1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2024 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Functions for writing log files. The code for maintaining datestamped
11 log files was originally contributed by Tony Sheen. */
16 #define MAX_SYSLOG_LEN 870
18 #define LOG_MODE_FILE 1
19 #define LOG_MODE_SYSLOG 2
21 enum { lt_main, lt_reject, lt_panic, lt_debug };
23 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
27 /*************************************************
28 * Local static variables *
29 *************************************************/
31 static uschar mainlog_name[LOG_NAME_SIZE];
32 static uschar rejectlog_name[LOG_NAME_SIZE];
34 static uschar *mainlog_datestamp = NULL;
35 static uschar *rejectlog_datestamp = NULL;
37 static int mainlogfd = -1;
38 static int rejectlogfd = -1;
39 static ino_t mainlog_inode = 0;
40 static ino_t rejectlog_inode = 0;
42 static uschar *panic_save_buffer = NULL;
43 static BOOL panic_recurseflag = FALSE;
45 static BOOL syslog_open = FALSE;
46 static BOOL path_inspected = FALSE;
47 static int logging_mode = LOG_MODE_FILE;
48 static uschar *file_path = US"";
50 static size_t pid_position[2];
53 /* These should be kept in-step with the private delivery error
54 number definitions in macros.h */
56 static const uschar * exim_errstrings[] = {
58 [- ERRNO_UNKNOWNERROR] = US"unknown error",
59 [- ERRNO_USERSLASH] = US"user slash",
60 [- ERRNO_EXISTRACE] = US"exist race",
61 [- ERRNO_NOTREGULAR] = US"not regular",
62 [- ERRNO_NOTDIRECTORY] = US"not directory",
63 [- ERRNO_BADUGID] = US"bad ugid",
64 [- ERRNO_BADMODE] = US"bad mode",
65 [- ERRNO_INODECHANGED] = US"inode changed",
66 [- ERRNO_LOCKFAILED] = US"lock failed",
67 [- ERRNO_BADADDRESS2] = US"bad address2",
68 [- ERRNO_FORBIDPIPE] = US"forbid pipe",
69 [- ERRNO_FORBIDFILE] = US"forbid file",
70 [- ERRNO_FORBIDREPLY] = US"forbid reply",
71 [- ERRNO_MISSINGPIPE] = US"missing pipe",
72 [- ERRNO_MISSINGFILE] = US"missing file",
73 [- ERRNO_MISSINGREPLY] = US"missing reply",
74 [- ERRNO_BADREDIRECT] = US"bad redirect",
75 [- ERRNO_SMTPCLOSED] = US"smtp closed",
76 [- ERRNO_SMTPFORMAT] = US"smtp format",
77 [- ERRNO_SPOOLFORMAT] = US"spool format",
78 [- ERRNO_NOTABSOLUTE] = US"not absolute",
79 [- ERRNO_EXIMQUOTA] = US"Exim-imposed quota",
80 [- ERRNO_HELD] = US"held",
81 [- ERRNO_FILTER_FAIL] = US"Delivery filter process failure",
82 [- ERRNO_CHHEADER_FAIL] = US"Delivery add/remove header failure",
83 [- ERRNO_WRITEINCOMPLETE] = US"Delivery write incomplete error",
84 [- ERRNO_EXPANDFAIL] = US"Some expansion failed",
85 [- ERRNO_GIDFAIL] = US"Failed to get gid",
86 [- ERRNO_UIDFAIL] = US"Failed to get uid",
87 [- ERRNO_BADTRANSPORT] = US"Unset or non-existent transport",
88 [- ERRNO_MBXLENGTH] = US"MBX length mismatch",
89 [- ERRNO_UNKNOWNHOST] = US"Lookup failed routing or in smtp tpt",
90 [- ERRNO_FORMATUNKNOWN] = US"Can't match format in appendfile",
91 [- ERRNO_BADCREATE] = US"Creation outside home in appendfile",
92 [- ERRNO_LISTDEFER] = US"Can't check a list; lookup defer",
93 [- ERRNO_DNSDEFER] = US"DNS lookup defer",
94 [- ERRNO_TLSFAILURE] = US"Failed to start TLS session",
95 [- ERRNO_TLSREQUIRED] = US"Mandatory TLS session not started",
96 [- ERRNO_CHOWNFAIL] = US"Failed to chown a file",
97 [- ERRNO_PIPEFAIL] = US"Failed to create a pipe",
98 [- ERRNO_CALLOUTDEFER] = US"When verifying",
99 [- ERRNO_AUTHFAIL] = US"When required by client",
100 [- ERRNO_CONNECTTIMEOUT] = US"Used internally in smtp transport",
101 [- ERRNO_RCPT4XX] = US"RCPT gave 4xx error",
102 [- ERRNO_MAIL4XX] = US"MAIL gave 4xx error",
103 [- ERRNO_DATA4XX] = US"DATA gave 4xx error",
104 [- ERRNO_PROXYFAIL] = US"Negotiation failed for proxy configured host",
105 [- ERRNO_AUTHPROB] = US"Authenticator 'other' failure",
106 [- ERRNO_UTF8_FWD] = US"target not supporting SMTPUTF8",
107 [- ERRNO_HOST_IS_LOCAL] = US"host is local",
108 [- ERRNO_TAINT] = US"tainted filename",
110 [- ERRNO_RRETRY] = US"Not time for routing",
112 [- ERRNO_LRETRY] = US"Not time for local delivery",
113 [- ERRNO_HRETRY] = US"Not time for any remote host",
114 [- ERRNO_LOCAL_ONLY] = US"Local-only delivery",
115 [- ERRNO_QUEUE_DOMAIN] = US"Domain in queue_domains",
116 [- ERRNO_TRETRY] = US"Transport concurrency limit",
118 [- ERRNO_EVENT] = US"Event requests alternate response",
122 /************************************************/
126 return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
129 /*************************************************
131 *************************************************/
133 /* The given string is split into sections according to length, or at embedded
134 newlines, and syslogged as a numbered sequence if it is overlong or if there is
135 more than one line. However, if we are running in the test harness, do not do
136 anything. (The test harness doesn't use syslog - for obvious reasons - but we
137 can get here if there is a failure to open the panic log.)
