1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2020 */
6 /* Copyright (c) The Exim maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
11 #include "appendfile.h"
13 #ifdef SUPPORT_MAILDIR
14 #include "tf_maildir.h"
18 /* Options specific to the appendfile transport. They must be in alphabetic
19 order (note that "_" comes before the lower case letters). Some of them are
20 stored in the publicly visible instance block - these are flagged with the
22 #define LOFF(field) OPT_OFF(appendfile_transport_options_block, field)
24 optionlist appendfile_transport_options[] = {
25 #ifdef SUPPORT_MAILDIR
26 { "*expand_maildir_use_size_file", opt_stringptr, LOFF(expand_maildir_use_size_file) },
28 { "*set_use_fcntl_lock",opt_bool | opt_hidden, LOFF(set_use_fcntl) },
29 { "*set_use_flock_lock",opt_bool | opt_hidden, LOFF(set_use_flock) },
30 { "*set_use_lockfile", opt_bool | opt_hidden, LOFF(set_use_lockfile) },
32 { "*set_use_mbx_lock", opt_bool | opt_hidden, LOFF(set_use_mbx_lock) },
34 { "allow_fifo", opt_bool, LOFF(allow_fifo) },
35 { "allow_symlink", opt_bool, LOFF(allow_symlink) },
36 { "batch_id", opt_stringptr | opt_public, OPT_OFF(transport_instance, batch_id) },
37 { "batch_max", opt_int | opt_public, OPT_OFF(transport_instance, batch_max) },
38 { "check_group", opt_bool, LOFF(check_group) },
39 { "check_owner", opt_bool, LOFF(check_owner) },
40 { "check_string", opt_stringptr, LOFF(check_string) },
41 { "create_directory", opt_bool, LOFF(create_directory) },
42 { "create_file", opt_stringptr, LOFF(create_file_string) },
43 { "directory", opt_stringptr, LOFF(dirname) },
44 { "directory_file", opt_stringptr, LOFF(dirfilename) },
45 { "directory_mode", opt_octint, LOFF(dirmode) },
46 { "escape_string", opt_stringptr, LOFF(escape_string) },
47 { "file", opt_stringptr, LOFF(filename) },
48 { "file_format", opt_stringptr, LOFF(file_format) },
49 { "file_must_exist", opt_bool, LOFF(file_must_exist) },
50 { "lock_fcntl_timeout", opt_time, LOFF(lock_fcntl_timeout) },
51 { "lock_flock_timeout", opt_time, LOFF(lock_flock_timeout) },
52 { "lock_interval", opt_time, LOFF(lock_interval) },
53 { "lock_retries", opt_int, LOFF(lock_retries) },
54 { "lockfile_mode", opt_octint, LOFF(lockfile_mode) },
55 { "lockfile_timeout", opt_time, LOFF(lockfile_timeout) },
56 { "mailbox_filecount", opt_stringptr, LOFF(mailbox_filecount_string) },
57 { "mailbox_size", opt_stringptr, LOFF(mailbox_size_string) },
58 #ifdef SUPPORT_MAILDIR
59 { "maildir_format", opt_bool, LOFF(maildir_format ) } ,
60 { "maildir_quota_directory_regex", opt_stringptr, LOFF(maildir_dir_regex) },
61 { "maildir_retries", opt_int, LOFF(maildir_retries) },
62 { "maildir_tag", opt_stringptr, LOFF(maildir_tag) },
63 { "maildir_use_size_file", opt_expand_bool, LOFF(maildir_use_size_file ) } ,
64 { "maildirfolder_create_regex", opt_stringptr, LOFF(maildirfolder_create_regex ) },
65 #endif /* SUPPORT_MAILDIR */
66 #ifdef SUPPORT_MAILSTORE
67 { "mailstore_format", opt_bool, LOFF(mailstore_format ) },
68 { "mailstore_prefix", opt_stringptr, LOFF(mailstore_prefix ) },
69 { "mailstore_suffix", opt_stringptr, LOFF(mailstore_suffix ) },
70 #endif /* SUPPORT_MAILSTORE */
72 { "mbx_format", opt_bool, LOFF(mbx_format ) } ,
73 #endif /* SUPPORT_MBX */
74 { "message_prefix", opt_stringptr, LOFF(message_prefix) },
75 { "message_suffix", opt_stringptr, LOFF(message_suffix) },
76 { "mode", opt_octint, LOFF(mode) },
77 { "mode_fail_narrower",opt_bool, LOFF(mode_fail_narrower) },
78 { "notify_comsat", opt_bool, LOFF(notify_comsat) },
79 { "quota", opt_stringptr, LOFF(quota) },
80 { "quota_directory", opt_stringptr, LOFF(quota_directory) },
81 { "quota_filecount", opt_stringptr, LOFF(quota_filecount) },
82 { "quota_is_inclusive", opt_bool, LOFF(quota_is_inclusive) },
83 { "quota_size_regex", opt_stringptr, LOFF(quota_size_regex) },
84 { "quota_warn_message", opt_stringptr | opt_public, OPT_OFF(transport_instance, warn_message) },
85 { "quota_warn_threshold", opt_stringptr, LOFF(quota_warn_threshold) },
86 { "use_bsmtp", opt_bool, LOFF(use_bsmtp) },
87 { "use_crlf", opt_bool, LOFF(use_crlf) },
88 { "use_fcntl_lock", opt_bool_set, LOFF(use_fcntl) },
89 { "use_flock_lock", opt_bool_set, LOFF(use_flock) },
90 { "use_lockfile", opt_bool_set, LOFF(use_lockfile) },
92 { "use_mbx_lock", opt_bool_set, LOFF(use_mbx_lock) },
93 #endif /* SUPPORT_MBX */
96 /* Size of the options list. An extern variable has to be used so that its
97 address can appear in the tables drtables.c. */
99 int appendfile_transport_options_count =
100 sizeof(appendfile_transport_options)/sizeof(optionlist);
106 appendfile_transport_options_block appendfile_transport_option_defaults = {0};
107 void appendfile_transport_init(transport_instance *tblock) {}
108 BOOL appendfile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
110 #else /*!MACRO_PREDEF*/
112 /* Default private options block for the appendfile transport. */
114 appendfile_transport_options_block appendfile_transport_option_defaults = {
115 /* all non-mentioned members zero/null/false */
116 .dirfilename = US"q${base62:$tod_epoch}-$inode",
117 .create_file_string = US"anywhere",
118 .maildir_dir_regex = US"^(?:cur|new|\\..*)$",
119 .mailbox_size_value = -1,
120 .mailbox_filecount_value = -1,
121 .mode = APPENDFILE_MODE,
122 .dirmode = APPENDFILE_DIRECTORY_MODE,
123 .lockfile_mode = APPENDFILE_LOCKFILE_MODE,
124 .lockfile_timeout = 30*60,
127 .maildir_retries = 10,
128 .create_file = create_anywhere,
130 .create_directory = TRUE,
131 .notify_comsat = FALSE,
132 .use_lockfile = TRUE,
134 .mode_fail_narrower = TRUE,
135 .quota_is_inclusive = TRUE,
139 /* Encodings for mailbox formats, and their names. MBX format is actually
140 supported only if SUPPORT_MBX is set. */
142 enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
144 static const char *mailbox_formats[] = {
145 "unix", "mbx", "smail", "maildir", "mailstore" };
148 /* Check warn threshold only if quota size set or not a percentage threshold
149 percentage check should only be done if quota > 0 */
151 #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
152 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
156 /*************************************************
157 * Setup entry point *
158 *************************************************/
160 /* Called for each delivery in the privileged state, just before the uid/gid
161 are changed and the main entry point is called. We use this function to
162 expand any quota settings, so that it can access files that may not be readable
163 by the user. It is also used to pick up external mailbox size information, if
167 tblock points to the transport instance
168 addrlist addresses about to be delivered (not used)
169 dummy not used (doesn't pass back data)
170 uid the uid that will be set (not used)
171 gid the gid that will be set (not used)
172 errmsg where to put an error message
174 Returns: OK, FAIL, or DEFER
181 appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
182 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
184 appendfile_transport_options_block *ob =
185 (appendfile_transport_options_block *)(tblock->options_block);
186 uschar *q = ob->quota;
187 double default_value = 0.0;
189 addrlist = addrlist; /* Keep picky compilers happy */
194 /* we can't wait until we're not privileged anymore */
197 if (ob->expand_maildir_use_size_file)
198 ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
199 US"`maildir_use_size_file` in transport", tblock->name);
201 /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
204 for (int i = 0; i < 5; i++)
206 double d = default_value;
208 uschar *which = NULL;
214 if (!(s = expand_string(q)))
216 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
217 "%s", q, tblock->name, expand_string_message);
218 return f.search_find_defer ? DEFER : FAIL;
221 d = Ustrtod(s, &rest);
223 /* Handle following characters K, M, G, %, the latter being permitted
224 for quota_warn_threshold only. A threshold with no quota setting is
227 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
228 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
229 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
230 else if (*rest == '%' && i == 2)
232 if (ob->quota_value <= 0 && !ob->maildir_use_size_file)
234 else if ((int)d < 0 || (int)d > 100)
236 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
237 " for %s transport", (int)d, tblock->name);
240 ob->quota_warn_threshold_is_percent = TRUE;
245 /* For quota and quota_filecount there may be options
246 appended. Currently only "no_check", so we can be lazy parsing it */
247 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
250 rest += sizeof("/no_check") - 1;
253 Uskip_whitespace(&rest);
257 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
258 "in %s transport", s, q, tblock->name);
263 /* Set each value, checking for possible overflow. */
268 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
270 ob->quota_value = (off_t)d;
271 ob->quota_no_check = no_check;
272 q = ob->quota_filecount;
276 if (d >= 2.0*1024.0*1024.0*1024.0)
277 which = US"quota_filecount";
278 ob->quota_filecount_value = (int)d;
279 ob->quota_filecount_no_check = no_check;
280 q = ob->quota_warn_threshold;
284 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
285 which = US"quota_warn_threshold";
286 ob->quota_warn_threshold_value = (off_t)d;
287 q = ob->mailbox_size_string;
288 default_value = -1.0;
292 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
293 which = US"mailbox_size";;
294 ob->mailbox_size_value = (off_t)d;
295 q = ob->mailbox_filecount_string;
299 if (d >= 2.0*1024.0*1024.0*1024.0)
300 which = US"mailbox_filecount";
301 ob->mailbox_filecount_value = (int)d;
307 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
308 "%s transport", which, d, tblock->name);
318 /*************************************************
319 * Initialization entry point *
320 *************************************************/
322 /* Called for each instance, after its options have been read, to
323 enable consistency checks to be done, or anything else that needs
327 appendfile_transport_init(transport_instance *tblock)
329 appendfile_transport_options_block *ob =
330 (appendfile_transport_options_block *)(tblock->options_block);
333 /* Set up the setup entry point, to be called in the privileged state */
335 tblock->setup = appendfile_transport_setup;
337 /* Lock_retries must be greater than zero */
339 if (ob->lock_retries == 0) ob->lock_retries = 1;
341 /* Only one of a file name or directory name must be given. */
343 if (ob->filename && ob->dirname)
344 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
345 "only one of \"file\" or \"directory\" can be specified", tblock->name);
347 /* If a file name was specified, neither quota_filecount nor quota_directory
352 if (ob->quota_filecount)
353 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
354 "quota_filecount must not be set without \"directory\"", tblock->name);
355 if (ob->quota_directory)
356 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
357 "quota_directory must not be set without \"directory\"", tblock->name);
360 /* The default locking depends on whether MBX is set or not. Change the
361 built-in default if none of the lock options has been explicitly set. At least
362 one form of locking is required in all cases, but mbx locking changes the
363 meaning of fcntl and flock locking. */
365 /* Not all operating systems provide flock(). For those that do, if flock is
366 requested, the default for fcntl is FALSE. */
371 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
372 "flock() support was not available in the operating system when this "
373 "binary was built", tblock->name);
374 #endif /* NO_FLOCK */
375 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
380 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
381 !ob->set_use_mbx_lock)
383 ob->use_lockfile = ob->use_flock = FALSE;
384 ob->use_mbx_lock = ob->use_fcntl = TRUE;
386 else if (ob->use_mbx_lock)
388 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
389 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
390 if (!ob->set_use_flock) ob->use_flock = FALSE;
391 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
393 #endif /* SUPPORT_MBX */
395 if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
396 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
397 "no locking configured", tblock->name);
399 /* Unset timeouts for non-used locking types */
401 if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
402 if (!ob->use_flock) ob->lock_flock_timeout = 0;
404 /* If a directory name was specified, only one of maildir or mailstore may be
405 specified, and if quota_filecount or quota_directory is given, quota must
410 if (ob->maildir_format && ob->mailstore_format)
411 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
412 "only one of maildir and mailstore may be specified", tblock->name);
