1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions concerned with running Exim as a daemon */
15 /* Structure for holding data for each SMTP connection */
17 typedef struct smtp_slot {
18 pid_t pid; /* pid of the spawned reception process */
19 uschar *host_address; /* address of the client host */
22 /* An empty slot for initializing (Standard C does not allow constructor
23 expressions in assignments except as initializers in declarations). */
25 static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL };
29 /*************************************************
30 * Local static variables *
31 *************************************************/
33 static SIGNAL_BOOL sigchld_seen;
34 static SIGNAL_BOOL sighup_seen;
35 static SIGNAL_BOOL sigterm_seen;
37 static int accept_retry_count = 0;
38 static int accept_retry_errno;
39 static BOOL accept_retry_select_failed;
41 static int queue_run_count = 0;
42 static pid_t *queue_pid_slots = NULL;
43 static smtp_slot *smtp_slots = NULL;
45 static BOOL write_pid = TRUE;
49 /*************************************************
51 *************************************************/
53 /* All this handler does is to set a flag and re-enable the signal.
55 Argument: the signal number
60 sighup_handler(int sig)
62 sig = sig; /* Keep picky compilers happy */
64 signal(SIGHUP, sighup_handler);
69 /*************************************************
70 * SIGCHLD handler for main daemon process *
71 *************************************************/
73 /* Don't re-enable the handler here, since we aren't doing the
74 waiting here. If the signal is re-enabled, there will just be an
75 infinite sequence of calls to this handler. The SIGCHLD signal is
76 used just as a means of waking up the daemon so that it notices
77 terminated subprocesses as soon as possible.
79 Argument: the signal number
84 main_sigchld_handler(int sig)
86 sig = sig; /* Keep picky compilers happy */
87 os_non_restarting_signal(SIGCHLD, SIG_DFL);
92 /* SIGTERM handler. Try to get the damon pif file removed
96 main_sigterm_handler(int sig)
104 /*************************************************
105 * Unexpected errors in SMTP calls *
106 *************************************************/
108 /* This function just saves a bit of repetitious coding.
111 log_msg Text of message to be logged
112 smtp_msg Text of SMTP error message
113 was_errno The failing errno
119 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
121 uschar *emsg = was_errno <= 0
122 ? US"" : string_sprintf(": %s", strerror(was_errno));
123 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
124 if (smtp_out) smtp_printf("421 %s\r\n", FALSE, smtp_msg);
130 /*************************************************
131 *************************************************/
133 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
135 unlink_notifier_socket(void)
137 uschar * s = expand_string(notifier_socket);
138 DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", s);
145 close_daemon_sockets(int daemon_notifier_fd,
146 int * listen_sockets, int listen_socket_count)
148 if (daemon_notifier_fd >= 0)
150 (void) close(daemon_notifier_fd);
151 daemon_notifier_fd = -1;
152 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
153 unlink_notifier_socket();
157 for (int i = 0; i < listen_socket_count; i++) (void) close(listen_sockets[i]);
161 /*************************************************
162 * Handle a connected SMTP call *
163 *************************************************/
165 /* This function is called when an SMTP connection has been accepted.
166 If there are too many, give an error message and close down. Otherwise
167 spin off a sub-process to handle the call. The list of listening sockets
168 is required so that they can be closed in the sub-process. Take care not to
169 leak store in this process - reset the stacking pool at the end.
172 listen_sockets sockets which are listening for incoming calls
173 listen_socket_count count of listening sockets
174 accept_socket socket of the current accepted call
175 accepted socket information about the current call
181 handle_smtp_call(int *listen_sockets, int listen_socket_count,
182 int accept_socket, struct sockaddr *accepted)
185 union sockaddr_46 interface_sockaddr;
186 EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
187 int dup_accept_socket = -1;
188 int max_for_this_host = 0;
189 int save_log_selector = *log_selector;
192 rmark reset_point = store_mark();
194 /* Make the address available in ASCII representation, and also fish out
197 sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
198 DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
199 sender_host_address, sender_host_port);
201 /* Set up the output stream, check the socket has duplicated, and set up the
202 input stream. These operations fail only the exceptional circumstances. Note
203 that never_error() won't use smtp_out if it is NULL. */
205 if (!(smtp_out = fdopen(accept_socket, "wb")))
207 never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
211 if ((dup_accept_socket = dup(accept_socket)) < 0)
213 never_error(US"daemon: couldn't dup socket descriptor",
214 US"Connection setup failed", errno);
218 if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
220 never_error(US"daemon: fdopen() for smtp_in failed",
221 US"Connection setup failed", errno);
225 /* Get the data for the local interface address. Panic for most errors, but
226 "connection reset by peer" just means the connection went away. */
228 if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
231 log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
232 "getsockname() failed: %s", strerror(errno));
233 smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n", FALSE);
237 interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
238 DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
239 interface_address, interface_port);
241 /* Build a string identifying the remote host and, if requested, the port and
242 the local interface data. This is for logging; at the end of this function the
243 memory is reclaimed. */
245 whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
247 if (LOGGING(incoming_port))
248 whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
250 if (LOGGING(incoming_interface))
251 whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
252 interface_address, interface_port);
254 (void) string_from_gstring(whofrom); /* Terminate the newly-built string */
256 /* Check maximum number of connections. We do not check for reserved
257 connections or unacceptable hosts here. That is done in the subprocess because
258 it might take some time. */
260 if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
262 DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
263 smtp_accept_count, smtp_accept_max);
264 smtp_printf("421 Too many concurrent SMTP connections; "
265 "please try again later.\r\n", FALSE);
266 log_write(L_connection_reject,
267 LOG_MAIN, "Connection from %s refused: too many connections",
272 /* If a load limit above which only reserved hosts are acceptable is defined,
273 get the load average here, and if there are in fact no reserved hosts, do
274 the test right away (saves a fork). If there are hosts, do the check in the
275 subprocess because it might take time. */
277 if (smtp_load_reserve >= 0)
279 load_average = OS_GETLOADAVG();
280 if (smtp_reserve_hosts == NULL && load_average > smtp_load_reserve)
282 DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
283 (double)load_average/1000.0);
284 smtp_printf("421 Too much load; please try again later.\r\n", FALSE);
285 log_write(L_connection_reject,
286 LOG_MAIN, "Connection from %s refused: load average = %.2f",
287 whofrom->s, (double)load_average/1000.0);
292 /* Check that one specific host (strictly, IP address) is not hogging
293 resources. This is done here to prevent a denial of service attack by someone
294 forcing you to fork lots of times before denying service. The value of
295 smtp_accept_max_per_host is a string which is expanded. This makes it possible
296 to provide host-specific limits according to $sender_host address, but because
297 this is in the daemon mainline, only fast expansions (such as inline address
298 checks) should be used. The documentation is full of warnings. */
300 if (smtp_accept_max_per_host != NULL)
302 uschar *expanded = expand_string(smtp_accept_max_per_host);
303 if (expanded == NULL)
305 if (!f.expand_string_forcedfail)
306 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
307 "failed for %s: %s", whofrom->s, expand_string_message);
309 /* For speed, interpret a decimal number inline here */
312 uschar *s = expanded;
314 max_for_this_host = max_for_this_host * 10 + *s++ - '0';
316 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
317 "for %s contains non-digit: %s", whofrom->s, expanded);
321 /* If we have fewer connections than max_for_this_host, we can skip the tedious
322 per host_address checks. Note that at this stage smtp_accept_count contains the
323 count of *other* connections, not including this one. */
325 if ((max_for_this_host > 0) &&
326 (smtp_accept_count >= max_for_this_host))
328 int host_accept_count = 0;
329 int other_host_count = 0; /* keep a count of non matches to optimise */
331 for (int i = 0; i < smtp_accept_max; ++i)
332 if (smtp_slots[i].host_address)
334 if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
339 /* Testing all these strings is expensive - see if we can drop out
340 early, either by hitting the target, or finding there are not enough
341 connections left to make the target. */
343 if ((host_accept_count >= max_for_this_host) ||
344 ((smtp_accept_count - other_host_count) < max_for_this_host))
348 if (host_accept_count >= max_for_this_host)
350 DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
351 "IP address: count=%d max=%d\n",
352 host_accept_count, max_for_this_host);
353 smtp_printf("421 Too many concurrent SMTP connections "
354 "from this IP address; please try again later.\r\n", FALSE);
355 log_write(L_connection_reject,
356 LOG_MAIN, "Connection from %s refused: too many connections "
357 "from that IP address", whofrom->s);
363 /* OK, the connection count checks have been passed. Before we can fork the
364 accepting process, we must first log the connection if requested. This logging
365 used to happen in the subprocess, but doing that means that the value of
366 smtp_accept_count can be out of step by the time it is logged. So we have to do
367 the logging here and accept the performance cost. Note that smtp_accept_count
368 hasn't yet been incremented to take account of this connection.
