1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim maintainers 2020 - 2023 */
6 /* Copyright (c) University of Cambridge 1995 - 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
12 #include "appendfile.h"
14 #ifdef SUPPORT_MAILDIR
15 #include "tf_maildir.h"
19 /* Options specific to the appendfile transport. They must be in alphabetic
20 order (note that "_" comes before the lower case letters). Some of them are
21 stored in the publicly visible instance block - these are flagged with the
23 #define LOFF(field) OPT_OFF(appendfile_transport_options_block, field)
25 optionlist appendfile_transport_options[] = {
26 #ifdef SUPPORT_MAILDIR
27 { "*expand_maildir_use_size_file", opt_stringptr, LOFF(expand_maildir_use_size_file) },
29 { "*set_use_fcntl_lock",opt_bool | opt_hidden, LOFF(set_use_fcntl) },
30 { "*set_use_flock_lock",opt_bool | opt_hidden, LOFF(set_use_flock) },
31 { "*set_use_lockfile", opt_bool | opt_hidden, LOFF(set_use_lockfile) },
33 { "*set_use_mbx_lock", opt_bool | opt_hidden, LOFF(set_use_mbx_lock) },
35 { "allow_fifo", opt_bool, LOFF(allow_fifo) },
36 { "allow_symlink", opt_bool, LOFF(allow_symlink) },
37 { "batch_id", opt_stringptr | opt_public, OPT_OFF(transport_instance, batch_id) },
38 { "batch_max", opt_int | opt_public, OPT_OFF(transport_instance, batch_max) },
39 { "check_group", opt_bool, LOFF(check_group) },
40 { "check_owner", opt_bool, LOFF(check_owner) },
41 { "check_string", opt_stringptr, LOFF(check_string) },
42 { "create_directory", opt_bool, LOFF(create_directory) },
43 { "create_file", opt_stringptr, LOFF(create_file_string) },
44 { "directory", opt_stringptr, LOFF(dirname) },
45 { "directory_file", opt_stringptr, LOFF(dirfilename) },
46 { "directory_mode", opt_octint, LOFF(dirmode) },
47 { "escape_string", opt_stringptr, LOFF(escape_string) },
48 { "file", opt_stringptr, LOFF(filename) },
49 { "file_format", opt_stringptr, LOFF(file_format) },
50 { "file_must_exist", opt_bool, LOFF(file_must_exist) },
51 { "lock_fcntl_timeout", opt_time, LOFF(lock_fcntl_timeout) },
52 { "lock_flock_timeout", opt_time, LOFF(lock_flock_timeout) },
53 { "lock_interval", opt_time, LOFF(lock_interval) },
54 { "lock_retries", opt_int, LOFF(lock_retries) },
55 { "lockfile_mode", opt_octint, LOFF(lockfile_mode) },
56 { "lockfile_timeout", opt_time, LOFF(lockfile_timeout) },
57 { "mailbox_filecount", opt_stringptr, LOFF(mailbox_filecount_string) },
58 { "mailbox_size", opt_stringptr, LOFF(mailbox_size_string) },
59 #ifdef SUPPORT_MAILDIR
60 { "maildir_format", opt_bool, LOFF(maildir_format ) } ,
61 { "maildir_quota_directory_regex", opt_stringptr, LOFF(maildir_dir_regex) },
62 { "maildir_retries", opt_int, LOFF(maildir_retries) },
63 { "maildir_tag", opt_stringptr, LOFF(maildir_tag) },
64 { "maildir_use_size_file", opt_expand_bool, LOFF(maildir_use_size_file ) } ,
65 { "maildirfolder_create_regex", opt_stringptr, LOFF(maildirfolder_create_regex ) },
66 #endif /* SUPPORT_MAILDIR */
67 #ifdef SUPPORT_MAILSTORE
68 { "mailstore_format", opt_bool, LOFF(mailstore_format ) },
69 { "mailstore_prefix", opt_stringptr, LOFF(mailstore_prefix ) },
70 { "mailstore_suffix", opt_stringptr, LOFF(mailstore_suffix ) },
71 #endif /* SUPPORT_MAILSTORE */
73 { "mbx_format", opt_bool, LOFF(mbx_format ) } ,
74 #endif /* SUPPORT_MBX */
75 { "message_prefix", opt_stringptr, LOFF(message_prefix) },
76 { "message_suffix", opt_stringptr, LOFF(message_suffix) },
77 { "mode", opt_octint, LOFF(mode) },
78 { "mode_fail_narrower",opt_bool, LOFF(mode_fail_narrower) },
79 { "notify_comsat", opt_bool, LOFF(notify_comsat) },
80 { "quota", opt_stringptr, LOFF(quota) },
81 { "quota_directory", opt_stringptr, LOFF(quota_directory) },
82 { "quota_filecount", opt_stringptr, LOFF(quota_filecount) },
83 { "quota_is_inclusive", opt_bool, LOFF(quota_is_inclusive) },
84 { "quota_size_regex", opt_stringptr, LOFF(quota_size_regex) },
85 { "quota_warn_message", opt_stringptr | opt_public, OPT_OFF(transport_instance, warn_message) },
86 { "quota_warn_threshold", opt_stringptr, LOFF(quota_warn_threshold) },
87 { "use_bsmtp", opt_bool, LOFF(use_bsmtp) },
88 { "use_crlf", opt_bool, LOFF(use_crlf) },
89 { "use_fcntl_lock", opt_bool_set, LOFF(use_fcntl) },
90 { "use_flock_lock", opt_bool_set, LOFF(use_flock) },
91 { "use_lockfile", opt_bool_set, LOFF(use_lockfile) },
93 { "use_mbx_lock", opt_bool_set, LOFF(use_mbx_lock) },
94 #endif /* SUPPORT_MBX */
97 /* Size of the options list. An extern variable has to be used so that its
98 address can appear in the tables drtables.c. */
100 int appendfile_transport_options_count =
101 sizeof(appendfile_transport_options)/sizeof(optionlist);
107 appendfile_transport_options_block appendfile_transport_option_defaults = {0};
108 void appendfile_transport_init(transport_instance *tblock) {}
109 BOOL appendfile_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
111 #else /*!MACRO_PREDEF*/
113 /* Default private options block for the appendfile transport. */
115 appendfile_transport_options_block appendfile_transport_option_defaults = {
116 /* all non-mentioned members zero/null/false */
117 .dirfilename = US"q${base62:$tod_epoch}-$inode",
118 .create_file_string = US"anywhere",
119 .maildir_dir_regex = US"^(?:cur|new|\\..*)$",
120 .mailbox_size_value = -1,
121 .mailbox_filecount_value = -1,
122 .mode = APPENDFILE_MODE,
123 .dirmode = APPENDFILE_DIRECTORY_MODE,
124 .lockfile_mode = APPENDFILE_LOCKFILE_MODE,
125 .lockfile_timeout = 30*60,
128 .maildir_retries = 10,
129 .create_file = create_anywhere,
131 .create_directory = TRUE,
132 .notify_comsat = FALSE,
133 .use_lockfile = TRUE,
135 .mode_fail_narrower = TRUE,
136 .quota_is_inclusive = TRUE,
140 /* Encodings for mailbox formats, and their names. MBX format is actually
141 supported only if SUPPORT_MBX is set. */
143 enum { mbf_unix, mbf_mbx, mbf_smail, mbf_maildir, mbf_mailstore };
145 static const char *mailbox_formats[] = {
146 "unix", "mbx", "smail", "maildir", "mailstore" };
149 /* Check warn threshold only if quota size set or not a percentage threshold
150 percentage check should only be done if quota > 0 */
152 #define THRESHOLD_CHECK (ob->quota_warn_threshold_value > 0 && \
153 (!ob->quota_warn_threshold_is_percent || ob->quota_value > 0))
156 /*************************************************
157 * Setup entry point *
158 *************************************************/
160 /* Called for each delivery in the privileged state, just before the uid/gid
161 are changed and the main entry point is called. We use this function to
162 expand any quota settings, so that it can access files that may not be readable
163 by the user. It is also used to pick up external mailbox size information, if
167 tblock points to the transport instance
168 addrlist addresses about to be delivered (not used)
169 dummy not used (doesn't pass back data)
170 uid the uid that will be set (not used)
171 gid the gid that will be set (not used)
172 errmsg where to put an error message
174 Returns: OK, FAIL, or DEFER
178 appendfile_transport_setup(transport_instance *tblock, address_item *addrlist,
179 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
181 appendfile_transport_options_block * ob =
182 (appendfile_transport_options_block *)(tblock->options_block);
184 double default_value = 0.0;
186 if (ob->expand_maildir_use_size_file)
188 GET_OPTION("maildir_use_size_file");
189 ob->maildir_use_size_file =
190 expand_check_condition(ob->expand_maildir_use_size_file,
191 US"`maildir_use_size_file` in transport", tblock->name);
194 /* Loop for quota, quota_filecount, quota_warn_threshold, mailbox_size,
199 for (int i = 0; i < 5; i++)
201 double d = default_value;
203 uschar *which = NULL;
209 if (!(s = expand_string(q)))
211 *errmsg = string_sprintf("Expansion of \"%s\" in %s transport failed: "
212 "%s", q, tblock->name, expand_string_message);
213 return f.search_find_defer ? DEFER : FAIL;
216 d = Ustrtod(s, &rest);
218 /* Handle following characters K, M, G, %, the latter being permitted
219 for quota_warn_threshold only. A threshold with no quota setting is
222 if (tolower(*rest) == 'k') { d *= 1024.0; rest++; }
223 else if (tolower(*rest) == 'm') { d *= 1024.0*1024.0; rest++; }
224 else if (tolower(*rest) == 'g') { d *= 1024.0*1024.0*1024.0; rest++; }
225 else if (*rest == '%' && i == 2)
227 if (ob->quota_value <= 0 && !ob->maildir_use_size_file)
229 else if ((int)d < 0 || (int)d > 100)
231 *errmsg = string_sprintf("Invalid quota_warn_threshold percentage (%d)"