413 if (ob->quota_filecount != NULL && ob->quota == NULL)
414 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
415 "quota must be set if quota_filecount is set", tblock->name);
416 if (ob->quota_directory != NULL && ob->quota == NULL)
417 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
418 "quota must be set if quota_directory is set", tblock->name);
421 /* If a fixed uid field is set, then a gid field must also be set. */
423 if (tblock->uid_set && !tblock->gid_set && !tblock->expand_gid)
424 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
425 "user set without group for the %s transport", tblock->name);
427 /* If "create_file" is set, check that a valid option is given, and set the
430 if ((s = ob->create_file_string ) && *s)
433 if (Ustrcmp(s, "anywhere") == 0) val = create_anywhere;
434 else if (*s == '/' || Ustrcmp(s, "belowhome") == 0) val = create_belowhome;
435 else if (Ustrcmp(s, "inhome") == 0) val = create_inhome;
437 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
438 "invalid value given for \"file_create\" for the %s transport: '%s'",
440 ob->create_file = val;
443 /* If quota_warn_threshold is set, set up default for warn_message. It may
444 not be used if the actual threshold for a given delivery ends up as zero,
445 of if it's given as a percentage and there's no quota setting. */
447 if (ob->quota_warn_threshold)
449 if (!tblock->warn_message) tblock->warn_message = US
450 "To: $local_part@$domain\n"
451 "Subject: Your mailbox\n\n"
452 "This message is automatically created by mail delivery software (Exim).\n\n"
453 "The size of your mailbox has exceeded a warning threshold that is\n"
454 "set by the system administrator.\n";
457 /* If batch SMTP is set, force the check and escape strings, and arrange that
458 headers are also escaped. */
462 ob->check_string = US".";
463 ob->escape_string = US"..";
464 ob->options |= topt_escape_headers;
467 /* If not batch SMTP, not maildir, not mailstore, and directory is not set,
468 insert default values for for the affixes and the check/escape strings. */
470 else if (!ob->dirname && !ob->maildir_format && !ob->mailstore_format)
472 if (!ob->message_prefix) ob->message_prefix =
473 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
474 if (!ob->message_suffix) ob->message_suffix = US"\n";
475 if (!ob->check_string) ob->check_string = US"From ";
476 if (!ob->escape_string) ob->escape_string = US">From ";
480 /* Set up the bitwise options for transport_write_message from the various
481 driver options. Only one of body_only and headers_only can be set. */
484 (tblock->body_only ? topt_no_headers : 0) |
485 (tblock->headers_only ? topt_no_body : 0) |
486 (tblock->return_path_add ? topt_add_return_path : 0) |
487 (tblock->delivery_date_add ? topt_add_delivery_date : 0) |
488 (tblock->envelope_to_add ? topt_add_envelope_to : 0) |
489 ((ob->use_crlf || ob->mbx_format) ? topt_use_crlf : 0);
494 /*************************************************
496 *************************************************/
498 /* The comsat daemon is the thing that provides asynchronous notification of
499 the arrival of local messages, if requested by the user by "biff y". It is a
500 BSD thing that uses a TCP/IP protocol for communication. A message consisting
501 of the text "user@offset" must be sent, where offset is the place in the
502 mailbox where new mail starts. There is no scope for telling it which file to
503 look at, which makes it a less than useful if mail is being delivered into a
504 non-standard place such as the user's home directory. In fact, it doesn't seem
505 to pay much attention to the offset.
509 offset offset in mailbox
515 notify_comsat(uschar *user, off_t offset)
521 DEBUG(D_transport) debug_printf("notify_comsat called\n");
523 s = string_sprintf("%.200s@" OFF_T_FMT "\n", user, offset);
525 if ((sp = getservbyname("biff", "udp")) == NULL)
527 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
531 host.name = US"localhost";
535 /* This code is all set up to look up "localhost" and use all its addresses
536 until one succeeds. However, it appears that at least on some systems, comsat
537 doesn't listen on the ::1 address. So for the moment, just force the address to
538 be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
539 can be changed. (But actually, comsat is probably dying out anyway.) */
542 if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
544 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
549 host.address = US"127.0.0.1";
552 for (host_item * h = &host; h; h = h->next)
555 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
557 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
559 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
561 /* Connect never fails for a UDP socket, so don't set a timeout. */
563 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, NULL);
564 rc = send(sock, s, Ustrlen(s) + 1, 0);
569 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
576 /*************************************************
577 * Check the format of a file *
578 *************************************************/
580 /* This function is called when file_format is set, to check that an existing
581 file has the right format. The format string contains text/transport pairs. The
582 string matching is literal. we just read big_buffer_size bytes, because this is
583 all about the first few bytes of a file.
587 tblock the transport block
588 addr the address block - for inserting error data
590 Returns: pointer to the required transport, or NULL
594 check_file_format(int cfd, transport_instance *tblock, address_item *addr)
596 const uschar *format =
597 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
599 int len = read(cfd, data, sizeof(data));
603 DEBUG(D_transport) debug_printf("checking file format\n");
605 /* An empty file matches the current transport */
607 if (len == 0) return tblock;
609 /* Search the formats for a match */
611 /* not expanded so cannot be tainted */
612 while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size)))
614 int slen = Ustrlen(s);
615 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
616 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
620 for (transport_instance * tt = transports; tt; tt = tt->next)
621 if (Ustrcmp(tp, tt->name) == 0)
624 debug_printf("file format -> %s transport\n", tt->name);
627 addr->basic_errno = ERRNO_BADTRANSPORT;
628 addr->message = string_sprintf("%s transport (for %.*s format) not found",
634 /* Failed to find a match */
636 addr->basic_errno = ERRNO_FORMATUNKNOWN;
637 addr->message = US"mailbox file format unrecognized";
644 /*************************************************
645 * Check directory's files for quota *
646 *************************************************/
648 /* This function is called if quota is set for one of the delivery modes that
649 delivers into a specific directory. It scans the directory and stats all the
650 files in order to get a total size and count. This is an expensive thing to do,
651 but some people are prepared to bear the cost. Alternatively, if size_regex is
652 set, it is used as a regex to try to extract the size from the file name, a
653 strategy that some people use on maildir files on systems where the users have
656 The function is global, because it is also called from tf_maildir.c for maildir
657 folders (which should contain only regular files).
659 Note: Any problems can be written to debugging output, but cannot be written to
660 the log, because we are running as an unprivileged user here.
663 dirname the name of the directory
664 countptr where to add the file count (because this function recurses)
665 re a compiled regex to get the size from a name
667 Returns: the sum of the sizes of the stattable files
668 zero if the directory cannot be opened
672 check_dir_size(const uschar * dirname, int * countptr, const pcre2_code * re)
676 int count = *countptr;
678 if (!(dir = exim_opendir(dirname))) return 0;
680 for (struct dirent *ent; ent = readdir(dir); )
682 uschar * path, * name = US ent->d_name;
685 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
689 /* If there's a regex, try to find the size using it */
693 pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx);
694 int rc = pcre2_match(re, (PCRE2_SPTR)name, PCRE2_ZERO_TERMINATED,
695 0, 0, md, pcre_mtc_ctx);
696 PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
698 && (rc = pcre2_get_ovector_count(md)) >= 2)
701 off_t size = (off_t)Ustrtod(name + ovec[2], &endptr);
702 if (endptr == name + ovec[3])
706 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
712 debug_printf("check_dir_size: regex did not match %s\n", name);
715 /* No regex or no match for the regex, or captured non-digits */
717 path = string_sprintf("%s/%s", dirname, name);
719 if (Ustat(path, &statbuf) < 0)
722 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, path,
726 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
727 sum += statbuf.st_size / statbuf.st_nlink;
728 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
729 sum += check_dir_size(path, &count, re);
734 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
744 /*************************************************
745 * Apply a lock to a file descriptor *
746 *************************************************/
748 /* This function applies a lock to a file descriptor, using a blocking or
749 non-blocking lock, depending on the timeout value. It can apply either or
750 both of a fcntl() and a flock() lock. However, not all OS support flock();
751 for those that don't, the use_flock option cannot be set.
754 fd the file descriptor
755 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
756 fcntl() format); the flock() type is deduced if needed
757 dofcntl do fcntl() locking
758 fcntltime non-zero to use blocking fcntl()
759 doflock do flock() locking
760 flocktime non-zero to use blocking flock()
762 Returns: yield of the fcntl() or flock() call, with errno preserved;
763 sigalrm_seen set if there has been a timeout
767 apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
772 struct flock lock_data;
773 lock_data.l_type = fcntltype;
774 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
776 sigalrm_seen = FALSE;
783 yield = fcntl(fd, F_SETLKW, &lock_data);
788 else yield = fcntl(fd, F_SETLK, &lock_data);
792 if (doflock && (yield >= 0))
794 int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH;
798 yield = flock(fd, flocktype);
803 else yield = flock(fd, flocktype | LOCK_NB);
805 #endif /* NO_FLOCK */
814 /*************************************************
815 * Copy message into MBX mailbox *
816 *************************************************/
818 /* This function is called when a message intended for a MBX mailbox has been
819 written to a temporary file. We can now get the size of the message and then
820 copy it in MBX format to the mailbox.
823 to_fd fd to write to (the real mailbox)
824 from_fd fd to read from (the temporary file)
825 saved_size current size of mailbox
827 Returns: OK if all went well, DEFER otherwise, with errno preserved
828 the number of bytes written are added to transport_count
829 by virtue of calling transport_write_block()
832 /* Values taken from c-client */
834 #define MBX_HDRSIZE 2048
835 #define MBX_NUSERFLAGS 30
838 copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
843 transport_ctx tctx = { .u={.fd = to_fd}, .options = topt_not_socket };
845 /* If the current mailbox size is zero, write a header block */
850 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
851 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
852 (long int)time(NULL));
853 for (int i = 0; i < MBX_NUSERFLAGS; i++)
854 sprintf (CS(s += Ustrlen(s)), "\015\012");
855 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
859 DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
861 /* Now construct the message's header from the time and the RFC822 file
862 size, including CRLFs, which is the size of the input (temporary) file. */
864 if (fstat(from_fd, &statbuf) < 0) return DEFER;
865 size = statbuf.st_size;
867 sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
868 tod_stamp(tod_mbx), size, 0L, 0, 0);
869 used = Ustrlen(deliver_out_buffer);
871 /* Rewind the temporary file, and copy it over in chunks. */
873 if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
877 int len = read(from_fd, deliver_out_buffer + used,
878 DELIVER_OUT_BUFFER_SIZE - used);
881 if (len == 0) errno = ERRNO_MBXLENGTH;
884 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
892 #endif /* SUPPORT_MBX */
896 /*************************************************
897 * Check creation is permitted *
898 *************************************************/
900 /* This function checks whether a given file name is permitted to be created,
901 as controlled by the create_file option. If no home directory is set, however,
902 we can't do any tests.