370 In order to minimize the cost (because this is going to happen for every
371 connection), do a preliminary selector test here. This saves ploughing through
372 the generalized logging code each time when the selector is false. If the
373 selector is set, check whether the host is on the list for logging. If not,
374 arrange to unset the selector in the subprocess. */
376 if (LOGGING(smtp_connection))
378 uschar *list = hosts_connection_nolog;
379 memset(sender_host_cache, 0, sizeof(sender_host_cache));
380 if (list != NULL && verify_check_host(&list) == OK)
381 save_log_selector &= ~L_smtp_connection;
383 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %s "
384 "(TCP/IP connection count = %d)", whofrom->s, smtp_accept_count + 1);
387 /* Now we can fork the accepting process; do a lookup tidy, just in case any
388 expansion above did a lookup. */
391 pid = exim_fork(US"daemon-accept");
393 /* Handle the child process */
397 int queue_only_reason = 0;
398 int old_pool = store_pool;
399 int save_debug_selector = debug_selector;
400 BOOL local_queue_only;
401 BOOL session_local_queue_only;
403 struct sigaction act;
406 smtp_accept_count++; /* So that it includes this process */
408 /* May have been modified for the subprocess */
410 *log_selector = save_log_selector;
412 /* Get the local interface address into permanent store */
414 store_pool = POOL_PERM;
415 interface_address = string_copy(interface_address);
416 store_pool = old_pool;
418 /* Check for a tls-on-connect port */
420 if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
422 /* Expand smtp_active_hostname if required. We do not do this any earlier,
423 because it may depend on the local interface address (indeed, that is most
424 likely what it depends on.) */
426 smtp_active_hostname = primary_hostname;
427 if (raw_active_hostname)
429 uschar * nah = expand_string(raw_active_hostname);
432 if (!f.expand_string_forcedfail)
434 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
435 "(smtp_active_hostname): %s", raw_active_hostname,
436 expand_string_message);
437 smtp_printf("421 Local configuration error; "
438 "please try again later.\r\n", FALSE);
441 exim_underbar_exit(EXIT_FAILURE);
444 else if (*nah) smtp_active_hostname = nah;
447 /* Initialize the queueing flags */
450 session_local_queue_only = queue_only;
452 /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
453 We also attempt to set things up so that children are automatically reaped,
454 but just in case this isn't available, there's a paranoid waitpid() in the
455 loop too (except for systems where we are sure it isn't needed). See the more
456 extensive comment before the reception loop in exim.c for a fuller
457 explanation of this logic. */
459 close_daemon_sockets(daemon_notifier_fd, listen_sockets, listen_socket_count);
461 /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
462 to be able to communicate with them, under any circumstances. */
463 (void)fcntl(accept_socket, F_SETFD,
464 fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
465 (void)fcntl(dup_accept_socket, F_SETFD,
466 fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
469 act.sa_handler = SIG_IGN;
470 sigemptyset(&(act.sa_mask));
471 act.sa_flags = SA_NOCLDWAIT;
472 sigaction(SIGCHLD, &act, NULL);
474 signal(SIGCHLD, SIG_IGN);
476 signal(SIGTERM, SIG_DFL);
477 signal(SIGINT, SIG_DFL);
479 /* Attempt to get an id from the sending machine via the RFC 1413
480 protocol. We do this in the sub-process in order not to hold up the
481 main process if there is any delay. Then set up the fullhost information
482 in case there is no HELO/EHLO.
484 If debugging is enabled only for the daemon, we must turn if off while
485 finding the id, but turn it on again afterwards so that information about the
486 incoming connection is output. */
488 if (f.debug_daemon) debug_selector = 0;
489 verify_get_ident(IDENT_PORT);
490 host_build_sender_fullhost();
491 debug_selector = save_debug_selector;
494 debug_printf("Process %d is handling incoming connection from %s\n",
495 (int)getpid(), sender_fullhost);
497 /* Now disable debugging permanently if it's required only for the daemon
500 if (f.debug_daemon) debug_selector = 0;
502 /* If there are too many child processes for immediate delivery,
503 set the session_local_queue_only flag, which is initialized from the
504 configured value and may therefore already be TRUE. Leave logging
505 till later so it will have a message id attached. Note that there is no
506 possibility of re-calculating this per-message, because the value of
507 smtp_accept_count does not change in this subprocess. */
509 if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
511 session_local_queue_only = TRUE;
512 queue_only_reason = 1;
515 /* Handle the start of the SMTP session, then loop, accepting incoming
516 messages from the SMTP connection. The end will come at the QUIT command,
517 when smtp_setup_msg() returns 0. A break in the connection causes the
518 process to die (see accept.c).
520 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
521 because a log line has already been written for all its failure exists
522 (usually "connection refused: <reason>") and writing another one is
523 unnecessary clutter. */
525 if (!smtp_start_session())
529 exim_underbar_exit(EXIT_SUCCESS);
535 message_id[0] = 0; /* Clear out any previous message_id */
536 reset_point = store_mark(); /* Save current store high water point */
539 debug_printf("Process %d is ready for new message\n", (int)getpid());
541 /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
542 unacceptable host or if an ACL "drop" command was triggered, -1 on
543 connection lost, and +1 on validly reaching DATA. Receive_msg() almost
544 always returns TRUE when smtp_input is true; just retry if no message was
545 accepted (can happen for invalid message parameters). However, it can yield
546 FALSE if the connection was forcibly dropped by the DATA ACL. */
548 if ((rc = smtp_setup_msg()) > 0)
550 BOOL ok = receive_msg(FALSE);
551 search_tidyup(); /* Close cached databases */
552 if (!ok) /* Connection was dropped */
554 cancel_cutthrough_connection(TRUE, US"receive dropped");
556 smtp_log_no_mail(); /* Log no mail if configured */
557 exim_underbar_exit(EXIT_SUCCESS);
559 if (message_id[0] == 0) continue; /* No message was accepted */
565 int fd = fileno(smtp_in);
569 /* drain socket, for clean TCP FINs */
570 if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
571 for(int i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
573 cancel_cutthrough_connection(TRUE, US"message setup dropped");
575 smtp_log_no_mail(); /* Log no mail if configured */
577 /*XXX should we pause briefly, hoping that the client will be the
578 active TCP closer hence get the TCP_WAIT endpoint? */
579 DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
580 exim_underbar_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
583 /* Show the recipients when debugging */
588 debug_printf("Sender: %s\n", sender_address);
591 debug_printf("Recipients:\n");
592 for (int i = 0; i < recipients_count; i++)
593 debug_printf(" %s\n", recipients_list[i].address);
597 /* A message has been accepted. Clean up any previous delivery processes
598 that have completed and are defunct, on systems where they don't go away
599 by themselves (see comments when setting SIG_IGN above). On such systems
600 (if any) these delivery processes hang around after termination until
601 the next message is received. */
603 #ifndef SIG_IGN_WORKS
604 while (waitpid(-1, NULL, WNOHANG) > 0);
607 /* Reclaim up the store used in accepting this message */
610 int r = receive_messagecount;
611 BOOL q = f.queue_only_policy;
612 smtp_reset(reset_point);
614 f.queue_only_policy = q;
615 receive_messagecount = r;
618 /* If queue_only is set or if there are too many incoming connections in
619 existence, session_local_queue_only will be TRUE. If it is not, check
620 whether we have received too many messages in this session for immediate
623 if (!session_local_queue_only &&
624 smtp_accept_queue_per_connection > 0 &&
625 receive_messagecount > smtp_accept_queue_per_connection)
627 session_local_queue_only = TRUE;
628 queue_only_reason = 2;
631 /* Initialize local_queue_only from session_local_queue_only. If it is not
632 true, and queue_only_load is set, check that the load average is below it.
