1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 - 2021 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* The main code for delivering a message. */
13 #include "transports/smtp.h"
18 /* Data block for keeping track of subprocesses for parallel remote
21 typedef struct pardata {
22 address_item *addrlist; /* chain of addresses */
23 address_item *addr; /* next address data expected for */
24 pid_t pid; /* subprocess pid */
25 int fd; /* pipe fd for getting result from subprocess */
26 int transport_count; /* returned transport count value */
27 BOOL done; /* no more data needed */
28 uschar *msg; /* error message */
29 uschar *return_path; /* return_path for these addresses */
32 /* Values for the process_recipients variable */
34 enum { RECIP_ACCEPT, RECIP_IGNORE, RECIP_DEFER,
35 RECIP_FAIL, RECIP_FAIL_FILTER, RECIP_FAIL_TIMEOUT,
38 /* Mutually recursive functions for marking addresses done. */
40 static void child_done(address_item *, uschar *);
41 static void address_done(address_item *, uschar *);
43 /* Table for turning base-62 numbers into binary */
45 static uschar tab62[] =
46 {0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0, /* 0-9 */
47 0,10,11,12,13,14,15,16,17,18,19,20, /* A-K */
48 21,22,23,24,25,26,27,28,29,30,31,32, /* L-W */
49 33,34,35, 0, 0, 0, 0, 0, /* X-Z */
50 0,36,37,38,39,40,41,42,43,44,45,46, /* a-k */
51 47,48,49,50,51,52,53,54,55,56,57,58, /* l-w */
55 /*************************************************
56 * Local static variables *
57 *************************************************/
59 /* addr_duplicate is global because it needs to be seen from the Envelope-To
62 static address_item *addr_defer = NULL;
63 static address_item *addr_failed = NULL;
64 static address_item *addr_fallback = NULL;
65 static address_item *addr_local = NULL;
66 static address_item *addr_new = NULL;
67 static address_item *addr_remote = NULL;
68 static address_item *addr_route = NULL;
69 static address_item *addr_succeed = NULL;
70 static address_item *addr_senddsn = NULL;
72 static FILE *message_log = NULL;
73 static BOOL update_spool;
74 static BOOL remove_journal;
75 static int parcount = 0;
76 static pardata *parlist = NULL;
77 static struct pollfd *parpoll;
78 static int return_count;
79 static uschar *frozen_info = US"";
80 static uschar *used_return_path = NULL;
84 /*************************************************
85 * read as much as requested *
86 *************************************************/
88 /* The syscall read(2) doesn't always returns as much as we want. For
89 several reasons it might get less. (Not talking about signals, as syscalls
90 are restartable). When reading from a network or pipe connection the sender
91 might send in smaller chunks, with delays between these chunks. The read(2)
92 may return such a chunk.
94 The more the writer writes and the smaller the pipe between write and read is,
95 the more we get the chance of reading leass than requested. (See bug 2130)
97 This function read(2)s until we got all the data we *requested*.
99 Note: This function may block. Use it only if you're sure about the
100 amount of data you will get.
103 fd the file descriptor to read from
104 buffer pointer to a buffer of size len
105 len the requested(!) amount of bytes
107 Returns: the amount of bytes read
110 readn(int fd, void * buffer, size_t len)
112 uschar * next = buffer;
113 uschar * end = next + len;
117 ssize_t got = read(fd, next, end - next);
119 /* I'm not sure if there are signals that can interrupt us,
120 for now I assume the worst */
121 if (got == -1 && errno == EINTR) continue;
122 if (got <= 0) return next - US buffer;
130 /*************************************************
131 * Make a new address item *
132 *************************************************/
134 /* This function gets the store and initializes with default values. The
135 transport_return value defaults to DEFER, so that any unexpected failure to
136 deliver does not wipe out the message. The default unique string is set to a
137 copy of the address, so that its domain can be lowercased.
140 address the RFC822 address string
141 copy force a copy of the address
143 Returns: a pointer to an initialized address_item
147 deliver_make_addr(uschar *address, BOOL copy)
149 address_item *addr = store_get(sizeof(address_item), FALSE);
150 *addr = address_defaults;
151 if (copy) address = string_copy(address);
152 addr->address = address;
153 addr->unique = string_copy(address);
160 /*************************************************
161 * Set expansion values for an address *
162 *************************************************/
164 /* Certain expansion variables are valid only when handling an address or
165 address list. This function sets them up or clears the values, according to its
169 addr the address in question, or NULL to clear values
174 deliver_set_expansions(address_item *addr)
178 const uschar ***p = address_expansions;
179 while (*p) **p++ = NULL;
183 /* Exactly what gets set depends on whether there is one or more addresses, and
184 what they contain. These first ones are always set, taking their values from
185 the first address. */
187 if (!addr->host_list)
189 deliver_host = deliver_host_address = US"";
190 deliver_host_port = 0;
194 deliver_host = addr->host_list->name;
195 deliver_host_address = addr->host_list->address;
196 deliver_host_port = addr->host_list->port;
199 deliver_recipients = addr;
200 deliver_address_data = addr->prop.address_data;
201 deliver_domain_data = addr->prop.domain_data;
202 deliver_localpart_data = addr->prop.localpart_data;
203 router_var = addr->prop.variables;
205 /* These may be unset for multiple addresses */
207 deliver_domain = addr->domain;
208 self_hostname = addr->self_hostname;
210 #ifdef EXPERIMENTAL_BRIGHTMAIL
211 bmi_deliver = 1; /* deliver by default */
212 bmi_alt_location = NULL;
213 bmi_base64_verdict = NULL;
214 bmi_base64_tracker_verdict = NULL;
217 /* If there's only one address we can set everything. */
221 address_item *addr_orig;
223 deliver_localpart = addr->local_part;
224 deliver_localpart_prefix = addr->prefix;
225 deliver_localpart_prefix_v = addr->prefix_v;
226 deliver_localpart_suffix = addr->suffix;
227 deliver_localpart_suffix_v = addr->suffix_v;
229 for (addr_orig = addr; addr_orig->parent; addr_orig = addr_orig->parent) ;
230 deliver_domain_orig = addr_orig->domain;
232 /* Re-instate any prefix and suffix in the original local part. In all
233 normal cases, the address will have a router associated with it, and we can
234 choose the caseful or caseless version accordingly. However, when a system
235 filter sets up a pipe, file, or autoreply delivery, no router is involved.
236 In this case, though, there won't be any prefix or suffix to worry about. */
238 deliver_localpart_orig = !addr_orig->router
239 ? addr_orig->local_part
240 : addr_orig->router->caseful_local_part
241 ? addr_orig->cc_local_part
242 : addr_orig->lc_local_part;
244 /* If there's a parent, make its domain and local part available, and if
245 delivering to a pipe or file, or sending an autoreply, get the local
246 part from the parent. For pipes and files, put the pipe or file string
247 into address_pipe and address_file. */
251 deliver_domain_parent = addr->parent->domain;
252 deliver_localpart_parent = !addr->parent->router
253 ? addr->parent->local_part
254 : addr->parent->router->caseful_local_part
255 ? addr->parent->cc_local_part
256 : addr->parent->lc_local_part;
258 /* File deliveries have their own flag because they need to be picked out
259 as special more often. */
261 if (testflag(addr, af_pfr))
263 if (testflag(addr, af_file)) address_file = addr->local_part;
264 else if (deliver_localpart[0] == '|') address_pipe = addr->local_part;
265 deliver_localpart = addr->parent->local_part;
266 deliver_localpart_prefix = addr->parent->prefix;
267 deliver_localpart_prefix_v = addr->parent->prefix_v;
268 deliver_localpart_suffix = addr->parent->suffix;
269 deliver_localpart_suffix_v = addr->parent->suffix_v;
273 #ifdef EXPERIMENTAL_BRIGHTMAIL
274 /* Set expansion variables related to Brightmail AntiSpam */
275 bmi_base64_verdict = bmi_get_base64_verdict(deliver_localpart_orig, deliver_domain_orig);
276 bmi_base64_tracker_verdict = bmi_get_base64_tracker_verdict(bmi_base64_verdict);
277 /* get message delivery status (0 - don't deliver | 1 - deliver) */
278 bmi_deliver = bmi_get_delivery_status(bmi_base64_verdict);
279 /* if message is to be delivered, get eventual alternate location */
280 if (bmi_deliver == 1)
281 bmi_alt_location = bmi_get_alt_location(bmi_base64_verdict);
286 /* For multiple addresses, don't set local part, and leave the domain and
287 self_hostname set only if it is the same for all of them. It is possible to
288 have multiple pipe and file addresses, but only when all addresses have routed
289 to the same pipe or file. */
293 if (testflag(addr, af_pfr))
295 if (testflag(addr, af_file)) address_file = addr->local_part;
296 else if (addr->local_part[0] == '|') address_pipe = addr->local_part;
298 for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
300 if (deliver_domain && Ustrcmp(deliver_domain, addr2->domain) != 0)
301 deliver_domain = NULL;
303 && ( !addr2->self_hostname
304 || Ustrcmp(self_hostname, addr2->self_hostname) != 0
306 self_hostname = NULL;
307 if (!deliver_domain && !self_hostname) break;
315 /*************************************************
316 * Open a msglog file *
317 *************************************************/
319 /* This function is used both for normal message logs, and for files in the
320 msglog directory that are used to catch output from pipes. Try to create the
321 directory if it does not exist. From release 4.21, normal message logs should
322 be created when the message is received.
324 Called from deliver_message(), can be operating as root.
327 filename the file name
328 mode the mode required
329 error used for saying what failed
331 Returns: a file descriptor, or -1 (with errno set)
335 open_msglog_file(uschar *filename, int mode, uschar **error)
337 if (Ustrstr(filename, US"/../"))
338 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
339 "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);
341 for (int i = 2; i > 0; i--)
343 int fd = Uopen(filename,
350 O_WRONLY|O_APPEND|O_CREAT, mode);
353 /* Set the close-on-exec flag and change the owner to the exim uid/gid (this
354 function is called as root). Double check the mode, because the group setting
355 doesn't always get set automatically. */
358 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
360 if (exim_fchown(fd, exim_uid, exim_gid, filename) < 0)
365 if (fchmod(fd, mode) < 0)
375 (void)directory_make(spool_directory,
376 spool_sname(US"msglog", message_subdir),
377 MSGLOG_DIRECTORY_MODE, TRUE);
380 *error = US"create or open";
387 /*************************************************
388 * Write to msglog if required *
389 *************************************************/
391 /* Write to the message log, if configured. This function may also be called
395 format a string format
401 deliver_msglog(const char *format, ...)
404 if (!message_logs) return;
405 va_start(ap, format);
406 vfprintf(message_log, format, ap);
414 /*************************************************
415 * Replicate status for batch *
416 *************************************************/
418 /* When a transport handles a batch of addresses, it may treat them
419 individually, or it may just put the status in the first one, and return FALSE,
420 requesting that the status be copied to all the others externally. This is the
421 replication function. As well as the status, it copies the transport pointer,
422 which may have changed if appendfile passed the addresses on to a different
425 Argument: pointer to the first address in a chain
430 replicate_status(address_item *addr)
432 for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
434 addr2->transport = addr->transport;
435 addr2->transport_return = addr->transport_return;
436 addr2->basic_errno = addr->basic_errno;
437 addr2->more_errno = addr->more_errno;
438 addr2->delivery_time = addr->delivery_time;
439 addr2->special_action = addr->special_action;
440 addr2->message = addr->message;
441 addr2->user_message = addr->user_message;
447 /*************************************************
448 * Compare lists of hosts *
449 *************************************************/
451 /* This function is given two pointers to chains of host items, and it yields
452 TRUE if the lists refer to the same hosts in the same order, except that
454 (1) Multiple hosts with the same non-negative MX values are permitted to appear
455 in different orders. Round-robinning nameservers can cause this to happen.
457 (2) Multiple hosts with the same negative MX values less than MX_NONE are also
458 permitted to appear in different orders. This is caused by randomizing
461 This enables Exim to use a single SMTP transaction for sending to two entirely
462 different domains that happen to end up pointing at the same hosts.
464 We do not try to batch up different A-record host names that refer to the
468 one points to the first host list
469 two points to the second host list
471 Returns: TRUE if the lists refer to the same host set
475 same_hosts(host_item *one, host_item *two)
479 if (Ustrcmp(one->name, two->name) != 0)
482 host_item *end_one = one;
483 host_item *end_two = two;
485 /* Batch up only if there was no MX and the list was not randomized */
487 if (mx == MX_NONE) return FALSE;
489 /* Find the ends of the shortest sequence of identical MX values */
491 while ( end_one->next && end_one->next->mx == mx
492 && end_two->next && end_two->next->mx == mx)
494 end_one = end_one->next;
495 end_two = end_two->next;
498 /* If there aren't any duplicates, there's no match. */
500 if (end_one == one) return FALSE;
502 /* For each host in the 'one' sequence, check that it appears in the 'two'
503 sequence, returning FALSE if not. */
508 for (hi = two; hi != end_two->next; hi = hi->next)
509 if (Ustrcmp(one->name, hi->name) == 0) break;
510 if (hi == end_two->next) return FALSE;
511 if (one == end_one) break;
515 /* All the hosts in the 'one' sequence were found in the 'two' sequence.
516 Ensure both are pointing at the last host, and carry on as for equality. */
521 /* if the names matched but ports do not, mismatch */
522 else if (one->port != two->port)
526 /* DNSSEC equality */
527 if (one->dnssec != two->dnssec) return FALSE;
535 /* True if both are NULL */
542 /*************************************************
543 * Compare header lines *
544 *************************************************/
546 /* This function is given two pointers to chains of header items, and it yields
547 TRUE if they are the same header texts in the same order.
550 one points to the first header list
551 two points to the second header list
553 Returns: TRUE if the lists refer to the same header set
557 same_headers(header_line *one, header_line *two)
559 for (;; one = one->next, two = two->next)
561 if (one == two) return TRUE; /* Includes the case where both NULL */
562 if (!one || !two) return FALSE;
563 if (Ustrcmp(one->text, two->text) != 0) return FALSE;
569 /*************************************************
570 * Compare string settings *
571 *************************************************/
573 /* This function is given two pointers to strings, and it returns
574 TRUE if they are the same pointer, or if the two strings are the same.
577 one points to the first string
578 two points to the second string
580 Returns: TRUE or FALSE
584 same_strings(uschar *one, uschar *two)
586 if (one == two) return TRUE; /* Includes the case where both NULL */
587 if (!one || !two) return FALSE;
588 return (Ustrcmp(one, two) == 0);
593 /*************************************************
594 * Compare uid/gid for addresses *
595 *************************************************/
597 /* This function is given a transport and two addresses. It yields TRUE if the
598 uid/gid/initgroups settings for the two addresses are going to be the same when
603 addr1 the first address
604 addr2 the second address
606 Returns: TRUE or FALSE
610 same_ugid(transport_instance *tp, address_item *addr1, address_item *addr2)
612 if ( !tp->uid_set && !tp->expand_uid
613 && !tp->deliver_as_creator
614 && ( testflag(addr1, af_uid_set) != testflag(addr2, af_gid_set)
615 || ( testflag(addr1, af_uid_set)
616 && ( addr1->uid != addr2->uid
617 || testflag(addr1, af_initgroups) != testflag(addr2, af_initgroups)
621 if ( !tp->gid_set && !tp->expand_gid
622 && ( testflag(addr1, af_gid_set) != testflag(addr2, af_gid_set)
623 || ( testflag(addr1, af_gid_set)
624 && addr1->gid != addr2->gid
634 /*************************************************
635 * Record that an address is complete *
636 *************************************************/
638 /* This function records that an address is complete. This is straightforward
639 for most addresses, where the unique address is just the full address with the
640 domain lower cased. For homonyms (addresses that are the same as one of their
641 ancestors) their are complications. Their unique addresses have \x\ prepended
642 (where x = 0, 1, 2...), so that de-duplication works correctly for siblings and
645 Exim used to record the unique addresses of homonyms as "complete". This,
646 however, fails when the pattern of redirection varies over time (e.g. if taking
647 unseen copies at only some times of day) because the prepended numbers may vary
648 from one delivery run to the next. This problem is solved by never recording
649 prepended unique addresses as complete. Instead, when a homonymic address has
650 actually been delivered via a transport, we record its basic unique address
651 followed by the name of the transport. This is checked in subsequent delivery
652 runs whenever an address is routed to a transport.
654 If the completed address is a top-level one (has no parent, which means it
655 cannot be homonymic) we also add the original address to the non-recipients
656 tree, so that it gets recorded in the spool file and therefore appears as
657 "done" in any spool listings. The original address may differ from the unique
658 address in the case of the domain.
660 Finally, this function scans the list of duplicates, marks as done any that
661 match this address, and calls child_done() for their ancestors.
664 addr address item that has been completed
665 now current time as a string
671 address_done(address_item *addr, uschar *now)
673 update_spool = TRUE; /* Ensure spool gets updated */
675 /* Top-level address */
679 tree_add_nonrecipient(addr->unique);
680 tree_add_nonrecipient(addr->address);
683 /* Homonymous child address */
685 else if (testflag(addr, af_homonym))
688 tree_add_nonrecipient(
689 string_sprintf("%s/%s", addr->unique + 3, addr->transport->name));
692 /* Non-homonymous child address */
694 else tree_add_nonrecipient(addr->unique);
696 /* Check the list of duplicate addresses and ensure they are now marked
699 for (address_item * dup = addr_duplicate; dup; dup = dup->next)
700 if (Ustrcmp(addr->unique, dup->unique) == 0)
702 tree_add_nonrecipient(dup->unique);
703 child_done(dup, now);
710 /*************************************************
711 * Decrease counts in parents and mark done *
712 *************************************************/
714 /* This function is called when an address is complete. If there is a parent
715 address, its count of children is decremented. If there are still other
716 children outstanding, the function exits. Otherwise, if the count has become
717 zero, address_done() is called to mark the parent and its duplicates complete.
718 Then loop for any earlier ancestors.
721 addr points to the completed address item
722 now the current time as a string, for writing to the message log
728 child_done(address_item *addr, uschar *now)
735 if (--addr->child_count > 0) return; /* Incomplete parent */
736 address_done(addr, now);
738 /* Log the completion of all descendents only when there is no ancestor with
739 the same original address. */
741 for (aa = addr->parent; aa; aa = aa->parent)
742 if (Ustrcmp(aa->address, addr->address) == 0) break;
745 deliver_msglog("%s %s: children all complete\n", now, addr->address);
746 DEBUG(D_deliver) debug_printf("%s: children all complete\n", addr->address);
752 /*************************************************
753 * Delivery logging support functions *
754 *************************************************/
756 /* The LOGGING() checks in d_log_interface() are complicated for backwards
757 compatibility. When outgoing interface logging was originally added, it was
758 conditional on just incoming_interface (which is off by default). The
759 outgoing_interface option is on by default to preserve this behaviour, but
760 you can enable incoming_interface and disable outgoing_interface to get I=
761 fields on incoming lines only.
765 addr The address to be logged
767 Returns: New value for s
771 d_log_interface(gstring * g)
773 if (LOGGING(incoming_interface) && LOGGING(outgoing_interface)
774 && sending_ip_address)
776 g = string_fmt_append(g, " I=[%s]", sending_ip_address);
777 if (LOGGING(outgoing_port))
778 g = string_fmt_append(g, ":%d", sending_port);
786 d_hostlog(gstring * g, address_item * addr)
788 host_item * h = addr->host_used;
790 g = string_append(g, 2, US" H=", h->name);
792 if (LOGGING(dnssec) && h->dnssec == DS_YES)
793 g = string_catn(g, US" DS", 3);
795 g = string_append(g, 3, US" [", h->address, US"]");
797 if (LOGGING(outgoing_port))
798 g = string_fmt_append(g, ":%d", h->port);
800 if (continue_sequence > 1) /*XXX this is wrong for a dropped proxyconn. Would have to pass back from transport */
801 g = string_catn(g, US"*", 1);
804 if (LOGGING(proxy) && proxy_local_address)
806 g = string_append(g, 3, US" PRX=[", proxy_local_address, US"]");
807 if (LOGGING(outgoing_port))
808 g = string_fmt_append(g, ":%d", proxy_local_port);
812 g = d_log_interface(g);
814 if (testflag(addr, af_tcp_fastopen))
815 g = string_catn(g, US" TFO*", testflag(addr, af_tcp_fastopen_data) ? 5 : 4);
826 d_tlslog(gstring * g, address_item * addr)
828 if (LOGGING(tls_cipher) && addr->cipher)
830 g = string_append(g, 2, US" X=", addr->cipher);
831 #ifndef DISABLE_TLS_RESUME
832 if (LOGGING(tls_resumption) && testflag(addr, af_tls_resume))
833 g = string_catn(g, US"*", 1);
836 if (LOGGING(tls_certificate_verified) && addr->cipher)
837 g = string_append(g, 2, US" CV=",
838 testflag(addr, af_cert_verified)
841 testflag(addr, af_dane_verified)
847 if (LOGGING(tls_peerdn) && addr->peerdn)
848 g = string_append(g, 3, US" DN=\"", string_printing(addr->peerdn), US"\"");
856 #ifndef DISABLE_EVENT
857 /* Distribute a named event to any listeners.
859 Args: action config option specifying listener
860 event name of the event
861 ev_data associated data for the event
862 errnop pointer to errno for modification, or null
864 Return: string expansion from listener, or NULL
868 event_raise(uschar * action, const uschar * event, uschar * ev_data, int * errnop)
874 debug_printf("Event(%s): event_action=|%s| delivery_IP=%s\n",
876 action, deliver_host_address);
879 event_data = ev_data;
881 if (!(s = expand_string(action)) && *expand_string_message)
882 log_write(0, LOG_MAIN|LOG_PANIC,
883 "failed to expand event_action %s in %s: %s\n",
884 event, transport_name ? transport_name : US"main", expand_string_message);
886 event_name = event_data = NULL;
888 /* If the expansion returns anything but an empty string, flag for
889 the caller to modify his normal processing
894 debug_printf("Event(%s): event_action returned \"%s\"\n", event, s);
896 *errnop = ERRNO_EVENT;
904 msg_event_raise(const uschar * event, const address_item * addr)
906 const uschar * save_domain = deliver_domain;
907 uschar * save_local = deliver_localpart;
908 const uschar * save_host = deliver_host;
909 const uschar * save_address = deliver_host_address;
910 const int save_port = deliver_host_port;
912 router_name = addr->router ? addr->router->name : NULL;
913 deliver_domain = addr->domain;
914 deliver_localpart = addr->local_part;
915 deliver_host = addr->host_used ? addr->host_used->name : NULL;
917 if (!addr->transport)
919 if (Ustrcmp(event, "msg:fail:delivery") == 0)
921 /* An address failed with no transport involved. This happens when
922 a filter was used which triggered a fail command (in such a case
923 a transport isn't needed). Convert it to an internal fail event. */
925 (void) event_raise(event_action, US"msg:fail:internal", addr->message, NULL);
930 transport_name = addr->transport->name;
932 (void) event_raise(addr->transport->event_action, event,
934 || Ustrcmp(addr->transport->driver_name, "smtp") == 0
935 || Ustrcmp(addr->transport->driver_name, "lmtp") == 0
936 || Ustrcmp(addr->transport->driver_name, "autoreply") == 0
937 ? addr->message : NULL,
941 deliver_host_port = save_port;
942 deliver_host_address = save_address;
943 deliver_host = save_host;
944 deliver_localpart = save_local;
945 deliver_domain = save_domain;
946 router_name = transport_name = NULL;
948 #endif /*DISABLE_EVENT*/
952 /******************************************************************************/
955 /*************************************************
956 * Generate local prt for logging *
957 *************************************************/
959 /* This function is a subroutine for use in string_log_address() below.
962 addr the address being logged
963 yield the current dynamic buffer pointer
965 Returns: the new value of the buffer pointer
969 string_get_localpart(address_item * addr, gstring * yield)
974 if (testflag(addr, af_include_affixes) && s)
977 if (testflag(addr, af_utf8_downcvt))
978 s = string_localpart_utf8_to_alabel(s, NULL);
980 yield = string_cat(yield, s);
983 s = addr->local_part;
985 if (testflag(addr, af_utf8_downcvt))
986 s = string_localpart_utf8_to_alabel(s, NULL);
988 yield = string_cat(yield, s);
991 if (testflag(addr, af_include_affixes) && s)
994 if (testflag(addr, af_utf8_downcvt))
995 s = string_localpart_utf8_to_alabel(s, NULL);
997 yield = string_cat(yield, s);
1004 /*************************************************
1005 * Generate log address list *
1006 *************************************************/
1008 /* This function generates a list consisting of an address and its parents, for
1009 use in logging lines. For saved onetime aliased addresses, the onetime parent
1010 field is used. If the address was delivered by a transport with rcpt_include_
1011 affixes set, the af_include_affixes bit will be set in the address. In that
1012 case, we include the affixes here too.
1015 g points to growing-string struct
1016 addr bottom (ultimate) address
1017 all_parents if TRUE, include all parents
1018 success TRUE for successful delivery
1020 Returns: a growable string in dynamic store
1024 string_log_address(gstring * g,
1025 address_item *addr, BOOL all_parents, BOOL success)
1027 BOOL add_topaddr = TRUE;
1028 address_item *topaddr;
1030 /* Find the ultimate parent */
1032 for (topaddr = addr; topaddr->parent; topaddr = topaddr->parent) ;
1034 /* We start with just the local part for pipe, file, and reply deliveries, and
1035 for successful local deliveries from routers that have the log_as_local flag
1036 set. File deliveries from filters can be specified as non-absolute paths in
1037 cases where the transport is going to complete the path. If there is an error
1038 before this happens (expansion failure) the local part will not be updated, and
1039 so won't necessarily look like a path. Add extra text for this case. */
1041 if ( testflag(addr, af_pfr)
1043 && addr->router && addr->router->log_as_local
1044 && addr->transport && addr->transport->info->local
1047 if (testflag(addr, af_file) && addr->local_part[0] != '/')
1048 g = string_catn(g, CUS"save ", 5);
1049 g = string_get_localpart(addr, g);
1052 /* Other deliveries start with the full address. It we have split it into local
1053 part and domain, use those fields. Some early failures can happen before the
1054 splitting is done; in those cases use the original field. */
1059 int off = g->ptr; /* start of the "full address" */
1061 if (addr->local_part)
1064 g = string_get_localpart(addr, g);
1065 g = string_catn(g, US"@", 1);
1068 if (testflag(addr, af_utf8_downcvt))
1069 s = string_localpart_utf8_to_alabel(s, NULL);
1071 g = string_cat(g, s);
1074 g = string_cat(g, addr->address);
1076 /* If the address we are going to print is the same as the top address,
1077 and all parents are not being included, don't add on the top address. First
1078 of all, do a caseless comparison; if this succeeds, do a caseful comparison
1079 on the local parts. */
1081 cmp = g->s + off; /* only now, as rebuffer likely done */
1082 string_from_gstring(g); /* ensure nul-terminated */
1083 if ( strcmpic(cmp, topaddr->address) == 0
1084 && Ustrncmp(cmp, topaddr->address, Ustrchr(cmp, '@') - cmp) == 0
1085 && !addr->onetime_parent
1086 && (!all_parents || !addr->parent || addr->parent == topaddr)
1088 add_topaddr = FALSE;
1091 /* If all parents are requested, or this is a local pipe/file/reply, and
1092 there is at least one intermediate parent, show it in brackets, and continue
1093 with all of them if all are wanted. */
1095 if ( (all_parents || testflag(addr, af_pfr))
1097 && addr->parent != topaddr)
1100 for (address_item * addr2 = addr->parent; addr2 != topaddr; addr2 = addr2->parent)
1102 g = string_catn(g, s, 2);
1103 g = string_cat (g, addr2->address);
1104 if (!all_parents) break;
1107 g = string_catn(g, US")", 1);
1110 /* Add the top address if it is required */
1113 g = string_append(g, 3,
1115 addr->onetime_parent ? addr->onetime_parent : topaddr->address,
1123 /******************************************************************************/
1127 /* If msg is NULL this is a delivery log and logchar is used. Otherwise
1128 this is a nonstandard call; no two-character delivery flag is written
1129 but sender-host and sender are prefixed and "msg" is inserted in the log line.
1132 flags passed to log_write()
1135 delivery_log(int flags, address_item * addr, int logchar, uschar * msg)
1137 gstring * g; /* Used for a temporary, expanding buffer, for building log lines */
1140 /* Log the delivery on the main log. We use an extensible string to build up
1141 the log line, and reset the store afterwards. Remote deliveries should always
1142 have a pointer to the host item that succeeded; local deliveries can have a
1143 pointer to a single host item in their host list, for use by the transport. */
1145 #ifndef DISABLE_EVENT
1146 /* presume no successful remote delivery */
1147 lookup_dnssec_authenticated = NULL;
1150 reset_point = store_mark();
1151 g = string_get_tainted(256, TRUE); /* addrs will be tainted, so avoid copy */
1154 g = string_append(g, 2, host_and_ident(TRUE), US" ");
1157 g->s[0] = logchar; g->ptr = 1;
1158 g = string_catn(g, US"> ", 2);
1160 g = string_log_address(g, addr, LOGGING(all_parents), TRUE);
1162 if (LOGGING(sender_on_delivery) || msg)
1163 g = string_append(g, 3, US" F=<",
1165 testflag(addr, af_utf8_downcvt)
1166 ? string_address_utf8_to_alabel(sender_address, NULL)
1173 g = string_append(g, 2, US" Q=", queue_name);
1175 #ifdef EXPERIMENTAL_SRS_ALT
1176 if(addr->prop.srs_sender)
1177 g = string_append(g, 3, US" SRS=<", addr->prop.srs_sender, US">");
1180 /* You might think that the return path must always be set for a successful
1181 delivery; indeed, I did for some time, until this statement crashed. The case
1182 when it is not set is for a delivery to /dev/null which is optimised by not
1183 being run at all. */
1185 if (used_return_path && LOGGING(return_path_on_delivery))
1186 g = string_append(g, 3, US" P=<", used_return_path, US">");
1189 g = string_append(g, 2, US" ", msg);
1191 /* For a delivery from a system filter, there may not be a router */
1193 g = string_append(g, 2, US" R=", addr->router->name);
1195 g = string_append(g, 2, US" T=", addr->transport->name);
1197 if (LOGGING(delivery_size))
1198 g = string_fmt_append(g, " S=%d", transport_count);
1200 /* Local delivery */
1202 if (addr->transport->info->local)
1204 if (addr->host_list)
1205 g = string_append(g, 2, US" H=", addr->host_list->name);
1206 g = d_log_interface(g);
1207 if (addr->shadow_message)
1208 g = string_cat(g, addr->shadow_message);
1211 /* Remote delivery */
1215 if (addr->host_used)
1217 g = d_hostlog(g, addr);
1219 #ifndef DISABLE_EVENT
1220 deliver_host_address = addr->host_used->address;
1221 deliver_host_port = addr->host_used->port;
1222 deliver_host = addr->host_used->name;
1224 /* DNS lookup status */
1225 lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes"
1226 : addr->host_used->dnssec==DS_NO ? US"no"
1232 g = d_tlslog(g, addr);
1235 if (addr->authenticator)
1237 g = string_append(g, 2, US" A=", addr->authenticator);
1240 g = string_append(g, 2, US":", addr->auth_id);
1241 if (LOGGING(smtp_mailauth) && addr->auth_sndr)
1242 g = string_append(g, 2, US":", addr->auth_sndr);
1246 if (LOGGING(pipelining))
1248 if (testflag(addr, af_pipelining))
1249 g = string_catn(g, US" L", 2);
1250 #ifndef DISABLE_PIPE_CONNECT
1251 if (testflag(addr, af_early_pipe))
1252 g = string_catn(g, US"*", 1);
1256 #ifndef DISABLE_PRDR
1257 if (testflag(addr, af_prdr_used))
1258 g = string_catn(g, US" PRDR", 5);
1261 if (testflag(addr, af_chunking_used))
1262 g = string_catn(g, US" K", 2);
1265 /* confirmation message (SMTP (host_used) and LMTP (driver_name)) */
1267 if ( LOGGING(smtp_confirmation)
1269 && (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0)
1272 unsigned lim = big_buffer_size < 1024 ? big_buffer_size : 1024;
1273 uschar *p = big_buffer;
1274 uschar *ss = addr->message;
1276 for (int i = 0; i < lim && ss[i] != 0; i++) /* limit logged amount */
1278 if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */
1283 g = string_append(g, 2, US" C=", big_buffer);
1286 /* Time on queue and actual time taken to deliver */
1288 if (LOGGING(queue_time))
1289 g = string_append(g, 2, US" QT=", string_timesince(
1290 LOGGING(queue_time_exclusive) ? &received_time_complete : &received_time));
1292 if (LOGGING(deliver_time))
1293 g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));
1295 /* string_cat() always leaves room for the terminator. Release the
1296 store we used to build the line after writing it. */
1298 log_write(0, flags, "%s", string_from_gstring(g));
1300 #ifndef DISABLE_EVENT
1301 if (!msg) msg_event_raise(US"msg:delivery", addr);
1304 store_reset(reset_point);
1311 deferral_log(address_item * addr, uschar * now,
1312 int logflags, uschar * driver_name, uschar * driver_kind)
1314 rmark reset_point = store_mark();
1315 gstring * g = string_get(256);
1317 /* Build up the line that is used for both the message log and the main
1320 /* Create the address string for logging. Must not do this earlier, because
1321 an OK result may be changed to FAIL when a pipe returns text. */
1323 g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
1326 g = string_append(g, 2, US" Q=", queue_name);
1328 /* Either driver_name contains something and driver_kind contains
1329 " router" or " transport" (note the leading space), or driver_name is
1330 a null string and driver_kind contains "routing" without the leading
1331 space, if all routing has been deferred. When a domain has been held,
1332 so nothing has been done at all, both variables contain null strings. */
1336 if (driver_kind[1] == 't' && addr->router)
1337 g = string_append(g, 2, US" R=", addr->router->name);
1338 g = string_fmt_append(g, " %c=%s", toupper(driver_kind[1]), driver_name);
1340 else if (driver_kind)
1341 g = string_append(g, 2, US" ", driver_kind);
1343 g = string_fmt_append(g, " defer (%d)", addr->basic_errno);
1345 if (addr->basic_errno > 0)
1346 g = string_append(g, 2, US": ", US strerror(addr->basic_errno));
1348 if (addr->host_used)
1349 g = d_hostlog(g, addr);
1351 if (LOGGING(deliver_time))
1352 g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));
1355 g = string_append(g, 2, US": ", addr->message);
1357 (void) string_from_gstring(g);
1359 /* Log the deferment in the message log, but don't clutter it
1360 up with retry-time defers after the first delivery attempt. */
1362 if (f.deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
1363 deliver_msglog("%s %s\n", now, g->s);
1365 /* Write the main log and reset the store.
