1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for writing log files. The code for maintaining datestamped
10 log files was originally contributed by Tony Sheen. */
15 #define LOG_NAME_SIZE 256
16 #define MAX_SYSLOG_LEN 870
18 #define LOG_MODE_FILE 1
19 #define LOG_MODE_SYSLOG 2
21 enum { lt_main, lt_reject, lt_panic, lt_debug };
23 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
27 /*************************************************
28 * Local static variables *
29 *************************************************/
31 static uschar mainlog_name[LOG_NAME_SIZE];
32 static uschar rejectlog_name[LOG_NAME_SIZE];
33 static uschar debuglog_name[LOG_NAME_SIZE];
35 static uschar *mainlog_datestamp = NULL;
36 static uschar *rejectlog_datestamp = NULL;
38 static int mainlogfd = -1;
39 static int rejectlogfd = -1;
40 static ino_t mainlog_inode = 0;
41 static ino_t rejectlog_inode = 0;
43 static uschar *panic_save_buffer = NULL;
44 static BOOL panic_recurseflag = FALSE;
46 static BOOL syslog_open = FALSE;
47 static BOOL path_inspected = FALSE;
48 static int logging_mode = LOG_MODE_FILE;
49 static uschar *file_path = US"";
51 static size_t pid_position[2];
54 /* These should be kept in-step with the private delivery error
55 number definitions in macros.h */
57 static const uschar * exim_errstrings[] = {
80 US"Exim-imposed quota",
82 US"Delivery filter process failure",
83 US"Delivery add/remove header failure",
84 US"Delivery write incomplete error",
85 US"Some expansion failed",
86 US"Failed to get gid",
87 US"Failed to get uid",
88 US"Unset or non-existent transport",
89 US"MBX length mismatch",
90 US"Lookup failed routing or in smtp tpt",
91 US"Can't match format in appendfile",
92 US"Creation outside home in appendfile",
93 US"Can't check a list; lookup defer",
95 US"Failed to start TLS session",
96 US"Mandatory TLS session not started",
97 US"Failed to chown a file",
98 US"Failed to create a pipe",
100 US"When required by client",
101 US"Used internally in smtp transport",
102 US"RCPT gave 4xx error",
103 US"MAIL gave 4xx error",
104 US"DATA gave 4xx error",
105 US"Negotiation failed for proxy configured host",
106 US"Authenticator 'other' failure",
107 US"target not supporting SMTPUTF8",
110 US"Not time for routing",
111 US"Not time for local delivery",
112 US"Not time for any remote host",
113 US"Local-only delivery",
114 US"Domain in queue_domains",
115 US"Transport concurrency limit",
116 US"Event requests alternate response",
120 /************************************************/
124 return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
127 /*************************************************
129 *************************************************/
131 /* The given string is split into sections according to length, or at embedded
132 newlines, and syslogged as a numbered sequence if it is overlong or if there is
133 more than one line. However, if we are running in the test harness, do not do
134 anything. (The test harness doesn't use syslog - for obvious reasons - but we
135 can get here if there is a failure to open the panic log.)
138 priority syslog priority
139 s the string to be written
145 write_syslog(int priority, const uschar *s)
150 if (!syslog_pid && LOGGING(pid))
151 s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
152 if (!syslog_timestamp)
154 len = log_timezone ? 26 : 20;
155 if (LOGGING(millisec)) len += 4;
162 if (!syslog_open && !f.running_in_test_harness)
164 # ifdef SYSLOG_LOG_PID
165 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
167 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
173 /* First do a scan through the message in order to determine how many lines
174 it is going to end up as. Then rescan to output it. */
176 for (int pass = 0; pass < 2; pass++)
178 const uschar * ss = s;
179 for (int i = 1, tlen = len; tlen > 0; i++)
182 uschar *nlptr = Ustrchr(ss, '\n');
183 if (nlptr != NULL) plen = nlptr - ss;
184 #ifndef SYSLOG_LONG_LINES
185 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
188 if (ss[plen] == '\n') tlen--; /* chars left */
192 else if (f.running_in_test_harness)
194 fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
196 fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
197 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
198 linecount, plen, ss);
201 syslog(priority, "%.*s", plen, ss);
203 syslog(priority, "[%d%c%d] %.*s", i,
204 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
205 linecount, plen, ss);
208 if (*ss == '\n') ss++;
215 /*************************************************
217 *************************************************/
219 /* This is called when Exim is dying as a result of something going wrong in
220 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
221 message to debug_file or a stderr file, if they exist. Then, if in the middle
222 of accepting a message, throw it away tidily by calling receive_bomb_out();
223 this will attempt to send an SMTP response if appropriate. Passing NULL as the
224 first argument stops it trying to run the NOTQUIT ACL (which might try further
225 logging and thus cause problems). Otherwise, try to close down an outstanding
229 s1 Error message to write to debug_file and/or stderr and syslog
230 s2 Error message for any SMTP call that is in progress
231 Returns: The function does not return
235 die(uschar *s1, uschar *s2)
239 write_syslog(LOG_CRIT, s1);
240 if (debug_file) debug_printf("%s\n", s1);
241 if (log_stderr && log_stderr != debug_file)
242 fprintf(log_stderr, "%s\n", s1);
244 if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
245 if (smtp_input) smtp_closedown(s2);
246 exim_exit(EXIT_FAILURE);
251 /*************************************************
252 * Create a log file *
253 *************************************************/
255 /* This function is called to create and open a log file. It may be called in a
256 subprocess when the original process is root.