633 If local_queue_only is set by this means, we also set if for the session if
634 queue_only_load_latch is true (the default). This means that, once set,
635 local_queue_only remains set for any subsequent messages on the same SMTP
636 connection. This is a deliberate choice; even though the load average may
637 fall, it doesn't seem right to deliver later messages on the same call when
638 not delivering earlier ones. However, the are special circumstances such as
639 very long-lived connections from scanning appliances where this is not the
640 best strategy. In such cases, queue_only_load_latch should be set false. */
642 if ( !(local_queue_only = session_local_queue_only)
643 && queue_only_load >= 0
644 && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
647 queue_only_reason = 3;
648 if (queue_only_load_latch) session_local_queue_only = TRUE;
651 /* Log the queueing here, when it will get a message id attached, but
652 not if queue_only is set (case 0). */
654 if (local_queue_only) switch(queue_only_reason)
656 case 1: log_write(L_delay_delivery,
657 LOG_MAIN, "no immediate delivery: too many connections "
658 "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
661 case 2: log_write(L_delay_delivery,
662 LOG_MAIN, "no immediate delivery: more than %d messages "
663 "received in one connection", smtp_accept_queue_per_connection);
666 case 3: log_write(L_delay_delivery,
667 LOG_MAIN, "no immediate delivery: load average %.2f",
668 (double)load_average/1000.0);
672 /* If a delivery attempt is required, spin off a new process to handle it.
673 If we are not root, we have to re-exec exim unless deliveries are being
674 done unprivileged. */
676 else if ( (!f.queue_only_policy || f.queue_smtp)
677 && !f.deliver_freeze)
681 /* Before forking, ensure that the C output buffer is flushed. Otherwise
682 anything that it in it will get duplicated, leading to duplicate copies
683 of the pending output. */
687 if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0)
689 (void)fclose(smtp_in);
690 (void)fclose(smtp_out);
692 /* Don't ever molest the parent's SSL connection, but do clean up
693 the data structures if necessary. */
696 tls_close(NULL, TLS_NO_SHUTDOWN);
699 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
701 signal(SIGHUP, SIG_DFL);
702 signal(SIGCHLD, SIG_DFL);
703 signal(SIGTERM, SIG_DFL);
704 signal(SIGINT, SIG_DFL);
706 if (geteuid() != root_uid && !deliver_drop_privilege)
708 signal(SIGALRM, SIG_DFL);
709 delivery_re_exec(CEE_EXEC_PANIC);
710 /* Control does not return here. */
713 /* No need to re-exec; SIGALRM remains set to the default handler */
715 (void) deliver_message(message_id, FALSE, FALSE);
717 exim_underbar_exit(EXIT_SUCCESS);
722 release_cutthrough_connection(US"passed for delivery");
723 DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
727 cancel_cutthrough_connection(TRUE, US"delivery fork failed");
728 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
729 "failed: %s", strerror(errno));
736 /* Carrying on in the parent daemon process... Can't do much if the fork
737 failed. Otherwise, keep count of the number of accepting processes and
738 remember the pid for ticking off when the child completes. */
741 never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
744 for (int i = 0; i < smtp_accept_max; ++i)
745 if (smtp_slots[i].pid <= 0)
747 smtp_slots[i].pid = pid;
748 /* Connection closes come asyncronously, so we cannot stack this store */
749 if (smtp_accept_max_per_host)
750 smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
754 DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
755 smtp_accept_count, smtp_accept_count == 1 ? "" : "es");
758 /* Get here via goto in error cases */
762 /* Close the streams associated with the socket which will also close the
763 socket fds in this process. We can't do anything if fclose() fails, but
764 logging brings it to someone's attention. However, "connection reset by peer"
765 isn't really a problem, so skip that one. On Solaris, a dropped connection can
766 manifest itself as a broken pipe, so drop that one too. If the streams don't
767 exist, something went wrong while setting things up. Make sure the socket
768 descriptors are closed, in order to drop the connection. */
772 if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
773 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
777 else (void)close(accept_socket);
781 if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
782 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
786 else (void)close(dup_accept_socket);
788 /* Release any store used in this process, including the store used for holding
789 the incoming host address and an expanded active_hostname. */
793 sender_host_address = NULL;
794 store_reset(reset_point);
795 sender_host_address = NULL;
801 /*************************************************
802 * Check wildcard listen special cases *
803 *************************************************/
805 /* This function is used when binding and listening on lists of addresses and
806 ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
807 sockets may interact in different ways in different operating systems. It is
808 passed an error number, the list of listening addresses, and the current
809 address. Two checks are available: for a previous wildcard IPv6 address, or for
810 a following wildcard IPv4 address, in both cases on the same port.
812 In practice, pairs of wildcard addresses should be adjacent in the address list
813 because they are sorted that way below.
817 addresses the list of addresses
818 ipa the current IP address
819 back if TRUE, check for previous wildcard IPv6 address
820 if FALSE, check for a following wildcard IPv4 address
822 Returns: TRUE or FALSE
826 check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
829 ip_address_item *ipa2;
831 /* For the "back" case, if the failure was "address in use" for a wildcard IPv4
832 address, seek a previous IPv6 wildcard address on the same port. As it is
833 previous, it must have been successfully bound and be listening. Flag it as a
834 "6 including 4" listener. */
838 if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
839 for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
841 if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
843 ipa2->v6_include_v4 = TRUE;
849 /* For the "forward" case, if the current address is a wildcard IPv6 address,
850 we seek a following wildcard IPv4 address on the same port. */
854 if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
855 for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
856 if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
865 /*************************************************
866 * Handle terminating subprocesses *
867 *************************************************/
869 /* Handle the termination of child processes. Theoretically, this need be done
870 only when sigchld_seen is TRUE, but rumour has it that some systems lose
871 SIGCHLD signals at busy times, so to be on the safe side, this function is
872 called each time round. It shouldn't be too expensive.
879 handle_ending_processes(void)
884 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
888 debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
890 if (WIFEXITED(status))
891 debug_printf(" normal exit, %d\n", WEXITSTATUS(status));
892 else if (WIFSIGNALED(status))
893 debug_printf(" signal exit, signal %d%s\n", WTERMSIG(status),
894 WCOREDUMP(status) ? " (core dumped)" : "");
898 /* If it's a listening daemon for which we are keeping track of individual
899 subprocesses, deal with an accepting process that has terminated. */
904 for (i = 0; i < smtp_accept_max; i++)
905 if (smtp_slots[i].pid == pid)
907 if (smtp_slots[i].host_address)
908 store_free(smtp_slots[i].host_address);
909 smtp_slots[i] = empty_smtp_slot;
910 if (--smtp_accept_count < 0) smtp_accept_count = 0;
911 DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
912 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
915 if (i < smtp_accept_max) continue; /* Found an accepting process */
918 /* If it wasn't an accepting process, see if it was a queue-runner
919 process that we are tracking. */
923 int max = atoi(CS expand_string(queue_run_max));
924 for (int i = 0; i < max; i++)
925 if (queue_pid_slots[i] == pid)
927 queue_pid_slots[i] = 0;
928 if (--queue_run_count < 0) queue_run_count = 0;
929 DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
930 queue_run_count, (queue_run_count == 1)? "" : "es");
939 set_pid_file_path(void)
941 if (override_pid_file_path)
942 pid_file_path = override_pid_file_path;
945 pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
947 if (pid_file_path[0] != '/')
948 log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
952 enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
954 /* Do various pid file operations as safe as possible. Ideally we'd just
955 drop the privileges for creation of the pid file and not care at all about removal of
957 Returns: true on success, false + errno==EACCES otherwise
960 operate_on_pid_file(const enum pid_op operation, const pid_t pid)
962 char pid_line[sizeof(int) * 3 + 2];
963 const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
964 BOOL lines_match = FALSE;
970 const int dir_flags = O_RDONLY | O_NONBLOCK;
971 const int base_flags = O_NOFOLLOW | O_NONBLOCK;
972 const mode_t base_mode = 0644;
979 BOOL success = FALSE;
983 if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