1366 For errors of the type "retry time not reached" (also remotes skipped
1367 on queue run), logging is controlled by L_retry_defer. Note that this kind
1368 of error number is negative, and all the retry ones are less than any
1372 log_write(addr->basic_errno <= ERRNO_RETRY_BASE ? L_retry_defer : 0, logflags,
1375 store_reset(reset_point);
1382 failure_log(address_item * addr, uschar * driver_kind, uschar * now)
1384 rmark reset_point = store_mark();
1385 gstring * g = string_get(256);
1387 #ifndef DISABLE_EVENT
1388 /* Message failures for which we will send a DSN get their event raised
1389 later so avoid doing it here. */
1391 if ( !addr->prop.ignore_error
1392 && !(addr->dsn_flags & (rf_dsnflags & ~rf_notify_failure))
1394 msg_event_raise(US"msg:fail:delivery", addr);
1397 /* Build up the log line for the message and main logs */
1399 /* Create the address string for logging. Must not do this earlier, because
1400 an OK result may be changed to FAIL when a pipe returns text. */
1402 g = string_log_address(g, addr, LOGGING(all_parents), FALSE);
1404 if (LOGGING(sender_on_delivery))
1405 g = string_append(g, 3, US" F=<", sender_address, US">");
1408 g = string_append(g, 2, US" Q=", queue_name);
1410 /* Return path may not be set if no delivery actually happened */
1412 if (used_return_path && LOGGING(return_path_on_delivery))
1413 g = string_append(g, 3, US" P=<", used_return_path, US">");
1416 g = string_append(g, 2, US" R=", addr->router->name);
1417 if (addr->transport)
1418 g = string_append(g, 2, US" T=", addr->transport->name);
1420 if (addr->host_used)
1421 g = d_hostlog(g, addr);
1424 g = d_tlslog(g, addr);
1427 if (addr->basic_errno > 0)
1428 g = string_append(g, 2, US": ", US strerror(addr->basic_errno));
1431 g = string_append(g, 2, US": ", addr->message);
1433 if (LOGGING(deliver_time))
1434 g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));
1436 (void) string_from_gstring(g);
1438 /* Do the logging. For the message log, "routing failed" for those cases,
1439 just to make it clearer. */
1442 deliver_msglog("%s %s failed for %s\n", now, driver_kind, g->s);
1444 deliver_msglog("%s %s\n", now, g->s);
1446 log_write(0, LOG_MAIN, "** %s", g->s);
1448 store_reset(reset_point);
1454 /*************************************************
1455 * Actions at the end of handling an address *
1456 *************************************************/
1458 /* This is a function for processing a single address when all that can be done
1459 with it has been done.
1462 addr points to the address block
1463 result the result of the delivery attempt
1464 logflags flags for log_write() (LOG_MAIN and/or LOG_PANIC)
1465 driver_type indicates which type of driver (transport, or router) was last
1466 to process the address
1467 logchar '=' or '-' for use when logging deliveries with => or ->
1473 post_process_one(address_item *addr, int result, int logflags, int driver_type,
1476 uschar *now = tod_stamp(tod_log);
1477 uschar *driver_kind = NULL;
1478 uschar *driver_name = NULL;
1480 DEBUG(D_deliver) debug_printf("post-process %s (%d)\n", addr->address, result);
1482 /* Set up driver kind and name for logging. Disable logging if the router or
1483 transport has disabled it. */
1485 if (driver_type == EXIM_DTYPE_TRANSPORT)
1487 if (addr->transport)
1489 driver_name = addr->transport->name;
1490 driver_kind = US" transport";
1491 f.disable_logging = addr->transport->disable_logging;
1493 else driver_kind = US"transporting";
1495 else if (driver_type == EXIM_DTYPE_ROUTER)
1499 driver_name = addr->router->name;
1500 driver_kind = US" router";
1501 f.disable_logging = addr->router->disable_logging;
1503 else driver_kind = US"routing";
1506 /* If there's an error message set, ensure that it contains only printing
1507 characters - it should, but occasionally things slip in and this at least
1508 stops the log format from getting wrecked. We also scan the message for an LDAP
1509 expansion item that has a password setting, and flatten the password. This is a
1510 fudge, but I don't know a cleaner way of doing this. (If the item is badly
1511 malformed, it won't ever have gone near LDAP.) */
1515 const uschar * s = string_printing(addr->message);
1517 /* deconst cast ok as string_printing known to have alloc'n'copied */
1518 addr->message = expand_hide_passwords(US s);
1521 /* If we used a transport that has one of the "return_output" options set, and
1522 if it did in fact generate some output, then for return_output we treat the
1523 message as failed if it was not already set that way, so that the output gets
1524 returned to the sender, provided there is a sender to send it to. For
1525 return_fail_output, do this only if the delivery failed. Otherwise we just
1526 unlink the file, and remove the name so that if the delivery failed, we don't
1527 try to send back an empty or unwanted file. The log_output options operate only
1528 on a non-empty file.
1530 In any case, we close the message file, because we cannot afford to leave a
1531 file-descriptor for one address while processing (maybe very many) others. */
1533 if (addr->return_file >= 0 && addr->return_filename)
1535 BOOL return_output = FALSE;
1536 struct stat statbuf;
1537 (void)EXIMfsync(addr->return_file);
1539 /* If there is no output, do nothing. */
1541 if (fstat(addr->return_file, &statbuf) == 0 && statbuf.st_size > 0)
1543 transport_instance *tb = addr->transport;
1545 /* Handle logging options */
1548 || result == FAIL && tb->log_fail_output
1549 || result == DEFER && tb->log_defer_output
1553 FILE *f = Ufopen(addr->return_filename, "rb");
1555 log_write(0, LOG_MAIN|LOG_PANIC, "failed to open %s to log output "
1556 "from %s transport: %s", addr->return_filename, tb->name,
1559 if ((s = US Ufgets(big_buffer, big_buffer_size, f)))
1561 uschar *p = big_buffer + Ustrlen(big_buffer);
1563 while (p > big_buffer && isspace(p[-1])) p--;
1565 sp = string_printing(big_buffer);
1566 log_write(0, LOG_MAIN, "<%s>: %s transport output: %s",
1567 addr->address, tb->name, sp);
1572 /* Handle returning options, but only if there is an address to return
1575 if (sender_address[0] != 0 || addr->prop.errors_address)
1576 if (tb->return_output)
1578 addr->transport_return = result = FAIL;
1579 if (addr->basic_errno == 0 && !addr->message)
1580 addr->message = US"return message generated";
1581 return_output = TRUE;
1584 if (tb->return_fail_output && result == FAIL) return_output = TRUE;
1587 /* Get rid of the file unless it might be returned, but close it in
1592 Uunlink(addr->return_filename);
1593 addr->return_filename = NULL;
1594 addr->return_file = -1;
1597 (void)close(addr->return_file);
1600 /* Check if the transport notifed continue-conn status explicitly, and
1601 update our knowlege. */
1603 if (testflag(addr, af_new_conn)) continue_sequence = 1;
1604 else if (testflag(addr, af_cont_conn)) continue_sequence++;
1606 /* The success case happens only after delivery by a transport. */
1610 addr->next = addr_succeed;
1611 addr_succeed = addr;
1613 /* Call address_done() to ensure that we don't deliver to this address again,
1614 and write appropriate things to the message log. If it is a child address, we
1615 call child_done() to scan the ancestors and mark them complete if this is the
1616 last child to complete. */
1618 address_done(addr, now);
1619 DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address);
1622 deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address,
1623 driver_name, driver_kind);
1626 deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address,
1627 addr->parent->address, driver_name, driver_kind);
1628 child_done(addr, now);
1631 /* Certificates for logging (via events) */
1633 tls_out.ourcert = addr->ourcert;
1634 addr->ourcert = NULL;
1635 tls_out.peercert = addr->peercert;
1636 addr->peercert = NULL;
1638 tls_out.ver = addr->tlsver;
1639 tls_out.cipher = addr->cipher;
1640 tls_out.peerdn = addr->peerdn;
1641 tls_out.ocsp = addr->ocsp;
1642 # ifdef SUPPORT_DANE
1643 tls_out.dane_verified = testflag(addr, af_dane_verified);
1647 delivery_log(LOG_MAIN, addr, logchar, NULL);
1650 tls_free_cert(&tls_out.ourcert);
1651 tls_free_cert(&tls_out.peercert);
1653 tls_out.cipher = NULL;
1654 tls_out.peerdn = NULL;
1655 tls_out.ocsp = OCSP_NOT_REQ;
1656 # ifdef SUPPORT_DANE
1657 tls_out.dane_verified = FALSE;
1663 /* Soft failure, or local delivery process failed; freezing may be
1666 else if (result == DEFER || result == PANIC)
1668 if (result == PANIC) logflags |= LOG_PANIC;
1670 /* This puts them on the chain in reverse order. Do not change this, because
1671 the code for handling retries assumes that the one with the retry
1672 information is last. */
1674 addr->next = addr_defer;
1677 /* The only currently implemented special action is to freeze the
1678 message. Logging of this is done later, just before the -H file is
1681 if (addr->special_action == SPECIAL_FREEZE)
1683 f.deliver_freeze = TRUE;
1684 deliver_frozen_at = time(NULL);
1685 update_spool = TRUE;
1688 /* If doing a 2-stage queue run, we skip writing to either the message
1689 log or the main log for SMTP defers. */
1691 if (!f.queue_2stage || addr->basic_errno != 0)
1692 deferral_log(addr, now, logflags, driver_name, driver_kind);
1696 /* Hard failure. If there is an address to which an error message can be sent,
1697 put this address on the failed list. If not, put it on the deferred list and
1698 freeze the mail message for human attention. The latter action can also be
1699 explicitly requested by a router or transport. */
1703 /* If this is a delivery error, or a message for which no replies are
1704 wanted, and the message's age is greater than ignore_bounce_errors_after,
1705 force the af_ignore_error flag. This will cause the address to be discarded
1706 later (with a log entry). */
1708 if (!*sender_address && message_age >= ignore_bounce_errors_after)
1709 addr->prop.ignore_error = TRUE;
1711 /* Freeze the message if requested, or if this is a bounce message (or other
1712 message with null sender) and this address does not have its own errors
1713 address. However, don't freeze if errors are being ignored. The actual code
1714 to ignore occurs later, instead of sending a message. Logging of freezing
1715 occurs later, just before writing the -H file. */
1717 if ( !addr->prop.ignore_error
1718 && ( addr->special_action == SPECIAL_FREEZE
1719 || (sender_address[0] == 0 && !addr->prop.errors_address)
1722 frozen_info = addr->special_action == SPECIAL_FREEZE
1724 : f.sender_local && !f.local_error_message
1725 ? US" (message created with -f <>)"
1726 : US" (delivery error message)";
1727 f.deliver_freeze = TRUE;
1728 deliver_frozen_at = time(NULL);
1729 update_spool = TRUE;
1731 /* The address is put on the defer rather than the failed queue, because
1732 the message is being retained. */
1734 addr->next = addr_defer;
1738 /* Don't put the address on the nonrecipients tree yet; wait until an
1739 error message has been successfully sent. */
1743 addr->next = addr_failed;
1747 failure_log(addr, driver_name ? NULL : driver_kind, now);
1750 /* Ensure logging is turned on again in all cases */
1752 f.disable_logging = FALSE;
1758 /*************************************************
1759 * Address-independent error *
1760 *************************************************/
1762 /* This function is called when there's an error that is not dependent on a
1763 particular address, such as an expansion string failure. It puts the error into
1764 all the addresses in a batch, logs the incident on the main and panic logs, and
1765 clears the expansions. It is mostly called from local_deliver(), but can be
1766 called for a remote delivery via findugid().
1769 logit TRUE if (MAIN+PANIC) logging required
1770 addr the first of the chain of addresses
1772 format format string for error message, or NULL if already set in addr
1773 ... arguments for the format
1779 common_error(BOOL logit, address_item *addr, int code, uschar *format, ...)
1781 addr->basic_errno = code;
1788 va_start(ap, format);
1789 g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, CS format, ap);
1791 addr->message = string_from_gstring(g);
1794 for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
1796 addr2->basic_errno = code;
1797 addr2->message = addr->message;
1800 if (logit) log_write(0, LOG_MAIN|LOG_PANIC, "%s", addr->message);
1801 deliver_set_expansions(NULL);
1807 /*************************************************
1808 * Check a "never users" list *
1809 *************************************************/
1811 /* This function is called to check whether a uid is on one of the two "never
1815 uid the uid to be checked
1816 nusers the list to be scanned; the first item in the list is the count
1818 Returns: TRUE if the uid is on the list
1822 check_never_users(uid_t uid, uid_t *nusers)
1824 if (!nusers) return FALSE;
1825 for (int i = 1; i <= (int)(nusers[0]); i++) if (nusers[i] == uid) return TRUE;
1831 /*************************************************
1832 * Find uid and gid for a transport *
1833 *************************************************/
1835 /* This function is called for both local and remote deliveries, to find the
1836 uid/gid under which to run the delivery. The values are taken preferentially
1837 from the transport (either explicit or deliver_as_creator), then from the
1838 address (i.e. the router), and if nothing is set, the exim uid/gid are used. If
1839 the resulting uid is on the "never_users" or the "fixed_never_users" list, a
1840 panic error is logged, and the function fails (which normally leads to delivery
1844 addr the address (possibly a chain)
1846 uidp pointer to uid field
1847 gidp pointer to gid field
1848 igfp pointer to the use_initgroups field
1850 Returns: FALSE if failed - error has been set in address(es)
1854 findugid(address_item *addr, transport_instance *tp, uid_t *uidp, gid_t *gidp,
1858 BOOL gid_set = FALSE;
1860 /* Default initgroups flag comes from the transport */
1862 *igfp = tp->initgroups;
1864 /* First see if there's a gid on the transport, either fixed or expandable.
1865 The expanding function always logs failure itself. */
1872 else if (tp->expand_gid)
1874 if (!route_find_expanded_group(tp->expand_gid, tp->name, US"transport", gidp,
1877 common_error(FALSE, addr, ERRNO_GIDFAIL, NULL);
1883 /* If the transport did not set a group, see if the router did. */
1885 if (!gid_set && testflag(addr, af_gid_set))
1891 /* Pick up a uid from the transport if one is set. */
1893 if (tp->uid_set) *uidp = tp->uid;
1895 /* Otherwise, try for an expandable uid field. If it ends up as a numeric id,
1896 it does not provide a passwd value from which a gid can be taken. */
1898 else if (tp->expand_uid)
1901 if (!route_find_expanded_user(tp->expand_uid, tp->name, US"transport", &pw,
1902 uidp, &(addr->message)))
1904 common_error(FALSE, addr, ERRNO_UIDFAIL, NULL);
1914 /* If the transport doesn't set the uid, test the deliver_as_creator flag. */
1916 else if (tp->deliver_as_creator)
1918 *uidp = originator_uid;
1921 *gidp = originator_gid;
1926 /* Otherwise see if the address specifies the uid and if so, take it and its
1929 else if (testflag(addr, af_uid_set))
1932 *igfp = testflag(addr, af_initgroups);
1935 /* Nothing has specified the uid - default to the Exim user, and group if the
1948 /* If no gid is set, it is a disaster. We default to the Exim gid only if
1949 defaulting to the Exim uid. In other words, if the configuration has specified
1950 a uid, it must also provide a gid. */
1954 common_error(TRUE, addr, ERRNO_GIDFAIL, US"User set without group for "
1955 "%s transport", tp->name);
1959 /* Check that the uid is not on the lists of banned uids that may not be used
1960 for delivery processes. */
1962 nuname = check_never_users(*uidp, never_users)
1964 : check_never_users(*uidp, fixed_never_users)
1965 ? US"fixed_never_users"
1969 common_error(TRUE, addr, ERRNO_UIDFAIL, US"User %ld set for %s transport "
1970 "is on the %s list", (long int)(*uidp), tp->name, nuname);
1982 /*************************************************
1983 * Check the size of a message for a transport *
1984 *************************************************/
1986 /* Checks that the message isn't too big for the selected transport.
1987 This is called only when it is known that the limit is set.
1991 addr the (first) address being delivered
1994 DEFER expansion failed or did not yield an integer
1995 FAIL message too big
1999 check_message_size(transport_instance *tp, address_item *addr)
2004 deliver_set_expansions(addr);
2005 size_limit = expand_string_integer(tp->message_size_limit, TRUE);
2006 deliver_set_expansions(NULL);
2008 if (expand_string_message)
2011 addr->message = size_limit == -1
2012 ? string_sprintf("failed to expand message_size_limit "
2013 "in %s transport: %s", tp->name, expand_string_message)
2014 : string_sprintf("invalid message_size_limit "
2015 "in %s transport: %s", tp->name, expand_string_message);
2017 else if (size_limit > 0 && message_size > size_limit)
2021 string_sprintf("message is too big (transport limit = %d)",
2030 /*************************************************
2031 * Transport-time check for a previous delivery *
2032 *************************************************/
2034 /* Check that this base address hasn't previously been delivered to its routed
2035 transport. If it has been delivered, mark it done. The check is necessary at
2036 delivery time in order to handle homonymic addresses correctly in cases where
2037 the pattern of redirection changes between delivery attempts (so the unique
2038 fields change). Non-homonymic previous delivery is detected earlier, at routing
2039 time (which saves unnecessary routing).
2042 addr the address item
2043 testing TRUE if testing wanted only, without side effects
2045 Returns: TRUE if previously delivered by the transport
2049 previously_transported(address_item *addr, BOOL testing)
2051 uschar * s = string_sprintf("%s/%s",
2052 addr->unique + (testflag(addr, af_homonym)? 3:0), addr->transport->name);
2054 if (tree_search(tree_nonrecipients, s) != 0)
2056 DEBUG(D_deliver|D_route|D_transport)
2057 debug_printf("%s was previously delivered (%s transport): discarded\n",
2058 addr->address, addr->transport->name);
2059 if (!testing) child_done(addr, tod_stamp(tod_log));
2068 /******************************************************
2069 * Check for a given header in a header string *
2070 ******************************************************/
2072 /* This function is used when generating quota warnings. The configuration may
2073 specify any header lines it likes in quota_warn_message. If certain of them are
2074 missing, defaults are inserted, so we need to be able to test for the presence
2078 hdr the required header name
2079 hstring the header string
2081 Returns: TRUE the header is in the string
2082 FALSE the header is not in the string
2086 contains_header(uschar *hdr, uschar *hstring)
2088 int len = Ustrlen(hdr);
2089 uschar *p = hstring;
2092 if (strncmpic(p, hdr, len) == 0)
2095 while (*p == ' ' || *p == '\t') p++;
2096 if (*p == ':') return TRUE;
2098 while (*p != 0 && *p != '\n') p++;
2099 if (*p == '\n') p++;
2107 /*************************************************
2108 * Perform a local delivery *
2109 *************************************************/
2111 /* Each local delivery is performed in a separate process which sets its
2112 uid and gid as specified. This is a safer way than simply changing and
2113 restoring using seteuid(); there is a body of opinion that seteuid()
2114 cannot be used safely. From release 4, Exim no longer makes any use of
2115 it for delivery. Besides, not all systems have seteuid().
2117 If the uid/gid are specified in the transport_instance, they are used; the
2118 transport initialization must ensure that either both or neither are set.
2119 Otherwise, the values associated with the address are used. If neither are set,
2120 it is a configuration error.
2122 The transport or the address may specify a home directory (transport over-
2123 rides), and if they do, this is set as $home. If neither have set a working
2124 directory, this value is used for that as well. Otherwise $home is left unset
2125 and the cwd is set to "/" - a directory that should be accessible to all users.
2127 Using a separate process makes it more complicated to get error information
2128 back. We use a pipe to pass the return code and also an error code and error
2129 text string back to the parent process.
2132 addr points to an address block for this delivery; for "normal" local
2133 deliveries this is the only address to be delivered, but for
2134 pseudo-remote deliveries (e.g. by batch SMTP to a file or pipe)
2135 a number of addresses can be handled simultaneously, and in this
2136 case addr will point to a chain of addresses with the same
2139 shadowing TRUE if running a shadow transport; this causes output from pipes
2146 deliver_local(address_item *addr, BOOL shadowing)
2148 BOOL use_initgroups;
2151 int status, len, rc;
2154 uschar *working_directory;
2155 address_item *addr2;
2156 transport_instance *tp = addr->transport;
2158 /* Set up the return path from the errors or sender address. If the transport
2159 has its own return path setting, expand it and replace the existing value. */
2161 if(addr->prop.errors_address)
2162 return_path = addr->prop.errors_address;
2163 #ifdef EXPERIMENTAL_SRS_ALT
2164 else if (addr->prop.srs_sender)
2165 return_path = addr->prop.srs_sender;
2168 return_path = sender_address;
2170 if (tp->return_path)
2172 uschar * new_return_path = expand_string(tp->return_path);
2173 if (new_return_path)
2174 return_path = new_return_path;
2175 else if (!f.expand_string_forcedfail)
2177 common_error(TRUE, addr, ERRNO_EXPANDFAIL,
2178 US"Failed to expand return path \"%s\" in %s transport: %s",
2179 tp->return_path, tp->name, expand_string_message);
2184 /* For local deliveries, one at a time, the value used for logging can just be
2185 set directly, once and for all. */
2187 used_return_path = return_path;
2189 /* Sort out the uid, gid, and initgroups flag. If an error occurs, the message
2190 gets put into the address(es), and the expansions are unset, so we can just
2193 if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) return;
2195 /* See if either the transport or the address specifies a home directory. A
2196 home directory set in the address may already be expanded; a flag is set to
2197 indicate that. In other cases we must expand it. */
2199 if ( (deliver_home = tp->home_dir) /* Set in transport, or */
2200 || ( (deliver_home = addr->home_dir) /* Set in address and */
2201 && !testflag(addr, af_home_expanded) /* not expanded */
2204 uschar *rawhome = deliver_home;
2205 deliver_home = NULL; /* in case it contains $home */
2206 if (!(deliver_home = expand_string(rawhome)))
2208 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"home directory \"%s\" failed "
2209 "to expand for %s transport: %s", rawhome, tp->name,
2210 expand_string_message);
2213 if (*deliver_home != '/')
2215 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"home directory path \"%s\" "
2216 "is not absolute for %s transport", deliver_home, tp->name);
2221 /* See if either the transport or the address specifies a current directory,
2222 and if so, expand it. If nothing is set, use the home directory, unless it is
2223 also unset in which case use "/", which is assumed to be a directory to which
2224 all users have access. It is necessary to be in a visible directory for some
2225 operating systems when running pipes, as some commands (e.g. "rm" under Solaris
2226 2.5) require this. */
2228 working_directory = tp->current_dir ? tp->current_dir : addr->current_dir;
2229 if (working_directory)
2231 uschar *raw = working_directory;
2232 if (!(working_directory = expand_string(raw)))
2234 common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"current directory \"%s\" "
2235 "failed to expand for %s transport: %s", raw, tp->name,
2236 expand_string_message);
2239 if (*working_directory != '/')
2241 common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"current directory path "
2242 "\"%s\" is not absolute for %s transport", working_directory, tp->name);
2246 else working_directory = deliver_home ? deliver_home : US"/";
2248 /* If one of the return_output flags is set on the transport, create and open a
2249 file in the message log directory for the transport to write its output onto.
2250 This is mainly used by pipe transports. The file needs to be unique to the
2251 address. This feature is not available for shadow transports. */
2254 && ( tp->return_output || tp->return_fail_output
2255 || tp->log_output || tp->log_fail_output || tp->log_defer_output
2260 addr->return_filename =
2261 spool_fname(US"msglog", message_subdir, message_id,
2262 string_sprintf("-%d-%d", getpid(), return_count++));
2264 if ((addr->return_file = open_msglog_file(addr->return_filename, 0400, &error)) < 0)
2266 common_error(TRUE, addr, errno, US"Unable to %s file for %s transport "
2267 "to return message: %s", error, tp->name, strerror(errno));
2272 /* Create the pipe for inter-process communication. */
2276 common_error(TRUE, addr, ERRNO_PIPEFAIL, US"Creation of pipe failed: %s",
2281 /* Now fork the process to do the real work in the subprocess, but first
2282 ensure that all cached resources are freed so that the subprocess starts with
2283 a clean slate and doesn't interfere with the parent process. */
2287 if ((pid = exim_fork(US"delivery-local")) == 0)
2289 BOOL replicate = TRUE;
2291 /* Prevent core dumps, as we don't want them in users' home directories.
2292 HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that
2293 system. Some experimental/developing systems (e.g. GNU/Hurd) may define
2294 RLIMIT_CORE but not support it in setrlimit(). For such systems, do not
2295 complain if the error is "not supported".
2297 There are two scenarios where changing the max limit has an effect. In one,
2298 the user is using a .forward and invoking a command of their choice via pipe;
2299 for these, we do need the max limit to be 0 unless the admin chooses to
2300 permit an increased limit. In the other, the command is invoked directly by
2301 the transport and is under administrator control, thus being able to raise
2302 the limit aids in debugging. So there's no general always-right answer.
2304 Thus we inhibit core-dumps completely but let individual transports, while
2305 still root, re-raise the limits back up to aid debugging. We make the
2306 default be no core-dumps -- few enough people can use core dumps in
2307 diagnosis that it's reasonable to make them something that has to be explicitly requested.
2314 if (setrlimit(RLIMIT_CORE, &rl) < 0)
2316 # ifdef SETRLIMIT_NOT_SUPPORTED
2317 if (errno != ENOSYS && errno != ENOTSUP)
2319 log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_CORE) failed: %s",
2324 /* Reset the random number generator, so different processes don't all
2325 have the same sequence. */
2329 /* If the transport has a setup entry, call this first, while still
2330 privileged. (Appendfile uses this to expand quota, for example, while
2331 able to read private files.) */
2333 if (addr->transport->setup)
2334 switch((addr->transport->setup)(addr->transport, addr, NULL, uid, gid,
2338 addr->transport_return = DEFER;
2342 addr->transport_return = PANIC;
2346 /* Ignore SIGINT and SIGTERM during delivery. Also ignore SIGUSR1, as
2347 when the process becomes unprivileged, it won't be able to write to the
2348 process log. SIGHUP is ignored throughout exim, except when it is being
2351 signal(SIGINT, SIG_IGN);
2352 signal(SIGTERM, SIG_IGN);
2353 signal(SIGUSR1, SIG_IGN);
2355 /* Close the unwanted half of the pipe, and set close-on-exec for the other
2356 half - for transports that exec things (e.g. pipe). Then set the required
2359 (void)close(pfd[pipe_read]);
2360 (void)fcntl(pfd[pipe_write], F_SETFD, fcntl(pfd[pipe_write], F_GETFD) |
2362 exim_setugid(uid, gid, use_initgroups,
2363 string_sprintf("local delivery to %s <%s> transport=%s", addr->local_part,
2364 addr->address, addr->transport->name));
2368 debug_printf(" home=%s current=%s\n", deliver_home, working_directory);
2369 for (address_item * batched = addr->next; batched; batched = batched->next)
2370 debug_printf("additional batched address: %s\n", batched->address);
2373 /* Set an appropriate working directory. */
2375 if (Uchdir(working_directory) < 0)
2377 addr->transport_return = DEFER;
2378 addr->basic_errno = errno;
2379 addr->message = string_sprintf("failed to chdir to %s", working_directory);
2382 /* If successful, call the transport */
2387 set_process_info("delivering %s to %s using %s", message_id,
2388 addr->local_part, addr->transport->name);
2390 /* Setting this global in the subprocess means we need never clear it */
2391 transport_name = addr->transport->name;
2393 /* If a transport filter has been specified, set up its argument list.