232 " for %s transport", (int)d, tblock->name);
235 ob->quota_warn_threshold_is_percent = TRUE;
240 /* For quota and quota_filecount there may be options
241 appended. Currently only "no_check", so we can be lazy parsing it */
242 if (i < 2 && Ustrstr(rest, "/no_check") == rest)
245 rest += sizeof("/no_check") - 1;
248 Uskip_whitespace(&rest);
252 *errmsg = string_sprintf("Malformed value \"%s\" (expansion of \"%s\") "
253 "in %s transport", s, q, tblock->name);
258 /* Set each value, checking for possible overflow. */
263 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
265 ob->quota_value = (off_t)d;
266 ob->quota_no_check = no_check;
267 GET_OPTION("quota_filecount");
268 q = ob->quota_filecount;
272 if (d >= 2.0*1024.0*1024.0*1024.0)
273 which = US"quota_filecount";
274 ob->quota_filecount_value = (int)d;
275 ob->quota_filecount_no_check = no_check;
276 GET_OPTION("quota_warn_threshold");
277 q = ob->quota_warn_threshold;
281 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
282 which = US"quota_warn_threshold";
283 ob->quota_warn_threshold_value = (off_t)d;
284 GET_OPTION("mailbox_size");
285 q = ob->mailbox_size_string;
286 default_value = -1.0;
290 if (d >= 2.0*1024.0*1024.0*1024.0 && sizeof(off_t) <= 4)
291 which = US"mailbox_size";;
292 ob->mailbox_size_value = (off_t)d;
293 GET_OPTION("mailbox_filecount");
294 q = ob->mailbox_filecount_string;
298 if (d >= 2.0*1024.0*1024.0*1024.0)
299 which = US"mailbox_filecount";
300 ob->mailbox_filecount_value = (int)d;
306 *errmsg = string_sprintf("%s value %.10g is too large (overflow) in "
307 "%s transport", which, d, tblock->name);
317 /*************************************************
318 * Initialization entry point *
319 *************************************************/
321 /* Called for each instance, after its options have been read, to
322 enable consistency checks to be done, or anything else that needs
326 appendfile_transport_init(transport_instance *tblock)
328 appendfile_transport_options_block *ob =
329 (appendfile_transport_options_block *)(tblock->options_block);
332 /* Set up the setup entry point, to be called in the privileged state */
334 tblock->setup = appendfile_transport_setup;
336 /* Lock_retries must be greater than zero */
338 if (ob->lock_retries == 0) ob->lock_retries = 1;
340 /* Only one of a file name or directory name must be given. */
342 if (ob->filename && ob->dirname)
343 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
344 "only one of \"file\" or \"directory\" can be specified", tblock->name);
346 /* If a file name was specified, neither quota_filecount nor quota_directory
351 if (ob->quota_filecount)
352 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
353 "quota_filecount must not be set without \"directory\"", tblock->name);
354 if (ob->quota_directory)
355 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
356 "quota_directory must not be set without \"directory\"", tblock->name);
359 /* The default locking depends on whether MBX is set or not. Change the
360 built-in default if none of the lock options has been explicitly set. At least
361 one form of locking is required in all cases, but mbx locking changes the
362 meaning of fcntl and flock locking. */
364 /* Not all operating systems provide flock(). For those that do, if flock is
365 requested, the default for fcntl is FALSE. */
370 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
371 "flock() support was not available in the operating system when this "
372 "binary was built", tblock->name);
373 #endif /* NO_FLOCK */
374 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
379 if (!ob->set_use_lockfile && !ob->set_use_fcntl && !ob->set_use_flock &&
380 !ob->set_use_mbx_lock)
382 ob->use_lockfile = ob->use_flock = FALSE;
383 ob->use_mbx_lock = ob->use_fcntl = TRUE;
385 else if (ob->use_mbx_lock)
387 if (!ob->set_use_lockfile) ob->use_lockfile = FALSE;
388 if (!ob->set_use_fcntl) ob->use_fcntl = FALSE;
389 if (!ob->set_use_flock) ob->use_flock = FALSE;
390 if (!ob->use_fcntl && !ob->use_flock) ob->use_fcntl = TRUE;
392 #endif /* SUPPORT_MBX */
394 if (!ob->use_fcntl && !ob->use_flock && !ob->use_lockfile && !ob->use_mbx_lock)
395 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
396 "no locking configured", tblock->name);
398 /* Unset timeouts for non-used locking types */
400 if (!ob->use_fcntl) ob->lock_fcntl_timeout = 0;
401 if (!ob->use_flock) ob->lock_flock_timeout = 0;
403 /* If a directory name was specified, only one of maildir or mailstore may be
404 specified, and if quota_filecount or quota_directory is given, quota must
409 if (ob->maildir_format && ob->mailstore_format)
410 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
411 "only one of maildir and mailstore may be specified", tblock->name);
412 if (ob->quota_filecount != NULL && !ob->quota)
413 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
414 "quota must be set if quota_filecount is set", tblock->name);
415 if (ob->quota_directory != NULL && !ob->quota)
416 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_FOR, "%s transport:\n "
417 "quota must be set if quota_directory is set", tblock->name);
420 /* If a fixed uid field is set, then a gid field must also be set. */
422 if (tblock->uid_set && !tblock->gid_set && !tblock->expand_gid)
423 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
424 "user set without group for the %s transport", tblock->name);
426 /* If "create_file" is set, check that a valid option is given, and set the
429 if ((s = ob->create_file_string ) && *s)
432 if (Ustrcmp(s, "anywhere") == 0) val = create_anywhere;
433 else if (*s == '/' || Ustrcmp(s, "belowhome") == 0) val = create_belowhome;
434 else if (Ustrcmp(s, "inhome") == 0) val = create_inhome;
436 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
437 "invalid value given for \"create_file\" for the %s transport: '%s'",
439 ob->create_file = val;
442 /* If quota_warn_threshold is set, set up default for warn_message. It may
443 not be used if the actual threshold for a given delivery ends up as zero,
444 of if it's given as a percentage and there's no quota setting. */
446 if (ob->quota_warn_threshold)
448 if (!tblock->warn_message) tblock->warn_message = US
449 "To: $local_part@$domain\n"
450 "Subject: Your mailbox\n\n"
451 "This message is automatically created by mail delivery software (Exim).\n\n"
452 "The size of your mailbox has exceeded a warning threshold that is\n"
453 "set by the system administrator.\n";
456 /* If batch SMTP is set, force the check and escape strings, and arrange that
457 headers are also escaped. */
461 ob->check_string = US".";
462 ob->escape_string = US"..";
463 ob->options |= topt_escape_headers;
466 /* If not batch SMTP, not maildir, not mailstore, and directory is not set,
467 insert default values for for the affixes and the check/escape strings. */
469 else if (!ob->dirname && !ob->maildir_format && !ob->mailstore_format)
471 if (!ob->message_prefix) ob->message_prefix =
472 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
473 if (!ob->message_suffix) ob->message_suffix = US"\n";
474 if (!ob->check_string) ob->check_string = US"From ";
475 if (!ob->escape_string) ob->escape_string = US">From ";
479 /* Set up the bitwise options for transport_write_message from the various
480 driver options. Only one of body_only and headers_only can be set. */
483 (tblock->body_only ? topt_no_headers : 0) |
484 (tblock->headers_only ? topt_no_body : 0) |
485 (tblock->return_path_add ? topt_add_return_path : 0) |
486 (tblock->delivery_date_add ? topt_add_delivery_date : 0) |
487 (tblock->envelope_to_add ? topt_add_envelope_to : 0) |
488 ((ob->use_crlf || ob->mbx_format) ? topt_use_crlf : 0);
493 /*************************************************
495 *************************************************/
497 /* The comsat daemon is the thing that provides asynchronous notification of
498 the arrival of local messages, if requested by the user by "biff y". It is a
499 BSD thing that uses a TCP/IP protocol for communication. A message consisting
500 of the text "user@offset" must be sent, where offset is the place in the
501 mailbox where new mail starts. There is no scope for telling it which file to
502 look at, which makes it a less than useful if mail is being delivered into a
503 non-standard place such as the user's home directory. In fact, it doesn't seem
504 to pay much attention to the offset.
