1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2020 */
6 /* Copyright (c) The Exim maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
11 #include "appendfile.h"
13 #ifdef SUPPORT_MAILDIR
14 #include "tf_maildir.h"
18 /* Options specific to the appendfile transport. They must be in alphabetic
19 order (note that "_" comes before the lower case letters). Some of them are
20 stored in the publicly visible instance block - these are flagged with the
22 #define LOFF(field) OPT_OFF(appendfile_transport_options_block, field)
24 optionlist appendfile_transport_options[] = {
25 #ifdef SUPPORT_MAILDIR
26 { "*expand_maildir_use_size_file", opt_stringptr, LOFF(expand_maildir_use_size_file) },
28 { "*set_use_fcntl_lock",opt_bool | opt_hidden, LOFF(set_use_fcntl) },
29 { "*set_use_flock_lock",opt_bool | opt_hidden, LOFF(set_use_flock) },
30 { "*set_use_lockfile", opt_bool | opt_hidden, LOFF(set_use_lockfile) },
32 { "*set_use_mbx_lock", opt_bool | opt_hidden, LOFF(set_use_mbx_lock) },
34 { "allow_fifo", opt_bool, LOFF(allow_fifo) },
35 { "allow_symlink", opt_bool, LOFF(allow_symlink) },
36 { "batch_id", opt_stringptr | opt_public, OPT_OFF(transport_instance, batch_id) },
37 { "batch_max", opt_int | opt_public, OPT_OFF(transport_instance, batch_max) },
38 { "check_group", opt_bool, LOFF(check_group) },
39 { "check_owner", opt_bool, LOFF(check_owner) },
40 { "check_string", opt_stringptr, LOFF(check_string) },
41 { "create_directory", opt_bool, LOFF(create_directory) },
42 { "create_file", opt_stringptr, LOFF(create_file_string) },
43 { "directory", opt_stringptr, LOFF(dirname) },
44 { "directory_file", opt_stringptr, LOFF(dirfilename) },
45 { "directory_mode", opt_octint, LOFF(dirmode) },
46 { "escape_string", opt_stringptr, LOFF(escape_string) },
47 { "file", opt_stringptr, LOFF(filename) },
48 { "file_format", opt_stringptr, LOFF(file_format) },
49 { "file_must_exist", opt_bool, LOFF(file_must_exist) },
50 { "lock_fcntl_timeout", opt_time, LOFF(lock_fcntl_timeout) },
51 { "lock_flock_timeout", opt_time, LOFF(lock_flock_timeout) },
52 { "lock_interval", opt_time, LOFF(lock_interval) },
53 { "lock_retries", opt_int, LOFF(lock_retries) },
54 { "lockfile_mode", opt_octint, LOFF(lockfile_mode) },
55 { "lockfile_timeout", opt_time, LOFF(lockfile_timeout) },
56 { "mailbox_filecount", opt_stringptr, LOFF(mailbox_filecount_string) },
57 { "mailbox_size", opt_stringptr, LOFF(mailbox_size_string) },
58 #ifdef SUPPORT_MAILDIR
59 { "maildir_format", opt_bool, LOFF(maildir_format ) } ,
60 { "maildir_quota_directory_regex", opt_stringptr, LOFF(maildir_dir_regex) },
61 { "maildir_retries", opt_int, LOFF(maildir_retries) },
62 { "maildir_tag", opt_stringptr, LOFF(maildir_tag) },
63 { "maildir_use_size_file", opt_expand_bool, LOFF(maildir_use_size_file ) } ,
64 { "maildirfolder_create_regex", opt_stringptr, LOFF(maildirfolder_create_regex ) },
65 #endif /* SUPPORT_MAILDIR */
66 #ifdef SUPPORT_MAILSTORE
67 { "mailstore_format", opt_bool, LOFF(mailstore_format ) },
68 { "mailstore_prefix", opt_stringptr, LOFF(mailstore_prefix ) },
69 { "mailstore_suffix", opt_stringptr, LOFF(mailstore_suffix ) },
70 #endif /* SUPPORT_MAILSTORE */
72 { "mbx_format", opt_bool, LOFF(mbx_format ) } ,
73 #endif /* SUPPORT_MBX */
74 { "message_prefix", opt_stringptr, LOFF(message_prefix) },
75 { "message_suffix", opt_stringptr, LOFF(message_suffix) },
76 { "mode", opt_octint, LOFF(mode) },
77 { "mode_fail_narrower",opt_bool, LOFF(mode_fail_narrower) },
78 { "notify_comsat", opt_bool, LOFF(notify_comsat) },
79 { "quota", opt_stringptr, LOFF(quota) },
80 { "quota_directory", opt_stringptr, LOFF(quota_directory) },
81 { "quota_filecount", opt_stringptr, LOFF(quota_filecount) },
82 { "quota_is_inclusive", opt_bool, LOFF(quota_is_inclusive) },
83 { "quota_size_regex", opt_stringptr, LOFF(quota_size_regex) },
84 { "quota_warn_message", opt_stringptr | opt_public, OPT_OFF(transport_instance, warn_message) },
85 { "quota_warn_threshold", opt_stringptr, LOFF(quota_warn_threshold) },
86 { "use_bsmtp", opt_bool, LOFF(use_bsmtp) },
87 { "use_crlf", opt_bool, LOFF(use_crlf) },
88 { "use_fcntl_lock", opt_bool_set, LOFF(use_fcntl) },
89 { "use_flock_lock", opt_bool_set, LOFF(use_flock) },
90 { "use_lockfile", opt_bool_set, LOFF(use_lockfile) },
92 { "use_mbx_lock", opt_bool_set, LOFF(use_mbx_lock) },
93 #endif /* SUPPORT_MBX */
96 /* Size of the options list. An extern variable has to be used so that its
97 address can appear in the tables drtables.c. */
99 int appendfile_transport_options_count =
100 sizeof(appendfile_transport_options)/sizeof(optionlist);
106 appendfile_transport_options_block appendfile_transport_option_defaults = {0};
107 void appendfile_transport_init(transport_instance *tblock) {}
108 BOOL appendfile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
110 #else /*!MACRO_PREDEF*/
112 /* Default private options block for the appendfile transport. */
114 appendfile_transport_options_block appendfile_transport_option_defaults = {
115 /* all non-mentioned members zero/null/false */
116 .dirfilename = US"q${base62:$tod_epoch}-$inode",
117 .create_file_string = US"anywhere",
118 .maildir_dir_regex = US"^(?:cur|new|\\..*)$",
119 .mailbox_size_value = -1,
120 .mailbox_filecount_value = -1,
121 .mode = APPENDFILE_MODE,
122 .dirmode = APPENDFILE_DIRECTORY_MODE,
123 .lockfile_mode = APPENDFILE_LOCKFILE_MODE,
124 .lockfile_timeout = 30*60,
127 .maildir_retries = 10,
128 .create_file = create_anywhere,
130 .create_directory = TRUE,
131 .notify_comsat = FALSE,
132 .use_lockfile = TRUE,
134 .mode_fail_narrower = TRUE,
135 .quota_is_inclusive = TRUE,
139 /* Encodings for mailbox formats, and their names. MBX format is actually
140 supported only if SUPPORT_MBX is set. */
142 enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
144 static const char *mailbox_formats[] = {
145 "unix", "mbx", "smail", "maildir", "mailstore" };
148 /* Check warn threshold only if quota size set or not a percentage threshold
149 percentage check should only be done if quota > 0 */
151 #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
152 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
156 /*************************************************
157 * Setup entry point *
158 *************************************************/
160 /* Called for each delivery in the privileged state, just before the uid/gid
161 are changed and the main entry point is called. We use this function to
162 expand any quota settings, so that it can access files that may not be readable
163 by the user. It is also used to pick up external mailbox size information, if
167 tblock points to the transport instance
168 addrlist addresses about to be delivered (not used)
169 dummy not used (doesn't pass back data)
170 uid the uid that will be set (not used)
171 gid the gid that will be set (not used)
172 errmsg where to put an error message
174 Returns: OK, FAIL, or DEFER
181 appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
182 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
184 appendfile_transport_options_block *ob =
185 (appendfile_transport_options_block *)(tblock->options_block);
186 uschar *q = ob->quota;
187 double default_value = 0.0;
189 addrlist = addrlist; /* Keep picky compilers happy */
194 /* we can't wait until we're not privileged anymore */
197 if (ob->expand_maildir_use_size_file)
198 ob->maildir_use_size_file = expand_check_condition(ob->expand_maildir_use_size_file,
199 US"`maildir_use_size_file` in transport", tblock->name);
201 /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
204 for (int i = 0; i < 5; i++)
206 double d = default_value;
208 uschar *which = NULL;
214 if (!(s = expand_string(q)))
216 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
217 "%s", q, tblock->name, expand_string_message);
218 return f.search_find_defer ? DEFER : FAIL;
221 d = Ustrtod(s, &rest);
223 /* Handle following characters K, M, G, %, the latter being permitted
224 for quota_warn_threshold only. A threshold with no quota setting is
227 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
228 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
229 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
230 else if (*rest == '%' && i == 2)
232 if (ob->quota_value <= 0 && !ob->maildir_use_size_file)
234 else if ((int)d < 0 || (int)d > 100)
236 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
237 " for %s transport", (int)d, tblock->name);
240 ob->quota_warn_threshold_is_percent = TRUE;
245 /* For quota and quota_filecount there may be options
246 appended. Currently only "no_check", so we can be lazy parsing it */
247 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
250 rest += sizeof("/no_check") - 1;
253 Uskip_whitespace(&rest);
257 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
258 "in %s transport", s, q, tblock->name);
263 /* Set each value, checking for possible overflow. */
268 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
270 ob->quota_value = (off_t)d;
271 ob->quota_no_check = no_check;
272 q = ob->quota_filecount;
276 if (d >= 2.0*1024.0*1024.0*1024.0)
277 which = US"quota_filecount";
278 ob->quota_filecount_value = (int)d;
279 ob->quota_filecount_no_check = no_check;
280 q = ob->quota_warn_threshold;
284 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
285 which = US"quota_warn_threshold";
286 ob->quota_warn_threshold_value = (off_t)d;
287 q = ob->mailbox_size_string;
288 default_value = -1.0;
292 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
293 which = US"mailbox_size";;
294 ob->mailbox_size_value = (off_t)d;
295 q = ob->mailbox_filecount_string;
299 if (d >= 2.0*1024.0*1024.0*1024.0)
300 which = US"mailbox_filecount";
301 ob->mailbox_filecount_value = (int)d;
307 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
308 "%s transport", which, d, tblock->name);
318 /*************************************************
319 * Initialization entry point *
320 *************************************************/
322 /* Called for each instance, after its options have been read, to
323 enable consistency checks to be done, or anything else that needs
327 appendfile_transport_init(transport_instance *tblock)
329 appendfile_transport_options_block *ob =
330 (appendfile_transport_options_block *)(tblock->options_block);
333 /* Set up the setup entry point, to be called in the privileged state */
335 tblock->setup = appendfile_transport_setup;
337 /* Lock_retries must be greater than zero */
339 if (ob->lock_retries == 0) ob->lock_retries = 1;
341 /* Only one of a file name or directory name must be given. */
343 if (ob->filename && ob->dirname)
344 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
345 "only one of \"file\" or \"directory\" can be specified", tblock->name);
347 /* If a file name was specified, neither quota_filecount nor quota_directory
352 if (ob->quota_filecount)
353 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
354 "quota_filecount must not be set without \"directory\"", tblock->name);
355 if (ob->quota_directory)
356 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
357 "quota_directory must not be set without \"directory\"", tblock->name);
360 /* The default locking depends on whether MBX is set or not. Change the
361 built-in default if none of the lock options has been explicitly set. At least
362 one form of locking is required in all cases, but mbx locking changes the
363 meaning of fcntl and flock locking. */
365 /* Not all operating systems provide flock(). For those that do, if flock is
366 requested, the default for fcntl is FALSE. */
371 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
372 "flock() support was not available in the operating system when this "
373 "binary was built", tblock->name);
374 #endif /* NO_FLOCK */
375 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
380 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
381 !ob->set_use_mbx_lock)
383 ob->use_lockfile = ob->use_flock = FALSE;
384 ob->use_mbx_lock = ob->use_fcntl = TRUE;
386 else if (ob->use_mbx_lock)
388 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
389 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
390 if (!ob->set_use_flock) ob->use_flock = FALSE;
391 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
393 #endif /* SUPPORT_MBX */
395 if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
396 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
397 "no locking configured", tblock->name);
399 /* Unset timeouts for non-used locking types */
401 if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
402 if (!ob->use_flock) ob->lock_flock_timeout = 0;
404 /* If a directory name was specified, only one of maildir or mailstore may be
405 specified, and if quota_filecount or quota_directory is given, quota must
410 if (ob->maildir_format && ob->mailstore_format)
411 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