261 The file name has been build in a working buffer, so it is permissible to
262 overwrite it temporarily if it is necessary to create the directory.
264 Returns: a file descriptor, or < 0 on failure (errno set)
268 log_create(uschar *name)
274 O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
276 /* If creation failed, attempt to build a log directory in case that is the
279 if (fd < 0 && errno == ENOENT)
282 uschar *lastslash = Ustrrchr(name, '/');
284 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
285 DEBUG(D_any) debug_printf("%s log directory %s\n",
286 created ? "created" : "failed to create", name);
288 if (created) fd = Uopen(name,
292 O_CREAT|O_APPEND|O_WRONLY, LOG_MODE);
300 /*************************************************
301 * Create a log file as the exim user *
302 *************************************************/
304 /* This function is called when we are root to spawn an exim:exim subprocess
305 in which we can create a log file. It must be signal-safe since it is called
306 by the usr1_handler().
311 Returns: a file descriptor, or < 0 on failure (errno set)
315 log_create_as_exim(uschar *name)
317 pid_t pid = exim_fork(US"logfile-create");
321 /* In the subprocess, change uid/gid and do the creation. Return 0 from the
322 subprocess on success. If we don't check for setuid failures, then the file
323 can be created as root, so vulnerabilities which cause setuid to fail mean
324 that the Exim user can use symlinks to cause a file to be opened/created as
325 root. We always open for append, so can't nuke existing content but it would
326 still be Rather Bad. */
330 if (setgid(exim_gid) < 0)
331 die(US"exim: setgid for log-file creation failed, aborting",
332 US"Unexpected log failure, please try later");
333 if (setuid(exim_uid) < 0)
334 die(US"exim: setuid for log-file creation failed, aborting",
335 US"Unexpected log failure, please try later");
336 _exit((log_create(name) < 0)? 1 : 0);
339 /* If we created a subprocess, wait for it. If it succeeded, try the open. */
341 while (pid > 0 && waitpid(pid, &status, 0) != pid);
342 if (status == 0) fd = Uopen(name,
346 O_APPEND|O_WRONLY, LOG_MODE);
348 /* If we failed to create a subprocess, we are in a bad way. We return
349 with fd still < 0, and errno set, letting the caller handle the error. */
357 /*************************************************
359 *************************************************/
361 /* This function opens one of a number of logs, creating the log directory if
362 it does not exist. This may be called recursively on failure, in order to open
365 The directory is in the static variable file_path. This is static so that it
366 the work of sorting out the path is done just once per Exim process.