508 offset offset in mailbox
514 notify_comsat(const uschar * user, off_t offset)
520 DEBUG(D_transport) debug_printf("notify_comsat called\n");
522 s = string_sprintf("%.200s@" OFF_T_FMT "\n", user, offset);
524 if ((sp = getservbyname("biff", "udp")) == NULL)
526 DEBUG(D_transport) debug_printf("biff/udp is an unknown service");
530 host.name = US"localhost";
534 /* This code is all set up to look up "localhost" and use all its addresses
535 until one succeeds. However, it appears that at least on some systems, comsat
536 doesn't listen on the ::1 address. So for the moment, just force the address to
537 be 127.0.0.1. At some future stage, when IPv6 really is superseding IPv4, this
538 can be changed. (But actually, comsat is probably dying out anyway.) */
541 if (host_find_byname(&host, NULL, 0, NULL, FALSE) == HOST_FIND_FAILED)
543 DEBUG(D_transport) debug_printf("\"localhost\" unknown\n");
548 host.address = US"127.0.0.1";
551 for (host_item * h = &host; h; h = h->next)
554 int host_af = Ustrchr(h->address, ':') != NULL ? AF_INET6 : AF_INET;
556 DEBUG(D_transport) debug_printf("calling comsat on %s\n", h->address);
558 if ((sock = ip_socket(SOCK_DGRAM, host_af)) < 0) continue;
560 /* Connect never fails for a UDP socket, so don't set a timeout. */
562 (void)ip_connect(sock, host_af, h->address, ntohs(sp->s_port), 0, NULL);
563 rc = send(sock, s, Ustrlen(s) + 1, 0);
568 debug_printf("send to comsat failed for %s: %s\n", strerror(errno),
575 /*************************************************
576 * Check the format of a file *
577 *************************************************/
579 /* This function is called when file_format is set, to check that an existing
580 file has the right format. The format string contains text/transport pairs. The
581 string matching is literal. we just read big_buffer_size bytes, because this is
582 all about the first few bytes of a file.
586 tblock the transport block
587 addr the address block - for inserting error data
589 Returns: pointer to the required transport, or NULL
593 check_file_format(int cfd, transport_instance *tblock, address_item *addr)
595 const uschar *format =
596 ((appendfile_transport_options_block *)(tblock->options_block))->file_format;
598 int len = read(cfd, data, sizeof(data));
602 DEBUG(D_transport) debug_printf("checking file format\n");
604 /* An empty file matches the current transport */
606 if (len == 0) return tblock;
608 /* Search the formats for a match */
610 /* not expanded so cannot be tainted */
611 while ((s = string_nextinlist(&format, &sep, big_buffer, big_buffer_size)))
613 int slen = Ustrlen(s);
614 BOOL match = len >= slen && Ustrncmp(data, s, slen) == 0;
615 uschar *tp = string_nextinlist(&format, &sep, big_buffer, big_buffer_size);
619 for (transport_instance * tt = transports; tt; tt = tt->next)
620 if (Ustrcmp(tp, tt->name) == 0)
623 debug_printf("file format -> %s transport\n", tt->name);
626 addr->basic_errno = ERRNO_BADTRANSPORT;
627 addr->message = string_sprintf("%s transport (for %.*s format) not found",
633 /* Failed to find a match */
635 addr->basic_errno = ERRNO_FORMATUNKNOWN;
636 addr->message = US"mailbox file format unrecognized";
643 /*************************************************
644 * Check directory's files for quota *
645 *************************************************/
647 /* This function is called if quota is set for one of the delivery modes that
648 delivers into a specific directory. It scans the directory and stats all the
649 files in order to get a total size and count. This is an expensive thing to do,
650 but some people are prepared to bear the cost. Alternatively, if size_regex is
651 set, it is used as a regex to try to extract the size from the file name, a
652 strategy that some people use on maildir files on systems where the users have
655 The function is global, because it is also called from tf_maildir.c for maildir
656 folders (which should contain only regular files).
658 Note: Any problems can be written to debugging output, but cannot be written to
659 the log, because we are running as an unprivileged user here.
662 dirname the name of the directory
663 countptr where to add the file count (because this function recurses)
664 re a compiled regex to get the size from a name
666 Returns: the sum of the sizes of the stattable files
667 zero if the directory cannot be opened
671 check_dir_size(const uschar * dirname, int * countptr, const pcre2_code * re)
675 int count = *countptr, lcount = REGEX_LOOPCOUNT_STORE_RESET;
676 rmark reset_point = store_mark();
678 if (!(dir = exim_opendir(dirname))) return 0;
680 for (struct dirent * ent; ent = readdir(dir); )
682 uschar * path, * name = US ent->d_name;
685 if (Ustrcmp(name, ".") == 0 || Ustrcmp(name, "..") == 0) continue;
690 store_reset(reset_point); reset_point = store_mark();
691 lcount = REGEX_LOOPCOUNT_STORE_RESET;
694 /* If there's a regex, try to find the size using it */
698 pcre2_match_data * md = pcre2_match_data_create(2, pcre_gen_ctx);
699 int rc = pcre2_match(re, (PCRE2_SPTR)name, PCRE2_ZERO_TERMINATED,
700 0, 0, md, pcre_gen_mtc_ctx);
701 PCRE2_SIZE * ovec = pcre2_get_ovector_pointer(md);
703 && (rc = pcre2_get_ovector_count(md)) >= 2)
706 off_t size = (off_t)Ustrtod(name + ovec[2], &endptr);
707 if (endptr == name + ovec[3])
711 debug_printf("check_dir_size: size from %s is " OFF_T_FMT "\n", name,
713 /* pcre2_match_data_free(md); gen ctx needs no free */
717 /* pcre2_match_data_free(md); gen ctx needs no free */
719 debug_printf("check_dir_size: regex did not match %s\n", name);
722 /* No regex or no match for the regex, or captured non-digits */
724 path = string_sprintf("%s/%s", dirname, name);
726 if (Ustat(path, &statbuf) < 0)
729 debug_printf("check_dir_size: stat error %d for %s: %s\n", errno, path,
733 if ((statbuf.st_mode & S_IFMT) == S_IFREG)
734 sum += statbuf.st_size / statbuf.st_nlink;
735 else if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
736 sum += check_dir_size(path, &count, re);
741 debug_printf("check_dir_size: dir=%s sum=" OFF_T_FMT " count=%d\n", dirname,
744 store_reset(reset_point);
752 /*************************************************
753 * Apply a lock to a file descriptor *
754 *************************************************/
756 /* This function applies a lock to a file descriptor, using a blocking or
757 non-blocking lock, depending on the timeout value. It can apply either or
758 both of a fcntl() and a flock() lock. However, not all OS support flock();
759 for those that don't, the use_flock option cannot be set.
762 fd the file descriptor
763 fcntltype type of lock, specified as F_WRLCK or F_RDLCK (that is, in
764 fcntl() format); the flock() type is deduced if needed
765 dofcntl do fcntl() locking
766 fcntltime non-zero to use blocking fcntl()
767 doflock do flock() locking
768 flocktime non-zero to use blocking flock()
770 Returns: yield of the fcntl() or flock() call, with errno preserved;
771 sigalrm_seen set if there has been a timeout
775 apply_lock(int fd, int fcntltype, BOOL dofcntl, int fcntltime, BOOL doflock,
780 struct flock lock_data;
781 lock_data.l_type = fcntltype;
782 lock_data.l_whence = lock_data.l_start = lock_data.l_len = 0;
784 sigalrm_seen = FALSE;
791 yield = fcntl(fd, F_SETLKW, &lock_data);
796 else yield = fcntl(fd, F_SETLK, &lock_data);
800 if (doflock && (yield >= 0))
802 int flocktype = (fcntltype == F_WRLCK) ? LOCK_EX : LOCK_SH;
806 yield = flock(fd, flocktype);
811 else yield = flock(fd, flocktype | LOCK_NB);
813 #endif /* NO_FLOCK */
822 /*************************************************
823 * Copy message into MBX mailbox *
824 *************************************************/
826 /* This function is called when a message intended for a MBX mailbox has been
827 written to a temporary file. We can now get the size of the message and then
828 copy it in MBX format to the mailbox.