412 "only one of maildir and mailstore may be specified", tblock->name);
413 if (ob->quota_filecount != NULL && ob->quota == NULL)
414 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
415 "quota must be set if quota_filecount is set", tblock->name);
416 if (ob->quota_directory != NULL && ob->quota == NULL)
417 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
418 "quota must be set if quota_directory is set", tblock->name);
421 /* If a fixed uid field is set, then a gid field must also be set. */
423 if (tblock->uid_set && !tblock->gid_set && !tblock->expand_gid)
424 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
425 "user set without group for the %s transport", tblock->name);
427 /* If "create_file" is set, check that a valid option is given, and set the
430 if ((s = ob->create_file_string ) && *s)
433 if (Ustrcmp(s, "anywhere") == 0) val = create_anywhere;
434 else if (*s == '/' || Ustrcmp(s, "belowhome") == 0) val = create_belowhome;
435 else if (Ustrcmp(s, "inhome") == 0) val = create_inhome;
437 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
438 "invalid value given for \"create_file\" for the %s transport: '%s'",
440 ob->create_file = val;
443 /* If quota_warn_threshold is set, set up default for warn_message. It may
444 not be used if the actual threshold for a given delivery ends up as zero,
445 of if it's given as a percentage and there's no quota setting. */
447 if (ob->quota_warn_threshold)
449 if (!tblock->warn_message) tblock->warn_message = US
450 "To: $local_part@$domain\n"
451 "Subject: Your mailbox\n\n"
452 "This message is automatically created by mail delivery software (Exim).\n\n"
453 "The size of your mailbox has exceeded a warning threshold that is\n"
454 "set by the system administrator.\n";
457 /* If batch SMTP is set, force the check and escape strings, and arrange that
458 headers are also escaped. */
462 ob->check_string = US".";
463 ob->escape_string = US"..";
464 ob->options |= topt_escape_headers;
467 /* If not batch SMTP, not maildir, not mailstore, and directory is not set,
468 insert default values for for the affixes and the check/escape strings. */
470 else if (!ob->dirname && !ob->maildir_format && !ob->mailstore_format)
472 if (!ob->message_prefix) ob->message_prefix =
473 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
474 if (!ob->message_suffix) ob->message_suffix = US"\n";
475 if (!ob->check_string) ob->check_string = US"From ";
476 if (!ob->escape_string) ob->escape_string = US">From ";
480 /* Set up the bitwise options for transport_write_message from the various
481 driver options. Only one of body_only and headers_only can be set. */
484 (tblock->body_only ? topt_no_headers : 0) |
485 (tblock->headers_only ? topt_no_body : 0) |
486 (tblock->return_path_add ? topt_add_return_path : 0) |
487 (tblock->delivery_date_add ? topt_add_delivery_date : 0) |
488 (tblock->envelope_to_add ? topt_add_envelope_to : 0) |
489 ((ob->use_crlf || ob->mbx_format) ? topt_use_crlf : 0);
494 /*************************************************
496 *************************************************/
498 /* The comsat daemon is the thing that provides asynchronous notification of
499 the arrival of local messages, if requested by the user by "biff y". It is a
500 BSD thing that uses a TCP/IP protocol for communication. A message consisting
501 of the text "user@offset" must be sent, where offset is the place in the
502 mailbox where new mail starts. There is no scope for telling it which file to
503 look at, which makes it a less than useful if mail is being delivered into a
504 non-standard place such as the user's home directory. In fact, it doesn't seem
505 to pay much attention to the offset.
509 offset offset in mailbox
515 notify_comsat(uschar *user, off_t offset)
521 DEBUG(D_transport) debug_printf("notify_comsat called\n");
523 s = string_sprintf("%.200s@" OFF_T_FMT "\n", user, offset);
525 if ((sp = getservbyname("biff", "udp")) == NULL)
527 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
531 host.name = US"localhost";
535 /* This code is all set up to look up "localhost" and use all its addresses
536 until one succeeds. However, it appears that at least on some systems, comsat
537 doesn't listen on the ::1 address. So for the moment, just force the address to
538 be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
539 can be changed. (But actually, comsat is probably dying out anyway.) */
542 if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
544 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
549 host.address = US"127.0.0.1";
552 for (host_item * h = &host; h; h = h->next)
555 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
557 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
559 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
561 /* Connect never fails for a UDP socket, so don't set a timeout. */
563 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, NULL);
564 rc = send(sock, s, Ustrlen(s) + 1, 0);
569 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
576 /*************************************************
577 * Check the format of a file *
578 *************************************************/
580 /* This function is called when file_format is set, to check that an existing
581 file has the right format. The format string contains text/transport pairs. The
582 string matching is literal. we just read big_buffer_size bytes, because this is
583 all about the first few bytes of a file.
587 tblock the transport block
588 addr the address block - for inserting error data
590 Returns: pointer to the required transport, or NULL
594 check_file_format(int cfd, transport_instance *tblock, address_item *addr)
596 const uschar *format =
597 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
599 int len = read(cfd, data, sizeof(data));
603 DEBUG(D_transport) debug_printf("checking file format\n");
605 /* An empty file matches the current transport */
607 if (len == 0) return tblock;
609 /* Search the formats for a match */
611 /* not expanded so cannot be tainted */
612 while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size)))
614 int slen = Ustrlen(s);
615 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
616 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
620 for (transport_instance * tt = transports; tt; tt = tt->next)
621 if (Ustrcmp(tp, tt->name) == 0)
624 debug_printf("file format -> %s transport\n", tt->name);
627 addr->basic_errno = ERRNO_BADTRANSPORT;
628 addr->message = string_sprintf("%s transport (for %.*s format) not found",
634 /* Failed to find a match */
636 addr->basic_errno = ERRNO_FORMATUNKNOWN;
637 addr->message = US"mailbox file format unrecognized";
644 /*************************************************
645 * Check directory's files for quota *
646 *************************************************/
648 /* This function is called if quota is set for one of the delivery modes that
649 delivers into a specific directory. It scans the directory and stats all the
650 files in order to get a total size and count. This is an expensive thing to do,
651 but some people are prepared to bear the cost. Alternatively, if size_regex is
652 set, it is used as a regex to try to extract the size from the file name, a
653 strategy that some people use on maildir files on systems where the users have
656 The function is global, because it is also called from tf_maildir.c for maildir
657 folders (which should contain only regular files).
659 Note: Any problems can be written to debugging output, but cannot be written to
660 the log, because we are running as an unprivileged user here.
663 dirname the name of the directory
664 countptr where to add the file count (because this function recurses)
665 regex a compiled regex to get the size from a name
667 Returns: the sum of the sizes of the stattable files
668 zero if the directory cannot be opened
672 check_dir_size(const uschar * dirname, int *countptr, const pcre *regex)
676 int count = *countptr;
678 if (!(dir = exim_opendir(dirname))) return 0;
680 for (struct dirent *ent; ent = readdir(dir); )
682 uschar * path, * name = US ent->d_name;
685 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
689 /* If there's a regex, try to find the size using it */
694 if (pcre_exec(regex, NULL, CS name, Ustrlen(name), 0, 0, ovector,6) >= 2)
697 off_t size = (off_t)Ustrtod(name + ovector[2], &endptr);
698 if (endptr == name + ovector[3])
702 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
708 debug_printf("check_dir_size: regex did not match %s\n", name);
711 /* No regex or no match for the regex, or captured non-digits */
713 path = string_sprintf("%s/%s", dirname, name);
715 if (Ustat(path, &statbuf) < 0)
718 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, path,
722 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
723 sum += statbuf.st_size / statbuf.st_nlink;
724 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
725 sum += check_dir_size(path, &count, regex);
730 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
740 /*************************************************
741 * Apply a lock to a file descriptor *
742 *************************************************/
744 /* This function applies a lock to a file descriptor, using a blocking or
745 non-blocking lock, depending on the timeout value. It can apply either or
746 both of a fcntl() and a flock() lock. However, not all OS support flock();
747 for those that don't, the use_flock option cannot be set.
750 fd the file descriptor
751 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
752 fcntl() format); the flock() type is deduced if needed
753 dofcntl do fcntl() locking
754 fcntltime non-zero to use blocking fcntl()
755 doflock do flock() locking
756 flocktime non-zero to use blocking flock()
758 Returns: yield of the fcntl() or flock() call, with errno preserved;
759 sigalrm_seen set if there has been a timeout
763 apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
768 struct flock lock_data;
769 lock_data.l_type = fcntltype;
770 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
772 sigalrm_seen = FALSE;
779 yield = fcntl(fd, F_SETLKW, &lock_data);
784 else yield = fcntl(fd, F_SETLK, &lock_data);
788 if (doflock && (yield >= 0))
790 int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH;
794 yield = flock(fd, flocktype);
799 else yield = flock(fd, flocktype | LOCK_NB);
801 #endif /* NO_FLOCK */
810 /*************************************************
811 * Copy message into MBX mailbox *
812 *************************************************/
814 /* This function is called when a message intended for a MBX mailbox has been
815 written to a temporary file. We can now get the size of the message and then
816 copy it in MBX format to the mailbox.
819 to_fd fd to write to (the real mailbox)
820 from_fd fd to read from (the temporary file)
821 saved_size current size of mailbox
823 Returns: OK if all went well, DEFER otherwise, with errno preserved
824 the number of bytes written are added to transport_count
825 by virtue of calling transport_write_block()
828 /* Values taken from c-client */
830 #define MBX_HDRSIZE 2048
831 #define MBX_NUSERFLAGS 30
834 copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
839 transport_ctx tctx = { .u={.fd = to_fd}, .options = topt_not_socket };
841 /* If the current mailbox size is zero, write a header block */
846 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
847 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
848 (long int)time(NULL));
849 for (int i = 0; i < MBX_NUSERFLAGS; i++)
850 sprintf (CS(s += Ustrlen(s)), "\015\012");
851 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
855 DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
857 /* Now construct the message's header from the time and the RFC822 file
858 size, including CRLFs, which is the size of the input (temporary) file. */
860 if (fstat(from_fd, &statbuf) < 0) return DEFER;
861 size = statbuf.st_size;
863 sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
864 tod_stamp(tod_mbx), size, 0L, 0, 0);
865 used = Ustrlen(deliver_out_buffer);
867 /* Rewind the temporary file, and copy it over in chunks. */
869 if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
873 int len = read(from_fd, deliver_out_buffer + used,
874 DELIVER_OUT_BUFFER_SIZE - used);
877 if (len == 0) errno = ERRNO_MBXLENGTH;
880 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
888 #endif /* SUPPORT_MBX */
892 /*************************************************
893 * Check creation is permitted *
894 *************************************************/
896 /* This function checks whether a given file name is permitted to be created,
897 as controlled by the create_file option. If no home directory is set, however,
898 we can't do any tests.