368 Exim is normally configured to avoid running as root wherever possible, the log
369 files must be owned by the non-privileged exim user. To ensure this, first try
370 an open without O_CREAT - most of the time this will succeed. If it fails, try
371 to create the file; if running as root, this must be done in a subprocess to
375 fd where to return the resulting file descriptor
376 type lt_main, lt_reject, lt_panic, or lt_debug
377 tag optional tag to include in the name (only hooked up for debug)
383 open_log(int *fd, int type, uschar *tag)
387 uschar buffer[LOG_NAME_SIZE];
389 /* The names of the log files are controlled by file_path. The panic log is
390 written to the same directory as the main and reject logs, but its name does
391 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
392 When opening the panic log, if %D or %M is present, we remove the datestamp
393 from the generated name; if it is at the start, remove a following
394 non-alphanumeric character as well; otherwise, remove a preceding
395 non-alphanumeric character. This is definitely kludgy, but it sort of does what
396 people want, I hope. */
398 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
400 /* Save the name of the mainlog for rollover processing. Without a datestamp,
401 it gets statted to see if it has been cycled. With a datestamp, the datestamp
402 will be compared. The static slot for saving it is the same size as buffer,
403 and the text has been checked above to fit, so this use of strcpy() is OK. */
407 Ustrcpy(mainlog_name, buffer);
408 if (string_datestamp_offset > 0)
409 mainlog_datestamp = mainlog_name + string_datestamp_offset;
412 /* Ditto for the reject log */
414 else if (type == lt_reject)
416 Ustrcpy(rejectlog_name, buffer);
417 if (string_datestamp_offset > 0)
418 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
421 /* and deal with the debug log (which keeps the datestamp, but does not
424 else if (type == lt_debug)
426 Ustrcpy(debuglog_name, buffer);
429 /* this won't change the offset of the datestamp */
430 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
433 Ustrcpy(debuglog_name, buffer);
437 /* Remove any datestamp if this is the panic log. This is rare, so there's no
438 need to optimize getting the datestamp length. We remove one non-alphanumeric
439 char afterwards if at the start, otherwise one before. */
441 else if (string_datestamp_offset >= 0)
443 uschar * from = buffer + string_datestamp_offset;
444 uschar * to = from + string_datestamp_length;
446 if (from == buffer || from[-1] == '/')
448 if (!isalnum(*to)) to++;
451 if (!isalnum(from[-1])) from--;
453 /* This copy is ok, because we know that to is a substring of from. But
454 due to overlap we must use memmove() not Ustrcpy(). */
455 memmove(from, to, Ustrlen(to)+1);
458 /* If the file name is too long, it is an unrecoverable disaster */
461 die(US"exim: log file path too long: aborting",
462 US"Logging failure; please try later");
464 /* We now have the file name. Try to open an existing file. After a successful
465 open, arrange for automatic closure on exec(), and then return. */
471 O_APPEND|O_WRONLY, LOG_MODE);
476 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
481 /* Open was not successful: try creating the file. If this is a root process,
482 we must do the creating in a subprocess set to exim:exim in order to ensure
483 that the file is created with the right ownership. Otherwise, there can be a
484 race if another Exim process is trying to write to the log at the same time.
485 The use of SIGUSR1 by the exiwhat utility can provoke a lot of simultaneous
490 /* If we are already running as the Exim user (even if that user is root),
491 we can go ahead and create in the current process. */
493 if (euid == exim_uid) *fd = log_create(buffer);
495 /* Otherwise, if we are root, do the creation in an exim:exim subprocess. If we
496 are neither exim nor root, creation is not attempted. */
498 else if (euid == root_uid) *fd = log_create_as_exim(buffer);
500 /* If we now have an open file, set the close-on-exec flag and return. */
505 (void)fcntl(*fd, F_SETFD, fcntl(*fd, F_GETFD) | FD_CLOEXEC);
510 /* Creation failed. There are some circumstances in which we get here when
511 the effective uid is not root or exim, which is the problem. (For example, a
512 non-setuid binary with log_arguments set, called in certain ways.) Rather than
513 just bombing out, force the log to stderr and carry on if stderr is available.
516 if (euid != root_uid && euid != exim_uid && log_stderr)
518 *fd = fileno(log_stderr);
522 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
523 log. If possible, save a copy of the original line that was being logged. If we
524 are recursing (can't open the panic log either), the pointer will already be
525 set. Also, when we had to use a subprocess for the create we didn't retrieve
526 errno from it, so get the error from the open attempt above (which is often
527 meaningful enough, so leave it). */
529 if (!panic_save_buffer)
530 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
531 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
533 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
534 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
542 if (type == lt_debug) unlink(CS debuglog_name);
547 /*************************************************
548 * Add configuration file info to log line *
549 *************************************************/
551 /* This is put in a function because it's needed twice (once for debugging,
555 ptr pointer to the end of the line we are building
558 Returns: updated pointer
562 log_config_info(gstring * g, int flags)
564 g = string_cat(g, US"Exim configuration error");
566 if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
567 return string_cat(g, US" for ");
569 if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
570 g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
572 return string_catn(g, US":\n ", 4);
576 /*************************************************
577 * A write() operation failed *
578 *************************************************/
580 /* This function is called when write() fails on anything other than the panic
581 log, which can happen if a disk gets full or a file gets too large or whatever.