140 priority syslog priority
141 s the string to be written
147 write_syslog(int priority, const uschar *s)
152 if (!syslog_pid && LOGGING(pid))
153 s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
154 if (!syslog_timestamp)
156 len = log_timezone ? 26 : 20;
157 if (LOGGING(millisec)) len += 4;
164 if (!syslog_open && !f.running_in_test_harness)
166 # ifdef SYSLOG_LOG_PID
167 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
169 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
175 /* First do a scan through the message in order to determine how many lines
176 it is going to end up as. Then rescan to output it. */
178 for (int pass = 0; pass < 2; pass++)
180 const uschar * ss = s;
181 for (int i = 1, tlen = len; tlen > 0; i++)
184 uschar *nlptr = Ustrchr(ss, '\n');
185 if (nlptr != NULL) plen = nlptr - ss;
186 #ifndef SYSLOG_LONG_LINES
187 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
190 if (ss[plen] == '\n') tlen--; /* chars left */
194 else if (f.running_in_test_harness)
196 fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
198 fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
199 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
200 linecount, plen, ss);
203 syslog(priority, "%.*s", plen, ss);
205 syslog(priority, "[%d%c%d] %.*s", i,
206 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
207 linecount, plen, ss);
210 if (*ss == '\n') ss++;
217 /*************************************************
219 *************************************************/
221 /* This is called when Exim is dying as a result of something going wrong in
222 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
223 message to debug_file or a stderr file, if they exist. Then, if in the middle
224 of accepting a message, throw it away tidily by calling receive_bomb_out();
225 this will attempt to send an SMTP response if appropriate. Passing NULL as the
226 first argument stops it trying to run the NOTQUIT ACL (which might try further
227 logging and thus cause problems). Otherwise, try to close down an outstanding
231 s1 Error message to write to debug_file and/or stderr and syslog
232 s2 Error message for any SMTP call that is in progress
233 Returns: The function does not return
237 die(uschar *s1, uschar *s2)
241 write_syslog(LOG_CRIT, s1);
242 if (debug_file) debug_printf("%s\n", s1);
243 if (log_stderr && log_stderr != debug_file)
244 fprintf(log_stderr, "%s\n", s1);
246 if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
247 if (smtp_input) smtp_closedown(s2);
248 exim_exit(EXIT_FAILURE);
253 /*************************************************
254 * Create a log file *
255 *************************************************/
257 /* This function is called to create and open a log file. It may be called in a
258 subprocess when the original process is root.
263 The file name has been build in a working buffer, so it is permissible to
264 overwrite it temporarily if it is necessary to create the directory.
266 Returns: a file descriptor, or < 0 on failure (errno set)
270 log_open_already_exim(const uschar * const name)
273 const int flags = O_WRONLY | O_APPEND | O_CREAT | O_NONBLOCK;
275 if (geteuid() != exim_uid)
281 fd = Uopen(name, flags, LOG_MODE);
283 /* If creation failed, attempt to build a log directory in case that is the
286 if (fd < 0 && errno == ENOENT)
289 uschar *lastslash = Ustrrchr(name, '/');
291 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
294 debug_printf("created log directory %s\n", name);
296 debug_printf("failed to create log directory %s: %s\n", name, strerror(errno));
298 if (created) fd = Uopen(name, flags, LOG_MODE);
306 /* Inspired by OpenSSH's mm_send_fd(). Thanks!
307 Send fd over socketpair.
308 Return: true iff good.
312 send_fd_over_socket(const int sock, const int fd)
317 char buf[CMSG_SPACE(sizeof(int))];
319 struct cmsghdr *cmsg;
321 struct iovec vec = {.iov_base = &ch, .iov_len = 1};
324 memset(&msg, 0, sizeof(msg));
325 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
326 msg.msg_control = &cmsgbuf.buf;
327 msg.msg_controllen = sizeof(cmsgbuf.buf);
329 cmsg = CMSG_FIRSTHDR(&msg);
330 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
331 cmsg->cmsg_level = SOL_SOCKET;
332 cmsg->cmsg_type = SCM_RIGHTS;
333 *(int *)CMSG_DATA(cmsg) = fd;
338 while ((n = sendmsg(sock, &msg, 0)) == -1 && errno == EINTR);
342 /* Inspired by OpenSSH's mm_receive_fd(). Thanks!
