1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
13 #ifdef TRANSPORT_APPENDFILE /* Remainder of file */
14 #include "appendfile.h"
16 #ifdef SUPPORT_MAILDIR
17 #include "tf_maildir.h"
21 /* Options specific to the appendfile transport. They must be in alphabetic
22 order (note that "_" comes before the lower case letters). Some of them are
23 stored in the publicly visible instance block - these are flagged with the
25 #define LOFF(field) OPT_OFF(appendfile_transport_options_block, field)
27 optionlist appendfile_transport_options[] = {
28 #ifdef SUPPORT_MAILDIR
29 { "*expand_maildir_use_size_file", opt_stringptr, LOFF(expand_maildir_use_size_file) },
31 { "*set_use_fcntl_lock",opt_bool | opt_hidden, LOFF(set_use_fcntl) },
32 { "*set_use_flock_lock",opt_bool | opt_hidden, LOFF(set_use_flock) },
33 { "*set_use_lockfile", opt_bool | opt_hidden, LOFF(set_use_lockfile) },
35 { "*set_use_mbx_lock", opt_bool | opt_hidden, LOFF(set_use_mbx_lock) },
37 { "allow_fifo", opt_bool, LOFF(allow_fifo) },
38 { "allow_symlink", opt_bool, LOFF(allow_symlink) },
39 { "batch_id", opt_stringptr | opt_public, OPT_OFF(transport_instance, batch_id) },
40 { "batch_max", opt_int | opt_public, OPT_OFF(transport_instance, batch_max) },
41 { "check_group", opt_bool, LOFF(check_group) },
42 { "check_owner", opt_bool, LOFF(check_owner) },
43 { "check_string", opt_stringptr, LOFF(check_string) },
44 { "create_directory", opt_bool, LOFF(create_directory) },
45 { "create_file", opt_stringptr, LOFF(create_file_string) },
46 { "directory", opt_stringptr, LOFF(dirname) },
47 { "directory_file", opt_stringptr, LOFF(dirfilename) },
48 { "directory_mode", opt_octint, LOFF(dirmode) },
49 { "escape_string", opt_stringptr, LOFF(escape_string) },
50 { "file", opt_stringptr, LOFF(filename) },
51 { "file_format", opt_stringptr, LOFF(file_format) },
52 { "file_must_exist", opt_bool, LOFF(file_must_exist) },
53 { "lock_fcntl_timeout", opt_time, LOFF(lock_fcntl_timeout) },
54 { "lock_flock_timeout", opt_time, LOFF(lock_flock_timeout) },
55 { "lock_interval", opt_time, LOFF(lock_interval) },
56 { "lock_retries", opt_int, LOFF(lock_retries) },
57 { "lockfile_mode", opt_octint, LOFF(lockfile_mode) },
58 { "lockfile_timeout", opt_time, LOFF(lockfile_timeout) },
59 { "mailbox_filecount", opt_stringptr, LOFF(mailbox_filecount_string) },
60 { "mailbox_size", opt_stringptr, LOFF(mailbox_size_string) },
61 #ifdef SUPPORT_MAILDIR
62 { "maildir_format", opt_bool, LOFF(maildir_format ) } ,
63 { "maildir_quota_directory_regex", opt_stringptr, LOFF(maildir_dir_regex) },
64 { "maildir_retries", opt_int, LOFF(maildir_retries) },
65 { "maildir_tag", opt_stringptr, LOFF(maildir_tag) },
66 { "maildir_use_size_file", opt_expand_bool, LOFF(maildir_use_size_file ) } ,
67 { "maildirfolder_create_regex", opt_stringptr, LOFF(maildirfolder_create_regex ) },
68 #endif /* SUPPORT_MAILDIR */
69 #ifdef SUPPORT_MAILSTORE
70 { "mailstore_format", opt_bool, LOFF(mailstore_format ) },
71 { "mailstore_prefix", opt_stringptr, LOFF(mailstore_prefix ) },
72 { "mailstore_suffix", opt_stringptr, LOFF(mailstore_suffix ) },
73 #endif /* SUPPORT_MAILSTORE */
75 { "mbx_format", opt_bool, LOFF(mbx_format ) } ,
76 #endif /* SUPPORT_MBX */
77 { "message_prefix", opt_stringptr, LOFF(message_prefix) },
78 { "message_suffix", opt_stringptr, LOFF(message_suffix) },
79 { "mode", opt_octint, LOFF(mode) },
80 { "mode_fail_narrower",opt_bool, LOFF(mode_fail_narrower) },
81 { "notify_comsat", opt_bool, LOFF(notify_comsat) },
82 { "quota", opt_stringptr, LOFF(quota) },
83 { "quota_directory", opt_stringptr, LOFF(quota_directory) },
84 { "quota_filecount", opt_stringptr, LOFF(quota_filecount) },
85 { "quota_is_inclusive", opt_bool, LOFF(quota_is_inclusive) },
86 { "quota_size_regex", opt_stringptr, LOFF(quota_size_regex) },
87 { "quota_warn_message", opt_stringptr | opt_public, OPT_OFF(transport_instance, warn_message) },
88 { "quota_warn_threshold", opt_stringptr, LOFF(quota_warn_threshold) },
89 { "use_bsmtp", opt_bool, LOFF(use_bsmtp) },
90 { "use_crlf", opt_bool, LOFF(use_crlf) },
91 { "use_fcntl_lock", opt_bool_set, LOFF(use_fcntl) },
92 { "use_flock_lock", opt_bool_set, LOFF(use_flock) },
93 { "use_lockfile", opt_bool_set, LOFF(use_lockfile) },
95 { "use_mbx_lock", opt_bool_set, LOFF(use_mbx_lock) },
96 #endif /* SUPPORT_MBX */
99 /* Size of the options list. An extern variable has to be used so that its
100 address can appear in the tables drtables.c. */
102 int appendfile_transport_options_count =
103 sizeof(appendfile_transport_options)/sizeof(optionlist);
109 appendfile_transport_options_block appendfile_transport_option_defaults = {0};
110 void appendfile_transport_init(driver_instance *tblock) {}
111 BOOL appendfile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
113 #else /*!MACRO_PREDEF*/
115 /* Default private options block for the appendfile transport. */
117 appendfile_transport_options_block appendfile_transport_option_defaults = {
118 /* all non-mentioned members zero/null/false */
119 .dirfilename = US"q${base62:$tod_epoch}-$inode",
120 .create_file_string = US"anywhere",
121 .maildir_dir_regex = US"^(?:cur|new|\\..*)$",
122 .mailbox_size_value = -1,
123 .mailbox_filecount_value = -1,
124 .mode = APPENDFILE_MODE,
125 .dirmode = APPENDFILE_DIRECTORY_MODE,
126 .lockfile_mode = APPENDFILE_LOCKFILE_MODE,
127 .lockfile_timeout = 30*60,
130 .maildir_retries = 10,
131 .create_file = create_anywhere,
133 .create_directory = TRUE,
134 .notify_comsat = FALSE,
135 .use_lockfile = TRUE,
137 .mode_fail_narrower = TRUE,
138 .quota_is_inclusive = TRUE,
142 /* Encodings for mailbox formats, and their names. MBX format is actually
143 supported only if SUPPORT_MBX is set. */
145 enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
147 static const char *mailbox_formats[] = {
148 "unix", "mbx", "smail", "maildir", "mailstore" };
151 /* Check warn threshold only if quota size set or not a percentage threshold
152 percentage check should only be done if quota > 0 */
154 #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
155 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
158 /*************************************************
159 * Setup entry point *
160 *************************************************/
162 /* Called for each delivery in the privileged state, just before the uid/gid
163 are changed and the main entry point is called. We use this function to
164 expand any quota settings, so that it can access files that may not be readable
165 by the user. It is also used to pick up external mailbox size information, if
169 tblock points to the transport instance
170 addrlist addresses about to be delivered (not used)
171 dummy not used (doesn't pass back data)
172 uid the uid that will be set (not used)
173 gid the gid that will be set (not used)
174 errmsg where to put an error message
176 Returns: OK, FAIL, or DEFER
180 appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
181 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
183 appendfile_transport_options_block * ob = tblock->drinst.options_block;
184 const uschar * trname = tblock->drinst.name;
186 double default_value = 0.0;
188 if (ob->expand_maildir_use_size_file)
190 GET_OPTION("maildir_use_size_file");
191 ob->maildir_use_size_file =
192 expand_check_condition(ob->expand_maildir_use_size_file,
193 US"`maildir_use_size_file` in transport", trname);
196 /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
201 for (int i = 0; i < 5; i++)
203 double d = default_value;
205 uschar *which = NULL;
211 if (!(s = expand_string(q)))
213 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
214 "%s", q, trname, expand_string_message);
215 return f.search_find_defer ? DEFER : FAIL;
218 d = Ustrtod(s, &rest);
220 /* Handle following characters K, M, G, %, the latter being permitted
221 for quota_warn_threshold only. A threshold with no quota setting is
224 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
225 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
226 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
227 else if (*rest == '%' && i == 2)
229 if (ob->quota_value <= 0 && !ob->maildir_use_size_file)
231 else if ((int)d < 0 || (int)d > 100)
233 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
234 " for %s transport", (int)d, trname);
237 ob->quota_warn_threshold_is_percent = TRUE;
242 /* For quota and quota_filecount there may be options
243 appended. Currently only "no_check", so we can be lazy parsing it */
244 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
247 rest += sizeof("/no_check") - 1;
250 Uskip_whitespace(&rest);
254 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
255 "in %s transport", s, q, trname);
260 /* Set each value, checking for possible overflow. */
265 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
267 ob->quota_value = (off_t)d;
268 ob->quota_no_check = no_check;
269 GET_OPTION("quota_filecount");
270 q = ob->quota_filecount;
274 if (d >= 2.0*1024.0*1024.0*1024.0)
275 which = US"quota_filecount";
276 ob->quota_filecount_value = (int)d;
277 ob->quota_filecount_no_check = no_check;
278 GET_OPTION("quota_warn_threshold");
279 q = ob->quota_warn_threshold;
283 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
284 which = US"quota_warn_threshold";
285 ob->quota_warn_threshold_value = (off_t)d;
286 GET_OPTION("mailbox_size");
287 q = ob->mailbox_size_string;
288 default_value = -1.0;
292 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
293 which = US"mailbox_size";;
294 ob->mailbox_size_value = (off_t)d;
295 GET_OPTION("mailbox_filecount");
296 q = ob->mailbox_filecount_string;
300 if (d >= 2.0*1024.0*1024.0*1024.0)
301 which = US"mailbox_filecount";
302 ob->mailbox_filecount_value = (int)d;
308 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
309 "%s transport", which, d, trname);
319 /*************************************************
320 * Initialization entry point *
321 *************************************************/
323 /* Called for each instance, after its options have been read, to
324 enable consistency checks to be done, or anything else that needs
328 appendfile_transport_init(driver_instance * t)
330 transport_instance * tblock = (transport_instance *)t;
331 appendfile_transport_options_block * ob = tblock->drinst.options_block;
332 const uschar * trname = tblock->drinst.name;
335 /* Set up the setup entry point, to be called in the privileged state */
337 tblock->setup = appendfile_transport_setup;
339 /* Lock_retries must be greater than zero */
341 if (ob->lock_retries == 0) ob->lock_retries = 1;
343 /* Only one of a file name or directory name must be given. */
345 if (ob->filename && ob->dirname)
346 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
347 "only one of \"file\" or \"directory\" can be specified", trname);
349 /* If a file name was specified, neither quota_filecount nor quota_directory
354 if (ob->quota_filecount)
355 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
356 "quota_filecount must not be set without \"directory\"", trname);
357 if (ob->quota_directory)
358 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
359 "quota_directory must not be set without \"directory\"", trname);
362 /* The default locking depends on whether MBX is set or not. Change the
363 built-in default if none of the lock options has been explicitly set. At least
364 one form of locking is required in all cases, but mbx locking changes the
365 meaning of fcntl and flock locking. */
367 /* Not all operating systems provide flock(). For those that do, if flock is
368 requested, the default for fcntl is FALSE. */
373 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
374 "flock() support was not available in the operating system when this "
375 "binary was built", trname);
376 #endif /* NO_FLOCK */
377 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
382 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
383 !ob->set_use_mbx_lock)
385 ob->use_lockfile = ob->use_flock = FALSE;
386 ob->use_mbx_lock = ob->use_fcntl = TRUE;
388 else if (ob->use_mbx_lock)
390 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