582 We try to save the relevant message in the panic_save buffer before crashing
585 The potential invoker should probably not call us for EINTR -1 writes. But
586 otherwise, short writes are bad as we don't do non-blocking writes to fds
587 subject to flow control. (If we do, that's new and the logic of this should
591 name the name of the log being written
592 length the string length being written
593 rc the return value from write()
595 Returns: does not return
599 log_write_failed(uschar *name, int length, int rc)
601 int save_errno = errno;
603 if (!panic_save_buffer)
604 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
605 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
607 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
608 "errno=%d (%s)", name, length, rc, save_errno,
609 (save_errno == 0)? "write incomplete" : strerror(save_errno));
615 /*************************************************
616 * Write to an fd, retrying after signals *
617 *************************************************/
619 /* Basic write to fd for logs, handling EINTR.
622 fd the fd to write to
623 buf the string to write
624 length the string length being written
627 length actually written, persisting an errno from write()
630 write_to_fd_buf(int fd, const uschar *buf, size_t length)
633 size_t total_written = 0;
634 const uschar *p = buf;
635 size_t left = length;
639 wrote = write(fd, p, left);
640 if (wrote == (ssize_t)-1)
642 if (errno == EINTR) continue;
645 total_written += wrote;
654 return total_written;
662 int sep = ':'; /* Fixed separator - outside use */
664 const uschar *tt = US LOG_FILE_PATH;
665 while ((t = string_nextinlist(&tt, &sep, log_buffer, LOG_BUFFER_SIZE)))
667 if (Ustrcmp(t, "syslog") == 0 || t[0] == 0) continue;
668 file_path = string_copy(t);
677 if (mainlogfd < 0) return;
678 (void)close(mainlogfd);
683 /*************************************************
684 * Write message to log file *
685 *************************************************/
687 /* Exim can be configured to log to local files, or use syslog, or both. This
688 is controlled by the setting of log_file_path. The following cases are
691 log_file_path = "" write files in the spool/log directory
692 log_file_path = "xxx" write files in the xxx directory
693 log_file_path = "syslog" write to syslog
694 log_file_path = "syslog : xxx" write to syslog and to files (any order)
696 The message always gets '\n' added on the end of it, since more than one
697 process may be writing to the log at once and we don't want intermingling to
698 happen in the middle of lines. To be absolutely sure of this we write the data
699 into a private buffer and then put it out in a single write() call.
701 The flags determine which log(s) the message is written to, or for syslogging,
702 which priority to use, and in the case of the panic log, whether the process
703 should die afterwards.
705 The variable really_exim is TRUE only when exim is running in privileged state
706 (i.e. not with a changed configuration or with testing options such as -brw).
707 If it is not, don't try to write to the log because permission will probably be
710 Avoid actually writing to the logs when exim is called with -bv or -bt to
711 test an address, but take other actions, such as panicking.
713 In Exim proper, the buffer for building the message is got at start-up, so that
714 nothing gets done if it can't be got. However, some functions that are also
715 used in utilities occasionally obey log_write calls in error situations, and it
716 is simplest to put a single malloc() here rather than put one in each utility.
717 Malloc is used directly because the store functions may call log_write().
719 If a message_id exists, we include it after the timestamp.
722 selector write to main log or LOG_INFO only if this value is zero, or if
723 its bit is set in log_selector[0]
724 flags each bit indicates some independent action:
725 LOG_SENDER add raw sender to the message
726 LOG_RECIPIENTS add raw recipients list to message
727 LOG_CONFIG add "Exim configuration error"
728 LOG_CONFIG_FOR add " for " instead of ":\n "
729 LOG_CONFIG_IN add " in line x[ of file y]"
730 LOG_MAIN write to main log or syslog LOG_INFO
731 LOG_REJECT write to reject log or syslog LOG_NOTICE
732 LOG_PANIC write to panic log or syslog LOG_ALERT
733 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
734 format a printf() format
735 ... arguments for format
741 log_write(unsigned int selector, int flags, const char *format, ...)