343 Return fd passed over socketpair, or -1 on error.
347 recv_fd_from_sock(const int sock)
352 char buf[CMSG_SPACE(sizeof(int))];
354 struct cmsghdr *cmsg;
356 struct iovec vec = {.iov_base = &ch, .iov_len = 1};
360 memset(&msg, 0, sizeof(msg));
364 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
365 msg.msg_control = &cmsgbuf.buf;
366 msg.msg_controllen = sizeof(cmsgbuf.buf);
368 while ((n = recvmsg(sock, &msg, 0)) == -1 && errno == EINTR) ;
369 if (n != 1 || ch != 'A') return -1;
371 if (!(cmsg = CMSG_FIRSTHDR(&msg))) return -1;
372 if (cmsg->cmsg_type != SCM_RIGHTS) return -1;
373 if ((fd = *(const int *)CMSG_DATA(cmsg)) < 0) return -1;
379 /*************************************************
380 * Create a log file as the exim user *
381 *************************************************/
383 /* This function is called when we are root to spawn an exim:exim subprocess
384 in which we can create a log file. It must be signal-safe since it is called
385 by the usr1_handler().
390 Returns: a file descriptor, or < 0 on failure (errno set)
394 log_open_as_exim(const uschar * const name)
397 const uid_t euid = geteuid();
399 if (euid == exim_uid)
400 fd = log_open_already_exim(name);
401 else if (euid == root_uid)
404 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock) == 0)
406 const pid_t pid = fork();
409 (void)close(sock[0]);
410 if ( setgroups(1, &exim_gid) != 0
411 || setgid(exim_gid) != 0
412 || setuid(exim_uid) != 0
414 || getuid() != exim_uid || geteuid() != exim_uid
415 || getgid() != exim_gid || getegid() != exim_gid
417 || (fd = log_open_already_exim(name)) < 0
418 || !send_fd_over_socket(sock[1], fd)
419 ) _exit(EXIT_FAILURE);
420 (void)close(sock[1]);
424 (void)close(sock[1]);
427 fd = recv_fd_from_sock(sock[0]);
428 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR);
430 (void)close(sock[0]);
437 flags = fcntl(fd, F_GETFD);
438 if (flags != -1) (void)fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
439 flags = fcntl(fd, F_GETFL);
440 if (flags != -1) (void)fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
451 /*************************************************
453 *************************************************/
455 /* This function opens one of a number of logs, creating the log directory if
456 it does not exist. This may be called recursively on failure, in order to open
459 The directory is in the static variable file_path. This is static so that
460 the work of sorting out the path is done just once per Exim process.
462 Exim is normally configured to avoid running as root wherever possible, the log
463 files must be owned by the non-privileged exim user. To ensure this, first try
464 an open without O_CREAT - most of the time this will succeed. If it fails, try
465 to create the file; if running as root, this must be done in a subprocess to
469 fd where to return the resulting file descriptor
470 type lt_main, lt_reject, lt_panic, or lt_debug
471 tag optional tag to include in the name (only hooked up for debug)
477 open_log(int * fd, int type, const uschar * tag)
481 uschar buffer[LOG_NAME_SIZE];
483 /* The names of the log files are controlled by file_path. The panic log is
484 written to the same directory as the main and reject logs, but its name does
485 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
486 When opening the panic log, if %D or %M is present, we remove the datestamp
487 from the generated name; if it is at the start, remove a following
488 non-alphanumeric character as well; otherwise, remove a preceding
489 non-alphanumeric character. This is definitely kludgy, but it sort of does what
490 people want, I hope. */
492 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
497 /* Save the name of the mainlog for rollover processing. Without a datestamp,
498 it gets statted to see if it has been cycled. With a datestamp, the datestamp
499 will be compared. The static slot for saving it is the same size as buffer,
500 and the text has been checked above to fit, so this use of strcpy() is OK. */
501 Ustrcpy(mainlog_name, buffer);
502 if (string_datestamp_offset > 0)
503 mainlog_datestamp = mainlog_name + string_datestamp_offset;
507 /* Ditto for the reject log */
508 Ustrcpy(rejectlog_name, buffer);
509 if (string_datestamp_offset > 0)
510 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
514 /* and deal with the debug log (which keeps the datestamp, but does not
516 Ustrcpy(debuglog_name, buffer);
520 die(US"exim: tainted tag for debug log filename",
521 US"Logging failure; please try later");
523 /* this won't change the offset of the datestamp */
524 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
527 Ustrcpy(debuglog_name, buffer);
532 /* Remove any datestamp if this is the panic log. This is rare, so there's no
533 need to optimize getting the datestamp length. We remove one non-alphanumeric
534 char afterwards if at the start, otherwise one before. */
535 if (string_datestamp_offset >= 0)
537 uschar * from = buffer + string_datestamp_offset;
538 uschar * to = from + string_datestamp_length;
540 if (from == buffer || from[-1] == '/')
542 if (!isalnum(*to)) to++;
545 if (!isalnum(from[-1])) from--;
547 /* This copy is ok, because we know that to is a substring of from. But
548 due to overlap we must use memmove() not Ustrcpy(). */
549 memmove(from, to, Ustrlen(to)+1);
554 /* If the file name is too long, it is an unrecoverable disaster */
557 die(US"exim: log file path too long: aborting",
558 US"Logging failure; please try later");
560 /* We now have the file name. After a successful open, return. */
562 if ((*fd = log_open_as_exim(buffer)) >= 0)
567 /* Creation failed. There are some circumstances in which we get here when
568 the effective uid is not root or exim, which is the problem. (For example, a
569 non-setuid binary with log_arguments set, called in certain ways.) Rather than
570 just bombing out, force the log to stderr and carry on if stderr is available.
