675 between << and >> is written to the log, with the rest left for the bounce
4678 else if (rc == FF_FAIL)
4680 uschar *colon = US"";
4681 uschar *logmsg = US"";
4684 process_recipients = RECIP_FAIL_FILTER;
4686 if (filter_message != NULL)
4690 if (filter_message[0] == '<' && filter_message[1] == '<' &&
4691 (logend = Ustrstr(filter_message, ">>")) != NULL)
4693 logmsg = filter_message + 2;
4694 loglen = logend - logmsg;
4695 filter_message = logend + 2;
4696 if (filter_message[0] == 0) filter_message = NULL;
4700 logmsg = filter_message;
4701 loglen = Ustrlen(filter_message);
4705 log_write(0, LOG_MAIN, "cancelled by system filter%s%.*s", colon, loglen,
4709 /* Delivery can be restricted only to those recipients (if any) that the
4710 filter specified. */
4712 else if (rc == FF_DELIVERED)
4714 process_recipients = RECIP_IGNORE;
4715 if (addr_new == NULL)
4716 log_write(0, LOG_MAIN, "=> discarded (system filter)");
4718 log_write(0, LOG_MAIN, "original recipients ignored (system filter)");
4721 /* If any new addresses were created by the filter, fake up a "parent"
4722 for them. This is necessary for pipes, etc., which are expected to have
4723 parents, and it also gives some sensible logging for others. Allow
4724 pipes, files, and autoreplies, and run them as the filter uid if set,
4725 otherwise as the current uid. */
4727 if (addr_new != NULL)
4729 int uid = (system_filter_uid_set)? system_filter_uid : geteuid();
4730 int gid = (system_filter_gid_set)? system_filter_gid : getegid();
4732 /* The text "system-filter" is tested in transport_set_up_command() and in
4733 set_up_shell_command() in the pipe transport, to enable them to permit
4734 $recipients, so don't change it here without also changing it there. */
4736 address_item *p = addr_new;
4737 address_item *parent = deliver_make_addr(US"system-filter", FALSE);
4739 parent->domain = string_copylc(qualify_domain_recipient);
4740 parent->local_part = US"system-filter";
4742 /* As part of this loop, we arrange for addr_last to end up pointing
4743 at the final address. This is used if we go on to add addresses for the
4744 original recipients. */
4748 parent->child_count++;
4751 if (testflag(p, af_pfr))
4757 setflag(p, af_uid_set |
4763 /* Find the name of the system filter's appropriate pfr transport */
4765 if (p->address[0] == '|')
4768 tpname = system_filter_pipe_transport;
4769 address_pipe = p->address;
4771 else if (p->address[0] == '>')
4774 tpname = system_filter_reply_transport;
4778 if (p->address[Ustrlen(p->address)-1] == '/')
4780 type = US"directory";
4781 tpname = system_filter_directory_transport;
4786 tpname = system_filter_file_transport;
4788 address_file = p->address;
4791 /* Now find the actual transport, first expanding the name. We have
4792 set address_file or address_pipe above. */
4796 uschar *tmp = expand_string(tpname);
4797 address_file = address_pipe = NULL;
4799 p->message = string_sprintf("failed to expand \"%s\" as a "
4800 "system filter transport name", tpname);
4805 p->message = string_sprintf("system_filter_%s_transport is unset",
4811 transport_instance *tp;
4812 for (tp = transports; tp != NULL; tp = tp->next)
4814 if (Ustrcmp(tp->name, tpname) == 0)
4821 p->message = string_sprintf("failed to find \"%s\" transport "
4822 "for system filter delivery", tpname);
4825 /* If we couldn't set up a transport, defer the delivery, putting the
4826 error on the panic log as well as the main log. */
4828 if (p->transport == NULL)
4830 address_item *badp = p;
4832 if (addr_last == NULL) addr_new = p; else addr_last->next = p;
4833 badp->local_part = badp->address; /* Needed for log line */
4834 post_process_one(badp, DEFER, LOG_MAIN|LOG_PANIC, DTYPE_ROUTER, 0);
4837 } /* End of pfr handling */
4839 /* Either a non-pfr delivery, or we found a transport */
4841 DEBUG(D_deliver|D_filter)
4842 debug_printf("system filter added %s\n", p->address);
4846 } /* Loop through all addr_new addresses */
4851 /* Scan the recipients list, and for every one that is not in the non-
4852 recipients tree, add an addr item to the chain of new addresses. If the pno
4853 value is non-negative, we must set the onetime parent from it. This which
4854 points to the relevant entry in the recipients list.
4856 This processing can be altered by the setting of the process_recipients
4857 variable, which is changed if recipients are to be ignored, failed, or
4858 deferred. This can happen as a result of system filter activity, or if the -Mg
4859 option is used to fail all of them.
4861 Duplicate addresses are handled later by a different tree structure; we can't
4862 just extend the non-recipients tree, because that will be re-written to the
4863 spool if the message is deferred, and in any case there are casing
4864 complications for local addresses. */
4866 if (process_recipients != RECIP_IGNORE)
4868 for (i = 0; i < recipients_count; i++)
4870 if (tree_search(tree_nonrecipients, recipients_list[i].address) == NULL)
4872 recipient_item *r = recipients_list + i;
4873 address_item *new = deliver_make_addr(r->address, FALSE);
4874 new->p.errors_address = r->errors_to;
4877 new->onetime_parent = recipients_list[r->pno].address;
4879 switch (process_recipients)
4881 /* RECIP_DEFER is set when a system filter freezes a message. */
4884 new->next = addr_defer;
4889 /* RECIP_FAIL_FILTER is set when a system filter has obeyed a "fail"
4892 case RECIP_FAIL_FILTER:
4894 (filter_message == NULL)? US"delivery cancelled" : filter_message;
4895 goto RECIP_QUEUE_FAILED; /* below */
4898 /* RECIP_FAIL_TIMEOUT is set when a message is frozen, but is older
4899 than the value in timeout_frozen_after. Treat non-bounce messages
4900 similarly to -Mg; for bounce messages we just want to discard, so
4901 don't put the address on the failed list. The timeout has already
4904 case RECIP_FAIL_TIMEOUT:
4905 new->message = US"delivery cancelled; message timed out";
4906 goto RECIP_QUEUE_FAILED; /* below */
4909 /* RECIP_FAIL is set when -Mg has been used. */
4912 new->message = US"delivery cancelled by administrator";
4915 /* Common code for the failure cases above. If this is not a bounce
4916 message, put the address on the failed list so that it is used to
4917 create a bounce. Otherwise do nothing - this just discards the address.
4918 The incident has already been logged. */
4921 if (sender_address[0] != 0)
4923 new->next = addr_failed;
4929 /* RECIP_FAIL_LOOP is set when there are too many Received: headers
4930 in the message. Process each address as a routing failure; if this
4931 is a bounce message, it will get frozen. */
4933 case RECIP_FAIL_LOOP:
4934 new->message = US"Too many \"Received\" headers - suspected mail loop";
4935 post_process_one(new, FAIL, LOG_MAIN, DTYPE_ROUTER, 0);
4939 /* Value should be RECIP_ACCEPT; take this as the safe default. */
4942 if (addr_new == NULL) addr_new = new; else addr_last->next = new;
4952 address_item *p = addr_new;
4953 debug_printf("Delivery address list:\n");
4956 debug_printf(" %s %s\n", p->address, (p->onetime_parent == NULL)? US"" :
4962 /* Set up the buffers used for copying over the file when delivering. */
4964 deliver_in_buffer = store_malloc(DELIVER_IN_BUFFER_SIZE);
4965 deliver_out_buffer = store_malloc(DELIVER_OUT_BUFFER_SIZE);
4969 /* Until there are no more new addresses, handle each one as follows:
4971 . If this is a generated address (indicated by the presence of a parent
4972 pointer) then check to see whether it is a pipe, file, or autoreply, and
4973 if so, handle it directly here. The router that produced the address will
4974 have set the allow flags into the address, and also set the uid/gid required.