831 to_fd fd to write to (the real mailbox)
832 from_fd fd to read from (the temporary file)
833 saved_size current size of mailbox
835 Returns: OK if all went well, DEFER otherwise, with errno preserved
836 the number of bytes written are added to transport_count
837 by virtue of calling transport_write_block()
840 /* Values taken from c-client */
842 #define MBX_HDRSIZE 2048
843 #define MBX_NUSERFLAGS 30
846 copy_mbx_message(int to_fd, int from_fd, off_t saved_size)
851 transport_ctx tctx = { .u={.fd = to_fd}, .options = topt_not_socket };
853 /* If the current mailbox size is zero, write a header block */
858 memset (deliver_out_buffer, '\0', MBX_HDRSIZE);
859 sprintf(CS(s = deliver_out_buffer), "*mbx*\015\012%08lx00000000\015\012",
860 (long int)time(NULL));
861 for (int i = 0; i < MBX_NUSERFLAGS; i++)
862 sprintf (CS(s += Ustrlen(s)), "\015\012");
863 if (!transport_write_block (&tctx, deliver_out_buffer, MBX_HDRSIZE, FALSE))
867 DEBUG(D_transport) debug_printf("copying MBX message from temporary file\n");
869 /* Now construct the message's header from the time and the RFC822 file
870 size, including CRLFs, which is the size of the input (temporary) file. */
872 if (fstat(from_fd, &statbuf) < 0) return DEFER;
873 size = statbuf.st_size;
875 sprintf (CS deliver_out_buffer, "%s," OFF_T_FMT ";%08lx%04x-%08x\015\012",
876 tod_stamp(tod_mbx), size, 0L, 0, 0);
877 used = Ustrlen(deliver_out_buffer);
879 /* Rewind the temporary file, and copy it over in chunks. */
881 if (lseek(from_fd, 0 , SEEK_SET) < 0) return DEFER;
885 int len = read(from_fd, deliver_out_buffer + used,
886 DELIVER_OUT_BUFFER_SIZE - used);
889 if (len == 0) errno = ERRNO_MBXLENGTH;
892 if (!transport_write_block(&tctx, deliver_out_buffer, used + len, FALSE))
900 #endif /* SUPPORT_MBX */
904 /*************************************************
905 * Check creation is permitted *
906 *************************************************/
908 /* This function checks whether a given file name is permitted to be created,
909 as controlled by the create_file option. If no home directory is set, however,
910 we can't do any tests.
913 filename the file name
914 create_file the ob->create_file option
915 deliver_dir the delivery directory
917 Returns: TRUE if creation is permitted
921 check_creation(uschar *filename, int create_file, const uschar * deliver_dir)
925 if (deliver_dir && create_file != create_anywhere)
927 int len = Ustrlen(deliver_dir);
928 uschar *file = filename;
930 while (file[0] == '/' && file[1] == '/') file++;
931 if ( Ustrncmp(file, deliver_dir, len) != 0
933 || Ustrchr(file+len+2, '/') != NULL
934 && ( create_file != create_belowhome
935 || Ustrstr(file+len, "/../") != NULL
939 /* If yield is TRUE, the file name starts with the home directory, and does
940 not contain any instances of "/../" in the "belowhome" case. However, it may
941 still contain symbolic links. We can check for this by making use of
942 realpath(), which most Unixes seem to have (but make it possible to cut this
943 out). We can't just use realpath() on the whole file name, because we know
944 the file itself doesn't exist, and intermediate directories may also not
945 exist. What we want to know is the real path of the longest existing part of
946 the path. That must match the home directory's beginning, whichever is the
950 if (yield && create_file == create_belowhome)
954 for (uschar * slash = Ustrrchr(file, '/'); /* There is known to be one */
955 !rp && slash > file; /* Stop if reached beginning */
959 rp = US realpath(CS file, CS big_buffer);
960 next = Ustrrchr(file, '/');
964 /* If rp == NULL it means that none of the relevant directories exist.
965 This is not a problem here - it means that no symbolic links can exist,
966 which is all we are worried about. Otherwise, we must compare it
967 against the start of the home directory. However, that may itself
968 contain symbolic links, so we have to "realpath" it as well, if
973 uschar hdbuffer[PATH_MAX+1];
974 const uschar * rph = deliver_dir;
975 int rlen = Ustrlen(big_buffer);
977 if ((rp = US realpath(CS deliver_dir, CS hdbuffer)))
983 if (rlen > len) rlen = len;
984 if (Ustrncmp(rph, big_buffer, rlen) != 0)
987 DEBUG(D_transport) debug_printf("Real path \"%s\" does not match \"%s\"\n",
988 big_buffer, deliver_dir);
992 #endif /* NO_REALPATH */
1000 /*************************************************
1001 * Main entry point *
1002 *************************************************/
1004 /* See local README for general interface details. This transport always
1005 returns FALSE, indicating that the status which has been placed in the first
1006 address should be copied to any other addresses in a batch.
1008 Appendfile delivery is tricky and has led to various security problems in other
1009 mailers. The logic used here is therefore laid out in some detail. When this
1010 function is called, we are running in a subprocess which has had its gid and
1011 uid set to the appropriate values. Therefore, we cannot write directly to the
1012 exim logs. Any errors must be handled by setting appropriate return codes.
1013 Note that the default setting for addr->transport_return is DEFER, so it need
1014 not be set unless some other value is required.
1016 The code below calls geteuid() rather than getuid() to get the current uid
1017 because in weird configurations not running setuid root there may be a
1018 difference. In the standard configuration, where setuid() has been used in the
1019 delivery process, there will be no difference between the uid and the euid.
1021 (1) If the af_file flag is set, this is a delivery to a file after .forward or
1022 alias expansion. Otherwise, there must be a configured file name or
1025 The following items apply in the case when a file name (as opposed to a
1026 directory name) is given, that is, when appending to a single file:
1028 (2f) Expand the file name.
1030 (3f) If the file name is /dev/null, return success (optimization).
1032 (4f) If the file_format options is set, open the file for reading, and check
1033 that the bytes at the start of the file match one of the given strings.
1034 If the check indicates a transport other than the current one should be
1035 used, pass control to that other transport. Otherwise continue. An empty
1036 or non-existent file matches the current transport. The file is closed
1039 (5f) If a lock file is required, create it (see extensive separate comments
1040 below about the algorithm for doing this). It is important to do this
1041 before opening the mailbox if NFS is in use.
1043 (6f) Stat the file, using lstat() rather than stat(), in order to pick up
1044 details of any symbolic link.
1046 (7f) If the file already exists:
1048 Check the owner and group if necessary, and defer if they are wrong.
1050 If it is a symbolic link AND the allow_symlink option is set (NOT the
1051 default), go back to (6f) but this time use stat() instead of lstat().
1053 If it's not a regular file (or FIFO when permitted), defer delivery.
1055 Check permissions. If the required permissions are *less* than the
1056 existing ones, or supplied by the address (often by the user via filter),
1057 chmod() the file. Otherwise, defer.
1059 Save the inode number.
1061 Open with O_RDRW + O_APPEND, thus failing if the file has vanished.
1063 If open fails because the file does not exist, go to (6f); on any other
1066 Check the inode number hasn't changed - I realize this isn't perfect (an
1067 inode can be reused) but it's cheap and will catch some of the races.
1069 Check it's still a regular file (or FIFO if permitted).
1071 Check that the owner and permissions haven't changed.
1073 If file_format is set, check that the file still matches the format for
1074 the current transport. If not, defer delivery.
1076 (8f) If file does not exist initially:
1078 Open with O_WRONLY + O_EXCL + O_CREAT with configured mode, unless we know
1079 this is via a symbolic link (only possible if allow_symlinks is set), in
1080 which case don't use O_EXCL, as it doesn't work.
1082 If open fails because the file already exists, go to (6f). To avoid
1083 looping for ever in a situation where the file is continuously being
1084 created and deleted, all of this happens inside a loop that operates
1085 lock_retries times and includes the fcntl and flock locking. If the
1086 loop completes without the file getting opened, defer and request
1087 freezing, because something really weird is happening.
1089 If open fails for any other reason, defer for subsequent delivery except
1090 when this is a file delivery resulting from an alias or forward expansion
1091 and the error is EPERM or ENOENT or EACCES, in which case FAIL as this is
1092 most likely a user rather than a configuration error.