905 filename the file name
906 create_file the ob->create_file option
907 deliver_dir the delivery directory
909 Returns: TRUE if creation is permitted
913 check_creation(uschar *filename, int create_file, const uschar * deliver_dir)
917 if (deliver_dir && create_file != create_anywhere)
919 int len = Ustrlen(deliver_dir);
920 uschar *file = filename;
922 while (file[0] == '/' && file[1] == '/') file++;
923 if ( Ustrncmp(file, deliver_dir, len) != 0
925 || Ustrchr(file+len+2, '/') != NULL
926 && ( create_file != create_belowhome
927 || Ustrstr(file+len, "/../") != NULL
931 /* If yield is TRUE, the file name starts with the home directory, and does
932 not contain any instances of "/../" in the "belowhome" case. However, it may
933 still contain symbolic links. We can check for this by making use of
934 realpath(), which most Unixes seem to have (but make it possible to cut this
935 out). We can't just use realpath() on the whole file name, because we know
936 the file itself doesn't exist, and intermediate directories may also not
937 exist. What we want to know is the real path of the longest existing part of
938 the path. That must match the home directory's beginning, whichever is the
942 if (yield && create_file == create_belowhome)
946 for (uschar * slash = Ustrrchr(file, '/'); /* There is known to be one */
947 !rp && slash > file; /* Stop if reached beginning */
951 rp = US realpath(CS file, CS big_buffer);
952 next = Ustrrchr(file, '/');
956 /* If rp == NULL it means that none of the relevant directories exist.
957 This is not a problem here - it means that no symbolic links can exist,
958 which is all we are worried about. Otherwise, we must compare it
959 against the start of the home directory. However, that may itself
960 contain symbolic links, so we have to "realpath" it as well, if
965 uschar hdbuffer[PATH_MAX+1];
966 const uschar * rph = deliver_dir;
967 int rlen = Ustrlen(big_buffer);
969 if ((rp = US realpath(CS deliver_dir, CS hdbuffer)))
975 if (rlen > len) rlen = len;
976 if (Ustrncmp(rph, big_buffer, rlen) != 0)
979 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
980 big_buffer, deliver_dir);
984 #endif /* NO_REALPATH */
992 /*************************************************
994 *************************************************/
996 /* See local README for general interface details. This transport always
997 returns FALSE, indicating that the status which has been placed in the first
998 address should be copied to any other addresses in a batch.
1000 Appendfile delivery is tricky and has led to various security problems in other
1001 mailers. The logic used here is therefore laid out in some detail. When this
1002 function is called, we are running in a subprocess which has had its gid and
1003 uid set to the appropriate values. Therefore, we cannot write directly to the
1004 exim logs. Any errors must be handled by setting appropriate return codes.
1005 Note that the default setting for addr->transport_return is DEFER, so it need
1006 not be set unless some other value is required.
1008 The code below calls geteuid() rather than getuid() to get the current uid
1009 because in weird configurations not running setuid root there may be a
1010 difference. In the standard configuration, where setuid() has been used in the
1011 delivery process, there will be no difference between the uid and the euid.
1013 (1) If the af_file flag is set, this is a delivery to a file after .forward or
1014 alias expansion. Otherwise, there must be a configured file name or
1017 The following items apply in the case when a file name (as opposed to a
1018 directory name) is given, that is, when appending to a single file:
1020 (2f) Expand the file name.
1022 (3f) If the file name is /dev/null, return success (optimization).
1024 (4f) If the file_format options is set, open the file for reading, and check
1025 that the bytes at the start of the file match one of the given strings.
1026 If the check indicates a transport other than the current one should be
1027 used, pass control to that other transport. Otherwise continue. An empty
1028 or non-existent file matches the current transport. The file is closed
1031 (5f) If a lock file is required, create it (see extensive separate comments
1032 below about the algorithm for doing this). It is important to do this
1033 before opening the mailbox if NFS is in use.
1035 (6f) Stat the file, using lstat() rather than stat(), in order to pick up
1036 details of any symbolic link.
1038 (7f) If the file already exists:
1040 Check the owner and group if necessary, and defer if they are wrong.
1042 If it is a symbolic link AND the allow_symlink option is set (NOT the
1043 default), go back to (6f) but this time use stat() instead of lstat().
1045 If it's not a regular file (or FIFO when permitted), defer delivery.
1047 Check permissions. If the required permissions are *less* than the
1048 existing ones, or supplied by the address (often by the user via filter),
1049 chmod() the file. Otherwise, defer.
1051 Save the inode number.
1053 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1055 If open fails because the file does not exist, go to (6f); on any other
1058 Check the inode number hasn't changed - I realize this isn't perfect (an
1059 inode can be reused) but it's cheap and will catch some of the races.
1061 Check it's still a regular file (or FIFO if permitted).
1063 Check that the owner and permissions haven't changed.
1065 If file_format is set, check that the file still matches the format for
1066 the current transport. If not, defer delivery.
1068 (8f) If file does not exist initially:
1070 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1071 this is via a symbolic link (only possible if allow_symlinks is set), in
1072 which case don't use O_EXCL, as it doesn't work.
1074 If open fails because the file already exists, go to (6f). To avoid
1075 looping for ever in a situation where the file is continuously being
1076 created and deleted, all of this happens inside a loop that operates
1077 lock_retries times and includes the fcntl and flock locking. If the
1078 loop completes without the file getting opened, defer and request
1079 freezing, because something really weird is happening.
1081 If open fails for any other reason, defer for subsequent delivery except
1082 when this is a file delivery resulting from an alias or forward expansion
1083 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1084 most likely a user rather than a configuration error.
1086 (9f) We now have the file checked and open for writing. If so configured, lock
1087 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1088 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1089 still fails, give up and defer delivery.
1091 (10f)Save the access time (for subsequent restoration) and the size of the
1092 file, for comsat and for re-setting if delivery fails in the middle -
1093 e.g. for quota exceeded.
1095 The following items apply in the case when a directory name is given:
1097 (2d) Create a new file in the directory using a temporary name, by opening for
1098 writing and with O_CREAT. If maildir format is being used, the file
1099 is created in a temporary subdirectory with a prescribed name. If
1100 mailstore format is being used, the envelope file is first created with a
1101 temporary name, then the data file.
1103 The following items apply in all cases:
1105 (11) We now have the file open for writing, and locked if it was given as a
1106 file name. Write the message and flush the file, unless there is a setting
1107 of the local quota option, in which case we can check for its excession
1108 without doing any writing.
1110 In the case of MBX format mailboxes, the message is first written to a
1111 temporary file, in order to get its correct length. This is then copied to
1112 the real file, preceded by an MBX header.
1114 If there is a quota error on writing, defer the address. Timeout logic
1115 will determine for how long retries are attempted. We restore the mailbox
1116 to its original length if it's a single file. There doesn't seem to be a
1117 uniform error code for quota excession (it even differs between SunOS4
1118 and some versions of SunOS5) so a system-dependent macro called
1119 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1122 For any other error (most commonly disk full), do the same.
1124 The following applies after appending to a file:
1126 (12f)Restore the atime; notify_comsat if required; close the file (which
1127 unlocks it if it was locked). Delete the lock file if it exists.
1129 The following applies after writing a unique file in a directory:
1131 (12d)For maildir format, rename the file into the new directory. For mailstore
1132 format, rename the envelope file to its correct name. Otherwise, generate
1133 a unique name from the directory_file option, and rename to that, possibly
1134 trying a few times if the file exists and re-expanding the name gives a
1137 This transport yields FAIL only when a file name is generated by an alias or
1138 forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1139 All other failures return DEFER (in addr->transport_return). */
1143 appendfile_transport_entry(
1144 transport_instance *tblock, /* data for this instantiation */
1145 address_item *addr) /* address we are working on */
1147 appendfile_transport_options_block *ob =
1148 (appendfile_transport_options_block *)(tblock->options_block);
1149 struct stat statbuf;
1150 const uschar * deliver_dir;
1151 uschar *fdname = NULL;
1152 uschar *filename = NULL;
1153 uschar *hitchname = NULL;
1154 uschar *dataname = NULL;
1155 uschar *lockname = NULL;
1156 uschar *newname = NULL;
1157 uschar *nametag = NULL;
1159 uschar *filecount_msg = US"";
1161 struct utimbuf times;
1162 struct timeval msg_tv;
1163 BOOL disable_quota = FALSE;
1164 BOOL isdirectory = FALSE;
1165 BOOL isfifo = FALSE;
1166 BOOL wait_for_tick = FALSE;
1167 uid_t uid = geteuid(); /* See note above */
1168 gid_t gid = getegid();
1170 int mode = (addr->mode > 0) ? addr->mode : ob->mode;
1171 off_t saved_size = -1;
1172 off_t mailbox_size = ob->mailbox_size_value;
1173 int mailbox_filecount = ob->mailbox_filecount_value;
1181 int mbx_lockfd = -1;
1182 uschar mbx_lockname[40];
1183 FILE *temp_file = NULL;
1184 #endif /* SUPPORT_MBX */
1186 #ifdef SUPPORT_MAILDIR
1187 int maildirsize_fd = -1; /* fd for maildirsize file */
1188 int maildir_save_errno;
1192 DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1194 /* An "address_file" or "address_directory" transport is used to deliver to
1195 files specified via .forward or an alias file. Prior to release 4.20, the
1196 "file" and "directory" options were ignored in this case. This has been changed
1197 to allow the redirection data to specify what is in effect a folder, whose
1198 location is determined by the options on the transport.
1200 Compatibility with the case when neither option is set is retained by forcing a
1201 value for the file or directory name. A directory delivery is assumed if the
1202 last character of the path from the router is '/'.