745 gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
749 /* If panic_recurseflag is set, we have failed to open the panic log. This is
750 the ultimate disaster. First try to write the message to a debug file and/or
751 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
752 original log line that caused the problem. Afterwards, expire. */
754 if (panic_recurseflag)
756 uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
757 if (debug_file) debug_printf("%s%s", extra, log_buffer);
758 if (log_stderr && log_stderr != debug_file)
759 fprintf(log_stderr, "%s%s", extra, log_buffer);
760 if (*extra) write_syslog(LOG_CRIT, extra);
761 write_syslog(LOG_CRIT, log_buffer);
762 die(US"exim: could not open panic log - aborting: see message(s) above",
763 US"Unexpected log failure, please try later");
766 /* Ensure we have a buffer (see comment above); this should never be obeyed
767 when running Exim proper, only when running utilities. */
770 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
772 fprintf(stderr, "exim: failed to get store for log buffer\n");
773 exim_exit(EXIT_FAILURE);
776 /* If we haven't already done so, inspect the setting of log_file_path to
777 determine whether to log to files and/or to syslog. Bits in logging_mode
778 control this, and for file logging, the path must end up in file_path. This
779 variable must be in permanent store because it may be required again later in
784 BOOL multiple = FALSE;
785 int old_pool = store_pool;
787 store_pool = POOL_PERM;
789 /* If nothing has been set, don't waste effort... the default values for the
790 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
794 int sep = ':'; /* Fixed separator - outside use */
796 const uschar *ss = log_file_path;
799 while ((s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE)))
801 if (Ustrcmp(s, "syslog") == 0)
802 logging_mode |= LOG_MODE_SYSLOG;
803 else if (logging_mode & LOG_MODE_FILE)
807 logging_mode |= LOG_MODE_FILE;
809 /* If a non-empty path is given, use it */
812 file_path = string_copy(s);
814 /* If the path is empty, we want to use the first non-empty, non-
815 syslog item in LOG_FILE_PATH, if there is one, since the value of
816 log_file_path may have been set at runtime. If there is no such item,
817 use the ultimate default in the spool directory. */
820 set_file_path(); /* Empty item in log_file_path */
821 } /* First non-syslog item in log_file_path */
822 } /* Scan of log_file_path */
825 /* If no modes have been selected, it is a major disaster */
827 if (logging_mode == 0)
828 die(US"Neither syslog nor file logging set in log_file_path",
829 US"Unexpected logging failure");
831 /* Set up the ultimate default if necessary. Then revert to the old store
832 pool, and record that we've sorted out the path. */
834 if (logging_mode & LOG_MODE_FILE && !file_path[0])
835 file_path = string_sprintf("%s/log/%%slog", spool_directory);
836 store_pool = old_pool;
837 path_inspected = TRUE;
839 /* If more than one file path was given, log a complaint. This recursive call
840 should work since we have now set up the routing. */
843 log_write(0, LOG_MAIN|LOG_PANIC,
844 "More than one path given in log_file_path: using %s", file_path);
847 /* If debugging, show all log entries, but don't show headers. Do it all
848 in one go so that it doesn't get split when multi-processing. */
854 g = string_catn(&gs, US"LOG:", 4);
856 /* Show the selector that was passed into the call. */
858 for (i = 0; i < log_options_count; i++)
860 unsigned int bitnum = log_options[i].bit;
861 if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
862 g = string_fmt_append(g, " %s", log_options[i].name);
865 g = string_fmt_append(g, "%s%s%s%s\n ",
866 flags & LOG_MAIN ? " MAIN" : "",
867 flags & LOG_PANIC ? " PANIC" : "",
868 (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
869 flags & LOG_REJECT ? " REJECT" : "");
871 if (flags & LOG_CONFIG) g = log_config_info(g, flags);
873 /* We want to be able to log tainted info, but log_buffer is directly
874 malloc'd. So use deliberately taint-nonchecking routines to build into
875 it, trusting that we will never expand the results. */
877 va_start(ap, format);
879 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
882 g = string_cat(g, US"**** log string overflowed log buffer ****");
886 g->size = LOG_BUFFER_SIZE;
887 g = string_catn(g, US"\n", 1);
888 debug_printf("%s", string_from_gstring(g));
890 gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */
891 gs.ptr = 0; /* reset it for the real use. */
894 /* If no log file is specified, we are in a mess. */
896 if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
897 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
900 /* There are some weird circumstances in which logging is disabled. */