1094 (9f) We now have the file checked and open for writing. If so configured, lock
1095 it using fcntl, flock, or MBX locking rules. If this fails, close the file
1096 and goto (6f), up to lock_retries times, after sleeping for a while. If it
1097 still fails, give up and defer delivery.
1099 (10f)Save the access time (for subsequent restoration) and the size of the
1100 file, for comsat and for re-setting if delivery fails in the middle -
1101 e.g. for quota exceeded.
1103 The following items apply in the case when a directory name is given:
1105 (2d) Create a new file in the directory using a temporary name, by opening for
1106 writing and with O_CREAT. If maildir format is being used, the file
1107 is created in a temporary subdirectory with a prescribed name. If
1108 mailstore format is being used, the envelope file is first created with a
1109 temporary name, then the data file.
1111 The following items apply in all cases:
1113 (11) We now have the file open for writing, and locked if it was given as a
1114 file name. Write the message and flush the file, unless there is a setting
1115 of the local quota option, in which case we can check for its excession
1116 without doing any writing.
1118 In the case of MBX format mailboxes, the message is first written to a
1119 temporary file, in order to get its correct length. This is then copied to
1120 the real file, preceded by an MBX header.
1122 If there is a quota error on writing, defer the address. Timeout logic
1123 will determine for how long retries are attempted. We restore the mailbox
1124 to its original length if it's a single file. There doesn't seem to be a
1125 uniform error code for quota excession (it even differs between SunOS4
1126 and some versions of SunOS5) so a system-dependent macro called
1127 ERRNO_QUOTA is used for it, and the value gets put into errno_quota at
1130 For any other error (most commonly disk full), do the same.
1132 The following applies after appending to a file:
1134 (12f)Restore the atime; notify_comsat if required; close the file (which
1135 unlocks it if it was locked). Delete the lock file if it exists.
1137 The following applies after writing a unique file in a directory:
1139 (12d)For maildir format, rename the file into the new directory. For mailstore
1140 format, rename the envelope file to its correct name. Otherwise, generate
1141 a unique name from the directory_file option, and rename to that, possibly
1142 trying a few times if the file exists and re-expanding the name gives a
1145 This transport yields FAIL only when a file name is generated by an alias or
1146 forwarding operation and attempting to open it gives EPERM, ENOENT, or EACCES.
1147 All other failures return DEFER (in addr->transport_return). */
1151 appendfile_transport_entry(
1152 transport_instance *tblock, /* data for this instantiation */
1153 address_item *addr) /* address we are working on */
1155 appendfile_transport_options_block *ob =
1156 (appendfile_transport_options_block *)(tblock->options_block);
1157 struct stat statbuf;
1158 const uschar * deliver_dir;
1159 uschar *fdname = NULL;
1160 uschar *filename = NULL;
1161 uschar *hitchname = NULL;
1162 uschar *dataname = NULL;
1163 uschar *lockname = NULL;
1164 uschar *newname = NULL;
1165 uschar *nametag = NULL;
1167 uschar *filecount_msg = US"";
1169 struct utimbuf times;
1170 struct timeval msg_tv;
1171 BOOL disable_quota = FALSE;
1172 BOOL isdirectory = FALSE;
1173 BOOL isfifo = FALSE;
1174 BOOL wait_for_tick = FALSE;
1175 uid_t uid = geteuid(); /* See note above */
1176 gid_t gid = getegid();
1178 int mode = (addr->mode > 0) ? addr->mode : ob->mode;
1179 off_t saved_size = -1;
1180 off_t mailbox_size = ob->mailbox_size_value;
1181 int mailbox_filecount = ob->mailbox_filecount_value;
1189 int mbx_lockfd = -1;
1190 uschar mbx_lockname[40];
1191 FILE *temp_file = NULL;
1192 #endif /* SUPPORT_MBX */
1194 #ifdef SUPPORT_MAILDIR
1195 int maildirsize_fd = -1; /* fd for maildirsize file */
1196 int maildir_save_errno;
1200 DEBUG(D_transport) debug_printf("appendfile transport entered\n");
1202 /* An "address_file" or "address_directory" transport is used to deliver to
1203 files specified via .forward or an alias file. Prior to release 4.20, the
1204 "file" and "directory" options were ignored in this case. This has been changed
1205 to allow the redirection data to specify what is in effect a folder, whose
1206 location is determined by the options on the transport.
1208 Compatibility with the case when neither option is set is retained by forcing a
1209 value for the file or directory name. A directory delivery is assumed if the
1210 last character of the path from the router is '/'.
1212 The file path is in the local part of the address, but not in the $local_part
1213 variable (that holds the parent local part). It is, however, in the
1214 $address_file variable. Below, we update the local part in the address if it
1215 changes by expansion, so that the final path ends up in the log. */
1217 if (testflag(addr, af_file) && !ob->filename && !ob->dirname)
1219 fdname = US"$address_file";
1220 if (address_file[Ustrlen(address_file)-1] == '/' ||
1221 ob->maildir_format ||
1222 ob->mailstore_format)
1226 /* Handle (a) an "address file" delivery where "file" or "directory" is
1227 explicitly set and (b) a non-address_file delivery, where one of "file" or
1228 "directory" must be set; initialization ensures that they are not both set. */
1232 if (!(fdname = ob->filename))
1234 GET_OPTION("directory");
1235 fdname = ob->dirname;
1240 addr->message = string_sprintf("Mandatory file or directory option "
1241 "missing from %s transport", tblock->name);
1246 /* Maildir and mailstore require a directory */
1248 if ((ob->maildir_format || ob->mailstore_format) && !isdirectory)
1250 addr->message = string_sprintf("mail%s_format requires \"directory\" "
1251 "to be specified for the %s transport",
1252 ob->maildir_format ? "dir" : "store", tblock->name);
1256 if (!(path = expand_string(fdname)))
1258 addr->message = string_sprintf("Expansion of \"%s\" (file or directory "
1259 "name for %s transport) failed: %s", fdname, tblock->name,
1260 expand_string_message);
1266 addr->message = string_sprintf("appendfile: file or directory name "
1267 "\"%s\" is not absolute", path);
1268 addr->basic_errno = ERRNO_NOTABSOLUTE;
1272 /* For a file delivery, make sure the local part in the address(es) is updated
1273 to the true local part. */
1275 if (testflag(addr, af_file))
1276 for (address_item * addr2 = addr; addr2; addr2 = addr2->next)
1277 addr2->local_part = string_copy(path);
1279 /* The available mailbox formats depend on whether it is a directory or a file
1285 #ifdef SUPPORT_MAILDIR
1286 ob->maildir_format ? mbf_maildir :
1288 #ifdef SUPPORT_MAILSTORE
1289 ob->mailstore_format ? mbf_mailstore :
1297 ob->mbx_format ? mbf_mbx :
1304 debug_printf("appendfile: mode=%o notify_comsat=%d quota=" OFF_T_FMT
1306 " warning=" OFF_T_FMT "%s\n"
1307 " %s=%s format=%s\n message_prefix=%s\n message_suffix=%s\n "
1308 "maildir_use_size_file=%s\n",
1309 mode, ob->notify_comsat, ob->quota_value,
1310 ob->quota_no_check ? " (no_check)" : "",
1311 ob->quota_filecount_no_check ? " (no_check_filecount)" : "",
1312 ob->quota_warn_threshold_value,
1313 ob->quota_warn_threshold_is_percent ? "%" : "",
1314 isdirectory ? "directory" : "file",
1315 path, mailbox_formats[mbformat],
1316 !ob->message_prefix ? US"null" : string_printing(ob->message_prefix),
1317 !ob->message_suffix ? US"null" : string_printing(ob->message_suffix),
1318 ob->maildir_use_size_file ? "yes" : "no");
1320 if (!isdirectory) debug_printf(" locking by %s%s%s%s%s\n",
1321 ob->use_lockfile ? "lockfile " : "",
1322 ob->use_mbx_lock ? "mbx locking (" : "",
1323 ob->use_fcntl ? "fcntl " : "",
1324 ob->use_flock ? "flock" : "",
1325 ob->use_mbx_lock ? ")" : "");
1328 /* If the -N option is set, can't do any more. */
1333 debug_printf("*** delivery by %s transport bypassed by -N option\n",
1335 addr->transport_return = OK;
1339 /* If an absolute path was given for create_file the it overrides deliver_home
1340 (here) and de-taints the filename (below, after check_creation() */
1342 deliver_dir = *ob->create_file_string == '/'
1343 ? ob->create_file_string : deliver_home;
1345 /* Handle the case of a file name. If the file name is /dev/null, we can save
1346 ourselves some effort and just give a success return right away. */
1350 BOOL use_lstat = TRUE;
1351 BOOL file_opened = FALSE;
1352 BOOL allow_creation_here = TRUE;
1354 if (Ustrcmp(path, "/dev/null") == 0)
1356 addr->transport_return = OK;
1360 /* Set the name of the file to be opened, and the file to which the data
1361 is written, and find out if we are permitted to create a non-existent file.