901 filename the file name
902 create_file the ob->create_file option
903 deliver_dir the delivery directory
905 Returns: TRUE if creation is permitted
909 check_creation(uschar *filename, int create_file, const uschar * deliver_dir)
913 if (deliver_dir && create_file != create_anywhere)
915 int len = Ustrlen(deliver_dir);
916 uschar *file = filename;
918 while (file[0] == '/' && file[1] == '/') file++;
919 if ( Ustrncmp(file, deliver_dir, len) != 0
921 || Ustrchr(file+len+2, '/') != NULL
922 && ( create_file != create_belowhome
923 || Ustrstr(file+len, "/../") != NULL
927 /* If yield is TRUE, the file name starts with the home directory, and does
928 not contain any instances of "/../" in the "belowhome" case. However, it may
929 still contain symbolic links. We can check for this by making use of
930 realpath(), which most Unixes seem to have (but make it possible to cut this
931 out). We can't just use realpath() on the whole file name, because we know
932 the file itself doesn't exist, and intermediate directories may also not
933 exist. What we want to know is the real path of the longest existing part of
934 the path. That must match the home directory's beginning, whichever is the
938 if (yield && create_file == create_belowhome)
942 for (uschar * slash = Ustrrchr(file, '/'); /* There is known to be one */
943 !rp && slash > file; /* Stop if reached beginning */
947 rp = US realpath(CS file, CS big_buffer);
948 next = Ustrrchr(file, '/');
952 /* If rp == NULL it means that none of the relevant directories exist.
953 This is not a problem here - it means that no symbolic links can exist,
954 which is all we are worried about. Otherwise, we must compare it
955 against the start of the home directory. However, that may itself
956 contain symbolic links, so we have to "realpath" it as well, if
961 uschar hdbuffer[PATH_MAX+1];
962 const uschar * rph = deliver_dir;
963 int rlen = Ustrlen(big_buffer);
965 if ((rp = US realpath(CS deliver_dir, CS hdbuffer)))
971 if (rlen > len) rlen = len;
972 if (Ustrncmp(rph, big_buffer, rlen) != 0)
975 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
976 big_buffer, deliver_dir);
980 #endif /* NO_REALPATH */
988 /*************************************************
990 *************************************************/
992 /* See local README for general interface details. This transport always
993 returns FALSE, indicating that the status which has been placed in the first
994 address should be copied to any other addresses in a batch.
996 Appendfile delivery is tricky and has led to various security problems in other
997 mailers. The logic used here is therefore laid out in some detail. When this
998 function is called, we are running in a subprocess which has had its gid and
999 uid set to the appropriate values. Therefore, we cannot write directly to the
1000 exim logs. Any errors must be handled by setting appropriate return codes.
1001 Note that the default setting for addr->transport_return is DEFER, so it need
1002 not be set unless some other value is required.
1004 The code below calls geteuid() rather than getuid() to get the current uid
1005 because in weird configurations not running setuid root there may be a
1006 difference. In the standard configuration, where setuid() has been used in the
1007 delivery process, there will be no difference between the uid and the euid.
1009 (1) If the af_file flag is set, this is a delivery to a file after .forward or
1010 alias expansion. Otherwise, there must be a configured file name or
1013 The following items apply in the case when a file name (as opposed to a
1014 directory name) is given, that is, when appending to a single file:
1016 (2f) Expand the file name.
1018 (3f) If the file name is /dev/null, return success (optimization).
1020 (4f) If the file_format options is set, open the file for reading, and check
1021 that the bytes at the start of the file match one of the given strings.
1022 If the check indicates a transport other than the current one should be
1023 used, pass control to that other transport. Otherwise continue. An empty
1024 or non-existent file matches the current transport. The file is closed
1027 (5f) If a lock file is required, create it (see extensive separate comments
1028 below about the algorithm for doing this). It is important to do this
1029 before opening the mailbox if NFS is in use.
1031 (6f) Stat the file, using lstat() rather than stat(), in order to pick up
1032 details of any symbolic link.
1034 (7f) If the file already exists:
1036 Check the owner and group if necessary, and defer if they are wrong.
1038 If it is a symbolic link AND the allow_symlink option is set (NOT the
1039 default), go back to (6f) but this time use stat() instead of lstat().
1041 If it's not a regular file (or FIFO when permitted), defer delivery.
1043 Check permissions. If the required permissions are *less* than the
1044 existing ones, or supplied by the address (often by the user via filter),
1045 chmod() the file. Otherwise, defer.
1047 Save the inode number.
1049 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1051 If open fails because the file does not exist, go to (6f); on any other
1054 Check the inode number hasn't changed - I realize this isn't perfect (an
1055 inode can be reused) but it's cheap and will catch some of the races.
1057 Check it's still a regular file (or FIFO if permitted).
1059 Check that the owner and permissions haven't changed.
1061 If file_format is set, check that the file still matches the format for
1062 the current transport. If not, defer delivery.
1064 (8f) If file does not exist initially:
1066 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1067 this is via a symbolic link (only possible if allow_symlinks is set), in
1068 which case don't use O_EXCL, as it doesn't work.
1070 If open fails because the file already exists, go to (6f). To avoid
1071 looping for ever in a situation where the file is continuously being
1072 created and deleted, all of this happens inside a loop that operates
1073 lock_retries times and includes the fcntl and flock locking. If the
1074 loop completes without the file getting opened, defer and request
1075 freezing, because something really weird is happening.
1077 If open fails for any other reason, defer for subsequent delivery except
1078 when this is a file delivery resulting from an alias or forward expansion
1079 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1080 most likely a user rather than a configuration error.
1082 (9f) We now have the file checked and open for writing. If so configured, lock
1083 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1084 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1085 still fails, give up and defer delivery.
1087 (10f)Save the access time (for subsequent restoration) and the size of the
1088 file, for comsat and for re-setting if delivery fails in the middle -
1089 e.g. for quota exceeded.
1091 The following items apply in the case when a directory name is given:
1093 (2d) Create a new file in the directory using a temporary name, by opening for
1094 writing and with O_CREAT. If maildir format is being used, the file
1095 is created in a temporary subdirectory with a prescribed name. If
1096 mailstore format is being used, the envelope file is first created with a
1097 temporary name, then the data file.
1099 The following items apply in all cases:
1101 (11) We now have the file open for writing, and locked if it was given as a
1102 file name. Write the message and flush the file, unless there is a setting
1103 of the local quota option, in which case we can check for its excession
1104 without doing any writing.
1106 In the case of MBX format mailboxes, the message is first written to a
1107 temporary file, in order to get its correct length. This is then copied to
1108 the real file, preceded by an MBX header.
1110 If there is a quota error on writing, defer the address. Timeout logic
1111 will determine for how long retries are attempted. We restore the mailbox
1112 to its original length if it's a single file. There doesn't seem to be a
1113 uniform error code for quota excession (it even differs between SunOS4
1114 and some versions of SunOS5) so a system-dependent macro called
1115 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1118 For any other error (most commonly disk full), do the same.
1120 The following applies after appending to a file:
1122 (12f)Restore the atime; notify_comsat if required; close the file (which
1123 unlocks it if it was locked). Delete the lock file if it exists.
1125 The following applies after writing a unique file in a directory:
1127 (12d)For maildir format, rename the file into the new directory. For mailstore
1128 format, rename the envelope file to its correct name. Otherwise, generate
1129 a unique name from the directory_file option, and rename to that, possibly
1130 trying a few times if the file exists and re-expanding the name gives a
1133 This transport yields FAIL only when a file name is generated by an alias or
1134 forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1135 All other failures return DEFER (in addr->transport_return). */
1139 appendfile_transport_entry(
1140 transport_instance *tblock, /* data for this instantiation */
1141 address_item *addr) /* address we are working on */
1143 appendfile_transport_options_block *ob =
1144 (appendfile_transport_options_block *)(tblock->options_block);
1145 struct stat statbuf;
1146 const uschar * deliver_dir;
1147 uschar *fdname = NULL;
1148 uschar *filename = NULL;
1149 uschar *hitchname = NULL;
1150 uschar *dataname = NULL;
1151 uschar *lockname = NULL;
1152 uschar *newname = NULL;
1153 uschar *nametag = NULL;
1155 uschar *filecount_msg = US"";
1157 struct utimbuf times;
1158 struct timeval msg_tv;
1159 BOOL disable_quota = FALSE;
1160 BOOL isdirectory = FALSE;
1161 BOOL isfifo = FALSE;
1162 BOOL wait_for_tick = FALSE;
1163 uid_t uid = geteuid(); /* See note above */
1164 gid_t gid = getegid();
1166 int mode = (addr->mode > 0) ? addr->mode : ob->mode;
1167 off_t saved_size = -1;
1168 off_t mailbox_size = ob->mailbox_size_value;
1169 int mailbox_filecount = ob->mailbox_filecount_value;
1177 int mbx_lockfd = -1;
1178 uschar mbx_lockname[40];
1179 FILE *temp_file = NULL;
1180 #endif /* SUPPORT_MBX */
1182 #ifdef SUPPORT_MAILDIR
1183 int maildirsize_fd = -1; /* fd for maildirsize file */
1184 int maildir_save_errno;
1188 DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1190 /* An "address_file" or "address_directory" transport is used to deliver to
1191 files specified via .forward or an alias file. Prior to release 4.20, the
1192 "file" and "directory" options were ignored in this case. This has been changed
1193 to allow the redirection data to specify what is in effect a folder, whose
1194 location is determined by the options on the transport.
1196 Compatibility with the case when neither option is set is retained by forcing a
1197 value for the file or directory name. A directory delivery is assumed if the
1198 last character of the path from the router is '/'.