984 if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
986 path = CS string_copy(pid_file_path);
987 if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */
988 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
990 dir = (base != path) ? path : "/";
993 if (!dir || !*dir || *dir != '/') goto cleanup;
994 if (!base || !*base || strchr(base, '/') != NULL) goto cleanup;
996 cwd_fd = open(".", dir_flags);
997 if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
998 dir_fd = open(dir, dir_flags);
999 if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
1001 /* emulate openat */
1002 if (fchdir(dir_fd) != 0) goto cleanup;
1003 base_fd = open(base, O_RDONLY | base_flags);
1004 if (fchdir(cwd_fd) != 0)
1005 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1009 char line[sizeof(pid_line)];
1012 if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
1013 if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
1014 if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
1016 len = read(base_fd, line, sizeof(line));
1017 if (len != (ssize_t)sb.st_size) goto cleanup;
1020 if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
1021 if (line[len-1] != '\n') goto cleanup;
1022 lines_match = (len == pid_len && strcmp(line, pid_line) == 0);
1025 if (operation == PID_WRITE)
1032 /* emulate unlinkat */
1033 if (fchdir(dir_fd) != 0) goto cleanup;
1034 error = unlink(base);
1035 if (fchdir(cwd_fd) != 0)
1036 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1037 if (error) goto cleanup;
1038 (void)close(base_fd);
1041 /* emulate openat */
1042 if (fchdir(dir_fd) != 0) goto cleanup;
1043 base_fd = open(base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
1044 if (fchdir(cwd_fd) != 0)
1045 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1046 if (base_fd < 0) goto cleanup;
1047 if (fchmod(base_fd, base_mode) != 0) goto cleanup;
1048 if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
1049 DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
1054 if (!lines_match) goto cleanup;
1055 if (operation == PID_DELETE)
1058 /* emulate unlinkat */
1059 if (fchdir(dir_fd) != 0) goto cleanup;
1060 error = unlink(base);
1061 if (fchdir(cwd_fd) != 0)
1062 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1063 if (error) goto cleanup;
1071 if (cwd_fd >= 0) (void)close(cwd_fd);
1072 if (dir_fd >= 0) (void)close(dir_fd);
1073 if (base_fd >= 0) (void)close(base_fd);
1078 /* Remove the daemon's pidfile. Note: runs with root privilege,
1079 as a direct child of the daemon. Does not return. */
1082 delete_pid_file(void)
1084 const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
1087 debug_printf("delete pid file %s %s: %s\n", pid_file_path,
1088 success ? "success" : "failure", strerror(errno));
1090 exim_exit(EXIT_SUCCESS);
1094 /* Called by the daemon; exec a child to get the pid file deleted
1095 since we may require privs for the containing directory */
1102 DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
1103 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
1104 tls_watch_invalidate();
1107 if (daemon_notifier_fd >= 0)
1109 close(daemon_notifier_fd);
1110 daemon_notifier_fd = -1;
1111 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1112 unlink_notifier_socket();
1116 if (f.running_in_test_harness || write_pid)
1118 if ((pid = exim_fork(US"daemon-del-pidfile")) == 0)
1120 if (override_pid_file_path)
1121 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3,
1122 "-oP", override_pid_file_path, "-oPX");
1124 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX");
1126 /* Control never returns here. */
1129 child_close(pid, 1);
1131 exim_exit(EXIT_SUCCESS);
1135 /*************************************************
1136 * Listener socket for local work prompts *
1137 *************************************************/
1140 daemon_notifier_socket(void)
1143 const uschar * where;
1144 struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
1147 if (override_local_interfaces && !override_pid_file_path)
1150 debug_printf("-oX used without -oP so not creating notifier socket\n");
1154 DEBUG(D_any) debug_printf("creating notifier socket\n");
1157 if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0)
1158 { where = US"socket"; goto bad; }
1160 if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
1161 { where = US"socket"; goto bad; }
1162 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
1165 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1166 sa_un.sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1167 len = offsetof(struct sockaddr_un, sun_path) + 1
1168 + snprintf(sa_un.sun_path+1, sizeof(sa_un.sun_path)-1, "%s",
1169 expand_string(notifier_socket));
1170 DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1);
1171 #else /* filesystem-visible and persistent; will neeed removal */
1172 len = offsetof(struct sockaddr_un, sun_path)
1173 + snprintf(sa_un.sun_path, sizeof(sa_un.sun_path), "%s",
1174 expand_string(notifier_socket));
1175 DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path);
1178 if (bind(fd, (const struct sockaddr *)&sa_un, len) < 0)
1179 { where = US"bind"; goto bad; }
1181 #ifdef SO_PASSCRED /* Linux */
1182 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
1183 { where = US"SO_PASSCRED"; goto bad2; }
1184 #elif defined(LOCAL_CREDS) /* FreeBSD-ish */
1185 if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
1186 { where = US"LOCAL_CREDS"; goto bad2; }
1189 /* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */
1190 daemon_notifier_fd = fd;
1194 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1195 Uunlink(sa_un.sun_path);
1198 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s",
1199 __FUNCTION__, where, strerror(errno));
1205 static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1];
1207 /* Return TRUE if a sigalrm should be emulated */
1209 daemon_notification(void)
1211 uschar buf[256], cbuf[256];
1212 struct sockaddr_un sa_un;
1213 struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1};
1214 struct msghdr msg = { .msg_name = &sa_un,
1215 .msg_namelen = sizeof(sa_un),
1218 .msg_control = cbuf,
1219 .msg_controllen = sizeof(cbuf)
1223 buf[sizeof(buf)-1] = 0;
1224 if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return FALSE;
1225 if (sz >= sizeof(buf)) return FALSE;
1228 debug_printf("addrlen %d\n", msg.msg_namelen);
1230 DEBUG(D_queue_run) debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__,
1231 *sa_un.sun_path ? "" : "@",
1232 (int)msg.msg_namelen - (*sa_un.sun_path ? 0 : 1),
1233 sa_un.sun_path + (*sa_un.sun_path ? 0 : 1));
1235 /* Refuse to handle the item unless the peer has good credentials */
1236 #ifdef SCM_CREDENTIALS
1237 # define EXIM_SCM_CR_TYPE SCM_CREDENTIALS
1238 #elif defined(LOCAL_CREDS) && defined(SCM_CREDS)
1239 # define EXIM_SCM_CR_TYPE SCM_CREDS
1241 /* The OS has no way to get the creds of the caller (for a unix/datagram socket.
1242 Punt; don't try to check. */
1245 #ifdef EXIM_SCM_CR_TYPE
1246 for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg);
1248 cp = CMSG_NXTHDR(&msg, cp))
1249 if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE)
1251 # ifdef SCM_CREDENTIALS /* Linux */
1252 struct ucred * cr = (struct ucred *) CMSG_DATA(cp);
1253 if (cr->uid && cr->uid != exim_uid)
1255 DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n",
1256 __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid);
1259 # elif defined(LOCAL_CREDS) /* BSD-ish */
1260 struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp);
1261 if (cr->sc_uid && cr->sc_uid != exim_uid)
1263 DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n",
1264 __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid);
1275 #ifdef EXPERIMENTAL_QUEUE_RAMP
1276 case NOTIFY_MSG_QRUN:
1277 /* this should be a message_id */
1279 debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1);
1280 memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1);
1282 #endif /*EXPERIMENTAL_QUEUE_RAMP*/
1284 case NOTIFY_QUEUE_SIZE_REQ:
1287 int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
1290 debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf);
1292 if (sendto(daemon_notifier_fd, buf, len, 0,
1293 (const struct sockaddr *)&sa_un, msg.msg_namelen) < 0)
1294 log_write(0, LOG_MAIN|LOG_PANIC,
1295 "%s: sendto: %s\n", __FUNCTION__, strerror(errno));
1303 /*************************************************
1304 * Exim Daemon Mainline *
1305 *************************************************/
1307 /* The daemon can do two jobs, either of which is optional:
1309 (1) Listens for incoming SMTP calls and spawns off a sub-process to handle
1310 each one. This is requested by the -bd option, with -oX specifying the SMTP
1311 port on which to listen (for testing).
1313 (2) Spawns a queue-running process every so often. This is controlled by the
1314 -q option with a an interval time. (If no time is given, a single queue run
1315 is done from the main function, and control doesn't get here.)
1317 Root privilege is required in order to attach to port 25. Some systems require
1318 it when calling socket() rather than bind(). To cope with all cases, we run as
1319 root for both socket() and bind(). Some systems also require root in order to
1320 write to the pid file directory. This function must therefore be called as root
1321 if it is to work properly in all circumstances. Once the socket is bound and
1322 the pid file written, root privilege is given up if there is an exim uid.