1362 If the create_file option is an absolute path and the file was within it,
1363 de-taint. Chaeck for a tainted path. */
1365 if ( (allow_creation_here = check_creation(path, ob->create_file, deliver_dir))
1366 && ob->create_file == create_belowhome)
1367 if (is_tainted(path))
1369 DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
1370 path = string_copy_taint(path, GET_UNTAINTED);
1373 if (is_tainted(path)) goto tainted_ret_panic;
1374 dataname = filename = path;
1376 /* If ob->create_directory is set, attempt to create the directories in
1377 which this mailbox lives, but only if we are permitted to create the file
1378 itself. We know we are dealing with an absolute path, because this was
1381 if (ob->create_directory && allow_creation_here)
1383 uschar *p = Ustrrchr(path, '/');
1384 p = string_copyn(path, p - path);
1385 if (!directory_make(NULL, p, ob->dirmode, FALSE))
1387 addr->basic_errno = errno;
1389 string_sprintf("failed to create directories for %s: %s", path,
1390 exim_errstr(errno));
1391 DEBUG(D_transport) debug_printf("%s transport: %s\n", tblock->name, path);
1396 /* If file_format is set we must check that any existing file matches one of
1397 the configured formats by checking the bytes it starts with. A match then
1398 indicates a specific transport - if it is not this one, pass control to it.
1399 Otherwise carry on here. An empty or non-existent file matches the current
1400 transport. We don't need to distinguish between non-existence and other open
1401 failures because if an existing file fails to open here, it will also fail
1402 again later when O_RDWR is used. */
1404 if (ob->file_format)
1406 int cfd = Uopen(path, O_RDONLY, 0);
1409 transport_instance *tt = check_file_format(cfd, tblock, addr);
1412 /* If another transport is indicated, call it and return; if no transport
1413 was found, just return - the error data will have been set up.*/
1419 set_process_info("delivering %s to %s using %s", message_id,
1420 addr->local_part, tt->name);
1421 debug_print_string(tt->debug_string);
1422 addr->transport = tt;
1423 (tt->info->code)(tt, addr);
1430 /* The locking of mailbox files is worse than the naming of cats, which is
1431 known to be "a difficult matter" (T.S. Eliot) and just as cats must have
1432 three different names, so several different styles of locking are used.
1434 Research in other programs that lock mailboxes shows that there is no
1435 universally standard method. Having mailboxes NFS-mounted on the system that
1436 is delivering mail is not the best thing, but people do run like this,
1437 and so the code must do its best to cope.
1439 Three different locking mechanisms are supported. The initialization function
1440 checks that at least one is configured.
1444 Unless no_use_lockfile is set, we attempt to build a lock file in a way that
1445 will work over NFS. Only after that is done do we actually open the mailbox
1446 and apply locks to it (if configured).
1448 Originally, Exim got the file opened before doing anything about locking.
1449 However, a very occasional problem was observed on Solaris 2 when delivering
1450 over NFS. It is seems that when a file is opened with O_APPEND, the file size
1451 gets remembered at open time. If another process on another host (that's
1452 important) has the file open and locked and writes to it and then releases
1453 the lock while the first process is waiting to get the lock, the first
1454 process may fail to write at the new end point of the file - despite the very
1455 definite statement about O_APPEND in the man page for write(). Experiments
1456 have reproduced this problem, but I do not know any way of forcing a host to
1457 update its attribute cache for an open NFS file. It would be nice if it did
1458 so when a lock was taken out, but this does not seem to happen. Anyway, to
1459 reduce the risk of this problem happening, we now create the lock file
1460 (if configured) *before* opening the mailbox. That will prevent two different
1461 Exims opening the file simultaneously. It may not prevent clashes with MUAs,
1462 however, but Pine at least seems to operate in the same way.
1464 Lockfiles should normally be used when NFS is involved, because of the above
1467 The logic for creating the lock file is:
1469 . The name of the lock file is <mailbox-name>.lock
1471 . First, create a "hitching post" name by adding the primary host name,
1472 current time and pid to the lock file name. This should be unique.
1474 . Create the hitching post file using WRONLY + CREAT + EXCL.
1476 . If that fails EACCES, we assume it means that the user is unable to create
1477 files in the mail spool directory. Some installations might operate in this
1478 manner, so there is a configuration option to allow this state not to be an
1479 error - we proceed to lock using fcntl only, after the file is open.
1481 . Otherwise, an error causes a deferment of the address.
1483 . Hard link the hitching post to the lock file name.
1485 . If the link succeeds, we have successfully created the lock file. Simply
1486 close and unlink the hitching post file.
1488 . If the link does not succeed, proceed as follows:
1490 o Fstat the hitching post file, and then close and unlink it.
1492 o Now examine the stat data. If the number of links to the file is exactly
1493 2, the linking succeeded but for some reason, e.g. an NFS server crash,
1494 the return never made it back, so the link() function gave a failure
1497 . This method allows for the lock file to be created by some other process
1498 right up to the moment of the attempt to hard link it, and is also robust
1499 against NFS server crash-reboots, which would probably result in timeouts
1500 in the middle of link().
1502 . System crashes may cause lock files to get left lying around, and some means
1503 of flushing them is required. The approach of writing a pid (used by smail
1504 and by elm) into the file isn't useful when NFS may be in use. Pine uses a
1505 timeout, which seems a better approach. Since any program that writes to a
1506 mailbox using a lock file should complete its task very quickly, Pine
1507 removes lock files that are older than 5 minutes. We allow the value to be
1508 configurable on the transport.
1512 If use_fcntl_lock is set, then Exim gets an exclusive fcntl() lock on the
1513 mailbox once it is open. This is done by default with a non-blocking lock.
1514 Failures to lock cause retries after a sleep, but only for a certain number
1515 of tries. A blocking lock is deliberately not used so that we don't hold the
1516 mailbox open. This minimizes the possibility of the NFS problem described
1517 under LOCK FILES above, if for some reason NFS deliveries are happening
1518 without lock files. However, the use of a non-blocking lock and sleep, though
1519 the safest approach, does not give the best performance on very busy systems.
1520 A blocking lock plus timeout does better. Therefore Exim has an option to
1521 allow it to work this way. If lock_fcntl_timeout is set greater than zero, it
1522 enables the use of blocking fcntl() calls.
1526 If use_flock_lock is set, then Exim gets an exclusive flock() lock in the
1527 same manner as for fcntl locking above. No-blocking/timeout is also set as
1528 above in lock_flock_timeout. Not all operating systems provide or support
1529 flock(). For those that don't (as determined by the definition of LOCK_SH in
1530 /usr/include/sys/file.h), use_flock_lock may not be set. For some OS, flock()
1531 is implemented (not precisely) on top of fcntl(), which means there's no
1532 point in actually using it.
1536 If use_mbx_lock is set (this is supported only if SUPPORT_MBX is defined)
1537 then the rules used for locking in c-client are used. Exim takes out a shared
1538 lock on the mailbox file, and an exclusive lock on the file whose name is
1539 /tmp/.<device-number>.<inode-number>. The shared lock on the mailbox stops
1540 any other MBX client from getting an exclusive lock on it and expunging it.
1541 It also stops any other MBX client from unlinking the /tmp lock when it has
1544 The exclusive lock on the /tmp file prevents any other MBX client from
1545 updating the mailbox in any way. When writing is finished, if an exclusive
1546 lock on the mailbox can be obtained, indicating there are no current sharers,
1547 the /tmp file is unlinked.
1549 MBX locking can use either fcntl() or flock() locking. If neither
1550 use_fcntl_lock or use_flock_lock is set, it defaults to using fcntl() only.