1200 The file path is in the local part of the address, but not in the $local_part
1201 variable (that holds the parent local part). It is, however, in the
1202 $address_file variable. Below, we update the local part in the address if it
1203 changes by expansion, so that the final path ends up in the log. */
1205 if (testflag(addr, af_file) && !ob->filename && !ob->dirname)
1207 fdname = US"$address_file";
1208 if (address_file[Ustrlen(address_file)-1] == '/' ||
1209 ob->maildir_format ||
1210 ob->mailstore_format)
1214 /* Handle (a) an "address file" delivery where "file" or "directory" is
1215 explicitly set and (b) a non-address_file delivery, where one of "file" or
1216 "directory" must be set; initialization ensures that they are not both set. */
1220 if (!(fdname = ob->filename))
1222 fdname = ob->dirname;
1227 addr->message = string_sprintf("Mandatory file or directory option "
1228 "missing from %s transport", tblock->name);
1233 /* Maildir and mailstore require a directory */
1235 if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1237 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1238 "to be specified for the %s transport",
1239 ob->maildir_format ? "dir" : "store", tblock->name);
1243 if (!(path = expand_string(fdname)))
1245 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1246 "name for %s transport) failed: %s", fdname, tblock->name,
1247 expand_string_message);
1253 addr->message = string_sprintf("appendfile: file or directory name "
1254 "\"%s\" is not absolute", path);
1255 addr->basic_errno = ERRNO_NOTABSOLUTE;
1259 /* For a file delivery, make sure the local part in the address(es) is updated
1260 to the true local part. */
1262 if (testflag(addr, af_file))
1263 for (address_item * addr2 = addr; addr2; addr2 = addr2->next)
1264 addr2->local_part = string_copy(path);
1266 /* The available mailbox formats depend on whether it is a directory or a file
1272 #ifdef SUPPORT_MAILDIR
1273 ob->maildir_format ? mbf_maildir :
1275 #ifdef SUPPORT_MAILSTORE
1276 ob->mailstore_format ? mbf_mailstore :
1284 ob->mbx_format ? mbf_mbx :
1291 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1293 " warning=" OFF_T_FMT "%s\n"
1294 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1295 "maildir_use_size_file=%s\n",
1296 mode, ob->notify_comsat, ob->quota_value,
1297 ob->quota_no_check ? " (no_check)" : "",
1298 ob->quota_filecount_no_check ? " (no_check_filecount)" : "",
1299 ob->quota_warn_threshold_value,
1300 ob->quota_warn_threshold_is_percent ? "%" : "",
1301 isdirectory ? "directory" : "file",
1302 path, mailbox_formats[mbformat],
1303 !ob->message_prefix ? US"null" : string_printing(ob->message_prefix),
1304 !ob->message_suffix ? US"null" : string_printing(ob->message_suffix),
1305 ob->maildir_use_size_file ? "yes" : "no");
1307 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1308 ob->use_lockfile ? "lockfile " : "",
1309 ob->use_mbx_lock ? "mbx locking (" : "",
1310 ob->use_fcntl ? "fcntl " : "",
1311 ob->use_flock ? "flock" : "",
1312 ob->use_mbx_lock ? ")" : "");
1315 /* If the -N option is set, can't do any more. */
1320 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1322 addr->transport_return = OK;
1326 /* If an absolute path was given for create_file the it overrides deliver_home
1327 (here) and de-taints the filename (below, after check_creation() */
1329 deliver_dir = *ob->create_file_string == '/'
1330 ? ob->create_file_string : deliver_home;
1332 /* Handle the case of a file name. If the file name is /dev/null, we can save
1333 ourselves some effort and just give a success return right away. */
1337 BOOL use_lstat = TRUE;
1338 BOOL file_opened = FALSE;
1339 BOOL allow_creation_here = TRUE;
1341 if (Ustrcmp(path, "/dev/null") == 0)
1343 addr->transport_return = OK;
1347 /* Set the name of the file to be opened, and the file to which the data
1348 is written, and find out if we are permitted to create a non-existent file.
1349 If the create_file option is an absolute path and the file was within it,
1350 de-taint. Chaeck for a tainted path. */
1352 if ( (allow_creation_here = check_creation(path, ob->create_file, deliver_dir))
1353 && ob->create_file == create_belowhome)
1354 if (is_tainted(path))
1356 DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
1357 path = string_copy_taint(path, FALSE);
1360 if (is_tainted(path)) goto tainted_ret_panic;
1361 dataname = filename = path;
1363 /* If ob->create_directory is set, attempt to create the directories in
1364 which this mailbox lives, but only if we are permitted to create the file
1365 itself. We know we are dealing with an absolute path, because this was
1368 if (ob->create_directory && allow_creation_here)
1370 uschar *p = Ustrrchr(path, '/');
1371 p = string_copyn(path, p - path);
1372 if (!directory_make(NULL, p, ob->dirmode, FALSE))
1374 addr->basic_errno = errno;
1376 string_sprintf("failed to create directories for %s: %s", path,
1377 exim_errstr(errno));
1378 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1383 /* If file_format is set we must check that any existing file matches one of
1384 the configured formats by checking the bytes it starts with. A match then
1385 indicates a specific transport - if it is not this one, pass control to it.
1386 Otherwise carry on here. An empty or non-existent file matches the current
1387 transport. We don't need to distinguish between non-existence and other open
1388 failures because if an existing file fails to open here, it will also fail
1389 again later when O_RDWR is used. */
1391 if (ob->file_format)
1393 int cfd = Uopen(path, O_RDONLY, 0);
1396 transport_instance *tt = check_file_format(cfd, tblock, addr);
1399 /* If another transport is indicated, call it and return; if no transport
1400 was found, just return - the error data will have been set up.*/
1406 set_process_info("delivering %s to %s using %s", message_id,
1407 addr->local_part, tt->name);
1408 debug_print_string(tt->debug_string);
1409 addr->transport = tt;
1410 (tt->info->code)(tt, addr);
1417 /* The locking of mailbox files is worse than the naming of cats, which is
1418 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1419 three different names, so several different styles of locking are used.
1421 Research in other programs that lock mailboxes shows that there is no
1422 universally standard method. Having mailboxes NFS-mounted on the system that
1423 is delivering mail is not the best thing, but people do run like this,
1424 and so the code must do its best to cope.
1426 Three different locking mechanisms are supported. The initialization function
1427 checks that at least one is configured.
1431 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1432 will work over NFS. Only after that is done do we actually open the mailbox
1433 and apply locks to it (if configured).
1435 Originally, Exim got the file opened before doing anything about locking.
1436 However, a very occasional problem was observed on Solaris 2 when delivering
1437 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1438 gets remembered at open time. If another process on another host (that's
1439 important) has the file open and locked and writes to it and then releases
1440 the lock while the first process is waiting to get the lock, the first
1441 process may fail to write at the new end point of the file - despite the very
1442 definite statement about O_APPEND in the man page for write(). Experiments
1443 have reproduced this problem, but I do not know any way of forcing a host to
1444 update its attribute cache for an open NFS file. It would be nice if it did
1445 so when a lock was taken out, but this does not seem to happen. Anyway, to
1446 reduce the risk of this problem happening, we now create the lock file
1447 (if configured) *before* opening the mailbox. That will prevent two different
1448 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1449 however, but Pine at least seems to operate in the same way.
1451 Lockfiles should normally be used when NFS is involved, because of the above
1454 The logic for creating the lock file is:
1456 . The name of the lock file is <mailbox-name>.lock
1458 . First, create a "hitching post" name by adding the primary host name,
1459 current time and pid to the lock file name. This should be unique.
1461 . Create the hitching post file using WRONLY + CREAT + EXCL.
1463 . If that fails EACCES, we assume it means that the user is unable to create
1464 files in the mail spool directory. Some installations might operate in this
1465 manner, so there is a configuration option to allow this state not to be an
1466 error - we proceed to lock using fcntl only, after the file is open.
1468 . Otherwise, an error causes a deferment of the address.
1470 . Hard link the hitching post to the lock file name.
1472 . If the link succeeds, we have successfully created the lock file. Simply
1473 close and unlink the hitching post file.
1475 . If the link does not succeed, proceed as follows:
1477 o Fstat the hitching post file, and then close and unlink it.
1479 o Now examine the stat data. If the number of links to the file is exactly
1480 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1481 the return never made it back, so the link() function gave a failure
1484 . This method allows for the lock file to be created by some other process
1485 right up to the moment of the attempt to hard link it, and is also robust
1486 against NFS server crash-reboots, which would probably result in timeouts
1487 in the middle of link().
1489 . System crashes may cause lock files to get left lying around, and some means
1490 of flushing them is required. The approach of writing a pid (used by smail
1491 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1492 timeout, which seems a better approach. Since any program that writes to a
1493 mailbox using a lock file should complete its task very quickly, Pine
1494 removes lock files that are older than 5 minutes. We allow the value to be
1495 configurable on the transport.
1499 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1500 mailbox once it is open. This is done by default with a non-blocking lock.
1501 Failures to lock cause retries after a sleep, but only for a certain number
1502 of tries. A blocking lock is deliberately not used so that we don't hold the
1503 mailbox open. This minimizes the possibility of the NFS problem described
1504 under LOCK FILES above, if for some reason NFS deliveries are happening
1505 without lock files. However, the use of a non-blocking lock and sleep, though
1506 the safest approach, does not give the best performance on very busy systems.
1507 A blocking lock plus timeout does better. Therefore Exim has an option to
1508 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1509 enables the use of blocking fcntl() calls.
1513 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1514 same manner as for fcntl locking above. No-blocking/timeout is also set as
1515 above in lock_flock_timeout. Not all operating systems provide or support
1516 flock(). For those that don't (as determined by the definition of LOCK_SH in
1517 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1518 is implemented (not precisely) on top of fcntl(), which means there's no
1519 point in actually using it.
1523 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1524 then the rules used for locking in c-client are used. Exim takes out a shared
1525 lock on the mailbox file, and an exclusive lock on the file whose name is
1526 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1527 any other MBX client from getting an exclusive lock on it and expunging it.
1528 It also stops any other MBX client from unlinking the /tmp lock when it has
1531 The exclusive lock on the /tmp file prevents any other MBX client from
1532 updating the mailbox in any way. When writing is finished, if an exclusive
1533 lock on the mailbox can be obtained, indicating there are no current sharers,
1534 the /tmp file is unlinked.
1536 MBX locking can use either fcntl() or flock() locking. If neither
1537 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1538 The calls for getting these locks are by default non-blocking, as for non-mbx
1539 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1540 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1541 probably makes sense to set timeouts for any MBX deliveries. */
1544 /* Build a lock file if configured to do so - the existence of a lock
1545 file is subsequently checked by looking for a non-negative value of the
1546 file descriptor hd - even though the file is no longer open. */
1548 if (ob->use_lockfile)
1550 /* cf. exim_lock.c */
1551 lockname = string_sprintf("%s.lock", filename);
1552 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1553 (unsigned int)(time(NULL)), (unsigned int)getpid());
1555 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1558 /* Lock file creation retry loop */
1560 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1564 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1567 addr->basic_errno = errno;
1569 string_sprintf("creating lock file hitching post %s "
1570 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1571 (long int)getegid());
1575 /* Attempt to hitch the hitching post to the lock file. If link()
1576 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1577 file, and get rid of the hitching post. If the number of links was 2,
1578 the link was created, despite the failure of link(). If the hitch was
1579 not successful, try again, having unlinked the lock file if it is too
1582 There's a version of Linux (2.0.27) which doesn't update its local cache
1583 of the inode after link() by default - which many think is a bug - but
1584 if the link succeeds, this code will be OK. It just won't work in the
1585 case when link() fails after having actually created the link. The Linux
1586 NFS person is fixing this; a temporary patch is available if anyone is
1587 sufficiently worried. */
1589 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
1592 if (rc != 0 && statbuf.st_nlink != 2)
1594 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1595 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1597 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1600 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1604 DEBUG(D_transport) debug_printf("lock file created\n");
1608 /* Check for too many tries at creating the lock file */
1610 if (i >= ob->lock_retries)
1612 addr->basic_errno = ERRNO_LOCKFAILED;
1613 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1620 /* We now have to get the file open. First, stat() it and act on existence or
1621 non-existence. This is in a loop to handle the case of a file's being created
1622 or deleted as we watch, and also to handle retries when the locking fails.
1623 Rather than holding the file open while waiting for the fcntl() and/or
1624 flock() lock, we close and do the whole thing again. This should be safer,
1625 especially for NFS files, which might get altered from other hosts, making
1626 their cached sizes incorrect.