573 if (euid != root_uid && euid != exim_uid && log_stderr)
575 *fd = fileno(log_stderr);
579 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
580 log. If possible, save a copy of the original line that was being logged. If we
581 are recursing (can't open the panic log either), the pointer will already be
582 set. Also, when we had to use a subprocess for the create we didn't retrieve
583 errno from it, so get the error from the open attempt above (which is often
584 meaningful enough, so leave it). */
586 if (!panic_save_buffer)
587 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
588 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
590 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
591 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
599 if (type == lt_debug) unlink(CS debuglog_name);
604 /* Append to a gstring, in no-extend (or rebuffer) mode
605 and without taint-checking. Thanks to the no-extend, the
606 gstring struct never needs reallocation; we ignore the
607 infore that the initial space allocation for the string
608 was exceeded, and just leave it potentially truncated. */
611 string_fmt_append_noextend(gstring * g, char * fmt, ...)
615 /* can return NULL if it truncates; just ignore */
616 (void) string_vformat(g, SVFMT_TAINT_NOCHK, fmt, ap);
620 /*************************************************
621 * Add configuration file info to log line *
622 *************************************************/
624 /* This is put in a function because it's needed twice (once for debugging,
628 g extensible-string referring to static buffer,
636 log_config_info(gstring * g, int flags)
638 string_fmt_append_noextend(g, "Exim configuration error");
640 if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
641 string_fmt_append_noextend(g, " for ");
644 if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
645 string_fmt_append_noextend(g, " in line %d of %s",
646 config_lineno, config_filename);
648 string_fmt_append_noextend(g, ":\n ");
653 /*************************************************
654 * A write() operation failed *
655 *************************************************/
657 /* This function is called when write() fails on anything other than the panic
658 log, which can happen if a disk gets full or a file gets too large or whatever.
659 We try to save the relevant message in the panic_save buffer before crashing
662 The potential invoker should probably not call us for EINTR -1 writes. But
663 otherwise, short writes are bad as we don't do non-blocking writes to fds
664 subject to flow control. (If we do, that's new and the logic of this should
668 name the name of the log being written
669 length the string length being written
670 rc the return value from write()
672 Returns: does not return
676 log_write_failed(uschar *name, int length, int rc)
678 int save_errno = errno;
680 if (!panic_save_buffer)
681 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
682 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
684 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
685 "errno=%d (%s)", name, length, rc, save_errno,
686 (save_errno == 0)? "write incomplete" : strerror(save_errno));
692 /*************************************************
693 * Write to an fd, retrying after signals *
694 *************************************************/
696 /* Basic write to fd for logs, handling EINTR.
699 fd the fd to write to
700 buf the string to write
701 length the string length being written
704 length actually written, persisting an errno from write()
707 write_to_fd_buf(int fd, const uschar * buf, size_t length)
710 size_t total_written = 0;
711 const uschar * p = buf;
712 size_t left = length;
716 wrote = write(fd, p, left);
717 if (wrote == (ssize_t)-1)
719 if (errno == EINTR) continue;
722 total_written += wrote;
731 return total_written;
734 static inline ssize_t
735 write_gstring_to_fd_buf(int fd, const gstring * g)
737 return write_to_fd_buf(fd, g->s, g->ptr);
745 int sep = ':'; /* Fixed separator - outside use */
747 const uschar *tt = US LOG_FILE_PATH;
748 while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
750 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
751 file_path = string_copy(t);
757 /* Close mainlog, unless we do not see a chance to open the file mainlog later
758 again. This will happen if we log from a transport process (which has dropped
759 privs); something we traditionally avoid, but the introduction of taint-tracking
760 and resulting detection of errors is makinng harder. */
766 || !(geteuid() == 0 || geteuid() == exim_uid))
768 (void)close(mainlogfd);
773 /*************************************************
774 * Write message to log file *
775 *************************************************/
777 /* Exim can be configured to log to local files, or use syslog, or both. This
778 is controlled by the setting of log_file_path. The following cases are
781 log_file_path = "" write files in the spool/log directory
782 log_file_path = "xxx" write files in the xxx directory
783 log_file_path = "syslog" write to syslog
784 log_file_path = "syslog : xxx" write to syslog and to files (any order)
786 The message always gets '\n' added on the end of it, since more than one
787 process may be writing to the log at once and we don't want intermingling to
788 happen in the middle of lines. To be absolutely sure of this we write the data
789 into a private buffer and then put it out in a single write() call.
791 The flags determine which log(s) the message is written to, or for syslogging,
792 which priority to use, and in the case of the panic log, whether the process
793 should die afterwards.
795 The variable really_exim is TRUE only when exim is running in privileged state
796 (i.e. not with a changed configuration or with testing options such as -brw).