4975 Having the routers generate new addresses and then checking them here at
4976 the outer level is tidier than making each router do the checking, and
4977 means that routers don't need access to the failed address queue.
4979 . Break up the address into local part and domain, and make lowercased
4980 versions of these strings. We also make unquoted versions of the local part.
4982 . Handle the percent hack for those domains for which it is valid.
4984 . For child addresses, determine if any of the parents have the same address.
4985 If so, generate a different string for previous delivery checking. Without
4986 this code, if the address spqr generates spqr via a forward or alias file,
4987 delivery of the generated spqr stops further attempts at the top level spqr,
4988 which is not what is wanted - it may have generated other addresses.
4990 . Check on the retry database to see if routing was previously deferred, but
4991 only if in a queue run. Addresses that are to be routed are put on the
4992 addr_route chain. Addresses that are to be deferred are put on the
4993 addr_defer chain. We do all the checking first, so as not to keep the
4994 retry database open any longer than necessary.
4996 . Now we run the addresses through the routers. A router may put the address
4997 on either the addr_local or the addr_remote chain for local or remote
4998 delivery, respectively, or put it on the addr_failed chain if it is
4999 undeliveable, or it may generate child addresses and put them on the
5000 addr_new chain, or it may defer an address. All the chain anchors are
5001 passed as arguments so that the routers can be called for verification
5004 . If new addresses have been generated by the routers, da capo.
5007 header_rewritten = FALSE; /* No headers rewritten yet */
5008 while (addr_new != NULL) /* Loop until all addresses dealt with */
5010 address_item *addr, *parent;
5011 dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE);
5013 /* Failure to open the retry database is treated the same as if it does
5014 not exist. In both cases, dbm_file is NULL. */
5016 if (dbm_file == NULL)
5018 DEBUG(D_deliver|D_retry|D_route|D_hints_lookup)
5019 debug_printf("no retry data available\n");
5022 /* Scan the current batch of new addresses, to handle pipes, files and
5023 autoreplies, and determine which others are ready for routing. */
5025 while (addr_new != NULL)
5030 dbdata_retry *domain_retry_record;
5031 dbdata_retry *address_retry_record;
5034 addr_new = addr->next;
5036 DEBUG(D_deliver|D_retry|D_route)
5038 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
5039 debug_printf("Considering: %s\n", addr->address);
5042 /* Handle generated address that is a pipe or a file or an autoreply. */
5044 if (testflag(addr, af_pfr))
5046 int offset = testflag(addr->parent, af_homonym)? 3:0;
5048 /* If two different users specify delivery to the same pipe or file or
5049 autoreply, there should be two different deliveries, so build a unique
5050 string that incorporates the original address, and use this for
5051 duplicate testing and recording delivery, and also for retrying. */
5054 string_sprintf("%s:%s", addr->address, addr->parent->unique + offset);
5056 addr->address_retry_key = addr->domain_retry_key =
5057 string_sprintf("T:%s", addr->unique);
5059 /* If a filter file specifies two deliveries to the same pipe or file,
5060 we want to de-duplicate, but this is probably not wanted for two mail
5061 commands to the same address, where probably both should be delivered.
5062 So, we have to invent a different unique string in that case. Just
5063 keep piling '>' characters on the front. */
5065 if (addr->address[0] == '>')
5067 while (tree_search(tree_duplicates, addr->unique) != NULL)
5068 addr->unique = string_sprintf(">%s", addr->unique);
5071 else if ((tnode = tree_search(tree_duplicates, addr->unique)) != NULL)
5073 DEBUG(D_deliver|D_route)
5074 debug_printf("%s is a duplicate address: discarded\n", addr->address);
5075 addr->dupof = tnode->data.ptr;
5076 addr->next = addr_duplicate;
5077 addr_duplicate = addr;
5081 DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
5083 /* Check for previous delivery */
5085 if (tree_search(tree_nonrecipients, addr->unique) != NULL)
5087 DEBUG(D_deliver|D_route)
5088 debug_printf("%s was previously delivered: discarded\n", addr->address);
5089 child_done(addr, tod_stamp(tod_log));
5093 /* Save for checking future duplicates */
5095 tree_add_duplicate(addr->unique, addr);
5097 /* Set local part and domain */
5099 addr->local_part = addr->address;
5100 addr->domain = addr->parent->domain;
5102 /* Ensure that the delivery is permitted. */
5104 if (testflag(addr, af_file))
5106 if (!testflag(addr, af_allow_file))
5108 addr->basic_errno = ERRNO_FORBIDFILE;
5109 addr->message = US"delivery to file forbidden";
5110 (void)post_process_one(addr, FAIL, LOG_MAIN, DTYPE_ROUTER, 0);
5111 continue; /* with the next new address */
5114 else if (addr->address[0] == '|')
5116 if (!testflag(addr, af_allow_pipe))
5118 addr->basic_errno = ERRNO_FORBIDPIPE;
5119 addr->message = US"delivery to pipe forbidden";
5120 (void)post_process_one(addr, FAIL, LOG_MAIN, DTYPE_ROUTER, 0);
5121 continue; /* with the next new address */
5124 else if (!testflag(addr, af_allow_reply))
5126 addr->basic_errno = ERRNO_FORBIDREPLY;
5127 addr->message = US"autoreply forbidden";
5128 (void)post_process_one(addr, FAIL, LOG_MAIN, DTYPE_ROUTER, 0);
5129 continue; /* with the next new address */
5132 /* If the errno field is already set to BADTRANSPORT, it indicates
5133 failure to expand a transport string, or find the associated transport,
5134 or an unset transport when one is required. Leave this test till now so
5135 that the forbid errors are given in preference. */
5137 if (addr->basic_errno == ERRNO_BADTRANSPORT)
5139 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_ROUTER, 0);
5143 /* Treat /dev/null as a special case and abandon the delivery. This
5144 avoids having to specify a uid on the transport just for this case.
5145 Arrange for the transport name to be logged as "**bypassed**". */
5147 if (Ustrcmp(addr->address, "/dev/null") == 0)
5149 uschar *save = addr->transport->name;
5150 addr->transport->name = US"**bypassed**";
5151 (void)post_process_one(addr, OK, LOG_MAIN, DTYPE_TRANSPORT, '=');
5152 addr->transport->name = save;
5153 continue; /* with the next new address */
5156 /* Pipe, file, or autoreply delivery is to go ahead as a normal local
5159 DEBUG(D_deliver|D_route)
5160 debug_printf("queued for %s transport\n", addr->transport->name);
5161 addr->next = addr_local;
5163 continue; /* with the next new address */
5166 /* Handle normal addresses. First, split up into local part and domain,
5167 handling the %-hack if necessary. There is the possibility of a defer from
5168 a lookup in percent_hack_domains. */
5170 if ((rc = deliver_split_address(addr)) == DEFER)
5172 addr->message = US"cannot check percent_hack_domains";
5173 addr->basic_errno = ERRNO_LISTDEFER;
5174 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_NONE, 0);
5178 /* Check to see if the domain is held. If so, proceed only if the
5179 delivery was forced by hand. */
5181 deliver_domain = addr->domain; /* set $domain */
5182 if (!forced && hold_domains != NULL &&
5183 (rc = match_isinlist(addr->domain, &hold_domains, 0,
5184 &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE,
5189 addr->message = US"hold_domains lookup deferred";
5190 addr->basic_errno = ERRNO_LISTDEFER;
5194 addr->message = US"domain is held";
5195 addr->basic_errno = ERRNO_HELD;
5197 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_NONE, 0);
5201 /* Now we can check for duplicates and previously delivered addresses. In
5202 order to do this, we have to generate a "unique" value for each address,
5203 because there may be identical actual addresses in a line of descendents.
5204 The "unique" field is initialized to the same value as the "address" field,
5205 but gets changed here to cope with identically-named descendents. */
5207 for (parent = addr->parent; parent != NULL; parent = parent->parent)
5208 if (strcmpic(addr->address, parent->address) == 0) break;
5210 /* If there's an ancestor with the same name, set the homonym flag. This
5211 influences how deliveries are recorded. Then add a prefix on the front of
5212 the unique address. We use \n\ where n starts at 0 and increases each time.