1551 The calls for getting these locks are by default non-blocking, as for non-mbx
1552 locking, but can be made blocking by setting lock_fcntl_timeout and/or
1553 lock_flock_timeout as appropriate. As MBX delivery doesn't work over NFS, it
1554 probably makes sense to set timeouts for any MBX deliveries. */
1557 /* Build a lock file if configured to do so - the existence of a lock
1558 file is subsequently checked by looking for a non-negative value of the
1559 file descriptor hd - even though the file is no longer open. */
1561 if (ob->use_lockfile)
1563 /* cf. exim_lock.c */
1564 lockname = string_sprintf("%s.lock", filename);
1565 hitchname = string_sprintf( "%s.%s.%08x.%08x", lockname, primary_hostname,
1566 (unsigned int)(time(NULL)), (unsigned int)getpid());
1568 DEBUG(D_transport) debug_printf("lock name: %s\nhitch name: %s\n", lockname,
1571 /* Lock file creation retry loop */
1573 for (i = 0; i < ob->lock_retries; sleep(ob->lock_interval), i++)
1577 hd = Uopen(hitchname, O_WRONLY | O_CREAT | O_EXCL, ob->lockfile_mode);
1580 addr->basic_errno = errno;
1582 string_sprintf("creating lock file hitching post %s "
1583 "(euid=%ld egid=%ld)", hitchname, (long int)geteuid(),
1584 (long int)getegid());
1588 /* Attempt to hitch the hitching post to the lock file. If link()
1589 succeeds (the common case, we hope) all is well. Otherwise, fstat the
1590 file, and get rid of the hitching post. If the number of links was 2,
1591 the link was created, despite the failure of link(). If the hitch was
1592 not successful, try again, having unlinked the lock file if it is too
1595 There's a version of Linux (2.0.27) which doesn't update its local cache
1596 of the inode after link() by default - which many think is a bug - but
1597 if the link succeeds, this code will be OK. It just won't work in the
1598 case when link() fails after having actually created the link. The Linux
1599 NFS person is fixing this; a temporary patch is available if anyone is
1600 sufficiently worried. */
1602 if ((rc = Ulink(hitchname, lockname)) != 0) fstat(hd, &statbuf);
1605 if (rc != 0 && statbuf.st_nlink != 2)
1607 if (ob->lockfile_timeout > 0 && Ustat(lockname, &statbuf) == 0 &&
1608 time(NULL) - statbuf.st_ctime > ob->lockfile_timeout)
1610 DEBUG(D_transport) debug_printf("unlinking timed-out lock file\n");
1613 DEBUG(D_transport) debug_printf("link of hitching post failed - retrying\n");
1617 DEBUG(D_transport) debug_printf("lock file created\n");
1621 /* Check for too many tries at creating the lock file */
1623 if (i >= ob->lock_retries)
1625 addr->basic_errno = ERRNO_LOCKFAILED;
1626 addr->message = string_sprintf("failed to lock mailbox %s (lock file)",
1633 /* We now have to get the file open. First, stat() it and act on existence or
1634 non-existence. This is in a loop to handle the case of a file's being created
1635 or deleted as we watch, and also to handle retries when the locking fails.
1636 Rather than holding the file open while waiting for the fcntl() and/or
1637 flock() lock, we close and do the whole thing again. This should be safer,
1638 especially for NFS files, which might get altered from other hosts, making
1639 their cached sizes incorrect.
1641 With the default settings, no symlinks are permitted, but there is an option
1642 to permit symlinks for those sysadmins that know what they are doing.
1643 Shudder. However, insist that the initial symlink is owned by the right user.
1644 Thus lstat() is used initially; if a symlink is discovered, the loop is
1645 repeated such that stat() is used, to look at the end file. */
1647 for (i = 0; i < ob->lock_retries; i++)
1649 int sleep_before_retry = TRUE;
1650 file_opened = FALSE;
1652 if ((use_lstat ? Ulstat(filename, &statbuf) : Ustat(filename, &statbuf)) != 0)
1654 /* Let's hope that failure to stat (other than non-existence) is a
1657 if (errno != ENOENT)
1659 addr->basic_errno = errno;
1660 addr->message = string_sprintf("attempting to stat mailbox %s",
1665 /* File does not exist. If it is required to pre-exist this state is an
1668 if (ob->file_must_exist)
1670 addr->basic_errno = errno;
1671 addr->message = string_sprintf("mailbox %s does not exist, "
1672 "but file_must_exist is set", filename);
1676 /* If not permitted to create this file because it isn't in or below
1677 the home directory, generate an error. */
1679 if (!allow_creation_here)
1681 addr->basic_errno = ERRNO_BADCREATE;
1682 addr->message = string_sprintf("mailbox %s does not exist, "
1683 "but creation outside the home directory is not permitted",
1688 /* Attempt to create and open the file. If open fails because of
1689 pre-existence, go round the loop again. For any other error, defer the
1690 address, except for an alias or forward generated file name with EPERM,
1691 ENOENT, or EACCES, as those are most likely to be user errors rather
1692 than Exim config errors. When a symbolic link is permitted and points
1693 to a non-existent file, we get here with use_lstat = FALSE. In this case
1694 we mustn't use O_EXCL, since it doesn't work. The file is opened RDRW for
1695 consistency and because MBX locking requires it in order to be able to
1696 get a shared lock. */
1698 fd = Uopen(filename, O_RDWR | O_APPEND | O_CREAT |
1699 (use_lstat ? O_EXCL : 0), mode);
1702 if (errno == EEXIST) continue;
1703 addr->basic_errno = errno;
1704 addr->message = string_sprintf("while creating mailbox %s",
1706 if (testflag(addr, af_file) &&
1707 (errno == EPERM || errno == ENOENT || errno == EACCES))
1708 addr->transport_return = FAIL;
1712 /* We have successfully created and opened the file. Ensure that the group
1713 and the mode are correct. */
1715 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
1717 addr->basic_errno = errno;
1718 addr->message = string_sprintf("while setting perms on mailbox %s",
1720 addr->transport_return = FAIL;
1726 /* The file already exists. Test its type, ownership, and permissions, and
1727 save the inode for checking later. If symlinks are permitted (not the
1728 default or recommended state) it may be a symlink that already exists.
1729 Check its ownership and then look for the file at the end of the link(s).
1730 This at least prevents one user creating a symlink for another user in
1731 a sticky directory. */
1735 int oldmode = (int)statbuf.st_mode;
1736 ino_t inode = statbuf.st_ino;
1737 BOOL islink = (oldmode & S_IFMT) == S_IFLNK;
1739 isfifo = FALSE; /* In case things are changing */
1741 /* Check owner if required - the default. */
1743 if (ob->check_owner && statbuf.st_uid != uid)
1745 addr->basic_errno = ERRNO_BADUGID;
1746 addr->message = string_sprintf("mailbox %s%s has wrong uid "
1747 "(%ld != %ld)", filename,
1748 islink ? " (symlink)" : "",
1749 (long int)(statbuf.st_uid), (long int)uid);
1753 /* Group is checked only if check_group is set. */
1755 if (ob->check_group && statbuf.st_gid != gid)
1757 addr->basic_errno = ERRNO_BADUGID;
1758 addr->message = string_sprintf("mailbox %s%s has wrong gid (%d != %d)",
1759 filename, islink ? " (symlink)" : "", statbuf.st_gid, gid);
1763 /* Just in case this is a sticky-bit mail directory, we don't want
1764 users to be able to create hard links to other users' files. */
1766 if (statbuf.st_nlink != 1)
1768 addr->basic_errno = ERRNO_NOTREGULAR;
1769 addr->message = string_sprintf("mailbox %s%s has too many links (%lu)",
1770 filename, islink ? " (symlink)" : "", (unsigned long)statbuf.st_nlink);
1775 /* If symlinks are permitted (not recommended), the lstat() above will
1776 have found the symlink. Its ownership has just been checked; go round
1777 the loop again, using stat() instead of lstat(). That will never yield a
1780 if (islink && ob->allow_symlink)
1783 i--; /* Don't count this time round */
1787 /* An actual file exists. Check that it is a regular file, or FIFO
1790 if (ob->allow_fifo && (oldmode & S_IFMT) == S_IFIFO) isfifo = TRUE;
1792 else if ((oldmode & S_IFMT) != S_IFREG)
1794 addr->basic_errno = ERRNO_NOTREGULAR;
1795 addr->message = string_sprintf("mailbox %s is not a regular file%s",
1796 filename, ob->allow_fifo ? " or named pipe" : "");
1800 /* If the mode is not what it would be for a newly created file, change
1801 the permissions if the mode is supplied for the address. Otherwise,
1802 reduce but do not extend the permissions. If the newly created
1803 permissions are greater than the existing permissions, don't change
1804 things when the mode is not from the address. */
1806 if ((oldmode &= 07777) != mode)
1808 int diffs = oldmode ^ mode;
1809 if (addr->mode > 0 || (diffs & oldmode) == diffs)
1811 DEBUG(D_transport) debug_printf("chmod %o %s\n", mode, filename);
1812 if (Uchmod(filename, mode) < 0)
1814 addr->basic_errno = errno;
1815 addr->message = string_sprintf("attempting to chmod mailbox %s",
1822 /* Mode not from address, and newly-created permissions are greater
1823 than existing permissions. Default is to complain, but it can be
1824 configured to go ahead and try to deliver anyway if that's what
1825 the administration wants. */
1827 else if (ob->mode_fail_narrower)
1829 addr->basic_errno = ERRNO_BADMODE;
1830 addr->message = string_sprintf("mailbox %s has the wrong mode %o "
1831 "(%o expected)", filename, oldmode, mode);
1836 /* We are happy with the existing file. Open it, and then do further
1837 tests to ensure that it is the same file that we were just looking at.