797 If it is not, don't try to write to the log because permission will probably be
800 Avoid actually writing to the logs when exim is called with -bv or -bt to
801 test an address, but take other actions, such as panicking.
803 In Exim proper, the buffer for building the message is got at start-up, so that
804 nothing gets done if it can't be got. However, some functions that are also
805 used in utilities occasionally obey log_write calls in error situations, and it
806 is simplest to put a single malloc() here rather than put one in each utility.
807 Malloc is used directly because the store functions may call log_write().
809 If a message_id exists, we include it after the timestamp.
812 selector write to main log or LOG_INFO only if this value is zero, or if
813 its bit is set in log_selector[0]
814 flags each bit indicates some independent action:
815 LOG_SENDER add raw sender to the message
816 LOG_RECIPIENTS add raw recipients list to message
817 LOG_CONFIG add "Exim configuration error"
818 LOG_CONFIG_FOR add " for " instead of ":\n "
819 LOG_CONFIG_IN add " in line x[ of file y]"
820 LOG_MAIN write to main log or syslog LOG_INFO
821 LOG_REJECT write to reject log or syslog LOG_NOTICE
822 LOG_PANIC write to panic log or syslog LOG_ALERT
823 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
824 format a printf() format
825 ... arguments for format
831 log_write(unsigned int selector, int flags, const char *format, ...)
835 gstring gs = { .size = LOG_BUFFER_SIZE-2, .ptr = 0, .s = log_buffer };
839 /* If panic_recurseflag is set, we have failed to open the panic log. This is
840 the ultimate disaster. First try to write the message to a debug file and/or
841 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
842 original log line that caused the problem. Afterwards, expire. */
844 if (panic_recurseflag)
846 uschar * extra = panic_save_buffer ? panic_save_buffer : US"";
847 if (debug_file) debug_printf("%s%s", extra, log_buffer);
848 if (log_stderr && log_stderr != debug_file)
849 fprintf(log_stderr, "%s%s", extra, log_buffer);
850 if (*extra) write_syslog(LOG_CRIT, extra);
851 write_syslog(LOG_CRIT, log_buffer);
852 die(US"exim: could not open panic log - aborting: see message(s) above",
853 US"Unexpected log failure, please try later");
856 /* Ensure we have a buffer (see comment above); this should never be obeyed
857 when running Exim proper, only when running utilities. */
860 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
862 fprintf(stderr, "exim: failed to get store for log buffer\n");
863 exim_exit(EXIT_FAILURE);
866 /* If we haven't already done so, inspect the setting of log_file_path to
867 determine whether to log to files and/or to syslog. Bits in logging_mode
868 control this, and for file logging, the path must end up in file_path. This
869 variable must be in permanent store because it may be required again later in
874 BOOL multiple = FALSE;
875 int old_pool = store_pool;
877 store_pool = POOL_PERM;
879 /* If nothing has been set, don't waste effort... the default values for the
880 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
884 int sep = ':'; /* Fixed separator - outside use */
886 const uschar *ss = log_file_path;
889 while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
891 if (Ustrcmp(s, "syslog") == 0)
892 logging_mode |= LOG_MODE_SYSLOG;
893 else if (logging_mode & LOG_MODE_FILE)
897 logging_mode |= LOG_MODE_FILE;
899 /* If a non-empty path is given, use it */
902 file_path = string_copy(s);
904 /* If the path is empty, we want to use the first non-empty, non-
905 syslog item in LOG_FILE_PATH, if there is one, since the value of
906 log_file_path may have been set at runtime. If there is no such item,
907 use the ultimate default in the spool directory. */
910 set_file_path(); /* Empty item in log_file_path */
911 } /* First non-syslog item in log_file_path */
912 } /* Scan of log_file_path */
915 /* If no modes have been selected, it is a major disaster */
917 if (logging_mode == 0)
918 die(US"Neither syslog nor file logging set in log_file_path",
919 US"Unexpected logging failure");
921 /* Set up the ultimate default if necessary. Then revert to the old store
922 pool, and record that we've sorted out the path. */
924 if (logging_mode & LOG_MODE_FILE && !file_path[0])
925 file_path = string_sprintf("%s/log/%%slog", spool_directory);
926 store_pool = old_pool;
927 path_inspected = TRUE;
929 /* If more than one file path was given, log a complaint. This recursive call
930 should work since we have now set up the routing. */
933 log_write(0, LOG_MAIN|LOG_PANIC,
934 "More than one path given in log_file_path: using %s", file_path);
937 /* Optionally trigger debug */
939 if (flags & LOG_PANIC && dtrigger_selector & BIT(DTi_panictrigger))
940 debug_trigger_fire();
942 /* If debugging, show all log entries, but don't show headers. Do it all
943 in one go so that it doesn't get split when multi-processing. */
947 string_fmt_append_noextend(g, "LOG:");
949 /* Show the selector that was passed into the call. */
951 for (int i = 0; i < log_options_count; i++)
953 unsigned int bitnum = log_options[i].bit;
954 if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
955 string_fmt_append_noextend(g, " %s", log_options[i].name);
958 string_fmt_append_noextend(g, "%s%s%s%s\n ",