1628 With the default settings, no symlinks are permitted, but there is an option
1629 to permit symlinks for those sysadmins that know what they are doing.
1630 Shudder. However, insist that the initial symlink is owned by the right user.
1631 Thus lstat() is used initially; if a symlink is discovered, the loop is
1632 repeated such that stat() is used, to look at the end file. */
1634 for (i = 0; i < ob->lock_retries; i++)
1636 int sleep_before_retry = TRUE;
1637 file_opened = FALSE;
1639 if ((use_lstat ? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1641 /* Let's hope that failure to stat (other than non-existence) is a
1644 if (errno != ENOENT)
1646 addr->basic_errno = errno;
1647 addr->message = string_sprintf("attempting to stat mailbox %s",
1652 /* File does not exist. If it is required to pre-exist this state is an
1655 if (ob->file_must_exist)
1657 addr->basic_errno = errno;
1658 addr->message = string_sprintf("mailbox %s does not exist, "
1659 "but file_must_exist is set", filename);
1663 /* If not permitted to create this file because it isn't in or below
1664 the home directory, generate an error. */
1666 if (!allow_creation_here)
1668 addr->basic_errno = ERRNO_BADCREATE;
1669 addr->message = string_sprintf("mailbox %s does not exist, "
1670 "but creation outside the home directory is not permitted",
1675 /* Attempt to create and open the file. If open fails because of
1676 pre-existence, go round the loop again. For any other error, defer the
1677 address, except for an alias or forward generated file name with EPERM,
1678 ENOENT, or EACCES, as those are most likely to be user errors rather
1679 than Exim config errors. When a symbolic link is permitted and points
1680 to a non-existent file, we get here with use_lstat = FALSE. In this case
1681 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1682 consistency and because MBX locking requires it in order to be able to
1683 get a shared lock. */
1685 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1686 (use_lstat ? O_EXCL : 0), mode);
1689 if (errno == EEXIST) continue;
1690 addr->basic_errno = errno;
1691 addr->message = string_sprintf("while creating mailbox %s",
1693 if (testflag(addr, af_file) &&
1694 (errno == EPERM || errno == ENOENT || errno == EACCES))
1695 addr->transport_return = FAIL;
1699 /* We have successfully created and opened the file. Ensure that the group
1700 and the mode are correct. */
1702 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
1704 addr->basic_errno = errno;
1705 addr->message = string_sprintf("while setting perms on mailbox %s",
1707 addr->transport_return = FAIL;
1713 /* The file already exists. Test its type, ownership, and permissions, and
1714 save the inode for checking later. If symlinks are permitted (not the
1715 default or recommended state) it may be a symlink that already exists.
1716 Check its ownership and then look for the file at the end of the link(s).
1717 This at least prevents one user creating a symlink for another user in
1718 a sticky directory. */
1722 int oldmode = (int)statbuf.st_mode;
1723 ino_t inode = statbuf.st_ino;
1724 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1726 isfifo = FALSE; /* In case things are changing */
1728 /* Check owner if required - the default. */
1730 if (ob->check_owner && statbuf.st_uid != uid)
1732 addr->basic_errno = ERRNO_BADUGID;
1733 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1734 "(%ld != %ld)", filename,
1735 islink ? " (symlink)" : "",
1736 (long int)(statbuf.st_uid), (long int)uid);
1740 /* Group is checked only if check_group is set. */
1742 if (ob->check_group && statbuf.st_gid != gid)
1744 addr->basic_errno = ERRNO_BADUGID;
1745 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1746 filename, islink ? " (symlink)" : "", statbuf.st_gid, gid);
1750 /* Just in case this is a sticky-bit mail directory, we don't want
1751 users to be able to create hard links to other users' files. */
1753 if (statbuf.st_nlink != 1)
1755 addr->basic_errno = ERRNO_NOTREGULAR;
1756 addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
1757 filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink);
1762 /* If symlinks are permitted (not recommended), the lstat() above will
1763 have found the symlink. Its ownership has just been checked; go round
1764 the loop again, using stat() instead of lstat(). That will never yield a
1767 if (islink && ob->allow_symlink)
1770 i--; /* Don't count this time round */
1774 /* An actual file exists. Check that it is a regular file, or FIFO
1777 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1779 else if ((oldmode & S_IFMT) != S_IFREG)
1781 addr->basic_errno = ERRNO_NOTREGULAR;
1782 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1783 filename, ob->allow_fifo ? " or named pipe" : "");
1787 /* If the mode is not what it would be for a newly created file, change
1788 the permissions if the mode is supplied for the address. Otherwise,
1789 reduce but do not extend the permissions. If the newly created
1790 permissions are greater than the existing permissions, don't change
1791 things when the mode is not from the address. */
1793 if ((oldmode &= 07777) != mode)
1795 int diffs = oldmode ^ mode;
1796 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1798 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1799 if (Uchmod(filename, mode) < 0)
1801 addr->basic_errno = errno;
1802 addr->message = string_sprintf("attempting to chmod mailbox %s",
1809 /* Mode not from address, and newly-created permissions are greater
1810 than existing permissions. Default is to complain, but it can be
1811 configured to go ahead and try to deliver anyway if that's what
1812 the administration wants. */
1814 else if (ob->mode_fail_narrower)
1816 addr->basic_errno = ERRNO_BADMODE;
1817 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1818 "(%o expected)", filename, oldmode, mode);
1823 /* We are happy with the existing file. Open it, and then do further
1824 tests to ensure that it is the same file that we were just looking at.
1825 If the file does not now exist, restart this loop, going back to using
1826 lstat again. For an NFS error, just defer; other opening errors are
1827 more serious. The file is opened RDWR so that its format can be checked,
1828 and also MBX locking requires the use of a shared (read) lock. However,
1829 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1830 reading the pipe. */
1832 fd = Uopen(filename, isfifo ? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1836 if (errno == ENOENT)
1841 addr->basic_errno = errno;
1843 addr->message = string_sprintf("while opening named pipe %s "
1844 "(could mean no process is reading it)", filename);
1845 else if (errno != EWOULDBLOCK)
1846 addr->message = string_sprintf("while opening mailbox %s", filename);
1850 /* This fstat really shouldn't fail, as we have an open file! There's a
1851 dilemma here. We use fstat in order to be sure we are peering at the file
1852 we have got open. However, that won't tell us if the file was reached
1853 via a symbolic link. We checked this above, but there is a race exposure
1854 if the link was created between the previous lstat and the open. However,
1855 it would have to be created with the same inode in order to pass the
1856 check below. If ob->allow_symlink is set, causing the use of stat rather
1857 than lstat above, symbolic links may be there anyway, and the checking is
1860 if (fstat(fd, &statbuf) < 0)
1862 addr->basic_errno = errno;
1863 addr->message = string_sprintf("attempting to stat open mailbox %s",
1868 /* Check the inode; this is isn't a perfect check, but gives some
1871 if (inode != statbuf.st_ino)
1873 addr->basic_errno = ERRNO_INODECHANGED;
1874 addr->message = string_sprintf("opened mailbox %s inode number changed "
1875 "from " INO_T_FMT " to " INO_T_FMT, filename, inode, statbuf.st_ino);
1876 addr->special_action = SPECIAL_FREEZE;
1880 /* Check it's still a regular file or FIFO, and the uid, gid, and
1881 permissions have not changed. */
1883 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1884 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1886 addr->basic_errno = ERRNO_NOTREGULAR;
1888 string_sprintf("opened mailbox %s is no longer a %s", filename,
1889 isfifo ? "named pipe" : "regular file");
1890 addr->special_action = SPECIAL_FREEZE;
1894 if ((ob->check_owner && statbuf.st_uid != uid) ||
1895 (ob->check_group && statbuf.st_gid != gid))
1897 addr->basic_errno = ERRNO_BADUGID;
1899 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1900 addr->special_action = SPECIAL_FREEZE;
1904 if ((statbuf.st_mode & 07777) != oldmode)
1906 addr->basic_errno = ERRNO_BADMODE;
1907 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
1908 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
1909 addr->special_action = SPECIAL_FREEZE;
1913 /* If file_format is set, check that the format of the file has not
1914 changed. Error data is set by the testing function. */
1916 if (ob->file_format && check_file_format(fd, tblock, addr) != tblock)
1918 addr->message = US"open mailbox has changed format";
1922 /* The file is OK. Carry on to do the locking. */
1925 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
1926 locking rules if configured to do so. If a lock file is also required, it
1927 was created above and hd was left >= 0. At least one form of locking is
1928 required by the initialization function. If locking fails here, close the
1929 file and go round the loop all over again, after waiting for a bit, unless
1930 blocking locking was used. */
1933 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
1934 sleep_before_retry = FALSE;
1936 /* Simple fcntl() and/or flock() locking */
1938 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
1940 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1941 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
1944 /* MBX locking rules */
1947 else if (ob->use_mbx_lock)
1950 struct stat lstatbuf, statbuf2;
1951 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1952 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
1953 fstat(fd, &statbuf) >= 0)
1955 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
1956 (long)statbuf.st_ino);
1959 * 2010-05-29: SECURITY
1960 * Dan Rosenberg reported the presence of a race-condition in the
1961 * original code here. Beware that many systems still allow symlinks
1962 * to be followed in /tmp so an attacker can create a symlink pointing
1963 * elsewhere between a stat and an open, which we should avoid
1966 * It's unfortunate that we can't just use all the heavily debugged
1967 * locking from above.
1969 * Also: remember to mirror changes into exim_lock.c */
1971 /* first leave the old pre-check in place, it provides better
1972 * diagnostics for common cases */
1973 if (Ulstat(mbx_lockname, &statbuf) >= 0)
1975 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1977 addr->basic_errno = ERRNO_LOCKFAILED;
1978 addr->message = string_sprintf("symbolic link on MBX lock file %s",
1982 if (statbuf.st_nlink > 1)
1984 addr->basic_errno = ERRNO_LOCKFAILED;
1985 addr->message = string_sprintf("hard link to MBX lock file %s",
1991 /* If we could just declare "we must be the ones who create this
1992 * file" then a hitching post in a subdir would work, since a
1993 * subdir directly in /tmp/ which we create wouldn't follow links
1994 * but this isn't our locking logic, so we can't safely change the
1995 * file existence rules. */
1997 /* On systems which support O_NOFOLLOW, it's the easiest and most
1998 * obviously correct security fix */
1999 mbx_tmp_oflags = O_RDWR | O_CREAT;
2001 mbx_tmp_oflags |= O_NOFOLLOW;
2003 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
2006 addr->basic_errno = ERRNO_LOCKFAILED;
2007 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2008 mbx_lockname, strerror(errno));
2012 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
2014 addr->basic_errno = ERRNO_LOCKFAILED;
2015 addr->message = string_sprintf("attempting to lstat open MBX "
2016 "lock file %s: %s", mbx_lockname, strerror(errno));
2019 if (fstat(mbx_lockfd, &statbuf2) < 0)
2021 addr->basic_errno = ERRNO_LOCKFAILED;
2022 addr->message = string_sprintf("attempting to stat fd of open MBX "
2023 "lock file %s: %s", mbx_lockname, strerror(errno));
2029 * statbuf: if exists, is file which existed prior to opening the
2030 * lockfile, might have been replaced since then
2031 * statbuf2: result of stat'ing the open fd, is what was actually
2033 * lstatbuf: result of lstat'ing the filename immediately after
2034 * the open but there's a race condition again between
2035 * those two steps: before open, symlink to foo, after
2036 * open but before lstat have one of:
2037 * * was no symlink, so is the opened file
2038 * (we created it, no messing possible after that point)
2040 * * symlink elsewhere
2041 * * hardlink elsewhere
2043 * Don't want to compare to device of /tmp because some modern systems
2044 * have regressed to having /tmp be the safe actual filesystem as
2045 * valuable data, so is mostly worthless, unless we assume that *only*
2046 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2047 * for further consideration.