2394 Any errors will get put into the address, and FALSE yielded. */
2396 if (addr->transport->filter_command)
2398 ok = transport_set_up_command(&transport_filter_argv,
2399 addr->transport->filter_command,
2400 TRUE, PANIC, addr, US"transport filter", NULL);
2401 transport_filter_timeout = addr->transport->filter_timeout;
2403 else transport_filter_argv = NULL;
2407 debug_print_string(addr->transport->debug_string);
2408 replicate = !(addr->transport->info->code)(addr->transport, addr);
2412 /* Pass the results back down the pipe. If necessary, first replicate the
2413 status in the top address to the others in the batch. The label is the
2414 subject of a goto when a call to the transport's setup function fails. We
2415 pass the pointer to the transport back in case it got changed as a result of
2416 file_format in appendfile. */
2420 if (replicate) replicate_status(addr);
2421 for (addr2 = addr; addr2; addr2 = addr2->next)
2424 int local_part_length = Ustrlen(addr2->local_part);
2428 if( (i = addr2->transport_return, (ret = write(pfd[pipe_write], &i, sizeof(int))) != sizeof(int))
2429 || (ret = write(pfd[pipe_write], &transport_count, sizeof(transport_count))) != sizeof(transport_count)
2430 || (ret = write(pfd[pipe_write], &addr2->flags, sizeof(addr2->flags))) != sizeof(addr2->flags)
2431 || (ret = write(pfd[pipe_write], &addr2->basic_errno, sizeof(int))) != sizeof(int)
2432 || (ret = write(pfd[pipe_write], &addr2->more_errno, sizeof(int))) != sizeof(int)
2433 || (ret = write(pfd[pipe_write], &addr2->delivery_time, sizeof(struct timeval))) != sizeof(struct timeval)
2434 || (i = addr2->special_action, (ret = write(pfd[pipe_write], &i, sizeof(int))) != sizeof(int))
2435 || (ret = write(pfd[pipe_write], &addr2->transport,
2436 sizeof(transport_instance *))) != sizeof(transport_instance *)
2438 /* For a file delivery, pass back the local part, in case the original
2439 was only part of the final delivery path. This gives more complete
2442 || (testflag(addr2, af_file)
2443 && ( (ret = write(pfd[pipe_write], &local_part_length, sizeof(int))) != sizeof(int)
2444 || (ret = write(pfd[pipe_write], addr2->local_part, local_part_length)) != local_part_length
2448 log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
2449 ret == -1 ? strerror(errno) : "short write");
2451 /* Now any messages */
2453 for (i = 0, s = addr2->message; i < 2; i++, s = addr2->user_message)
2455 int message_length = s ? Ustrlen(s) + 1 : 0;
2456 if( (ret = write(pfd[pipe_write], &message_length, sizeof(int))) != sizeof(int)
2457 || message_length > 0 && (ret = write(pfd[pipe_write], s, message_length)) != message_length
2459 log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
2460 ret == -1 ? strerror(errno) : "short write");
2464 /* OK, this process is now done. Free any cached resources that it opened,
2465 and close the pipe we were writing down before exiting. */
2467 (void)close(pfd[pipe_write]);
2472 /* Back in the main process: panic if the fork did not succeed. This seems
2473 better than returning an error - if forking is failing it is probably best
2474 not to try other deliveries for this message. */
2477 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Fork failed for local delivery to %s",
2480 /* Read the pipe to get the delivery status codes and error messages. Our copy
2481 of the writing end must be closed first, as otherwise read() won't return zero
2482 on an empty pipe. We check that a status exists for each address before
2483 overwriting the address structure. If data is missing, the default DEFER status
2484 will remain. Afterwards, close the reading end. */
2486 (void)close(pfd[pipe_write]);
2488 for (addr2 = addr; addr2; addr2 = addr2->next)
2490 if ((len = read(pfd[pipe_read], &status, sizeof(int))) > 0)
2495 addr2->transport_return = status;
2496 len = read(pfd[pipe_read], &transport_count,
2497 sizeof(transport_count));
2498 len = read(pfd[pipe_read], &addr2->flags, sizeof(addr2->flags));
2499 len = read(pfd[pipe_read], &addr2->basic_errno, sizeof(int));
2500 len = read(pfd[pipe_read], &addr2->more_errno, sizeof(int));
2501 len = read(pfd[pipe_read], &addr2->delivery_time, sizeof(struct timeval));
2502 len = read(pfd[pipe_read], &i, sizeof(int)); addr2->special_action = i;
2503 len = read(pfd[pipe_read], &addr2->transport,
2504 sizeof(transport_instance *));
2506 if (testflag(addr2, af_file))
2509 if ( read(pfd[pipe_read], &llen, sizeof(int)) != sizeof(int)
2510 || llen > 64*4 /* limit from rfc 5821, times I18N factor */
2513 log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part length read"
2514 " from delivery subprocess");
2517 /* sanity-checked llen so disable the Coverity error */
2518 /* coverity[tainted_data] */
2519 if (read(pfd[pipe_read], big_buffer, llen) != llen)
2521 log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part read"
2522 " from delivery subprocess");
2525 big_buffer[llen] = 0;
2526 addr2->local_part = string_copy(big_buffer);
2529 for (i = 0, sptr = &addr2->message; i < 2; i++, sptr = &addr2->user_message)
2532 len = read(pfd[pipe_read], &message_length, sizeof(int));
2533 if (message_length > 0)
2535 len = read(pfd[pipe_read], big_buffer, message_length);
2536 big_buffer[big_buffer_size-1] = '\0'; /* guard byte */
2537 if (len > 0) *sptr = string_copy(big_buffer);
2544 log_write(0, LOG_MAIN|LOG_PANIC, "failed to read delivery status for %s "
2545 "from delivery subprocess", addr2->unique);
2550 (void)close(pfd[pipe_read]);
2552 /* Unless shadowing, write all successful addresses immediately to the journal
2553 file, to ensure they are recorded asap. For homonymic addresses, use the base
2554 address plus the transport name. Failure to write the journal is panic-worthy,
2555 but don't stop, as it may prove possible subsequently to update the spool file
2556 in order to record the delivery. */
2560 for (addr2 = addr; addr2; addr2 = addr2->next)
2561 if (addr2->transport_return == OK)
2563 if (testflag(addr2, af_homonym))
2564 sprintf(CS big_buffer, "%.500s/%s\n", addr2->unique + 3, tp->name);
2566 sprintf(CS big_buffer, "%.500s\n", addr2->unique);
2568 /* In the test harness, wait just a bit to let the subprocess finish off
2569 any debug output etc first. */
2571 testharness_pause_ms(300);
2573 DEBUG(D_deliver) debug_printf("journalling %s", big_buffer);
2574 len = Ustrlen(big_buffer);
2575 if (write(journal_fd, big_buffer, len) != len)
2576 log_write(0, LOG_MAIN|LOG_PANIC, "failed to update journal for %s: %s",
2577 big_buffer, strerror(errno));
2580 /* Ensure the journal file is pushed out to disk. */
2582 if (EXIMfsync(journal_fd) < 0)
2583 log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s",
2587 /* Wait for the process to finish. If it terminates with a non-zero code,
2588 freeze the message (except for SIGTERM, SIGKILL and SIGQUIT), but leave the
2589 status values of all the addresses as they are. Take care to handle the case
2590 when the subprocess doesn't seem to exist. This has been seen on one system
2591 when Exim was called from an MUA that set SIGCHLD to SIG_IGN. When that
2592 happens, wait() doesn't recognize the termination of child processes. Exim now
2593 resets SIGCHLD to SIG_DFL, but this code should still be robust. */
2595 while ((rc = wait(&status)) != pid)
2596 if (rc < 0 && errno == ECHILD) /* Process has vanished */
2598 log_write(0, LOG_MAIN, "%s transport process vanished unexpectedly",
2599 addr->transport->driver_name);
2604 if ((status & 0xffff) != 0)
2606 int msb = (status >> 8) & 255;
2607 int lsb = status & 255;
2608 int code = (msb == 0)? (lsb & 0x7f) : msb;
2609 if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
2610 addr->special_action = SPECIAL_FREEZE;
2611 log_write(0, LOG_MAIN|LOG_PANIC, "%s transport process returned non-zero "
2612 "status 0x%04x: %s %d",
2613 addr->transport->driver_name,
2615 msb == 0 ? "terminated by signal" : "exit code",
2619 /* If SPECIAL_WARN is set in the top address, send a warning message. */
2621 if (addr->special_action == SPECIAL_WARN && addr->transport->warn_message)
2624 uschar *warn_message;
2627 DEBUG(D_deliver) debug_printf("Warning message requested by transport\n");
2629 if (!(warn_message = expand_string(addr->transport->warn_message)))
2630 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand \"%s\" (warning "
2631 "message for %s transport): %s", addr->transport->warn_message,
2632 addr->transport->name, expand_string_message);
2634 else if ((pid = child_open_exim(&fd, US"tpt-warning-message")) > 0)
2636 FILE *f = fdopen(fd, "wb");
2637 if (errors_reply_to && !contains_header(US"Reply-To", warn_message))
2638 fprintf(f, "Reply-To: %s\n", errors_reply_to);
2639 fprintf(f, "Auto-Submitted: auto-replied\n");
2640 if (!contains_header(US"From", warn_message))
2642 fprintf(f, "%s", CS warn_message);
2644 /* Close and wait for child process to complete, without a timeout. */
2647 (void)child_close(pid, 0);
2650 addr->special_action = SPECIAL_NONE;
2657 /* Check transport for the given concurrency limit. Return TRUE if over
2658 the limit (or an expansion failure), else FALSE and if there was a limit,
2659 the key for the hints database used for the concurrency count. */
2662 tpt_parallel_check(transport_instance * tp, address_item * addr, uschar ** key)
2664 unsigned max_parallel;
2666 if (!tp->max_parallel) return FALSE;
2668 max_parallel = (unsigned) expand_string_integer(tp->max_parallel, TRUE);
2669 if (expand_string_message)
2671 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand max_parallel option "
2672 "in %s transport (%s): %s", tp->name, addr->address,
2673 expand_string_message);
2677 if (max_parallel > 0)
2679 uschar * serialize_key = string_sprintf("tpt-serialize-%s", tp->name);
2680 if (!enq_start(serialize_key, max_parallel))
2682 address_item * next;
2684 debug_printf("skipping tpt %s because concurrency limit %u reached\n",
2685 tp->name, max_parallel);
2689 addr->message = US"concurrency limit reached for transport";
2690 addr->basic_errno = ERRNO_TRETRY;
2691 post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
2692 } while ((addr = next));
2695 *key = serialize_key;
2702 /*************************************************
2703 * Do local deliveries *
2704 *************************************************/
2706 /* This function processes the list of addresses in addr_local. True local
2707 deliveries are always done one address at a time. However, local deliveries can
2708 be batched up in some cases. Typically this is when writing batched SMTP output
2709 files for use by some external transport mechanism, or when running local
2710 deliveries over LMTP.
2717 do_local_deliveries(void)
2720 open_db *dbm_file = NULL;
2721 time_t now = time(NULL);
2723 /* Loop until we have exhausted the supply of local deliveries */
2727 struct timeval delivery_start;
2728 struct timeval deliver_time;
2729 address_item *addr2, *addr3, *nextaddr;
2730 int logflags = LOG_MAIN;
2731 int logchar = f.dont_deliver? '*' : '=';
2732 transport_instance *tp;
2733 uschar * serialize_key = NULL;
2735 /* Pick the first undelivered address off the chain */
2737 address_item *addr = addr_local;
2738 addr_local = addr->next;
2741 DEBUG(D_deliver|D_transport)
2742 debug_printf("--------> %s <--------\n", addr->address);
2744 /* An internal disaster if there is no transport. Should not occur! */
2746 if (!(tp = addr->transport))
2748 logflags |= LOG_PANIC;
2749 f.disable_logging = FALSE; /* Jic */
2750 addr->message = addr->router
2751 ? string_sprintf("No transport set by %s router", addr->router->name)
2752 : US"No transport set by system filter";
2753 post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
2757 /* Check that this base address hasn't previously been delivered to this
2758 transport. The check is necessary at this point to handle homonymic addresses
2759 correctly in cases where the pattern of redirection changes between delivery
2760 attempts. Non-homonymic previous delivery is detected earlier, at routing
2763 if (previously_transported(addr, FALSE)) continue;
2765 /* There are weird cases where logging is disabled */
2767 f.disable_logging = tp->disable_logging;
2769 /* Check for batched addresses and possible amalgamation. Skip all the work
2770 if either batch_max <= 1 or there aren't any other addresses for local
2773 if (tp->batch_max > 1 && addr_local)
2775 int batch_count = 1;
2776 BOOL uses_dom = readconf_depends((driver_instance *)tp, US"domain");
2777 BOOL uses_lp = ( testflag(addr, af_pfr)
2778 && (testflag(addr, af_file) || addr->local_part[0] == '|')
2780 || readconf_depends((driver_instance *)tp, US"local_part");
2781 uschar *batch_id = NULL;
2782 address_item **anchor = &addr_local;
2783 address_item *last = addr;
2786 /* Expand the batch_id string for comparison with other addresses.
2787 Expansion failure suppresses batching. */
2791 deliver_set_expansions(addr);
2792 batch_id = expand_string(tp->batch_id);
2793 deliver_set_expansions(NULL);
2796 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2797 "in %s transport (%s): %s", tp->name, addr->address,
2798 expand_string_message);
2799 batch_count = tp->batch_max;
2803 /* Until we reach the batch_max limit, pick off addresses which have the
2804 same characteristics. These are:
2807 not previously delivered (see comment about 50 lines above)
2808 same local part if the transport's configuration contains $local_part
2809 or if this is a file or pipe delivery from a redirection
2810 same domain if the transport's configuration contains $domain
2812 same additional headers
2813 same headers to be removed
2814 same uid/gid for running the transport
2815 same first host if a host list is set
2818 while ((next = *anchor) && batch_count < tp->batch_max)
2821 tp == next->transport
2822 && !previously_transported(next, TRUE)
2823 && testflag(addr, af_pfr) == testflag(next, af_pfr)
2824 && testflag(addr, af_file) == testflag(next, af_file)
2825 && (!uses_lp || Ustrcmp(next->local_part, addr->local_part) == 0)
2826 && (!uses_dom || Ustrcmp(next->domain, addr->domain) == 0)
2827 && same_strings(next->prop.errors_address, addr->prop.errors_address)
2828 && same_headers(next->prop.extra_headers, addr->prop.extra_headers)
2829 && same_strings(next->prop.remove_headers, addr->prop.remove_headers)
2830 && same_ugid(tp, addr, next)
2831 && ( !addr->host_list && !next->host_list
2834 && Ustrcmp(addr->host_list->name, next->host_list->name) == 0
2837 /* If the transport has a batch_id setting, batch_id will be non-NULL
2838 from the expansion outside the loop. Expand for this address and compare.
2839 Expansion failure makes this address ineligible for batching. */
2844 address_item *save_nextnext = next->next;
2845 next->next = NULL; /* Expansion for a single address */
2846 deliver_set_expansions(next);
2847 next->next = save_nextnext;
2848 bid = expand_string(tp->batch_id);
2849 deliver_set_expansions(NULL);
2852 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
2853 "in %s transport (%s): %s", tp->name, next->address,
2854 expand_string_message);
2857 else ok = (Ustrcmp(batch_id, bid) == 0);
2860 /* Take address into batch if OK. */
2864 *anchor = next->next; /* Include the address */
2870 else anchor = &next->next; /* Skip the address */
2874 /* We now have one or more addresses that can be delivered in a batch. Check
2875 whether the transport is prepared to accept a message of this size. If not,
2876 fail them all forthwith. If the expansion fails, or does not yield an
2877 integer, defer delivery. */
2879 if (tp->message_size_limit)
2881 int rc = check_message_size(tp, addr);
2884 replicate_status(addr);
2888 post_process_one(addr, rc, logflags, EXIM_DTYPE_TRANSPORT, 0);
2891 continue; /* With next batch of addresses */
2895 /* If we are not running the queue, or if forcing, all deliveries will be
2896 attempted. Otherwise, we must respect the retry times for each address. Even
2897 when not doing this, we need to set up the retry key string, and determine
2898 whether a retry record exists, because after a successful delivery, a delete
2899 retry item must be set up. Keep the retry database open only for the duration
2900 of these checks, rather than for all local deliveries, because some local
2901 deliveries (e.g. to pipes) can take a substantial time. */
2903 if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE)))
2904 DEBUG(D_deliver|D_retry|D_hints_lookup)
2905 debug_printf("no retry data available\n");
2911 BOOL ok = TRUE; /* to deliver this address */
2914 /* Set up the retry key to include the domain or not, and change its
2915 leading character from "R" to "T". Must make a copy before doing this,
2916 because the old key may be pointed to from a "delete" retry item after
2919 retry_key = string_copy(
2920 tp->retry_use_local_part ? addr2->address_retry_key :
2921 addr2->domain_retry_key);
2924 /* Inspect the retry data. If there is no hints file, delivery happens. */
2928 dbdata_retry *retry_record = dbfn_read(dbm_file, retry_key);
2930 /* If there is no retry record, delivery happens. If there is,
2931 remember it exists so it can be deleted after a successful delivery. */
2935 setflag(addr2, af_lt_retry_exists);
2937 /* A retry record exists for this address. If queue running and not
2938 forcing, inspect its contents. If the record is too old, or if its
2939 retry time has come, or if it has passed its cutoff time, delivery
2944 debug_printf("retry record exists: age=%s ",
2945 readconf_printtime(now - retry_record->time_stamp));
2946 debug_printf("(max %s)\n", readconf_printtime(retry_data_expire));
2947 debug_printf(" time to retry = %s expired = %d\n",
2948 readconf_printtime(retry_record->next_try - now),
2949 retry_record->expired);
2952 if (f.queue_running && !f.deliver_force)
2954 ok = (now - retry_record->time_stamp > retry_data_expire)
2955 || (now >= retry_record->next_try)
2956 || retry_record->expired;
2958 /* If we haven't reached the retry time, there is one more check
2959 to do, which is for the ultimate address timeout. */
2962 ok = retry_ultimate_address_timeout(retry_key, addr2->domain,
2966 else DEBUG(D_retry) debug_printf("no retry record exists\n");
2969 /* This address is to be delivered. Leave it on the chain. */
2974 addr2 = addr2->next;
2977 /* This address is to be deferred. Take it out of the chain, and
2978 post-process it as complete. Must take it out of the chain first,
2979 because post processing puts it on another chain. */
2983 address_item *this = addr2;
2984 this->message = US"Retry time not yet reached";
2985 this->basic_errno = ERRNO_LRETRY;
2986 addr2 = addr3 ? (addr3->next = addr2->next)
2987 : (addr = addr2->next);
2988 post_process_one(this, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
2992 if (dbm_file) dbfn_close(dbm_file);
2994 /* If there are no addresses left on the chain, they all deferred. Loop
2995 for the next set of addresses. */
2997 if (!addr) continue;
2999 /* If the transport is limited for parallellism, enforce that here.
3000 We use a hints DB entry, incremented here and decremented after
3001 the transport (and any shadow transport) completes. */
3003 if (tpt_parallel_check(tp, addr, &serialize_key))
3005 if (expand_string_message)
3007 logflags |= LOG_PANIC;
3011 post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
3012 } while ((addr = addr2));
3014 continue; /* Loop for the next set of addresses. */
3018 /* So, finally, we do have some addresses that can be passed to the
3019 transport. Before doing so, set up variables that are relevant to a
3022 deliver_set_expansions(addr);
3024 gettimeofday(&delivery_start, NULL);
3025 deliver_local(addr, FALSE);
3026 timesince(&deliver_time, &delivery_start);
3028 /* If a shadow transport (which must perforce be another local transport), is
3029 defined, and its condition is met, we must pass the message to the shadow
3030 too, but only those addresses that succeeded. We do this by making a new
3031 chain of addresses - also to keep the original chain uncontaminated. We must
3032 use a chain rather than doing it one by one, because the shadow transport may
3035 NOTE: if the condition fails because of a lookup defer, there is nothing we
3039 && ( !tp->shadow_condition
3040 || expand_check_condition(tp->shadow_condition, tp->name, US"transport")
3043 transport_instance *stp;
3044 address_item *shadow_addr = NULL;
3045 address_item **last = &shadow_addr;
3047 for (stp = transports; stp; stp = stp->next)
3048 if (Ustrcmp(stp->name, tp->shadow) == 0) break;
3051 log_write(0, LOG_MAIN|LOG_PANIC, "shadow transport \"%s\" not found ",
3054 /* Pick off the addresses that have succeeded, and make clones. Put into
3055 the shadow_message field a pointer to the shadow_message field of the real
3058 else for (addr2 = addr; addr2; addr2 = addr2->next)
3059 if (addr2->transport_return == OK)
3061 addr3 = store_get(sizeof(address_item), FALSE);
3064 addr3->shadow_message = US &addr2->shadow_message;
3065 addr3->transport = stp;
3066 addr3->transport_return = DEFER;
3067 addr3->return_filename = NULL;
3068 addr3->return_file = -1;
3070 last = &addr3->next;
3073 /* If we found any addresses to shadow, run the delivery, and stick any
3074 message back into the shadow_message field in the original. */
3078 int save_count = transport_count;
3080 DEBUG(D_deliver|D_transport)
3081 debug_printf(">>>>>>>>>>>>>>>> Shadow delivery >>>>>>>>>>>>>>>>\n");
3082 deliver_local(shadow_addr, TRUE);
3084 for(; shadow_addr; shadow_addr = shadow_addr->next)
3086 int sresult = shadow_addr->transport_return;
3087 *(uschar **)shadow_addr->shadow_message =
3089 ? string_sprintf(" ST=%s", stp->name)
3090 : string_sprintf(" ST=%s (%s%s%s)", stp->name,
3091 shadow_addr->basic_errno <= 0
3093 : US strerror(shadow_addr->basic_errno),
3094 shadow_addr->basic_errno <= 0 || !shadow_addr->message
3097 shadow_addr->message
3098 ? shadow_addr->message
3099 : shadow_addr->basic_errno <= 0
3103 DEBUG(D_deliver|D_transport)
3104 debug_printf("%s shadow transport returned %s for %s\n",
3105 stp->name, rc_to_string(sresult), shadow_addr->address);
3108 DEBUG(D_deliver|D_transport)
3109 debug_printf(">>>>>>>>>>>>>>>> End shadow delivery >>>>>>>>>>>>>>>>\n");
3111 transport_count = save_count; /* Restore original transport count */
3115 /* Cancel the expansions that were set up for the delivery. */
3117 deliver_set_expansions(NULL);
3119 /* If the transport was parallelism-limited, decrement the hints DB record. */
3121 if (serialize_key) enq_end(serialize_key);
3123 /* Now we can process the results of the real transport. We must take each
3124 address off the chain first, because post_process_one() puts it on another
3127 for (addr2 = addr; addr2; addr2 = nextaddr)
3129 int result = addr2->transport_return;
3130 nextaddr = addr2->next;
3132 DEBUG(D_deliver|D_transport)
3133 debug_printf("%s transport returned %s for %s\n",
3134 tp->name, rc_to_string(result), addr2->address);
3136 /* If there is a retry_record, or if delivery is deferred, build a retry
3137 item for setting a new retry time or deleting the old retry record from
3138 the database. These items are handled all together after all addresses
3139 have been handled (so the database is open just for a short time for
3142 if (result == DEFER || testflag(addr2, af_lt_retry_exists))
3144 int flags = result == DEFER ? 0 : rf_delete;
3145 uschar *retry_key = string_copy(tp->retry_use_local_part
3146 ? addr2->address_retry_key : addr2->domain_retry_key);
3148 retry_add_item(addr2, retry_key, flags);
3151 /* Done with this address */
3153 addr2->delivery_time = deliver_time;
3154 post_process_one(addr2, result, logflags, EXIM_DTYPE_TRANSPORT, logchar);
3156 /* If a pipe delivery generated text to be sent back, the result may be
3157 changed to FAIL, and we must copy this for subsequent addresses in the
3160 if (addr2->transport_return != result)
3162 for (addr3 = nextaddr; addr3; addr3 = addr3->next)
3164 addr3->transport_return = addr2->transport_return;
3165 addr3->basic_errno = addr2->basic_errno;
3166 addr3->message = addr2->message;
3168 result = addr2->transport_return;
3171 /* Whether or not the result was changed to FAIL, we need to copy the
3172 return_file value from the first address into all the addresses of the
3173 batch, so they are all listed in the error message. */
3175 addr2->return_file = addr->return_file;
3177 /* Change log character for recording successful deliveries. */
3179 if (result == OK) logchar = '-';
3181 } /* Loop back for next batch of addresses */
3187 /*************************************************
3188 * Sort remote deliveries *
3189 *************************************************/
3191 /* This function is called if remote_sort_domains is set. It arranges that the
3192 chain of addresses for remote deliveries is ordered according to the strings
3193 specified. Try to make this shuffling reasonably efficient by handling
3194 sequences of addresses rather than just single ones.
3201 sort_remote_deliveries(void)
3204 address_item **aptr = &addr_remote;
3205 const uschar *listptr = remote_sort_domains;
3209 /*XXX The list is used before expansion. Not sure how that ties up with the docs */
3211 && (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf)))
3214 address_item *moved = NULL;
3215 address_item **bptr = &moved;
3219 address_item **next;
3220 deliver_domain = (*aptr)->domain; /* set $domain */
3221 if (match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
3222 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
3224 aptr = &(*aptr)->next;
3228 next = &(*aptr)->next;
3230 && (deliver_domain = (*next)->domain, /* Set $domain */
3231 match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
3232 &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) != OK
3234 next = &(*next)->next;
3236 /* If the batch of non-matchers is at the end, add on any that were
3237 extracted further up the chain, and end this iteration. Otherwise,
3238 extract them from the chain and hang on the moved chain. */
3250 aptr = &(*aptr)->next;
3253 /* If the loop ended because the final address matched, *aptr will
3254 be NULL. Add on to the end any extracted non-matching addresses. If
3255 *aptr is not NULL, the loop ended via "break" when *next is null, that
3256 is, there was a string of non-matching addresses at the end. In this
3257 case the extracted addresses have already been added on the end. */
3259 if (!*aptr) *aptr = moved;
3264 debug_printf("remote addresses after sorting:\n");
3265 for (address_item * addr = addr_remote; addr; addr = addr->next)
3266 debug_printf(" %s\n", addr->address);
3272 /*************************************************
3273 * Read from pipe for remote delivery subprocess *
3274 *************************************************/
3276 /* This function is called when the subprocess is complete, but can also be
3277 called before it is complete, in order to empty a pipe that is full (to prevent
3278 deadlock). It must therefore keep track of its progress in the parlist data
3281 We read the pipe to get the delivery status codes and a possible error message
3282 for each address, optionally preceded by unusability data for the hosts and
3283 also by optional retry data.
3285 Read in large chunks into the big buffer and then scan through, interpreting
3286 the data therein. In most cases, only a single read will be necessary. No
3287 individual item will ever be anywhere near 2500 bytes in length, so by ensuring
3288 that we read the next chunk when there is less than 2500 bytes left in the
3289 non-final chunk, we can assume each item is complete in the buffer before
3290 handling it. Each item is written using a single write(), which is atomic for
3291 small items (less than PIPE_BUF, which seems to be at least 512 in any Unix and
3292 often bigger) so even if we are reading while the subprocess is still going, we
3293 should never have only a partial item in the buffer.
3295 hs12: This assumption is not true anymore, since we get quite large items (certificate
3296 information and such).
3299 poffset the offset of the parlist item
3300 eop TRUE if the process has completed
3302 Returns: TRUE if the terminating 'Z' item has been read,
3303 or there has been a disaster (i.e. no more data needed);
3308 par_read_pipe(int poffset, BOOL eop)
3311 pardata *p = parlist + poffset;
3312 address_item *addrlist = p->addrlist;
3313 address_item *addr = p->addr;
3317 uschar *msg = p->msg;
3318 BOOL done = p->done;
3320 /* Loop through all items, reading from the pipe when necessary. The pipe
3321 used to be non-blocking. But I do not see a reason for using non-blocking I/O
3322 here, as the preceding poll() tells us, if data is available for reading.
3324 A read() on a "selected" handle should never block, but(!) it may return
3325 less data then we expected. (The buffer size we pass to read() shouldn't be
3326 understood as a "request", but as a "limit".)
3328 Each separate item is written to the pipe in a timely manner. But, especially for
3329 larger items, the read(2) may already return partial data from the write(2).
3331 The write is atomic mostly (depending on the amount written), but atomic does
3332 not imply "all or noting", it just is "not intermixed" with other writes on the
3333 same channel (pipe).
3337 DEBUG(D_deliver) debug_printf("reading pipe for subprocess %d (%s)\n",
3338 (int)p->pid, eop? "ended" : "not ended yet");
3342 retry_item *r, **rp;
3343 uschar pipeheader[PIPE_HEADER_SIZE+1];
3344 uschar *id = &pipeheader[0];
3345 uschar *subid = &pipeheader[1];
3346 uschar *ptr = big_buffer;
3347 size_t required = PIPE_HEADER_SIZE; /* first the pipehaeder, later the data */
3350 DEBUG(D_deliver) debug_printf(
3351 "expect %lu bytes (pipeheader) from tpt process %d\n", (u_long)required, pid);
3353 /* We require(!) all the PIPE_HEADER_SIZE bytes here, as we know,
3354 they're written in a timely manner, so waiting for the write shouldn't hurt a lot.
3355 If we get less, we can assume the subprocess do be done and do not expect any further
3356 information from it. */
3358 if ((got = readn(fd, pipeheader, required)) != required)
3360 msg = string_sprintf("got " SSIZE_T_FMT " of %d bytes (pipeheader) "
3361 "from transport process %d for transport %s",
3362 got, PIPE_HEADER_SIZE, pid, addr->transport->driver_name);
3367 pipeheader[PIPE_HEADER_SIZE] = '\0';
3369 debug_printf("got %ld bytes (pipeheader) from transport process %d\n",
3373 /* If we can't decode the pipeheader, the subprocess seems to have a
3374 problem, we do not expect any furher information from it. */
3376 required = Ustrtol(pipeheader+2, &endc, 10);
3379 msg = string_sprintf("failed to read pipe "
3380 "from transport process %d for transport %s: error decoding size from header",
3381 pid, addr->transport->driver_name);
3388 debug_printf("expect %lu bytes (pipedata) from transport process %d\n",
3389 (u_long)required, pid);
3391 /* Same as above, the transport process will write the bytes announced
3392 in a timely manner, so we can just wait for the bytes, getting less than expected
3393 is considered a problem of the subprocess, we do not expect anything else from it. */
3394 if ((got = readn(fd, big_buffer, required)) != required)
3396 msg = string_sprintf("got only " SSIZE_T_FMT " of " SIZE_T_FMT
3397 " bytes (pipedata) from transport process %d for transport %s",
3398 got, required, pid, addr->transport->driver_name);
3403 /* Handle each possible type of item, assuming the complete item is
3404 available in store. */
3408 /* Host items exist only if any hosts were marked unusable. Match
3409 up by checking the IP address. */
3412 for (h = addrlist->host_list; h; h = h->next)
3414 if (!h->address || Ustrcmp(h->address, ptr+2) != 0) continue;
3422 /* Retry items are sent in a preceding R item for each address. This is
3423 kept separate to keep each message short enough to guarantee it won't
3424 be split in the pipe. Hopefully, in the majority of cases, there won't in
3425 fact be any retry items at all.
3427 The complete set of retry items might include an item to delete a
3428 routing retry if there was a previous routing delay. However, routing
3429 retries are also used when a remote transport identifies an address error.