959 flags & LOG_MAIN ? " MAIN" : "",
960 flags & LOG_PANIC ? " PANIC" : "",
961 (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
962 flags & LOG_REJECT ? " REJECT" : "");
964 if (flags & LOG_CONFIG) log_config_info(g, flags);
966 /* We want to be able to log tainted info, but log_buffer is directly
967 malloc'd. So use deliberately taint-nonchecking routines to build into
968 it, trusting that we will never expand the results. */
970 va_start(ap, format);
971 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
973 uschar * s = US"**** log string overflowed log buffer ****";
974 gstring_trim(g, Ustrlen(s));
975 string_fmt_append_noextend(g, "%s", s);
979 debug_printf("%Y\n", g);
981 /* Having used the buffer for debug output, reset it for the real use. */
985 /* If no log file is specified, we are in a mess. */
987 if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
988 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
991 /* There are some weird circumstances in which logging is disabled. */
993 if (f.disable_logging)
995 DEBUG(D_any) debug_printf("log writing disabled\n");
996 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
1000 /* Handle disabled reject log */
1002 if (!write_rejectlog) flags &= ~LOG_REJECT;
1004 /* Create the main message in the log buffer. Do not include the message id
1005 when called by a utility. */
1007 string_fmt_append_noextend(&gs, "%s ", tod_stamp(tod_log));
1011 if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */
1012 string_fmt_append_noextend(g, "[%ld] ", (long)getpid());
1013 if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */
1016 if (f.really_exim && message_id[0])
1017 string_fmt_append_noextend(g, "%s ", message_id);
1019 if (flags & LOG_CONFIG)
1020 log_config_info(g, flags);
1022 va_start(ap, format);
1024 /* We want to be able to log tainted info, but log_buffer is directly
1025 malloc'd. So use deliberately taint-nonchecking routines to build into
1026 it, trusting that we will never expand the results. */
1028 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
1030 uschar * s = US"**** log string overflowed log buffer ****\n";
1031 gstring_trim(g, Ustrlen(s));
1032 string_fmt_append_noextend(g, "%s", s);
1037 /* Add the raw, unrewritten, sender to the message if required. This is done
1038 this way because it kind of fits with LOG_RECIPIENTS. */
1040 if (flags & LOG_SENDER)
1041 string_fmt_append_noextend(g, " from <%s>", raw_sender);
1043 /* Add list of recipients to the message if required; the raw list,
1044 before rewriting, was saved in raw_recipients. There may be none, if an ACL
1045 discarded them all. */
1047 if (flags & LOG_RECIPIENTS && raw_recipients_count > 0)
1049 string_fmt_append_noextend(g, " for");
1050 for (int i = 0; i < raw_recipients_count; i++)
1051 if (!string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", raw_recipients[i]))
1053 uschar * s = US"<trunc>";
1054 gstring_trim(g, Ustrlen(s));
1055 string_fmt_append_noextend(g, "%s", s);
1060 /* actual size, now we are placing the newline (and space for NUL) */
1061 gs.size = LOG_BUFFER_SIZE;
1062 string_fmt_append_noextend(g, "\n");
1063 string_from_gstring(g);
1065 /* Handle loggable errors when running a utility, or when address testing.
1066 Write to log_stderr unless debugging (when it will already have been written),
1067 or unless there is no log_stderr (expn called from daemon, for example). */
1069 if (!f.really_exim || f.log_testing_mode)
1071 if ( !debug_selector
1073 && (selector == 0 || (selector & log_selector[0]) != 0)
1076 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
1078 fprintf(log_stderr, "%s", CS log_buffer);
1080 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
1084 /* Handle the main log. We know that either syslog or file logging (or both) is
1085 set up. A real file gets left open during reception or delivery once it has
1086 been opened, but we don't want to keep on writing to it for too long after it
1087 has been renamed. Therefore, do a stat() and see if the inode has changed, and
1090 if ( flags & LOG_MAIN
1091 && (!selector || selector & log_selector[0]))
1093 if ( logging_mode & LOG_MODE_SYSLOG
1094 && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
1095 write_syslog(LOG_INFO, log_buffer);
1097 if (logging_mode & LOG_MODE_FILE)
1099 struct stat statbuf;
1101 /* Check for a change to the mainlog file name when datestamping is in
1102 operation. This happens at midnight, at which point we want to roll over
1103 the file. Closing it has the desired effect. */
1105 if (mainlog_datestamp)
1107 uschar *nowstamp = tod_stamp(string_datestamp_type);
1108 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1110 (void)close(mainlogfd); /* Close the file */
1111 mainlogfd = -1; /* Clear the file descriptor */
1112 mainlog_inode = 0; /* Unset the inode */
1113 mainlog_datestamp = NULL; /* Clear the datestamp */
1117 /* Otherwise, we want to check whether the file has been renamed by a
1118 cycling script. This could be "if else", but for safety's sake, leave it as
1119 "if" so that renaming the log starts a new file even when datestamping is
1123 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
1126 /* If the log is closed, open it. Then write the line. */
1130 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