2048 * No point in doing a readlink on the lockfile as that will always be
2049 * at a different point in time from when we open it, so tells us
2050 * nothing; attempts to clean up and delete after ourselves would risk
2051 * deleting a *third* filename.
2053 if ((statbuf2.st_nlink > 1) ||
2054 (lstatbuf.st_nlink > 1) ||
2055 (!S_ISREG(lstatbuf.st_mode)) ||
2056 (lstatbuf.st_dev != statbuf2.st_dev) ||
2057 (lstatbuf.st_ino != statbuf2.st_ino))
2059 addr->basic_errno = ERRNO_LOCKFAILED;
2060 addr->message = string_sprintf("RACE CONDITION detected: "
2061 "mismatch post-initial-checks between \"%s\" and opened "
2062 "fd lead us to abort!", mbx_lockname);
2066 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
2068 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2069 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2071 struct stat ostatbuf;
2073 /* This tests for a specific race condition. Ensure that we still
2074 have the same file. */
2076 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2077 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2078 statbuf.st_dev == ostatbuf.st_dev &&
2079 statbuf.st_ino == ostatbuf.st_ino)
2081 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2082 "between creation and locking\n", mbx_lockname);
2085 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2087 (void)close(mbx_lockfd);
2092 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2093 filename, strerror(errno));
2096 #endif /* SUPPORT_MBX */
2098 else break; /* No on-file locking required; break the open/lock loop */
2101 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2105 use_lstat = TRUE; /* Reset to use lstat first */
2108 /* If a blocking call timed out, break the retry loop if the total time
2109 so far is not less than than retries * interval. Use the larger of the
2110 flock() and fcntl() timeouts. */
2113 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2114 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2115 ob->lock_retries * ob->lock_interval)
2116 i = ob->lock_retries;
2118 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2119 flock() that caused the problem. */
2121 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2124 /* Test for exceeding the maximum number of tries. Either the file remains
2125 locked, or, if we haven't got it open, something is terribly wrong... */
2127 if (i >= ob->lock_retries)
2131 addr->basic_errno = ERRNO_EXISTRACE;
2132 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2133 addr->special_action = SPECIAL_FREEZE;
2137 addr->basic_errno = ERRNO_LOCKFAILED;
2138 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2144 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2146 /* Save access time (for subsequent restoration), modification time (for
2147 restoration if updating fails), size of file (for comsat and for re-setting if
2148 delivery fails in the middle - e.g. for quota exceeded). */
2150 if (fstat(fd, &statbuf) < 0)
2152 addr->basic_errno = errno;
2153 addr->message = string_sprintf("while fstatting opened mailbox %s",
2158 times.actime = statbuf.st_atime;
2159 times.modtime = statbuf.st_mtime;
2160 saved_size = statbuf.st_size;
2161 if (mailbox_size < 0) mailbox_size = saved_size;
2162 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2165 /* Prepare for writing to a new file (as opposed to appending to an old one).
2166 There are several different formats, but there is preliminary stuff concerned
2167 with quotas that applies to all of them. Finding the current size by directory
2168 scanning is expensive; for maildirs some fudges have been invented:
2170 (1) A regex can be used to extract a file size from its name;
2171 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2177 uschar *check_path; /* Default quota check path */
2178 const pcre *regex = NULL; /* Regex for file size from file name */
2180 if (!check_creation(string_sprintf("%s/any", path),
2181 ob->create_file, deliver_dir))
2183 addr->basic_errno = ERRNO_BADCREATE;
2184 addr->message = string_sprintf("tried to create file in %s, but "
2185 "file creation outside the home directory is not permitted", path);
2189 /* If the create_file option is an absolute path and the file was within
2190 it, de-taint. Otherwise check for taint. */
2192 if (is_tainted(path))
2193 if (ob->create_file == create_belowhome)
2195 DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
2196 path = string_copy_taint(path, FALSE);
2199 goto tainted_ret_panic;
2203 #ifdef SUPPORT_MAILDIR
2204 /* For a maildir delivery, ensure that all the relevant directories exist,
2205 and a maildirfolder file if necessary. */
2207 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
2208 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
2210 #endif /* SUPPORT_MAILDIR */
2212 /* If we are going to do a quota check, of if maildir_use_size_file is set
2213 for a maildir delivery, compile the regular expression if there is one. We
2214 may also need to adjust the path that is used. We need to do this for
2215 maildir_use_size_file even if the quota is unset, because we still want to
2216 create the file. When maildir support is not compiled,
2217 ob->maildir_use_size_file is always FALSE. */
2219 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2221 const uschar *error;
2224 /* Compile the regex if there is one. */
2226 if (ob->quota_size_regex)
2228 if (!(regex = pcre_compile(CS ob->quota_size_regex, PCRE_COPT,
2229 CCSS &error, &offset, NULL)))
2231 addr->message = string_sprintf("appendfile: regular expression "
2232 "error: %s at offset %d while compiling %s", error, offset,
2233 ob->quota_size_regex);
2236 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2237 ob->quota_size_regex);
2240 /* Use an explicitly configured directory if set */
2242 if (ob->quota_directory)
2244 if (!(check_path = expand_string(ob->quota_directory)))
2246 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2247 "name for %s transport) failed: %s", ob->quota_directory,
2248 tblock->name, expand_string_message);
2252 if (check_path[0] != '/')
2254 addr->message = string_sprintf("appendfile: quota_directory name "
2255 "\"%s\" is not absolute", check_path);
2256 addr->basic_errno = ERRNO_NOTABSOLUTE;
2261 #ifdef SUPPORT_MAILDIR
2262 /* Otherwise, if we are handling a maildir delivery, and the directory
2263 contains a file called maildirfolder, this is a maildir++ feature telling
2264 us that this is a sub-directory of the real inbox. We should therefore do
2265 the quota check on the parent directory. Beware of the special case when
2266 the directory name itself ends in a slash. */
2268 else if (mbformat == mbf_maildir)
2270 struct stat statbuf;
2271 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2273 uschar *new_check_path = string_copy(check_path);
2274 uschar *slash = Ustrrchr(new_check_path, '/');
2280 slash = Ustrrchr(new_check_path, '/');
2285 check_path = new_check_path;
2286 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2287 "quota check directory changed to %s\n", check_path);
2292 #endif /* SUPPORT_MAILDIR */
2295 /* If we are using maildirsize files, we need to ensure that such a file
2296 exists and, if necessary, recalculate its contents. As a byproduct of this,
2297 we obtain the current size of the maildir. If no quota is to be enforced
2298 (ob->quota_value == 0), we still need the size if a threshold check will
2301 Another regular expression is used to determine which directories inside the
2302 maildir are going to be counted. */
2304 #ifdef SUPPORT_MAILDIR
2305 if (ob->maildir_use_size_file)
2307 const pcre *dir_regex = NULL;
2308 const uschar *error;
2311 if (ob->maildir_dir_regex)
2313 int check_path_len = Ustrlen(check_path);
2315 if (!(dir_regex = pcre_compile(CS ob->maildir_dir_regex, PCRE_COPT,
2316 CCSS &error, &offset, NULL)))
2318 addr->message = string_sprintf("appendfile: regular expression "
2319 "error: %s at offset %d while compiling %s", error, offset,
2320 ob->maildir_dir_regex);
2325 debug_printf("using regex for maildir directory selection: %s\n",
2326 ob->maildir_dir_regex);
2328 /* Check to see if we are delivering into an ignored directory, that is,
2329 if the delivery path starts with the quota check path, and the rest
2330 of the deliver path matches the regex; if so, set a flag to disable quota
2331 checking and maildirsize updating. */
2333 if (Ustrncmp(path, check_path, check_path_len) == 0)
2335 uschar *s = path + check_path_len;
2336 while (*s == '/') s++;
2337 s = *s ? string_sprintf("%s/new", s) : US"new";
2338 if (pcre_exec(dir_regex, NULL, CS s, Ustrlen(s), 0, 0, NULL, 0) < 0)
2340 disable_quota = TRUE;
2341 DEBUG(D_transport) debug_printf("delivery directory does not match "
2342 "maildir_quota_directory_regex: disabling quota\n");
2347 /* Quota enforcement; create and check the file. There is some discussion
2348 about whether this should happen if the quota is unset. At present, Exim
2349 always creates the file. If we ever want to change this, uncomment
2350 appropriate lines below, possibly doing a check on some option. */
2352 /* if (???? || ob->quota_value > 0) */
2359 if ((maildirsize_fd = maildir_ensure_sizefile(check_path, ob, regex, dir_regex,
2360 &size, &filecount)) == -1)
2362 addr->basic_errno = errno;
2363 addr->message = string_sprintf("while opening or reading "
2364 "%s/maildirsize", check_path);
2367 /* can also return -2, which means that the file was removed because of
2368 raciness; but in this case, the size & filecount will still have been
2371 if (mailbox_size < 0) mailbox_size = size;
2372 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2375 /* No quota enforcement; ensure file does *not* exist; calculate size if
2380 * time_t old_latest;
2381 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2382 * if (THRESHOLD_CHECK)
2383 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2384 * regex, dir_regex, FALSE);
2389 #endif /* SUPPORT_MAILDIR */
2391 /* Otherwise if we are going to do a quota check later on, and the mailbox
2392 size is not set, find the current size of the mailbox. Ditto for the file
2393 count. Note that ob->quota_filecount_value cannot be set without
2394 ob->quota_value being set. */
2397 && (ob->quota_value > 0 || THRESHOLD_CHECK)
2398 && ( mailbox_size < 0
2399 || mailbox_filecount < 0 && ob->quota_filecount_value > 0
2405 debug_printf("quota checks on directory %s\n", check_path);
2406 size = check_dir_size(check_path, &filecount, regex);
2407 if (mailbox_size < 0) mailbox_size = size;
2408 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2411 /* Handle the case of creating a unique file in a given directory (not in
2412 maildir or mailstore format - this is how smail did it). A temporary name is
2413 used to create the file. Later, when it is written, the name is changed to a
2414 unique one. There is no need to lock the file. An attempt is made to create
2415 the directory if it does not exist. */
2417 if (mbformat == mbf_smail)
2420 debug_printf("delivering to new file in %s\n", path);
2421 filename = dataname =
2422 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2423 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2424 if (fd < 0 && /* failed to open, and */
2425 (errno != ENOENT || /* either not non-exist */
2426 !ob->create_directory || /* or not allowed to make */
2427 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2428 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2430 addr->basic_errno = errno;
2431 addr->message = string_sprintf("while creating file %s", filename);
2436 #ifdef SUPPORT_MAILDIR
2438 /* Handle the case of a unique file in maildir format. The file is written to
2439 the tmp subdirectory, with a prescribed form of name. */
2441 else if (mbformat == mbf_maildir)
2444 debug_printf("delivering in maildir format in %s\n", path);
2446 nametag = ob->maildir_tag;
2448 /* Check that nametag expands successfully; a hard failure causes a panic
2449 return. The actual expansion for use happens again later, when
2450 $message_size is accurately known. */
2452 if (nametag && !expand_string(nametag) && !f.expand_string_forcedfail)
2454 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2455 "for %s transport) failed: %s", nametag, tblock->name,
2456 expand_string_message);
2460 /* We ensured the existence of all the relevant directories above. Attempt
2461 to open the temporary file a limited number of times. I think this rather
2462 scary-looking for statement is actually OK. If open succeeds, the loop is
2463 broken; if not, there is a test on the value of i. Get the time again
2464 afresh each time round the loop. Its value goes into a variable that is
2465 checked at the end, to make sure we don't release this process until the
2466 clock has ticked. */
2468 for (int i = 1;; i++)
2472 (void)gettimeofday(&msg_tv, NULL);