902 if (f.disable_logging)
904 DEBUG(D_any) debug_printf("log writing disabled\n");
908 /* Handle disabled reject log */
910 if (!write_rejectlog) flags &= ~LOG_REJECT;
912 /* Create the main message in the log buffer. Do not include the message id
913 when called by a utility. */
915 g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
919 if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */
920 g = string_fmt_append(g, "[%d] ", (int)getpid());
921 if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */
924 if (f.really_exim && message_id[0] != 0)
925 g = string_fmt_append(g, "%s ", message_id);
927 if (flags & LOG_CONFIG)
928 g = log_config_info(g, flags);
930 va_start(ap, format);
934 /* We want to be able to log tainted info, but log_buffer is directly
935 malloc'd. So use deliberately taint-nonchecking routines to build into
936 it, trusting that we will never expand the results. */
938 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
941 g = string_cat(g, US"**** log string overflowed log buffer ****\n");
946 /* Add the raw, unrewritten, sender to the message if required. This is done
947 this way because it kind of fits with LOG_RECIPIENTS. */
949 if ( flags & LOG_SENDER
950 && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
951 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " from <%s>", raw_sender);
953 /* Add list of recipients to the message if required; the raw list,
954 before rewriting, was saved in raw_recipients. There may be none, if an ACL
955 discarded them all. */
957 if ( flags & LOG_RECIPIENTS
958 && g->ptr < LOG_BUFFER_SIZE - 6
959 && raw_recipients_count > 0)
962 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " for", NULL);
963 for (i = 0; i < raw_recipients_count; i++)
965 uschar * s = raw_recipients[i];
966 if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
967 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s);
971 g = string_catn(g, US"\n", 1);
972 string_from_gstring(g);
974 /* Handle loggable errors when running a utility, or when address testing.
975 Write to log_stderr unless debugging (when it will already have been written),
976 or unless there is no log_stderr (expn called from daemon, for example). */
978 if (!f.really_exim || f.log_testing_mode)
982 && (selector == 0 || (selector & log_selector[0]) != 0)
985 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
987 fprintf(log_stderr, "%s", CS log_buffer);
989 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
993 /* Handle the main log. We know that either syslog or file logging (or both) is
994 set up. A real file gets left open during reception or delivery once it has
995 been opened, but we don't want to keep on writing to it for too long after it
996 has been renamed. Therefore, do a stat() and see if the inode has changed, and
999 if ( flags & LOG_MAIN
1000 && (!selector || selector & log_selector[0]))
1002 if ( logging_mode & LOG_MODE_SYSLOG
1003 && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
1004 write_syslog(LOG_INFO, log_buffer);
1006 if (logging_mode & LOG_MODE_FILE)
1008 struct stat statbuf;
1010 /* Check for a change to the mainlog file name when datestamping is in
1011 operation. This happens at midnight, at which point we want to roll over
1012 the file. Closing it has the desired effect. */
1014 if (mainlog_datestamp)
1016 uschar *nowstamp = tod_stamp(string_datestamp_type);
1017 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1019 (void)close(mainlogfd); /* Close the file */
1020 mainlogfd = -1; /* Clear the file descriptor */
1021 mainlog_inode = 0; /* Unset the inode */
1022 mainlog_datestamp = NULL; /* Clear the datestamp */
1026 /* Otherwise, we want to check whether the file has been renamed by a
1027 cycling script. This could be "if else", but for safety's sake, leave it as
1028 "if" so that renaming the log starts a new file even when datestamping is
1032 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
1035 /* If the log is closed, open it. Then write the line. */
1039 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
1040 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
1043 /* Failing to write to the log is disastrous */
1045 written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
1046 if (written_len != g->ptr)
1048 log_write_failed(US"main log", g->ptr, written_len);
1049 /* That function does not return */
1054 /* Handle the log for rejected messages. This can be globally disabled, in
1055 which case the flags are altered above. If there are any header lines (i.e. if
1056 the rejection is happening after the DATA phase), log the recipients and the
1059 if (flags & LOG_REJECT)
1061 if (header_list && LOGGING(rejected_header))
1066 if (recipients_count > 0)