5213 It is unlikely to pass 9, but if it does, it may look odd but will still
5214 work. This means that siblings or cousins with the same names are treated
5215 as duplicates, which is what we want. */
5219 setflag(addr, af_homonym);
5220 if (parent->unique[0] != '\\')
5221 addr->unique = string_sprintf("\\0\\%s", addr->address);
5223 addr->unique = string_sprintf("\\%c\\%s", parent->unique[1] + 1,
5227 /* Ensure that the domain in the unique field is lower cased, because
5228 domains are always handled caselessly. */
5230 p = Ustrrchr(addr->unique, '@');
5231 while (*p != 0) { *p = tolower(*p); p++; }
5233 DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
5235 if (tree_search(tree_nonrecipients, addr->unique) != NULL)
5237 DEBUG(D_deliver|D_route)
5238 debug_printf("%s was previously delivered: discarded\n", addr->unique);
5239 child_done(addr, tod_stamp(tod_log));
5243 /* If it's a duplicate, remember what it's a duplicate of */
5245 if ((tnode = tree_search(tree_duplicates, addr->unique)) != NULL)
5247 DEBUG(D_deliver|D_route)
5248 debug_printf("%s is a duplicate address: discarded\n", addr->unique);
5249 addr->dupof = tnode->data.ptr;
5250 addr->next = addr_duplicate;
5251 addr_duplicate = addr;
5255 /* Record this address, so subsequent duplicates get picked up. */
5257 tree_add_duplicate(addr->unique, addr);
5259 /* Get the routing retry status, saving the two retry keys (with and
5260 without the local part) for subsequent use. Ignore retry records that
5263 addr->domain_retry_key = string_sprintf("R:%s", addr->domain);
5264 addr->address_retry_key = string_sprintf("R:%s@%s", addr->local_part,
5267 if (dbm_file == NULL)
5268 domain_retry_record = address_retry_record = NULL;
5271 domain_retry_record = dbfn_read(dbm_file, addr->domain_retry_key);
5272 if (domain_retry_record != NULL &&
5273 now - domain_retry_record->time_stamp > retry_data_expire)
5274 domain_retry_record = NULL;
5276 address_retry_record = dbfn_read(dbm_file, addr->address_retry_key);
5277 if (address_retry_record != NULL &&
5278 now - address_retry_record->time_stamp > retry_data_expire)
5279 address_retry_record = NULL;
5282 DEBUG(D_deliver|D_retry)
5284 if (domain_retry_record == NULL)
5285 debug_printf("no domain retry record\n");
5286 if (address_retry_record == NULL)
5287 debug_printf("no address retry record\n");
5290 /* If we are sending a message down an existing SMTP connection, we must
5291 assume that the message which created the connection managed to route
5292 an address to that connection. We do not want to run the risk of taking
5293 a long time over routing here, because if we do, the server at the other
5294 end of the connection may time it out. This is especially true for messages
5295 with lots of addresses. For this kind of delivery, queue_running is not
5296 set, so we would normally route all addresses. We take a pragmatic approach
5297 and defer routing any addresses that have any kind of domain retry record.
5298 That is, we don't even look at their retry times. It doesn't matter if this
5299 doesn't work occasionally. This is all just an optimization, after all.
5301 The reason for not doing the same for address retries is that they normally
5302 arise from 4xx responses, not DNS timeouts. */
5304 if (continue_hostname != NULL && domain_retry_record != NULL)
5306 addr->message = US"reusing SMTP connection skips previous routing defer";
5307 addr->basic_errno = ERRNO_RRETRY;
5308 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_ROUTER, 0);
5311 /* If queue_running, defer routing unless no retry data or we've
5312 passed the next retry time, or this message is forced. However,
5313 if the retry time has expired, allow the routing attempt.
5314 If it fails again, the address will be failed. This ensures that
5315 each address is routed at least once, even after long-term routing
5318 If there is an address retry, check that too; just wait for the next
5319 retry time. This helps with the case when the temporary error on the
5320 address was really message-specific rather than address specific, since
5321 it allows other messages through. */
5323 else if (!deliver_force && queue_running &&
5324 ((domain_retry_record != NULL &&
5325 now < domain_retry_record->next_try &&
5326 !domain_retry_record->expired)
5328 (address_retry_record != NULL &&
5329 now < address_retry_record->next_try))
5332 addr->message = US"retry time not reached";
5333 addr->basic_errno = ERRNO_RRETRY;
5334 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_ROUTER, 0);
5337 /* The domain is OK for routing. Remember if retry data exists so it
5338 can be cleaned up after a successful delivery. */
5342 if (domain_retry_record != NULL || address_retry_record != NULL)
5343 setflag(addr, af_dr_retry_exists);
5344 addr->next = addr_route;
5346 DEBUG(D_deliver|D_route)
5347 debug_printf("%s: queued for routing\n", addr->address);
5351 /* The database is closed while routing is actually happening. Requests to
5352 update it are put on a chain and all processed together at the end. */
5354 if (dbm_file != NULL) dbfn_close(dbm_file);
5356 /* If queue_domains is set, we don't even want to try routing addresses in
5357 those domains. During queue runs, queue_domains is forced to be unset.
5358 Optimize by skipping this pass through the addresses if nothing is set. */
5360 if (!deliver_force && queue_domains != NULL)
5362 address_item *okaddr = NULL;
5363 while (addr_route != NULL)
5365 address_item *addr = addr_route;
5366 addr_route = addr->next;
5368 deliver_domain = addr->domain; /* set $domain */
5369 if ((rc = match_isinlist(addr->domain, &queue_domains, 0,
5370 &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
5375 addr->basic_errno = ERRNO_LISTDEFER;
5376 addr->message = US"queue_domains lookup deferred";
5377 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_ROUTER, 0);
5381 addr->next = okaddr;
5387 addr->basic_errno = ERRNO_QUEUE_DOMAIN;
5388 addr->message = US"domain is in queue_domains";
5389 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_ROUTER, 0);
5393 addr_route = okaddr;
5396 /* Now route those addresses that are not deferred. */
5398 while (addr_route != NULL)
5401 address_item *addr = addr_route;
5402 uschar *old_domain = addr->domain;
5403 uschar *old_unique = addr->unique;
5404 addr_route = addr->next;
5407 /* Just in case some router parameter refers to it. */
5409 return_path = (addr->p.errors_address != NULL)?
5410 addr->p.errors_address : sender_address;
5412 /* If a router defers an address, add a retry item. Whether or not to
5413 use the local part in the key is a property of the router. */
5415 if ((rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
5416 &addr_succeed, v_none)) == DEFER)
5417 retry_add_item(addr, (addr->router->retry_use_local_part)?
5418 string_sprintf("R:%s@%s", addr->local_part, addr->domain) :
5419 string_sprintf("R:%s", addr->domain), 0);
5421 /* Otherwise, if there is an existing retry record in the database, add
5422 retry items to delete both forms. Since the domain might have been
5423 rewritten (expanded to fully qualified) as a result of routing, ensure
5424 that the rewritten form is also deleted. */
5426 else if (testflag(addr, af_dr_retry_exists))
5428 retry_add_item(addr, addr->address_retry_key, rf_delete);
5429 retry_add_item(addr, addr->domain_retry_key, rf_delete);
5430 if (Ustrcmp(addr->domain, old_domain) != 0)
5431 retry_add_item(addr, string_sprintf("R:%s", old_domain), rf_delete);
5434 /* DISCARD is given for :blackhole: and "seen finish". The event has been
5435 logged, but we need to ensure the address (and maybe parents) is marked
5440 address_done(addr, tod_stamp(tod_log));
5441 continue; /* route next address */
5444 /* The address is finished with (failed or deferred). */
5448 (void)post_process_one(addr, rc, LOG_MAIN, DTYPE_ROUTER, 0);
5449 continue; /* route next address */
5452 /* The address has been routed. If the router changed the domain, it will
5453 also have changed the unique address. We have to test whether this address
5454 has already been delivered, because it's the unique address that finally
5457 if (addr->unique != old_unique &&
5458 tree_search(tree_nonrecipients, addr->unique) != 0)
5460 DEBUG(D_deliver|D_route) debug_printf("%s was previously delivered: "
5461 "discarded\n", addr->address);
5462 if (addr_remote == addr) addr_remote = addr->next;
5463 else if (addr_local == addr) addr_local = addr->next;
5466 /* If the router has same_domain_copy_routing set, we are permitted to copy
5467 the routing for any other addresses with the same domain. This is an
5468 optimisation to save repeated DNS lookups for "standard" remote domain
5469 routing. The option is settable only on routers that generate host lists.