1324 There are no arguments to this function, and it never returns. */
1330 int *listen_sockets = NULL;
1331 int listen_socket_count = 0;
1332 ip_address_item *addresses = NULL;
1333 time_t last_connection_time = (time_t)0;
1334 int local_queue_run_max = atoi(CS expand_string(queue_run_max));
1336 process_purpose = US"daemon";
1338 /* If any debugging options are set, turn on the D_pid bit so that all
1339 debugging lines get the pid added. */
1341 DEBUG(D_any|D_v) debug_selector |= D_pid;
1343 if (f.inetd_wait_mode)
1345 listen_socket_count = 1;
1346 listen_sockets = store_get(sizeof(int), FALSE);
1348 if (dup2(0, 3) == -1)
1349 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1350 "failed to dup inetd socket safely away: %s", strerror(errno));
1352 listen_sockets[0] = 3;
1358 if (debug_file == stderr)
1360 /* need a call to log_write before call to open debug_file, so that
1361 log.c:file_path has been initialised. This is unfortunate. */
1362 log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
1366 exim_nullstd(); /* re-open fd2 after we just closed it again */
1367 debug_logging_activate(US"-wait", NULL);
1370 DEBUG(D_any) debug_printf("running in inetd wait mode\n");
1372 /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
1373 our own buffering; we assume though that inetd set the socket REUSEADDR. */
1376 if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
1377 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
1382 if (f.inetd_wait_mode || f.daemon_listen)
1384 /* If any option requiring a load average to be available during the
1385 reception of a message is set, call os_getloadavg() while we are root
1386 for those OS for which this is necessary the first time it is called (in
1387 order to perform an "open" on the kernel memory file). */
1389 #ifdef LOAD_AVG_NEEDS_ROOT
1390 if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
1391 (deliver_queue_load_max >= 0 && deliver_drop_privilege))
1392 (void)os_getloadavg();
1397 /* Do the preparation for setting up a listener on one or more interfaces, and
1398 possible on various ports. This is controlled by the combination of
1399 local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
1400 (which is a list of default ports to use for those items in local_interfaces
1401 that do not specify a port). The -oX command line option can be used to
1402 override one or both of these options.
1404 If local_interfaces is not set, the default is to listen on all interfaces.
1405 When it is set, it can include "all IPvx interfaces" as an item. This is useful
1406 when different ports are in use.
1408 It turns out that listening on all interfaces is messy in an IPv6 world,
1409 because several different implementation approaches have been taken. This code
1410 is now supposed to work with all of them. The point of difference is whether an
1411 IPv6 socket that is listening on all interfaces will receive incoming IPv4
1412 calls or not. We also have to cope with the case when IPv6 libraries exist, but
1413 there is no IPv6 support in the kernel.
1415 . On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
1416 addresses. However, if an IPv4 socket is also listening on all interfaces,
1417 calls are directed to the appropriate socket.
1419 . On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
1420 give them as mapped addresses, but an attempt also to listen on an IPv4
1421 socket on all interfaces causes an error.
1423 . On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
1424 two sockets if you want to accept both kinds of call.
1426 . FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
1427 can be turned off, to make it behave like the versions of Linux described
1430 . I heard a report that the USAGI IPv6 stack for Linux has implemented
1433 So, what we do when IPv6 is supported is as follows:
1435 (1) After it is set up, the list of interfaces is scanned for wildcard
1436 addresses. If an IPv6 and an IPv4 wildcard are both found for the same
1437 port, the list is re-arranged so that they are together, with the IPv6
1440 (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
1441 carry on if an IPv4 wildcard socket for the same port follows later in the
1442 list. This allows Exim to carry on in the case when the kernel has no IPv6
1445 (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
1446 option is defined. However, if setting fails, carry on regardless (but log
1449 (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
1452 (5) If binding or listening on an IPv4 wildcard socket fails with the error
1453 EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
1454 port (which must have succeeded or we wouldn't have got this far), we
1455 assume we are in the situation where just a single socket is permitted,
1456 and ignore the error.
1460 The preparation code decodes options and sets up the relevant data. We do this
1461 first, so that we can return non-zero if there are any syntax errors, and also
1464 if (f.daemon_listen && !f.inetd_wait_mode)
1466 int *default_smtp_port;
1470 const uschar * list;
1471 uschar *local_iface_source = US"local_interfaces";
1472 ip_address_item *ipa;
1473 ip_address_item **pipa;
1475 /* If -oX was used, disable the writing of a pid file unless -oP was
1476 explicitly used to force it. Then scan the string given to -oX. Any items
1477 that contain neither a dot nor a colon are used to override daemon_smtp_port.
1478 Any other items are used to override local_interfaces. */
1480 if (override_local_interfaces)
1482 gstring * new_smtp_port = NULL;
1483 gstring * new_local_interfaces = NULL;
1485 if (!override_pid_file_path) write_pid = FALSE;
1487 list = override_local_interfaces;
1489 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1492 gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port;
1498 *gp = string_catn(*gp, US"<", 1);
1501 *gp = string_catn(*gp, joinstr, 2);
1502 *gp = string_cat (*gp, s);
1507 daemon_smtp_port = string_from_gstring(new_smtp_port);
1508 DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n %s\n",
1512 if (new_local_interfaces)
1514 local_interfaces = string_from_gstring(new_local_interfaces);
1515 local_iface_source = US"-oX data";
1516 DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n %s\n",
1521 /* Create a list of default SMTP ports, to be used if local_interfaces
1522 contains entries without explicit ports. First count the number of ports, then
1523 build a translated list in a vector. */
1525 list = daemon_smtp_port;
1527 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1529 default_smtp_port = store_get((pct+1) * sizeof(int), FALSE);
1530 list = daemon_smtp_port;
1533 (s = string_nextinlist(&list, &sep, NULL, 0));
1539 default_smtp_port[pct] = Ustrtol(s, &end, 0);
1540 if (end != s + Ustrlen(s))
1541 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
1545 struct servent *smtp_service = getservbyname(CS s, "tcp");
1547 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1548 default_smtp_port[pct] = ntohs(smtp_service->s_port);
1551 default_smtp_port[pct] = 0;
1553 /* Check the list of TLS-on-connect ports and do name lookups if needed */
1555 list = tls_in.on_connect_ports;
1557 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1562 list = tls_in.on_connect_ports;
1563 tls_in.on_connect_ports = NULL;
1565 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1569 struct servent * smtp_service = getservbyname(CS s, "tcp");
1571 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1572 s = string_sprintf("%d", (int)ntohs(smtp_service->s_port));
1574 g = string_append_listele(g, ':', s);
1577 tls_in.on_connect_ports = g->s;
1581 /* Create the list of local interfaces, possibly with ports included. This
1582 list may contain references to 0.0.0.0 and ::0 as wildcards. These special
1583 values are converted below. */
1585 addresses = host_build_ifacelist(local_interfaces, local_iface_source);
1587 /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
1588 into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
1589 fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
1590 anyway, but we need to know which are the wildcard addresses, and the shorter
1593 In the same scan, fill in missing port numbers from the default list. When
1594 there is more than one item in the list, extra items are created. */
1596 for (ipa = addresses; ipa; ipa = ipa->next)
1598 if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
1599 ipa->address[0] = 0;
1600 else if (Ustrcmp(ipa->address, "::0") == 0)
1602 ipa->address[0] = ':';
1603 ipa->address[1] = 0;
1606 if (ipa->port > 0) continue;
1608 if (daemon_smtp_port[0] <= 0)
1609 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
1610 "%s and daemon_smtp_port is unset; cannot start daemon",
1611 ipa->address[0] == 0 ? US"\"all IPv4\"" :
1612 ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
1614 ipa->port = default_smtp_port[0];
1615 for (int i = 1; default_smtp_port[i] > 0; i++)
1617 ip_address_item *new = store_get(sizeof(ip_address_item), FALSE);
1619 memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
1620 new->port = default_smtp_port[i];
1621 new->next = ipa->next;
1627 /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
1628 wildcard for the same port, ensure that (a) they are together and (b) the
1629 IPv6 address comes first. This makes handling the messy features easier, and
1630 also simplifies the construction of the "daemon started" log line. */
1633 for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
1635 ip_address_item *ipa2;
1637 /* Handle an IPv4 wildcard */
1639 if (ipa->address[0] == 0)
1640 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1642 ip_address_item *ipa3 = ipa2->next;
1643 if (ipa3->address[0] == ':' &&
1644 ipa3->address[1] == 0 &&
1645 ipa3->port == ipa->port)
1647 ipa2->next = ipa3->next;
1654 /* Handle an IPv6 wildcard. */
1656 else if (ipa->address[0] == ':' && ipa->address[1] == 0)
1657 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1659 ip_address_item *ipa3 = ipa2->next;
1660 if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
1662 ipa2->next = ipa3->next;
1663 ipa3->next = ipa->next;
1671 /* Get a vector to remember all the sockets in */
1673 for (ipa = addresses; ipa; ipa = ipa->next)
1674 listen_socket_count++;
1675 listen_sockets = store_get(sizeof(int) * listen_socket_count, FALSE);
1677 } /* daemon_listen but not inetd_wait_mode */
1679 if (f.daemon_listen)
1682 /* Do a sanity check on the max connects value just to save us from getting
1683 a huge amount of store. */
1685 if (smtp_accept_max > 4095) smtp_accept_max = 4096;
1687 /* There's no point setting smtp_accept_queue unless it is less than the max
1688 connects limit. The configuration reader ensures that the max is set if the
1689 queue-only option is set. */
1691 if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
1693 /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
1694 track of them for total number and queue/host limits. */
1696 if (smtp_accept_max > 0)
1698 smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot), FALSE);
1699 for (int i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
1703 /* The variable background_daemon is always false when debugging, but
1704 can also be forced false in order to keep a non-debugging daemon in the
1705 foreground. If background_daemon is true, close all open file descriptors that
1706 we know about, but then re-open stdin, stdout, and stderr to /dev/null. Also
1707 do this for inetd_wait mode.