2473 basename = string_sprintf(TIME_T_FMT ".M%luP" PID_T_FMT ".%s",
2474 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
2476 filename = dataname = string_sprintf("tmp/%s", basename);
2477 newname = string_sprintf("new/%s", basename);
2479 if (Ustat(filename, &statbuf) == 0)
2481 else if (errno == ENOENT)
2483 if ((fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode)) >= 0)
2485 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2486 filename, strerror(errno));
2489 /* Too many retries - give up */
2491 if (i >= ob->maildir_retries)
2493 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2494 filename, i, (i == 1) ? "y" : "ies");
2495 addr->basic_errno = errno;
2496 if (errno == errno_quota || errno == ENOSPC)
2497 addr->user_message = US"mailbox is full";
2501 /* Open or stat failed but we haven't tried too many times yet. */
2506 /* Note that we have to ensure the clock has ticked before leaving */
2508 wait_for_tick = TRUE;
2510 /* Why are these here? Put in because they are present in the non-maildir
2511 directory case above. */
2513 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2515 addr->basic_errno = errno;
2516 addr->message = string_sprintf("while setting perms on maildir %s",
2522 #endif /* SUPPORT_MAILDIR */
2524 #ifdef SUPPORT_MAILSTORE
2526 /* Handle the case of a unique file in mailstore format. First write the
2527 envelope to a temporary file, then open the main file. The unique base name
2528 for the files consists of the message id plus the pid of this delivery
2534 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2535 string_base62((long int)getpid()));
2538 debug_printf("delivering in mailstore format in %s\n", path);
2540 filename = string_sprintf("%s.tmp", mailstore_basename);
2541 newname = string_sprintf("%s.env", mailstore_basename);
2542 dataname = string_sprintf("%s.msg", mailstore_basename);
2544 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2545 if ( fd < 0 /* failed to open, and */
2546 && ( errno != ENOENT /* either not non-exist */
2547 || !ob->create_directory /* or not allowed to make */
2548 || !directory_make(NULL, path, ob->dirmode, FALSE) /* or failed to create dir */
2549 || (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0 /* or then failed to open */
2552 addr->basic_errno = errno;
2553 addr->message = string_sprintf("while creating file %s", filename);
2557 /* Why are these here? Put in because they are present in the non-maildir
2558 directory case above. */
2560 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2562 addr->basic_errno = errno;
2563 addr->message = string_sprintf("while setting perms on file %s",
2568 /* Built a C stream from the open file descriptor. */
2570 if (!(env_file = fdopen(fd, "wb")))
2572 addr->basic_errno = errno;
2573 addr->message = string_sprintf("fdopen of %s ("
2574 "for %s transport) failed", filename, tblock->name);
2580 /* Write the envelope file, then close it. */
2582 if (ob->mailstore_prefix)
2584 uschar *s = expand_string(ob->mailstore_prefix);
2587 if (!f.expand_string_forcedfail)
2589 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2590 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2591 tblock->name, expand_string_message);
2592 (void)fclose(env_file);
2600 fprintf(env_file, "%s", CS s);
2601 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2605 fprintf(env_file, "%s\n", sender_address);
2607 for (address_item * taddr = addr; taddr; taddr = taddr->next)
2608 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2610 if (ob->mailstore_suffix)
2612 uschar *s = expand_string(ob->mailstore_suffix);
2615 if (!f.expand_string_forcedfail)
2617 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2618 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2619 tblock->name, expand_string_message);
2620 (void)fclose(env_file);
2628 fprintf(env_file, "%s", CS s);
2629 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2633 if (fclose(env_file) != 0)
2635 addr->basic_errno = errno;
2636 addr->message = string_sprintf("while closing %s", filename);
2641 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2643 /* Now open the data file, and ensure that it has the correct ownership and
2646 if ((fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
2648 addr->basic_errno = errno;
2649 addr->message = string_sprintf("while creating file %s", dataname);
2653 if (exim_chown(dataname, uid, gid) || Uchmod(dataname, mode))
2655 addr->basic_errno = errno;
2656 addr->message = string_sprintf("while setting perms on file %s",
2662 #endif /* SUPPORT_MAILSTORE */
2665 /* In all cases of writing to a new file, ensure that the file which is
2666 going to be renamed has the correct ownership and mode. */
2668 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2670 addr->basic_errno = errno;
2671 addr->message = string_sprintf("while setting perms on file %s",
2678 /* At last we can write the message to the file, preceded by any configured
2679 prefix line, and followed by any configured suffix line. If there are any
2680 writing errors, we must defer. */
2682 DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2687 /* If there is a local quota setting, check that we are not going to exceed it
2688 with this message if quota_is_inclusive is set; if it is not set, the check
2689 is for the mailbox already being over quota (i.e. the current message is not
2690 included in the check). */
2692 if (!disable_quota && ob->quota_value > 0)
2696 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2697 " this message = %d (%sincluded)\n",
2698 ob->quota_value, mailbox_size, message_size,
2699 ob->quota_is_inclusive ? "" : "not ");
2700 debug_printf(" file count quota = %d count = %d\n",
2701 ob->quota_filecount_value, mailbox_filecount);
2704 if (mailbox_size + (ob->quota_is_inclusive ? message_size:0) > ob->quota_value)
2705 if (!ob->quota_no_check)
2707 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2709 errno = ERRNO_EXIMQUOTA;
2712 DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2714 if (ob->quota_filecount_value > 0
2715 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2716 ob->quota_filecount_value)
2717 if (!ob->quota_filecount_no_check)
2719 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2721 errno = ERRNO_EXIMQUOTA;
2722 filecount_msg = US" filecount";
2724 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2725 debug_printf("mailbox file count quota exceeded but ignored\n");
2731 addr->basic_errno = errno;
2732 addr->message = US"Over quota";
2733 addr->transport_return = yield;
2735 debug_printf("appendfile (verify) yields %d with errno=%d more_errno=%d\n",
2736 yield, addr->basic_errno, addr->more_errno);
2741 /* If we are writing in MBX format, what we actually do is to write the message
2742 to a temporary file, and then copy it to the real file once we know its size.
2743 This is the most straightforward way of getting the correct length in the
2744 separator line. So, what we do here is to save the real file descriptor, and
2745 replace it with one for a temporary file. The temporary file gets unlinked once
2746 opened, so that it goes away on closure. */
2749 if (yield == OK && ob->mbx_format)
2751 if (!(temp_file = tmpfile()))
2753 addr->basic_errno = errno;
2754 addr->message = US"while setting up temporary file";
2759 fd = fileno(temp_file);
2760 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2762 #endif /* SUPPORT_MBX */
2764 /* Zero the count of bytes written. It is incremented by the transport_xxx()
2767 transport_count = 0;
2768 transport_newlines = 0;
2770 /* Write any configured prefix text first */
2772 if (yield == OK && ob->message_prefix && *ob->message_prefix)
2774 uschar *prefix = expand_string(ob->message_prefix);
2777 errno = ERRNO_EXPANDFAIL;
2778 addr->transport_return = PANIC;
2779 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2780 "transport) failed", ob->message_prefix, tblock->name);
2783 else if (!transport_write_string(fd, "%s", prefix)) yield = DEFER;
2786 /* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2787 various different values for batching are handled outside; if there is more
2788 than one address available here, all must be included. If any address is a
2789 file, use its parent in the RCPT TO. */
2791 if (yield == OK && ob->use_bsmtp)
2793 transport_count = 0;
2794 transport_newlines = 0;
2795 if (ob->use_crlf) cr = US"\r";
2796 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2800 transport_newlines++;
2801 for (address_item * a = addr; a; a = a->next)
2803 address_item * b = testflag(a, af_pfr) ? a->parent : a;
2804 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2805 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2806 { yield = DEFER; break; }
2807 transport_newlines++;
2809 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2812 transport_newlines++;
2816 /* Now the message itself. The options for transport_write_message were set up
2817 at initialization time. */
2821 transport_ctx tctx = {
2825 .check_string = ob->check_string,
2826 .escape_string = ob->escape_string,
2827 .options = ob->options | topt_not_socket
2829 if (!transport_write_message(&tctx, 0))
2833 /* Now a configured suffix. */
2835 if (yield == OK && ob->message_suffix && *ob->message_suffix)
2837 uschar *suffix = expand_string(ob->message_suffix);
2840 errno = ERRNO_EXPANDFAIL;
2841 addr->transport_return = PANIC;
2842 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2843 "transport) failed", ob->message_suffix, tblock->name);
2846 else if (!transport_write_string(fd, "%s", suffix)) yield = DEFER;
2849 /* If batch smtp, write the terminating dot. */
2851 if (yield == OK && ob->use_bsmtp)
2852 if (!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2853 else transport_newlines++;
2855 /* If MBX format is being used, all that writing was to the temporary file.
2856 However, if there was an earlier failure (Exim quota exceeded, for example),
2857 the temporary file won't have got opened - and no writing will have been done.
2858 If writing was OK, we restore the fd, and call a function that copies the
2859 message in MBX format into the real file. Otherwise use the temporary name in
2863 if (temp_file && ob->mbx_format)
2870 transport_count = 0; /* Reset transport count for actual write */
2871 /* No need to reset transport_newlines as we're just using a block copy
2872 * routine so the number won't be affected */
2873 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2875 else if (errno >= 0) dataname = US"temporary file";
2877 /* Preserve errno while closing the temporary file. */
2879 mbx_save_errno = errno;
2880 (void)fclose(temp_file);
2881 errno = mbx_save_errno;
2883 #endif /* SUPPORT_MBX */
2885 /* Force out the remaining data to check for any errors; some OS don't allow
2886 fsync() to be called for a FIFO. */
2888 if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
2890 /* Update message_size and message_linecount to the accurate count of bytes
2891 written, including added headers. Note; we subtract 1 from message_linecount as
2892 this variable doesn't count the new line between the header and the body of the
2895 message_size = transport_count;
2896 message_linecount = transport_newlines - 1;
2898 /* If using a maildir++ quota file, add this message's size to it, and
2899 close the file descriptor, except when the quota has been disabled because we
2900 are delivering into an uncounted folder. */
2902 #ifdef SUPPORT_MAILDIR
2905 if (yield == OK && maildirsize_fd >= 0)
2906 maildir_record_length(maildirsize_fd, message_size);
2907 maildir_save_errno = errno; /* Preserve errno while closing the file */
2908 if (maildirsize_fd >= 0)
2909 (void)close(maildirsize_fd);
2910 errno = maildir_save_errno;
2912 #endif /* SUPPORT_MAILDIR */
2914 /* If there is a quota warning threshold and we are have crossed it with this
2915 message, set the SPECIAL_WARN flag in the address, to cause a warning message
2918 if (!disable_quota && THRESHOLD_CHECK)
2920 off_t threshold = ob->quota_warn_threshold_value;
2921 if (ob->quota_warn_threshold_is_percent)
2922 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
2924 debug_printf("quota = " OFF_T_FMT
2925 " threshold = " OFF_T_FMT
2926 " old size = " OFF_T_FMT
2927 " message size = %d\n",
2928 ob->quota_value, threshold, mailbox_size,
2930 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
2931 addr->special_action = SPECIAL_WARN;
2933 /******* You might think that the test ought to be this:
2935 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
2936 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
2938 * (indeed, I was sent a patch with that in). However, it is possible to
2939 * have a warning threshold without actually imposing a quota, and I have
2940 * therefore kept Exim backwards compatible.