3430 In that case, there may also be an "add" item for the same key. Arrange
3431 that a "delete" item is dropped in favour of an "add" item. */
3434 if (!addr) goto ADDR_MISMATCH;
3436 DEBUG(D_deliver|D_retry)
3437 debug_printf("reading retry information for %s from subprocess\n",
3440 /* Cut out any "delete" items on the list. */
3442 for (rp = &addr->retries; (r = *rp); rp = &r->next)
3443 if (Ustrcmp(r->key, ptr+1) == 0) /* Found item with same key */
3445 if (!(r->flags & rf_delete)) break; /* It was not "delete" */
3446 *rp = r->next; /* Excise a delete item */
3447 DEBUG(D_deliver|D_retry)
3448 debug_printf(" existing delete item dropped\n");
3451 /* We want to add a delete item only if there is no non-delete item;
3452 however we still have to step ptr through the data. */
3454 if (!r || !(*ptr & rf_delete))
3456 r = store_get(sizeof(retry_item), FALSE);
3457 r->next = addr->retries;
3460 r->key = string_copy(ptr);
3462 memcpy(&r->basic_errno, ptr, sizeof(r->basic_errno));
3463 ptr += sizeof(r->basic_errno);
3464 memcpy(&r->more_errno, ptr, sizeof(r->more_errno));
3465 ptr += sizeof(r->more_errno);
3466 r->message = *ptr ? string_copy(ptr) : NULL;
3467 DEBUG(D_deliver|D_retry) debug_printf(" added %s item\n",
3468 r->flags & rf_delete ? "delete" : "retry");
3473 DEBUG(D_deliver|D_retry)
3474 debug_printf(" delete item not added: non-delete item exists\n");
3477 ptr += sizeof(r->basic_errno) + sizeof(r->more_errno);
3483 /* Put the amount of data written into the parlist block */
3486 memcpy(&(p->transport_count), ptr, sizeof(transport_count));
3487 ptr += sizeof(transport_count);
3490 /* Address items are in the order of items on the address chain. We
3491 remember the current address value in case this function is called
3492 several times to empty the pipe in stages. Information about delivery
3493 over TLS is sent in a preceding X item for each address. We don't put
3494 it in with the other info, in order to keep each message short enough to
3495 guarantee it won't be split in the pipe. */
3499 if (!addr) goto ADDR_MISMATCH; /* Below, in 'A' handler */
3503 addr->tlsver = addr->cipher = addr->peerdn = NULL;
3507 addr->cipher = string_copy(ptr);
3508 addr->tlsver = string_copyn(ptr, Ustrchr(ptr, ':') - ptr);
3512 addr->peerdn = string_copy(ptr);
3517 (void) tls_import_cert(ptr, &addr->peercert);
3519 addr->peercert = NULL;
3524 (void) tls_import_cert(ptr, &addr->ourcert);
3526 addr->ourcert = NULL;
3529 # ifndef DISABLE_OCSP
3531 addr->ocsp = *ptr ? *ptr - '0' : OCSP_NOT_REQ;
3537 #endif /*DISABLE_TLS*/
3539 case 'C': /* client authenticator information */
3542 case '1': addr->authenticator = *ptr ? string_copy(ptr) : NULL; break;
3543 case '2': addr->auth_id = *ptr ? string_copy(ptr) : NULL; break;
3544 case '3': addr->auth_sndr = *ptr ? string_copy(ptr) : NULL; break;
3549 #ifndef DISABLE_PRDR
3551 setflag(addr, af_prdr_used);
3558 #ifndef DISABLE_PIPE_CONNECT
3559 case 2: setflag(addr, af_early_pipe); /*FALLTHROUGH*/
3561 case 1: setflag(addr, af_pipelining); break;
3566 setflag(addr, af_chunking_used);
3570 setflag(addr, af_tcp_fastopen_conn);
3571 if (*subid > '0') setflag(addr, af_tcp_fastopen);
3572 if (*subid > '1') setflag(addr, af_tcp_fastopen_data);
3576 if (!addr) goto ADDR_MISMATCH;
3577 memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware));
3578 ptr += sizeof(addr->dsn_aware);
3579 DEBUG(D_deliver) debug_printf("DSN read: addr->dsn_aware = %d\n", addr->dsn_aware);
3586 msg = string_sprintf("address count mismatch for data read from pipe "
3587 "for transport process %d for transport %s", pid,
3588 addrlist->transport->driver_name);
3595 case 3: /* explicit notification of continued-connection (non)use;
3596 overrides caller's knowlege. */
3597 if (*ptr & BIT(1)) setflag(addr, af_new_conn);
3598 else if (*ptr & BIT(2)) setflag(addr, af_cont_conn);
3601 #ifdef SUPPORT_SOCKS
3602 case '2': /* proxy information; must arrive before A0 and applies to that addr XXX oops*/
3603 proxy_session = TRUE; /*XXX should this be cleared somewhere? */
3608 proxy_local_address = string_copy(ptr);
3610 memcpy(&proxy_local_port, ptr, sizeof(proxy_local_port));
3611 ptr += sizeof(proxy_local_port);
3616 #ifdef EXPERIMENTAL_DSN_INFO
3617 case '1': /* must arrive before A0, and applies to that addr */
3618 /* Two strings: smtp_greeting and helo_response */
3619 addr->smtp_greeting = string_copy(ptr);
3621 addr->helo_response = string_copy(ptr);
3627 DEBUG(D_deliver) debug_printf("A0 %s tret %d\n", addr->address, *ptr);
3628 addr->transport_return = *ptr++;
3629 addr->special_action = *ptr++;
3630 memcpy(&addr->basic_errno, ptr, sizeof(addr->basic_errno));
3631 ptr += sizeof(addr->basic_errno);
3632 memcpy(&addr->more_errno, ptr, sizeof(addr->more_errno));
3633 ptr += sizeof(addr->more_errno);
3634 memcpy(&addr->delivery_time, ptr, sizeof(addr->delivery_time));
3635 ptr += sizeof(addr->delivery_time);
3636 memcpy(&addr->flags, ptr, sizeof(addr->flags));
3637 ptr += sizeof(addr->flags);
3638 addr->message = *ptr ? string_copy(ptr) : NULL;
3640 addr->user_message = *ptr ? string_copy(ptr) : NULL;
3643 /* Always two strings for host information, followed by the port number and DNSSEC mark */
3647 h = store_get(sizeof(host_item), FALSE);
3648 h->name = string_copy(ptr);
3650 h->address = string_copy(ptr);
3652 memcpy(&h->port, ptr, sizeof(h->port));
3653 ptr += sizeof(h->port);
3654 h->dnssec = *ptr == '2' ? DS_YES
3655 : *ptr == '1' ? DS_NO
3658 addr->host_used = h;
3662 /* Finished with this address */
3669 /* Local interface address/port */
3671 if (*ptr) sending_ip_address = string_copy(ptr);
3673 if (*ptr) sending_port = atoi(CS ptr);
3677 /* Z marks the logical end of the data. It is followed by '0' if
3678 continue_transport was NULL at the end of transporting, otherwise '1'.
3679 We need to know when it becomes NULL during a delivery down a passed SMTP
3680 channel so that we don't try to pass anything more down it. Of course, for
3681 most normal messages it will remain NULL all the time. */
3686 continue_transport = NULL;
3687 continue_hostname = NULL;
3690 DEBUG(D_deliver) debug_printf("Z0%c item read\n", *ptr);
3693 /* Anything else is a disaster. */
3696 msg = string_sprintf("malformed data (%d) read from pipe for transport "
3697 "process %d for transport %s", ptr[-1], pid,
3698 addr->transport->driver_name);
3704 /* The done flag is inspected externally, to determine whether or not to
3705 call the function again when the process finishes. */
3709 /* If the process hadn't finished, and we haven't seen the end of the data
3710 or if we suffered a disaster, update the rest of the state, and return FALSE to
3711 indicate "not finished". */
3720 /* Close our end of the pipe, to prevent deadlock if the far end is still
3721 pushing stuff into it. */
3726 /* If we have finished without error, but haven't had data for every address,
3727 something is wrong. */
3730 msg = string_sprintf("insufficient address data read from pipe "
3731 "for transport process %d for transport %s", pid,
3732 addr->transport->driver_name);
3734 /* If an error message is set, something has gone wrong in getting back
3735 the delivery data. Put the message into each address and freeze it. */
3738 for (addr = addrlist; addr; addr = addr->next)
3740 addr->transport_return = DEFER;
3741 addr->special_action = SPECIAL_FREEZE;
3742 addr->message = msg;
3743 log_write(0, LOG_MAIN|LOG_PANIC, "Delivery status for %s: %s\n", addr->address, addr->message);
3746 /* Return TRUE to indicate we have got all we need from this process, even
3747 if it hasn't actually finished yet. */
3754 /*************************************************
3755 * Post-process a set of remote addresses *
3756 *************************************************/
3758 /* Do what has to be done immediately after a remote delivery for each set of
3759 addresses, then re-write the spool if necessary. Note that post_process_one
3760 puts the address on an appropriate queue; hence we must fish off the next
3761 one first. This function is also called if there is a problem with setting
3762 up a subprocess to do a remote delivery in parallel. In this case, the final
3763 argument contains a message, and the action must be forced to DEFER.
3766 addr pointer to chain of address items
3767 logflags flags for logging
3768 msg NULL for normal cases; -> error message for unexpected problems
3769 fallback TRUE if processing fallback hosts
3775 remote_post_process(address_item *addr, int logflags, uschar *msg,
3778 /* If any host addresses were found to be unusable, add them to the unusable
3779 tree so that subsequent deliveries don't try them. */
3781 for (host_item * h = addr->host_list; h; h = h->next)
3783 if (h->status >= hstatus_unusable) tree_add_unusable(h);
3785 /* Now handle each address on the chain. The transport has placed '=' or '-'
3786 into the special_action field for each successful delivery. */
3790 address_item *next = addr->next;
3792 /* If msg == NULL (normal processing) and the result is DEFER and we are
3793 processing the main hosts and there are fallback hosts available, put the
3794 address on the list for fallback delivery. */
3796 if ( addr->transport_return == DEFER
3797 && addr->fallback_hosts
3802 addr->host_list = addr->fallback_hosts;
3803 addr->next = addr_fallback;
3804 addr_fallback = addr;
3805 DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", addr->address);
3808 /* If msg is set (=> unexpected problem), set it in the address before
3809 doing the ordinary post processing. */
3815 addr->message = msg;
3816 addr->transport_return = DEFER;
3818 (void)post_process_one(addr, addr->transport_return, logflags,
3819 EXIM_DTYPE_TRANSPORT, addr->special_action);
3827 /* If we have just delivered down a passed SMTP channel, and that was
3828 the last address, the channel will have been closed down. Now that
3829 we have logged that delivery, set continue_sequence to 1 so that
3830 any subsequent deliveries don't get "*" incorrectly logged. */
3832 if (!continue_transport) continue_sequence = 1;
3837 /*************************************************
3838 * Wait for one remote delivery subprocess *
3839 *************************************************/
3841 /* This function is called while doing remote deliveries when either the
3842 maximum number of processes exist and we need one to complete so that another
3843 can be created, or when waiting for the last ones to complete. It must wait for
3844 the completion of one subprocess, empty the control block slot, and return a
3845 pointer to the address chain.
3848 Returns: pointer to the chain of addresses handled by the process;
3849 NULL if no subprocess found - this is an unexpected error
3852 static address_item *
3855 int poffset, status;
3856 address_item * addr, * addrlist;
3859 set_process_info("delivering %s: waiting for a remote delivery subprocess "
3860 "to finish", message_id);
3862 /* Loop until either a subprocess completes, or there are no subprocesses in
3863 existence - in which case give an error return. We cannot proceed just by
3864 waiting for a completion, because a subprocess may have filled up its pipe, and
3865 be waiting for it to be emptied. Therefore, if no processes have finished, we
3866 wait for one of the pipes to acquire some data by calling poll(), with a
3867 timeout just in case.
3869 The simple approach is just to iterate after reading data from a ready pipe.
3870 This leads to non-ideal behaviour when the subprocess has written its final Z
3871 item, closed the pipe, and is in the process of exiting (the common case). A
3872 call to waitpid() yields nothing completed, but poll() shows the pipe ready -
3873 reading it yields EOF, so you end up with busy-waiting until the subprocess has
3876 To avoid this, if all the data that is needed has been read from a subprocess
3877 after poll(), an explicit wait() for it is done. We know that all it is doing
3878 is writing to the pipe and then exiting, so the wait should not be long.
3880 The non-blocking waitpid() is to some extent just insurance; if we could
3881 reliably detect end-of-file on the pipe, we could always know when to do a
3882 blocking wait() for a completed process. However, because some systems use
3883 NDELAY, which doesn't distinguish between EOF and pipe empty, it is easier to
3884 use code that functions without the need to recognize EOF.
3886 There's a double loop here just in case we end up with a process that is not in
3887 the list of remote delivery processes. Something has obviously gone wrong if
3888 this is the case. (For example, a process that is incorrectly left over from
3889 routing or local deliveries might be found.) The damage can be minimized by
3890 looping back and looking for another process. If there aren't any, the error
3891 return will happen. */
3893 for (;;) /* Normally we do not repeat this loop */
3895 while ((pid = waitpid(-1, &status, WNOHANG)) <= 0)
3899 /* A return value of -1 can mean several things. If errno != ECHILD, it
3900 either means invalid options (which we discount), or that this process was
3901 interrupted by a signal. Just loop to try the waitpid() again.
3903 If errno == ECHILD, waitpid() is telling us that there are no subprocesses
3904 in existence. This should never happen, and is an unexpected error.
3905 However, there is a nasty complication when running under Linux. If "strace
3906 -f" is being used under Linux to trace this process and its children,
3907 subprocesses are "stolen" from their parents and become the children of the
3908 tracing process. A general wait such as the one we've just obeyed returns
3909 as if there are no children while subprocesses are running. Once a
3910 subprocess completes, it is restored to the parent, and waitpid(-1) finds
3911 it. Thanks to Joachim Wieland for finding all this out and suggesting a
3914 This does not happen using "truss" on Solaris, nor (I think) with other
3915 tracing facilities on other OS. It seems to be specific to Linux.
3917 What we do to get round this is to use kill() to see if any of our
3918 subprocesses are still in existence. If kill() gives an OK return, we know
3919 it must be for one of our processes - it can't be for a re-use of the pid,
3920 because if our process had finished, waitpid() would have found it. If any
3921 of our subprocesses are in existence, we proceed to use poll() as if
3922 waitpid() had returned zero. I think this is safe. */
3926 if (errno != ECHILD) continue; /* Repeats the waitpid() */
3929 debug_printf("waitpid() returned -1/ECHILD: checking explicitly "
3930 "for process existence\n");
3932 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3934 if ((pid = parlist[poffset].pid) != 0 && kill(pid, 0) == 0)
3936 DEBUG(D_deliver) debug_printf("process %d still exists: assume "
3937 "stolen by strace\n", (int)pid);
3938 break; /* With poffset set */
3942 if (poffset >= remote_max_parallel)
3944 DEBUG(D_deliver) debug_printf("*** no delivery children found\n");
3945 return NULL; /* This is the error return */
3949 /* A pid value greater than 0 breaks the "while" loop. A negative value has
3950 been handled above. A return value of zero means that there is at least one
3951 subprocess, but there are no completed subprocesses. See if any pipes are
3952 ready with any data for reading. */
3954 DEBUG(D_deliver) debug_printf("polling subprocess pipes\n");
3956 for (poffset = 0; poffset < remote_max_parallel; poffset++)
3957 if (parlist[poffset].pid != 0)
3959 parpoll[poffset].fd = parlist[poffset].fd;
3960 parpoll[poffset].events = POLLIN;
3963 parpoll[poffset].fd = -1;
3965 /* Stick in a 60-second timeout, just in case. */
3967 readycount = poll(parpoll, remote_max_parallel, 60 * 1000);
3969 /* Scan through the pipes and read any that are ready; use the count
3970 returned by poll() to stop when there are no more. Select() can return
3971 with no processes (e.g. if interrupted). This shouldn't matter.
3973 If par_read_pipe() returns TRUE, it means that either the terminating Z was
3974 read, or there was a disaster. In either case, we are finished with this
3975 process. Do an explicit wait() for the process and break the main loop if
3978 It turns out that we have to deal with the case of an interrupted system
3979 call, which can happen on some operating systems if the signal handling is
3980 set up to do that by default. */
3983 readycount > 0 && poffset < remote_max_parallel;
3986 if ( (pid = parlist[poffset].pid) != 0
3987 && parpoll[poffset].revents
3991 if (par_read_pipe(poffset, FALSE)) /* Finished with this pipe */
3992 for (;;) /* Loop for signals */
3994 pid_t endedpid = waitpid(pid, &status, 0);
3995 if (endedpid == pid) goto PROCESS_DONE;
3996 if (endedpid != (pid_t)(-1) || errno != EINTR)
3997 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Unexpected error return "
3998 "%d (errno = %d) from waitpid() for process %d",
3999 (int)endedpid, errno, (int)pid);
4004 /* Now go back and look for a completed subprocess again. */
4007 /* A completed process was detected by the non-blocking waitpid(). Find the
4008 data block that corresponds to this subprocess. */
4010 for (poffset = 0; poffset < remote_max_parallel; poffset++)
4011 if (pid == parlist[poffset].pid) break;
4013 /* Found the data block; this is a known remote delivery process. We don't
4014 need to repeat the outer loop. This should be what normally happens. */
4016 if (poffset < remote_max_parallel) break;
4018 /* This situation is an error, but it's probably better to carry on looking
4019 for another process than to give up (as we used to do). */
4021 log_write(0, LOG_MAIN|LOG_PANIC, "Process %d finished: not found in remote "
4022 "transport process list", pid);
4023 } /* End of the "for" loop */
4025 /* Come here when all the data was completely read after a poll(), and
4026 the process in pid has been wait()ed for. */
4033 debug_printf("remote delivery process %d ended\n", (int)pid);
4035 debug_printf("remote delivery process %d ended: status=%04x\n", (int)pid,
4039 set_process_info("delivering %s", message_id);
4041 /* Get the chain of processed addresses */
4043 addrlist = parlist[poffset].addrlist;
4045 /* If the process did not finish cleanly, record an error and freeze (except
4046 for SIGTERM, SIGKILL and SIGQUIT), and also ensure the journal is not removed,
4047 in case the delivery did actually happen. */
4049 if ((status & 0xffff) != 0)
4052 int msb = (status >> 8) & 255;
4053 int lsb = status & 255;
4054 int code = (msb == 0)? (lsb & 0x7f) : msb;
4056 msg = string_sprintf("%s transport process returned non-zero status 0x%04x: "
4058 addrlist->transport->driver_name,
4060 msb == 0 ? "terminated by signal" : "exit code",
4063 if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
4064 addrlist->special_action = SPECIAL_FREEZE;
4066 for (addr = addrlist; addr; addr = addr->next)
4068 addr->transport_return = DEFER;
4069 addr->message = msg;
4072 remove_journal = FALSE;
4075 /* Else complete reading the pipe to get the result of the delivery, if all
4076 the data has not yet been obtained. */
4078 else if (!parlist[poffset].done)
4079 (void) par_read_pipe(poffset, TRUE);
4081 /* Put the data count and return path into globals, mark the data slot unused,
4082 decrement the count of subprocesses, and return the address chain. */
4084 transport_count = parlist[poffset].transport_count;
4085 used_return_path = parlist[poffset].return_path;
4086 parlist[poffset].pid = 0;
4093 /*************************************************
4094 * Wait for subprocesses and post-process *
4095 *************************************************/
4097 /* This function waits for subprocesses until the number that are still running
4098 is below a given threshold. For each complete subprocess, the addresses are
4099 post-processed. If we can't find a running process, there is some shambles.
4100 Better not bomb out, as that might lead to multiple copies of the message. Just
4101 log and proceed as if all done.
4104 max maximum number of subprocesses to leave running
4105 fallback TRUE if processing fallback hosts
4111 par_reduce(int max, BOOL fallback)
4113 while (parcount > max)
4115 address_item *doneaddr = par_wait();
4118 log_write(0, LOG_MAIN|LOG_PANIC,
4119 "remote delivery process count got out of step");
4124 transport_instance * tp = doneaddr->transport;
4125 if (tp->max_parallel)
4126 enq_end(string_sprintf("tpt-serialize-%s", tp->name));
4128 remote_post_process(doneaddr, LOG_MAIN, NULL, fallback);
4134 rmt_dlv_checked_write(int fd, char id, char subid, void * buf, ssize_t size)
4136 uschar pipe_header[PIPE_HEADER_SIZE+1];
4137 size_t total_len = PIPE_HEADER_SIZE + size;
4139 struct iovec iov[2] = {
4140 { pipe_header, PIPE_HEADER_SIZE }, /* indication about the data to expect */
4141 { buf, size } /* *the* data */
4146 /* we assume that size can't get larger then BIG_BUFFER_SIZE which currently is set to 16k */
4147 /* complain to log if someone tries with buffer sizes we can't handle*/
4149 if (size > BIG_BUFFER_SIZE-1)
4151 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
4152 "Failed writing transport result to pipe: can't handle buffers > %d bytes. truncating!\n",
4154 size = BIG_BUFFER_SIZE;
4157 /* Should we check that we do not write more than PIPE_BUF? What would
4160 /* convert size to human readable string prepended by id and subid */
4161 if (PIPE_HEADER_SIZE != snprintf(CS pipe_header, PIPE_HEADER_SIZE+1, "%c%c%05ld",
4162 id, subid, (long)size))
4163 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "header snprintf failed\n");
4165 DEBUG(D_deliver) debug_printf("header write id:%c,subid:%c,size:%ld,final:%s\n",
4166 id, subid, (long)size, pipe_header);
4168 if ((ret = writev(fd, iov, 2)) != total_len)
4169 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
4170 "Failed writing transport result to pipe (%ld of %ld bytes): %s",
4171 (long)ret, (long)total_len, ret == -1 ? strerror(errno) : "short write");
4174 /*************************************************
4175 * Do remote deliveries *
4176 *************************************************/
4178 /* This function is called to process the addresses in addr_remote. We must
4179 pick off the queue all addresses that have the same transport, remote
4180 destination, and errors address, and hand them to the transport in one go,
4181 subject to some configured limitations. If this is a run to continue delivering
4182 to an existing delivery channel, skip all but those addresses that can go to
4183 that channel. The skipped addresses just get deferred.
4185 If mua_wrapper is set, all addresses must be able to be sent in a single
4186 transaction. If not, this function yields FALSE.
4188 In Exim 4, remote deliveries are always done in separate processes, even
4189 if remote_max_parallel = 1 or if there's only one delivery to do. The reason
4190 is so that the base process can retain privilege. This makes the
4191 implementation of fallback transports feasible (though not initially done.)
4193 We create up to the configured number of subprocesses, each of which passes
4194 back the delivery state via a pipe. (However, when sending down an existing
4195 connection, remote_max_parallel is forced to 1.)
4198 fallback TRUE if processing fallback hosts
4200 Returns: TRUE normally
4201 FALSE if mua_wrapper is set and the addresses cannot all be sent
4206 do_remote_deliveries(BOOL fallback)
4211 parcount = 0; /* Number of executing subprocesses */
4213 /* When sending down an existing channel, only do one delivery at a time.
4214 We use a local variable (parmax) to hold the maximum number of processes;
4215 this gets reduced from remote_max_parallel if we can't create enough pipes. */
4217 if (continue_transport) remote_max_parallel = 1;
4218 parmax = remote_max_parallel;
4220 /* If the data for keeping a list of processes hasn't yet been
4225 parlist = store_get(remote_max_parallel * sizeof(pardata), FALSE);
4226 for (poffset = 0; poffset < remote_max_parallel; poffset++)
4227 parlist[poffset].pid = 0;
4228 parpoll = store_get(remote_max_parallel * sizeof(struct pollfd), FALSE);
4231 /* Now loop for each remote delivery */
4233 for (int delivery_count = 0; addr_remote; delivery_count++)
4239 int address_count = 1;
4240 int address_count_max;
4242 BOOL use_initgroups;
4243 BOOL pipe_done = FALSE;
4244 transport_instance *tp;
4245 address_item **anchor = &addr_remote;
4246 address_item *addr = addr_remote;
4247 address_item *last = addr;
4250 uschar * serialize_key = NULL;
4252 /* Pull the first address right off the list. */
4254 addr_remote = addr->next;
4257 DEBUG(D_deliver|D_transport)
4258 debug_printf("--------> %s <--------\n", addr->address);
4260 /* If no transport has been set, there has been a big screw-up somewhere. */
4262 if (!(tp = addr->transport))
4264 f.disable_logging = FALSE; /* Jic */
4265 panicmsg = US"No transport set by router";
4266 goto panic_continue;
4269 /* Check that this base address hasn't previously been delivered to this
4270 transport. The check is necessary at this point to handle homonymic addresses
4271 correctly in cases where the pattern of redirection changes between delivery
4272 attempts. Non-homonymic previous delivery is detected earlier, at routing
4275 if (previously_transported(addr, FALSE)) continue;
4277 /* Force failure if the message is too big. */
4279 if (tp->message_size_limit)
4281 int rc = check_message_size(tp, addr);
4284 addr->transport_return = rc;
4285 remote_post_process(addr, LOG_MAIN, NULL, fallback);
4290 /*XXX need to defeat this when DANE is used - but we don't know that yet.
4291 So look out for the place it gets used.
4294 /* Get the flag which specifies whether the transport can handle different
4295 domains that nevertheless resolve to the same set of hosts. If it needs
4296 expanding, get variables set: $address_data, $domain_data, $localpart_data,
4297 $host, $host_address, $host_port. */
4298 if (tp->expand_multi_domain)
4299 deliver_set_expansions(addr);
4301 if (exp_bool(addr, US"transport", tp->name, D_transport,
4302 US"multi_domain", tp->multi_domain, tp->expand_multi_domain,
4303 &multi_domain) != OK)
4305 deliver_set_expansions(NULL);
4306 panicmsg = addr->message;
4307 goto panic_continue;
4310 /* Get the maximum it can handle in one envelope, with zero meaning
4311 unlimited, which is forced for the MUA wrapper case. */
4313 address_count_max = tp->max_addresses;
4314 if (address_count_max == 0 || mua_wrapper) address_count_max = 999999;
4317 /************************************************************************/
4318 /***** This is slightly experimental code, but should be safe. *****/
4320 /* The address_count_max value is the maximum number of addresses that the
4321 transport can send in one envelope. However, the transport must be capable of
4322 dealing with any number of addresses. If the number it gets exceeds its
4323 envelope limitation, it must send multiple copies of the message. This can be
4324 done over a single connection for SMTP, so uses less resources than making
4325 multiple connections. On the other hand, if remote_max_parallel is greater
4326 than one, it is perhaps a good idea to use parallel processing to move the
4327 message faster, even if that results in multiple simultaneous connections to
4330 How can we come to some compromise between these two ideals? What we do is to
4331 limit the number of addresses passed to a single instance of a transport to
4332 the greater of (a) its address limit (rcpt_max for SMTP) and (b) the total
4333 number of addresses routed to remote transports divided by
4334 remote_max_parallel. For example, if the message has 100 remote recipients,
4335 remote max parallel is 2, and rcpt_max is 10, we'd never send more than 50 at
4336 once. But if rcpt_max is 100, we could send up to 100.
4338 Of course, not all the remotely addresses in a message are going to go to the
4339 same set of hosts (except in smarthost configurations), so this is just a
4340 heuristic way of dividing up the work.
4342 Furthermore (1), because this may not be wanted in some cases, and also to
4343 cope with really pathological cases, there is also a limit to the number of
4344 messages that are sent over one connection. This is the same limit that is
4345 used when sending several different messages over the same connection.
4346 Continue_sequence is set when in this situation, to the number sent so
4347 far, including this message.
4349 Furthermore (2), when somebody explicitly sets the maximum value to 1, it
4350 is probably because they are using VERP, in which case they want to pass only
4351 one address at a time to the transport, in order to be able to use
4352 $local_part and $domain in constructing a new return path. We could test for
4353 the use of these variables, but as it is so likely they will be used when the
4354 maximum is 1, we don't bother. Just leave the value alone. */
4356 if ( address_count_max != 1
4357 && address_count_max < remote_delivery_count/remote_max_parallel
4360 int new_max = remote_delivery_count/remote_max_parallel;
4361 int message_max = tp->connection_max_messages;
4362 if (connection_max_messages >= 0) message_max = connection_max_messages;
4363 message_max -= continue_sequence - 1;
4364 if (message_max > 0 && new_max > address_count_max * message_max)
4365 new_max = address_count_max * message_max;
4366 address_count_max = new_max;
4369 /************************************************************************/
4372 /*XXX don't know yet if DANE will be used. So tpt will have to
4373 check at the point if gets next addr from list, and skip/defer any
4377 /* Pick off all addresses which have the same transport, errors address,
4378 destination, and extra headers. In some cases they point to the same host
4379 list, but we also need to check for identical host lists generated from
4380 entirely different domains. The host list pointers can be NULL in the case
4381 where the hosts are defined in the transport. There is also a configured
4382 maximum limit of addresses that can be handled at once (see comments above
4383 for how it is computed).
4384 If the transport does not handle multiple domains, enforce that also,
4385 and if it might need a per-address check for this, re-evaluate it.
4388 while ((next = *anchor) && address_count < address_count_max)
4391 if ( (multi_domain || Ustrcmp(next->domain, addr->domain) == 0)
4392 && tp == next->transport
4393 && same_hosts(next->host_list, addr->host_list)
4394 && same_strings(next->prop.errors_address, addr->prop.errors_address)
4395 && same_headers(next->prop.extra_headers, addr->prop.extra_headers)
4396 && same_ugid(tp, next, addr)
4397 && ( next->prop.remove_headers == addr->prop.remove_headers
4398 || ( next->prop.remove_headers
4399 && addr->prop.remove_headers
4400 && Ustrcmp(next->prop.remove_headers, addr->prop.remove_headers) == 0
4404 (void)(!tp->expand_multi_domain || ((void)deliver_set_expansions(next), 1)),
4406 US"transport", next->transport->name, D_transport,
4407 US"multi_domain", next->transport->multi_domain,
4408 next->transport->expand_multi_domain, &md) == OK
4413 *anchor = next->next;
4415 next->first = addr; /* remember top one (for retry processing) */
4420 else anchor = &(next->next);
4421 deliver_set_expansions(NULL);
4424 /* If we are acting as an MUA wrapper, all addresses must go in a single
4425 transaction. If not, put them back on the chain and yield FALSE. */
4427 if (mua_wrapper && addr_remote)
4429 last->next = addr_remote;
4434 /* If the transport is limited for parallellism, enforce that here.
4435 The hints DB entry is decremented in par_reduce(), when we reap the
4436 transport process. */
4438 if (tpt_parallel_check(tp, addr, &serialize_key))
4439 if ((panicmsg = expand_string_message))
4440 goto panic_continue;
4442 continue; /* Loop for the next set of addresses. */
4444 /* Set up the expansion variables for this set of addresses */
4446 deliver_set_expansions(addr);
4448 /* Ensure any transport-set auth info is fresh */
4449 addr->authenticator = addr->auth_id = addr->auth_sndr = NULL;
4451 /* Compute the return path, expanding a new one if required. The old one
4452 must be set first, as it might be referred to in the expansion. */
4454 if(addr->prop.errors_address)
4455 return_path = addr->prop.errors_address;
4456 #ifdef EXPERIMENTAL_SRS_ALT
4457 else if(addr->prop.srs_sender)
4458 return_path = addr->prop.srs_sender;
4461 return_path = sender_address;
4463 if (tp->return_path)
4465 uschar *new_return_path = expand_string(tp->return_path);
4466 if (new_return_path)
4467 return_path = new_return_path;
4468 else if (!f.expand_string_forcedfail)
4470 panicmsg = string_sprintf("Failed to expand return path \"%s\": %s",
4471 tp->return_path, expand_string_message);
4476 /* Find the uid, gid, and use_initgroups setting for this transport. Failure
4477 logs and sets up error messages, so we just post-process and continue with
4478 the next address. */
4480 if (!findugid(addr, tp, &uid, &gid, &use_initgroups))
4486 /* If this transport has a setup function, call it now so that it gets
4487 run in this process and not in any subprocess. That way, the results of
4488 any setup that are retained by the transport can be reusable. One of the
4489 things the setup does is to set the fallback host lists in the addresses.