1068 /* List the sender */
1070 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1071 "Envelope-from: <%s>\n", sender_address);
1074 /* List up to 5 recipients */
1076 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1077 "Envelope-to: <%s>\n", recipients_list[0].address);
1080 for (i = 1; i < recipients_count && i < 5; i++)
1082 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1083 " <%s>\n", recipients_list[i].address);
1087 if (i < recipients_count)
1089 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " ...\n", NULL);
1094 /* A header with a NULL text is an unfilled in Received: header */
1096 for (header_line * h = header_list; h; h = h->next) if (h->text)
1098 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1099 "%c %s", h->type, h->text);
1102 else /* Buffer is full; truncate */
1104 g->ptr -= 100; /* For message and separator */
1105 if (g->s[g->ptr-1] == '\n') g->ptr--;
1106 g = string_cat(g, US"\n*** truncated ***\n");
1112 /* Write to syslog or to a log file */
1114 if ( logging_mode & LOG_MODE_SYSLOG
1115 && (syslog_duplication || !(flags & LOG_PANIC)))
1116 write_syslog(LOG_NOTICE, string_from_gstring(g));
1118 /* Check for a change to the rejectlog file name when datestamping is in
1119 operation. This happens at midnight, at which point we want to roll over
1120 the file. Closing it has the desired effect. */
1122 if (logging_mode & LOG_MODE_FILE)
1124 struct stat statbuf;
1126 if (rejectlog_datestamp)
1128 uschar *nowstamp = tod_stamp(string_datestamp_type);
1129 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1131 (void)close(rejectlogfd); /* Close the file */
1132 rejectlogfd = -1; /* Clear the file descriptor */
1133 rejectlog_inode = 0; /* Unset the inode */
1134 rejectlog_datestamp = NULL; /* Clear the datestamp */
1138 /* Otherwise, we want to check whether the file has been renamed by a
1139 cycling script. This could be "if else", but for safety's sake, leave it as
1140 "if" so that renaming the log starts a new file even when datestamping is
1143 if (rejectlogfd >= 0)
1144 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1145 statbuf.st_ino != rejectlog_inode)
1147 (void)close(rejectlogfd);
1149 rejectlog_inode = 0;
1152 /* Open the file if necessary, and write the data */
1154 if (rejectlogfd < 0)
1156 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1157 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1160 written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
1161 if (written_len != g->ptr)
1163 log_write_failed(US"reject log", g->ptr, written_len);
1164 /* That function does not return */
1170 /* Handle the panic log, which is not kept open like the others. If it fails to
1171 open, there will be a recursive call to log_write(). We detect this above and
1172 attempt to write to the system log as a last-ditch try at telling somebody. In
1173 all cases except mua_wrapper, try to write to log_stderr. */
1175 if (flags & LOG_PANIC)
1177 if (log_stderr && log_stderr != debug_file && !mua_wrapper)
1178 fprintf(log_stderr, "%s", CS string_from_gstring(g));
1180 if (logging_mode & LOG_MODE_SYSLOG)
1181 write_syslog(LOG_ALERT, log_buffer);
1183 /* If this panic logging was caused by a failure to open the main log,
1184 the original log line is in panic_save_buffer. Make an attempt to write it. */
1186 if (logging_mode & LOG_MODE_FILE)
1188 panic_recurseflag = TRUE;
1189 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1190 panic_recurseflag = FALSE;
1192 if (panic_save_buffer)
1194 int i = write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1195 i = i; /* compiler quietening */
1198 written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
1199 if (written_len != g->ptr)
1201 int save_errno = errno;
1202 write_syslog(LOG_CRIT, log_buffer);
1203 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1204 "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
1205 write_syslog(LOG_CRIT, string_from_gstring(g));
1206 flags |= LOG_PANIC_DIE;
1209 (void)close(paniclogfd);
1212 /* Give up if the DIE flag is set */
1214 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1215 die(NULL, US"Unexpected failure, please try later");
1221 /*************************************************
1222 * Close any open log files *
1223 *************************************************/
1229 { (void)close(mainlogfd); mainlogfd = -1; }
1230 if (rejectlogfd >= 0)
1231 { (void)close(rejectlogfd); rejectlogfd = -1; }
1233 syslog_open = FALSE;
1238 /*************************************************
1239 * Multi-bit set or clear *
1240 *************************************************/
1242 /* These functions take a list of bit indexes (terminated by -1) and
1243 clear or set the corresponding bits in the selector.