391 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
392 if (!ob->set_use_flock) ob->use_flock = FALSE;
393 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
395 #endif /* SUPPORT_MBX */
397 if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
398 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
399 "no locking configured", trname);
401 /* Unset timeouts for non-used locking types */
403 if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
404 if (!ob->use_flock) ob->lock_flock_timeout = 0;
406 /* If a directory name was specified, only one of maildir or mailstore may be
407 specified, and if quota_filecount or quota_directory is given, quota must
412 if (ob->maildir_format && ob->mailstore_format)
413 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
414 "only one of maildir and mailstore may be specified", trname);
415 if (ob->quota_filecount != NULL && !ob->quota)
416 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
417 "quota must be set if quota_filecount is set", trname);
418 if (ob->quota_directory != NULL && !ob->quota)
419 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
420 "quota must be set if quota_directory is set", trname);
423 /* If a fixed uid field is set, then a gid field must also be set. */
425 if (tblock->uid_set && !tblock->gid_set && !tblock->expand_gid)
426 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
427 "user set without group for the %s transport", trname);
429 /* If "create_file" is set, check that a valid option is given, and set the
432 if ((s = ob->create_file_string ) && *s)
435 if (Ustrcmp(s, "anywhere") == 0) val = create_anywhere;
436 else if (*s == '/' || Ustrcmp(s, "belowhome") == 0) val = create_belowhome;
437 else if (Ustrcmp(s, "inhome") == 0) val = create_inhome;
439 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
440 "invalid value given for \"create_file\" for the %s transport: '%s'",
442 ob->create_file = val;
445 /* If quota_warn_threshold is set, set up default for warn_message. It may
446 not be used if the actual threshold for a given delivery ends up as zero,
447 of if it's given as a percentage and there's no quota setting. */
449 if (ob->quota_warn_threshold)
451 if (!tblock->warn_message) tblock->warn_message = US
452 "To: $local_part@$domain\n"
453 "Subject: Your mailbox\n\n"
454 "This message is automatically created by mail delivery software (Exim).\n\n"
455 "The size of your mailbox has exceeded a warning threshold that is\n"
456 "set by the system administrator.\n";
459 /* If batch SMTP is set, force the check and escape strings, and arrange that
460 headers are also escaped. */
464 ob->check_string = US".";
465 ob->escape_string = US"..";
466 ob->options |= topt_escape_headers;
469 /* If not batch SMTP, not maildir, not mailstore, and directory is not set,
470 insert default values for for the affixes and the check/escape strings. */
472 else if (!ob->dirname && !ob->maildir_format && !ob->mailstore_format)
474 if (!ob->message_prefix) ob->message_prefix =
475 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
476 if (!ob->message_suffix) ob->message_suffix = US"\n";
477 if (!ob->check_string) ob->check_string = US"From ";
478 if (!ob->escape_string) ob->escape_string = US">From ";
482 /* Set up the bitwise options for transport_write_message from the various
483 driver options. Only one of body_only and headers_only can be set. */
486 (tblock->body_only ? topt_no_headers : 0) |
487 (tblock->headers_only ? topt_no_body : 0) |
488 (tblock->return_path_add ? topt_add_return_path : 0) |
489 (tblock->delivery_date_add ? topt_add_delivery_date : 0) |
490 (tblock->envelope_to_add ? topt_add_envelope_to : 0) |
491 ((ob->use_crlf || ob->mbx_format) ? topt_use_crlf : 0);
496 /*************************************************
498 *************************************************/
500 /* The comsat daemon is the thing that provides asynchronous notification of
501 the arrival of local messages, if requested by the user by "biff y". It is a
502 BSD thing that uses a TCP/IP protocol for communication. A message consisting
503 of the text "user@offset" must be sent, where offset is the place in the
504 mailbox where new mail starts. There is no scope for telling it which file to
505 look at, which makes it a less than useful if mail is being delivered into a
506 non-standard place such as the user's home directory. In fact, it doesn't seem
507 to pay much attention to the offset.
511 offset offset in mailbox
517 notify_comsat(const uschar * user, off_t offset)
523 DEBUG(D_transport) debug_printf("notify_comsat called\n");
525 s = string_sprintf("%.200s@" OFF_T_FMT "\n", user, offset);
527 if ((sp = getservbyname("biff", "udp")) == NULL)
529 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
533 host.name = US"localhost";
537 /* This code is all set up to look up "localhost" and use all its addresses
538 until one succeeds. However, it appears that at least on some systems, comsat
539 doesn't listen on the ::1 address. So for the moment, just force the address to
540 be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
541 can be changed. (But actually, comsat is probably dying out anyway.) */
544 if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
546 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
551 host.address = US"127.0.0.1";
554 for (host_item * h = &host; h; h = h->next)
557 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
559 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
561 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
563 /* Connect never fails for a UDP socket, so don't set a timeout. */
565 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, NULL);
566 rc = send(sock, s, Ustrlen(s) + 1, 0);
571 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
578 /*************************************************
579 * Check the format of a file *
580 *************************************************/
582 /* This function is called when file_format is set, to check that an existing
583 file has the right format. The format string contains text/transport pairs. The
584 string matching is literal. we just read big_buffer_size bytes, because this is
585 all about the first few bytes of a file.
589 tblock the transport block
590 addr the address block - for inserting error data
592 Returns: pointer to the required transport, or NULL
596 check_file_format(int cfd, transport_instance *tblock, address_item *addr)
598 appendfile_transport_options_block * ob = tblock->drinst.options_block;
599 const uschar * format = ob->file_format;
601 int len = read(cfd, data, sizeof(data));
605 DEBUG(D_transport) debug_printf("checking file format\n");
607 /* An empty file matches the current transport */
609 if (len == 0) return tblock;
611 /* Search the formats for a match */
613 /* not expanded so cannot be tainted */
614 while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size)))
616 int slen = Ustrlen(s);
617 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
618 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
622 for (transport_instance * tt = transports; tt; tt = tt->drinst.next)
623 if (Ustrcmp(tp, tt->drinst.name) == 0)
626 debug_printf("file format -> %s transport\n", tt->drinst.name);
629 addr->basic_errno = ERRNO_BADTRANSPORT;
630 addr->message = string_sprintf("%s transport (for %.*s format) not found",
636 /* Failed to find a match */
638 addr->basic_errno = ERRNO_FORMATUNKNOWN;
639 addr->message = US"mailbox file format unrecognized";
646 /*************************************************
647 * Check directory's files for quota *
648 *************************************************/
650 /* This function is called if quota is set for one of the delivery modes that
651 delivers into a specific directory. It scans the directory and stats all the
652 files in order to get a total size and count. This is an expensive thing to do,
653 but some people are prepared to bear the cost. Alternatively, if size_regex is
654 set, it is used as a regex to try to extract the size from the file name, a
655 strategy that some people use on maildir files on systems where the users have
658 The function is global, because it is also called from tf_maildir.c for maildir
659 folders (which should contain only regular files).
661 Note: Any problems can be written to debugging output, but cannot be written to
662 the log, because we are running as an unprivileged user here.
665 dirname the name of the directory
666 countptr where to add the file count (because this function recurses)
667 re a compiled regex to get the size from a name
669 Returns: the sum of the sizes of the stattable files
670 zero if the directory cannot be opened
674 check_dir_size(const uschar * dirname, int * countptr, const pcre2_code * re)
678 int count = *countptr, lcount = REGEX_LOOPCOUNT_STORE_RESET;
679 rmark reset_point = store_mark();
681 if (!(dir = exim_opendir(dirname))) return 0;
683 for (struct dirent * ent; ent = readdir(dir); )
685 uschar * path, * name = US ent->d_name;
688 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
693 store_reset(reset_point); reset_point = store_mark();
694 lcount = REGEX_LOOPCOUNT_STORE_RESET;
697 /* If there's a regex, try to find the size using it */
701 pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx);
702 int rc = pcre2_match(re, (PCRE2_SPTR)name, PCRE2_ZERO_TERMINATED,
703 0, 0, md, pcre_gen_mtc_ctx);
704 PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
706 && (rc = pcre2_get_ovector_count(md)) >= 2)
709 off_t size = (off_t)Ustrtod(name + ovec[2], &endptr);
710 if (endptr == name + ovec[3])
714 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
716 /* pcre2_match_data_free(md); gen ctx needs no free */
720 /* pcre2_match_data_free(md); gen ctx needs no free */
722 debug_printf("check_dir_size: regex did not match %s\n", name);
725 /* No regex or no match for the regex, or captured non-digits */
727 path = string_sprintf("%s/%s", dirname, name);
729 if (Ustat(path, &statbuf) < 0)
732 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, path,
736 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
737 sum += statbuf.st_size / statbuf.st_nlink;
738 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
739 sum += check_dir_size(path, &count, re);
744 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
747 store_reset(reset_point);
755 /*************************************************
756 * Apply a lock to a file descriptor *
757 *************************************************/
759 /* This function applies a lock to a file descriptor, using a blocking or
760 non-blocking lock, depending on the timeout value. It can apply either or
761 both of a fcntl() and a flock() lock. However, not all OS support flock();
762 for those that don't, the use_flock option cannot be set.
765 fd the file descriptor
766 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
767 fcntl() format); the flock() type is deduced if needed
768 dofcntl do fcntl() locking
769 fcntltime non-zero to use blocking fcntl()
770 doflock do flock() locking
771 flocktime non-zero to use blocking flock()
773 Returns: yield of the fcntl() or flock() call, with errno preserved;
774 sigalrm_seen set if there has been a timeout
778 apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
783 struct flock lock_data;
784 lock_data.l_type = fcntltype;
785 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
787 sigalrm_seen = FALSE;
794 yield = fcntl(fd, F_SETLKW, &lock_data);
799 else yield = fcntl(fd, F_SETLK, &lock_data);
803 if (doflock && (yield >= 0))
805 int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH;
809 yield = flock(fd, flocktype);
814 else yield = flock(fd, flocktype | LOCK_NB);
816 #endif /* NO_FLOCK */
825 /*************************************************
826 * Copy message into MBX mailbox *
827 *************************************************/
829 /* This function is called when a message intended for a MBX mailbox has been
830 written to a temporary file. We can now get the size of the message and then
831 copy it in MBX format to the mailbox.