4490 That is why it is called at this point, before the continue delivery
4491 processing, because that might use the fallback hosts. */
4494 (void)((tp->setup)(addr->transport, addr, NULL, uid, gid, NULL));
4496 /* If we have a connection still open from a verify stage (lazy-close)
4497 treat it as if it is a continued connection (apart from the counter used
4498 for the log line mark). */
4500 if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
4503 debug_printf("lazy-callout-close: have conn still open from verification\n");
4504 continue_transport = cutthrough.transport;
4505 continue_hostname = string_copy(cutthrough.host.name);
4506 continue_host_address = string_copy(cutthrough.host.address);
4507 continue_sequence = 1;
4508 sending_ip_address = cutthrough.snd_ip;
4509 sending_port = cutthrough.snd_port;
4510 smtp_peer_options = cutthrough.peer_options;
4513 /* If this is a run to continue delivery down an already-established
4514 channel, check that this set of addresses matches the transport and
4515 the channel. If it does not, defer the addresses. If a host list exists,
4516 we must check that the continue host is on the list. Otherwise, the
4517 host is set in the transport. */
4519 f.continue_more = FALSE; /* In case got set for the last lot */
4520 if (continue_transport)
4522 BOOL ok = Ustrcmp(continue_transport, tp->name) == 0;
4523 /*XXX do we need to check for a DANEd conn vs. a change of domain? */
4525 /* If the transport is about to override the host list do not check
4526 it here but take the cost of running the transport process to discover
4527 if the continued_hostname connection is suitable. This is a layering
4528 violation which is unfortunate as it requires we haul in the smtp
4533 smtp_transport_options_block * ob;
4535 if ( !( Ustrcmp(tp->info->driver_name, "smtp") == 0
4536 && (ob = (smtp_transport_options_block *)tp->options_block)
4537 && ob->hosts_override && ob->hosts
4543 for (host_item * h = addr->host_list; h; h = h->next)
4544 if (Ustrcmp(h->name, continue_hostname) == 0)
4545 /*XXX should also check port here */
4546 { ok = TRUE; break; }
4550 /* Addresses not suitable; defer or queue for fallback hosts (which
4551 might be the continue host) and skip to next address. */
4555 DEBUG(D_deliver) debug_printf("not suitable for continue_transport (%s)\n",
4556 Ustrcmp(continue_transport, tp->name) != 0
4557 ? string_sprintf("tpt %s vs %s", continue_transport, tp->name)
4558 : string_sprintf("no host matching %s", continue_hostname));
4559 if (serialize_key) enq_end(serialize_key);
4561 if (addr->fallback_hosts && !fallback)
4563 for (next = addr; ; next = next->next)
4565 next->host_list = next->fallback_hosts;
4566 DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", next->address);
4567 if (!next->next) break;
4569 next->next = addr_fallback;
4570 addr_fallback = addr;
4575 for (next = addr; ; next = next->next)
4577 DEBUG(D_deliver) debug_printf(" %s to def list\n", next->address);
4578 if (!next->next) break;
4580 next->next = addr_defer;
4587 /* Set a flag indicating whether there are further addresses that list
4588 the continued host. This tells the transport to leave the channel open,
4589 but not to pass it to another delivery process. We'd like to do that
4590 for non-continue_transport cases too but the knowlege of which host is
4591 connected to is too hard to manage. Perhaps we need a finer-grain
4592 interface to the transport. */
4594 for (next = addr_remote; next && !f.continue_more; next = next->next)
4595 for (host_item * h = next->host_list; h; h = h->next)
4596 if (Ustrcmp(h->name, continue_hostname) == 0)
4597 { f.continue_more = TRUE; break; }
4600 /* The transports set up the process info themselves as they may connect
4601 to more than one remote machine. They also have to set up the filter
4602 arguments, if required, so that the host name and address are available
4605 transport_filter_argv = NULL;
4607 /* Create the pipe for inter-process communication. If pipe creation
4608 fails, it is probably because the value of remote_max_parallel is so
4609 large that too many file descriptors for pipes have been created. Arrange
4610 to wait for a process to finish, and then try again. If we still can't
4611 create a pipe when all processes have finished, break the retry loop. */
4615 if (pipe(pfd) == 0) pipe_done = TRUE;
4616 else if (parcount > 0) parmax = parcount;
4619 /* We need to make the reading end of the pipe non-blocking. There are
4620 two different options for this. Exim is cunningly (I hope!) coded so
4621 that it can use either of them, though it prefers O_NONBLOCK, which
4622 distinguishes between EOF and no-more-data. */
4624 /* The data appears in a timely manner and we already did a poll on
4625 all pipes, so I do not see a reason to use non-blocking IO here
4628 (void)fcntl(pfd[pipe_read], F_SETFL, O_NONBLOCK);
4630 (void)fcntl(pfd[pipe_read], F_SETFL, O_NDELAY);
4634 /* If the maximum number of subprocesses already exist, wait for a process
4635 to finish. If we ran out of file descriptors, parmax will have been reduced
4636 from its initial value of remote_max_parallel. */
4638 par_reduce(parmax - 1, fallback);
4641 /* If we failed to create a pipe and there were no processes to wait
4642 for, we have to give up on this one. Do this outside the above loop
4643 so that we can continue the main loop. */
4647 panicmsg = string_sprintf("unable to create pipe: %s", strerror(errno));
4651 /* Find a free slot in the pardata list. Must do this after the possible
4652 waiting for processes to finish, because a terminating process will free
4655 for (poffset = 0; poffset < remote_max_parallel; poffset++)
4656 if (parlist[poffset].pid == 0)
4659 /* If there isn't one, there has been a horrible disaster. */
4661 if (poffset >= remote_max_parallel)
4663 (void)close(pfd[pipe_write]);
4664 (void)close(pfd[pipe_read]);
4665 panicmsg = US"Unexpectedly no free subprocess slot";
4669 /* Now fork a subprocess to do the remote delivery, but before doing so,
4670 ensure that any cached resources are released so as not to interfere with
4671 what happens in the subprocess. */
4675 if ((pid = exim_fork(US"transport")) == 0)
4677 int fd = pfd[pipe_write];
4680 /* Setting this global in the subprocess means we need never clear it */
4681 transport_name = tp->name;
4683 /* There are weird circumstances in which logging is disabled */
4684 f.disable_logging = tp->disable_logging;
4686 /* Show pids on debug output if parallelism possible */
4688 if (parmax > 1 && (parcount > 0 || addr_remote))
4689 DEBUG(D_any|D_v) debug_selector |= D_pid;
4691 /* Reset the random number generator, so different processes don't all
4692 have the same sequence. In the test harness we want different, but
4693 predictable settings for each delivery process, so do something explicit
4694 here rather they rely on the fixed reset in the random number function. */
4696 random_seed = f.running_in_test_harness ? 42 + 2*delivery_count : 0;
4698 /* Set close-on-exec on the pipe so that it doesn't get passed on to
4699 a new process that may be forked to do another delivery down the same
4702 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
4704 /* Close open file descriptors for the pipes of other processes
4705 that are running in parallel. */
4707 for (poffset = 0; poffset < remote_max_parallel; poffset++)
4708 if (parlist[poffset].pid != 0) (void)close(parlist[poffset].fd);
4710 /* This process has inherited a copy of the file descriptor
4711 for the data file, but its file pointer is shared with all the
4712 other processes running in parallel. Therefore, we have to re-open
4713 the file in order to get a new file descriptor with its own
4714 file pointer. We don't need to lock it, as the lock is held by
4715 the parent process. There doesn't seem to be any way of doing
4716 a dup-with-new-file-pointer. */
4718 (void)close(deliver_datafile);
4720 uschar * fname = spool_fname(US"input", message_subdir, message_id, US"-D");
4722 if ((deliver_datafile = Uopen(fname,
4726 O_RDWR | O_APPEND, 0)) < 0)
4727 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to reopen %s for remote "
4728 "parallel delivery: %s", fname, strerror(errno));
4731 /* Set the close-on-exec flag */
4733 (void)fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) |
4737 /* Set the uid/gid of this process; bombs out on failure. */
4739 exim_setugid(uid, gid, use_initgroups,
4740 string_sprintf("remote delivery to %s with transport=%s",
4741 addr->address, tp->name));
4743 /* Close the unwanted half of this process' pipe, set the process state,
4744 and run the transport. Afterwards, transport_count will contain the number
4745 of bytes written. */
4747 (void)close(pfd[pipe_read]);
4748 set_process_info("delivering %s using %s", message_id, tp->name);
4749 debug_print_string(tp->debug_string);
4750 if (!(tp->info->code)(addr->transport, addr)) replicate_status(addr);
4752 set_process_info("delivering %s (just run %s for %s%s in subprocess)",
4753 message_id, tp->name, addr->address, addr->next ? ", ..." : "");
4755 /* Ensure any cached resources that we used are now released */
4759 /* Pass the result back down the pipe. This is a lot more information
4760 than is needed for a local delivery. We have to send back the error
4761 status for each address, the usability status for each host that is
4762 flagged as unusable, and all the retry items. When TLS is in use, we
4763 send also the cipher and peerdn information. Each type of information
4764 is flagged by an identifying byte, and is then in a fixed format (with
4765 strings terminated by zeros), and there is a final terminator at the
4766 end. The host information and retry information is all attached to
4767 the first address, so that gets sent at the start. */
4769 /* Host unusability information: for most success cases this will
4772 for (h = addr->host_list; h; h = h->next)
4774 if (!h->address || h->status < hstatus_unusable) continue;
4775 sprintf(CS big_buffer, "%c%c%s", h->status, h->why, h->address);
4776 rmt_dlv_checked_write(fd, 'H', '0', big_buffer, Ustrlen(big_buffer+2) + 3);
4779 /* The number of bytes written. This is the same for each address. Even
4780 if we sent several copies of the message down the same connection, the
4781 size of each one is the same, and it's that value we have got because
4782 transport_count gets reset before calling transport_write_message(). */
4784 memcpy(big_buffer, &transport_count, sizeof(transport_count));
4785 rmt_dlv_checked_write(fd, 'S', '0', big_buffer, sizeof(transport_count));
4787 /* Information about what happened to each address. Four item types are
4788 used: an optional 'X' item first, for TLS information, then an optional "C"
4789 item for any client-auth info followed by 'R' items for any retry settings,
4790 and finally an 'A' item for the remaining data. */
4792 for(; addr; addr = addr->next)
4796 /* The certificate verification status goes into the flags */
4797 if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
4799 if (tls_out.dane_verified) setflag(addr, af_dane_verified);
4801 # ifndef DISABLE_TLS_RESUME
4802 if (tls_out.resumption & RESUME_USED) setflag(addr, af_tls_resume);
4805 /* Use an X item only if there's something to send */
4809 ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1;
4813 ptr += sprintf(CS ptr, "%.512s", addr->peerdn) + 1;
4815 rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
4817 else if (continue_proxy_cipher)
4819 ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1;
4821 rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
4827 if (tls_export_cert(ptr, big_buffer_size-2, addr->peercert))
4831 rmt_dlv_checked_write(fd, 'X', '2', big_buffer, ptr - big_buffer);
4836 if (tls_export_cert(ptr, big_buffer_size-2, addr->ourcert))
4840 rmt_dlv_checked_write(fd, 'X', '3', big_buffer, ptr - big_buffer);
4842 # ifndef DISABLE_OCSP
4843 if (addr->ocsp > OCSP_NOT_REQ)
4845 ptr = big_buffer + sprintf(CS big_buffer, "%c", addr->ocsp + '0') + 1;
4846 rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer);
4849 #endif /*DISABLE_TLS*/
4851 if (client_authenticator)
4853 ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticator) + 1;
4854 rmt_dlv_checked_write(fd, 'C', '1', big_buffer, ptr - big_buffer);
4856 if (client_authenticated_id)
4858 ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_id) + 1;
4859 rmt_dlv_checked_write(fd, 'C', '2', big_buffer, ptr - big_buffer);
4861 if (client_authenticated_sender)
4863 ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_sender) + 1;
4864 rmt_dlv_checked_write(fd, 'C', '3', big_buffer, ptr - big_buffer);
4867 #ifndef DISABLE_PRDR
4868 if (testflag(addr, af_prdr_used))
4869 rmt_dlv_checked_write(fd, 'P', '0', NULL, 0);
4872 if (testflag(addr, af_pipelining))
4873 #ifndef DISABLE_PIPE_CONNECT
4874 if (testflag(addr, af_early_pipe))
4875 rmt_dlv_checked_write(fd, 'L', '2', NULL, 0);
4878 rmt_dlv_checked_write(fd, 'L', '1', NULL, 0);
4880 if (testflag(addr, af_chunking_used))
4881 rmt_dlv_checked_write(fd, 'K', '0', NULL, 0);
4883 if (testflag(addr, af_tcp_fastopen_conn))
4884 rmt_dlv_checked_write(fd, 'T',
4885 testflag(addr, af_tcp_fastopen) ? testflag(addr, af_tcp_fastopen_data)
4889 memcpy(big_buffer, &addr->dsn_aware, sizeof(addr->dsn_aware));
4890 rmt_dlv_checked_write(fd, 'D', '0', big_buffer, sizeof(addr->dsn_aware));
4892 /* Retry information: for most success cases this will be null. */
4894 for (retry_item * r = addr->retries; r; r = r->next)
4896 sprintf(CS big_buffer, "%c%.500s", r->flags, r->key);
4897 ptr = big_buffer + Ustrlen(big_buffer+2) + 3;
4898 memcpy(ptr, &r->basic_errno, sizeof(r->basic_errno));
4899 ptr += sizeof(r->basic_errno);
4900 memcpy(ptr, &r->more_errno, sizeof(r->more_errno));
4901 ptr += sizeof(r->more_errno);
4902 if (!r->message) *ptr++ = 0; else
4904 sprintf(CS ptr, "%.512s", r->message);
4907 rmt_dlv_checked_write(fd, 'R', '0', big_buffer, ptr - big_buffer);
4910 if (testflag(addr, af_new_conn) || testflag(addr, af_cont_conn))
4912 DEBUG(D_deliver) debug_printf("%scontinued-connection\n",
4913 testflag(addr, af_new_conn) ? "non-" : "");
4914 big_buffer[0] = testflag(addr, af_new_conn) ? BIT(1) : BIT(2);
4915 rmt_dlv_checked_write(fd, 'A', '3', big_buffer, 1);
4918 #ifdef SUPPORT_SOCKS
4919 if (LOGGING(proxy) && proxy_session)
4922 if (proxy_local_address)
4924 DEBUG(D_deliver) debug_printf("proxy_local_address '%s'\n", proxy_local_address);
4925 ptr = big_buffer + sprintf(CS ptr, "%.128s", proxy_local_address) + 1;
4926 DEBUG(D_deliver) debug_printf("proxy_local_port %d\n", proxy_local_port);
4927 memcpy(ptr, &proxy_local_port, sizeof(proxy_local_port));
4928 ptr += sizeof(proxy_local_port);
4932 rmt_dlv_checked_write(fd, 'A', '2', big_buffer, ptr - big_buffer);
4936 #ifdef EXPERIMENTAL_DSN_INFO
4937 /*um, are they really per-addr? Other per-conn stuff is not (auth, tls). But host_used is! */
4938 if (addr->smtp_greeting)
4940 DEBUG(D_deliver) debug_printf("smtp_greeting '%s'\n", addr->smtp_greeting);
4941 ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->smtp_greeting) + 1;
4942 if (addr->helo_response)
4944 DEBUG(D_deliver) debug_printf("helo_response '%s'\n", addr->helo_response);
4945 ptr += sprintf(CS ptr, "%.128s", addr->helo_response) + 1;
4949 rmt_dlv_checked_write(fd, 'A', '1', big_buffer, ptr - big_buffer);
4953 /* The rest of the information goes in an 'A0' item. */
4955 sprintf(CS big_buffer, "%c%c", addr->transport_return, addr->special_action);
4956 ptr = big_buffer + 2;
4957 memcpy(ptr, &addr->basic_errno, sizeof(addr->basic_errno));
4958 ptr += sizeof(addr->basic_errno);
4959 memcpy(ptr, &addr->more_errno, sizeof(addr->more_errno));
4960 ptr += sizeof(addr->more_errno);
4961 memcpy(ptr, &addr->delivery_time, sizeof(addr->delivery_time));
4962 ptr += sizeof(addr->delivery_time);
4963 memcpy(ptr, &addr->flags, sizeof(addr->flags));
4964 ptr += sizeof(addr->flags);
4966 if (!addr->message) *ptr++ = 0; else
4967 ptr += sprintf(CS ptr, "%.1024s", addr->message) + 1;
4969 if (!addr->user_message) *ptr++ = 0; else
4970 ptr += sprintf(CS ptr, "%.1024s", addr->user_message) + 1;
4972 if (!addr->host_used) *ptr++ = 0; else
4974 ptr += sprintf(CS ptr, "%.256s", addr->host_used->name) + 1;
4975 ptr += sprintf(CS ptr, "%.64s", addr->host_used->address) + 1;
4976 memcpy(ptr, &addr->host_used->port, sizeof(addr->host_used->port));
4977 ptr += sizeof(addr->host_used->port);
4979 /* DNS lookup status */
4980 *ptr++ = addr->host_used->dnssec==DS_YES ? '2'
4981 : addr->host_used->dnssec==DS_NO ? '1' : '0';
4984 rmt_dlv_checked_write(fd, 'A', '0', big_buffer, ptr - big_buffer);
4987 /* Local interface address/port */
4988 #ifdef EXPERIMENTAL_DSN_INFO
4989 if (sending_ip_address)
4991 if (LOGGING(incoming_interface) && sending_ip_address)
4995 ptr = big_buffer + sprintf(CS big_buffer, "%.128s", sending_ip_address) + 1;
4996 ptr += sprintf(CS ptr, "%d", sending_port) + 1;
4997 rmt_dlv_checked_write(fd, 'I', '0', big_buffer, ptr - big_buffer);
5000 /* Add termination flag, close the pipe, and that's it. The character
5001 after 'Z' indicates whether continue_transport is now NULL or not.
5002 A change from non-NULL to NULL indicates a problem with a continuing
5005 big_buffer[0] = continue_transport ? '1' : '0';
5006 rmt_dlv_checked_write(fd, 'Z', '0', big_buffer, 1);
5011 /* Back in the mainline: close the unwanted half of the pipe. */
5013 (void)close(pfd[pipe_write]);
5015 /* If we have a connection still open from a verify stage (lazy-close)
5016 release its TLS library context (if any) as responsibility was passed to
5017 the delivery child process. */
5019 if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
5022 if (cutthrough.is_tls)
5023 tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
5025 (void) close(cutthrough.cctx.sock);
5026 release_cutthrough_connection(US"passed to transport proc");
5029 /* Fork failed; defer with error message */
5033 (void)close(pfd[pipe_read]);
5034 panicmsg = string_sprintf("fork failed for remote delivery to %s: %s",
5035 addr->domain, strerror(errno));
5039 /* Fork succeeded; increment the count, and remember relevant data for
5040 when the process finishes. */
5043 parlist[poffset].addrlist = parlist[poffset].addr = addr;
5044 parlist[poffset].pid = pid;
5045 parlist[poffset].fd = pfd[pipe_read];
5046 parlist[poffset].done = FALSE;
5047 parlist[poffset].msg = NULL;
5048 parlist[poffset].return_path = return_path;
5050 /* If the process we've just started is sending a message down an existing
5051 channel, wait for it now. This ensures that only one such process runs at
5052 once, whatever the value of remote_max parallel. Otherwise, we might try to
5053 send two or more messages simultaneously down the same channel. This could
5054 happen if there are different domains that include the same host in otherwise
5055 different host lists.
5057 Also, if the transport closes down the channel, this information gets back
5058 (continue_transport gets set to NULL) before we consider any other addresses
5061 if (continue_transport) par_reduce(0, fallback);
5063 /* Otherwise, if we are running in the test harness, wait a bit, to let the
5064 newly created process get going before we create another process. This should
5065 ensure repeatability in the tests. Wait long enough for most cases to complete
5068 else testharness_pause_ms(600);
5073 if (serialize_key) enq_end(serialize_key);
5075 remote_post_process(addr, LOG_MAIN|LOG_PANIC, panicmsg, fallback);
5079 /* Reached the end of the list of addresses. Wait for all the subprocesses that
5080 are still running and post-process their addresses. */
5082 par_reduce(0, fallback);
5089 /*************************************************
5090 * Split an address into local part and domain *
5091 *************************************************/
5093 /* This function initializes an address for routing by splitting it up into a
5094 local part and a domain. The local part is set up twice - once in its original
5095 casing, and once in lower case, and it is dequoted. We also do the "percent
5096 hack" for configured domains. This may lead to a DEFER result if a lookup
5097 defers. When a percent-hacking takes place, we insert a copy of the original
5098 address as a new parent of this address, as if we have had a redirection.
5101 addr points to an addr_item block containing the address
5104 DEFER - could not determine if domain is %-hackable
5108 deliver_split_address(address_item * addr)
5110 uschar * address = addr->address;
5115 if (!(domain = Ustrrchr(address, '@')))
5116 return DEFER; /* should always have a domain, but just in case... */
5118 len = domain - address;
5119 addr->domain = string_copylc(domain+1); /* Domains are always caseless */
5121 /* The implication in the RFCs (though I can't say I've seen it spelled out
5122 explicitly) is that quoting should be removed from local parts at the point
5123 where they are locally interpreted. [The new draft "821" is more explicit on
5124 this, Jan 1999.] We know the syntax is valid, so this can be done by simply
5125 removing quoting backslashes and any unquoted doublequotes. */
5127 t = addr->cc_local_part = store_get(len+1, is_tainted(address));
5131 if (c == '\"') continue;
5141 /* We do the percent hack only for those domains that are listed in
5142 percent_hack_domains. A loop is required, to copy with multiple %-hacks. */
5144 if (percent_hack_domains)
5147 uschar *new_address = NULL;
5148 uschar *local_part = addr->cc_local_part;
5150 deliver_domain = addr->domain; /* set $domain */
5152 while ( (rc = match_isinlist(deliver_domain, (const uschar **)&percent_hack_domains, 0,
5153 &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
5155 && (t = Ustrrchr(local_part, '%')) != NULL
5158 new_address = string_copy(local_part);
5159 new_address[t - local_part] = '@';
5160 deliver_domain = string_copylc(t+1);
5161 local_part = string_copyn(local_part, t - local_part);
5164 if (rc == DEFER) return DEFER; /* lookup deferred */
5166 /* If hackery happened, set up new parent and alter the current address. */
5170 address_item *new_parent = store_get(sizeof(address_item), FALSE);
5171 *new_parent = *addr;
5172 addr->parent = new_parent;
5173 new_parent->child_count = 1;
5174 addr->address = new_address;
5175 addr->unique = string_copy(new_address);
5176 addr->domain = deliver_domain;
5177 addr->cc_local_part = local_part;
5178 DEBUG(D_deliver) debug_printf("%%-hack changed address to: %s\n",
5183 /* Create the lowercased version of the final local part, and make that the
5184 default one to be used. */
5186 addr->local_part = addr->lc_local_part = string_copylc(addr->cc_local_part);
5193 /*************************************************
5194 * Get next error message text *
5195 *************************************************/
5197 /* If f is not NULL, read the next "paragraph", from a customized error message
5198 text file, terminated by a line containing ****, and expand it.
5201 f NULL or a file to read from
5202 which string indicating which string (for errors)
5204 Returns: NULL or an expanded string
5208 next_emf(FILE *f, uschar *which)
5214 if (!f) return NULL;
5216 if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0)
5219 para = string_get(256);
5222 para = string_cat(para, buffer);
5223 if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0)
5226 if ((yield = expand_string(string_from_gstring(para))))
5229 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand string from "
5230 "bounce_message_file or warn_message_file (%s): %s", which,
5231 expand_string_message);
5238 /*************************************************
5239 * Close down a passed transport channel *
5240 *************************************************/
5242 /* This function is called when a passed transport channel cannot be used.
5243 It attempts to close it down tidily. The yield is always DELIVER_NOT_ATTEMPTED
5244 so that the function call can be the argument of a "return" statement.
5247 Returns: DELIVER_NOT_ATTEMPTED
5251 continue_closedown(void)
5253 if (continue_transport)
5254 for (transport_instance * t = transports; t; t = t->next)
5255 if (Ustrcmp(t->name, continue_transport) == 0)
5257 if (t->info->closedown) (t->info->closedown)(t);
5260 return DELIVER_NOT_ATTEMPTED;
5266 /*************************************************
5267 * Print address information *
5268 *************************************************/
5270 /* This function is called to output an address, or information about an
5271 address, for bounce or defer messages. If the hide_child flag is set, all we
5272 output is the original ancestor address.
5275 addr points to the address
5276 f the FILE to print to
5277 si an initial string
5278 sc a continuation string for before "generated"
5281 Returns: TRUE if the address is not hidden
5285 print_address_information(address_item *addr, FILE *f, uschar *si, uschar *sc,
5289 uschar *printed = US"";
5290 address_item *ancestor = addr;
5291 while (ancestor->parent) ancestor = ancestor->parent;
5293 fprintf(f, "%s", CS si);
5295 if (addr->parent && testflag(addr, af_hide_child))
5297 printed = US"an undisclosed address";
5300 else if (!testflag(addr, af_pfr) || !addr->parent)
5301 printed = addr->address;
5305 uschar *s = addr->address;
5308 if (addr->address[0] == '>') { ss = US"mail"; s++; }
5309 else if (addr->address[0] == '|') ss = US"pipe";
5312 fprintf(f, "%s to %s%sgenerated by ", ss, s, sc);
5313 printed = addr->parent->address;
5316 fprintf(f, "%s", CS string_printing(printed));
5318 if (ancestor != addr)
5320 uschar *original = ancestor->onetime_parent;
5321 if (!original) original= ancestor->address;
5322 if (strcmpic(original, printed) != 0)
5323 fprintf(f, "%s(%sgenerated from %s)", sc,
5324 ancestor != addr->parent ? "ultimately " : "",
5325 string_printing(original));
5328 if (addr->host_used)
5329 fprintf(f, "\n host %s [%s]",
5330 addr->host_used->name, addr->host_used->address);
5332 fprintf(f, "%s", CS se);
5340 /*************************************************
5341 * Print error for an address *
5342 *************************************************/
5344 /* This function is called to print the error information out of an address for
5345 a bounce or a warning message. It tries to format the message reasonably by
5346 introducing newlines. All lines are indented by 4; the initial printing
5347 position must be set before calling.
5349 This function used always to print the error. Nowadays we want to restrict it
5350 to cases such as LMTP/SMTP errors from a remote host, and errors from :fail:
5351 and filter "fail". We no longer pass other information willy-nilly in bounce
5352 and warning messages. Text in user_message is always output; text in message
5353 only if the af_pass_message flag is set.
5357 f the FILE to print on
5364 print_address_error(address_item *addr, FILE *f, uschar *t)
5366 int count = Ustrlen(t);
5367 uschar *s = testflag(addr, af_pass_message) ? addr->message : NULL;
5369 if (!s && !(s = addr->user_message))
5372 fprintf(f, "\n %s", t);
5375 if (*s == '\\' && s[1] == 'n')
5385 if (*s++ == ':' && isspace(*s) && count > 45)
5387 fprintf(f, "\n "); /* sic (because space follows) */
5394 /***********************************************************
5395 * Print Diagnostic-Code for an address *
5396 ************************************************************/
5398 /* This function is called to print the error information out of an address for
5399 a bounce or a warning message. It tries to format the message reasonably as
5400 required by RFC 3461 by adding a space after each newline
5402 it uses the same logic as print_address_error() above. if af_pass_message is true
5403 and addr->message is set it uses the remote host answer. if not addr->user_message
5404 is used instead if available.
5408 f the FILE to print on
5414 print_dsn_diagnostic_code(const address_item *addr, FILE *f)
5416 uschar * s = testflag(addr, af_pass_message) ? addr->message : NULL;
5419 /* af_pass_message and addr->message set ? print remote host answer */
5423 debug_printf("DSN Diagnostic-Code: addr->message = %s\n", addr->message);
5425 /* search first ": ". we assume to find the remote-MTA answer there */
5426 if (!(s = Ustrstr(addr->message, ": ")))
5427 return; /* not found, bail out */
5428 s += 2; /* skip ": " */
5429 cnt = fprintf(f, "Diagnostic-Code: smtp; ");
5431 /* no message available. do nothing */
5436 if (cnt > 950) /* RFC line length limit: 998 */
5438 DEBUG(D_deliver) debug_printf("print_dsn_diagnostic_code() truncated line\n");
5439 fputs("[truncated]", f);
5443 if (*s == '\\' && s[1] == 'n')
5445 fputs("\n ", f); /* as defined in RFC 3461 */
5460 /*************************************************
5461 * Check list of addresses for duplication *
5462 *************************************************/
5464 /* This function was introduced when the test for duplicate addresses that are
5465 not pipes, files, or autoreplies was moved from the middle of routing to when
5466 routing was complete. That was to fix obscure cases when the routing history
5467 affects the subsequent routing of identical addresses. This function is called
5468 after routing, to check that the final routed addresses are not duplicates.