1204 The file path is in the local part of the address, but not in the $local_part
1205 variable (that holds the parent local part). It is, however, in the
1206 $address_file variable. Below, we update the local part in the address if it
1207 changes by expansion, so that the final path ends up in the log. */
1209 if (testflag(addr, af_file) && !ob->filename && !ob->dirname)
1211 fdname = US"$address_file";
1212 if (address_file[Ustrlen(address_file)-1] == '/' ||
1213 ob->maildir_format ||
1214 ob->mailstore_format)
1218 /* Handle (a) an "address file" delivery where "file" or "directory" is
1219 explicitly set and (b) a non-address_file delivery, where one of "file" or
1220 "directory" must be set; initialization ensures that they are not both set. */
1224 if (!(fdname = ob->filename))
1226 fdname = ob->dirname;
1231 addr->message = string_sprintf("Mandatory file or directory option "
1232 "missing from %s transport", tblock->name);
1237 /* Maildir and mailstore require a directory */
1239 if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1241 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1242 "to be specified for the %s transport",
1243 ob->maildir_format ? "dir" : "store", tblock->name);
1247 if (!(path = expand_string(fdname)))
1249 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1250 "name for %s transport) failed: %s", fdname, tblock->name,
1251 expand_string_message);
1257 addr->message = string_sprintf("appendfile: file or directory name "
1258 "\"%s\" is not absolute", path);
1259 addr->basic_errno = ERRNO_NOTABSOLUTE;
1263 /* For a file delivery, make sure the local part in the address(es) is updated
1264 to the true local part. */
1266 if (testflag(addr, af_file))
1267 for (address_item * addr2 = addr; addr2; addr2 = addr2->next)
1268 addr2->local_part = string_copy(path);
1270 /* The available mailbox formats depend on whether it is a directory or a file
1276 #ifdef SUPPORT_MAILDIR
1277 ob->maildir_format ? mbf_maildir :
1279 #ifdef SUPPORT_MAILSTORE
1280 ob->mailstore_format ? mbf_mailstore :
1288 ob->mbx_format ? mbf_mbx :
1295 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1297 " warning=" OFF_T_FMT "%s\n"
1298 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1299 "maildir_use_size_file=%s\n",
1300 mode, ob->notify_comsat, ob->quota_value,
1301 ob->quota_no_check ? " (no_check)" : "",
1302 ob->quota_filecount_no_check ? " (no_check_filecount)" : "",
1303 ob->quota_warn_threshold_value,
1304 ob->quota_warn_threshold_is_percent ? "%" : "",
1305 isdirectory ? "directory" : "file",
1306 path, mailbox_formats[mbformat],
1307 !ob->message_prefix ? US"null" : string_printing(ob->message_prefix),
1308 !ob->message_suffix ? US"null" : string_printing(ob->message_suffix),
1309 ob->maildir_use_size_file ? "yes" : "no");
1311 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1312 ob->use_lockfile ? "lockfile " : "",
1313 ob->use_mbx_lock ? "mbx locking (" : "",
1314 ob->use_fcntl ? "fcntl " : "",
1315 ob->use_flock ? "flock" : "",
1316 ob->use_mbx_lock ? ")" : "");
1319 /* If the -N option is set, can't do any more. */
1324 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1326 addr->transport_return = OK;
1330 /* If an absolute path was given for create_file the it overrides deliver_home
1331 (here) and de-taints the filename (below, after check_creation() */
1333 deliver_dir = *ob->create_file_string == '/'
1334 ? ob->create_file_string : deliver_home;
1336 /* Handle the case of a file name. If the file name is /dev/null, we can save
1337 ourselves some effort and just give a success return right away. */
1341 BOOL use_lstat = TRUE;
1342 BOOL file_opened = FALSE;
1343 BOOL allow_creation_here = TRUE;
1345 if (Ustrcmp(path, "/dev/null") == 0)
1347 addr->transport_return = OK;
1351 /* Set the name of the file to be opened, and the file to which the data
1352 is written, and find out if we are permitted to create a non-existent file.
1353 If the create_file option is an absolute path and the file was within it,
1354 de-taint. Chaeck for a tainted path. */
1356 if ( (allow_creation_here = check_creation(path, ob->create_file, deliver_dir))
1357 && ob->create_file == create_belowhome)
1358 if (is_tainted(path))
1360 DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
1361 path = string_copy_taint(path, FALSE);
1364 if (is_tainted(path)) goto tainted_ret_panic;
1365 dataname = filename = path;
1367 /* If ob->create_directory is set, attempt to create the directories in
1368 which this mailbox lives, but only if we are permitted to create the file
1369 itself. We know we are dealing with an absolute path, because this was
1372 if (ob->create_directory && allow_creation_here)
1374 uschar *p = Ustrrchr(path, '/');
1375 p = string_copyn(path, p - path);
1376 if (!directory_make(NULL, p, ob->dirmode, FALSE))
1378 addr->basic_errno = errno;
1380 string_sprintf("failed to create directories for %s: %s", path,
1381 exim_errstr(errno));
1382 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1387 /* If file_format is set we must check that any existing file matches one of
1388 the configured formats by checking the bytes it starts with. A match then
1389 indicates a specific transport - if it is not this one, pass control to it.
1390 Otherwise carry on here. An empty or non-existent file matches the current
1391 transport. We don't need to distinguish between non-existence and other open
1392 failures because if an existing file fails to open here, it will also fail
1393 again later when O_RDWR is used. */
1395 if (ob->file_format)
1397 int cfd = Uopen(path, O_RDONLY, 0);
1400 transport_instance *tt = check_file_format(cfd, tblock, addr);
1403 /* If another transport is indicated, call it and return; if no transport
1404 was found, just return - the error data will have been set up.*/
1410 set_process_info("delivering %s to %s using %s", message_id,
1411 addr->local_part, tt->name);
1412 debug_print_string(tt->debug_string);
1413 addr->transport = tt;
1414 (tt->info->code)(tt, addr);
1421 /* The locking of mailbox files is worse than the naming of cats, which is
1422 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1423 three different names, so several different styles of locking are used.
1425 Research in other programs that lock mailboxes shows that there is no
1426 universally standard method. Having mailboxes NFS-mounted on the system that
1427 is delivering mail is not the best thing, but people do run like this,
1428 and so the code must do its best to cope.
1430 Three different locking mechanisms are supported. The initialization function
1431 checks that at least one is configured.
1435 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1436 will work over NFS. Only after that is done do we actually open the mailbox
1437 and apply locks to it (if configured).
1439 Originally, Exim got the file opened before doing anything about locking.
1440 However, a very occasional problem was observed on Solaris 2 when delivering
1441 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1442 gets remembered at open time. If another process on another host (that's
1443 important) has the file open and locked and writes to it and then releases
1444 the lock while the first process is waiting to get the lock, the first
1445 process may fail to write at the new end point of the file - despite the very
1446 definite statement about O_APPEND in the man page for write(). Experiments
1447 have reproduced this problem, but I do not know any way of forcing a host to
1448 update its attribute cache for an open NFS file. It would be nice if it did
1449 so when a lock was taken out, but this does not seem to happen. Anyway, to
1450 reduce the risk of this problem happening, we now create the lock file
1451 (if configured) *before* opening the mailbox. That will prevent two different
1452 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1453 however, but Pine at least seems to operate in the same way.
1455 Lockfiles should normally be used when NFS is involved, because of the above
1458 The logic for creating the lock file is:
1460 . The name of the lock file is <mailbox-name>.lock
1462 . First, create a "hitching post" name by adding the primary host name,
1463 current time and pid to the lock file name. This should be unique.
1465 . Create the hitching post file using WRONLY + CREAT + EXCL.
1467 . If that fails EACCES, we assume it means that the user is unable to create
1468 files in the mail spool directory. Some installations might operate in this
1469 manner, so there is a configuration option to allow this state not to be an
1470 error - we proceed to lock using fcntl only, after the file is open.
1472 . Otherwise, an error causes a deferment of the address.
1474 . Hard link the hitching post to the lock file name.
1476 . If the link succeeds, we have successfully created the lock file. Simply
1477 close and unlink the hitching post file.
1479 . If the link does not succeed, proceed as follows:
1481 o Fstat the hitching post file, and then close and unlink it.
1483 o Now examine the stat data. If the number of links to the file is exactly
1484 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1485 the return never made it back, so the link() function gave a failure
1488 . This method allows for the lock file to be created by some other process
1489 right up to the moment of the attempt to hard link it, and is also robust
1490 against NFS server crash-reboots, which would probably result in timeouts
1491 in the middle of link().
1493 . System crashes may cause lock files to get left lying around, and some means
1494 of flushing them is required. The approach of writing a pid (used by smail
1495 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1496 timeout, which seems a better approach. Since any program that writes to a
1497 mailbox using a lock file should complete its task very quickly, Pine
1498 removes lock files that are older than 5 minutes. We allow the value to be
1499 configurable on the transport.
1503 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1504 mailbox once it is open. This is done by default with a non-blocking lock.
1505 Failures to lock cause retries after a sleep, but only for a certain number
1506 of tries. A blocking lock is deliberately not used so that we don't hold the
1507 mailbox open. This minimizes the possibility of the NFS problem described
1508 under LOCK FILES above, if for some reason NFS deliveries are happening
1509 without lock files. However, the use of a non-blocking lock and sleep, though
1510 the safest approach, does not give the best performance on very busy systems.
1511 A blocking lock plus timeout does better. Therefore Exim has an option to
1512 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1513 enables the use of blocking fcntl() calls.
1517 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1518 same manner as for fcntl locking above. No-blocking/timeout is also set as
1519 above in lock_flock_timeout. Not all operating systems provide or support
1520 flock(). For those that don't (as determined by the definition of LOCK_SH in
1521 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1522 is implemented (not precisely) on top of fcntl(), which means there's no
1523 point in actually using it.
1527 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1528 then the rules used for locking in c-client are used. Exim takes out a shared
1529 lock on the mailbox file, and an exclusive lock on the file whose name is
1530 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1531 any other MBX client from getting an exclusive lock on it and expunging it.
1532 It also stops any other MBX client from unlinking the /tmp lock when it has
1535 The exclusive lock on the /tmp file prevents any other MBX client from
1536 updating the mailbox in any way. When writing is finished, if an exclusive
1537 lock on the mailbox can be obtained, indicating there are no current sharers,
1538 the /tmp file is unlinked.
1540 MBX locking can use either fcntl() or flock() locking. If neither
1541 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1542 The calls for getting these locks are by default non-blocking, as for non-mbx
1543 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1544 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1545 probably makes sense to set timeouts for any MBX deliveries. */
1548 /* Build a lock file if configured to do so - the existence of a lock
1549 file is subsequently checked by looking for a non-negative value of the
1550 file descriptor hd - even though the file is no longer open. */
1552 if (ob->use_lockfile)
1554 /* cf. exim_lock.c */
1555 lockname = string_sprintf("%s.lock", filename);
1556 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1557 (unsigned int)(time(NULL)), (unsigned int)getpid());
1559 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1562 /* Lock file creation retry loop */
1564 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1568 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1571 addr->basic_errno = errno;
1573 string_sprintf("creating lock file hitching post %s "
1574 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1575 (long int)getegid());
1579 /* Attempt to hitch the hitching post to the lock file. If link()
1580 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1581 file, and get rid of the hitching post. If the number of links was 2,
1582 the link was created, despite the failure of link(). If the hitch was
1583 not successful, try again, having unlinked the lock file if it is too
1586 There's a version of Linux (2.0.27) which doesn't update its local cache
1587 of the inode after link() by default - which many think is a bug - but
1588 if the link succeeds, this code will be OK. It just won't work in the
1589 case when link() fails after having actually created the link. The Linux
1590 NFS person is fixing this; a temporary patch is available if anyone is
1591 sufficiently worried. */
1593 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
1596 if (rc != 0 && statbuf.st_nlink != 2)
1598 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1599 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1601 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1604 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1608 DEBUG(D_transport) debug_printf("lock file created\n");
1612 /* Check for too many tries at creating the lock file */
1614 if (i >= ob->lock_retries)
1616 addr->basic_errno = ERRNO_LOCKFAILED;
1617 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1624 /* We now have to get the file open. First, stat() it and act on existence or
1625 non-existence. This is in a loop to handle the case of a file's being created
1626 or deleted as we watch, and also to handle retries when the locking fails.
1627 Rather than holding the file open while waiting for the fcntl() and/or
1628 flock() lock, we close and do the whole thing again. This should be safer,
1629 especially for NFS files, which might get altered from other hosts, making
1630 their cached sizes incorrect.