834 to_fd fd to write to (the real mailbox)
835 from_fd fd to read from (the temporary file)
836 saved_size current size of mailbox
838 Returns: OK if all went well, DEFER otherwise, with errno preserved
839 the number of bytes written are added to transport_count
840 by virtue of calling transport_write_block()
843 /* Values taken from c-client */
845 #define MBX_HDRSIZE 2048
846 #define MBX_NUSERFLAGS 30
849 copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
854 transport_ctx tctx = { .u={.fd = to_fd}, .options = topt_not_socket };
856 /* If the current mailbox size is zero, write a header block */
861 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
862 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
863 (long int)time(NULL));
864 for (int i = 0; i < MBX_NUSERFLAGS; i++)
865 sprintf (CS(s += Ustrlen(s)), "\015\012");
866 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
870 DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
872 /* Now construct the message's header from the time and the RFC822 file
873 size, including CRLFs, which is the size of the input (temporary) file. */
875 if (fstat(from_fd, &statbuf) < 0) return DEFER;
876 size = statbuf.st_size;
878 sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
879 tod_stamp(tod_mbx), size, 0L, 0, 0);
880 used = Ustrlen(deliver_out_buffer);
882 /* Rewind the temporary file, and copy it over in chunks. */
884 if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
888 int len = read(from_fd, deliver_out_buffer + used,
889 DELIVER_OUT_BUFFER_SIZE - used);
892 if (len == 0) errno = ERRNO_MBXLENGTH;
895 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
903 #endif /* SUPPORT_MBX */
907 /*************************************************
908 * Check creation is permitted *
909 *************************************************/
911 /* This function checks whether a given file name is permitted to be created,
912 as controlled by the create_file option. If no home directory is set, however,
913 we can't do any tests.
916 filename the file name
917 create_file the ob->create_file option
918 deliver_dir the delivery directory
920 Returns: TRUE if creation is permitted
924 check_creation(uschar *filename, int create_file, const uschar * deliver_dir)
928 if (deliver_dir && create_file != create_anywhere)
930 int len = Ustrlen(deliver_dir);
931 uschar *file = filename;
933 while (file[0] == '/' && file[1] == '/') file++;
934 if ( Ustrncmp(file, deliver_dir, len) != 0
936 || Ustrchr(file+len+2, '/') != NULL
937 && ( create_file != create_belowhome
938 || Ustrstr(file+len, "/../") != NULL
942 /* If yield is TRUE, the file name starts with the home directory, and does
943 not contain any instances of "/../" in the "belowhome" case. However, it may
944 still contain symbolic links. We can check for this by making use of
945 realpath(), which most Unixes seem to have (but make it possible to cut this
946 out). We can't just use realpath() on the whole file name, because we know
947 the file itself doesn't exist, and intermediate directories may also not
948 exist. What we want to know is the real path of the longest existing part of
949 the path. That must match the home directory's beginning, whichever is the
953 if (yield && create_file == create_belowhome)
957 for (uschar * slash = Ustrrchr(file, '/'); /* There is known to be one */
958 !rp && slash > file; /* Stop if reached beginning */
962 rp = US realpath(CS file, CS big_buffer);
963 next = Ustrrchr(file, '/');
967 /* If rp == NULL it means that none of the relevant directories exist.
968 This is not a problem here - it means that no symbolic links can exist,
969 which is all we are worried about. Otherwise, we must compare it
970 against the start of the home directory. However, that may itself
971 contain symbolic links, so we have to "realpath" it as well, if
976 uschar hdbuffer[PATH_MAX+1];
977 const uschar * rph = deliver_dir;
978 int rlen = Ustrlen(big_buffer);
980 if ((rp = US realpath(CS deliver_dir, CS hdbuffer)))
986 if (rlen > len) rlen = len;
987 if (Ustrncmp(rph, big_buffer, rlen) != 0)
990 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
991 big_buffer, deliver_dir);
995 #endif /* NO_REALPATH */
1003 /*************************************************
1004 * Main entry point *
1005 *************************************************/
1007 /* See local README for general interface details. This transport always
1008 returns FALSE, indicating that the status which has been placed in the first
1009 address should be copied to any other addresses in a batch.
1011 Appendfile delivery is tricky and has led to various security problems in other
1012 mailers. The logic used here is therefore laid out in some detail. When this
1013 function is called, we are running in a subprocess which has had its gid and
1014 uid set to the appropriate values. Therefore, we cannot write directly to the
1015 exim logs. Any errors must be handled by setting appropriate return codes.
1016 Note that the default setting for addr->transport_return is DEFER, so it need
1017 not be set unless some other value is required.
1019 The code below calls geteuid() rather than getuid() to get the current uid
1020 because in weird configurations not running setuid root there may be a
1021 difference. In the standard configuration, where setuid() has been used in the
1022 delivery process, there will be no difference between the uid and the euid.
1024 (1) If the af_file flag is set, this is a delivery to a file after .forward or
1025 alias expansion. Otherwise, there must be a configured file name or
1028 The following items apply in the case when a file name (as opposed to a
1029 directory name) is given, that is, when appending to a single file:
1031 (2f) Expand the file name.
1033 (3f) If the file name is /dev/null, return success (optimization).
1035 (4f) If the file_format options is set, open the file for reading, and check
1036 that the bytes at the start of the file match one of the given strings.
1037 If the check indicates a transport other than the current one should be
1038 used, pass control to that other transport. Otherwise continue. An empty
1039 or non-existent file matches the current transport. The file is closed
1042 (5f) If a lock file is required, create it (see extensive separate comments
1043 below about the algorithm for doing this). It is important to do this
1044 before opening the mailbox if NFS is in use.
1046 (6f) Stat the file, using lstat() rather than stat(), in order to pick up
1047 details of any symbolic link.
1049 (7f) If the file already exists:
1051 Check the owner and group if necessary, and defer if they are wrong.
1053 If it is a symbolic link AND the allow_symlink option is set (NOT the
1054 default), go back to (6f) but this time use stat() instead of lstat().
1056 If it's not a regular file (or FIFO when permitted), defer delivery.
1058 Check permissions. If the required permissions are *less* than the
1059 existing ones, or supplied by the address (often by the user via filter),
1060 chmod() the file. Otherwise, defer.
1062 Save the inode number.
1064 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1066 If open fails because the file does not exist, go to (6f); on any other
1069 Check the inode number hasn't changed - I realize this isn't perfect (an
1070 inode can be reused) but it's cheap and will catch some of the races.
1072 Check it's still a regular file (or FIFO if permitted).
1074 Check that the owner and permissions haven't changed.
1076 If file_format is set, check that the file still matches the format for
1077 the current transport. If not, defer delivery.
1079 (8f) If file does not exist initially:
1081 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1082 this is via a symbolic link (only possible if allow_symlinks is set), in
1083 which case don't use O_EXCL, as it doesn't work.
1085 If open fails because the file already exists, go to (6f). To avoid
1086 looping for ever in a situation where the file is continuously being
1087 created and deleted, all of this happens inside a loop that operates
1088 lock_retries times and includes the fcntl and flock locking. If the
1089 loop completes without the file getting opened, defer and request
1090 freezing, because something really weird is happening.
1092 If open fails for any other reason, defer for subsequent delivery except
1093 when this is a file delivery resulting from an alias or forward expansion
1094 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1095 most likely a user rather than a configuration error.
1097 (9f) We now have the file checked and open for writing. If so configured, lock
1098 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1099 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1100 still fails, give up and defer delivery.
1102 (10f)Save the access time (for subsequent restoration) and the size of the
1103 file, for comsat and for re-setting if delivery fails in the middle -
1104 e.g. for quota exceeded.
1106 The following items apply in the case when a directory name is given:
1108 (2d) Create a new file in the directory using a temporary name, by opening for
1109 writing and with O_CREAT. If maildir format is being used, the file
1110 is created in a temporary subdirectory with a prescribed name. If
1111 mailstore format is being used, the envelope file is first created with a
1112 temporary name, then the data file.
1114 The following items apply in all cases:
1116 (11) We now have the file open for writing, and locked if it was given as a
1117 file name. Write the message and flush the file, unless there is a setting
1118 of the local quota option, in which case we can check for its excession
1119 without doing any writing.
1121 In the case of MBX format mailboxes, the message is first written to a
1122 temporary file, in order to get its correct length. This is then copied to
1123 the real file, preceded by an MBX header.
1125 If there is a quota error on writing, defer the address. Timeout logic
1126 will determine for how long retries are attempted. We restore the mailbox
1127 to its original length if it's a single file. There doesn't seem to be a
1128 uniform error code for quota excession (it even differs between SunOS4
1129 and some versions of SunOS5) so a system-dependent macro called
1130 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1133 For any other error (most commonly disk full), do the same.
1135 The following applies after appending to a file:
1137 (12f)Restore the atime; notify_comsat if required; close the file (which
1138 unlocks it if it was locked). Delete the lock file if it exists.
1140 The following applies after writing a unique file in a directory:
1142 (12d)For maildir format, rename the file into the new directory. For mailstore
1143 format, rename the envelope file to its correct name. Otherwise, generate
1144 a unique name from the directory_file option, and rename to that, possibly
1145 trying a few times if the file exists and re-expanding the name gives a
1148 This transport yields FAIL only when a file name is generated by an alias or
1149 forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1150 All other failures return DEFER (in addr->transport_return). */
1154 appendfile_transport_entry(
1155 transport_instance *tblock, /* data for this instantiation */
1156 address_item *addr) /* address we are working on */
1158 appendfile_transport_options_block * ob = tblock->drinst.options_block;
1159 const uschar * trname = tblock->drinst.name;
1160 struct stat statbuf;
1161 const uschar * deliver_dir;
1162 uschar * fdname = NULL, * filename = NULL;
1163 uschar * hitchname = NULL, * dataname = NULL;
1164 uschar * lockname = NULL, * newname = NULL;
1165 uschar * nametag = NULL, * cr = US"";
1166 uschar * filecount_msg = US"";
1168 struct utimbuf times;
1169 struct timeval msg_tv;
1170 BOOL disable_quota = FALSE, isdirectory = FALSE, isfifo = FALSE;
1171 BOOL wait_for_tick = FALSE;
1172 uid_t uid = geteuid(); /* See note above */
1173 gid_t gid = getegid();
1175 int mode = addr->mode > 0 ? addr->mode : ob->mode;
1176 off_t saved_size = -1, mailbox_size = ob->mailbox_size_value;
1177 int mailbox_filecount = ob->mailbox_filecount_value;
1178 int hd = -1, fd = -1, yield = FAIL, i;
1182 int mbx_lockfd = -1;
1183 uschar mbx_lockname[40];
1184 FILE *temp_file = NULL;
1185 #endif /* SUPPORT_MBX */
1187 #ifdef SUPPORT_MAILDIR
1188 int maildirsize_fd = -1; /* fd for maildirsize file */
1189 int maildir_save_errno;
1193 DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1195 /* An "address_file" or "address_directory" transport is used to deliver to
1196 files specified via .forward or an alias file. Prior to release 4.20, the
1197 "file" and "directory" options were ignored in this case. This has been changed
1198 to allow the redirection data to specify what is in effect a folder, whose
1199 location is determined by the options on the transport.
1201 Compatibility with the case when neither option is set is retained by forcing a
1202 value for the file or directory name. A directory delivery is assumed if the
1203 last character of the path from the router is '/'.