1131 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
1134 /* Failing to write to the log is disastrous */
1136 if ((written_len = write_gstring_to_fd_buf(mainlogfd, g)) != g->ptr)
1138 log_write_failed(US"main log", g->ptr, written_len);
1139 /* That function does not return */
1144 /* Handle the log for rejected messages. This can be globally disabled, in
1145 which case the flags are altered above. If there are any header lines (i.e. if
1146 the rejection is happening after the DATA phase), log the recipients and the
1149 if (flags & LOG_REJECT)
1151 if (header_list && LOGGING(rejected_header))
1155 if (recipients_count > 0)
1157 /* List the sender */
1159 string_fmt_append_noextend(g,
1160 "Envelope-from: <%s>\n", sender_address);
1162 /* List up to 5 recipients */
1164 string_fmt_append_noextend(g,
1165 "Envelope-to: <%s>\n", recipients_list[0].address);
1167 for (i = 1; i < recipients_count && i < 5; i++)
1168 string_fmt_append_noextend(g,
1169 " <%s>\n", recipients_list[i].address);
1171 if (i < recipients_count)
1172 string_fmt_append_noextend(g, " ...\n", NULL);
1175 /* A header with a NULL text is an unfilled-in Received: header */
1177 for (header_line * h = header_list; h; h = h->next) if (h->text)
1178 if (!string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1179 "%c %s", h->type, h->text))
1180 { /* Buffer is full; truncate */
1181 gstring_trim(g, 100); /* space for message and separator */
1182 gstring_trim_trailing(g, '\n');
1183 string_fmt_append_noextend(g, "\n*** truncated ***\n");
1188 /* Write to syslog or to a log file */
1190 if ( logging_mode & LOG_MODE_SYSLOG
1191 && (syslog_duplication || !(flags & LOG_PANIC)))
1192 write_syslog(LOG_NOTICE, string_from_gstring(g));
1194 /* Check for a change to the rejectlog file name when datestamping is in
1195 operation. This happens at midnight, at which point we want to roll over
1196 the file. Closing it has the desired effect. */
1198 if (logging_mode & LOG_MODE_FILE)
1200 struct stat statbuf;
1202 if (rejectlog_datestamp)
1204 uschar *nowstamp = tod_stamp(string_datestamp_type);
1205 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1207 (void)close(rejectlogfd); /* Close the file */
1208 rejectlogfd = -1; /* Clear the file descriptor */
1209 rejectlog_inode = 0; /* Unset the inode */
1210 rejectlog_datestamp = NULL; /* Clear the datestamp */
1214 /* Otherwise, we want to check whether the file has been renamed by a
1215 cycling script. This could be "if else", but for safety's sake, leave it as
1216 "if" so that renaming the log starts a new file even when datestamping is
1219 if (rejectlogfd >= 0)
1220 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1221 statbuf.st_ino != rejectlog_inode)
1223 (void)close(rejectlogfd);
1225 rejectlog_inode = 0;
1228 /* Open the file if necessary, and write the data */
1230 if (rejectlogfd < 0)
1232 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1233 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1236 if ((written_len = write_gstring_to_fd_buf(rejectlogfd, g)) != g->ptr)
1238 log_write_failed(US"reject log", g->ptr, written_len);
1239 /* That function does not return */
1245 /* Handle the panic log, which is not kept open like the others. If it fails to
1246 open, there will be a recursive call to log_write(). We detect this above and
1247 attempt to write to the system log as a last-ditch try at telling somebody. In
1248 all cases except mua_wrapper, try to write to log_stderr. */
1250 if (flags & LOG_PANIC)
1252 if (log_stderr && log_stderr != debug_file && !mua_wrapper)
1253 fprintf(log_stderr, "%s", CS string_from_gstring(g));
1255 if (logging_mode & LOG_MODE_SYSLOG)
1256 write_syslog(LOG_ALERT, log_buffer);
1258 /* If this panic logging was caused by a failure to open the main log,
1259 the original log line is in panic_save_buffer. Make an attempt to write it. */
1261 if (logging_mode & LOG_MODE_FILE)
1263 panic_recurseflag = TRUE;
1264 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1265 panic_recurseflag = FALSE;
1267 if (panic_save_buffer)
1268 (void) write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1270 if ((written_len = write_gstring_to_fd_buf(paniclogfd, g)) != g->ptr)
1272 int save_errno = errno;
1273 write_syslog(LOG_CRIT, log_buffer);
1274 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1275 "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
1276 write_syslog(LOG_CRIT, string_from_gstring(g));
1277 flags |= LOG_PANIC_DIE;
1280 (void)close(paniclogfd);
1283 /* Give up if the DIE flag is set */
1285 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1287 kill(getpid(), SIGSEGV); /* deliberate trap */
1289 die(NULL, US"Unexpected failure, please try later");
1295 /*************************************************
1296 * Close any open log files *
1297 *************************************************/
1303 { (void)close(mainlogfd); mainlogfd = -1; }
1304 if (rejectlogfd >= 0)
1305 { (void)close(rejectlogfd); rejectlogfd = -1; }
1307 syslog_open = FALSE;
1312 /*************************************************
1313 * Multi-bit set or clear *
1314 *************************************************/
1316 /* These functions take a list of bit indexes (terminated by -1) and
1317 clear or set the corresponding bits in the selector.