1709 This is protection against any called functions (in libraries, or in
1710 Perl, or whatever) that think they can write to stderr (or stdout). Before this
1711 was added, it was quite likely that an SMTP connection would use one of these
1712 file descriptors, in which case writing random stuff to it caused chaos.
1714 Then disconnect from the controlling terminal, Most modern Unixes seem to have
1715 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
1716 setsid() can be #defined as a no-op, or as something else. */
1718 if (f.background_daemon || f.inetd_wait_mode)
1720 log_close_all(); /* Just in case anything was logged earlier */
1721 search_tidyup(); /* Just in case any were used in reading the config. */
1722 (void)close(0); /* Get rid of stdin/stdout/stderr */
1725 exim_nullstd(); /* Connect stdin/stdout/stderr to /dev/null */
1726 log_stderr = NULL; /* So no attempt to copy paniclog output */
1729 if (f.background_daemon)
1731 /* If the parent process of this one has pid == 1, we are re-initializing the
1732 daemon as the result of a SIGHUP. In this case, there is no need to do
1733 anything, because the controlling terminal has long gone. Otherwise, fork, in
1734 case current process is a process group leader (see 'man setsid' for an
1735 explanation) before calling setsid(). */
1739 pid_t pid = exim_fork(US"daemon");
1740 if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1741 "fork() failed when starting daemon: %s", strerror(errno));
1742 if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */
1743 (void)setsid(); /* release controlling terminal */
1747 /* We are now in the disconnected, daemon process (unless debugging). Set up
1748 the listening sockets if required. */
1750 daemon_notifier_socket();
1752 if (f.daemon_listen && !f.inetd_wait_mode)
1755 ip_address_item *ipa;
1757 /* For each IP address, create a socket, bind it to the appropriate port, and
1758 start listening. See comments above about IPv6 sockets that may or may not
1759 accept IPv4 calls when listening on all interfaces. We also have to cope with
1760 the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
1761 listening, provided a wildcard IPv4 socket for the same port follows. */
1763 for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
1766 ip_address_item *ipa2;
1769 if (Ustrchr(ipa->address, ':') != NULL)
1772 wildcard = ipa->address[1] == 0;
1777 wildcard = ipa->address[0] == 0;
1780 if ((listen_sockets[sk] = ip_socket(SOCK_STREAM, af)) < 0)
1782 if (check_special_case(0, addresses, ipa, FALSE))
1784 log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
1785 "listening (%s): will use IPv4", strerror(errno));
1788 log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
1789 (af == AF_INET6)? '6' : '4', strerror(errno));
1792 /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
1793 available. Just log failure (can get protocol not available, just like
1794 socket creation can). */
1797 if (af == AF_INET6 && wildcard &&
1798 setsockopt(listen_sockets[sk], IPPROTO_IPV6, IPV6_V6ONLY, CS (&on),
1800 log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
1801 "socket failed (%s): carrying on without it", strerror(errno));
1802 #endif /* IPV6_V6ONLY */
1804 /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
1805 is being handled. Without this, a connection will prevent reuse of the
1806 smtp port for listening. */
1808 if (setsockopt(listen_sockets[sk], SOL_SOCKET, SO_REUSEADDR,
1809 US (&on), sizeof(on)) < 0)
1810 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
1811 "failed when starting daemon: %s", strerror(errno));
1813 /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
1814 disable this because it breaks some broken clients. */
1816 if (tcp_nodelay) setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_NODELAY,
1817 US (&on), sizeof(on));
1819 /* Now bind the socket to the required port; if Exim is being restarted
1820 it may not always be possible to bind immediately, even with SO_REUSEADDR
1821 set, so try 10 times, waiting between each try. After 10 failures, we give
1822 up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
1823 we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
1824 address for the same port, ignore the error on the grounds that we must be
1825 in a system where the IPv6 socket accepts both kinds of call. This is
1826 necessary for (some release of) USAGI Linux; other IP stacks fail at the
1827 listen() stage instead. */
1830 f.tcp_fastopen_ok = TRUE;
1835 if (ip_bind(listen_sockets[sk], af, ipa->address, ipa->port) >= 0) break;
1836 if (check_special_case(errno, addresses, ipa, TRUE))
1838 DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
1839 "listen() success; EADDRINUSE ignored\n");
1840 (void)close(listen_sockets[sk]);
1843 msg = US strerror(errno);
1849 if (daemon_startup_retries <= 0)
1850 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1851 "socket bind() to port %d for address %s failed: %s: "
1852 "daemon abandoned", ipa->port, addr, msg);
1853 log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
1854 "failed: %s: waiting %s before trying again (%d more %s)",
1855 ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
1856 daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
1857 daemon_startup_retries--;
1858 sleep(daemon_startup_sleep);
1863 debug_printf("listening on all interfaces (IPv%c) port %d\n",
1864 af == AF_INET6 ? '6' : '4', ipa->port);
1866 debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
1868 #if defined(TCP_FASTOPEN) && !defined(__APPLE__)
1869 if ( f.tcp_fastopen_ok
1870 && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
1871 &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
1873 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1874 f.tcp_fastopen_ok = FALSE;
1878 /* Start listening on the bound socket, establishing the maximum backlog of
1879 connections that is allowed. On success, continue to the next address. */
1881 if (listen(listen_sockets[sk], smtp_connect_backlog) >= 0)
1883 #if defined(TCP_FASTOPEN) && defined(__APPLE__)
1884 if ( f.tcp_fastopen_ok
1885 && setsockopt(listen_sockets[sk], IPPROTO_TCP, TCP_FASTOPEN,
1888 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1889 f.tcp_fastopen_ok = FALSE;
1895 /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
1896 fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
1897 and there was a previous successful IPv6 wildcard listen on the same port,
1898 we want to ignore the error on the grounds that we must be in a system
1899 where the IPv6 socket accepts both kinds of call. */
1901 if (!check_special_case(errno, addresses, ipa, TRUE))
1902 log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
1904 ? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
1907 DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
1908 "listen() success; EADDRINUSE ignored\n");
1909 (void)close(listen_sockets[sk]);
1911 /* Come here if there has been a problem with the socket which we
1912 are going to ignore. We remove the address from the chain, and back up the
1916 sk--; /* Back up the count */
1917 listen_socket_count--; /* Reduce the total */
1918 if (ipa == addresses) addresses = ipa->next; else
1920 for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
1921 ipa2->next = ipa->next;
1924 } /* End of bind/listen loop for each address */
1925 } /* End of setup for listening */
1928 /* If we are not listening, we want to write a pid file only if -oP was
1929 explicitly given. */
1931 else if (!override_pid_file_path)
1934 /* Write the pid to a known file for assistance in identification, if required.
1935 We do this before giving up root privilege, because on some systems it is
1936 necessary to be root in order to write into the pid file directory. There's
1937 nothing to stop multiple daemons running, as long as no more than one listens
1938 on a given TCP/IP port on the same interface(s). However, in these
1939 circumstances it gets far too complicated to mess with pid file names
1940 automatically. Consequently, Exim 4 writes a pid file only
1942 (a) When running in the test harness, or
1943 (b) When -bd is used and -oX is not used, or
1944 (c) When -oP is used to supply a path.
1946 The variable daemon_write_pid is used to control this. */
1948 if (f.running_in_test_harness || write_pid)
1950 const enum pid_op operation = (f.running_in_test_harness
1951 || real_uid == root_uid
1952 || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
1953 if (!operate_on_pid_file(operation, getpid()))
1954 DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
1957 /* Set up the handler for SIGHUP, which causes a restart of the daemon. */
1958 sighup_seen = FALSE;
1959 signal(SIGHUP, sighup_handler);
1961 /* Give up root privilege at this point (assuming that exim_uid and exim_gid
1962 are not root). The third argument controls the running of initgroups().