1205 The file path is in the local part of the address, but not in the $local_part
1206 variable (that holds the parent local part). It is, however, in the
1207 $address_file variable. Below, we update the local part in the address if it
1208 changes by expansion, so that the final path ends up in the log. */
1210 if (testflag(addr, af_file) && !ob->filename && !ob->dirname)
1212 fdname = US"$address_file";
1213 if (address_file[Ustrlen(address_file)-1] == '/' ||
1214 ob->maildir_format ||
1215 ob->mailstore_format)
1219 /* Handle (a) an "address file" delivery where "file" or "directory" is
1220 explicitly set and (b) a non-address_file delivery, where one of "file" or
1221 "directory" must be set; initialization ensures that they are not both set. */
1225 if (!(fdname = ob->filename))
1227 GET_OPTION("directory");
1228 fdname = ob->dirname;
1233 addr->message = string_sprintf("Mandatory file or directory option "
1234 "missing from %s transport", trname);
1239 /* Maildir and mailstore require a directory */
1241 if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1243 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1244 "to be specified for the %s transport",
1245 ob->maildir_format ? "dir" : "store", trname);
1249 if (!(path = expand_string(fdname)))
1251 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1252 "name for %s transport) failed: %s", fdname, trname,
1253 expand_string_message);
1259 addr->message = string_sprintf("appendfile: file or directory name "
1260 "\"%s\" is not absolute", path);
1261 addr->basic_errno = ERRNO_NOTABSOLUTE;
1265 /* For a file delivery, make sure the local part in the address(es) is updated
1266 to the true local part. */
1268 if (testflag(addr, af_file))
1269 for (address_item * addr2 = addr; addr2; addr2 = addr2->next)
1270 addr2->local_part = string_copy(path);
1272 /* The available mailbox formats depend on whether it is a directory or a file
1278 #ifdef SUPPORT_MAILDIR
1279 ob->maildir_format ? mbf_maildir :
1281 #ifdef SUPPORT_MAILSTORE
1282 ob->mailstore_format ? mbf_mailstore :
1290 ob->mbx_format ? mbf_mbx :
1297 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1299 " warning=" OFF_T_FMT "%s\n"
1300 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1301 "maildir_use_size_file=%s\n",
1302 mode, ob->notify_comsat, ob->quota_value,
1303 ob->quota_no_check ? " (no_check)" : "",
1304 ob->quota_filecount_no_check ? " (no_check_filecount)" : "",
1305 ob->quota_warn_threshold_value,
1306 ob->quota_warn_threshold_is_percent ? "%" : "",
1307 isdirectory ? "directory" : "file",
1308 path, mailbox_formats[mbformat],
1309 !ob->message_prefix ? US"null" : string_printing(ob->message_prefix),
1310 !ob->message_suffix ? US"null" : string_printing(ob->message_suffix),
1311 ob->maildir_use_size_file ? "yes" : "no");
1313 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1314 ob->use_lockfile ? "lockfile " : "",
1315 ob->use_mbx_lock ? "mbx locking (" : "",
1316 ob->use_fcntl ? "fcntl " : "",
1317 ob->use_flock ? "flock" : "",
1318 ob->use_mbx_lock ? ")" : "");
1321 /* If the -N option is set, can't do any more. */
1326 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1328 addr->transport_return = OK;
1332 /* If an absolute path was given for create_file the it overrides deliver_home
1333 (here) and de-taints the filename (below, after check_creation() */
1335 deliver_dir = *ob->create_file_string == '/'
1336 ? ob->create_file_string : deliver_home;
1338 /* Handle the case of a file name. If the file name is /dev/null, we can save
1339 ourselves some effort and just give a success return right away. */
1343 BOOL use_lstat = TRUE;
1344 BOOL file_opened = FALSE;
1345 BOOL allow_creation_here = TRUE;
1347 if (Ustrcmp(path, "/dev/null") == 0)
1349 addr->transport_return = OK;
1353 /* Set the name of the file to be opened, and the file to which the data
1354 is written, and find out if we are permitted to create a non-existent file.
1355 If the create_file option is an absolute path and the file was within it,
1356 de-taint. Chaeck for a tainted path. */
1358 if ( (allow_creation_here = check_creation(path, ob->create_file, deliver_dir))
1359 && ob->create_file == create_belowhome)
1360 if (is_tainted(path))
1362 DEBUG(D_transport) debug_printf("below-home: de-tainting path '%s'\n", path);
1363 path = string_copy_taint(path, GET_UNTAINTED);
1366 if (is_tainted(path)) goto tainted_ret_panic;
1367 dataname = filename = path;
1369 /* If ob->create_directory is set, attempt to create the directories in
1370 which this mailbox lives, but only if we are permitted to create the file
1371 itself. We know we are dealing with an absolute path, because this was
1374 if (ob->create_directory && allow_creation_here)
1376 uschar *p = Ustrrchr(path, '/');
1377 p = string_copyn(path, p - path);
1378 if (!directory_make(NULL, p, ob->dirmode, FALSE))
1380 addr->basic_errno = errno;
1382 string_sprintf("failed to create directories for %s: %s", path,
1383 exim_errstr(errno));
1384 DEBUG(D_transport) debug_printf("%s transport: %s\n", trname, path);
1389 /* If file_format is set we must check that any existing file matches one of
1390 the configured formats by checking the bytes it starts with. A match then
1391 indicates a specific transport - if it is not this one, pass control to it.
1392 Otherwise carry on here. An empty or non-existent file matches the current
1393 transport. We don't need to distinguish between non-existence and other open
1394 failures because if an existing file fails to open here, it will also fail
1395 again later when O_RDWR is used. */
1397 if (ob->file_format)
1399 int cfd = Uopen(path, O_RDONLY, 0);
1402 transport_instance *tt = check_file_format(cfd, tblock, addr);
1405 /* If another transport is indicated, call it and return; if no transport
1406 was found, just return - the error data will have been set up.*/
1412 transport_info * ti = tt->drinst.info;
1413 set_process_info("delivering %s to %s using %s", message_id,
1414 addr->local_part, tt->drinst.name);
1415 debug_print_string(tt->debug_string);
1416 addr->transport = tt;
1417 (ti->code)(tt, addr);
1424 /* The locking of mailbox files is worse than the naming of cats, which is
1425 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1426 three different names, so several different styles of locking are used.
1428 Research in other programs that lock mailboxes shows that there is no
1429 universally standard method. Having mailboxes NFS-mounted on the system that
1430 is delivering mail is not the best thing, but people do run like this,
1431 and so the code must do its best to cope.
1433 Three different locking mechanisms are supported. The initialization function
1434 checks that at least one is configured.
1438 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1439 will work over NFS. Only after that is done do we actually open the mailbox
1440 and apply locks to it (if configured).
1442 Originally, Exim got the file opened before doing anything about locking.
1443 However, a very occasional problem was observed on Solaris 2 when delivering
1444 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1445 gets remembered at open time. If another process on another host (that's
1446 important) has the file open and locked and writes to it and then releases
1447 the lock while the first process is waiting to get the lock, the first
1448 process may fail to write at the new end point of the file - despite the very
1449 definite statement about O_APPEND in the man page for write(). Experiments
1450 have reproduced this problem, but I do not know any way of forcing a host to
1451 update its attribute cache for an open NFS file. It would be nice if it did
1452 so when a lock was taken out, but this does not seem to happen. Anyway, to
1453 reduce the risk of this problem happening, we now create the lock file
1454 (if configured) *before* opening the mailbox. That will prevent two different
1455 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1456 however, but Pine at least seems to operate in the same way.
1458 Lockfiles should normally be used when NFS is involved, because of the above
1461 The logic for creating the lock file is:
1463 . The name of the lock file is <mailbox-name>.lock
1465 . First, create a "hitching post" name by adding the primary host name,
1466 current time and pid to the lock file name. This should be unique.
1468 . Create the hitching post file using WRONLY + CREAT + EXCL.
1470 . If that fails EACCES, we assume it means that the user is unable to create
1471 files in the mail spool directory. Some installations might operate in this
1472 manner, so there is a configuration option to allow this state not to be an
1473 error - we proceed to lock using fcntl only, after the file is open.
1475 . Otherwise, an error causes a deferment of the address.
1477 . Hard link the hitching post to the lock file name.
1479 . If the link succeeds, we have successfully created the lock file. Simply
1480 close and unlink the hitching post file.
1482 . If the link does not succeed, proceed as follows:
1484 o Fstat the hitching post file, and then close and unlink it.
1486 o Now examine the stat data. If the number of links to the file is exactly
1487 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1488 the return never made it back, so the link() function gave a failure
1491 . This method allows for the lock file to be created by some other process
1492 right up to the moment of the attempt to hard link it, and is also robust
1493 against NFS server crash-reboots, which would probably result in timeouts
1494 in the middle of link().
1496 . System crashes may cause lock files to get left lying around, and some means
1497 of flushing them is required. The approach of writing a pid (used by smail
1498 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1499 timeout, which seems a better approach. Since any program that writes to a
1500 mailbox using a lock file should complete its task very quickly, Pine
1501 removes lock files that are older than 5 minutes. We allow the value to be
1502 configurable on the transport.
1506 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1507 mailbox once it is open. This is done by default with a non-blocking lock.
1508 Failures to lock cause retries after a sleep, but only for a certain number
1509 of tries. A blocking lock is deliberately not used so that we don't hold the
1510 mailbox open. This minimizes the possibility of the NFS problem described
1511 under LOCK FILES above, if for some reason NFS deliveries are happening
1512 without lock files. However, the use of a non-blocking lock and sleep, though
1513 the safest approach, does not give the best performance on very busy systems.
1514 A blocking lock plus timeout does better. Therefore Exim has an option to
1515 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1516 enables the use of blocking fcntl() calls.
1520 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1521 same manner as for fcntl locking above. No-blocking/timeout is also set as
1522 above in lock_flock_timeout. Not all operating systems provide or support
1523 flock(). For those that don't (as determined by the definition of LOCK_SH in
1524 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1525 is implemented (not precisely) on top of fcntl(), which means there's no
1526 point in actually using it.
1530 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1531 then the rules used for locking in c-client are used. Exim takes out a shared
1532 lock on the mailbox file, and an exclusive lock on the file whose name is
1533 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1534 any other MBX client from getting an exclusive lock on it and expunging it.
1535 It also stops any other MBX client from unlinking the /tmp lock when it has
1538 The exclusive lock on the /tmp file prevents any other MBX client from
1539 updating the mailbox in any way. When writing is finished, if an exclusive
1540 lock on the mailbox can be obtained, indicating there are no current sharers,
1541 the /tmp file is unlinked.
1543 MBX locking can use either fcntl() or flock() locking. If neither
1544 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1545 The calls for getting these locks are by default non-blocking, as for non-mbx
1546 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1547 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1548 probably makes sense to set timeouts for any MBX deliveries. */
1551 /* Build a lock file if configured to do so - the existence of a lock
1552 file is subsequently checked by looking for a non-negative value of the
1553 file descriptor hd - even though the file is no longer open. */
1555 if (ob->use_lockfile)
1557 /* cf. exim_lock.c */
1558 lockname = string_sprintf("%s.lock", filename);
1559 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1560 (unsigned int)(time(NULL)), (unsigned int)getpid());
1562 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1565 /* Lock file creation retry loop */
1567 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1571 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1574 addr->basic_errno = errno;
1576 string_sprintf("creating lock file hitching post %s "
1577 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1578 (long int)getegid());
1582 /* Attempt to hitch the hitching post to the lock file. If link()
1583 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1584 file, and get rid of the hitching post. If the number of links was 2,
1585 the link was created, despite the failure of link(). If the hitch was
1586 not successful, try again, having unlinked the lock file if it is too
1589 There's a version of Linux (2.0.27) which doesn't update its local cache
1590 of the inode after link() by default - which many think is a bug - but
1591 if the link succeeds, this code will be OK. It just won't work in the
1592 case when link() fails after having actually created the link. The Linux
1593 NFS person is fixing this; a temporary patch is available if anyone is
1594 sufficiently worried. */
1596 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
1599 if (rc != 0 && statbuf.st_nlink != 2)
1601 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1602 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1604 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1607 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1611 DEBUG(D_transport) debug_printf("lock file created\n");
1615 /* Check for too many tries at creating the lock file */
1617 if (i >= ob->lock_retries)
1619 addr->basic_errno = ERRNO_LOCKFAILED;
1620 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1627 /* We now have to get the file open. First, stat() it and act on existence or
1628 non-existence. This is in a loop to handle the case of a file's being created
1629 or deleted as we watch, and also to handle retries when the locking fails.