1632 With the default settings, no symlinks are permitted, but there is an option
1633 to permit symlinks for those sysadmins that know what they are doing.
1634 Shudder. However, insist that the initial symlink is owned by the right user.
1635 Thus lstat() is used initially; if a symlink is discovered, the loop is
1636 repeated such that stat() is used, to look at the end file. */
1638 for (i = 0; i < ob->lock_retries; i++)
1640 int sleep_before_retry = TRUE;
1641 file_opened = FALSE;
1643 if ((use_lstat ? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1645 /* Let's hope that failure to stat (other than non-existence) is a
1648 if (errno != ENOENT)
1650 addr->basic_errno = errno;
1651 addr->message = string_sprintf("attempting to stat mailbox %s",
1656 /* File does not exist. If it is required to pre-exist this state is an
1659 if (ob->file_must_exist)
1661 addr->basic_errno = errno;
1662 addr->message = string_sprintf("mailbox %s does not exist, "
1663 "but file_must_exist is set", filename);
1667 /* If not permitted to create this file because it isn't in or below
1668 the home directory, generate an error. */
1670 if (!allow_creation_here)
1672 addr->basic_errno = ERRNO_BADCREATE;
1673 addr->message = string_sprintf("mailbox %s does not exist, "
1674 "but creation outside the home directory is not permitted",
1679 /* Attempt to create and open the file. If open fails because of
1680 pre-existence, go round the loop again. For any other error, defer the
1681 address, except for an alias or forward generated file name with EPERM,
1682 ENOENT, or EACCES, as those are most likely to be user errors rather
1683 than Exim config errors. When a symbolic link is permitted and points
1684 to a non-existent file, we get here with use_lstat = FALSE. In this case
1685 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1686 consistency and because MBX locking requires it in order to be able to
1687 get a shared lock. */
1689 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1690 (use_lstat ? O_EXCL : 0), mode);
1693 if (errno == EEXIST) continue;
1694 addr->basic_errno = errno;
1695 addr->message = string_sprintf("while creating mailbox %s",
1697 if (testflag(addr, af_file) &&
1698 (errno == EPERM || errno == ENOENT || errno == EACCES))
1699 addr->transport_return = FAIL;
1703 /* We have successfully created and opened the file. Ensure that the group
1704 and the mode are correct. */
1706 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
1708 addr->basic_errno = errno;
1709 addr->message = string_sprintf("while setting perms on mailbox %s",
1711 addr->transport_return = FAIL;
1717 /* The file already exists. Test its type, ownership, and permissions, and
1718 save the inode for checking later. If symlinks are permitted (not the
1719 default or recommended state) it may be a symlink that already exists.
1720 Check its ownership and then look for the file at the end of the link(s).
1721 This at least prevents one user creating a symlink for another user in
1722 a sticky directory. */
1726 int oldmode = (int)statbuf.st_mode;
1727 ino_t inode = statbuf.st_ino;
1728 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1730 isfifo = FALSE; /* In case things are changing */
1732 /* Check owner if required - the default. */
1734 if (ob->check_owner && statbuf.st_uid != uid)
1736 addr->basic_errno = ERRNO_BADUGID;
1737 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1738 "(%ld != %ld)", filename,
1739 islink ? " (symlink)" : "",
1740 (long int)(statbuf.st_uid), (long int)uid);
1744 /* Group is checked only if check_group is set. */
1746 if (ob->check_group && statbuf.st_gid != gid)
1748 addr->basic_errno = ERRNO_BADUGID;
1749 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1750 filename, islink ? " (symlink)" : "", statbuf.st_gid, gid);
1754 /* Just in case this is a sticky-bit mail directory, we don't want
1755 users to be able to create hard links to other users' files. */
1757 if (statbuf.st_nlink != 1)
1759 addr->basic_errno = ERRNO_NOTREGULAR;
1760 addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
1761 filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink);
1766 /* If symlinks are permitted (not recommended), the lstat() above will
1767 have found the symlink. Its ownership has just been checked; go round
1768 the loop again, using stat() instead of lstat(). That will never yield a
1771 if (islink && ob->allow_symlink)
1774 i--; /* Don't count this time round */
1778 /* An actual file exists. Check that it is a regular file, or FIFO
1781 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1783 else if ((oldmode & S_IFMT) != S_IFREG)
1785 addr->basic_errno = ERRNO_NOTREGULAR;
1786 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1787 filename, ob->allow_fifo ? " or named pipe" : "");
1791 /* If the mode is not what it would be for a newly created file, change
1792 the permissions if the mode is supplied for the address. Otherwise,
1793 reduce but do not extend the permissions. If the newly created
1794 permissions are greater than the existing permissions, don't change
1795 things when the mode is not from the address. */
1797 if ((oldmode &= 07777) != mode)
1799 int diffs = oldmode ^ mode;
1800 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1802 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1803 if (Uchmod(filename, mode) < 0)
1805 addr->basic_errno = errno;
1806 addr->message = string_sprintf("attempting to chmod mailbox %s",
1813 /* Mode not from address, and newly-created permissions are greater
1814 than existing permissions. Default is to complain, but it can be
1815 configured to go ahead and try to deliver anyway if that's what
1816 the administration wants. */
1818 else if (ob->mode_fail_narrower)
1820 addr->basic_errno = ERRNO_BADMODE;
1821 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1822 "(%o expected)", filename, oldmode, mode);
1827 /* We are happy with the existing file. Open it, and then do further
1828 tests to ensure that it is the same file that we were just looking at.
1829 If the file does not now exist, restart this loop, going back to using
1830 lstat again. For an NFS error, just defer; other opening errors are
1831 more serious. The file is opened RDWR so that its format can be checked,
1832 and also MBX locking requires the use of a shared (read) lock. However,
1833 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1834 reading the pipe. */
1836 fd = Uopen(filename, isfifo ? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1840 if (errno == ENOENT)
1845 addr->basic_errno = errno;
1847 addr->message = string_sprintf("while opening named pipe %s "
1848 "(could mean no process is reading it)", filename);
1849 else if (errno != EWOULDBLOCK)
1850 addr->message = string_sprintf("while opening mailbox %s", filename);
1854 /* This fstat really shouldn't fail, as we have an open file! There's a
1855 dilemma here. We use fstat in order to be sure we are peering at the file
1856 we have got open. However, that won't tell us if the file was reached
1857 via a symbolic link. We checked this above, but there is a race exposure
1858 if the link was created between the previous lstat and the open. However,
1859 it would have to be created with the same inode in order to pass the
1860 check below. If ob->allow_symlink is set, causing the use of stat rather
1861 than lstat above, symbolic links may be there anyway, and the checking is
1864 if (fstat(fd, &statbuf) < 0)
1866 addr->basic_errno = errno;
1867 addr->message = string_sprintf("attempting to stat open mailbox %s",
1872 /* Check the inode; this is isn't a perfect check, but gives some
1875 if (inode != statbuf.st_ino)
1877 addr->basic_errno = ERRNO_INODECHANGED;
1878 addr->message = string_sprintf("opened mailbox %s inode number changed "
1879 "from " INO_T_FMT " to " INO_T_FMT, filename, inode, statbuf.st_ino);
1880 addr->special_action = SPECIAL_FREEZE;
1884 /* Check it's still a regular file or FIFO, and the uid, gid, and
1885 permissions have not changed. */
1887 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1888 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1890 addr->basic_errno = ERRNO_NOTREGULAR;
1892 string_sprintf("opened mailbox %s is no longer a %s", filename,
1893 isfifo ? "named pipe" : "regular file");
1894 addr->special_action = SPECIAL_FREEZE;
1898 if ((ob->check_owner && statbuf.st_uid != uid) ||
1899 (ob->check_group && statbuf.st_gid != gid))
1901 addr->basic_errno = ERRNO_BADUGID;
1903 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1904 addr->special_action = SPECIAL_FREEZE;
1908 if ((statbuf.st_mode & 07777) != oldmode)
1910 addr->basic_errno = ERRNO_BADMODE;
1911 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
1912 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
1913 addr->special_action = SPECIAL_FREEZE;
1917 /* If file_format is set, check that the format of the file has not
1918 changed. Error data is set by the testing function. */
1920 if (ob->file_format && check_file_format(fd, tblock, addr) != tblock)
1922 addr->message = US"open mailbox has changed format";
1926 /* The file is OK. Carry on to do the locking. */
1929 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
1930 locking rules if configured to do so. If a lock file is also required, it
1931 was created above and hd was left >= 0. At least one form of locking is
1932 required by the initialization function. If locking fails here, close the
1933 file and go round the loop all over again, after waiting for a bit, unless
1934 blocking locking was used. */
1937 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
1938 sleep_before_retry = FALSE;
1940 /* Simple fcntl() and/or flock() locking */
1942 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
1944 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1945 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
1948 /* MBX locking rules */
1951 else if (ob->use_mbx_lock)
1954 struct stat lstatbuf, statbuf2;
1955 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1956 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
1957 fstat(fd, &statbuf) >= 0)
1959 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
1960 (long)statbuf.st_ino);
1963 * 2010-05-29: SECURITY
1964 * Dan Rosenberg reported the presence of a race-condition in the
1965 * original code here. Beware that many systems still allow symlinks
1966 * to be followed in /tmp so an attacker can create a symlink pointing
1967 * elsewhere between a stat and an open, which we should avoid
1970 * It's unfortunate that we can't just use all the heavily debugged
1971 * locking from above.
1973 * Also: remember to mirror changes into exim_lock.c */
1975 /* first leave the old pre-check in place, it provides better
1976 * diagnostics for common cases */
1977 if (Ulstat(mbx_lockname, &statbuf) >= 0)
1979 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1981 addr->basic_errno = ERRNO_LOCKFAILED;
1982 addr->message = string_sprintf("symbolic link on MBX lock file %s",
1986 if (statbuf.st_nlink > 1)
1988 addr->basic_errno = ERRNO_LOCKFAILED;
1989 addr->message = string_sprintf("hard link to MBX lock file %s",
1995 /* If we could just declare "we must be the ones who create this
1996 * file" then a hitching post in a subdir would work, since a
1997 * subdir directly in /tmp/ which we create wouldn't follow links
1998 * but this isn't our locking logic, so we can't safely change the
1999 * file existence rules. */
2001 /* On systems which support O_NOFOLLOW, it's the easiest and most
2002 * obviously correct security fix */
2003 mbx_tmp_oflags = O_RDWR | O_CREAT;
2005 mbx_tmp_oflags |= O_NOFOLLOW;
2007 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
2010 addr->basic_errno = ERRNO_LOCKFAILED;
2011 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2012 mbx_lockname, strerror(errno));
2016 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
2018 addr->basic_errno = ERRNO_LOCKFAILED;
2019 addr->message = string_sprintf("attempting to lstat open MBX "
2020 "lock file %s: %s", mbx_lockname, strerror(errno));
2023 if (fstat(mbx_lockfd, &statbuf2) < 0)
2025 addr->basic_errno = ERRNO_LOCKFAILED;
2026 addr->message = string_sprintf("attempting to stat fd of open MBX "
2027 "lock file %s: %s", mbx_lockname, strerror(errno));
2033 * statbuf: if exists, is file which existed prior to opening the
2034 * lockfile, might have been replaced since then
2035 * statbuf2: result of stat'ing the open fd, is what was actually
2037 * lstatbuf: result of lstat'ing the filename immediately after
2038 * the open but there's a race condition again between
2039 * those two steps: before open, symlink to foo, after
2040 * open but before lstat have one of:
2041 * * was no symlink, so is the opened file
2042 * (we created it, no messing possible after that point)
2044 * * symlink elsewhere
2045 * * hardlink elsewhere
2047 * Don't want to compare to device of /tmp because some modern systems
2048 * have regressed to having /tmp be the safe actual filesystem as
2049 * valuable data, so is mostly worthless, unless we assume that *only*
2050 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2051 * for further consideration.