1963 Normally we do this, in order to set up the groups for the Exim user. However,
1964 if we are not root at this time - some odd installations run that way - we
1967 exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
1969 /* Update the originator_xxx fields so that received messages as listed as
1970 coming from Exim, not whoever started the daemon. */
1972 originator_uid = exim_uid;
1973 originator_gid = exim_gid;
1974 originator_login = (pw = getpwuid(exim_uid))
1975 ? string_copy_perm(US pw->pw_name, FALSE) : US"exim";
1977 /* Get somewhere to keep the list of queue-runner pids if we are keeping track
1978 of them (and also if we are doing queue runs). */
1980 if (queue_interval > 0 && local_queue_run_max > 0)
1982 queue_pid_slots = store_get(local_queue_run_max * sizeof(pid_t), FALSE);
1983 for (int i = 0; i < local_queue_run_max; i++) queue_pid_slots[i] = 0;
1986 /* Set up the handler for termination of child processes, and the one
1987 telling us to die. */
1989 sigchld_seen = FALSE;
1990 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
1992 sigterm_seen = FALSE;
1993 os_non_restarting_signal(SIGTERM, main_sigterm_handler);
1994 os_non_restarting_signal(SIGINT, main_sigterm_handler);
1996 /* If we are to run the queue periodically, pretend the alarm has just gone
1997 off. This will cause the first queue-runner to get kicked off straight away. */
1999 sigalrm_seen = (queue_interval > 0);
2001 /* Log the start up of a daemon - at least one of listening or queue running
2004 if (f.inetd_wait_mode)
2006 uschar *p = big_buffer;
2008 if (inetd_wait_timeout >= 0)
2009 sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
2011 sprintf(CS p, "with no wait timeout");
2013 log_write(0, LOG_MAIN,
2014 "exim %s daemon started: pid=%d, launched with listening socket, %s",
2015 version_string, getpid(), big_buffer);
2016 set_process_info("daemon(%s): pre-listening socket", version_string);
2018 /* set up the timeout logic */
2019 sigalrm_seen = TRUE;
2022 else if (f.daemon_listen)
2025 int smtps_ports = 0;
2026 ip_address_item * ipa;
2028 uschar * qinfo = queue_interval > 0
2029 ? string_sprintf("-q%s%s",
2030 f.queue_2stage ? "q" : "", readconf_printtime(queue_interval))
2031 : US"no queue runs";
2033 /* Build a list of listening addresses in big_buffer, but limit it to 10
2034 items. The style is for backwards compatibility.
2036 It is now possible to have some ports listening for SMTPS (the old,
2037 deprecated protocol that starts TLS without using STARTTLS), and others
2038 listening for standard SMTP. Keep their listings separate. */
2040 for (int j = 0, i; j < 2; j++)
2042 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2044 /* First time round, look for SMTP ports; second time round, look for
2045 SMTPS ports. Build IP+port strings. */
2047 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2054 /* Now the information about the port (and sometimes interface) */
2056 if (ipa->address[0] == ':' && ipa->address[1] == 0)
2058 if (ipa->next && ipa->next->address[0] == 0 &&
2059 ipa->next->port == ipa->port)
2061 ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
2062 (ipa = ipa->next)->log = NULL;
2064 else if (ipa->v6_include_v4)
2065 ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
2067 ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
2069 else if (ipa->address[0] == 0) /* v4 wildcard */
2070 ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
2071 else /* check for previously-seen IP */
2073 ip_address_item * i2;
2074 for (i2 = addresses; i2 != ipa; i2 = i2->next)
2075 if ( host_is_tls_on_connect_port(i2->port) == (j > 0)
2076 && Ustrcmp(ipa->address, i2->address) == 0
2078 { /* found; append port to list */
2079 for (p = i2->log; *p; ) p++; /* end of existing string */
2080 if (*--p == '}') *p = '\0'; /* drop EOL */
2081 while (isdigit(*--p)) ; /* char before port */
2083 i2->log = *p == ':' /* no list yet? */
2084 ? string_sprintf("%.*s{%s,%d}",
2085 (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
2086 : string_sprintf("%s,%d}", i2->log, ipa->port);
2090 if (i2 == ipa) /* first-time IP */
2091 ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
2098 for (int j = 0, i; j < 2; j++)
2100 /* First time round, look for SMTP ports; second time round, look for
2101 SMTPS ports. For the first one of each, insert leading text. */
2106 p += sprintf(CS p, "SMTP on");
2109 if (smtps_ports > 0)
2110 p += sprintf(CS p, "%sSMTPS on",
2111 smtp_ports == 0 ? "" : " and for ");
2113 /* Now the information about the port (and sometimes interface) */
2115 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2116 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2118 p += sprintf(CS p, "%s", ipa->log);
2121 p += sprintf(CS p, " ...");
2124 log_write(0, LOG_MAIN,
2125 "exim %s daemon started: pid=%d, %s, listening for %s",
2126 version_string, getpid(), qinfo, big_buffer);
2127 set_process_info("daemon(%s): %s, listening for %s",
2128 version_string, qinfo, big_buffer);
2133 uschar * s = *queue_name
2134 ? string_sprintf("-qG%s/%s", queue_name, readconf_printtime(queue_interval))
2135 : string_sprintf("-q%s", readconf_printtime(queue_interval));
2136 log_write(0, LOG_MAIN,
2137 "exim %s daemon started: pid=%d, %s, not listening for SMTP",
2138 version_string, getpid(), s);
2139 set_process_info("daemon(%s): %s, not listening", version_string, s);
2142 /* Do any work it might be useful to amortize over our children
2143 (eg: compile regex) */
2146 smtp_deliver_init(); /* Used for callouts */
2148 #ifndef DISABLE_DKIM
2150 # ifdef MEASURE_TIMING
2152 gettimeofday(&t0, NULL);
2155 # ifdef MEASURE_TIMING
2156 report_time_since(&t0, US"dkim_exim_init (delta)");
2161 #ifdef WITH_CONTENT_SCAN
2168 /* Close the log so it can be renamed and moved. In the few cases below where
2169 this long-running process writes to the log (always exceptional conditions), it
2170 closes the log afterwards, for the same reason. */
2174 DEBUG(D_any) debug_print_ids(US"daemon running with");
2176 /* Any messages accepted via this route are going to be SMTP. */
2180 #ifdef MEASURE_TIMING
2181 report_time_since(×tamp_startup, US"daemon loop start"); /* testcase 0022 */
2184 /* Enter the never-ending loop... */
2189 struct sockaddr_in6 accepted;
2191 struct sockaddr_in accepted;
2198 daemon_die(); /* Does not return */
2200 /* This code is placed first in the loop, so that it gets obeyed at the
2201 start, before the first wait, for the queue-runner case, so that the first
2202 one can be started immediately.