1246 selector address of the bit string
1247 selsize number of words in the bit string
1248 bits list of bits to set
1252 bits_clear(unsigned int *selector, size_t selsize, int *bits)
1254 for(; *bits != -1; ++bits)
1255 BIT_CLEAR(selector, selsize, *bits);
1259 bits_set(unsigned int *selector, size_t selsize, int *bits)
1261 for(; *bits != -1; ++bits)
1262 BIT_SET(selector, selsize, *bits);
1267 /*************************************************
1268 * Decode bit settings for log/debug *
1269 *************************************************/
1271 /* This function decodes a string containing bit settings in the form of +name
1272 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1273 also recognizes a numeric setting of the form =<number>, but this is not
1274 intended for user use. It's an easy way for Exim to pass the debug settings
1275 when it is re-exec'ed.
1277 The option table is a list of names and bit indexes. The index -1
1278 means "set all bits, except for those listed in notall". The notall
1279 list is terminated by -1.
1281 The action taken for bad values varies depending upon why we're here.
1282 For log messages, or if the debugging is triggered from config, then we write
1283 to the log on the way out. For debug setting triggered from the command-line,
1284 we treat it as an unknown option: error message to stderr and die.
1287 selector address of the bit string
1288 selsize number of words in the bit string
1289 notall list of bits to exclude from "all"
1290 string the configured string
1291 options the table of option names
1293 which "log" or "debug"
1294 flags DEBUG_FROM_CONFIG
1296 Returns: nothing on success - bomb out on failure
1300 decode_bits(unsigned int *selector, size_t selsize, int *notall,
1301 uschar *string, bit_table *options, int count, uschar *which, int flags)
1304 if (!string) return;
1308 char *end; /* Not uschar */
1309 memset(selector, 0, sizeof(*selector)*selsize);
1310 *selector = strtoul(CS string+1, &end, 0);
1312 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1317 /* Handle symbolic setting */
1324 bit_table *start, *end;
1326 Uskip_whitespace(&string);
1327 if (!*string) return;
1329 if (*string != '+' && *string != '-')
1331 errmsg = string_sprintf("malformed %s_selector setting: "
1332 "+ or - expected but found \"%s\"", which, string);
1336 adding = *string++ == '+';
1338 while (isalnum(*string) || *string == '_') string++;
1342 end = options + count;
1346 bit_table *middle = start + (end - start)/2;
1347 int c = Ustrncmp(s, middle->name, len);
1349 if (middle->name[len] != 0) c = -1; else
1351 unsigned int bit = middle->bit;
1357 memset(selector, -1, sizeof(*selector)*selsize);
1358 bits_clear(selector, selsize, notall);
1361 memset(selector, 0, sizeof(*selector)*selsize);
1364 BIT_SET(selector, selsize, bit);
1366 BIT_CLEAR(selector, selsize, bit);
1368 break; /* Out of loop to match selector name */
1370 if (c < 0) end = middle; else start = middle + 1;
1371 } /* Loop to match selector name */
1375 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1376 adding? '+' : '-', len, s);
1379 } /* Loop for selector names */
1381 /* Handle disasters */
1384 if (Ustrcmp(which, "debug") == 0)
1386 if (flags & DEBUG_FROM_CONFIG)
1388 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1391 fprintf(stderr, "exim: %s\n", errmsg);
1394 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1399 /*************************************************
1400 * Activate a debug logfile (late) *
1401 *************************************************/
1403 /* Normally, debugging is activated from the command-line; it may be useful
1404 within the configuration to activate debugging later, based on certain
1405 conditions. If debugging is already in progress, we return early, no action
1406 taken (besides debug-logging that we wanted debug-logging).
1408 Failures in options are not fatal but will result in paniclog entries for the
1411 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1412 which can be combined with conditions, etc, to activate extra logging only
1413 for certain sources. The second use is inetd wait mode debug preservation. */
1416 debug_logging_activate(uschar *tag_name, uschar *opts)
1422 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1423 "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
1427 if (tag_name != NULL && (Ustrchr(tag_name, '/') != NULL))
1429 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1434 debug_selector = D_default;
1436 decode_bits(&debug_selector, 1, debug_notall, opts,
1437 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1439 /* When activating from a transport process we may never have logged at all
1440 resulting in certain setup not having been done. Hack this for now so we
1441 do not segfault; note that nondefault log locations will not work */
1443 if (!*file_path) set_file_path();
1445 open_log(&fd, lt_debug, tag_name);
1448 debug_file = fdopen(fd, "w");
1450 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
1455 debug_logging_stop(void)
1457 if (!debug_file || !debuglog_name[0]) return;
1462 unlink_log(lt_debug);