2052 * No point in doing a readlink on the lockfile as that will always be
2053 * at a different point in time from when we open it, so tells us
2054 * nothing; attempts to clean up and delete after ourselves would risk
2055 * deleting a *third* filename.
2057 if ((statbuf2.st_nlink > 1) ||
2058 (lstatbuf.st_nlink > 1) ||
2059 (!S_ISREG(lstatbuf.st_mode)) ||
2060 (lstatbuf.st_dev != statbuf2.st_dev) ||
2061 (lstatbuf.st_ino != statbuf2.st_ino))
2063 addr->basic_errno = ERRNO_LOCKFAILED;
2064 addr->message = string_sprintf("RACE CONDITION detected: "
2065 "mismatch post-initial-checks between \"%s\" and opened "
2066 "fd lead us to abort!", mbx_lockname);
2070 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
2072 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2073 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2075 struct stat ostatbuf;
2077 /* This tests for a specific race condition. Ensure that we still
2078 have the same file. */
2080 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2081 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2082 statbuf.st_dev == ostatbuf.st_dev &&
2083 statbuf.st_ino == ostatbuf.st_ino)
2085 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2086 "between creation and locking\n", mbx_lockname);
2089 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2091 (void)close(mbx_lockfd);
2096 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2097 filename, strerror(errno));
2100 #endif /* SUPPORT_MBX */
2102 else break; /* No on-file locking required; break the open/lock loop */
2105 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2109 use_lstat = TRUE; /* Reset to use lstat first */
2112 /* If a blocking call timed out, break the retry loop if the total time
2113 so far is not less than than retries * interval. Use the larger of the
2114 flock() and fcntl() timeouts. */
2117 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2118 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2119 ob->lock_retries * ob->lock_interval)
2120 i = ob->lock_retries;
2122 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2123 flock() that caused the problem. */
2125 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2128 /* Test for exceeding the maximum number of tries. Either the file remains
2129 locked, or, if we haven't got it open, something is terribly wrong... */
2131 if (i >= ob->lock_retries)
2135 addr->basic_errno = ERRNO_EXISTRACE;
2136 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2137 addr->special_action = SPECIAL_FREEZE;
2141 addr->basic_errno = ERRNO_LOCKFAILED;
2142 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2148 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2150 /* Save access time (for subsequent restoration), modification time (for
2151 restoration if updating fails), size of file (for comsat and for re-setting if
2152 delivery fails in the middle - e.g. for quota exceeded). */
2154 if (fstat(fd, &statbuf) < 0)
2156 addr->basic_errno = errno;
2157 addr->message = string_sprintf("while fstatting opened mailbox %s",
2162 times.actime = statbuf.st_atime;
2163 times.modtime = statbuf.st_mtime;
2164 saved_size = statbuf.st_size;
2165 if (mailbox_size < 0) mailbox_size = saved_size;
2166 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2169 /* Prepare for writing to a new file (as opposed to appending to an old one).
2170 There are several different formats, but there is preliminary stuff concerned
2171 with quotas that applies to all of them. Finding the current size by directory
2172 scanning is expensive; for maildirs some fudges have been invented:
2174 (1) A regex can be used to extract a file size from its name;
2175 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2181 uschar *check_path; /* Default quota check path */
2182 const pcre2_code * re = NULL; /* Regex for file size from file name */
2184 if (!check_creation(string_sprintf("%s/any", path),
2185 ob->create_file, deliver_dir))
2187 addr->basic_errno = ERRNO_BADCREATE;
2188 addr->message = string_sprintf("tried to create file in %s, but "
2189 "file creation outside the home directory is not permitted", path);
2193 /* If the create_file option is an absolute path and the file was within
2194 it, de-taint. Otherwise check for taint. */
2196 if (is_tainted(path))
2197 if (ob->create_file == create_belowhome)
2199 DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
2200 path = string_copy_taint(path, FALSE);
2203 goto tainted_ret_panic;
2207 #ifdef SUPPORT_MAILDIR
2208 /* For a maildir delivery, ensure that all the relevant directories exist,
2209 and a maildirfolder file if necessary. */
2211 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
2212 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
2214 #endif /* SUPPORT_MAILDIR */
2216 /* If we are going to do a quota check, of if maildir_use_size_file is set
2217 for a maildir delivery, compile the regular expression if there is one. We
2218 may also need to adjust the path that is used. We need to do this for
2219 maildir_use_size_file even if the quota is unset, because we still want to
2220 create the file. When maildir support is not compiled,
2221 ob->maildir_use_size_file is always FALSE. */
2223 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2228 /* Compile the regex if there is one. */
2230 if (ob->quota_size_regex)
2232 if (!(re = pcre2_compile((PCRE2_SPTR)ob->quota_size_regex,
2233 PCRE2_ZERO_TERMINATED, PCRE_COPT, &err, &offset, pcre_cmp_ctx)))
2236 pcre2_get_error_message(err, errbuf, sizeof(errbuf));
2237 addr->message = string_sprintf("appendfile: regular expression "
2238 "error: %s at offset %l while compiling %s", errbuf, (long)offset,
2239 ob->quota_size_regex);
2242 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2243 ob->quota_size_regex);
2246 /* Use an explicitly configured directory if set */
2248 if (ob->quota_directory)
2250 if (!(check_path = expand_string(ob->quota_directory)))
2252 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2253 "name for %s transport) failed: %s", ob->quota_directory,
2254 tblock->name, expand_string_message);
2258 if (check_path[0] != '/')
2260 addr->message = string_sprintf("appendfile: quota_directory name "
2261 "\"%s\" is not absolute", check_path);
2262 addr->basic_errno = ERRNO_NOTABSOLUTE;
2267 #ifdef SUPPORT_MAILDIR
2268 /* Otherwise, if we are handling a maildir delivery, and the directory
2269 contains a file called maildirfolder, this is a maildir++ feature telling
2270 us that this is a sub-directory of the real inbox. We should therefore do
2271 the quota check on the parent directory. Beware of the special case when
2272 the directory name itself ends in a slash. */
2274 else if (mbformat == mbf_maildir)
2276 struct stat statbuf;
2277 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2279 uschar *new_check_path = string_copy(check_path);
2280 uschar *slash = Ustrrchr(new_check_path, '/');
2286 slash = Ustrrchr(new_check_path, '/');
2291 check_path = new_check_path;
2292 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2293 "quota check directory changed to %s\n", check_path);
2298 #endif /* SUPPORT_MAILDIR */
2301 /* If we are using maildirsize files, we need to ensure that such a file
2302 exists and, if necessary, recalculate its contents. As a byproduct of this,
2303 we obtain the current size of the maildir. If no quota is to be enforced
2304 (ob->quota_value == 0), we still need the size if a threshold check will
2307 Another regular expression is used to determine which directories inside the
2308 maildir are going to be counted. */
2310 #ifdef SUPPORT_MAILDIR
2311 if (ob->maildir_use_size_file)
2313 const pcre2_code * dir_regex = NULL;
2317 if (ob->maildir_dir_regex)
2319 int check_path_len = Ustrlen(check_path);
2321 if (!(dir_regex = pcre2_compile((PCRE2_SPTR)ob->maildir_dir_regex,
2322 PCRE2_ZERO_TERMINATED, PCRE_COPT, &err, &offset, pcre_cmp_ctx)))
2325 pcre2_get_error_message(err, errbuf, sizeof(errbuf));
2326 addr->message = string_sprintf("appendfile: regular expression "
2327 "error: %s at offset %l while compiling %s", errbuf, (long)offset,
2328 ob->maildir_dir_regex);
2333 debug_printf("using regex for maildir directory selection: %s\n",
2334 ob->maildir_dir_regex);
2336 /* Check to see if we are delivering into an ignored directory, that is,
2337 if the delivery path starts with the quota check path, and the rest
2338 of the deliver path matches the regex; if so, set a flag to disable quota
2339 checking and maildirsize updating. */
2341 if (Ustrncmp(path, check_path, check_path_len) == 0)
2343 uschar *s = path + check_path_len;
2344 while (*s == '/') s++;
2345 s = *s ? string_sprintf("%s/new", s) : US"new";
2346 if (!regex_match(dir_regex, s, -1, NULL))
2348 disable_quota = TRUE;
2349 DEBUG(D_transport) debug_printf("delivery directory does not match "
2350 "maildir_quota_directory_regex: disabling quota\n");
2355 /* Quota enforcement; create and check the file. There is some discussion
2356 about whether this should happen if the quota is unset. At present, Exim
2357 always creates the file. If we ever want to change this, uncomment
2358 appropriate lines below, possibly doing a check on some option. */
2360 /* if (???? || ob->quota_value > 0) */
2367 if ((maildirsize_fd = maildir_ensure_sizefile(check_path, ob, re, dir_regex,
2368 &size, &filecount)) == -1)
2370 addr->basic_errno = errno;
2371 addr->message = string_sprintf("while opening or reading "
2372 "%s/maildirsize", check_path);
2375 /* can also return -2, which means that the file was removed because of
2376 raciness; but in this case, the size & filecount will still have been
2379 if (mailbox_size < 0) mailbox_size = size;
2380 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2383 /* No quota enforcement; ensure file does *not* exist; calculate size if
2388 * time_t old_latest;
2389 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2390 * if (THRESHOLD_CHECK)
2391 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2392 * re, dir_regex, FALSE);
2397 #endif /* SUPPORT_MAILDIR */
2399 /* Otherwise if we are going to do a quota check later on, and the mailbox
2400 size is not set, find the current size of the mailbox. Ditto for the file
2401 count. Note that ob->quota_filecount_value cannot be set without
2402 ob->quota_value being set. */
2405 && (ob->quota_value > 0 || THRESHOLD_CHECK)
2406 && ( mailbox_size < 0
2407 || mailbox_filecount < 0 && ob->quota_filecount_value > 0
2413 debug_printf("quota checks on directory %s\n", check_path);
2414 size = check_dir_size(check_path, &filecount, re);
2415 if (mailbox_size < 0) mailbox_size = size;
2416 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2419 /* Handle the case of creating a unique file in a given directory (not in
2420 maildir or mailstore format - this is how smail did it). A temporary name is
2421 used to create the file. Later, when it is written, the name is changed to a
2422 unique one. There is no need to lock the file. An attempt is made to create
2423 the directory if it does not exist. */
2425 if (mbformat == mbf_smail)
2428 debug_printf("delivering to new file in %s\n", path);
2429 filename = dataname =
2430 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2431 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2432 if (fd < 0 && /* failed to open, and */
2433 (errno != ENOENT || /* either not non-exist */
2434 !ob->create_directory || /* or not allowed to make */
2435 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2436 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2438 addr->basic_errno = errno;
2439 addr->message = string_sprintf("while creating file %s", filename);
2444 #ifdef SUPPORT_MAILDIR
2446 /* Handle the case of a unique file in maildir format. The file is written to
2447 the tmp subdirectory, with a prescribed form of name. */
2449 else if (mbformat == mbf_maildir)
2452 debug_printf("delivering in maildir format in %s\n", path);
2454 nametag = ob->maildir_tag;
2456 /* Check that nametag expands successfully; a hard failure causes a panic
2457 return. The actual expansion for use happens again later, when
2458 $message_size is accurately known. */
2460 if (nametag && !expand_string(nametag) && !f.expand_string_forcedfail)
2462 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2463 "for %s transport) failed: %s", nametag, tblock->name,
2464 expand_string_message);
2468 /* We ensured the existence of all the relevant directories above. Attempt
2469 to open the temporary file a limited number of times. I think this rather
2470 scary-looking for statement is actually OK. If open succeeds, the loop is
2471 broken; if not, there is a test on the value of i. Get the time again
2472 afresh each time round the loop. Its value goes into a variable that is
2473 checked at the end, to make sure we don't release this process until the