5470 We play it very safe, and do the optimization only if the address is routed
5471 to a remote transport, there are no header changes, and the domain was not
5472 modified by the router. */
5474 if (addr_remote == addr &&
5475 addr->router->same_domain_copy_routing &&
5476 addr->p.extra_headers == NULL &&
5477 addr->p.remove_headers == NULL &&
5478 old_domain == addr->domain)
5480 address_item **chain = &addr_route;
5481 while (*chain != NULL)
5483 address_item *addr2 = *chain;
5484 if (Ustrcmp(addr2->domain, addr->domain) != 0)
5486 chain = &(addr2->next);
5490 /* Found a suitable address; take it off the routing list and add it to
5491 the remote delivery list. */
5493 *chain = addr2->next;
5494 addr2->next = addr_remote;
5495 addr_remote = addr2;
5497 /* Copy the routing data */
5499 addr2->domain = addr->domain;
5500 addr2->router = addr->router;
5501 addr2->transport = addr->transport;
5502 addr2->host_list = addr->host_list;
5503 addr2->fallback_hosts = addr->fallback_hosts;
5504 addr2->p.errors_address = addr->p.errors_address;
5505 copyflag(addr2, addr, af_hide_child | af_local_host_removed);
5507 DEBUG(D_deliver|D_route)
5509 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
5511 "Routing for %s copied from %s\n",
5512 addr2->address, addr2->address, addr->address);
5516 } /* Continue with routing the next address. */
5517 } /* Loop to process any child addresses that the routers created, and
5518 any rerouted addresses that got put back on the new chain. */
5521 /* Debugging: show the results of the routing */
5523 DEBUG(D_deliver|D_retry|D_route)
5525 address_item *p = addr_local;
5526 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
5527 debug_printf("After routing:\n Local deliveries:\n");
5530 debug_printf(" %s\n", p->address);
5535 debug_printf(" Remote deliveries:\n");
5538 debug_printf(" %s\n", p->address);
5543 debug_printf(" Failed addresses:\n");
5546 debug_printf(" %s\n", p->address);
5551 debug_printf(" Deferred addresses:\n");
5554 debug_printf(" %s\n", p->address);
5559 /* Free any resources that were cached during routing. */
5564 /* These two variables are set only during routing, after check_local_user.
5565 Ensure they are not set in transports. */
5567 local_user_gid = (gid_t)(-1);
5568 local_user_uid = (uid_t)(-1);
5570 /* When acting as an MUA wrapper, we proceed only if all addresses route to a
5571 remote transport. The check that they all end up in one transaction happens in
5572 the do_remote_deliveries() function. */
5574 if (mua_wrapper && (addr_local != NULL || addr_failed != NULL ||
5575 addr_defer != NULL))
5578 uschar *which, *colon, *msg;
5580 if (addr_local != NULL)
5585 else if (addr_defer != NULL)
5588 which = US"deferred";
5596 while (addr->parent != NULL) addr = addr->parent;
5598 if (addr->message != NULL)
5601 msg = addr->message;
5603 else colon = msg = US"";
5605 /* We don't need to log here for a forced failure as it will already
5606 have been logged. Defer will also have been logged, but as a defer, so we do
5607 need to do the failure logging. */
5609 if (addr != addr_failed)
5610 log_write(0, LOG_MAIN, "** %s routing yielded a %s delivery",
5611 addr->address, which);
5613 /* Always write an error to the caller */
5615 fprintf(stderr, "routing %s yielded a %s delivery%s%s\n", addr->address,
5618 final_yield = DELIVER_MUA_FAILED;
5619 addr_failed = addr_defer = NULL; /* So that we remove the message */
5620 goto DELIVERY_TIDYUP;
5624 /* If this is a run to continue deliveries to an external channel that is
5625 already set up, defer any local deliveries. */
5627 if (continue_transport != NULL)
5629 if (addr_defer == NULL) addr_defer = addr_local; else
5631 address_item *addr = addr_defer;
5632 while (addr->next != NULL) addr = addr->next;
5633 addr->next = addr_local;
5639 /* Because address rewriting can happen in the routers, we should not really do
5640 ANY deliveries until all addresses have been routed, so that all recipients of
5641 the message get the same headers. However, this is in practice not always
5642 possible, since sometimes remote addresses give DNS timeouts for days on end.
5643 The pragmatic approach is to deliver what we can now, saving any rewritten
5644 headers so that at least the next lot of recipients benefit from the rewriting
5645 that has already been done.
5647 If any headers have been rewritten during routing, update the spool file to
5648 remember them for all subsequent deliveries. This can be delayed till later if
5649 there is only address to be delivered - if it succeeds the spool write need not
5652 if (header_rewritten &&
5653 ((addr_local != NULL &&
5654 (addr_local->next != NULL || addr_remote != NULL)) ||
5655 (addr_remote != NULL && addr_remote->next != NULL)))
5657 /* Panic-dies on error */
5658 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
5659 header_rewritten = FALSE;
5663 /* If there are any deliveries to be done, open the journal file. This is used
5664 to record successful deliveries as soon as possible after each delivery is
5665 known to be complete. A file opened with O_APPEND is used so that several
5666 processes can run simultaneously.