5470 If we detect a duplicate, we remember what it is a duplicate of. Note that
5471 pipe, file, and autoreply de-duplication is handled during routing, so we must
5472 leave such "addresses" alone here, as otherwise they will incorrectly be
5475 Argument: address of list anchor
5480 do_duplicate_check(address_item **anchor)
5483 while ((addr = *anchor))
5486 if (testflag(addr, af_pfr))
5488 anchor = &(addr->next);
5490 else if ((tnode = tree_search(tree_duplicates, addr->unique)))
5492 DEBUG(D_deliver|D_route)
5493 debug_printf("%s is a duplicate address: discarded\n", addr->unique);
5494 *anchor = addr->next;
5495 addr->dupof = tnode->data.ptr;
5496 addr->next = addr_duplicate;
5497 addr_duplicate = addr;
5501 tree_add_duplicate(addr->unique, addr);
5502 anchor = &(addr->next);
5510 /************************************************/
5513 print_dsn_addr_action(FILE * f, address_item * addr,
5514 uschar * action, uschar * status)
5518 if (addr->dsn_orcpt)
5519 fprintf(f,"Original-Recipient: %s\n", addr->dsn_orcpt);
5521 for (pa = addr; pa->parent; ) pa = pa->parent;
5522 fprintf(f, "Action: %s\n"
5523 "Final-Recipient: rfc822;%s\n"
5525 action, pa->address, status);
5530 /* When running in the test harness, there's an option that allows us to
5531 fudge this time so as to get repeatability of the tests. Take the first
5532 time off the list. In queue runs, the list pointer gets updated in the
5536 test_harness_fudged_queue_time(int actual_time)
5539 if ( f.running_in_test_harness && *fudged_queue_times
5540 && (qt = readconf_readtime(fudged_queue_times, '/', FALSE)) >= 0)
5542 DEBUG(D_deliver) debug_printf("fudged queue_times = %s\n",
5543 fudged_queue_times);
5549 /************************************************/
5552 expand_open(const uschar * filename,
5553 const uschar * varname, const uschar * reason)
5555 const uschar * s = expand_cstring(filename);
5559 log_write(0, LOG_MAIN|LOG_PANIC,
5560 "Failed to expand %s: '%s'\n", varname, filename);
5562 log_write(0, LOG_MAIN|LOG_PANIC, "%s is not absolute after expansion: '%s'\n",
5564 else if (is_tainted2(s, LOG_MAIN|LOG_PANIC, "Tainted %s after expansion: '%s'\n", varname, s))
5566 else if (!(fp = Ufopen(s, "rb")))
5567 log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for %s "
5568 "message texts: %s", s, reason, strerror(errno));
5572 /*************************************************
5573 * Deliver one message *
5574 *************************************************/
5576 /* This is the function which is called when a message is to be delivered. It
5577 is passed the id of the message. It is possible that the message no longer
5578 exists, if some other process has delivered it, and it is also possible that
5579 the message is being worked on by another process, in which case the data file
5582 If no delivery is attempted for any of the above reasons, the function returns
5583 DELIVER_NOT_ATTEMPTED.
5585 If the give_up flag is set true, do not attempt any deliveries, but instead
5586 fail all outstanding addresses and return the message to the sender (or
5589 A delivery operation has a process all to itself; we never deliver more than
5590 one message in the same process. Therefore we needn't worry too much about
5593 Liable to be called as root.
5596 id the id of the message to be delivered
5597 forced TRUE if delivery was forced by an administrator; this overrides
5598 retry delays and causes a delivery to be tried regardless
5599 give_up TRUE if an administrator has requested that delivery attempts
5602 Returns: When the global variable mua_wrapper is FALSE:
5603 DELIVER_ATTEMPTED_NORMAL if a delivery attempt was made
5604 DELIVER_NOT_ATTEMPTED otherwise (see comment above)
5605 When the global variable mua_wrapper is TRUE:
5606 DELIVER_MUA_SUCCEEDED if delivery succeeded
5607 DELIVER_MUA_FAILED if delivery failed
5608 DELIVER_NOT_ATTEMPTED if not attempted (should not occur)
5612 deliver_message(uschar *id, BOOL forced, BOOL give_up)
5615 int final_yield = DELIVER_ATTEMPTED_NORMAL;
5616 time_t now = time(NULL);
5617 address_item *addr_last = NULL;
5618 uschar *filter_message = NULL;
5619 int process_recipients = RECIP_ACCEPT;
5622 extern int acl_where;
5625 #ifdef MEASURE_TIMING
5626 report_time_since(×tamp_startup, US"delivery start"); /* testcase 0022, 2100 */
5629 info = queue_run_pid == (pid_t)0
5630 ? string_sprintf("delivering %s", id)
5631 : string_sprintf("delivering %s (queue run pid %d)", id, queue_run_pid);
5633 /* If the D_process_info bit is on, set_process_info() will output debugging
5634 information. If not, we want to show this initial information if D_deliver or
5635 D_queue_run is set or in verbose mode. */
5637 set_process_info("%s", info);
5639 if ( !(debug_selector & D_process_info)
5640 && (debug_selector & (D_deliver|D_queue_run|D_v))
5642 debug_printf("%s\n", info);
5644 /* Ensure that we catch any subprocesses that are created. Although Exim
5645 sets SIG_DFL as its initial default, some routes through the code end up
5646 here with it set to SIG_IGN - cases where a non-synchronous delivery process
5647 has been forked, but no re-exec has been done. We use sigaction rather than
5648 plain signal() on those OS where SA_NOCLDWAIT exists, because we want to be
5649 sure it is turned off. (There was a problem on AIX with this.) */
5653 struct sigaction act;
5654 act.sa_handler = SIG_DFL;
5655 sigemptyset(&(act.sa_mask));
5657 sigaction(SIGCHLD, &act, NULL);
5660 signal(SIGCHLD, SIG_DFL);
5663 /* Make the forcing flag available for routers and transports, set up the
5664 global message id field, and initialize the count for returned files and the
5665 message size. This use of strcpy() is OK because the length id is checked when
5666 it is obtained from a command line (the -M or -q options), and otherwise it is
5667 known to be a valid message id. */
5669 if (id != message_id)
5670 Ustrcpy(message_id, id);
5671 f.deliver_force = forced;
5675 /* Initialize some flags */
5677 update_spool = FALSE;
5678 remove_journal = TRUE;
5680 /* Set a known context for any ACLs we call via expansions */
5681 acl_where = ACL_WHERE_DELIVERY;
5683 /* Reset the random number generator, so that if several delivery processes are
5684 started from a queue runner that has already used random numbers (for sorting),
5685 they don't all get the same sequence. */
5689 /* Open and lock the message's data file. Exim locks on this one because the
5690 header file may get replaced as it is re-written during the delivery process.
5691 Any failures cause messages to be written to the log, except for missing files
5692 while queue running - another process probably completed delivery. As part of
5693 opening the data file, message_subdir gets set. */
5695 if ((deliver_datafile = spool_open_datafile(id)) < 0)
5696 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5698 /* The value of message_size at this point has been set to the data length,
5699 plus one for the blank line that notionally precedes the data. */
5701 /* Now read the contents of the header file, which will set up the headers in
5702 store, and also the list of recipients and the tree of non-recipients and
5703 assorted flags. It updates message_size. If there is a reading or format error,
5704 give up; if the message has been around for sufficiently long, remove it. */
5707 uschar * spoolname = string_sprintf("%s-H", id);
5708 if ((rc = spool_read_header(spoolname, TRUE, TRUE)) != spool_read_OK)
5710 if (errno == ERRNO_SPOOLFORMAT)
5712 struct stat statbuf;
5713 if (Ustat(spool_fname(US"input", message_subdir, spoolname, US""),
5715 log_write(0, LOG_MAIN, "Format error in spool file %s: "
5716 "size=" OFF_T_FMT, spoolname, statbuf.st_size);
5718 log_write(0, LOG_MAIN, "Format error in spool file %s", spoolname);
5721 log_write(0, LOG_MAIN, "Error reading spool file %s: %s", spoolname,
5724 /* If we managed to read the envelope data, received_time contains the
5725 time the message was received. Otherwise, we can calculate it from the
5728 if (rc != spool_read_hdrerror)
5730 received_time.tv_sec = received_time.tv_usec = 0;
5731 /*XXX subsec precision?*/
5732 for (i = 0; i < 6; i++)
5733 received_time.tv_sec = received_time.tv_sec * BASE_62 + tab62[id[i] - '0'];
5736 /* If we've had this malformed message too long, sling it. */
5738 if (now - received_time.tv_sec > keep_malformed)
5740 Uunlink(spool_fname(US"msglog", message_subdir, id, US""));
5741 Uunlink(spool_fname(US"input", message_subdir, id, US"-D"));
5742 Uunlink(spool_fname(US"input", message_subdir, id, US"-H"));
5743 Uunlink(spool_fname(US"input", message_subdir, id, US"-J"));
5744 log_write(0, LOG_MAIN, "Message removed because older than %s",
5745 readconf_printtime(keep_malformed));
5748 (void)close(deliver_datafile);
5749 deliver_datafile = -1;
5750 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5754 /* The spool header file has been read. Look to see if there is an existing
5755 journal file for this message. If there is, it means that a previous delivery
5756 attempt crashed (program or host) before it could update the spool header file.
5757 Read the list of delivered addresses from the journal and add them to the
5758 nonrecipients tree. Then update the spool file. We can leave the journal in
5759 existence, as it will get further successful deliveries added to it in this
5760 run, and it will be deleted if this function gets to its end successfully.
5761 Otherwise it might be needed again. */
5764 uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
5767 if ( (journal_fd = Uopen(fname, O_RDWR|O_APPEND
5775 && lseek(journal_fd, 0, SEEK_SET) == 0
5776 && (jread = fdopen(journal_fd, "rb"))
5779 while (Ufgets(big_buffer, big_buffer_size, jread))
5781 int n = Ustrlen(big_buffer);
5782 big_buffer[n-1] = 0;
5783 tree_add_nonrecipient(big_buffer);
5784 DEBUG(D_deliver) debug_printf("Previously delivered address %s taken from "
5785 "journal file\n", big_buffer);
5788 if ((journal_fd = dup(fileno(jread))) < 0)
5789 journal_fd = fileno(jread);
5791 (void) fclose(jread); /* Try to not leak the FILE resource */
5793 /* Panic-dies on error */
5794 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
5796 else if (errno != ENOENT)
5798 log_write(0, LOG_MAIN|LOG_PANIC, "attempt to open journal for reading gave: "
5799 "%s", strerror(errno));
5800 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5803 /* A null recipients list indicates some kind of disaster. */
5805 if (!recipients_list)
5807 (void)close(deliver_datafile);
5808 deliver_datafile = -1;
5809 log_write(0, LOG_MAIN, "Spool error: no recipients for %s", fname);
5810 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5815 /* Handle a message that is frozen. There are a number of different things that
5816 can happen, but in the default situation, unless forced, no delivery is
5819 if (f.deliver_freeze)
5821 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
5822 /* Moving to another directory removes the message from Exim's view. Other
5823 tools must be used to deal with it. Logging of this action happens in
5824 spool_move_message() and its subfunctions. */
5826 if ( move_frozen_messages
5827 && spool_move_message(id, message_subdir, US"", US"F")
5829 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5832 /* For all frozen messages (bounces or not), timeout_frozen_after sets the
5833 maximum time to keep messages that are frozen. Thaw if we reach it, with a
5834 flag causing all recipients to be failed. The time is the age of the
5835 message, not the time since freezing. */
5837 if (timeout_frozen_after > 0 && message_age >= timeout_frozen_after)
5839 log_write(0, LOG_MAIN, "cancelled by timeout_frozen_after");
5840 process_recipients = RECIP_FAIL_TIMEOUT;
5843 /* For bounce messages (and others with no sender), thaw if the error message
5844 ignore timer is exceeded. The message will be discarded if this delivery
5847 else if (!*sender_address && message_age >= ignore_bounce_errors_after)
5848 log_write(0, LOG_MAIN, "Unfrozen by errmsg timer");
5850 /* If this is a bounce message, or there's no auto thaw, or we haven't
5851 reached the auto thaw time yet, and this delivery is not forced by an admin
5852 user, do not attempt delivery of this message. Note that forced is set for
5853 continuing messages down the same channel, in order to skip load checking and
5854 ignore hold domains, but we don't want unfreezing in that case. */
5858 if ( ( sender_address[0] == 0
5860 || now <= deliver_frozen_at + auto_thaw
5862 && ( !forced || !f.deliver_force_thaw
5863 || !f.admin_user || continue_hostname
5866 (void)close(deliver_datafile);
5867 deliver_datafile = -1;
5868 log_write(L_skip_delivery, LOG_MAIN, "Message is frozen");
5869 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5872 /* If delivery was forced (by an admin user), assume a manual thaw.
5873 Otherwise it's an auto thaw. */
5877 f.deliver_manual_thaw = TRUE;
5878 log_write(0, LOG_MAIN, "Unfrozen by forced delivery");
5880 else log_write(0, LOG_MAIN, "Unfrozen by auto-thaw");
5883 /* We get here if any of the rules for unfreezing have triggered. */
5885 f.deliver_freeze = FALSE;
5886 update_spool = TRUE;
5890 /* Open the message log file if we are using them. This records details of
5891 deliveries, deferments, and failures for the benefit of the mail administrator.
5892 The log is not used by exim itself to track the progress of a message; that is
5893 done by rewriting the header spool file. */
5897 uschar * fname = spool_fname(US"msglog", message_subdir, id, US"");
5901 if ((fd = open_msglog_file(fname, SPOOL_MODE, &error)) < 0)
5903 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't %s message log %s: %s", error,
5904 fname, strerror(errno));
5905 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5908 /* Make a C stream out of it. */
5910 if (!(message_log = fdopen(fd, "a")))
5912 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
5913 fname, strerror(errno));
5914 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
5919 /* If asked to give up on a message, log who did it, and set the action for all
5924 struct passwd *pw = getpwuid(real_uid);
5925 log_write(0, LOG_MAIN, "cancelled by %s",
5926 pw ? US pw->pw_name : string_sprintf("uid %ld", (long int)real_uid));
5927 process_recipients = RECIP_FAIL;
5930 /* Otherwise, if there are too many Received: headers, fail all recipients. */
5932 else if (received_count > received_headers_max)
5933 process_recipients = RECIP_FAIL_LOOP;
5935 /* Otherwise, if a system-wide, address-independent message filter is
5936 specified, run it now, except in the case when we are failing all recipients as
5937 a result of timeout_frozen_after. If the system filter yields "delivered", then
5938 ignore the true recipients of the message. Failure of the filter file is
5939 logged, and the delivery attempt fails. */
5941 else if (system_filter && process_recipients != RECIP_FAIL_TIMEOUT)
5946 redirect_block redirect;
5948 if (system_filter_uid_set)
5950 ugid.uid = system_filter_uid;
5951 ugid.gid = system_filter_gid;
5952 ugid.uid_set = ugid.gid_set = TRUE;
5955 ugid.uid_set = ugid.gid_set = FALSE;
5957 return_path = sender_address;
5958 f.enable_dollar_recipients = TRUE; /* Permit $recipients in system filter */
5959 f.system_filtering = TRUE;
5961 /* Any error in the filter file causes a delivery to be abandoned. */
5963 redirect.string = system_filter;
5964 redirect.isfile = TRUE;
5965 redirect.check_owner = redirect.check_group = FALSE;
5966 redirect.owners = NULL;
5967 redirect.owngroups = NULL;
5969 redirect.modemask = 0;
5971 DEBUG(D_deliver|D_filter) debug_printf("running system filter\n");
5974 &redirect, /* Where the data is */
5975 RDO_DEFER | /* Turn on all the enabling options */
5976 RDO_FAIL | /* Leave off all the disabling options */
5981 NULL, /* No :include: restriction (not used in filter) */
5982 NULL, /* No sieve vacation directory (not sieve!) */
5983 NULL, /* No sieve enotify mailto owner (not sieve!) */
5984 NULL, /* No sieve user address (not sieve!) */
5985 NULL, /* No sieve subaddress (not sieve!) */
5986 &ugid, /* uid/gid data */
5987 &addr_new, /* Where to hang generated addresses */
5988 &filter_message, /* Where to put error message */
5989 NULL, /* Don't skip syntax errors */
5990 &filtertype, /* Will always be set to FILTER_EXIM for this call */
5991 US"system filter"); /* For error messages */
5993 DEBUG(D_deliver|D_filter) debug_printf("system filter returned %d\n", rc);
5995 if (rc == FF_ERROR || rc == FF_NONEXIST)
5997 (void)close(deliver_datafile);
5998 deliver_datafile = -1;
5999 log_write(0, LOG_MAIN|LOG_PANIC, "Error in system filter: %s",
6000 string_printing(filter_message));
6001 return continue_closedown(); /* yields DELIVER_NOT_ATTEMPTED */
6004 /* Reset things. If the filter message is an empty string, which can happen
6005 for a filter "fail" or "freeze" command with no text, reset it to NULL. */
6007 f.system_filtering = FALSE;
6008 f.enable_dollar_recipients = FALSE;
6009 if (filter_message && filter_message[0] == 0) filter_message = NULL;
6011 /* Save the values of the system filter variables so that user filters
6014 memcpy(filter_sn, filter_n, sizeof(filter_sn));
6016 /* The filter can request that delivery of the original addresses be
6021 process_recipients = RECIP_DEFER;
6022 deliver_msglog("Delivery deferred by system filter\n");
6023 log_write(0, LOG_MAIN, "Delivery deferred by system filter");
6026 /* The filter can request that a message be frozen, but this does not
6027 take place if the message has been manually thawed. In that case, we must
6028 unset "delivered", which is forced by the "freeze" command to make -bF
6031 else if (rc == FF_FREEZE && !f.deliver_manual_thaw)
6033 f.deliver_freeze = TRUE;
6034 deliver_frozen_at = time(NULL);
6035 process_recipients = RECIP_DEFER;
6036 frozen_info = string_sprintf(" by the system filter%s%s",
6037 filter_message ? US": " : US"",
6038 filter_message ? filter_message : US"");
6041 /* The filter can request that a message be failed. The error message may be
6042 quite long - it is sent back to the sender in the bounce - but we don't want
6043 to fill up the log with repetitions of it. If it starts with << then the text
6044 between << and >> is written to the log, with the rest left for the bounce
6047 else if (rc == FF_FAIL)
6049 uschar *colon = US"";
6050 uschar *logmsg = US"";
6053 process_recipients = RECIP_FAIL_FILTER;
6059 if ( filter_message[0] == '<'
6060 && filter_message[1] == '<'
6061 && (logend = Ustrstr(filter_message, ">>"))
6064 logmsg = filter_message + 2;
6065 loglen = logend - logmsg;
6066 filter_message = logend + 2;
6067 if (filter_message[0] == 0) filter_message = NULL;
6071 logmsg = filter_message;
6072 loglen = Ustrlen(filter_message);
6076 log_write(0, LOG_MAIN, "cancelled by system filter%s%.*s", colon, loglen,
6080 /* Delivery can be restricted only to those recipients (if any) that the
6081 filter specified. */
6083 else if (rc == FF_DELIVERED)
6085 process_recipients = RECIP_IGNORE;
6087 log_write(0, LOG_MAIN, "original recipients ignored (system filter)");
6089 log_write(0, LOG_MAIN, "=> discarded (system filter)");
6092 /* If any new addresses were created by the filter, fake up a "parent"
6093 for them. This is necessary for pipes, etc., which are expected to have
6094 parents, and it also gives some sensible logging for others. Allow
6095 pipes, files, and autoreplies, and run them as the filter uid if set,
6096 otherwise as the current uid. */
6100 int uid = system_filter_uid_set ? system_filter_uid : geteuid();
6101 int gid = system_filter_gid_set ? system_filter_gid : getegid();
6103 /* The text "system-filter" is tested in transport_set_up_command() and in
6104 set_up_shell_command() in the pipe transport, to enable them to permit
6105 $recipients, so don't change it here without also changing it there. */
6107 address_item *p = addr_new;
6108 address_item *parent = deliver_make_addr(US"system-filter", FALSE);
6110 parent->domain = string_copylc(qualify_domain_recipient);
6111 parent->local_part = US"system-filter";
6113 /* As part of this loop, we arrange for addr_last to end up pointing
6114 at the final address. This is used if we go on to add addresses for the
6115 original recipients. */
6119 if (parent->child_count == USHRT_MAX)
6120 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "system filter generated more "
6121 "than %d delivery addresses", USHRT_MAX);
6122 parent->child_count++;
6125 if (testflag(p, af_pfr))
6131 setflag(p, af_uid_set);
6132 setflag(p, af_gid_set);
6133 setflag(p, af_allow_file);
6134 setflag(p, af_allow_pipe);
6135 setflag(p, af_allow_reply);
6137 /* Find the name of the system filter's appropriate pfr transport */
6139 if (p->address[0] == '|')
6142 tpname = system_filter_pipe_transport;
6143 address_pipe = p->address;
6145 else if (p->address[0] == '>')
6148 tpname = system_filter_reply_transport;
6152 if (p->address[Ustrlen(p->address)-1] == '/')
6154 type = US"directory";
6155 tpname = system_filter_directory_transport;
6160 tpname = system_filter_file_transport;
6162 address_file = p->address;
6165 /* Now find the actual transport, first expanding the name. We have
6166 set address_file or address_pipe above. */
6170 uschar *tmp = expand_string(tpname);
6171 address_file = address_pipe = NULL;
6173 p->message = string_sprintf("failed to expand \"%s\" as a "
6174 "system filter transport name", tpname);
6176 if ((m = is_tainted2(tmp, 0, "Tainted values '%s' " "for transport '%s' as a system filter", tmp, tpname)))
6182 p->message = string_sprintf("system_filter_%s_transport is unset",
6187 transport_instance *tp;
6188 for (tp = transports; tp; tp = tp->next)
6189 if (Ustrcmp(tp->name, tpname) == 0)
6195 p->message = string_sprintf("failed to find \"%s\" transport "
6196 "for system filter delivery", tpname);
6199 /* If we couldn't set up a transport, defer the delivery, putting the
6200 error on the panic log as well as the main log. */
6204 address_item *badp = p;
6206 if (!addr_last) addr_new = p; else addr_last->next = p;
6207 badp->local_part = badp->address; /* Needed for log line */
6208 post_process_one(badp, DEFER, LOG_MAIN|LOG_PANIC, EXIM_DTYPE_ROUTER, 0);
6211 } /* End of pfr handling */
6213 /* Either a non-pfr delivery, or we found a transport */
6215 DEBUG(D_deliver|D_filter)
6216 debug_printf("system filter added %s\n", p->address);
6220 } /* Loop through all addr_new addresses */
6225 /* Scan the recipients list, and for every one that is not in the non-
6226 recipients tree, add an addr item to the chain of new addresses. If the pno
6227 value is non-negative, we must set the onetime parent from it. This which
6228 points to the relevant entry in the recipients list.
6230 This processing can be altered by the setting of the process_recipients
6231 variable, which is changed if recipients are to be ignored, failed, or
6232 deferred. This can happen as a result of system filter activity, or if the -Mg
6233 option is used to fail all of them.
6235 Duplicate addresses are handled later by a different tree structure; we can't
6236 just extend the non-recipients tree, because that will be re-written to the
6237 spool if the message is deferred, and in any case there are casing
6238 complications for local addresses. */
6240 if (process_recipients != RECIP_IGNORE)
6241 for (i = 0; i < recipients_count; i++)
6242 if (!tree_search(tree_nonrecipients, recipients_list[i].address))
6244 recipient_item *r = recipients_list + i;
6245 address_item *new = deliver_make_addr(r->address, FALSE);
6246 new->prop.errors_address = r->errors_to;
6248 if ((new->prop.utf8_msg = message_smtputf8))
6250 new->prop.utf8_downcvt = message_utf8_downconvert == 1;
6251 new->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
6252 DEBUG(D_deliver) debug_printf("utf8, downconvert %s\n",
6253 new->prop.utf8_downcvt ? "yes"
6254 : new->prop.utf8_downcvt_maybe ? "ifneeded"
6260 new->onetime_parent = recipients_list[r->pno].address;
6262 /* If DSN support is enabled, set the dsn flags and the original receipt
6263 to be passed on to other DSN enabled MTAs */
6265 new->dsn_flags = r->dsn_flags & rf_dsnflags;
6266 new->dsn_orcpt = r->orcpt;
6267 DEBUG(D_deliver) debug_printf("DSN: set orcpt: %s flags: 0x%x\n",
6268 new->dsn_orcpt ? new->dsn_orcpt : US"", new->dsn_flags);
6270 switch (process_recipients)
6272 /* RECIP_DEFER is set when a system filter freezes a message. */
6275 new->next = addr_defer;
6280 /* RECIP_FAIL_FILTER is set when a system filter has obeyed a "fail"
6283 case RECIP_FAIL_FILTER:
6285 filter_message ? filter_message : US"delivery cancelled";
6286 setflag(new, af_pass_message);
6287 goto RECIP_QUEUE_FAILED; /* below */
6290 /* RECIP_FAIL_TIMEOUT is set when a message is frozen, but is older
6291 than the value in timeout_frozen_after. Treat non-bounce messages
6292 similarly to -Mg; for bounce messages we just want to discard, so
6293 don't put the address on the failed list. The timeout has already
6296 case RECIP_FAIL_TIMEOUT:
6297 new->message = US"delivery cancelled; message timed out";
6298 goto RECIP_QUEUE_FAILED; /* below */
6301 /* RECIP_FAIL is set when -Mg has been used. */
6304 new->message = US"delivery cancelled by administrator";
6307 /* Common code for the failure cases above. If this is not a bounce
6308 message, put the address on the failed list so that it is used to
6309 create a bounce. Otherwise do nothing - this just discards the address.
6310 The incident has already been logged. */
6313 if (sender_address[0])
6315 new->next = addr_failed;
6321 /* RECIP_FAIL_LOOP is set when there are too many Received: headers
6322 in the message. Process each address as a routing failure; if this
6323 is a bounce message, it will get frozen. */
6325 case RECIP_FAIL_LOOP:
6326 new->message = US"Too many \"Received\" headers - suspected mail loop";
6327 post_process_one(new, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6331 /* Value should be RECIP_ACCEPT; take this as the safe default. */
6334 if (!addr_new) addr_new = new; else addr_last->next = new;
6339 #ifndef DISABLE_EVENT
6340 if (process_recipients != RECIP_ACCEPT && event_action)
6342 uschar * save_local = deliver_localpart;
6343 const uschar * save_domain = deliver_domain;
6344 uschar * addr = new->address, * errmsg = NULL;
6345 int start, end, dom;
6347 if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
6348 log_write(0, LOG_MAIN|LOG_PANIC,
6349 "failed to parse address '%.100s': %s\n", addr, errmsg);
6353 string_copyn(addr+start, dom ? (dom-1) - start : end - start);
6354 deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";
6356 (void) event_raise(event_action, US"msg:fail:internal", new->message, NULL);
6358 deliver_localpart = save_local;
6359 deliver_domain = save_domain;
6367 debug_printf("Delivery address list:\n");
6368 for (address_item * p = addr_new; p; p = p->next)
6369 debug_printf(" %s %s\n", p->address,
6370 p->onetime_parent ? p->onetime_parent : US"");
6373 /* Set up the buffers used for copying over the file when delivering. */
6375 deliver_in_buffer = store_malloc(DELIVER_IN_BUFFER_SIZE);
6376 deliver_out_buffer = store_malloc(DELIVER_OUT_BUFFER_SIZE);
6380 /* Until there are no more new addresses, handle each one as follows:
6382 . If this is a generated address (indicated by the presence of a parent
6383 pointer) then check to see whether it is a pipe, file, or autoreply, and
6384 if so, handle it directly here. The router that produced the address will
6385 have set the allow flags into the address, and also set the uid/gid required.
6386 Having the routers generate new addresses and then checking them here at
6387 the outer level is tidier than making each router do the checking, and
6388 means that routers don't need access to the failed address queue.
6390 . Break up the address into local part and domain, and make lowercased
6391 versions of these strings. We also make unquoted versions of the local part.
6393 . Handle the percent hack for those domains for which it is valid.
6395 . For child addresses, determine if any of the parents have the same address.
6396 If so, generate a different string for previous delivery checking. Without
6397 this code, if the address spqr generates spqr via a forward or alias file,
6398 delivery of the generated spqr stops further attempts at the top level spqr,
6399 which is not what is wanted - it may have generated other addresses.
6401 . Check on the retry database to see if routing was previously deferred, but
6402 only if in a queue run. Addresses that are to be routed are put on the
6403 addr_route chain. Addresses that are to be deferred are put on the
6404 addr_defer chain. We do all the checking first, so as not to keep the
6405 retry database open any longer than necessary.
6407 . Now we run the addresses through the routers. A router may put the address
6408 on either the addr_local or the addr_remote chain for local or remote
6409 delivery, respectively, or put it on the addr_failed chain if it is
6410 undeliveable, or it may generate child addresses and put them on the
6411 addr_new chain, or it may defer an address. All the chain anchors are
6412 passed as arguments so that the routers can be called for verification
6415 . If new addresses have been generated by the routers, da capo.
6418 f.header_rewritten = FALSE; /* No headers rewritten yet */
6419 while (addr_new) /* Loop until all addresses dealt with */
6421 address_item *addr, *parent;
6423 /* Failure to open the retry database is treated the same as if it does
6424 not exist. In both cases, dbm_file is NULL. */
6426 if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE)))
6427 DEBUG(D_deliver|D_retry|D_route|D_hints_lookup)
6428 debug_printf("no retry data available\n");
6430 /* Scan the current batch of new addresses, to handle pipes, files and
6431 autoreplies, and determine which others are ready for routing. */
6438 dbdata_retry *domain_retry_record;
6439 dbdata_retry *address_retry_record;
6442 addr_new = addr->next;
6444 DEBUG(D_deliver|D_retry|D_route)
6446 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
6447 debug_printf("Considering: %s\n", addr->address);
6450 /* Handle generated address that is a pipe or a file or an autoreply. */
6452 if (testflag(addr, af_pfr))
6454 /* If an autoreply in a filter could not generate a syntactically valid
6455 address, give up forthwith. Set af_ignore_error so that we don't try to
6456 generate a bounce. */
6458 if (testflag(addr, af_bad_reply))
6460 addr->basic_errno = ERRNO_BADADDRESS2;
6461 addr->local_part = addr->address;
6463 US"filter autoreply generated syntactically invalid recipient";
6464 addr->prop.ignore_error = TRUE;
6465 (void) post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6466 continue; /* with the next new address */
6469 /* If two different users specify delivery to the same pipe or file or
6470 autoreply, there should be two different deliveries, so build a unique
6471 string that incorporates the original address, and use this for
6472 duplicate testing and recording delivery, and also for retrying. */
6475 string_sprintf("%s:%s", addr->address, addr->parent->unique +
6476 (testflag(addr->parent, af_homonym)? 3:0));
6478 addr->address_retry_key = addr->domain_retry_key =
6479 string_sprintf("T:%s", addr->unique);
6481 /* If a filter file specifies two deliveries to the same pipe or file,
6482 we want to de-duplicate, but this is probably not wanted for two mail
6483 commands to the same address, where probably both should be delivered.
6484 So, we have to invent a different unique string in that case. Just
6485 keep piling '>' characters on the front. */
6487 if (addr->address[0] == '>')
6488 while (tree_search(tree_duplicates, addr->unique))
6489 addr->unique = string_sprintf(">%s", addr->unique);
6491 else if ((tnode = tree_search(tree_duplicates, addr->unique)))
6493 DEBUG(D_deliver|D_route)
6494 debug_printf("%s is a duplicate address: discarded\n", addr->address);
6495 addr->dupof = tnode->data.ptr;
6496 addr->next = addr_duplicate;
6497 addr_duplicate = addr;
6501 DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
6503 /* Check for previous delivery */
6505 if (tree_search(tree_nonrecipients, addr->unique))
6507 DEBUG(D_deliver|D_route)
6508 debug_printf("%s was previously delivered: discarded\n", addr->address);
6509 child_done(addr, tod_stamp(tod_log));
6513 /* Save for checking future duplicates */
6515 tree_add_duplicate(addr->unique, addr);
6517 /* Set local part and domain */
6519 addr->local_part = addr->address;
6520 addr->domain = addr->parent->domain;
6522 /* Ensure that the delivery is permitted. */
6524 if (testflag(addr, af_file))
6526 if (!testflag(addr, af_allow_file))
6528 addr->basic_errno = ERRNO_FORBIDFILE;
6529 addr->message = US"delivery to file forbidden";
6530 (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6531 continue; /* with the next new address */
6534 else if (addr->address[0] == '|')
6536 if (!testflag(addr, af_allow_pipe))
6538 addr->basic_errno = ERRNO_FORBIDPIPE;
6539 addr->message = US"delivery to pipe forbidden";
6540 (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6541 continue; /* with the next new address */
6544 else if (!testflag(addr, af_allow_reply))
6546 addr->basic_errno = ERRNO_FORBIDREPLY;
6547 addr->message = US"autoreply forbidden";
6548 (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6549 continue; /* with the next new address */
6552 /* If the errno field is already set to BADTRANSPORT, it indicates
6553 failure to expand a transport string, or find the associated transport,
6554 or an unset transport when one is required. Leave this test till now so
6555 that the forbid errors are given in preference. */
6557 if (addr->basic_errno == ERRNO_BADTRANSPORT)
6559 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6563 /* Treat /dev/null as a special case and abandon the delivery. This
6564 avoids having to specify a uid on the transport just for this case.