1630 Rather than holding the file open while waiting for the fcntl() and/or
1631 flock() lock, we close and do the whole thing again. This should be safer,
1632 especially for NFS files, which might get altered from other hosts, making
1633 their cached sizes incorrect.
1635 With the default settings, no symlinks are permitted, but there is an option
1636 to permit symlinks for those sysadmins that know what they are doing.
1637 Shudder. However, insist that the initial symlink is owned by the right user.
1638 Thus lstat() is used initially; if a symlink is discovered, the loop is
1639 repeated such that stat() is used, to look at the end file. */
1641 for (i = 0; i < ob->lock_retries; i++)
1643 int sleep_before_retry = TRUE;
1644 file_opened = FALSE;
1646 if ((use_lstat ? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1648 /* Let's hope that failure to stat (other than non-existence) is a
1651 if (errno != ENOENT)
1653 addr->basic_errno = errno;
1654 addr->message = string_sprintf("attempting to stat mailbox %s",
1659 /* File does not exist. If it is required to pre-exist this state is an
1662 if (ob->file_must_exist)
1664 addr->basic_errno = errno;
1665 addr->message = string_sprintf("mailbox %s does not exist, "
1666 "but file_must_exist is set", filename);
1670 /* If not permitted to create this file because it isn't in or below
1671 the home directory, generate an error. */
1673 if (!allow_creation_here)
1675 addr->basic_errno = ERRNO_BADCREATE;
1676 addr->message = string_sprintf("mailbox %s does not exist, "
1677 "but creation outside the home directory is not permitted",
1682 /* Attempt to create and open the file. If open fails because of
1683 pre-existence, go round the loop again. For any other error, defer the
1684 address, except for an alias or forward generated file name with EPERM,
1685 ENOENT, or EACCES, as those are most likely to be user errors rather
1686 than Exim config errors. When a symbolic link is permitted and points
1687 to a non-existent file, we get here with use_lstat = FALSE. In this case
1688 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1689 consistency and because MBX locking requires it in order to be able to
1690 get a shared lock. */
1692 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1693 (use_lstat ? O_EXCL : 0), mode);
1696 if (errno == EEXIST) continue;
1697 addr->basic_errno = errno;
1698 addr->message = string_sprintf("while creating mailbox %s",
1700 if (testflag(addr, af_file) &&
1701 (errno == EPERM || errno == ENOENT || errno == EACCES))
1702 addr->transport_return = FAIL;
1706 /* We have successfully created and opened the file. Ensure that the group
1707 and the mode are correct. */
1709 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
1711 addr->basic_errno = errno;
1712 addr->message = string_sprintf("while setting perms on mailbox %s",
1714 addr->transport_return = FAIL;
1720 /* The file already exists. Test its type, ownership, and permissions, and
1721 save the inode for checking later. If symlinks are permitted (not the
1722 default or recommended state) it may be a symlink that already exists.
1723 Check its ownership and then look for the file at the end of the link(s).
1724 This at least prevents one user creating a symlink for another user in
1725 a sticky directory. */
1729 int oldmode = (int)statbuf.st_mode;
1730 ino_t inode = statbuf.st_ino;
1731 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1733 isfifo = FALSE; /* In case things are changing */
1735 /* Check owner if required - the default. */
1737 if (ob->check_owner && statbuf.st_uid != uid)
1739 addr->basic_errno = ERRNO_BADUGID;
1740 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1741 "(%ld != %ld)", filename,
1742 islink ? " (symlink)" : "",
1743 (long int)(statbuf.st_uid), (long int)uid);
1747 /* Group is checked only if check_group is set. */
1749 if (ob->check_group && statbuf.st_gid != gid)
1751 addr->basic_errno = ERRNO_BADUGID;
1752 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1753 filename, islink ? " (symlink)" : "", statbuf.st_gid, gid);
1757 /* Just in case this is a sticky-bit mail directory, we don't want
1758 users to be able to create hard links to other users' files. */
1760 if (statbuf.st_nlink != 1)
1762 addr->basic_errno = ERRNO_NOTREGULAR;
1763 addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
1764 filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink);
1769 /* If symlinks are permitted (not recommended), the lstat() above will
1770 have found the symlink. Its ownership has just been checked; go round
1771 the loop again, using stat() instead of lstat(). That will never yield a
1774 if (islink && ob->allow_symlink)
1777 i--; /* Don't count this time round */
1781 /* An actual file exists. Check that it is a regular file, or FIFO
1784 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1786 else if ((oldmode & S_IFMT) != S_IFREG)
1788 addr->basic_errno = ERRNO_NOTREGULAR;
1789 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1790 filename, ob->allow_fifo ? " or named pipe" : "");
1794 /* If the mode is not what it would be for a newly created file, change
1795 the permissions if the mode is supplied for the address. Otherwise,
1796 reduce but do not extend the permissions. If the newly created
1797 permissions are greater than the existing permissions, don't change
1798 things when the mode is not from the address. */
1800 if ((oldmode &= 07777) != mode)
1802 int diffs = oldmode ^ mode;
1803 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1805 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1806 if (Uchmod(filename, mode) < 0)
1808 addr->basic_errno = errno;
1809 addr->message = string_sprintf("attempting to chmod mailbox %s",
1816 /* Mode not from address, and newly-created permissions are greater
1817 than existing permissions. Default is to complain, but it can be
1818 configured to go ahead and try to deliver anyway if that's what
1819 the administration wants. */
1821 else if (ob->mode_fail_narrower)
1823 addr->basic_errno = ERRNO_BADMODE;
1824 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1825 "(%o expected)", filename, oldmode, mode);
1830 /* We are happy with the existing file. Open it, and then do further
1831 tests to ensure that it is the same file that we were just looking at.
1832 If the file does not now exist, restart this loop, going back to using
1833 lstat again. For an NFS error, just defer; other opening errors are
1834 more serious. The file is opened RDWR so that its format can be checked,
1835 and also MBX locking requires the use of a shared (read) lock. However,
1836 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1837 reading the pipe. */
1839 fd = Uopen(filename, isfifo ? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1843 if (errno == ENOENT)
1848 addr->basic_errno = errno;
1850 addr->message = string_sprintf("while opening named pipe %s "
1851 "(could mean no process is reading it)", filename);
1852 else if (errno != EWOULDBLOCK)
1853 addr->message = string_sprintf("while opening mailbox %s", filename);
1857 /* This fstat really shouldn't fail, as we have an open file! There's a
1858 dilemma here. We use fstat in order to be sure we are peering at the file
1859 we have got open. However, that won't tell us if the file was reached
1860 via a symbolic link. We checked this above, but there is a race exposure
1861 if the link was created between the previous lstat and the open. However,
1862 it would have to be created with the same inode in order to pass the
1863 check below. If ob->allow_symlink is set, causing the use of stat rather
1864 than lstat above, symbolic links may be there anyway, and the checking is
1867 if (fstat(fd, &statbuf) < 0)
1869 addr->basic_errno = errno;
1870 addr->message = string_sprintf("attempting to stat open mailbox %s",
1875 /* Check the inode; this is isn't a perfect check, but gives some
1878 if (inode != statbuf.st_ino)
1880 addr->basic_errno = ERRNO_INODECHANGED;
1881 addr->message = string_sprintf("opened mailbox %s inode number changed "
1882 "from " INO_T_FMT " to " INO_T_FMT, filename, inode, statbuf.st_ino);
1883 addr->special_action = SPECIAL_FREEZE;
1887 /* Check it's still a regular file or FIFO, and the uid, gid, and
1888 permissions have not changed. */
1890 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1891 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1893 addr->basic_errno = ERRNO_NOTREGULAR;
1895 string_sprintf("opened mailbox %s is no longer a %s", filename,
1896 isfifo ? "named pipe" : "regular file");
1897 addr->special_action = SPECIAL_FREEZE;
1901 if ((ob->check_owner && statbuf.st_uid != uid) ||
1902 (ob->check_group && statbuf.st_gid != gid))
1904 addr->basic_errno = ERRNO_BADUGID;
1906 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1907 addr->special_action = SPECIAL_FREEZE;
1911 if ((statbuf.st_mode & 07777) != oldmode)
1913 addr->basic_errno = ERRNO_BADMODE;
1914 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
1915 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
1916 addr->special_action = SPECIAL_FREEZE;
1920 /* If file_format is set, check that the format of the file has not
1921 changed. Error data is set by the testing function. */
1923 if (ob->file_format && check_file_format(fd, tblock, addr) != tblock)
1925 addr->message = US"open mailbox has changed format";
1929 /* The file is OK. Carry on to do the locking. */
1932 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
1933 locking rules if configured to do so. If a lock file is also required, it
1934 was created above and hd was left >= 0. At least one form of locking is
1935 required by the initialization function. If locking fails here, close the
1936 file and go round the loop all over again, after waiting for a bit, unless
1937 blocking locking was used. */
1940 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
1941 sleep_before_retry = FALSE;
1943 /* Simple fcntl() and/or flock() locking */
1945 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
1947 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1948 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
1951 /* MBX locking rules */
1954 else if (ob->use_mbx_lock)
1957 struct stat lstatbuf, statbuf2;
1958 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1959 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
1960 fstat(fd, &statbuf) >= 0)
1962 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
1963 (long)statbuf.st_ino);
1966 * 2010-05-29: SECURITY
1967 * Dan Rosenberg reported the presence of a race-condition in the
1968 * original code here. Beware that many systems still allow symlinks
1969 * to be followed in /tmp so an attacker can create a symlink pointing
1970 * elsewhere between a stat and an open, which we should avoid
1973 * It's unfortunate that we can't just use all the heavily debugged
1974 * locking from above.
1976 * Also: remember to mirror changes into exim_lock.c */
1978 /* first leave the old pre-check in place, it provides better
1979 * diagnostics for common cases */
1980 if (Ulstat(mbx_lockname, &statbuf) >= 0)
1982 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1984 addr->basic_errno = ERRNO_LOCKFAILED;
1985 addr->message = string_sprintf("symbolic link on MBX lock file %s",
1989 if (statbuf.st_nlink > 1)
1991 addr->basic_errno = ERRNO_LOCKFAILED;
1992 addr->message = string_sprintf("hard link to MBX lock file %s",
1998 /* If we could just declare "we must be the ones who create this
1999 * file" then a hitching post in a subdir would work, since a
2000 * subdir directly in /tmp/ which we create wouldn't follow links
2001 * but this isn't our locking logic, so we can't safely change the
2002 * file existence rules. */
2004 /* On systems which support O_NOFOLLOW, it's the easiest and most
2005 * obviously correct security fix */
2006 mbx_tmp_oflags = O_RDWR | O_CREAT;
2008 mbx_tmp_oflags |= O_NOFOLLOW;
2010 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
2013 addr->basic_errno = ERRNO_LOCKFAILED;
2014 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2015 mbx_lockname, strerror(errno));
2019 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
2021 addr->basic_errno = ERRNO_LOCKFAILED;
2022 addr->message = string_sprintf("attempting to lstat open MBX "
2023 "lock file %s: %s", mbx_lockname, strerror(errno));
2026 if (fstat(mbx_lockfd, &statbuf2) < 0)
2028 addr->basic_errno = ERRNO_LOCKFAILED;
2029 addr->message = string_sprintf("attempting to stat fd of open MBX "
2030 "lock file %s: %s", mbx_lockname, strerror(errno));
2036 * statbuf: if exists, is file which existed prior to opening the
2037 * lockfile, might have been replaced since then
2038 * statbuf2: result of stat'ing the open fd, is what was actually
2040 * lstatbuf: result of lstat'ing the filename immediately after
2041 * the open but there's a race condition again between
2042 * those two steps: before open, symlink to foo, after
2043 * open but before lstat have one of:
2044 * * was no symlink, so is the opened file
2045 * (we created it, no messing possible after that point)
2047 * * symlink elsewhere
2048 * * hardlink elsewhere
2050 * Don't want to compare to device of /tmp because some modern systems
2051 * have regressed to having /tmp be the safe actual filesystem as
2052 * valuable data, so is mostly worthless, unless we assume that *only*
2053 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2054 * for further consideration.