5668 The journal is just insurance against crashes. When the spool file is
5669 ultimately updated at the end of processing, the journal is deleted. If a
5670 journal is found to exist at the start of delivery, the addresses listed
5671 therein are added to the non-recipients. */
5673 if (addr_local != NULL || addr_remote != NULL)
5675 sprintf(CS spoolname, "%s/input/%s/%s-J", spool_directory, message_subdir, id);
5676 journal_fd = Uopen(spoolname, O_WRONLY|O_APPEND|O_CREAT, SPOOL_MODE);
5680 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open journal file %s: %s",
5681 spoolname, strerror(errno));
5682 return DELIVER_NOT_ATTEMPTED;
5685 /* Set the close-on-exec flag, make the file owned by Exim, and ensure
5686 that the mode is correct - the group setting doesn't always seem to get
5687 set automatically. */
5689 fcntl(journal_fd, F_SETFD, fcntl(journal_fd, F_GETFD) | FD_CLOEXEC);
5690 fchown(journal_fd, exim_uid, exim_gid);
5691 fchmod(journal_fd, SPOOL_MODE);
5695 /* Now we can get down to the business of actually doing deliveries. Local
5696 deliveries are done first, then remote ones. If ever the problems of how to
5697 handle fallback transports are figured out, this section can be put into a loop
5698 for handling fallbacks, though the uid switching will have to be revised. */
5700 if (addr_local != NULL)
5702 DEBUG(D_deliver|D_transport)
5703 debug_printf(">>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>\n");
5704 do_local_deliveries();
5705 disable_logging = FALSE;
5708 /* If queue_run_local is set, we do not want to attempt any remote deliveries,
5709 so just queue them all. */
5711 if (queue_run_local)
5713 while (addr_remote != NULL)
5715 address_item *addr = addr_remote;
5716 addr_remote = addr->next;
5718 addr->basic_errno = ERRNO_LOCAL_ONLY;
5719 addr->message = US"remote deliveries suppressed";
5720 (void)post_process_one(addr, DEFER, LOG_MAIN, DTYPE_TRANSPORT, 0);
5724 /* Handle remote deliveries */
5726 if (addr_remote != NULL)
5728 DEBUG(D_deliver|D_transport)
5729 debug_printf(">>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>\n");
5731 /* Precompile some regex that are used to recognize parameters in response
5732 to an EHLO command, if they aren't already compiled. */
5734 if (regex_PIPELINING == NULL) regex_PIPELINING =
5735 regex_must_compile(US"\\n250[\\s\\-]PIPELINING(\\s|\\n|$)", FALSE, TRUE);
5737 if (regex_SIZE == NULL) regex_SIZE =
5738 regex_must_compile(US"\\n250[\\s\\-]SIZE(\\s|\\n|$)", FALSE, TRUE);
5740 if (regex_AUTH == NULL) regex_AUTH =
5741 regex_must_compile(US"\\n250[\\s\\-]AUTH\\s+([\\-\\w\\s]+)(?:\\n|$)",
5745 if (regex_STARTTLS == NULL) regex_STARTTLS =
5746 regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
5749 /* Now sort the addresses if required, and do the deliveries. The yield of
5750 do_remote_deliveries is FALSE when mua_wrapper is set and all addresses
5751 cannot be delivered in one transaction. */
5753 if (remote_sort_domains != NULL) sort_remote_deliveries();
5754 if (!do_remote_deliveries(FALSE))
5756 log_write(0, LOG_MAIN, "** mua_wrapper is set but recipients cannot all "
5757 "be delivered in one transaction");
5758 fprintf(stderr, "delivery to smarthost failed (configuration problem)\n");
5760 final_yield = DELIVER_MUA_FAILED;
5761 addr_failed = addr_defer = NULL; /* So that we remove the message */
5762 goto DELIVERY_TIDYUP;
5765 /* See if any of the addresses that failed got put on the queue for delivery
5766 to their fallback hosts. We do it this way because often the same fallback
5767 host is used for many domains, so all can be sent in a single transaction
5768 (if appropriately configured). */
5770 if (addr_fallback != NULL && !mua_wrapper)
5772 DEBUG(D_deliver) debug_printf("Delivering to fallback hosts\n");
5773 addr_remote = addr_fallback;
5774 addr_fallback = NULL;
5775 if (remote_sort_domains != NULL) sort_remote_deliveries();
5776 do_remote_deliveries(TRUE);
5778 disable_logging = FALSE;
5782 /* All deliveries are now complete. Ignore SIGTERM during this tidying up
5783 phase, to minimize cases of half-done things. */
5786 debug_printf(">>>>>>>>>>>>>>>> deliveries are done >>>>>>>>>>>>>>>>\n");
5788 /* Root privilege is no longer needed */
5790 exim_setugid(exim_uid, exim_gid, FALSE, US"post-delivery tidying");
5792 set_process_info("tidying up after delivering %s", message_id);
5793 signal(SIGTERM, SIG_IGN);
5795 /* When we are acting as an MUA wrapper, the smtp transport will either have
5796 succeeded for all addresses, or failed them all. We do not ever want to retry,
5797 nor do we want to send a bounce message. */
5801 if (addr_failed == NULL) final_yield = DELIVER_MUA_SUCCEEDED; else
5803 uschar *s = (addr_failed->user_message != NULL)?
5804 addr_failed->user_message : addr_failed->message;
5806 fprintf(stderr, "Delivery failed: ");
5807 if (addr_failed->basic_errno > 0)
5809 fprintf(stderr, "%s", strerror(addr_failed->basic_errno));
5810 if (s != NULL) fprintf(stderr, ": ");
5814 if (addr_failed->basic_errno <= 0) fprintf(stderr, "unknown error");
5816 else fprintf(stderr, "%s", CS s);
5817 fprintf(stderr, "\n");
5819 final_yield = DELIVER_MUA_FAILED;
5824 /* In a normal configuration, we now update the retry database. This is done in
5825 one fell swoop at the end in order not to keep opening and closing (and
5826 locking) the database. The code for handling retries is hived off into a
5827 separate module for convenience. We pass it the addresses of the various
5828 chains, because deferred addresses can get moved onto the failed chain if the
5829 retry cutoff time has expired for all alternative destinations. Bypass the
5830 updating of the database if the -N flag is set, which is a debugging thing that
5831 prevents actual delivery. */
5833 else if (!dont_deliver) retry_update(&addr_defer, &addr_failed, &addr_succeed);
5835 /* If any addresses failed, we must send a message to somebody, unless
5836 af_ignore_error is set, in which case no action is taken. It is possible for
5837 several messages to get sent if there are addresses with different
5840 while (addr_failed != NULL)
5844 uschar *logtod = tod_stamp(tod_log);
5846 address_item *handled_addr = NULL;
5847 address_item **paddr;
5848 address_item *msgchain = NULL;
5849 address_item **pmsgchain = &msgchain;
5851 /* There are weird cases when logging is disabled in the transport. However,
5852 there may not be a transport (address failed by a router). */
5854 disable_logging = FALSE;
5855 if (addr_failed->transport != NULL)
5856 disable_logging = addr_failed->transport->disable_logging;
5859 debug_printf("processing failed address %s\n", addr_failed->address);
5861 /* There are only two ways an address in a bounce message can get here:
5863 (1) When delivery was initially deferred, but has now timed out (in the call
5864 to retry_update() above). We can detect this by testing for
5865 af_retry_timedout. If the address does not have its own errors address,
5866 we arrange to ignore the error.
5868 (2) If delivery failures for bounce messages are being ignored. We can detect
5869 this by testing for af_ignore_error. This will also be set if a bounce
5870 message has been autothawed and the ignore_bounce_errors_after time has
5871 passed. It might also be set if a router was explicitly configured to
5872 ignore errors (errors_to = "").
5874 If neither of these cases obtains, something has gone wrong. Log the
5875 incident, but then ignore the error. */
5877 if (sender_address[0] == 0 && addr_failed->p.errors_address == NULL)
5879 if (!testflag(addr_failed, af_retry_timedout) &&
5880 !testflag(addr_failed, af_ignore_error))
5882 log_write(0, LOG_MAIN|LOG_PANIC, "internal error: bounce message "
5883 "failure is neither frozen nor ignored (it's been ignored)");
5885 setflag(addr_failed, af_ignore_error);
5888 /* If the first address on the list has af_ignore_error set, just remove
5889 it from the list, throw away any saved message file, log it, and
5890 mark the recipient done. */
5892 if (testflag(addr_failed, af_ignore_error))
5895 addr_failed = addr->next;
5896 if (addr->return_filename != NULL) Uunlink(addr->return_filename);
5898 log_write(0, LOG_MAIN, "%s%s%s%s: error ignored",
5900 (addr->parent == NULL)? US"" : US" <",
5901 (addr->parent == NULL)? US"" : addr->parent->address,
5902 (addr->parent == NULL)? US"" : US">");
5904 address_done(addr, logtod);
5905 child_done(addr, logtod);
5906 /* Panic-dies on error */
5907 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
5910 /* Otherwise, handle the sending of a message. Find the error address for
5911 the first address, then send a message that includes all failed addresses
5912 that have the same error address. Note the bounce_recipient is a global so
5913 that it can be accesssed by $bounce_recipient while creating a customized
5918 bounce_recipient = (addr_failed->p.errors_address == NULL)?
5919 sender_address : addr_failed->p.errors_address;
5921 /* Make a subprocess to send a message */
5923 pid = child_open_exim(&fd);
5925 /* Creation of child failed */
5928 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to "
5929 "create child process to send failure message: %s", getpid(),
5930 getppid(), strerror(errno));
5932 /* Creation of child succeeded */
5939 uschar *bcc, *emf_text;
5940 FILE *f = fdopen(fd, "wb");
5942 BOOL to_sender = strcmpic(sender_address, bounce_recipient) == 0;
5943 int max = (bounce_return_size_limit/DELIVER_IN_BUFFER_SIZE + 1) *
5944 DELIVER_IN_BUFFER_SIZE;
5947 debug_printf("sending error message to: %s\n", bounce_recipient);
5949 /* Scan the addresses for all that have the same errors address, removing
5950 them from the addr_failed chain, and putting them on msgchain. */
5952 paddr = &addr_failed;
5953 for (addr = addr_failed; addr != NULL; addr = *paddr)
5955 if (Ustrcmp(bounce_recipient, (addr->p.errors_address == NULL)?