2945 /* Handle error while writing the file. Control should come here directly after
2946 the error, with the reason in errno. In the case of expansion failure in prefix
2947 or suffix, it will be ERRNO_EXPANDFAIL. */
2951 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
2953 /* Save the error number. If positive, it will ultimately cause a strerror()
2954 call to generate some text. */
2956 addr->basic_errno = errno;
2958 /* For system or Exim quota excession, or disk full, set more_errno to the
2959 time since the file was last read. If delivery was into a directory, the
2960 time since last read logic is not relevant, in general. However, for maildir
2961 deliveries we can approximate it by looking at the last modified time of the
2962 "new" subdirectory. Since Exim won't be adding new messages, a change to the
2963 "new" subdirectory implies that an MUA has moved a message from there to the
2966 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
2968 addr->more_errno = 0;
2969 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
2971 #ifdef SUPPORT_MAILDIR
2972 else if (mbformat == mbf_maildir)
2974 struct stat statbuf;
2975 if (Ustat("new", &statbuf) < 0)
2977 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
2978 "stat error %d for \"new\": %s\n", errno, strerror(errno));
2980 else /* Want a repeatable time when in test harness */
2981 addr->more_errno = f.running_in_test_harness ? 10 :
2982 (int)time(NULL) - statbuf.st_mtime;
2985 debug_printf("maildir: time since \"new\" directory modified = %s\n",
2986 readconf_printtime(addr->more_errno));
2988 #endif /* SUPPORT_MAILDIR */
2991 /* Handle system quota excession. Add an explanatory phrase for the error
2992 message, since some systems don't have special quota-excession errors,
2993 and on those that do, "quota" doesn't always mean anything to the user. */
2995 if (errno == errno_quota)
2998 addr->message = string_sprintf("mailbox is full "
2999 "(quota exceeded while writing to file %s)", filename);
3001 addr->message = US"mailbox is full";
3003 addr->user_message = US"mailbox is full";
3004 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3006 isdirectory ? US"" : US": time since file read = ",
3007 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3010 /* Handle Exim's own quota-imposition */
3012 else if (errno == ERRNO_EXIMQUOTA)
3014 addr->message = string_sprintf("mailbox is full "
3015 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3017 addr->user_message = US"mailbox is full";
3018 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3019 filecount_msg, dataname,
3020 isdirectory ? US"" : US": time since file read = ",
3021 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3024 /* Handle a process failure while writing via a filter; the return
3025 from child_close() is in more_errno. */
3027 else if (errno == ERRNO_FILTER_FAIL)
3030 addr->message = string_sprintf("transport filter process failed (%d) "
3031 "while writing to %s%s", addr->more_errno, dataname,
3032 (addr->more_errno == EX_EXECFAILED) ? ": unable to execute command" : "");
3035 /* Handle failure to expand header changes */
3037 else if (errno == ERRNO_CHHEADER_FAIL)
3041 string_sprintf("failed to expand headers_add or headers_remove while "
3042 "writing to %s: %s", dataname, expand_string_message);
3045 /* Handle failure to complete writing of a data block */
3047 else if (errno == ERRNO_WRITEINCOMPLETE)
3048 addr->message = string_sprintf("failed to write data block while "
3049 "writing to %s", dataname);
3051 /* Handle length mismatch on MBX copying */
3054 else if (errno == ERRNO_MBXLENGTH)
3055 addr->message = string_sprintf("length mismatch while copying MBX "
3056 "temporary file to %s", dataname);
3057 #endif /* SUPPORT_MBX */
3059 /* For other errors, a general-purpose explanation, if the message is
3062 else if (addr->message == NULL)
3063 addr->message = string_sprintf("error while writing to %s", dataname);
3065 /* For a file, reset the file size to what it was before we started, leaving
3066 the last modification time unchanged, so it will get reset also. All systems
3067 investigated so far have ftruncate(), whereas not all have the F_FREESP
3068 fcntl() call (BSDI & FreeBSD do not). */
3070 if (!isdirectory && ftruncate(fd, saved_size))
3071 DEBUG(D_transport) debug_printf("Error resetting file size\n");
3074 /* Handle successful writing - we want the modification time to be now for
3075 appended files. Remove the default backstop error number. For a directory, now
3076 is the time to rename the file with a unique name. As soon as such a name
3077 appears it may get used by another process, so we close the file first and
3078 check that all is well. */
3082 times.modtime = time(NULL);
3083 addr->basic_errno = 0;
3085 /* Handle the case of writing to a new file in a directory. This applies
3086 to all single-file formats - maildir, mailstore, and "smail format". */
3090 if (fstat(fd, &statbuf) < 0)
3092 addr->basic_errno = errno;
3093 addr->message = string_sprintf("while fstatting opened message file %s",
3098 else if (close(fd) < 0)
3100 addr->basic_errno = errno;
3101 addr->message = string_sprintf("close() error for %s",
3102 (ob->mailstore_format) ? dataname : filename);
3106 /* File is successfully written and closed. Arrange to rename it. For the
3107 different kinds of single-file delivery, some games can be played with the
3108 name. The message size is by this time set to the accurate value so that
3109 its value can be used in expansions. */
3113 uschar *renamename = newname;
3116 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3118 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3119 situation. The name is built by expanding the directory_file option, and
3120 we make the inode number available for use in this. The expansion was
3121 checked for syntactic validity above, before we wrote the file.
3123 We have to be careful here, in case the file name exists. (In the other
3124 cases, the names used are constructed to be unique.) The rename()
3125 function just replaces an existing file - we don't want that! So instead
3126 of calling rename(), we must use link() and unlink().
3128 In this case, if the link fails because of an existing file, we wait
3129 for one second and try the expansion again, to see if it produces a
3130 different value. Do this up to 5 times unless the name stops changing.
3131 This makes it possible to build values that are based on the time, and
3132 still cope with races from multiple simultaneous deliveries. */
3137 uschar *old_renameleaf = US"";
3139 for (int i = 0; ; sleep(1), i++)
3141 deliver_inode = statbuf.st_ino;
3142 renameleaf = expand_string(ob->dirfilename);
3147 addr->transport_return = PANIC;
3148 addr->message = string_sprintf("Expansion of \"%s\" "
3149 "(directory_file for %s transport) failed: %s",
3150 ob->dirfilename, tblock->name, expand_string_message);
3154 renamename = string_sprintf("%s/%s", path, renameleaf);
3155 if (Ulink(filename, renamename) < 0)
3157 DEBUG(D_transport) debug_printf("link failed: %s\n",
3159 if (errno != EEXIST || i >= 4 ||
3160 Ustrcmp(renameleaf, old_renameleaf) == 0)
3162 addr->basic_errno = errno;
3163 addr->message = string_sprintf("while renaming %s as %s",
3164 filename, renamename);
3168 old_renameleaf = renameleaf;
3169 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3178 } /* re-expand loop */
3179 } /* not mailstore or maildir */
3181 /* For maildir and mailstore formats, the new name was created earlier,
3182 except that for maildir, there is the possibility of adding a "tag" on
3183 the end of the name by expanding the value of nametag. This usually
3184 includes a reference to the message size. The expansion of nametag was
3185 checked above, before the file was opened. It either succeeded, or
3186 provoked a soft failure. So any failure here can be treated as soft.
3187 Ignore non-printing characters and / and put a colon at the start if the
3188 first character is alphanumeric. */
3194 uschar *iptr = expand_string(nametag);
3197 uschar *etag = store_get(Ustrlen(iptr) + 2, is_tainted(iptr));
3198 uschar *optr = etag;
3199 for ( ; *iptr; iptr++)
3200 if (mac_isgraph(*iptr) && *iptr != '/')
3202 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3206 renamename = string_sprintf("%s%s", newname, etag);
3210 /* Do the rename. If the name is too long and a tag exists, try again
3213 if (Urename(filename, renamename) < 0 &&
3214 (nametag == NULL || errno != ENAMETOOLONG ||
3215 (renamename = newname, Urename(filename, renamename) < 0)))
3217 addr->basic_errno = errno;
3218 addr->message = string_sprintf("while renaming %s as %s",
3219 filename, renamename);
3223 /* Rename succeeded */
3227 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3229 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3231 } /* maildir or mailstore */
3232 } /* successful write + close */
3234 } /* write success */
3237 /* For a file, restore the last access time (atime), and set the modification
3238 time as required - changed if write succeeded, unchanged if not. */
3240 if (!isdirectory) utime(CS filename, ×);
3242 /* Notify comsat if configured to do so. It only makes sense if the configured
3243 file is the one that the comsat daemon knows about. */
3245 if (ob->notify_comsat && yield == OK && deliver_localpart)
3246 notify_comsat(deliver_localpart, saved_size);
3248 /* Pass back the final return code in the address structure */
3251 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3252 yield, addr->basic_errno, addr->more_errno);
3254 addr->transport_return = yield;
3256 /* Close the file, which will release the fcntl lock. For a directory write it
3257 is closed above, except in cases of error which goto RETURN, when we also need
3258 to remove the original file(s). For MBX locking, if all has gone well, before
3259 closing the file, see if we can get an exclusive lock on it, in which case we
3260 can unlink the /tmp lock file before closing it. This is always a non-blocking
3261 lock; there's no need to wait if we can't get it. If everything has gone right
3262 but close fails, defer the message. Then unlink the lock file, if present. This
3263 point in the code is jumped to from a number of places when errors are
3264 detected, in order to get the file closed and the lock file tidied away. */
3269 if (mbx_lockfd >= 0)
3271 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3272 ob->use_flock, 0) >= 0)
3275 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3276 Uunlink(mbx_lockname);
3278 (void)close(mbx_lockfd);
3280 #endif /* SUPPORT_MBX */
3282 if (fd >= 0 && close(fd) < 0 && yield == OK)
3284 addr->basic_errno = errno;
3285 addr->message = string_sprintf("while closing %s", filename);
3286 addr->transport_return = DEFER;
3289 if (hd >= 0) Uunlink(lockname);
3291 /* We get here with isdirectory and filename set only in error situations. */
3293 if (isdirectory && filename)
3296 if (dataname != filename) Uunlink(dataname);
3299 /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3300 file name relies on time + pid. We must not allow the process to finish until
3301 the clock has move on by at least one microsecond. Usually we expect this
3302 already to be the case, but machines keep getting faster... */
3304 if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3306 /* A return of FALSE means that if there was an error, a common error was
3307 put in the first address of a batch. */
3312 addr->message = string_sprintf("Tainted '%s' (file or directory "
3313 "name for %s transport) not permitted", path, tblock->name);
3315 addr->transport_return = PANIC;
3319 #endif /*!MACRO_PREDEF*/
3320 /* End of transport/appendfile.c */
git://git.exim.org / exim.git / blob