2474 clock has ticked. */
2476 for (int i = 1;; i++)
2480 (void)gettimeofday(&msg_tv, NULL);
2481 basename = string_sprintf(TIME_T_FMT ".M%luP" PID_T_FMT ".%s",
2482 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
2484 filename = dataname = string_sprintf("tmp/%s", basename);
2485 newname = string_sprintf("new/%s", basename);
2487 if (Ustat(filename, &statbuf) == 0)
2489 else if (errno == ENOENT)
2491 if ((fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode)) >= 0)
2493 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2494 filename, strerror(errno));
2497 /* Too many retries - give up */
2499 if (i >= ob->maildir_retries)
2501 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2502 filename, i, (i == 1) ? "y" : "ies");
2503 addr->basic_errno = errno;
2504 if (errno == errno_quota || errno == ENOSPC)
2505 addr->user_message = US"mailbox is full";
2509 /* Open or stat failed but we haven't tried too many times yet. */
2514 /* Note that we have to ensure the clock has ticked before leaving */
2516 wait_for_tick = TRUE;
2518 /* Why are these here? Put in because they are present in the non-maildir
2519 directory case above. */
2521 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2523 addr->basic_errno = errno;
2524 addr->message = string_sprintf("while setting perms on maildir %s",
2530 #endif /* SUPPORT_MAILDIR */
2532 #ifdef SUPPORT_MAILSTORE
2534 /* Handle the case of a unique file in mailstore format. First write the
2535 envelope to a temporary file, then open the main file. The unique base name
2536 for the files consists of the message id plus the pid of this delivery
2542 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2543 string_base62((long int)getpid()));
2546 debug_printf("delivering in mailstore format in %s\n", path);
2548 filename = string_sprintf("%s.tmp", mailstore_basename);
2549 newname = string_sprintf("%s.env", mailstore_basename);
2550 dataname = string_sprintf("%s.msg", mailstore_basename);
2552 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2553 if ( fd < 0 /* failed to open, and */
2554 && ( errno != ENOENT /* either not non-exist */
2555 || !ob->create_directory /* or not allowed to make */
2556 || !directory_make(NULL, path, ob->dirmode, FALSE) /* or failed to create dir */
2557 || (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0 /* or then failed to open */
2560 addr->basic_errno = errno;
2561 addr->message = string_sprintf("while creating file %s", filename);
2565 /* Why are these here? Put in because they are present in the non-maildir
2566 directory case above. */
2568 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2570 addr->basic_errno = errno;
2571 addr->message = string_sprintf("while setting perms on file %s",
2576 /* Built a C stream from the open file descriptor. */
2578 if (!(env_file = fdopen(fd, "wb")))
2580 addr->basic_errno = errno;
2581 addr->message = string_sprintf("fdopen of %s ("
2582 "for %s transport) failed", filename, tblock->name);
2588 /* Write the envelope file, then close it. */
2590 if (ob->mailstore_prefix)
2592 uschar *s = expand_string(ob->mailstore_prefix);
2595 if (!f.expand_string_forcedfail)
2597 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2598 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2599 tblock->name, expand_string_message);
2600 (void)fclose(env_file);
2608 fprintf(env_file, "%s", CS s);
2609 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2613 fprintf(env_file, "%s\n", sender_address);
2615 for (address_item * taddr = addr; taddr; taddr = taddr->next)
2616 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2618 if (ob->mailstore_suffix)
2620 uschar *s = expand_string(ob->mailstore_suffix);
2623 if (!f.expand_string_forcedfail)
2625 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2626 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2627 tblock->name, expand_string_message);
2628 (void)fclose(env_file);
2636 fprintf(env_file, "%s", CS s);
2637 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2641 if (fclose(env_file) != 0)
2643 addr->basic_errno = errno;
2644 addr->message = string_sprintf("while closing %s", filename);
2649 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2651 /* Now open the data file, and ensure that it has the correct ownership and
2654 if ((fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
2656 addr->basic_errno = errno;
2657 addr->message = string_sprintf("while creating file %s", dataname);
2661 if (exim_chown(dataname, uid, gid) || Uchmod(dataname, mode))
2663 addr->basic_errno = errno;
2664 addr->message = string_sprintf("while setting perms on file %s",
2670 #endif /* SUPPORT_MAILSTORE */
2673 /* In all cases of writing to a new file, ensure that the file which is
2674 going to be renamed has the correct ownership and mode. */
2676 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2678 addr->basic_errno = errno;
2679 addr->message = string_sprintf("while setting perms on file %s",
2686 /* At last we can write the message to the file, preceded by any configured
2687 prefix line, and followed by any configured suffix line. If there are any
2688 writing errors, we must defer. */
2690 DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2695 /* If there is a local quota setting, check that we are not going to exceed it
2696 with this message if quota_is_inclusive is set; if it is not set, the check
2697 is for the mailbox already being over quota (i.e. the current message is not
2698 included in the check). */
2700 if (!disable_quota && ob->quota_value > 0)
2704 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2705 " this message = %d (%sincluded)\n",
2706 ob->quota_value, mailbox_size, message_size,
2707 ob->quota_is_inclusive ? "" : "not ");
2708 debug_printf(" file count quota = %d count = %d\n",
2709 ob->quota_filecount_value, mailbox_filecount);
2712 if (mailbox_size + (ob->quota_is_inclusive ? message_size:0) > ob->quota_value)
2713 if (!ob->quota_no_check)
2715 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2717 errno = ERRNO_EXIMQUOTA;
2720 DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2722 if (ob->quota_filecount_value > 0
2723 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2724 ob->quota_filecount_value)
2725 if (!ob->quota_filecount_no_check)
2727 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2729 errno = ERRNO_EXIMQUOTA;
2730 filecount_msg = US" filecount";
2732 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2733 debug_printf("mailbox file count quota exceeded but ignored\n");
2739 addr->basic_errno = errno;
2740 addr->message = US"Over quota";
2741 addr->transport_return = yield;
2743 debug_printf("appendfile (verify) yields %d with errno=%d more_errno=%d\n",
2744 yield, addr->basic_errno, addr->more_errno);
2749 /* If we are writing in MBX format, what we actually do is to write the message
2750 to a temporary file, and then copy it to the real file once we know its size.
2751 This is the most straightforward way of getting the correct length in the
2752 separator line. So, what we do here is to save the real file descriptor, and
2753 replace it with one for a temporary file. The temporary file gets unlinked once
2754 opened, so that it goes away on closure. */
2757 if (yield == OK && ob->mbx_format)
2759 if (!(temp_file = tmpfile()))
2761 addr->basic_errno = errno;
2762 addr->message = US"while setting up temporary file";
2767 fd = fileno(temp_file);
2768 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2770 #endif /* SUPPORT_MBX */
2772 /* Zero the count of bytes written. It is incremented by the transport_xxx()
2775 transport_count = 0;
2776 transport_newlines = 0;
2778 /* Write any configured prefix text first */
2780 if (yield == OK && ob->message_prefix && *ob->message_prefix)
2782 uschar *prefix = expand_string(ob->message_prefix);
2785 errno = ERRNO_EXPANDFAIL;
2786 addr->transport_return = PANIC;
2787 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2788 "transport) failed", ob->message_prefix, tblock->name);
2791 else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
2794 /* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2795 various different values for batching are handled outside; if there is more
2796 than one address available here, all must be included. If any address is a
2797 file, use its parent in the RCPT TO. */
2799 if (yield == OK && ob->use_bsmtp)
2801 transport_count = 0;
2802 transport_newlines = 0;
2803 if (ob->use_crlf) cr = US"\r";
2804 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2808 transport_newlines++;
2809 for (address_item * a = addr; a; a = a->next)
2811 address_item * b = testflag(a, af_pfr) ? a->parent : a;
2812 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2813 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2814 { yield = DEFER; break; }
2815 transport_newlines++;
2817 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2820 transport_newlines++;
2824 /* Now the message itself. The options for transport_write_message were set up
2825 at initialization time. */
2829 transport_ctx tctx = {
2833 .check_string = ob->check_string,
2834 .escape_string = ob->escape_string,
2835 .options = ob->options | topt_not_socket
2837 if (!transport_write_message(&tctx, 0))
2841 /* Now a configured suffix. */
2843 if (yield == OK && ob->message_suffix && *ob->message_suffix)
2845 uschar *suffix = expand_string(ob->message_suffix);
2848 errno = ERRNO_EXPANDFAIL;
2849 addr->transport_return = PANIC;
2850 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2851 "transport) failed", ob->message_suffix, tblock->name);
2854 else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
2857 /* If batch smtp, write the terminating dot. */
2859 if (yield == OK && ob->use_bsmtp)
2860 if (!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2861 else transport_newlines++;
2863 /* If MBX format is being used, all that writing was to the temporary file.
2864 However, if there was an earlier failure (Exim quota exceeded, for example),
2865 the temporary file won't have got opened - and no writing will have been done.
2866 If writing was OK, we restore the fd, and call a function that copies the
2867 message in MBX format into the real file. Otherwise use the temporary name in
2871 if (temp_file && ob->mbx_format)
2878 transport_count = 0; /* Reset transport count for actual write */
2879 /* No need to reset transport_newlines as we're just using a block copy
2880 * routine so the number won't be affected */
2881 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2883 else if (errno >= 0) dataname = US"temporary file";
2885 /* Preserve errno while closing the temporary file. */
2887 mbx_save_errno = errno;
2888 (void)fclose(temp_file);
2889 errno = mbx_save_errno;
2891 #endif /* SUPPORT_MBX */
2893 /* Force out the remaining data to check for any errors; some OS don't allow
2894 fsync() to be called for a FIFO. */
2896 if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
2898 /* Update message_size and message_linecount to the accurate count of bytes
2899 written, including added headers. Note; we subtract 1 from message_linecount as
2900 this variable doesn't count the new line between the header and the body of the
2903 message_size = transport_count;
2904 message_linecount = transport_newlines - 1;
2906 /* If using a maildir++ quota file, add this message's size to it, and
2907 close the file descriptor, except when the quota has been disabled because we
2908 are delivering into an uncounted folder. */
2910 #ifdef SUPPORT_MAILDIR
2913 if (yield == OK && maildirsize_fd >= 0)
2914 maildir_record_length(maildirsize_fd, message_size);
2915 maildir_save_errno = errno; /* Preserve errno while closing the file */
2916 if (maildirsize_fd >= 0)
2917 (void)close(maildirsize_fd);
2918 errno = maildir_save_errno;
2920 #endif /* SUPPORT_MAILDIR */
2922 /* If there is a quota warning threshold and we are have crossed it with this
2923 message, set the SPECIAL_WARN flag in the address, to cause a warning message
2926 if (!disable_quota && THRESHOLD_CHECK)
2928 off_t threshold = ob->quota_warn_threshold_value;
2929 if (ob->quota_warn_threshold_is_percent)
2930 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
2932 debug_printf("quota = " OFF_T_FMT
2933 " threshold = " OFF_T_FMT
2934 " old size = " OFF_T_FMT
2935 " message size = %d\n",
2936 ob->quota_value, threshold, mailbox_size,
2938 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
2939 addr->special_action = SPECIAL_WARN;
2941 /******* You might think that the test ought to be this:
2943 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
2944 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
2946 * (indeed, I was sent a patch with that in). However, it is possible to
2947 * have a warning threshold without actually imposing a quota, and I have
2948 * therefore kept Exim backwards compatible.