2055 * No point in doing a readlink on the lockfile as that will always be
2056 * at a different point in time from when we open it, so tells us
2057 * nothing; attempts to clean up and delete after ourselves would risk
2058 * deleting a *third* filename.
2060 if ((statbuf2.st_nlink > 1) ||
2061 (lstatbuf.st_nlink > 1) ||
2062 (!S_ISREG(lstatbuf.st_mode)) ||
2063 (lstatbuf.st_dev != statbuf2.st_dev) ||
2064 (lstatbuf.st_ino != statbuf2.st_ino))
2066 addr->basic_errno = ERRNO_LOCKFAILED;
2067 addr->message = string_sprintf("RACE CONDITION detected: "
2068 "mismatch post-initial-checks between \"%s\" and opened "
2069 "fd lead us to abort!", mbx_lockname);
2073 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
2075 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2076 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2078 struct stat ostatbuf;
2080 /* This tests for a specific race condition. Ensure that we still
2081 have the same file. */
2083 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2084 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2085 statbuf.st_dev == ostatbuf.st_dev &&
2086 statbuf.st_ino == ostatbuf.st_ino)
2088 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2089 "between creation and locking\n", mbx_lockname);
2092 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2094 (void)close(mbx_lockfd);
2099 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2100 filename, strerror(errno));
2103 #endif /* SUPPORT_MBX */
2105 else break; /* No on-file locking required; break the open/lock loop */
2108 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2112 use_lstat = TRUE; /* Reset to use lstat first */
2115 /* If a blocking call timed out, break the retry loop if the total time
2116 so far is not less than than retries * interval. Use the larger of the
2117 flock() and fcntl() timeouts. */
2120 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2121 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2122 ob->lock_retries * ob->lock_interval)
2123 i = ob->lock_retries;
2125 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2126 flock() that caused the problem. */
2128 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2131 /* Test for exceeding the maximum number of tries. Either the file remains
2132 locked, or, if we haven't got it open, something is terribly wrong... */
2134 if (i >= ob->lock_retries)
2138 addr->basic_errno = ERRNO_EXISTRACE;
2139 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2140 addr->special_action = SPECIAL_FREEZE;
2144 addr->basic_errno = ERRNO_LOCKFAILED;
2145 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2151 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2153 /* Save access time (for subsequent restoration), modification time (for
2154 restoration if updating fails), size of file (for comsat and for re-setting if
2155 delivery fails in the middle - e.g. for quota exceeded). */
2157 if (fstat(fd, &statbuf) < 0)
2159 addr->basic_errno = errno;
2160 addr->message = string_sprintf("while fstatting opened mailbox %s",
2165 times.actime = statbuf.st_atime;
2166 times.modtime = statbuf.st_mtime;
2167 saved_size = statbuf.st_size;
2168 if (mailbox_size < 0) mailbox_size = saved_size;
2169 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2172 /* Prepare for writing to a new file (as opposed to appending to an old one).
2173 There are several different formats, but there is preliminary stuff concerned
2174 with quotas that applies to all of them. Finding the current size by directory
2175 scanning is expensive; for maildirs some fudges have been invented:
2177 (1) A regex can be used to extract a file size from its name;
2178 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2184 uschar *check_path; /* Default quota check path */
2185 const pcre2_code * re = NULL; /* Regex for file size from file name */
2187 if (!check_creation(string_sprintf("%s/any", path),
2188 ob->create_file, deliver_dir))
2190 addr->basic_errno = ERRNO_BADCREATE;
2191 addr->message = string_sprintf("tried to create file in %s, but "
2192 "file creation outside the home directory is not permitted", path);
2196 /* If the create_file option is an absolute path and the file was within
2197 it, de-taint. Otherwise check for taint. */
2199 if (is_tainted(path))
2200 if (ob->create_file == create_belowhome)
2202 DEBUG(D_transport) debug_printf("below-home: de-tainting path '%s'\n", path);
2203 path = string_copy_taint(path, GET_UNTAINTED);
2206 goto tainted_ret_panic;
2210 #ifdef SUPPORT_MAILDIR
2211 /* For a maildir delivery, ensure that all the relevant directories exist,
2212 and a maildirfolder file if necessary. */
2214 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
2215 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
2217 #endif /* SUPPORT_MAILDIR */
2219 /* If we are going to do a quota check, of if maildir_use_size_file is set
2220 for a maildir delivery, compile the regular expression if there is one. We
2221 may also need to adjust the path that is used. We need to do this for
2222 maildir_use_size_file even if the quota is unset, because we still want to
2223 create the file. When maildir support is not compiled,
2224 ob->maildir_use_size_file is always FALSE. */
2226 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2228 /* Compile the regex if there is one. */
2230 if (ob->quota_size_regex)
2232 if (!(re = regex_compile(ob->quota_size_regex,
2233 MCS_NOFLAGS, &addr->message, pcre_gen_cmp_ctx)))
2236 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2237 ob->quota_size_regex);
2240 /* Use an explicitly configured directory if set */
2242 GET_OPTION("quota_directory");
2243 if (ob->quota_directory)
2245 if (!(check_path = expand_string(ob->quota_directory)))
2247 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2248 "name for %s transport) failed: %s", ob->quota_directory,
2249 trname, expand_string_message);
2253 if (check_path[0] != '/')
2255 addr->message = string_sprintf("appendfile: quota_directory name "
2256 "\"%s\" is not absolute", check_path);
2257 addr->basic_errno = ERRNO_NOTABSOLUTE;
2262 #ifdef SUPPORT_MAILDIR
2263 /* Otherwise, if we are handling a maildir delivery, and the directory
2264 contains a file called maildirfolder, this is a maildir++ feature telling
2265 us that this is a sub-directory of the real inbox. We should therefore do
2266 the quota check on the parent directory. Beware of the special case when
2267 the directory name itself ends in a slash. */
2269 else if (mbformat == mbf_maildir)
2271 struct stat statbuf;
2272 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2274 uschar *new_check_path = string_copy(check_path);
2275 uschar *slash = Ustrrchr(new_check_path, '/');
2281 slash = Ustrrchr(new_check_path, '/');
2286 check_path = new_check_path;
2287 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2288 "quota check directory changed to %s\n", check_path);
2293 #endif /* SUPPORT_MAILDIR */
2296 /* If we are using maildirsize files, we need to ensure that such a file
2297 exists and, if necessary, recalculate its contents. As a byproduct of this,
2298 we obtain the current size of the maildir. If no quota is to be enforced
2299 (ob->quota_value == 0), we still need the size if a threshold check will
2302 Another regular expression is used to determine which directories inside the
2303 maildir are going to be counted. */
2305 #ifdef SUPPORT_MAILDIR
2306 if (ob->maildir_use_size_file)
2308 const pcre2_code * dir_regex = NULL;
2310 if (ob->maildir_dir_regex)
2312 int check_path_len = Ustrlen(check_path);
2314 if (!(dir_regex = regex_compile(ob->maildir_dir_regex,
2315 MCS_NOFLAGS, &addr->message, pcre_gen_cmp_ctx)))
2319 debug_printf("using regex for maildir directory selection: %s\n",
2320 ob->maildir_dir_regex);
2322 /* Check to see if we are delivering into an ignored directory, that is,
2323 if the delivery path starts with the quota check path, and the rest
2324 of the deliver path matches the regex; if so, set a flag to disable quota
2325 checking and maildirsize updating. */
2327 if (Ustrncmp(path, check_path, check_path_len) == 0)
2329 uschar *s = path + check_path_len;
2330 while (*s == '/') s++;
2331 s = *s ? string_sprintf("%s/new", s) : US"new";
2332 if (!regex_match(dir_regex, s, -1, NULL))
2334 disable_quota = TRUE;
2335 DEBUG(D_transport) debug_printf("delivery directory does not match "
2336 "maildir_quota_directory_regex: disabling quota\n");
2341 /* Quota enforcement; create and check the file. There is some discussion
2342 about whether this should happen if the quota is unset. At present, Exim
2343 always creates the file. If we ever want to change this, uncomment
2344 appropriate lines below, possibly doing a check on some option. */
2346 /* if (???? || ob->quota_value > 0) */
2353 if ((maildirsize_fd = maildir_ensure_sizefile(check_path, ob, re, dir_regex,
2354 &size, &filecount)) == -1)
2356 addr->basic_errno = errno;
2357 addr->message = string_sprintf("while opening or reading "
2358 "%s/maildirsize", check_path);
2361 /* can also return -2, which means that the file was removed because of
2362 raciness; but in this case, the size & filecount will still have been
2365 if (mailbox_size < 0) mailbox_size = size;
2366 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2369 /* No quota enforcement; ensure file does *not* exist; calculate size if
2374 * time_t old_latest;
2375 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2376 * if (THRESHOLD_CHECK)
2377 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2378 * re, dir_regex, FALSE);
2383 #endif /* SUPPORT_MAILDIR */
2385 /* Otherwise if we are going to do a quota check later on, and the mailbox
2386 size is not set, find the current size of the mailbox. Ditto for the file
2387 count. Note that ob->quota_filecount_value cannot be set without
2388 ob->quota_value being set. */
2391 && (ob->quota_value > 0 || THRESHOLD_CHECK)
2392 && ( mailbox_size < 0
2393 || mailbox_filecount < 0 && ob->quota_filecount_value > 0
2399 debug_printf("quota checks on directory %s\n", check_path);
2400 size = check_dir_size(check_path, &filecount, re);
2401 if (mailbox_size < 0) mailbox_size = size;
2402 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2405 /* Handle the case of creating a unique file in a given directory (not in
2406 maildir or mailstore format - this is how smail did it). A temporary name is
2407 used to create the file. Later, when it is written, the name is changed to a
2408 unique one. There is no need to lock the file. An attempt is made to create
2409 the directory if it does not exist. */
2411 if (mbformat == mbf_smail)
2414 debug_printf("delivering to new file in %s\n", path);
2415 filename = dataname =
2416 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2417 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2418 if (fd < 0 && /* failed to open, and */
2419 (errno != ENOENT || /* either not non-exist */
2420 !ob->create_directory || /* or not allowed to make */
2421 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2422 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2424 addr->basic_errno = errno;
2425 addr->message = string_sprintf("while creating file %s", filename);
2430 #ifdef SUPPORT_MAILDIR
2432 /* Handle the case of a unique file in maildir format. The file is written to
2433 the tmp subdirectory, with a prescribed form of name. */
2435 else if (mbformat == mbf_maildir)
2438 debug_printf("delivering in maildir format in %s\n", path);
2440 GET_OPTION("maildir_tag");
2441 nametag = ob->maildir_tag;
2443 /* Check that nametag expands successfully; a hard failure causes a panic
2444 return. The actual expansion for use happens again later, when
2445 $message_size is accurately known. */
2447 if (nametag && !expand_string(nametag) && !f.expand_string_forcedfail)
2449 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2450 "for %s transport) failed: %s", nametag, trname,
2451 expand_string_message);
2455 /* We ensured the existence of all the relevant directories above. Attempt
2456 to open the temporary file a limited number of times. I think this rather
2457 scary-looking for statement is actually OK. If open succeeds, the loop is
2458 broken; if not, there is a test on the value of i. Get the time again
2459 afresh each time round the loop. Its value goes into a variable that is
2460 checked at the end, to make sure we don't release this process until the
2461 clock has ticked. */
2463 for (int i = 1;; i++)
2467 (void)gettimeofday(&msg_tv, NULL);
2468 basename = string_sprintf(TIME_T_FMT ".M%luP" PID_T_FMT ".%s",
2469 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
2471 filename = dataname = string_sprintf("tmp/%s", basename);