2204 The other option is that we have an inetd wait timeout specified to -bw. */
2208 if (inetd_wait_timeout > 0)
2210 time_t resignal_interval = inetd_wait_timeout;
2212 if (last_connection_time == (time_t)0)
2215 debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
2219 time_t now = time(NULL);
2220 if (now == (time_t)-1)
2222 DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
2226 if ((now - last_connection_time) >= inetd_wait_timeout)
2229 debug_printf("inetd wait timeout %d expired, ending daemon\n",
2230 inetd_wait_timeout);
2231 log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
2237 resignal_interval -= (now - last_connection_time);
2242 sigalrm_seen = FALSE;
2243 ALARM(resignal_interval);
2248 DEBUG(D_any) debug_printf("%s received\n",
2249 #ifdef EXPERIMENTAL_QUEUE_RAMP
2250 *queuerun_msgid ? "qrun notification" :
2254 /* Do a full queue run in a child process, if required, unless we already
2255 have enough queue runners on the go. If we are not running as root, a
2256 re-exec is required. */
2258 if ( queue_interval > 0
2259 && (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max))
2261 if ((pid = exim_fork(US"queue-runner")) == 0)
2263 /* Disable debugging if it's required only for the daemon process. We
2264 leave the above message, because it ties up with the "child ended"
2265 debugging messages. */
2267 if (f.debug_daemon) debug_selector = 0;
2269 /* Close any open listening sockets in the child */
2271 close_daemon_sockets(daemon_notifier_fd,
2272 listen_sockets, listen_socket_count);
2274 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
2276 signal(SIGHUP, SIG_DFL);
2277 signal(SIGCHLD, SIG_DFL);
2278 signal(SIGTERM, SIG_DFL);
2279 signal(SIGINT, SIG_DFL);
2281 /* Re-exec if privilege has been given up, unless deliver_drop_
2282 privilege is set. Reset SIGALRM before exec(). */
2284 if (geteuid() != root_uid && !deliver_drop_privilege)
2291 signal(SIGALRM, SIG_DFL);
2295 #ifdef EXPERIMENTAL_QUEUE_RAMP
2299 if (f.queue_run_first_delivery) *p++ = 'i';
2300 if (f.queue_run_force) *p++ = 'f';
2301 if (f.deliver_force_thaw) *p++ = 'f';
2302 if (f.queue_run_local) *p++ = 'l';
2304 extra[0] = *queue_name
2305 ? string_sprintf("%sG%s", opt, queue_name) : opt;
2307 #ifdef EXPERIMENTAL_QUEUE_RAMP
2308 if (*queuerun_msgid)
2310 log_write(0, LOG_MAIN, "notify triggered queue run");
2311 extra[extracount++] = queuerun_msgid; /* Trigger only the */
2312 extra[extracount++] = queuerun_msgid; /* one message */
2316 /* If -R or -S were on the original command line, ensure they get
2319 if (deliver_selectstring)
2321 extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
2322 extra[extracount++] = deliver_selectstring;
2325 if (deliver_selectstring_sender)
2327 extra[extracount++] = f.deliver_selectstring_sender_regex
2329 extra[extracount++] = deliver_selectstring_sender;
2332 /* Overlay this process with a new execution. */
2334 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount,
2335 extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]);
2337 /* Control never returns here. */
2340 /* No need to re-exec; SIGALRM remains set to the default handler */
2342 #ifdef EXPERIMENTAL_QUEUE_RAMP
2343 if (*queuerun_msgid)
2345 log_write(0, LOG_MAIN, "notify triggered queue run");
2346 f.queue_2stage = FALSE;
2347 queue_run(queuerun_msgid, queuerun_msgid, FALSE);
2351 queue_run(NULL, NULL, FALSE);
2352 exim_underbar_exit(EXIT_SUCCESS);
2357 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
2358 "process failed: %s", strerror(errno));
2363 for (int i = 0; i < local_queue_run_max; ++i)
2364 if (queue_pid_slots[i] <= 0)
2366 queue_pid_slots[i] = pid;
2370 DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
2371 queue_run_count, queue_run_count == 1 ? "" : "es");
2375 /* Reset the alarm clock */
2377 sigalrm_seen = FALSE;
2378 #ifdef EXPERIMENTAL_QUEUE_RAMP
2379 if (*queuerun_msgid)
2380 *queuerun_msgid = 0;
2383 ALARM(queue_interval);
2386 } /* sigalrm_seen */
2389 /* Sleep till a connection happens if listening, and handle the connection if
2390 that is why we woke up. The FreeBSD operating system requires the use of
2391 select() before accept() because the latter function is not interrupted by
2392 a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
2393 OS do notice signals in accept() but it does no harm to have the select()
2394 in for all of them - and it won't then be a lurking problem for ports to
2395 new OS. In fact, the later addition of listening on specific interfaces only
2396 requires this way of working anyway. */
2398 if (f.daemon_listen)
2400 int lcount, select_errno;
2402 BOOL select_failed = FALSE;
2403 fd_set select_listen;
2405 FD_ZERO(&select_listen);
2406 if (daemon_notifier_fd >= 0)
2407 FD_SET(daemon_notifier_fd, &select_listen);
2408 for (int sk = 0; sk < listen_socket_count; sk++)
2410 FD_SET(listen_sockets[sk], &select_listen);
2411 if (listen_sockets[sk] > max_socket) max_socket = listen_sockets[sk];
2414 DEBUG(D_any) debug_printf("Listening...\n");
2416 /* In rare cases we may have had a SIGCHLD signal in the time between
2417 setting the handler (below) and getting back here. If so, pretend that the
2418 select() was interrupted so that we reap the child. This might still leave
2419 a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
2420 only to do the reaping more quickly, it shouldn't result in anything other
2421 than a delay until something else causes a wake-up. */
2429 lcount = select(max_socket + 1, (SELECT_ARG2_TYPE *)&select_listen,
2434 select_failed = TRUE;
2438 /* Clean up any subprocesses that may have terminated. We need to do this
2439 here so that smtp_accept_max_per_host works when a connection to that host
2440 has completed, and we are about to accept a new one. When this code was
2441 later in the sequence, a new connection could be rejected, even though an
2442 old one had just finished. Preserve the errno from any select() failure for
2443 the use of the common select/accept error processing below. */
2445 select_errno = errno;
2446 handle_ending_processes();
2447 errno = select_errno;
2450 /* Create or rotate any required keys */
2454 /* Loop for all the sockets that are currently ready to go. If select
2455 actually failed, we have set the count to 1 and select_failed=TRUE, so as
2456 to use the common error code for select/accept below. */
2458 while (lcount-- > 0)
2460 int accept_socket = -1;
2464 if ( daemon_notifier_fd >= 0
2465 && FD_ISSET(daemon_notifier_fd, &select_listen))
2467 FD_CLR(daemon_notifier_fd, &select_listen);
2468 sigalrm_seen = daemon_notification();
2469 break; /* to top of daemon loop */
2471 for (int sk = 0; sk < listen_socket_count; sk++)
2472 if (FD_ISSET(listen_sockets[sk], &select_listen))
2474 len = sizeof(accepted);
2475 accept_socket = accept(listen_sockets[sk],
2476 (struct sockaddr *)&accepted, &len);
2477 FD_CLR(listen_sockets[sk], &select_listen);
2482 /* If select or accept has failed and this was not caused by an
2483 interruption, log the incident and try again. With asymmetric TCP/IP
2484 routing errors such as "No route to network" have been seen here. Also
2485 "connection reset by peer" has been seen. These cannot be classed as
2486 disastrous errors, but they could fill up a lot of log. The code in smail
2487 crashes the daemon after 10 successive failures of accept, on the grounds
2488 that some OS fail continuously. Exim originally followed suit, but this
2489 appears to have caused problems. Now it just keeps going, but instead of
2490 logging each error, it batches them up when they are continuous. */
2492 if (accept_socket < 0 && errno != EINTR)
2494 if (accept_retry_count == 0)
2496 accept_retry_errno = errno;
2497 accept_retry_select_failed = select_failed;
2499 else if ( errno != accept_retry_errno
2500 || select_failed != accept_retry_select_failed
2501 || accept_retry_count >= 50)
2503 log_write(0, LOG_MAIN | (accept_retry_count >= 50? LOG_PANIC : 0),
2504 "%d %s() failure%s: %s",
2506 accept_retry_select_failed? "select" : "accept",
2507 accept_retry_count == 1 ? "" : "s",
2508 strerror(accept_retry_errno));
2510 accept_retry_count = 0;
2511 accept_retry_errno = errno;
2512 accept_retry_select_failed = select_failed;
2514 accept_retry_count++;
2518 if (accept_retry_count > 0)
2520 log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
2522 accept_retry_select_failed? "select" : "accept",
2523 (accept_retry_count == 1)? "" : "s",
2524 strerror(accept_retry_errno));
2526 accept_retry_count = 0;
2530 /* If select/accept succeeded, deal with the connection. */
2532 if (accept_socket >= 0)
2534 if (inetd_wait_timeout)
2535 last_connection_time = time(NULL);
2536 handle_smtp_call(listen_sockets, listen_socket_count, accept_socket,
2537 (struct sockaddr *)&accepted);
2542 /* If not listening, then just sleep for the queue interval. If we woke
2543 up early the last time for some other signal, it won't matter because
2544 the alarm signal will wake at the right time. This code originally used
2545 sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
2546 rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
2547 select() can be used as an interruptible sleep() on all versions of Unix. */
2552 tv.tv_sec = queue_interval;
2554 select(0, NULL, NULL, NULL, &tv);
2555 handle_ending_processes();
2558 /* Re-enable the SIGCHLD handler if it has been run. It can't do it
2559 for itself, because it isn't doing the waiting itself. */
2563 sigchld_seen = FALSE;
2564 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2567 /* Handle being woken by SIGHUP. We know at this point that the result
2568 of accept() has been dealt with, so we can re-exec exim safely, first
2569 closing the listening sockets so that they can be reused. Cancel any pending
2570 alarm in case it is just about to go off, and set SIGHUP to be ignored so
2571 that another HUP in quick succession doesn't clobber the new daemon before it
2572 gets going. All log files get closed by the close-on-exec flag; however, if
2573 the exec fails, we need to close the logs. */
2577 log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
2579 close_daemon_sockets(daemon_notifier_fd,
2580 listen_sockets, listen_socket_count);
2582 signal(SIGHUP, SIG_IGN);
2583 sighup_argv[0] = exim_path;
2585 execv(CS exim_path, (char *const *)sighup_argv);
2586 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
2587 getpid(), exim_path, strerror(errno));
2591 } /* End of main loop */
2593 /* Control never reaches here */
2598 /* End of exim_daemon.c */
git://git.exim.org / exim.git / blob