5956 sender_address : addr->p.errors_address) != 0)
5958 paddr = &(addr->next); /* Not the same; skip */
5960 else /* The same - dechain */
5962 *paddr = addr->next;
5965 pmsgchain = &(addr->next);
5969 /* Include X-Failed-Recipients: for automatic interpretation, but do
5970 not let any one header line get too long. We do this by starting a
5971 new header every 50 recipients. Omit any addresses for which the
5972 "hide_child" flag is set. */
5974 for (addr = msgchain; addr != NULL; addr = addr->next)
5976 if (testflag(addr, af_hide_child)) continue;
5983 (rcount++ == 0)? "X-Failed-Recipients: " : ",\n ",
5984 (testflag(addr, af_pfr) && addr->parent != NULL)?
5985 string_printing(addr->parent->address) :
5986 string_printing(addr->address));
5988 if (rcount > 0) fprintf(f, "\n");
5990 /* Output the standard headers */
5992 if (errors_reply_to != NULL)
5993 fprintf(f, "Reply-To: %s\n", errors_reply_to);
5994 fprintf(f, "Auto-Submitted: auto-generated\n");
5995 fprintf(f, "From: Mail Delivery System <Mailer-Daemon@%s>\n",
5996 qualify_domain_sender);
5997 fprintf(f, "To: %s\n", bounce_recipient);
5999 /* Open a template file if one is provided. Log failure to open, but
6000 carry on - default texts will be used. */
6002 if (bounce_message_file != NULL)
6004 emf = Ufopen(bounce_message_file, "rb");
6006 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for error "
6007 "message texts: %s", bounce_message_file, strerror(errno));
6010 /* Quietly copy to configured additional addresses if required. */
6012 bcc = moan_check_errorcopy(bounce_recipient);
6013 if (bcc != NULL) fprintf(f, "Bcc: %s\n", bcc);
6015 /* The texts for the message can be read from a template file; if there
6016 isn't one, or if it is too short, built-in texts are used. The first
6017 emf text is a Subject: and any other headers. */
6019 emf_text = next_emf(emf, US"header");
6020 if (emf_text != NULL) fprintf(f, "%s\n", emf_text); else
6022 fprintf(f, "Subject: Mail delivery failed%s\n\n",
6023 to_sender? ": returning message to sender" : "");
6026 emf_text = next_emf(emf, US"intro");
6027 if (emf_text != NULL) fprintf(f, "%s", CS emf_text); else
6030 /* This message has been reworded several times. It seems to be confusing to
6031 somebody, however it is worded. I have retreated to the original, simple
6033 "This message was created automatically by mail delivery software.\n");
6034 if (bounce_message_text != NULL) fprintf(f, "%s", CS bounce_message_text);
6038 "\nA message that you sent could not be delivered to one or more of its\n"
6039 "recipients. This is a permanent error. The following address(es) failed:\n");
6044 "\nA message sent by\n\n <%s>\n\n"
6045 "could not be delivered to one or more of its recipients. The following\n"
6046 "address(es) failed:\n", sender_address);
6051 /* Process the addresses, leaving them on the msgchain if they have a
6052 file name for a return message. (There has already been a check in
6053 post_process_one() for the existence of data in the message file.) */
6056 for (addr = msgchain; addr != NULL; addr = *paddr)
6058 if (print_address_information(addr, f, US" ", US"\n ", US""))
6060 /* A TRUE return from print_address_information() means that the
6061 address is not hidden. If there is a return file, it has already
6062 been checked to ensure it is not empty. Omit the bland "return
6063 message generated" error, but otherwise include error information. */
6065 if (addr->return_file < 0 ||
6066 addr->message == NULL ||
6067 Ustrcmp(addr->message, "return message generated") != 0)
6070 print_address_error(addr, f);
6074 /* End the final line for the address */
6078 /* Leave on msgchain if there's a return file. */
6080 if (addr->return_file >= 0)
6082 paddr = &(addr->next);
6086 /* Else save so that we can tick off the recipient when the
6091 *paddr = addr->next;
6092 addr->next = handled_addr;
6093 handled_addr = addr;
6099 /* Get the next text, whether we need it or not, so as to be
6100 positioned for the one after. */
6102 emf_text = next_emf(emf, US"generated text");
6104 /* If there were any file messages passed by the local transports,
6105 include them in the message. Then put the address on the handled chain.
6106 In the case of a batch of addresses that were all sent to the same
6107 transport, the return_file field in all of them will contain the same
6108 fd, and the return_filename field in the *last* one will be set (to the
6109 name of the file). */
6111 if (msgchain != NULL)
6113 address_item *nextaddr;
6115 if (emf_text != NULL) fprintf(f, "%s", CS emf_text); else
6117 "The following text was generated during the delivery "
6118 "attempt%s:\n", (filecount > 1)? "s" : "");
6120 for (addr = msgchain; addr != NULL; addr = nextaddr)
6123 address_item *topaddr = addr;
6125 /* List all the addresses that relate to this file */
6128 while(addr != NULL) /* Insurance */
6130 print_address_information(addr, f, US"------ ", US"\n ",
6132 if (addr->return_filename != NULL) break;
6137 /* Now copy the file */
6139 fm = Ufopen(addr->return_filename, "rb");
6142 fprintf(f, " +++ Exim error... failed to open text file: %s\n",
6146 while ((ch = fgetc(fm)) != EOF) fputc(ch, f);
6149 Uunlink(addr->return_filename);
6151 /* Can now add to handled chain, first fishing off the next
6152 address on the msgchain. */
6154 nextaddr = addr->next;
6155 addr->next = handled_addr;
6156 handled_addr = topaddr;
6161 /* Now copy the message, trying to give an intelligible comment if
6162 it is too long for it all to be copied. The limit isn't strictly
6163 applied because of the buffering. There is, however, an option
6164 to suppress copying altogether. */
6166 emf_text = next_emf(emf, US"copy");
6168 if (bounce_return_message)
6170 int topt = topt_add_return_path;
6171 if (!bounce_return_body) topt |= topt_no_body;
6173 if (emf_text != NULL) fprintf(f, "%s", CS emf_text); else
6175 if (bounce_return_body) fprintf(f,
6176 "------ This is a copy of the message, including all the headers. ------\n");
6178 "------ This is a copy of the message's headers. ------\n");
6181 /* While reading the "truncated" message, set return_size_limit to
6182 the actual max testing value, rounded. We need to read the message
6183 whether we are going to use it or not. */
6186 int temp = bounce_return_size_limit;
6187 bounce_return_size_limit = (max/1000)*1000;
6188 emf_text = next_emf(emf, US"truncated");
6189 bounce_return_size_limit = temp;
6192 if (bounce_return_body && bounce_return_size_limit > 0)
6194 struct stat statbuf;
6195 if (fstat(deliver_datafile, &statbuf) == 0 && statbuf.st_size > max)
6197 if (emf_text != NULL) fprintf(f, "%s", CS emf_text); else
6200 "------ The body of the message is %d characters long; only the first\n"
6201 "------ %d or so are included here.\n", (int)statbuf.st_size, max);
6208 transport_filter_argv = NULL; /* Just in case */
6209 return_path = sender_address; /* In case not previously set */
6210 transport_write_message(NULL, fileno(f), topt,
6211 bounce_return_size_limit, NULL, NULL, NULL, NULL, NULL, 0);
6214 /* Write final text and close the template file if one is open */
6218 emf_text = next_emf(emf, US"final");
6219 if (emf_text != NULL) fprintf(f, "%s", CS emf_text);
6223 /* Close the file, which should send an EOF to the child process
6224 that is receiving the message. Wait for it to finish. */
6227 rc = child_close(pid, 0); /* Waits for child to close, no timeout */
6229 /* In the test harness, let the child do it's thing first. */
6231 if (running_in_test_harness) millisleep(500);
6233 /* If the process failed, there was some disaster in setting up the
6234 error message. Unless the message is very old, ensure that addr_defer
6235 is non-null, which will have the effect of leaving the message on the
6236 spool. The failed addresses will get tried again next time. However, we
6237 don't really want this to happen too often, so freeze the message unless
6238 there are some genuine deferred addresses to try. To do this we have
6239 to call spool_write_header() here, because with no genuine deferred
6240 addresses the normal code below doesn't get run. */
6245 if (now - received_time < retry_maximum_timeout && addr_defer == NULL)
6247 addr_defer = (address_item *)(+1);
6248 deliver_freeze = TRUE;
6249 deliver_frozen_at = time(NULL);
6250 /* Panic-dies on error */
6251 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
6254 deliver_msglog("Process failed (%d) when writing error message "
6255 "to %s%s", rc, bounce_recipient, s);
6256 log_write(0, LOG_MAIN, "Process failed (%d) when writing error message "
6257 "to %s%s", rc, bounce_recipient, s);
6260 /* The message succeeded. Ensure that the recipients that failed are
6261 now marked finished with on the spool and their parents updated. */
6265 for (addr = handled_addr; addr != NULL; addr = addr->next)
6267 address_done(addr, logtod);
6268 child_done(addr, logtod);
6270 /* Panic-dies on error */
6271 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
6277 disable_logging = FALSE; /* In case left set */
6279 /* Come here from the mua_wrapper case if routing goes wrong */
6283 /* If there are now no deferred addresses, we are done. Preserve the
6284 message log if so configured, and we are using them. Otherwise, sling it.