2472 newname = string_sprintf("new/%s", basename);
2474 if (Ustat(filename, &statbuf) == 0)
2476 else if (errno == ENOENT)
2478 if ((fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode)) >= 0)
2480 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2481 filename, strerror(errno));
2484 /* Too many retries - give up */
2486 if (i >= ob->maildir_retries)
2488 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2489 filename, i, (i == 1) ? "y" : "ies");
2490 addr->basic_errno = errno;
2491 if (errno == errno_quota || errno == ENOSPC)
2492 addr->user_message = US"mailbox is full";
2496 /* Open or stat failed but we haven't tried too many times yet. */
2501 /* Note that we have to ensure the clock has ticked before leaving */
2503 wait_for_tick = TRUE;
2505 /* Why are these here? Put in because they are present in the non-maildir
2506 directory case above. */
2508 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2510 addr->basic_errno = errno;
2511 addr->message = string_sprintf("while setting perms on maildir %s",
2517 #endif /* SUPPORT_MAILDIR */
2519 #ifdef SUPPORT_MAILSTORE
2521 /* Handle the case of a unique file in mailstore format. First write the
2522 envelope to a temporary file, then open the main file. The unique base name
2523 for the files consists of the message id plus the pid of this delivery
2529 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2530 string_base62_64((long int)getpid()));
2533 debug_printf("delivering in mailstore format in %s\n", path);
2535 filename = string_sprintf("%s.tmp", mailstore_basename);
2536 newname = string_sprintf("%s.env", mailstore_basename);
2537 dataname = string_sprintf("%s.msg", mailstore_basename);
2539 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2540 if ( fd < 0 /* failed to open, and */
2541 && ( errno != ENOENT /* either not non-exist */
2542 || !ob->create_directory /* or not allowed to make */
2543 || !directory_make(NULL, path, ob->dirmode, FALSE) /* or failed to create dir */
2544 || (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0 /* or then failed to open */
2547 addr->basic_errno = errno;
2548 addr->message = string_sprintf("while creating file %s", filename);
2552 /* Why are these here? Put in because they are present in the non-maildir
2553 directory case above. */
2555 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2557 addr->basic_errno = errno;
2558 addr->message = string_sprintf("while setting perms on file %s",
2563 /* Built a C stream from the open file descriptor. */
2565 if (!(env_file = fdopen(fd, "wb")))
2567 addr->basic_errno = errno;
2568 addr->message = string_sprintf("fdopen of %s ("
2569 "for %s transport) failed", filename, trname);
2575 /* Write the envelope file, then close it. */
2577 GET_OPTION("mailstore_prefix");
2578 if (ob->mailstore_prefix)
2580 uschar * s = expand_string(ob->mailstore_prefix);
2583 if (!f.expand_string_forcedfail)
2585 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2586 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2587 trname, expand_string_message);
2588 (void)fclose(env_file);
2596 fprintf(env_file, "%s", CS s);
2597 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2601 fprintf(env_file, "%s\n", sender_address);
2603 for (address_item * taddr = addr; taddr; taddr = taddr->next)
2604 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2606 GET_OPTION("mailstore_suffix");
2607 if (ob->mailstore_suffix)
2609 uschar * s = expand_string(ob->mailstore_suffix);
2612 if (!f.expand_string_forcedfail)
2614 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2615 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2616 trname, expand_string_message);
2617 (void)fclose(env_file);
2625 fprintf(env_file, "%s", CS s);
2626 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2630 if (fclose(env_file) != 0)
2632 addr->basic_errno = errno;
2633 addr->message = string_sprintf("while closing %s", filename);
2638 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2640 /* Now open the data file, and ensure that it has the correct ownership and
2643 if ((fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
2645 addr->basic_errno = errno;
2646 addr->message = string_sprintf("while creating file %s", dataname);
2650 if (exim_chown(dataname, uid, gid) || Uchmod(dataname, mode))
2652 addr->basic_errno = errno;
2653 addr->message = string_sprintf("while setting perms on file %s",
2659 #endif /* SUPPORT_MAILSTORE */
2662 /* In all cases of writing to a new file, ensure that the file which is
2663 going to be renamed has the correct ownership and mode. */
2665 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2667 addr->basic_errno = errno;
2668 addr->message = string_sprintf("while setting perms on file %s",
2675 /* At last we can write the message to the file, preceded by any configured
2676 prefix line, and followed by any configured suffix line. If there are any
2677 writing errors, we must defer. */
2679 DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2684 /* If there is a local quota setting, check that we are not going to exceed it
2685 with this message if quota_is_inclusive is set; if it is not set, the check
2686 is for the mailbox already being over quota (i.e. the current message is not
2687 included in the check). */
2689 if (!disable_quota && ob->quota_value > 0)
2693 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2694 " this message = %d (%sincluded)\n",
2695 ob->quota_value, mailbox_size, message_size,
2696 ob->quota_is_inclusive ? "" : "not ");
2697 debug_printf(" file count quota = %d count = %d\n",
2698 ob->quota_filecount_value, mailbox_filecount);
2701 if (mailbox_size + (ob->quota_is_inclusive ? message_size:0) > ob->quota_value)
2702 if (!ob->quota_no_check)
2704 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2706 errno = ERRNO_EXIMQUOTA;
2709 DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2711 if (ob->quota_filecount_value > 0
2712 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2713 ob->quota_filecount_value)
2714 if (!ob->quota_filecount_no_check)
2716 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2718 errno = ERRNO_EXIMQUOTA;
2719 filecount_msg = US" filecount";
2721 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2722 debug_printf("mailbox file count quota exceeded but ignored\n");
2728 addr->basic_errno = errno;
2729 addr->message = US"Over quota";
2730 addr->transport_return = yield;
2732 debug_printf("appendfile (verify) yields %d with errno=%d more_errno=%d\n",
2733 yield, addr->basic_errno, addr->more_errno);
2738 /* If we are writing in MBX format, what we actually do is to write the message
2739 to a temporary file, and then copy it to the real file once we know its size.
2740 This is the most straightforward way of getting the correct length in the
2741 separator line. So, what we do here is to save the real file descriptor, and
2742 replace it with one for a temporary file. The temporary file gets unlinked once
2743 opened, so that it goes away on closure. */
2746 if (yield == OK && ob->mbx_format)
2748 if (!(temp_file = tmpfile()))
2750 addr->basic_errno = errno;
2751 addr->message = US"while setting up temporary file";
2756 fd = fileno(temp_file);
2757 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2759 #endif /* SUPPORT_MBX */
2761 /* Zero the count of bytes written. It is incremented by the transport_xxx()
2764 transport_count = 0;
2765 transport_newlines = 0;
2767 /* Write any configured prefix text first */
2771 uschar * prefix = ob->message_prefix;
2772 GET_OPTION("message_prefix");
2773 if (prefix && *prefix)
2774 if (!(prefix = expand_string(prefix)))
2776 errno = ERRNO_EXPANDFAIL;
2777 addr->transport_return = PANIC;
2778 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2779 "transport) failed", ob->message_prefix, trname);
2782 else if (!transport_write_string(fd, "%s", prefix))
2786 /* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2787 various different values for batching are handled outside; if there is more
2788 than one address available here, all must be included. If any address is a
2789 file, use its parent in the RCPT TO. */
2791 if (yield == OK && ob->use_bsmtp)
2793 transport_count = 0;
2794 transport_newlines = 0;
2795 if (ob->use_crlf) cr = US"\r";
2796 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2800 transport_newlines++;
2801 for (address_item * a = addr; a; a = a->next)
2803 address_item * b = testflag(a, af_pfr) ? a->parent : a;
2804 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2805 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2806 { yield = DEFER; break; }
2807 transport_newlines++;
2809 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2812 transport_newlines++;
2816 /* Now the message itself. The options for transport_write_message were set up
2817 at initialization time. */
2821 transport_ctx tctx = {
2825 .check_string = ob->check_string,
2826 .escape_string = ob->escape_string,
2827 .options = ob->options | topt_not_socket
2829 if (!transport_write_message(&tctx, 0))
2833 /* Now a configured suffix. */
2837 uschar * suffix = ob->message_suffix;
2838 GET_OPTION("message_suffix");
2839 if (suffix && *suffix)
2840 if (!(suffix = expand_string(suffix)))
2842 errno = ERRNO_EXPANDFAIL;
2843 addr->transport_return = PANIC;
2844 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2845 "transport) failed", ob->message_suffix, trname);
2848 else if (!transport_write_string(fd, "%s", suffix))
2852 /* If batch smtp, write the terminating dot. */
2854 if (yield == OK && ob->use_bsmtp)
2855 if (!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2856 else transport_newlines++;
2858 /* If MBX format is being used, all that writing was to the temporary file.
2859 However, if there was an earlier failure (Exim quota exceeded, for example),
2860 the temporary file won't have got opened - and no writing will have been done.
2861 If writing was OK, we restore the fd, and call a function that copies the
2862 message in MBX format into the real file. Otherwise use the temporary name in
2866 if (temp_file && ob->mbx_format)
2873 transport_count = 0; /* Reset transport count for actual write */
2874 /* No need to reset transport_newlines as we're just using a block copy
2875 * routine so the number won't be affected */
2876 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2878 else if (errno >= 0) dataname = US"temporary file";
2880 /* Preserve errno while closing the temporary file. */
2882 mbx_save_errno = errno;
2883 (void)fclose(temp_file);
2884 errno = mbx_save_errno;
2886 #endif /* SUPPORT_MBX */
2888 /* Force out the remaining data to check for any errors; some OS don't allow
2889 fsync() to be called for a FIFO. */
2891 if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
2893 /* Update message_size and message_linecount to the accurate count of bytes
2894 written, including added headers. Note; we subtract 1 from message_linecount as
2895 this variable doesn't count the new line between the header and the body of the
2898 message_size = transport_count;
2899 message_linecount = transport_newlines - 1;
2901 /* If using a maildir++ quota file, add this message's size to it, and
2902 close the file descriptor, except when the quota has been disabled because we
2903 are delivering into an uncounted folder. */
2905 #ifdef SUPPORT_MAILDIR
2908 if (yield == OK && maildirsize_fd >= 0)
2909 maildir_record_length(maildirsize_fd, message_size);
2910 maildir_save_errno = errno; /* Preserve errno while closing the file */
2911 if (maildirsize_fd >= 0)
2912 (void)close(maildirsize_fd);
2913 errno = maildir_save_errno;
2915 #endif /* SUPPORT_MAILDIR */
2917 /* If there is a quota warning threshold and we are have crossed it with this
2918 message, set the SPECIAL_WARN flag in the address, to cause a warning message
2921 if (!disable_quota && THRESHOLD_CHECK)
2923 off_t threshold = ob->quota_warn_threshold_value;
2924 if (ob->quota_warn_threshold_is_percent)
2925 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
2927 debug_printf("quota = " OFF_T_FMT
2928 " threshold = " OFF_T_FMT
2929 " old size = " OFF_T_FMT
2930 " message size = %d\n",
2931 ob->quota_value, threshold, mailbox_size,
2933 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
2934 addr->special_action = SPECIAL_WARN;
2936 /******* You might think that the test ought to be this:
2938 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
2939 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
2941 * (indeed, I was sent a patch with that in). However, it is possible to
2942 * have a warning threshold without actually imposing a quota, and I have
2943 * therefore kept Exim backwards compatible.