6565 Arrange for the transport name to be logged as "**bypassed**".
6566 Copy the transport for this fairly unusual case rather than having
6567 to make all transports mutable. */
6569 if (Ustrcmp(addr->address, "/dev/null") == 0)
6571 transport_instance * save_t = addr->transport;
6572 transport_instance * t = store_get(sizeof(*t), is_tainted(save_t));
6574 t->name = US"**bypassed**";
6575 addr->transport = t;
6576 (void)post_process_one(addr, OK, LOG_MAIN, EXIM_DTYPE_TRANSPORT, '=');
6577 addr->transport= save_t;
6578 continue; /* with the next new address */
6581 /* Pipe, file, or autoreply delivery is to go ahead as a normal local
6584 DEBUG(D_deliver|D_route)
6585 debug_printf("queued for %s transport\n", addr->transport->name);
6586 addr->next = addr_local;
6588 continue; /* with the next new address */
6591 /* Handle normal addresses. First, split up into local part and domain,
6592 handling the %-hack if necessary. There is the possibility of a defer from
6593 a lookup in percent_hack_domains. */
6595 if ((rc = deliver_split_address(addr)) == DEFER)
6597 addr->message = US"cannot check percent_hack_domains";
6598 addr->basic_errno = ERRNO_LISTDEFER;
6599 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
6603 /* Check to see if the domain is held. If so, proceed only if the
6604 delivery was forced by hand. */
6606 deliver_domain = addr->domain; /* set $domain */
6607 if ( !forced && hold_domains
6608 && (rc = match_isinlist(addr->domain, (const uschar **)&hold_domains, 0,
6609 &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE,
6615 addr->message = US"hold_domains lookup deferred";
6616 addr->basic_errno = ERRNO_LISTDEFER;
6620 addr->message = US"domain is held";
6621 addr->basic_errno = ERRNO_HELD;
6623 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
6627 /* Now we can check for duplicates and previously delivered addresses. In
6628 order to do this, we have to generate a "unique" value for each address,
6629 because there may be identical actual addresses in a line of descendents.
6630 The "unique" field is initialized to the same value as the "address" field,
6631 but gets changed here to cope with identically-named descendents. */
6633 for (parent = addr->parent; parent; parent = parent->parent)
6634 if (strcmpic(addr->address, parent->address) == 0) break;
6636 /* If there's an ancestor with the same name, set the homonym flag. This
6637 influences how deliveries are recorded. Then add a prefix on the front of
6638 the unique address. We use \n\ where n starts at 0 and increases each time.
6639 It is unlikely to pass 9, but if it does, it may look odd but will still
6640 work. This means that siblings or cousins with the same names are treated
6641 as duplicates, which is what we want. */
6645 setflag(addr, af_homonym);
6646 if (parent->unique[0] != '\\')
6647 addr->unique = string_sprintf("\\0\\%s", addr->address);
6649 addr->unique = string_sprintf("\\%c\\%s", parent->unique[1] + 1,
6653 /* Ensure that the domain in the unique field is lower cased, because
6654 domains are always handled caselessly. */
6656 p = Ustrrchr(addr->unique, '@');
6657 while (*p != 0) { *p = tolower(*p); p++; }
6659 DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);
6661 if (tree_search(tree_nonrecipients, addr->unique))
6663 DEBUG(D_deliver|D_route)
6664 debug_printf("%s was previously delivered: discarded\n", addr->unique);
6665 child_done(addr, tod_stamp(tod_log));
6669 /* Get the routing retry status, saving the two retry keys (with and
6670 without the local part) for subsequent use. If there is no retry record for
6671 the standard address routing retry key, we look for the same key with the
6672 sender attached, because this form is used by the smtp transport after a
6673 4xx response to RCPT when address_retry_include_sender is true. */
6675 addr->domain_retry_key = string_sprintf("R:%s", addr->domain);
6676 addr->address_retry_key = string_sprintf("R:%s@%s", addr->local_part,
6681 domain_retry_record = dbfn_read(dbm_file, addr->domain_retry_key);
6682 if ( domain_retry_record
6683 && now - domain_retry_record->time_stamp > retry_data_expire
6686 DEBUG(D_deliver|D_retry)
6687 debug_printf("domain retry record present but expired\n");
6688 domain_retry_record = NULL; /* Ignore if too old */
6691 address_retry_record = dbfn_read(dbm_file, addr->address_retry_key);
6692 if ( address_retry_record
6693 && now - address_retry_record->time_stamp > retry_data_expire
6696 DEBUG(D_deliver|D_retry)
6697 debug_printf("address retry record present but expired\n");
6698 address_retry_record = NULL; /* Ignore if too old */
6701 if (!address_retry_record)
6703 uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
6705 address_retry_record = dbfn_read(dbm_file, altkey);
6706 if ( address_retry_record
6707 && now - address_retry_record->time_stamp > retry_data_expire)
6709 DEBUG(D_deliver|D_retry)
6710 debug_printf("address<sender> retry record present but expired\n");
6711 address_retry_record = NULL; /* Ignore if too old */
6716 domain_retry_record = address_retry_record = NULL;
6718 DEBUG(D_deliver|D_retry)
6720 if (!domain_retry_record)
6721 debug_printf("no domain retry record\n");
6723 debug_printf("have domain retry record; next_try = now%+d\n",
6724 f.running_in_test_harness ? 0 :
6725 (int)(domain_retry_record->next_try - now));
6727 if (!address_retry_record)
6728 debug_printf("no address retry record\n");
6730 debug_printf("have address retry record; next_try = now%+d\n",
6731 f.running_in_test_harness ? 0 :
6732 (int)(address_retry_record->next_try - now));
6735 /* If we are sending a message down an existing SMTP connection, we must
6736 assume that the message which created the connection managed to route
6737 an address to that connection. We do not want to run the risk of taking
6738 a long time over routing here, because if we do, the server at the other
6739 end of the connection may time it out. This is especially true for messages
6740 with lots of addresses. For this kind of delivery, queue_running is not
6741 set, so we would normally route all addresses. We take a pragmatic approach
6742 and defer routing any addresses that have any kind of domain retry record.
6743 That is, we don't even look at their retry times. It doesn't matter if this
6744 doesn't work occasionally. This is all just an optimization, after all.
6746 The reason for not doing the same for address retries is that they normally
6747 arise from 4xx responses, not DNS timeouts. */
6749 if (continue_hostname && domain_retry_record)
6751 addr->message = US"reusing SMTP connection skips previous routing defer";
6752 addr->basic_errno = ERRNO_RRETRY;
6753 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6755 addr->message = domain_retry_record->text;
6756 setflag(addr, af_pass_message);
6759 /* If we are in a queue run, defer routing unless there is no retry data or
6760 we've passed the next retry time, or this message is forced. In other
6761 words, ignore retry data when not in a queue run.
6763 However, if the domain retry time has expired, always allow the routing
6764 attempt. If it fails again, the address will be failed. This ensures that
6765 each address is routed at least once, even after long-term routing
6768 If there is an address retry, check that too; just wait for the next
6769 retry time. This helps with the case when the temporary error on the
6770 address was really message-specific rather than address specific, since
6771 it allows other messages through.
6773 We also wait for the next retry time if this is a message sent down an
6774 existing SMTP connection (even though that will be forced). Otherwise there
6775 will be far too many attempts for an address that gets a 4xx error. In
6776 fact, after such an error, we should not get here because, the host should
6777 not be remembered as one this message needs. However, there was a bug that
6778 used to cause this to happen, so it is best to be on the safe side.
6780 Even if we haven't reached the retry time in the hints, there is one more
6781 check to do, which is for the ultimate address timeout. We only do this
6782 check if there is an address retry record and there is not a domain retry
6783 record; this implies that previous attempts to handle the address had the
6784 retry_use_local_parts option turned on. We use this as an approximation
6785 for the destination being like a local delivery, for example delivery over
6786 LMTP to an IMAP message store. In this situation users are liable to bump
6787 into their quota and thereby have intermittently successful deliveries,
6788 which keep the retry record fresh, which can lead to us perpetually
6789 deferring messages. */
6791 else if ( ( f.queue_running && !f.deliver_force
6792 || continue_hostname
6794 && ( ( domain_retry_record
6795 && now < domain_retry_record->next_try
6796 && !domain_retry_record->expired
6798 || ( address_retry_record
6799 && now < address_retry_record->next_try
6801 && ( domain_retry_record
6802 || !address_retry_record
6803 || !retry_ultimate_address_timeout(addr->address_retry_key,
6804 addr->domain, address_retry_record, now)
6807 addr->message = US"retry time not reached";
6808 addr->basic_errno = ERRNO_RRETRY;
6809 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6811 /* For remote-retry errors (here and just above) that we've not yet
6812 hit the retry time, use the error recorded in the retry database
6813 as info in the warning message. This lets us send a message even
6814 when we're not failing on a fresh attempt. We assume that this
6815 info is not sensitive. */
6817 addr->message = domain_retry_record
6818 ? domain_retry_record->text : address_retry_record->text;
6819 setflag(addr, af_pass_message);
6822 /* The domain is OK for routing. Remember if retry data exists so it
6823 can be cleaned up after a successful delivery. */
6827 if (domain_retry_record || address_retry_record)
6828 setflag(addr, af_dr_retry_exists);
6829 addr->next = addr_route;
6831 DEBUG(D_deliver|D_route)
6832 debug_printf("%s: queued for routing\n", addr->address);
6836 /* The database is closed while routing is actually happening. Requests to
6837 update it are put on a chain and all processed together at the end. */
6839 if (dbm_file) dbfn_close(dbm_file);
6841 /* If queue_domains is set, we don't even want to try routing addresses in
6842 those domains. During queue runs, queue_domains is forced to be unset.
6843 Optimize by skipping this pass through the addresses if nothing is set. */
6845 if (!f.deliver_force && queue_domains)
6847 address_item *okaddr = NULL;
6850 address_item *addr = addr_route;
6851 addr_route = addr->next;
6853 deliver_domain = addr->domain; /* set $domain */
6854 if ((rc = match_isinlist(addr->domain, CUSS &queue_domains, 0,
6855 &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
6859 addr->basic_errno = ERRNO_LISTDEFER;
6860 addr->message = US"queue_domains lookup deferred";
6861 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6865 addr->next = okaddr;
6870 addr->basic_errno = ERRNO_QUEUE_DOMAIN;
6871 addr->message = US"domain is in queue_domains";
6872 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6876 addr_route = okaddr;
6879 /* Now route those addresses that are not deferred. */
6884 address_item *addr = addr_route;
6885 const uschar *old_domain = addr->domain;
6886 uschar *old_unique = addr->unique;
6887 addr_route = addr->next;
6890 /* Just in case some router parameter refers to it. */
6892 if (!(return_path = addr->prop.errors_address))
6893 return_path = sender_address;
6895 /* If a router defers an address, add a retry item. Whether or not to
6896 use the local part in the key is a property of the router. */
6898 if ((rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
6899 &addr_succeed, v_none)) == DEFER)
6900 retry_add_item(addr,
6901 addr->router->retry_use_local_part
6902 ? string_sprintf("R:%s@%s", addr->local_part, addr->domain)
6903 : string_sprintf("R:%s", addr->domain),
6906 /* Otherwise, if there is an existing retry record in the database, add
6907 retry items to delete both forms. We must also allow for the possibility
6908 of a routing retry that includes the sender address. Since the domain might
6909 have been rewritten (expanded to fully qualified) as a result of routing,
6910 ensure that the rewritten form is also deleted. */
6912 else if (testflag(addr, af_dr_retry_exists))
6914 uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
6916 retry_add_item(addr, altkey, rf_delete);
6917 retry_add_item(addr, addr->address_retry_key, rf_delete);
6918 retry_add_item(addr, addr->domain_retry_key, rf_delete);
6919 if (Ustrcmp(addr->domain, old_domain) != 0)
6920 retry_add_item(addr, string_sprintf("R:%s", old_domain), rf_delete);
6923 /* DISCARD is given for :blackhole: and "seen finish". The event has been
6924 logged, but we need to ensure the address (and maybe parents) is marked
6929 address_done(addr, tod_stamp(tod_log));
6930 continue; /* route next address */
6933 /* The address is finished with (failed or deferred). */
6937 (void)post_process_one(addr, rc, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
6938 continue; /* route next address */
6941 /* The address has been routed. If the router changed the domain, it will
6942 also have changed the unique address. We have to test whether this address
6943 has already been delivered, because it's the unique address that finally
6946 if ( addr->unique != old_unique
6947 && tree_search(tree_nonrecipients, addr->unique) != 0
6950 DEBUG(D_deliver|D_route) debug_printf("%s was previously delivered: "
6951 "discarded\n", addr->address);
6952 if (addr_remote == addr) addr_remote = addr->next;
6953 else if (addr_local == addr) addr_local = addr->next;
6956 /* If the router has same_domain_copy_routing set, we are permitted to copy
6957 the routing for any other addresses with the same domain. This is an
6958 optimisation to save repeated DNS lookups for "standard" remote domain
6959 routing. The option is settable only on routers that generate host lists.
6960 We play it very safe, and do the optimization only if the address is routed
6961 to a remote transport, there are no header changes, and the domain was not
6962 modified by the router. */
6964 if ( addr_remote == addr
6965 && addr->router->same_domain_copy_routing
6966 && !addr->prop.extra_headers
6967 && !addr->prop.remove_headers
6968 && old_domain == addr->domain
6971 address_item **chain = &addr_route;
6974 address_item *addr2 = *chain;
6975 if (Ustrcmp(addr2->domain, addr->domain) != 0)
6977 chain = &(addr2->next);
6981 /* Found a suitable address; take it off the routing list and add it to
6982 the remote delivery list. */
6984 *chain = addr2->next;
6985 addr2->next = addr_remote;
6986 addr_remote = addr2;
6988 /* Copy the routing data */
6990 addr2->domain = addr->domain;
6991 addr2->router = addr->router;
6992 addr2->transport = addr->transport;
6993 addr2->host_list = addr->host_list;
6994 addr2->fallback_hosts = addr->fallback_hosts;
6995 addr2->prop.errors_address = addr->prop.errors_address;
6996 copyflag(addr2, addr, af_hide_child);
6997 copyflag(addr2, addr, af_local_host_removed);
6999 DEBUG(D_deliver|D_route)
7000 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
7002 "Routing for %s copied from %s\n",
7003 addr2->address, addr2->address, addr->address);
7006 } /* Continue with routing the next address. */
7007 } /* Loop to process any child addresses that the routers created, and
7008 any rerouted addresses that got put back on the new chain. */
7011 /* Debugging: show the results of the routing */
7013 DEBUG(D_deliver|D_retry|D_route)
7015 debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
7016 debug_printf("After routing:\n Local deliveries:\n");
7017 for (address_item * p = addr_local; p; p = p->next)
7018 debug_printf(" %s\n", p->address);
7020 debug_printf(" Remote deliveries:\n");
7021 for (address_item * p = addr_remote; p; p = p->next)
7022 debug_printf(" %s\n", p->address);
7024 debug_printf(" Failed addresses:\n");
7025 for (address_item * p = addr_failed; p; p = p->next)
7026 debug_printf(" %s\n", p->address);
7028 debug_printf(" Deferred addresses:\n");
7029 for (address_item * p = addr_defer; p; p = p->next)
7030 debug_printf(" %s\n", p->address);
7033 /* Free any resources that were cached during routing. */
7038 /* These two variables are set only during routing, after check_local_user.
7039 Ensure they are not set in transports. */
7041 local_user_gid = (gid_t)(-1);
7042 local_user_uid = (uid_t)(-1);
7044 /* Check for any duplicate addresses. This check is delayed until after
7045 routing, because the flexibility of the routing configuration means that
7046 identical addresses with different parentage may end up being redirected to
7047 different addresses. Checking for duplicates too early (as we previously used
7048 to) makes this kind of thing not work. */
7050 do_duplicate_check(&addr_local);
7051 do_duplicate_check(&addr_remote);
7053 /* When acting as an MUA wrapper, we proceed only if all addresses route to a
7054 remote transport. The check that they all end up in one transaction happens in
7055 the do_remote_deliveries() function. */
7058 && (addr_local || addr_failed || addr_defer)
7062 uschar *which, *colon, *msg;
7069 else if (addr_defer)
7072 which = US"deferred";
7080 while (addr->parent) addr = addr->parent;
7085 msg = addr->message;
7087 else colon = msg = US"";
7089 /* We don't need to log here for a forced failure as it will already
7090 have been logged. Defer will also have been logged, but as a defer, so we do
7091 need to do the failure logging. */
7093 if (addr != addr_failed)
7094 log_write(0, LOG_MAIN, "** %s routing yielded a %s delivery",
7095 addr->address, which);
7097 /* Always write an error to the caller */
7099 fprintf(stderr, "routing %s yielded a %s delivery%s%s\n", addr->address,
7102 final_yield = DELIVER_MUA_FAILED;
7103 addr_failed = addr_defer = NULL; /* So that we remove the message */
7104 goto DELIVERY_TIDYUP;
7108 /* If this is a run to continue deliveries to an external channel that is
7109 already set up, defer any local deliveries.
7111 jgh 2020/12/20: I don't see why; locals should be quick.
7112 The defer goes back to version 1.62 in 1997. A local being still deliverable
7113 during a continued run might result from something like a defer during the
7114 original delivery, eg. in a DB lookup. Unlikely but possible.
7116 To avoid delaying a local when combined with a callout-hold for a remote
7117 delivery, test continue_sequence rather than continue_transport. */
7119 if (continue_sequence > 1 && addr_local)
7121 DEBUG(D_deliver|D_retry|D_route)
7122 debug_printf("deferring local deliveries due to continued-transport\n");
7125 address_item * addr = addr_defer;
7126 while (addr->next) addr = addr->next;
7127 addr->next = addr_local;
7130 addr_defer = addr_local;
7135 /* Because address rewriting can happen in the routers, we should not really do
7136 ANY deliveries until all addresses have been routed, so that all recipients of
7137 the message get the same headers. However, this is in practice not always
7138 possible, since sometimes remote addresses give DNS timeouts for days on end.
7139 The pragmatic approach is to deliver what we can now, saving any rewritten
7140 headers so that at least the next lot of recipients benefit from the rewriting
7141 that has already been done.
7143 If any headers have been rewritten during routing, update the spool file to
7144 remember them for all subsequent deliveries. This can be delayed till later if
7145 there is only address to be delivered - if it succeeds the spool write need not
7148 if ( f.header_rewritten
7149 && ( addr_local && (addr_local->next || addr_remote)
7150 || addr_remote && addr_remote->next
7153 /* Panic-dies on error */
7154 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
7155 f.header_rewritten = FALSE;
7159 /* If there are any deliveries to do and we do not already have the journal
7160 file, create it. This is used to record successful deliveries as soon as
7161 possible after each delivery is known to be complete. A file opened with
7162 O_APPEND is used so that several processes can run simultaneously.
7164 The journal is just insurance against crashes. When the spool file is
7165 ultimately updated at the end of processing, the journal is deleted. If a
7166 journal is found to exist at the start of delivery, the addresses listed
7167 therein are added to the non-recipients. */
7169 if (addr_local || addr_remote)
7173 uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
7175 if ((journal_fd = Uopen(fname,
7179 O_WRONLY|O_APPEND|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
7181 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open journal file %s: %s",
7182 fname, strerror(errno));
7183 return DELIVER_NOT_ATTEMPTED;
7186 /* Set the close-on-exec flag, make the file owned by Exim, and ensure
7187 that the mode is correct - the group setting doesn't always seem to get
7188 set automatically. */
7190 if( exim_fchown(journal_fd, exim_uid, exim_gid, fname)
7191 || fchmod(journal_fd, SPOOL_MODE)
7193 || fcntl(journal_fd, F_SETFD, fcntl(journal_fd, F_GETFD) | FD_CLOEXEC)
7197 int ret = Uunlink(fname);
7198 log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't set perms on journal file %s: %s",
7199 fname, strerror(errno));
7200 if(ret && errno != ENOENT)
7201 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
7202 fname, strerror(errno));
7203 return DELIVER_NOT_ATTEMPTED;
7207 else if (journal_fd >= 0)
7215 /* Now we can get down to the business of actually doing deliveries. Local
7216 deliveries are done first, then remote ones. If ever the problems of how to
7217 handle fallback transports are figured out, this section can be put into a loop
7218 for handling fallbacks, though the uid switching will have to be revised. */
7220 /* Precompile a regex that is used to recognize a parameter in response
7221 to an LHLO command, if is isn't already compiled. This may be used on both
7222 local and remote LMTP deliveries. */
7224 if (!regex_IGNOREQUOTA)
7226 regex_must_compile(US"\\n250[\\s\\-]IGNOREQUOTA(\\s|\\n|$)", FALSE, TRUE);
7228 /* Handle local deliveries */
7232 DEBUG(D_deliver|D_transport)
7233 debug_printf(">>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>\n");
7234 do_local_deliveries();
7235 f.disable_logging = FALSE;
7238 /* If queue_run_local is set, we do not want to attempt any remote deliveries,
7239 so just queue them all. */
7241 if (f.queue_run_local)
7244 address_item *addr = addr_remote;
7245 addr_remote = addr->next;
7247 addr->basic_errno = ERRNO_LOCAL_ONLY;
7248 addr->message = US"remote deliveries suppressed";
7249 (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
7252 /* Handle remote deliveries */
7256 DEBUG(D_deliver|D_transport)
7257 debug_printf(">>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>\n");
7259 /* Precompile some regex that are used to recognize parameters in response
7260 to an EHLO command, if they aren't already compiled. */
7262 smtp_deliver_init();
7264 /* Now sort the addresses if required, and do the deliveries. The yield of
7265 do_remote_deliveries is FALSE when mua_wrapper is set and all addresses
7266 cannot be delivered in one transaction. */
7268 if (remote_sort_domains) sort_remote_deliveries();
7269 if (!do_remote_deliveries(FALSE))
7271 log_write(0, LOG_MAIN, "** mua_wrapper is set but recipients cannot all "
7272 "be delivered in one transaction");
7273 fprintf(stderr, "delivery to smarthost failed (configuration problem)\n");
7275 final_yield = DELIVER_MUA_FAILED;
7276 addr_failed = addr_defer = NULL; /* So that we remove the message */
7277 goto DELIVERY_TIDYUP;
7280 /* See if any of the addresses that failed got put on the queue for delivery
7281 to their fallback hosts. We do it this way because often the same fallback
7282 host is used for many domains, so all can be sent in a single transaction
7283 (if appropriately configured). */
7285 if (addr_fallback && !mua_wrapper)
7287 DEBUG(D_deliver) debug_printf("Delivering to fallback hosts\n");
7288 addr_remote = addr_fallback;
7289 addr_fallback = NULL;
7290 if (remote_sort_domains) sort_remote_deliveries();
7291 do_remote_deliveries(TRUE);
7293 f.disable_logging = FALSE;
7297 /* All deliveries are now complete. Ignore SIGTERM during this tidying up
7298 phase, to minimize cases of half-done things. */
7301 debug_printf(">>>>>>>>>>>>>>>> deliveries are done >>>>>>>>>>>>>>>>\n");
7302 cancel_cutthrough_connection(TRUE, US"deliveries are done");
7304 /* Root privilege is no longer needed */
7306 exim_setugid(exim_uid, exim_gid, FALSE, US"post-delivery tidying");
7308 set_process_info("tidying up after delivering %s", message_id);
7309 signal(SIGTERM, SIG_IGN);
7311 /* When we are acting as an MUA wrapper, the smtp transport will either have
7312 succeeded for all addresses, or failed them all in normal cases. However, there
7313 are some setup situations (e.g. when a named port does not exist) that cause an
7314 immediate exit with deferral of all addresses. Convert those into failures. We
7315 do not ever want to retry, nor do we want to send a bounce message. */
7321 address_item * nextaddr;
7322 for (address_item * addr = addr_defer; addr; addr = nextaddr)
7324 log_write(0, LOG_MAIN, "** %s mua_wrapper forced failure for deferred "
7325 "delivery", addr->address);
7326 nextaddr = addr->next;
7327 addr->next = addr_failed;
7333 /* Now all should either have succeeded or failed. */
7336 final_yield = DELIVER_MUA_SUCCEEDED;
7340 uschar *s = addr_failed->user_message;
7342 if (!s) s = addr_failed->message;
7344 fprintf(stderr, "Delivery failed: ");
7345 if (addr_failed->basic_errno > 0)
7347 fprintf(stderr, "%s", strerror(addr_failed->basic_errno));
7348 if (s) fprintf(stderr, ": ");
7350 if ((host = addr_failed->host_used))
7351 fprintf(stderr, "H=%s [%s]: ", host->name, host->address);
7353 fprintf(stderr, "%s", CS s);
7354 else if (addr_failed->basic_errno <= 0)
7355 fprintf(stderr, "unknown error");
7356 fprintf(stderr, "\n");
7358 final_yield = DELIVER_MUA_FAILED;
7363 /* In a normal configuration, we now update the retry database. This is done in
7364 one fell swoop at the end in order not to keep opening and closing (and
7365 locking) the database. The code for handling retries is hived off into a
7366 separate module for convenience. We pass it the addresses of the various
7367 chains, because deferred addresses can get moved onto the failed chain if the
7368 retry cutoff time has expired for all alternative destinations. Bypass the
7369 updating of the database if the -N flag is set, which is a debugging thing that
7370 prevents actual delivery. */
7372 else if (!f.dont_deliver)
7373 retry_update(&addr_defer, &addr_failed, &addr_succeed);
7375 /* Send DSN for successful messages if requested */
7376 addr_senddsn = NULL;
7378 for (address_item * a = addr_succeed; a; a = a->next)
7380 /* af_ignore_error not honored here. it's not an error */
7381 DEBUG(D_deliver) debug_printf("DSN: processing router : %s\n"
7382 "DSN: processing successful delivery address: %s\n"
7383 "DSN: Sender_address: %s\n"
7384 "DSN: orcpt: %s flags: 0x%x\n"
7385 "DSN: envid: %s ret: %d\n"
7386 "DSN: Final recipient: %s\n"
7387 "DSN: Remote SMTP server supports DSN: %d\n",
7388 a->router ? a->router->name : US"(unknown)",
7391 a->dsn_orcpt ? a->dsn_orcpt : US"NULL",
7393 dsn_envid ? dsn_envid : US"NULL", dsn_ret,
7398 /* send report if next hop not DSN aware or a router flagged "last DSN hop"
7399 and a report was requested */
7401 if ( (a->dsn_aware != dsn_support_yes || a->dsn_flags & rf_dsnlasthop)
7402 && a->dsn_flags & rf_notify_success
7405 /* copy and relink address_item and send report with all of them at once later */
7406 address_item * addr_next = addr_senddsn;
7407 addr_senddsn = store_get(sizeof(address_item), FALSE);
7409 addr_senddsn->next = addr_next;
7412 DEBUG(D_deliver) debug_printf("DSN: not sending DSN success message\n");
7420 /* create exim process to send message */
7421 pid = child_open_exim(&fd, US"DSN");
7423 DEBUG(D_deliver) debug_printf("DSN: child_open_exim returns: %d\n", pid);
7425 if (pid < 0) /* Creation of child failed */
7427 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to "
7428 "create child process to send success-dsn message: %s", getpid(),
7429 getppid(), strerror(errno));
7431 DEBUG(D_deliver) debug_printf("DSN: child_open_exim failed\n");
7433 else /* Creation of child succeeded */
7435 FILE * f = fdopen(fd, "wb");
7436 /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
7438 transport_ctx tctx = {{0}};
7441 debug_printf("sending success-dsn to: %s\n", sender_address);
7443 /* build unique id for MIME boundary */
7444 bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
7445 DEBUG(D_deliver) debug_printf("DSN: MIME boundary: %s\n", bound);
7447 if (errors_reply_to)
7448 fprintf(f, "Reply-To: %s\n", errors_reply_to);
7451 fprintf(f, "Auto-Submitted: auto-generated\n"
7453 "Subject: Delivery Status Notification\n",
7455 moan_write_references(f, NULL);
7456 fprintf(f, "Content-Type: multipart/report;"
7457 " report-type=delivery-status; boundary=%s\n"
7458 "MIME-Version: 1.0\n\n"
7461 "Content-type: text/plain; charset=us-ascii\n\n"
7463 "This message was created automatically by mail delivery software.\n"
7464 " ----- The following addresses had successful delivery notifications -----\n",
7467 for (address_item * a = addr_senddsn; a; a = a->next)
7468 fprintf(f, "<%s> (relayed %s)\n\n",
7470 a->dsn_flags & rf_dsnlasthop ? "via non DSN router"
7471 : a->dsn_aware == dsn_support_no ? "to non-DSN-aware mailer"
7472 : "via non \"Remote SMTP\" router"
7476 "Content-type: message/delivery-status\n\n"
7477 "Reporting-MTA: dns; %s\n",
7478 bound, smtp_active_hostname);
7481 { /* must be decoded from xtext: see RFC 3461:6.3a */
7483 if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
7484 fprintf(f, "Original-Envelope-ID: %s\n", dsn_envid);
7486 fprintf(f, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
7490 for (address_item * a = addr_senddsn; a; a = a->next)
7494 print_dsn_addr_action(f, a, US"delivered", US"2.0.0");
7496 if ((hu = a->host_used) && hu->name)
7497 fprintf(f, "Remote-MTA: dns; %s\nDiagnostic-Code: smtp; 250 Ok\n\n",
7500 fprintf(f, "Diagnostic-Code: X-Exim; relayed via non %s router\n\n",
7501 a->dsn_flags & rf_dsnlasthop ? "DSN" : "SMTP");
7504 fprintf(f, "--%s\nContent-type: text/rfc822-headers\n\n", bound);
7507 transport_filter_argv = NULL; /* Just in case */
7508 return_path = sender_address; /* In case not previously set */
7510 /* Write the original email out */
7513 tctx.options = topt_add_return_path | topt_no_body;
7514 /*XXX hmm, FALSE(fail) retval ignored.
7515 Could error for any number of reasons, and they are not handled. */
7516 transport_write_message(&tctx, 0);
7519 fprintf(f,"\n--%s--\n", bound);
7523 rc = child_close(pid, 0); /* Waits for child to close, no timeout */
7527 /* If any addresses failed, we must send a message to somebody, unless
7528 af_ignore_error is set, in which case no action is taken. It is possible for
7529 several messages to get sent if there are addresses with different
7536 uschar *logtod = tod_stamp(tod_log);
7538 address_item *handled_addr = NULL;
7539 address_item **paddr;
7540 address_item *msgchain = NULL;
7541 address_item **pmsgchain = &msgchain;
7543 /* There are weird cases when logging is disabled in the transport. However,
7544 there may not be a transport (address failed by a router). */
7546 f.disable_logging = FALSE;
7547 if (addr_failed->transport)
7548 f.disable_logging = addr_failed->transport->disable_logging;
7551 debug_printf("processing failed address %s\n", addr_failed->address);
7553 /* There are only two ways an address in a bounce message can get here:
7555 (1) When delivery was initially deferred, but has now timed out (in the call
7556 to retry_update() above). We can detect this by testing for
7557 af_retry_timedout. If the address does not have its own errors address,
7558 we arrange to ignore the error.
7560 (2) If delivery failures for bounce messages are being ignored. We can detect
7561 this by testing for af_ignore_error. This will also be set if a bounce
7562 message has been autothawed and the ignore_bounce_errors_after time has
7563 passed. It might also be set if a router was explicitly configured to
7564 ignore errors (errors_to = "").