2953 /* Handle error while writing the file. Control should come here directly after
2954 the error, with the reason in errno. In the case of expansion failure in prefix
2955 or suffix, it will be ERRNO_EXPANDFAIL. */
2959 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
2961 /* Save the error number. If positive, it will ultimately cause a strerror()
2962 call to generate some text. */
2964 addr->basic_errno = errno;
2966 /* For system or Exim quota excession, or disk full, set more_errno to the
2967 time since the file was last read. If delivery was into a directory, the
2968 time since last read logic is not relevant, in general. However, for maildir
2969 deliveries we can approximate it by looking at the last modified time of the
2970 "new" subdirectory. Since Exim won't be adding new messages, a change to the
2971 "new" subdirectory implies that an MUA has moved a message from there to the
2974 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
2976 addr->more_errno = 0;
2977 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
2979 #ifdef SUPPORT_MAILDIR
2980 else if (mbformat == mbf_maildir)
2982 struct stat statbuf;
2983 if (Ustat("new", &statbuf) < 0)
2985 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
2986 "stat error %d for \"new\": %s\n", errno, strerror(errno));
2988 else /* Want a repeatable time when in test harness */
2989 addr->more_errno = f.running_in_test_harness ? 10 :
2990 (int)time(NULL) - statbuf.st_mtime;
2993 debug_printf("maildir: time since \"new\" directory modified = %s\n",
2994 readconf_printtime(addr->more_errno));
2996 #endif /* SUPPORT_MAILDIR */
2999 /* Handle system quota excession. Add an explanatory phrase for the error
3000 message, since some systems don't have special quota-excession errors,
3001 and on those that do, "quota" doesn't always mean anything to the user. */
3003 if (errno == errno_quota)
3006 addr->message = string_sprintf("mailbox is full "
3007 "(quota exceeded while writing to file %s)", filename);
3009 addr->message = US"mailbox is full";
3011 addr->user_message = US"mailbox is full";
3012 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3014 isdirectory ? US"" : US": time since file read = ",
3015 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3018 /* Handle Exim's own quota-imposition */
3020 else if (errno == ERRNO_EXIMQUOTA)
3022 addr->message = string_sprintf("mailbox is full "
3023 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3025 addr->user_message = US"mailbox is full";
3026 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3027 filecount_msg, dataname,
3028 isdirectory ? US"" : US": time since file read = ",
3029 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3032 /* Handle a process failure while writing via a filter; the return
3033 from child_close() is in more_errno. */
3035 else if (errno == ERRNO_FILTER_FAIL)
3038 addr->message = string_sprintf("transport filter process failed (%d) "
3039 "while writing to %s%s", addr->more_errno, dataname,
3040 (addr->more_errno == EX_EXECFAILED) ? ": unable to execute command" : "");
3043 /* Handle failure to expand header changes */
3045 else if (errno == ERRNO_CHHEADER_FAIL)
3049 string_sprintf("failed to expand headers_add or headers_remove while "
3050 "writing to %s: %s", dataname, expand_string_message);
3053 /* Handle failure to complete writing of a data block */
3055 else if (errno == ERRNO_WRITEINCOMPLETE)
3056 addr->message = string_sprintf("failed to write data block while "
3057 "writing to %s", dataname);
3059 /* Handle length mismatch on MBX copying */
3062 else if (errno == ERRNO_MBXLENGTH)
3063 addr->message = string_sprintf("length mismatch while copying MBX "
3064 "temporary file to %s", dataname);
3065 #endif /* SUPPORT_MBX */
3067 /* For other errors, a general-purpose explanation, if the message is
3070 else if (addr->message == NULL)
3071 addr->message = string_sprintf("error while writing to %s", dataname);
3073 /* For a file, reset the file size to what it was before we started, leaving
3074 the last modification time unchanged, so it will get reset also. All systems
3075 investigated so far have ftruncate(), whereas not all have the F_FREESP
3076 fcntl() call (BSDI & FreeBSD do not). */
3078 if (!isdirectory && ftruncate(fd, saved_size))
3079 DEBUG(D_transport) debug_printf("Error resetting file size\n");
3082 /* Handle successful writing - we want the modification time to be now for
3083 appended files. Remove the default backstop error number. For a directory, now
3084 is the time to rename the file with a unique name. As soon as such a name
3085 appears it may get used by another process, so we close the file first and
3086 check that all is well. */
3090 times.modtime = time(NULL);
3091 addr->basic_errno = 0;
3093 /* Handle the case of writing to a new file in a directory. This applies
3094 to all single-file formats - maildir, mailstore, and "smail format". */
3098 if (fstat(fd, &statbuf) < 0)
3100 addr->basic_errno = errno;
3101 addr->message = string_sprintf("while fstatting opened message file %s",
3106 else if (close(fd) < 0)
3108 addr->basic_errno = errno;
3109 addr->message = string_sprintf("close() error for %s",
3110 (ob->mailstore_format) ? dataname : filename);
3114 /* File is successfully written and closed. Arrange to rename it. For the
3115 different kinds of single-file delivery, some games can be played with the
3116 name. The message size is by this time set to the accurate value so that
3117 its value can be used in expansions. */
3121 uschar *renamename = newname;
3124 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3126 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3127 situation. The name is built by expanding the directory_file option, and
3128 we make the inode number available for use in this. The expansion was
3129 checked for syntactic validity above, before we wrote the file.
3131 We have to be careful here, in case the file name exists. (In the other
3132 cases, the names used are constructed to be unique.) The rename()
3133 function just replaces an existing file - we don't want that! So instead
3134 of calling rename(), we must use link() and unlink().
3136 In this case, if the link fails because of an existing file, we wait
3137 for one second and try the expansion again, to see if it produces a
3138 different value. Do this up to 5 times unless the name stops changing.
3139 This makes it possible to build values that are based on the time, and
3140 still cope with races from multiple simultaneous deliveries. */
3145 uschar *old_renameleaf = US"";
3147 for (int i = 0; ; sleep(1), i++)
3149 deliver_inode = statbuf.st_ino;
3150 renameleaf = expand_string(ob->dirfilename);
3155 addr->transport_return = PANIC;
3156 addr->message = string_sprintf("Expansion of \"%s\" "
3157 "(directory_file for %s transport) failed: %s",
3158 ob->dirfilename, tblock->name, expand_string_message);
3162 renamename = string_sprintf("%s/%s", path, renameleaf);
3163 if (Ulink(filename, renamename) < 0)
3165 DEBUG(D_transport) debug_printf("link failed: %s\n",
3167 if (errno != EEXIST || i >= 4 ||
3168 Ustrcmp(renameleaf, old_renameleaf) == 0)
3170 addr->basic_errno = errno;
3171 addr->message = string_sprintf("while renaming %s as %s",
3172 filename, renamename);
3176 old_renameleaf = renameleaf;
3177 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3186 } /* re-expand loop */
3187 } /* not mailstore or maildir */
3189 /* For maildir and mailstore formats, the new name was created earlier,
3190 except that for maildir, there is the possibility of adding a "tag" on
3191 the end of the name by expanding the value of nametag. This usually
3192 includes a reference to the message size. The expansion of nametag was
3193 checked above, before the file was opened. It either succeeded, or
3194 provoked a soft failure. So any failure here can be treated as soft.
3195 Ignore non-printing characters and / and put a colon at the start if the
3196 first character is alphanumeric. */
3202 uschar *iptr = expand_string(nametag);
3205 uschar *etag = store_get(Ustrlen(iptr) + 2, is_tainted(iptr));
3206 uschar *optr = etag;
3207 for ( ; *iptr; iptr++)
3208 if (mac_isgraph(*iptr) && *iptr != '/')
3210 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3214 renamename = string_sprintf("%s%s", newname, etag);
3218 /* Do the rename. If the name is too long and a tag exists, try again
3221 if (Urename(filename, renamename) < 0 &&
3222 (nametag == NULL || errno != ENAMETOOLONG ||
3223 (renamename = newname, Urename(filename, renamename) < 0)))
3225 addr->basic_errno = errno;
3226 addr->message = string_sprintf("while renaming %s as %s",
3227 filename, renamename);
3231 /* Rename succeeded */
3235 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3237 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3239 } /* maildir or mailstore */
3240 } /* successful write + close */
3242 } /* write success */
3245 /* For a file, restore the last access time (atime), and set the modification
3246 time as required - changed if write succeeded, unchanged if not. */
3248 if (!isdirectory) utime(CS filename, ×);
3250 /* Notify comsat if configured to do so. It only makes sense if the configured
3251 file is the one that the comsat daemon knows about. */
3253 if (ob->notify_comsat && yield == OK && deliver_localpart)
3254 notify_comsat(deliver_localpart, saved_size);
3256 /* Pass back the final return code in the address structure */
3259 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3260 yield, addr->basic_errno, addr->more_errno);
3262 addr->transport_return = yield;
3264 /* Close the file, which will release the fcntl lock. For a directory write it
3265 is closed above, except in cases of error which goto RETURN, when we also need
3266 to remove the original file(s). For MBX locking, if all has gone well, before
3267 closing the file, see if we can get an exclusive lock on it, in which case we
3268 can unlink the /tmp lock file before closing it. This is always a non-blocking
3269 lock; there's no need to wait if we can't get it. If everything has gone right
3270 but close fails, defer the message. Then unlink the lock file, if present. This
3271 point in the code is jumped to from a number of places when errors are
3272 detected, in order to get the file closed and the lock file tidied away. */
3277 if (mbx_lockfd >= 0)
3279 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3280 ob->use_flock, 0) >= 0)
3283 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3284 Uunlink(mbx_lockname);
3286 (void)close(mbx_lockfd);
3288 #endif /* SUPPORT_MBX */
3290 if (fd >= 0 && close(fd) < 0 && yield == OK)
3292 addr->basic_errno = errno;
3293 addr->message = string_sprintf("while closing %s", filename);
3294 addr->transport_return = DEFER;
3297 if (hd >= 0) Uunlink(lockname);
3299 /* We get here with isdirectory and filename set only in error situations. */
3301 if (isdirectory && filename)
3304 if (dataname != filename) Uunlink(dataname);
3307 /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3308 file name relies on time + pid. We must not allow the process to finish until
3309 the clock has move on by at least one microsecond. Usually we expect this
3310 already to be the case, but machines keep getting faster... */
3312 if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3314 /* A return of FALSE means that if there was an error, a common error was
3315 put in the first address of a batch. */
3320 addr->message = string_sprintf("Tainted '%s' (file or directory "
3321 "name for %s transport) not permitted", path, tblock->name);
3323 addr->transport_return = PANIC;
3327 #endif /*!MACRO_PREDEF*/
3328 /* End of transport/appendfile.c */
git://git.exim.org / exim.git / blob