2948 /* Handle error while writing the file. Control should come here directly after
2949 the error, with the reason in errno. In the case of expansion failure in prefix
2950 or suffix, it will be ERRNO_EXPANDFAIL. */
2954 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
2956 /* Save the error number. If positive, it will ultimately cause a strerror()
2957 call to generate some text. */
2959 addr->basic_errno = errno;
2961 /* For system or Exim quota excession, or disk full, set more_errno to the
2962 time since the file was last read. If delivery was into a directory, the
2963 time since last read logic is not relevant, in general. However, for maildir
2964 deliveries we can approximate it by looking at the last modified time of the
2965 "new" subdirectory. Since Exim won't be adding new messages, a change to the
2966 "new" subdirectory implies that an MUA has moved a message from there to the
2969 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
2971 addr->more_errno = 0;
2972 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
2974 #ifdef SUPPORT_MAILDIR
2975 else if (mbformat == mbf_maildir)
2977 struct stat statbuf;
2978 if (Ustat("new", &statbuf) < 0)
2980 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
2981 "stat error %d for \"new\": %s\n", errno, strerror(errno));
2983 else /* Want a repeatable time when in test harness */
2984 addr->more_errno = f.running_in_test_harness ? 10 :
2985 (int)time(NULL) - statbuf.st_mtime;
2988 debug_printf("maildir: time since \"new\" directory modified = %s\n",
2989 readconf_printtime(addr->more_errno));
2991 #endif /* SUPPORT_MAILDIR */
2994 /* Handle system quota excession. Add an explanatory phrase for the error
2995 message, since some systems don't have special quota-excession errors,
2996 and on those that do, "quota" doesn't always mean anything to the user. */
2998 if (errno == errno_quota)
3001 addr->message = string_sprintf("mailbox is full "
3002 "(quota exceeded while writing to file %s)", filename);
3004 addr->message = US"mailbox is full";
3006 addr->user_message = US"mailbox is full";
3007 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3009 isdirectory ? US"" : US": time since file read = ",
3010 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3013 /* Handle Exim's own quota-imposition */
3015 else if (errno == ERRNO_EXIMQUOTA)
3017 addr->message = string_sprintf("mailbox is full "
3018 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3020 addr->user_message = US"mailbox is full";
3021 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3022 filecount_msg, dataname,
3023 isdirectory ? US"" : US": time since file read = ",
3024 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3027 /* Handle a process failure while writing via a filter; the return
3028 from child_close() is in more_errno. */
3030 else if (errno == ERRNO_FILTER_FAIL)
3033 addr->message = string_sprintf("transport filter process failed (%d) "
3034 "while writing to %s%s", addr->more_errno, dataname,
3035 (addr->more_errno == EX_EXECFAILED) ? ": unable to execute command" : "");
3038 /* Handle failure to expand header changes */
3040 else if (errno == ERRNO_CHHEADER_FAIL)
3044 string_sprintf("failed to expand headers_add or headers_remove while "
3045 "writing to %s: %s", dataname, expand_string_message);
3048 /* Handle failure to complete writing of a data block */
3050 else if (errno == ERRNO_WRITEINCOMPLETE)
3051 addr->message = string_sprintf("failed to write data block while "
3052 "writing to %s", dataname);
3054 /* Handle length mismatch on MBX copying */
3057 else if (errno == ERRNO_MBXLENGTH)
3058 addr->message = string_sprintf("length mismatch while copying MBX "
3059 "temporary file to %s", dataname);
3060 #endif /* SUPPORT_MBX */
3062 /* For other errors, a general-purpose explanation, if the message is
3065 else if (addr->message == NULL)
3066 addr->message = string_sprintf("error while writing to %s", dataname);
3068 /* For a file, reset the file size to what it was before we started, leaving
3069 the last modification time unchanged, so it will get reset also. All systems
3070 investigated so far have ftruncate(), whereas not all have the F_FREESP
3071 fcntl() call (BSDI & FreeBSD do not). */
3073 if (!isdirectory && ftruncate(fd, saved_size))
3074 DEBUG(D_transport) debug_printf("Error resetting file size\n");
3077 /* Handle successful writing - we want the modification time to be now for
3078 appended files. Remove the default backstop error number. For a directory, now
3079 is the time to rename the file with a unique name. As soon as such a name
3080 appears it may get used by another process, so we close the file first and
3081 check that all is well. */
3085 times.modtime = time(NULL);
3086 addr->basic_errno = 0;
3088 /* Handle the case of writing to a new file in a directory. This applies
3089 to all single-file formats - maildir, mailstore, and "smail format". */
3093 if (fstat(fd, &statbuf) < 0)
3095 addr->basic_errno = errno;
3096 addr->message = string_sprintf("while fstatting opened message file %s",
3101 else if (close(fd) < 0)
3103 addr->basic_errno = errno;
3104 addr->message = string_sprintf("close() error for %s",
3105 (ob->mailstore_format) ? dataname : filename);
3109 /* File is successfully written and closed. Arrange to rename it. For the
3110 different kinds of single-file delivery, some games can be played with the
3111 name. The message size is by this time set to the accurate value so that
3112 its value can be used in expansions. */
3116 uschar *renamename = newname;
3119 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3121 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3122 situation. The name is built by expanding the directory_file option, and
3123 we make the inode number available for use in this. The expansion was
3124 checked for syntactic validity above, before we wrote the file.
3126 We have to be careful here, in case the file name exists. (In the other
3127 cases, the names used are constructed to be unique.) The rename()
3128 function just replaces an existing file - we don't want that! So instead
3129 of calling rename(), we must use link() and unlink().
3131 In this case, if the link fails because of an existing file, we wait
3132 for one second and try the expansion again, to see if it produces a
3133 different value. Do this up to 5 times unless the name stops changing.
3134 This makes it possible to build values that are based on the time, and
3135 still cope with races from multiple simultaneous deliveries. */
3140 uschar *old_renameleaf = US"";
3142 for (int i = 0; ; sleep(1), i++)
3144 deliver_inode = statbuf.st_ino;
3145 renameleaf = expand_string(ob->dirfilename);
3150 addr->transport_return = PANIC;
3151 addr->message = string_sprintf("Expansion of \"%s\" "
3152 "(directory_file for %s transport) failed: %s",
3153 ob->dirfilename, trname, expand_string_message);
3157 renamename = string_sprintf("%s/%s", path, renameleaf);
3158 if (Ulink(filename, renamename) < 0)
3160 DEBUG(D_transport) debug_printf("link failed: %s\n",
3162 if (errno != EEXIST || i >= 4 ||
3163 Ustrcmp(renameleaf, old_renameleaf) == 0)
3165 addr->basic_errno = errno;
3166 addr->message = string_sprintf("while renaming %s as %s",
3167 filename, renamename);
3171 old_renameleaf = renameleaf;
3172 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3181 } /* re-expand loop */
3182 } /* not mailstore or maildir */
3184 /* For maildir and mailstore formats, the new name was created earlier,
3185 except that for maildir, there is the possibility of adding a "tag" on
3186 the end of the name by expanding the value of nametag. This usually
3187 includes a reference to the message size. The expansion of nametag was
3188 checked above, before the file was opened. It either succeeded, or
3189 provoked a soft failure. So any failure here can be treated as soft.
3190 Ignore non-printing characters and / and put a colon at the start if the
3191 first character is alphanumeric. */
3197 uschar *iptr = expand_string(nametag);
3200 uschar *etag = store_get(Ustrlen(iptr) + 2, iptr);
3201 uschar *optr = etag;
3202 for ( ; *iptr; iptr++)
3203 if (mac_isgraph(*iptr) && *iptr != '/')
3205 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3209 renamename = string_sprintf("%s%s", newname, etag);
3213 /* Do the rename. If the name is too long and a tag exists, try again
3216 if (Urename(filename, renamename) < 0 &&
3217 (nametag == NULL || errno != ENAMETOOLONG ||
3218 (renamename = newname, Urename(filename, renamename) < 0)))
3220 addr->basic_errno = errno;
3221 addr->message = string_sprintf("while renaming %s as %s",
3222 filename, renamename);
3226 /* Rename succeeded */
3230 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3232 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3234 } /* maildir or mailstore */
3235 } /* successful write + close */
3237 } /* write success */
3240 /* For a file, restore the last access time (atime), and set the modification
3241 time as required - changed if write succeeded, unchanged if not. */
3243 if (!isdirectory) utime(CS filename, ×);
3245 /* Notify comsat if configured to do so. It only makes sense if the configured
3246 file is the one that the comsat daemon knows about. */
3248 if (ob->notify_comsat && yield == OK && deliver_localpart)
3249 notify_comsat(deliver_localpart, saved_size);
3251 /* Pass back the final return code in the address structure */
3254 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3255 yield, addr->basic_errno, addr->more_errno);
3257 addr->transport_return = yield;
3259 /* Close the file, which will release the fcntl lock. For a directory write it
3260 is closed above, except in cases of error which goto RETURN, when we also need
3261 to remove the original file(s). For MBX locking, if all has gone well, before
3262 closing the file, see if we can get an exclusive lock on it, in which case we
3263 can unlink the /tmp lock file before closing it. This is always a non-blocking
3264 lock; there's no need to wait if we can't get it. If everything has gone right
3265 but close fails, defer the message. Then unlink the lock file, if present. This
3266 point in the code is jumped to from a number of places when errors are
3267 detected, in order to get the file closed and the lock file tidied away. */
3272 if (mbx_lockfd >= 0)
3274 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3275 ob->use_flock, 0) >= 0)
3278 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3279 Uunlink(mbx_lockname);
3281 (void)close(mbx_lockfd);
3283 #endif /* SUPPORT_MBX */
3285 if (fd >= 0 && close(fd) < 0 && yield == OK)
3287 addr->basic_errno = errno;
3288 addr->message = string_sprintf("while closing %s", filename);
3289 addr->transport_return = DEFER;
3292 if (hd >= 0) Uunlink(lockname);
3294 /* We get here with isdirectory and filename set only in error situations. */
3296 if (isdirectory && filename)
3299 if (dataname != filename) Uunlink(dataname);
3302 /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3303 file name relies on time + pid. We must not allow the process to finish until
3304 the clock has move on by at least one microsecond. Usually we expect this
3305 already to be the case, but machines keep getting faster... */
3307 if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3309 /* A return of FALSE means that if there was an error, a common error was
3310 put in the first address of a batch. */
3315 addr->message = string_sprintf("Tainted '%s' (file or directory "
3316 "name for %s transport) not permitted", path, trname);
3318 addr->transport_return = PANIC;
3322 #endif /*!MACRO_PREDEF*/
3323 #endif /*TRANSPORT_APPENDFILE*/
3324 /* End of transport/appendfile.c */