7566 If neither of these cases obtains, something has gone wrong. Log the
7567 incident, but then ignore the error. */
7569 if (sender_address[0] == 0 && !addr_failed->prop.errors_address)
7571 if ( !testflag(addr_failed, af_retry_timedout)
7572 && !addr_failed->prop.ignore_error)
7573 log_write(0, LOG_MAIN|LOG_PANIC, "internal error: bounce message "
7574 "failure is neither frozen nor ignored (it's been ignored)");
7576 addr_failed->prop.ignore_error = TRUE;
7579 /* If the first address on the list has af_ignore_error set, just remove
7580 it from the list, throw away any saved message file, log it, and
7581 mark the recipient done. */
7583 if ( addr_failed->prop.ignore_error
7584 || addr_failed->dsn_flags & rf_dsnflags
7585 && !(addr_failed->dsn_flags & rf_notify_failure)
7589 addr_failed = addr->next;
7590 if (addr->return_filename) Uunlink(addr->return_filename);
7592 #ifndef DISABLE_EVENT
7593 msg_event_raise(US"msg:fail:delivery", addr);
7595 log_write(0, LOG_MAIN, "%s%s%s%s: error ignored%s",
7597 !addr->parent ? US"" : US" <",
7598 !addr->parent ? US"" : addr->parent->address,
7599 !addr->parent ? US"" : US">",
7600 addr->prop.ignore_error
7601 ? US"" : US": RFC 3461 DSN, failure notify not requested");
7603 address_done(addr, logtod);
7604 child_done(addr, logtod);
7605 /* Panic-dies on error */
7606 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
7609 /* Otherwise, handle the sending of a message. Find the error address for
7610 the first address, then send a message that includes all failed addresses
7611 that have the same error address. Note the bounce_recipient is a global so
7612 that it can be accessed by $bounce_recipient while creating a customized
7617 if (!(bounce_recipient = addr_failed->prop.errors_address))
7618 bounce_recipient = sender_address;
7620 /* Make a subprocess to send a message */
7622 if ((pid = child_open_exim(&fd, US"bounce-message")) < 0)
7623 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %d (parent %d) failed to "
7624 "create child process to send failure message: %s", getpid(),
7625 getppid(), strerror(errno));
7627 /* Creation of child succeeded */
7634 uschar *bcc, *emf_text;
7635 FILE * fp = fdopen(fd, "wb");
7637 BOOL to_sender = strcmpic(sender_address, bounce_recipient) == 0;
7638 int max = (bounce_return_size_limit/DELIVER_IN_BUFFER_SIZE + 1) *
7639 DELIVER_IN_BUFFER_SIZE;
7641 uschar *dsnlimitmsg;
7642 uschar *dsnnotifyhdr;
7646 debug_printf("sending error message to: %s\n", bounce_recipient);
7648 /* Scan the addresses for all that have the same errors address, removing
7649 them from the addr_failed chain, and putting them on msgchain. */
7651 paddr = &addr_failed;
7652 for (addr = addr_failed; addr; addr = *paddr)
7653 if (Ustrcmp(bounce_recipient, addr->prop.errors_address
7654 ? addr->prop.errors_address : sender_address) == 0)
7655 { /* The same - dechain */
7656 *paddr = addr->next;
7659 pmsgchain = &(addr->next);
7662 paddr = &addr->next; /* Not the same; skip */
7664 /* Include X-Failed-Recipients: for automatic interpretation, but do
7665 not let any one header line get too long. We do this by starting a
7666 new header every 50 recipients. Omit any addresses for which the
7667 "hide_child" flag is set. */
7669 for (addr = msgchain; addr; addr = addr->next)
7671 if (testflag(addr, af_hide_child)) continue;
7679 ? "X-Failed-Recipients: "
7681 testflag(addr, af_pfr) && addr->parent
7682 ? string_printing(addr->parent->address)
7683 : string_printing(addr->address));
7685 if (rcount > 0) fprintf(fp, "\n");
7687 /* Output the standard headers */
7689 if (errors_reply_to)
7690 fprintf(fp, "Reply-To: %s\n", errors_reply_to);
7691 fprintf(fp, "Auto-Submitted: auto-replied\n");
7692 moan_write_from(fp);
7693 fprintf(fp, "To: %s\n", bounce_recipient);
7694 moan_write_references(fp, NULL);
7696 /* generate boundary string and output MIME-Headers */
7697 bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
7699 fprintf(fp, "Content-Type: multipart/report;"
7700 " report-type=delivery-status; boundary=%s\n"
7701 "MIME-Version: 1.0\n",
7704 /* Open a template file if one is provided. Log failure to open, but
7705 carry on - default texts will be used. */
7707 if (bounce_message_file)
7708 emf = expand_open(bounce_message_file,
7709 US"bounce_message_file", US"error");
7711 /* Quietly copy to configured additional addresses if required. */
7713 if ((bcc = moan_check_errorcopy(bounce_recipient)))
7714 fprintf(fp, "Bcc: %s\n", bcc);
7716 /* The texts for the message can be read from a template file; if there
7717 isn't one, or if it is too short, built-in texts are used. The first
7718 emf text is a Subject: and any other headers. */
7720 if ((emf_text = next_emf(emf, US"header")))
7721 fprintf(fp, "%s\n", emf_text);
7723 fprintf(fp, "Subject: Mail delivery failed%s\n\n",
7724 to_sender? ": returning message to sender" : "");
7726 /* output human readable part as text/plain section */
7727 fprintf(fp, "--%s\n"
7728 "Content-type: text/plain; charset=us-ascii\n\n",
7731 if ((emf_text = next_emf(emf, US"intro")))
7732 fprintf(fp, "%s", CS emf_text);
7736 /* This message has been reworded several times. It seems to be confusing to
7737 somebody, however it is worded. I have retreated to the original, simple
7739 "This message was created automatically by mail delivery software.\n");
7741 if (bounce_message_text)
7742 fprintf(fp, "%s", CS bounce_message_text);
7745 "\nA message that you sent could not be delivered to one or more of its\n"
7746 "recipients. This is a permanent error. The following address(es) failed:\n");
7749 "\nA message sent by\n\n <%s>\n\n"
7750 "could not be delivered to one or more of its recipients. The following\n"
7751 "address(es) failed:\n", sender_address);
7755 /* Process the addresses, leaving them on the msgchain if they have a
7756 file name for a return message. (There has already been a check in
7757 post_process_one() for the existence of data in the message file.) A TRUE
7758 return from print_address_information() means that the address is not
7762 for (addr = msgchain; addr; addr = *paddr)
7764 if (print_address_information(addr, fp, US" ", US"\n ", US""))
7765 print_address_error(addr, fp, US"");
7767 /* End the final line for the address */
7771 /* Leave on msgchain if there's a return file. */
7773 if (addr->return_file >= 0)
7775 paddr = &(addr->next);
7779 /* Else save so that we can tick off the recipient when the
7784 *paddr = addr->next;
7785 addr->next = handled_addr;
7786 handled_addr = addr;
7792 /* Get the next text, whether we need it or not, so as to be
7793 positioned for the one after. */
7795 emf_text = next_emf(emf, US"generated text");
7797 /* If there were any file messages passed by the local transports,
7798 include them in the message. Then put the address on the handled chain.
7799 In the case of a batch of addresses that were all sent to the same
7800 transport, the return_file field in all of them will contain the same
7801 fd, and the return_filename field in the *last* one will be set (to the
7802 name of the file). */
7806 address_item *nextaddr;
7809 fprintf(fp, "%s", CS emf_text);
7812 "The following text was generated during the delivery "
7813 "attempt%s:\n", (filecount > 1)? "s" : "");
7815 for (addr = msgchain; addr; addr = nextaddr)
7818 address_item *topaddr = addr;
7820 /* List all the addresses that relate to this file */
7823 while(addr) /* Insurance */
7825 print_address_information(addr, fp, US"------ ", US"\n ",
7827 if (addr->return_filename) break;
7832 /* Now copy the file */
7834 if (!(fm = Ufopen(addr->return_filename, "rb")))
7835 fprintf(fp, " +++ Exim error... failed to open text file: %s\n",
7839 while ((ch = fgetc(fm)) != EOF) fputc(ch, fp);
7842 Uunlink(addr->return_filename);
7844 /* Can now add to handled chain, first fishing off the next
7845 address on the msgchain. */
7847 nextaddr = addr->next;
7848 addr->next = handled_addr;
7849 handled_addr = topaddr;
7854 /* output machine readable part */
7856 if (message_smtputf8)
7857 fprintf(fp, "--%s\n"
7858 "Content-type: message/global-delivery-status\n\n"
7859 "Reporting-MTA: dns; %s\n",
7860 bound, smtp_active_hostname);
7863 fprintf(fp, "--%s\n"
7864 "Content-type: message/delivery-status\n\n"
7865 "Reporting-MTA: dns; %s\n",
7866 bound, smtp_active_hostname);
7870 /* must be decoded from xtext: see RFC 3461:6.3a */
7872 if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
7873 fprintf(fp, "Original-Envelope-ID: %s\n", dsn_envid);
7875 fprintf(fp, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
7879 for (addr = handled_addr; addr; addr = addr->next)
7883 print_dsn_addr_action(fp, addr, US"failed", US"5.0.0");
7885 if ((hu = addr->host_used) && hu->name)
7887 fprintf(fp, "Remote-MTA: dns; %s\n", hu->name);
7888 #ifdef EXPERIMENTAL_DSN_INFO
7893 uschar * p = hu->port == 25
7894 ? US"" : string_sprintf(":%d", hu->port);
7895 fprintf(fp, "Remote-MTA: X-ip; [%s]%s\n", hu->address, p);
7897 if ((s = addr->smtp_greeting) && *s)
7898 fprintf(fp, "X-Remote-MTA-smtp-greeting: X-str; %.900s\n", s);
7899 if ((s = addr->helo_response) && *s)
7900 fprintf(fp, "X-Remote-MTA-helo-response: X-str; %.900s\n", s);
7901 if ((s = addr->message) && *s)
7902 fprintf(fp, "X-Exim-Diagnostic: X-str; %.900s\n", s);
7905 print_dsn_diagnostic_code(addr, fp);
7910 /* Now copy the message, trying to give an intelligible comment if
7911 it is too long for it all to be copied. The limit isn't strictly
7912 applied because of the buffering. There is, however, an option
7913 to suppress copying altogether. */
7915 emf_text = next_emf(emf, US"copy");
7918 we ignore the intro text from template and add
7919 the text for bounce_return_size_limit at the end.
7921 bounce_return_message is ignored
7922 in case RET= is defined we honor these values
7923 otherwise bounce_return_body is honored.
7925 bounce_return_size_limit is always honored.
7928 fprintf(fp, "--%s\n", bound);
7930 dsnlimitmsg = US"X-Exim-DSN-Information: Due to administrative limits only headers are returned";
7931 dsnnotifyhdr = NULL;
7932 topt = topt_add_return_path;
7934 /* RET=HDRS? top priority */
7935 if (dsn_ret == dsn_ret_hdrs)
7936 topt |= topt_no_body;
7939 struct stat statbuf;
7941 /* no full body return at all? */
7942 if (!bounce_return_body)
7944 topt |= topt_no_body;
7945 /* add header if we overrule RET=FULL */
7946 if (dsn_ret == dsn_ret_full)
7947 dsnnotifyhdr = dsnlimitmsg;
7949 /* line length limited... return headers only if oversize */
7950 /* size limited ... return headers only if limit reached */
7951 else if ( max_received_linelength > bounce_return_linesize_limit
7952 || ( bounce_return_size_limit > 0
7953 && fstat(deliver_datafile, &statbuf) == 0
7954 && statbuf.st_size > max
7957 topt |= topt_no_body;
7958 dsnnotifyhdr = dsnlimitmsg;
7963 if (message_smtputf8)
7964 fputs(topt & topt_no_body ? "Content-type: message/global-headers\n\n"
7965 : "Content-type: message/global\n\n",
7969 fputs(topt & topt_no_body ? "Content-type: text/rfc822-headers\n\n"
7970 : "Content-type: message/rfc822\n\n",
7974 transport_filter_argv = NULL; /* Just in case */
7975 return_path = sender_address; /* In case not previously set */
7976 { /* Dummy transport for headers add */
7977 transport_ctx tctx = {{0}};
7978 transport_instance tb = {0};
7980 tctx.u.fd = fileno(fp);
7982 tctx.options = topt;
7983 tb.add_headers = dsnnotifyhdr;
7985 /*XXX no checking for failure! buggy! */
7986 transport_write_message(&tctx, 0);
7990 /* we never add the final text. close the file */
7994 fprintf(fp, "\n--%s--\n", bound);
7996 /* Close the file, which should send an EOF to the child process
7997 that is receiving the message. Wait for it to finish. */
8000 rc = child_close(pid, 0); /* Waits for child to close, no timeout */
8002 /* If the process failed, there was some disaster in setting up the
8003 error message. Unless the message is very old, ensure that addr_defer
8004 is non-null, which will have the effect of leaving the message on the
8005 spool. The failed addresses will get tried again next time. However, we
8006 don't really want this to happen too often, so freeze the message unless
8007 there are some genuine deferred addresses to try. To do this we have
8008 to call spool_write_header() here, because with no genuine deferred
8009 addresses the normal code below doesn't get run. */
8014 if (now - received_time.tv_sec < retry_maximum_timeout && !addr_defer)
8016 addr_defer = (address_item *)(+1);
8017 f.deliver_freeze = TRUE;
8018 deliver_frozen_at = time(NULL);
8019 /* Panic-dies on error */
8020 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
8023 deliver_msglog("Process failed (%d) when writing error message "
8024 "to %s%s", rc, bounce_recipient, s);
8025 log_write(0, LOG_MAIN, "Process failed (%d) when writing error message "
8026 "to %s%s", rc, bounce_recipient, s);
8029 /* The message succeeded. Ensure that the recipients that failed are
8030 now marked finished with on the spool and their parents updated. */
8034 for (addr = handled_addr; addr; addr = addr->next)
8036 address_done(addr, logtod);
8037 child_done(addr, logtod);
8039 /* Panic-dies on error */
8040 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
8046 f.disable_logging = FALSE; /* In case left set */
8048 /* Come here from the mua_wrapper case if routing goes wrong */
8052 /* If there are now no deferred addresses, we are done. Preserve the
8053 message log if so configured, and we are using them. Otherwise, sling it.
8054 Then delete the message itself. */
8062 fname = spool_fname(US"msglog", message_subdir, id, US"");
8063 if (preserve_message_logs)
8066 uschar * moname = spool_fname(US"msglog.OLD", US"", id, US"");
8068 if ((rc = Urename(fname, moname)) < 0)
8070 (void)directory_make(spool_directory,
8071 spool_sname(US"msglog.OLD", US""),
8072 MSGLOG_DIRECTORY_MODE, TRUE);
8073 rc = Urename(fname, moname);
8076 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to move %s to the "
8077 "msglog.OLD directory", fname);
8080 if (Uunlink(fname) < 0)
8081 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
8082 fname, strerror(errno));
8085 /* Remove the two message files. */
8087 fname = spool_fname(US"input", message_subdir, id, US"-D");
8088 if (Uunlink(fname) < 0)
8089 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
8090 fname, strerror(errno));
8091 fname = spool_fname(US"input", message_subdir, id, US"-H");
8092 if (Uunlink(fname) < 0)
8093 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
8094 fname, strerror(errno));
8096 /* Log the end of this message, with queue time if requested. */
8098 if (LOGGING(queue_time_overall))
8099 log_write(0, LOG_MAIN, "Completed QT=%s", string_timesince(&received_time));
8101 log_write(0, LOG_MAIN, "Completed");
8103 /* Unset deliver_freeze so that we won't try to move the spool files further down */
8104 f.deliver_freeze = FALSE;
8106 #ifndef DISABLE_EVENT
8107 (void) event_raise(event_action, US"msg:complete", NULL, NULL);
8111 /* If there are deferred addresses, we are keeping this message because it is
8112 not yet completed. Lose any temporary files that were catching output from
8113 pipes for any of the deferred addresses, handle one-time aliases, and see if
8114 the message has been on the queue for so long that it is time to send a warning
8115 message to the sender, unless it is a mailer-daemon. If all deferred addresses
8116 have the same domain, we can set deliver_domain for the expansion of
8117 delay_warning_ condition - if any of them are pipes, files, or autoreplies, use
8118 the parent's domain.
8120 If all the deferred addresses have an error number that indicates "retry time
8121 not reached", skip sending the warning message, because it won't contain the
8122 reason for the delay. It will get sent at the next real delivery attempt.
8123 Exception: for retries caused by a remote peer we use the error message
8124 store in the retry DB as the reason.
8125 However, if at least one address has tried, we'd better include all of them in
8128 If we can't make a process to send the message, don't worry.
8130 For mailing list expansions we want to send the warning message to the
8131 mailing list manager. We can't do a perfect job here, as some addresses may
8132 have different errors addresses, but if we take the errors address from
8133 each deferred address it will probably be right in most cases.
8135 If addr_defer == +1, it means there was a problem sending an error message
8136 for failed addresses, and there were no "real" deferred addresses. The value
8137 was set just to keep the message on the spool, so there is nothing to do here.
8140 else if (addr_defer != (address_item *)(+1))
8142 uschar *recipients = US"";
8143 BOOL want_warning_msg = FALSE;
8145 deliver_domain = testflag(addr_defer, af_pfr)
8146 ? addr_defer->parent->domain : addr_defer->domain;
8148 for (address_item * addr = addr_defer; addr; addr = addr->next)
8150 address_item *otaddr;
8152 if (addr->basic_errno > ERRNO_WARN_BASE) want_warning_msg = TRUE;
8156 const uschar *d = testflag(addr, af_pfr)
8157 ? addr->parent->domain : addr->domain;
8159 /* The domain may be unset for an address that has never been routed
8160 because the system filter froze the message. */
8162 if (!d || Ustrcmp(d, deliver_domain) != 0)
8163 deliver_domain = NULL;
8166 if (addr->return_filename) Uunlink(addr->return_filename);
8168 /* Handle the case of one-time aliases. If any address in the ancestry
8169 of this one is flagged, ensure it is in the recipients list, suitably
8170 flagged, and that its parent is marked delivered. */
8172 for (otaddr = addr; otaddr; otaddr = otaddr->parent)
8173 if (otaddr->onetime_parent) break;
8178 int t = recipients_count;
8180 for (i = 0; i < recipients_count; i++)
8182 uschar *r = recipients_list[i].address;
8183 if (Ustrcmp(otaddr->onetime_parent, r) == 0) t = i;
8184 if (Ustrcmp(otaddr->address, r) == 0) break;
8187 /* Didn't find the address already in the list, and did find the
8188 ultimate parent's address in the list, and they really are different
8189 (i.e. not from an identity-redirect). After adding the recipient,
8190 update the errors address in the recipients list. */
8192 if ( i >= recipients_count && t < recipients_count
8193 && Ustrcmp(otaddr->address, otaddr->parent->address) != 0)
8195 DEBUG(D_deliver) debug_printf("one_time: adding %s in place of %s\n",
8196 otaddr->address, otaddr->parent->address);
8197 receive_add_recipient(otaddr->address, t);
8198 recipients_list[recipients_count-1].errors_to = otaddr->prop.errors_address;
8199 tree_add_nonrecipient(otaddr->parent->address);
8200 update_spool = TRUE;
8204 /* Except for error messages, ensure that either the errors address for
8205 this deferred address or, if there is none, the sender address, is on the
8206 list of recipients for a warning message. */
8208 if (sender_address[0])
8210 uschar * s = addr->prop.errors_address;
8211 if (!s) s = sender_address;
8212 if (Ustrstr(recipients, s) == NULL)
8213 recipients = string_sprintf("%s%s%s", recipients,
8214 recipients[0] ? "," : "", s);
8218 /* Send a warning message if the conditions are right. If the condition check
8219 fails because of a lookup defer, there is nothing we can do. The warning
8220 is not sent. Another attempt will be made at the next delivery attempt (if
8223 if ( !f.queue_2stage
8225 && ( !(addr_defer->dsn_flags & rf_dsnflags)
8226 || addr_defer->dsn_flags & rf_notify_delay
8228 && delay_warning[1] > 0
8229 && sender_address[0] != 0
8230 && ( !delay_warning_condition
8231 || expand_check_condition(delay_warning_condition,
8232 US"delay_warning", US"option")
8238 int queue_time = time(NULL) - received_time.tv_sec;
8240 queue_time = test_harness_fudged_queue_time(queue_time);
8242 /* See how many warnings we should have sent by now */
8244 for (count = 0; count < delay_warning[1]; count++)
8245 if (queue_time < delay_warning[count+2]) break;
8247 show_time = delay_warning[count+1];
8249 if (count >= delay_warning[1])
8252 int last_gap = show_time;
8253 if (count > 1) last_gap -= delay_warning[count];
8254 extra = (queue_time - delay_warning[count+1])/last_gap;
8255 show_time += last_gap * extra;
8261 debug_printf("time on queue = %s id %s addr %s\n",
8262 readconf_printtime(queue_time), message_id, addr_defer->address);
8263 debug_printf("warning counts: required %d done %d\n", count,
8267 /* We have computed the number of warnings there should have been by now.
8268 If there haven't been enough, send one, and up the count to what it should
8271 if (warning_count < count)
8275 pid_t pid = child_open_exim(&fd, US"delay-warning-message");
8281 FILE * f = fdopen(fd, "wb");
8283 transport_ctx tctx = {{0}};
8285 if (warn_message_file)
8286 wmf = expand_open(warn_message_file,
8287 US"warn_message_file", US"warning");
8289 warnmsg_recipients = recipients;
8290 warnmsg_delay = queue_time < 120*60
8291 ? string_sprintf("%d minutes", show_time/60)
8292 : string_sprintf("%d hours", show_time/3600);
8294 if (errors_reply_to)
8295 fprintf(f, "Reply-To: %s\n", errors_reply_to);
8296 fprintf(f, "Auto-Submitted: auto-replied\n");
8298 fprintf(f, "To: %s\n", recipients);
8299 moan_write_references(f, NULL);
8301 /* generated boundary string and output MIME-Headers */
8302 bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
8304 fprintf(f, "Content-Type: multipart/report;"
8305 " report-type=delivery-status; boundary=%s\n"
8306 "MIME-Version: 1.0\n",
8309 if ((wmf_text = next_emf(wmf, US"header")))
8310 fprintf(f, "%s\n", wmf_text);
8312 fprintf(f, "Subject: Warning: message %s delayed %s\n\n",
8313 message_id, warnmsg_delay);
8315 /* output human readable part as text/plain section */
8317 "Content-type: text/plain; charset=us-ascii\n\n",
8320 if ((wmf_text = next_emf(wmf, US"intro")))
8321 fprintf(f, "%s", CS wmf_text);
8325 "This message was created automatically by mail delivery software.\n");
8327 if (Ustrcmp(recipients, sender_address) == 0)
8329 "A message that you sent has not yet been delivered to one or more of its\n"
8330 "recipients after more than ");
8334 "A message sent by\n\n <%s>\n\n"
8335 "has not yet been delivered to one or more of its recipients after more than \n",
8338 fprintf(f, "%s on the queue on %s.\n\n"
8339 "The message identifier is: %s\n",
8340 warnmsg_delay, primary_hostname, message_id);
8342 for (h = header_list; h; h = h->next)
8343 if (strncmpic(h->text, US"Subject:", 8) == 0)
8344 fprintf(f, "The subject of the message is: %s", h->text + 9);
8345 else if (strncmpic(h->text, US"Date:", 5) == 0)
8346 fprintf(f, "The date of the message is: %s", h->text + 6);
8349 fprintf(f, "The address%s to which the message has not yet been "
8351 !addr_defer->next ? "" : "es",
8352 !addr_defer->next ? "is": "are");
8355 /* List the addresses, with error information if allowed */
8358 for (address_item * addr = addr_defer; addr; addr = addr->next)
8360 if (print_address_information(addr, f, US" ", US"\n ", US""))
8361 print_address_error(addr, f, US"Delay reason: ");
8370 if ((wmf_text = next_emf(wmf, US"final")))
8371 fprintf(f, "%s", CS wmf_text);
8377 "No action is required on your part. Delivery attempts will continue for\n"
8378 "some time, and this warning may be repeated at intervals if the message\n"
8379 "remains undelivered. Eventually the mail delivery software will give up,\n"
8380 "and when that happens, the message will be returned to you.\n");
8383 /* output machine readable part */
8384 fprintf(f, "\n--%s\n"
8385 "Content-type: message/delivery-status\n\n"
8386 "Reporting-MTA: dns; %s\n",
8388 smtp_active_hostname);
8393 /* must be decoded from xtext: see RFC 3461:6.3a */
8395 if (auth_xtextdecode(dsn_envid, &xdec_envid) > 0)
8396 fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
8398 fprintf(f,"X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
8402 for (address_item * addr = addr_defer; addr; addr = addr->next)
8406 print_dsn_addr_action(f, addr, US"delayed", US"4.0.0");
8408 if ((hu = addr->host_used) && hu->name)
8410 fprintf(f, "Remote-MTA: dns; %s\n", hu->name);
8411 print_dsn_diagnostic_code(addr, f);
8417 "Content-type: text/rfc822-headers\n\n",
8421 /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
8422 tctx.u.fd = fileno(f);
8423 tctx.options = topt_add_return_path | topt_no_body;
8424 transport_filter_argv = NULL; /* Just in case */
8425 return_path = sender_address; /* In case not previously set */
8427 /* Write the original email out */
8428 /*XXX no checking for failure! buggy! */
8429 transport_write_message(&tctx, 0);
8432 fprintf(f,"\n--%s--\n", bound);
8436 /* Close and wait for child process to complete, without a timeout.
8437 If there's an error, don't update the count. */
8440 if (child_close(pid, 0) == 0)
8442 warning_count = count;
8443 update_spool = TRUE; /* Ensure spool rewritten */
8449 /* Clear deliver_domain */
8451 deliver_domain = NULL;
8453 /* If this was a first delivery attempt, unset the first time flag, and
8454 ensure that the spool gets updated. */
8456 if (f.deliver_firsttime && !f.queue_2stage)
8458 f.deliver_firsttime = FALSE;
8459 update_spool = TRUE;
8462 /* If delivery was frozen and freeze_tell is set, generate an appropriate
8463 message, unless the message is a local error message (to avoid loops). Then
8464 log the freezing. If the text in "frozen_info" came from a system filter,
8465 it has been escaped into printing characters so as not to mess up log lines.
8466 For the "tell" message, we turn \n back into newline. Also, insert a newline
8467 near the start instead of the ": " string. */
8469 if (f.deliver_freeze)
8471 if (freeze_tell && freeze_tell[0] != 0 && !f.local_error_message)
8473 uschar *s = string_copy(frozen_info);
8474 uschar *ss = Ustrstr(s, " by the system filter: ");
8485 if (*ss == '\\' && ss[1] == 'n')
8492 moan_tell_someone(freeze_tell, addr_defer, US"Message frozen",
8493 "Message %s has been frozen%s.\nThe sender is <%s>.\n", message_id,
8497 /* Log freezing just before we update the -H file, to minimize the chance
8498 of a race problem. */
8500 deliver_msglog("*** Frozen%s\n", frozen_info);
8501 log_write(0, LOG_MAIN, "Frozen%s", frozen_info);
8504 /* If there have been any updates to the non-recipients list, or other things
8505 that get written to the spool, we must now update the spool header file so
8506 that it has the right information for the next delivery attempt. If there
8507 was more than one address being delivered, the header_change update is done
8508 earlier, in case one succeeds and then something crashes. */
8511 debug_printf("delivery deferred: update_spool=%d header_rewritten=%d\n",
8512 update_spool, f.header_rewritten);
8514 if (update_spool || f.header_rewritten)
8515 /* Panic-dies on error */
8516 (void)spool_write_header(message_id, SW_DELIVERING, NULL);
8519 /* Finished with the message log. If the message is complete, it will have
8520 been unlinked or renamed above. */
8522 if (message_logs) (void)fclose(message_log);
8524 /* Now we can close and remove the journal file. Its only purpose is to record
8525 successfully completed deliveries asap so that this information doesn't get
8526 lost if Exim (or the machine) crashes. Forgetting about a failed delivery is
8527 not serious, as trying it again is not harmful. The journal might not be open
8528 if all addresses were deferred at routing or directing. Nevertheless, we must
8529 remove it if it exists (may have been lying around from a crash during the
8530 previous delivery attempt). We don't remove the journal if a delivery
8531 subprocess failed to pass back delivery information; this is controlled by
8532 the remove_journal flag. When the journal is left, we also don't move the
8533 message off the main spool if frozen and the option is set. It should get moved
8534 at the next attempt, after the journal has been inspected. */
8536 if (journal_fd >= 0) (void)close(journal_fd);
8540 uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
8542 if (Uunlink(fname) < 0 && errno != ENOENT)
8543 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", fname,
8546 /* Move the message off the spool if requested */
8548 #ifdef SUPPORT_MOVE_FROZEN_MESSAGES
8549 if (f.deliver_freeze && move_frozen_messages)
8550 (void)spool_move_message(id, message_subdir, US"", US"F");
8554 /* Closing the data file frees the lock; if the file has been unlinked it
8555 will go away. Otherwise the message becomes available for another process
8558 (void)close(deliver_datafile);
8559 deliver_datafile = -1;
8560 DEBUG(D_deliver) debug_printf("end delivery of %s\n", id);
8561 #ifdef MEASURE_TIMING
8562 report_time_since(×tamp_startup, US"delivery end"); /* testcase 0005 */
8565 /* It is unlikely that there will be any cached resources, since they are
8566 released after routing, and in the delivery subprocesses. However, it's
8567 possible for an expansion for something afterwards (for example,
8568 expand_check_condition) to do a lookup. We must therefore be sure everything is
8572 acl_where = ACL_WHERE_UNKNOWN;
8581 #ifdef EXIM_TFO_PROBE
8584 f.tcp_fastopen_ok = TRUE;
8590 /* Called from a commandline, or from the daemon, to do a delivery.
8591 We need to regain privs; do this by exec of the exim binary. */
8594 delivery_re_exec(int exec_type)
8598 if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
8600 int channel_fd = cutthrough.cctx.sock;
8602 smtp_peer_options = cutthrough.peer_options;
8603 continue_sequence = 0;
8606 if (cutthrough.is_tls)
8610 smtp_peer_options |= OPTION_TLS;
8611 sending_ip_address = cutthrough.snd_ip;
8612 sending_port = cutthrough.snd_port;
8614 where = US"socketpair";
8615 if (socketpair(AF_UNIX, SOCK_STREAM, 0, pfd) != 0)
8619 testharness_pause_ms(150);
8620 if ((pid = exim_fork(US"tls-proxy-interproc")) < 0)
8623 if (pid == 0) /* child: will fork again to totally disconnect */
8625 smtp_proxy_tls(cutthrough.cctx.tls_ctx, big_buffer, big_buffer_size,
8627 /* does not return */
8631 waitpid(pid, NULL, 0);
8632 (void) close(channel_fd); /* release the client socket */
8633 channel_fd = pfd[1];
8637 transport_do_pass_socket(cutthrough.transport, cutthrough.host.name,
8638 cutthrough.host.address, message_id, channel_fd);
8642 cancel_cutthrough_connection(TRUE, US"non-continued delivery");
8643 (void) child_exec_exim(exec_type, FALSE, NULL, FALSE, 2, US"-Mc", message_id);
8645 return; /* compiler quietening; control does not reach here. */
8650 LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
8651 "delivery re-exec %s failed: %s", where, strerror(errno));
8653 /* Get here if exec_type == CEE_EXEC_EXIT.
8654 Note: this must be _exit(), not exit(). */
8656 _exit(EX_EXECFAILED);
8662 /* End of deliver.c */
git://git.exim.org / exim.git / blob