1320 selector address of the bit string
1321 selsize number of words in the bit string
1322 bits list of bits to set
1326 bits_clear(unsigned int *selector, size_t selsize, int *bits)
1328 for(; *bits != -1; ++bits)
1329 BIT_CLEAR(selector, selsize, *bits);
1333 bits_set(unsigned int *selector, size_t selsize, int *bits)
1335 for(; *bits != -1; ++bits)
1336 BIT_SET(selector, selsize, *bits);
1341 /*************************************************
1342 * Decode bit settings for log/debug *
1343 *************************************************/
1345 /* This function decodes a string containing bit settings in the form of +name
1346 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1347 also recognizes a numeric setting of the form =<number>, but this is not
1348 intended for user use. It's an easy way for Exim to pass the debug settings
1349 when it is re-exec'ed.
1351 The option table is a list of names and bit indexes. The index -1
1352 means "set all bits, except for those listed in notall". The notall
1353 list is terminated by -1.
1355 The action taken for bad values varies depending upon why we're here.
1356 For log messages, or if the debugging is triggered from config, then we write
1357 to the log on the way out. For debug setting triggered from the command-line,
1358 we treat it as an unknown option: error message to stderr and die.
1361 selector address of the bit string
1362 selsize number of words in the bit string
1363 notall list of bits to exclude from "all"
1364 string the configured string
1365 options the table of option names
1367 which "log" or "debug"
1368 flags DEBUG_FROM_CONFIG
1370 Returns: nothing on success - bomb out on failure
1374 decode_bits(unsigned int * selector, size_t selsize, int * notall,
1375 const uschar * string, bit_table * options, int count, uschar * which,
1379 if (!string) return;
1383 char *end; /* Not uschar */
1384 memset(selector, 0, sizeof(*selector)*selsize);
1385 *selector = strtoul(CCS string+1, &end, 0);
1387 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1392 /* Handle symbolic setting */
1399 bit_table * start, * end;
1401 Uskip_whitespace(&string);
1402 if (!*string) return;
1404 if (*string != '+' && *string != '-')
1406 errmsg = string_sprintf("malformed %s_selector setting: "
1407 "+ or - expected but found \"%s\"", which, string);
1411 adding = *string++ == '+';
1413 while (isalnum(*string) || *string == '_') string++;
1417 end = options + count;
1421 bit_table *middle = start + (end - start)/2;
1422 int c = Ustrncmp(s, middle->name, len);
1424 if (middle->name[len] != 0) c = -1; else
1426 unsigned int bit = middle->bit;
1432 memset(selector, -1, sizeof(*selector)*selsize);
1433 bits_clear(selector, selsize, notall);
1436 memset(selector, 0, sizeof(*selector)*selsize);
1439 BIT_SET(selector, selsize, bit);
1441 BIT_CLEAR(selector, selsize, bit);
1443 break; /* Out of loop to match selector name */
1445 if (c < 0) end = middle; else start = middle + 1;
1446 } /* Loop to match selector name */
1450 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1451 adding? '+' : '-', len, s);
1454 } /* Loop for selector names */
1456 /* Handle disasters */
1459 if (Ustrcmp(which, "debug") == 0)
1461 if (flags & DEBUG_FROM_CONFIG)
1463 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1466 fprintf(stderr, "exim: %s\n", errmsg);
1467 exim_exit(EXIT_FAILURE);
1469 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1474 /*************************************************
1475 * Activate a debug logfile (late) *
1476 *************************************************/
1478 /* Normally, debugging is activated from the command-line; it may be useful
1479 within the configuration to activate debugging later, based on certain
1480 conditions. If debugging is already in progress, we return early, no action
1481 taken (besides debug-logging that we wanted debug-logging).
1483 Failures in options are not fatal but will result in paniclog entries for the
1486 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1487 which can be combined with conditions, etc, to activate extra logging only
1488 for certain sources. The second use is inetd wait mode debug preservation.
1490 It might be nice, in ACL-initiated pretrigger mode, to not create the file
1491 immediately but only upon a trigger - but we'd need another cmdline option
1492 to pass the name through child_exxec_exim(). */
1495 debug_logging_activate(const uschar * tag_name, const uschar * opts)
1499 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1500 "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
1504 if (tag_name && (Ustrchr(tag_name, '/') != NULL))
1506 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1511 debug_selector = D_default;
1513 decode_bits(&debug_selector, 1, debug_notall, opts,
1514 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1516 /* When activating from a transport process we may never have logged at all
1517 resulting in certain setup not having been done. Hack this for now so we
1518 do not segfault; note that nondefault log locations will not work */
1520 if (!*file_path) set_file_path();
1522 open_log(&debug_fd, lt_debug, tag_name);
1525 debug_file = fdopen(debug_fd, "w");
1527 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
1532 debug_logging_from_spool(const uschar * filename)
1536 Ustrncpy(debuglog_name, filename, sizeof(debuglog_name));
1537 if ((debug_fd = log_open_as_exim(filename)) >= 0)
1538 debug_file = fdopen(debug_fd, "w");
1539 DEBUG(D_deliver) debug_printf("debug enabled by spoolfile\n");
1542 else DEBUG(D_deliver)
1543 debug_printf("debug already active; ignoring spoolfile '%s'\n", filename);
1549 debug_logging_stop(BOOL kill)
1551 debug_printf("debug terminated by %s\n", kill ? "kill" : "stop");
1552 debug_pretrigger_discard();
1553 if (!debug_file || !debuglog_name[0]) return;
1559 if (kill) unlink_log(lt_debug);