6285 Then delete the message itself. */
6287 if (addr_defer == NULL)
6291 sprintf(CS spoolname, "%s/msglog/%s/%s", spool_directory, message_subdir,
6293 if (preserve_message_logs)
6296 sprintf(CS big_buffer, "%s/msglog.OLD/%s", spool_directory, id);
6297 if ((rc = Urename(spoolname, big_buffer)) < 0)
6299 (void)directory_make(spool_directory, US"msglog.OLD",
6300 MSGLOG_DIRECTORY_MODE, TRUE);
6301 rc = Urename(spoolname, big_buffer);
6304 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to move %s to the "
6305 "msglog.OLD directory", spoolname);
6309 if (Uunlink(spoolname) < 0)
6310 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s", spoolname);
6314 /* Remove the two message files. */
6316 sprintf(CS spoolname, "%s/input/%s/%s-D", spool_directory, message_subdir, id);
6317 if (Uunlink(spoolname) < 0)
6318 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s", spoolname);
6319 sprintf(CS spoolname, "%s/input/%s/%s-H", spool_directory, message_subdir, id);
6320 if (Uunlink(spoolname) < 0)
6321 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s", spoolname);
6322 log_write(0, LOG_MAIN, "Completed");
6325 /* If there are deferred addresses, we are keeping this message because it is
6326 not yet completed. Lose any temporary files that were catching output from
6327 pipes for any of the deferred addresses, handle one-time aliases, and see if
6328 the message has been on the queue for so long that it is time to send a warning
6329 message to the sender, unless it is a mailer-daemon. If all deferred addresses
6330 have the same domain, we can set deliver_domain for the expansion of
6331 delay_warning_ condition - if any of them are pipes, files, or autoreplies, use
6332 the parent's domain.
6334 If all the deferred addresses have an error number that indicates "retry time
6335 not reached", skip sending the warning message, because it won't contain the
6336 reason for the delay. It will get sent at the next real delivery attempt.
6337 However, if at least one address has tried, we'd better include all of them in
6340 If we can't make a process to send the message, don't worry.
6342 For mailing list expansions we want to send the warning message to the
6343 mailing list manager. We can't do a perfect job here, as some addresses may
6344 have different errors addresses, but if we take the errors address from
6345 each deferred address it will probably be right in most cases.
6347 If addr_defer == +1, it means there was a problem sending an error message
6348 for failed addresses, and there were no "real" deferred addresses. The value
6349 was set just to keep the message on the spool, so there is nothing to do here.
6352 else if (addr_defer != (address_item *)(+1))
6355 uschar *recipients = US"";
6356 BOOL delivery_attempted = FALSE;
6358 deliver_domain = testflag(addr_defer, af_pfr)?
6359 addr_defer->parent->domain : addr_defer->domain;
6361 for (addr = addr_defer; addr != NULL; addr = addr->next)
6363 address_item *otaddr;
6365 if (addr->basic_errno > ERRNO_RETRY_BASE) delivery_attempted = TRUE;
6367 if (deliver_domain != NULL)
6369 uschar *d = (testflag(addr, af_pfr))? addr->parent->domain : addr->domain;
6371 /* The domain may be unset for an address that has never been routed
6372 because the system filter froze the message. */
6374 if (d == NULL || Ustrcmp(d, deliver_domain) != 0) deliver_domain = NULL;
6377 if (addr->return_filename != NULL) Uunlink(addr->return_filename);
6379 /* Handle the case of one-time aliases. If any address in the ancestry
6380 of this one is flagged, ensure it is in the recipients list, suitably
6381 flagged, and that its parent is marked delivered. */
6383 for (otaddr = addr; otaddr != NULL; otaddr = otaddr->parent)
6384 if (otaddr->onetime_parent != NULL) break;
6389 int t = recipients_count;
6391 for (i = 0; i < recipients_count; i++)
6393 uschar *r = recipients_list[i].address;
6394 if (Ustrcmp(otaddr->onetime_parent, r) == 0) t = i;
6395 if (Ustrcmp(otaddr->address, r) == 0) break;
6398 /* Didn't find the address already in the list, and did find the
6399 ultimate parent's address in the list. After adding the recipient,
6400 update the errors address in the recipients list. */
6402 if (i >= recipients_count && t < recipients_count)
6404 DEBUG(D_deliver) debug_printf("one_time: adding %s in place of %s\n",
6405 otaddr->address, otaddr->parent->address);
6406 receive_add_recipient(otaddr->address, t);
6407 recipients_list[recipients_count-1].errors_to = otaddr->p.errors_address;
6408 tree_add_nonrecipient(otaddr->parent->address);
6409 update_spool = TRUE;
6413 /* Except for error messages, ensure that either the errors address for
6414 this deferred address or, if there is none, the sender address, is on the
6415 list of recipients for a warning message. */
6417 if (sender_address[0] != 0)
6419 if (addr->p.errors_address == NULL)
6421 if (Ustrstr(recipients, sender_address) == NULL)
6422 recipients = string_sprintf("%s%s%s", recipients,
6423 (recipients[0] == 0)? "" : ",", sender_address);
6427 if (Ustrstr(recipients, addr->p.errors_address) == NULL)
6428 recipients = string_sprintf("%s%s%s", recipients,
6429 (recipients[0] == 0)? "" : ",", addr->p.errors_address);
6434 /* Send a warning message if the conditions are right. If the condition check
6435 fails because of a lookup defer, there is nothing we can do. The warning
6436 is not sent. Another attempt will be made at the next delivery attempt (if
6439 if (!queue_2stage && delivery_attempted &&
6440 delay_warning[1] > 0 && sender_address[0] != 0 &&
6441 (delay_warning_condition == NULL ||
6442 expand_check_condition(delay_warning_condition,
6443 US"delay_warning", US"option")))
6447 int queue_time = time(NULL) - received_time;
6449 /* When running in the test harness, there's an option that allows us to
6450 fudge this time so as to get repeatability of the tests. Take the first
6451 time off the list. In queue runs, the list pointer gets updated in the
6454 if (running_in_test_harness && fudged_queue_times[0] != 0)
6456 int qt = readconf_readtime(fudged_queue_times, '/', FALSE);
6459 DEBUG(D_deliver) debug_printf("fudged queue_times = %s\n",
6460 fudged_queue_times);
6465 /* See how many warnings we should have sent by now */
6467 for (count = 0; count < delay_warning[1]; count++)
6468 if (queue_time < delay_warning[count+2]) break;
6470 show_time = delay_warning[count+1];
6472 if (count >= delay_warning[1])
6475 int last_gap = show_time;
6476 if (count > 1) last_gap -= delay_warning[count];
6477 extra = (queue_time - delay_warning[count+1])/last_gap;
6478 show_time += last_gap * extra;
6484 debug_printf("time on queue = %s\n", readconf_printtime(queue_time));
6485 debug_printf("warning counts: required %d done %d\n", count,
6489 /* We have computed the number of warnings there should have been by now.
6490 If there haven't been enough, send one, and up the count to what it should
6493 if (warning_count < count)
6497 pid_t pid = child_open_exim(&fd);
6503 FILE *f = fdopen(fd, "wb");
6505 if (warn_message_file != NULL)
6507 wmf = Ufopen(warn_message_file, "rb");
6509 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for warning "
6510 "message texts: %s", warn_message_file, strerror(errno));
6513 warnmsg_recipients = recipients;
6514 warnmsg_delay = (queue_time < 120*60)?
6515 string_sprintf("%d minutes", show_time/60):
6516 string_sprintf("%d hours", show_time/3600);
6518 if (errors_reply_to != NULL)
6519 fprintf(f, "Reply-To: %s\n", errors_reply_to);
6520 fprintf(f, "Auto-Submitted: auto-generated\n");
6521 fprintf(f, "From: Mail Delivery System <Mailer-Daemon@%s>\n",
6522 qualify_domain_sender);
6523 fprintf(f, "To: %s\n", recipients);
6525 wmf_text = next_emf(wmf, US"header");
6526 if (wmf_text != NULL)
6527 fprintf(f, "%s\n", wmf_text);
6529 fprintf(f, "Subject: Warning: message %s delayed %s\n\n",
6530 message_id, warnmsg_delay);
6532 wmf_text = next_emf(wmf, US"intro");
6533 if (wmf_text != NULL) fprintf(f, "%s", CS wmf_text); else
6536 "This message was created automatically by mail delivery software.\n");
6538 if (Ustrcmp(recipients, sender_address) == 0)
6540 "A message that you sent has not yet been delivered to one or more of its\n"
6541 "recipients after more than ");
6544 "A message sent by\n\n <%s>\n\n"
6545 "has not yet been delivered to one or more of its recipients after more than \n",
6548 fprintf(f, "%s on the queue on %s.\n\n", warnmsg_delay,
6550 fprintf(f, "The message identifier is: %s\n", message_id);
6552 for (h = header_list; h != NULL; h = h->next)
6554 if (strncmpic(h->text, US"Subject:", 8) == 0)
6555 fprintf(f, "The subject of the message is: %s", h->text + 9);
6556 else if (strncmpic(h->text, US"Date:", 5) == 0)
6557 fprintf(f, "The date of the message is: %s", h->text + 6);
6561 fprintf(f, "The address%s to which the message has not yet been "
6563 (addr_defer->next == NULL)? "" : "es",
6564 (addr_defer->next == NULL)? "is": "are");
6567 /* List the addresses. For any that are hidden, don't give the delay
6568 reason, because it might expose that which is hidden. Also, do not give
6569 "retry time not reached" because that isn't helpful. */
6572 while (addr_defer != NULL)
6574 address_item *addr = addr_defer;
6575 addr_defer = addr->next;
6576 if (print_address_information(addr, f, US" ", US"\n ", US"") &&
6577 addr->basic_errno > ERRNO_RETRY_BASE)
6579 fprintf(f, "\n Delay reason: ");
6580 print_address_error(addr, f);
6590 wmf_text = next_emf(wmf, US"final");
6591 if (wmf_text != NULL) fprintf(f, "%s", CS wmf_text);
6597 "No action is required on your part. Delivery attempts will continue for\n"
6598 "some time, and this warning may be repeated at intervals if the message\n"
6599 "remains undelivered. Eventually the mail delivery software will give up,\n"
6600 "and when that happens, the message will be returned to you.\n");
6603 /* Close and wait for child process to complete, without a timeout.
6604 If there's an error, don't update the count. */
6607 if (child_close(pid, 0) == 0)
6609 warning_count = count;
6610 update_spool = TRUE; /* Ensure spool rewritten */
6616 /* Clear deliver_domain */
6618 deliver_domain = NULL;
6620 /* If this was a first delivery attempt, unset the first time flag, and
6621 ensure that the spool gets updated. */
6623 if (deliver_firsttime)
6625 deliver_firsttime = FALSE;
6626 update_spool = TRUE;
6629 /* If delivery was frozen and freeze_tell is set, generate an appropriate
6630 message, unless the message is a local error message (to avoid loops). Then
6631 log the freezing. If the text in "frozen_info" came from a system filter,
6632 it has been escaped into printing characters so as not to mess up log lines.
6633 For the "tell" message, we turn \n back into newline. Also, insert a newline
6634 near the start instead of the ": " string. */
6638 if (freeze_tell != NULL && freeze_tell[0] != 0 && !local_error_message)
6640 uschar *s = string_copy(frozen_info);
6641 uschar *ss = Ustrstr(s, " by the system filter: ");
6652 if (*ss == '\\' && ss[1] == 'n')
6659 moan_tell_someone(freeze_tell, addr_defer, US"Message frozen",
6660 "Message %s has been frozen%s.\nThe sender is <%s>.\n", message_id,
6664 /* Log freezing just before we update the -H file, to minimize the chance
6665 of a race problem. */
6667 deliver_msglog("*** Frozen%s\n", frozen_info);
6668 log_write(0, LOG_MAIN, "Frozen%s", frozen_info);
6671 /* If there have been any updates to the non-recipients list, or other things
6672 that get written to the spool, we must now update the spool header file so
6673 that it has the right information for the next delivery attempt. If there
6674 was more than one address being delivered, the header_change update is done
6675 earlier, in case one succeeds and then something crashes. */
6678 debug_printf("delivery deferred: update_spool=%d header_rewritten=%d\n",
6679 update_spool, header_rewritten);
6681 if (update_spool || header_rewritten)
6682 /* Panic-dies on error */
6683 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
6686 /* Finished with the message log. If the message is complete, it will have
6687 been unlinked or renamed above. */
6689 if (message_logs) fclose(message_log);
6691 /* Now we can close and remove the journal file. Its only purpose is to record
6692 successfully completed deliveries asap so that this information doesn't get
6693 lost if Exim (or the machine) crashes. Forgetting about a failed delivery is
6694 not serious, as trying it again is not harmful. The journal might not be open
6695 if all addresses were deferred at routing or directing. Nevertheless, we must
6696 remove it if it exists (may have been lying around from a crash during the
6697 previous delivery attempt). We don't remove the journal if a delivery
6698 subprocess failed to pass back delivery information; this is controlled by
6699 the remove_journal flag. When the journal is left, we also don't move the
6700 message off the main spool if frozen and the option is set. It should get moved
6701 at the next attempt, after the journal has been inspected. */
6703 if (journal_fd >= 0) close(journal_fd);
6707 sprintf(CS spoolname, "%s/input/%s/%s-J", spool_directory, message_subdir, id);
6708 if (Uunlink(spoolname) < 0 && errno != ENOENT)
6709 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", spoolname,
6712 /* Move the message off the spool if reqested */
6714 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
6715 if (deliver_freeze && move_frozen_messages)
6716 (void)spool_move_message(id, message_subdir, US"", US"F");
6720 /* Closing the data file frees the lock; if the file has been unlinked it
6721 will go away. Otherwise the message becomes available for another process
6724 close(deliver_datafile);
6725 deliver_datafile = -1;
6726 DEBUG(D_deliver) debug_printf("end delivery of %s\n", id);
6728 /* It is unlikely that there will be any cached resources, since they are
6729 released after routing, and in the delivery subprocesses. However, it's
6730 possible for an expansion for something afterwards (for example,
6731 expand_check_condition) to do a lookup. We must therefore be sure everything is
6738 /* End of deliver.c */
git://git.exim.org / exim.git / blob