1838 If the file does not now exist, restart this loop, going back to using
1839 lstat again. For an NFS error, just defer; other opening errors are
1840 more serious. The file is opened RDWR so that its format can be checked,
1841 and also MBX locking requires the use of a shared (read) lock. However,
1842 a FIFO is opened WRONLY + NDELAY so that it fails if there is no process
1843 reading the pipe. */
1845 fd = Uopen(filename, isfifo ? (O_WRONLY|O_NDELAY) : (O_RDWR|O_APPEND),
1849 if (errno == ENOENT)
1854 addr->basic_errno = errno;
1856 addr->message = string_sprintf("while opening named pipe %s "
1857 "(could mean no process is reading it)", filename);
1858 else if (errno != EWOULDBLOCK)
1859 addr->message = string_sprintf("while opening mailbox %s", filename);
1863 /* This fstat really shouldn't fail, as we have an open file! There's a
1864 dilemma here. We use fstat in order to be sure we are peering at the file
1865 we have got open. However, that won't tell us if the file was reached
1866 via a symbolic link. We checked this above, but there is a race exposure
1867 if the link was created between the previous lstat and the open. However,
1868 it would have to be created with the same inode in order to pass the
1869 check below. If ob->allow_symlink is set, causing the use of stat rather
1870 than lstat above, symbolic links may be there anyway, and the checking is
1873 if (fstat(fd, &statbuf) < 0)
1875 addr->basic_errno = errno;
1876 addr->message = string_sprintf("attempting to stat open mailbox %s",
1881 /* Check the inode; this is isn't a perfect check, but gives some
1884 if (inode != statbuf.st_ino)
1886 addr->basic_errno = ERRNO_INODECHANGED;
1887 addr->message = string_sprintf("opened mailbox %s inode number changed "
1888 "from " INO_T_FMT " to " INO_T_FMT, filename, inode, statbuf.st_ino);
1889 addr->special_action = SPECIAL_FREEZE;
1893 /* Check it's still a regular file or FIFO, and the uid, gid, and
1894 permissions have not changed. */
1896 if ((!isfifo && (statbuf.st_mode & S_IFMT) != S_IFREG) ||
1897 (isfifo && (statbuf.st_mode & S_IFMT) != S_IFIFO))
1899 addr->basic_errno = ERRNO_NOTREGULAR;
1901 string_sprintf("opened mailbox %s is no longer a %s", filename,
1902 isfifo ? "named pipe" : "regular file");
1903 addr->special_action = SPECIAL_FREEZE;
1907 if ((ob->check_owner && statbuf.st_uid != uid) ||
1908 (ob->check_group && statbuf.st_gid != gid))
1910 addr->basic_errno = ERRNO_BADUGID;
1912 string_sprintf("opened mailbox %s has wrong uid or gid", filename);
1913 addr->special_action = SPECIAL_FREEZE;
1917 if ((statbuf.st_mode & 07777) != oldmode)
1919 addr->basic_errno = ERRNO_BADMODE;
1920 addr->message = string_sprintf("opened mailbox %s has wrong mode %o "
1921 "(%o expected)", filename, statbuf.st_mode & 07777, mode);
1922 addr->special_action = SPECIAL_FREEZE;
1926 /* If file_format is set, check that the format of the file has not
1927 changed. Error data is set by the testing function. */
1929 if (ob->file_format && check_file_format(fd, tblock, addr) != tblock)
1931 addr->message = US"open mailbox has changed format";
1935 /* The file is OK. Carry on to do the locking. */
1938 /* We now have an open file, and must lock it using fcntl(), flock() or MBX
1939 locking rules if configured to do so. If a lock file is also required, it
1940 was created above and hd was left >= 0. At least one form of locking is
1941 required by the initialization function. If locking fails here, close the
1942 file and go round the loop all over again, after waiting for a bit, unless
1943 blocking locking was used. */
1946 if ((ob->lock_fcntl_timeout > 0) || (ob->lock_flock_timeout > 0))
1947 sleep_before_retry = FALSE;
1949 /* Simple fcntl() and/or flock() locking */
1951 if (!ob->use_mbx_lock && (ob->use_fcntl || ob->use_flock))
1953 if (apply_lock(fd, F_WRLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1954 ob->use_flock, ob->lock_flock_timeout) >= 0) break;
1957 /* MBX locking rules */
1960 else if (ob->use_mbx_lock)
1963 struct stat lstatbuf, statbuf2;
1964 if (apply_lock(fd, F_RDLCK, ob->use_fcntl, ob->lock_fcntl_timeout,
1965 ob->use_flock, ob->lock_flock_timeout) >= 0 &&
1966 fstat(fd, &statbuf) >= 0)
1968 sprintf(CS mbx_lockname, "/tmp/.%lx.%lx", (long)statbuf.st_dev,
1969 (long)statbuf.st_ino);
1972 * 2010-05-29: SECURITY
1973 * Dan Rosenberg reported the presence of a race-condition in the
1974 * original code here. Beware that many systems still allow symlinks
1975 * to be followed in /tmp so an attacker can create a symlink pointing
1976 * elsewhere between a stat and an open, which we should avoid
1979 * It's unfortunate that we can't just use all the heavily debugged
1980 * locking from above.
1982 * Also: remember to mirror changes into exim_lock.c */
1984 /* first leave the old pre-check in place, it provides better
1985 * diagnostics for common cases */
1986 if (Ulstat(mbx_lockname, &statbuf) >= 0)
1988 if ((statbuf.st_mode & S_IFMT) == S_IFLNK)
1990 addr->basic_errno = ERRNO_LOCKFAILED;
1991 addr->message = string_sprintf("symbolic link on MBX lock file %s",
1995 if (statbuf.st_nlink > 1)
1997 addr->basic_errno = ERRNO_LOCKFAILED;
1998 addr->message = string_sprintf("hard link to MBX lock file %s",
2004 /* If we could just declare "we must be the ones who create this
2005 * file" then a hitching post in a subdir would work, since a
2006 * subdir directly in /tmp/ which we create wouldn't follow links
2007 * but this isn't our locking logic, so we can't safely change the
2008 * file existence rules. */
2010 /* On systems which support O_NOFOLLOW, it's the easiest and most
2011 * obviously correct security fix */
2012 mbx_tmp_oflags = O_RDWR | O_CREAT;
2014 mbx_tmp_oflags |= O_NOFOLLOW;
2016 mbx_lockfd = Uopen(mbx_lockname, mbx_tmp_oflags, ob->lockfile_mode);
2019 addr->basic_errno = ERRNO_LOCKFAILED;
2020 addr->message = string_sprintf("failed to open MBX lock file %s :%s",
2021 mbx_lockname, strerror(errno));
2025 if (Ulstat(mbx_lockname, &lstatbuf) < 0)
2027 addr->basic_errno = ERRNO_LOCKFAILED;
2028 addr->message = string_sprintf("attempting to lstat open MBX "
2029 "lock file %s: %s", mbx_lockname, strerror(errno));
2032 if (fstat(mbx_lockfd, &statbuf2) < 0)
2034 addr->basic_errno = ERRNO_LOCKFAILED;
2035 addr->message = string_sprintf("attempting to stat fd of open MBX "
2036 "lock file %s: %s", mbx_lockname, strerror(errno));
2042 * statbuf: if exists, is file which existed prior to opening the
2043 * lockfile, might have been replaced since then
2044 * statbuf2: result of stat'ing the open fd, is what was actually
2046 * lstatbuf: result of lstat'ing the filename immediately after
2047 * the open but there's a race condition again between
2048 * those two steps: before open, symlink to foo, after
2049 * open but before lstat have one of:
2050 * * was no symlink, so is the opened file
2051 * (we created it, no messing possible after that point)
2053 * * symlink elsewhere
2054 * * hardlink elsewhere
2056 * Don't want to compare to device of /tmp because some modern systems
2057 * have regressed to having /tmp be the safe actual filesystem as
2058 * valuable data, so is mostly worthless, unless we assume that *only*
2059 * Linux systems do this and that all Linux has O_NOFOLLOW. Something
2060 * for further consideration.
2061 * No point in doing a readlink on the lockfile as that will always be
2062 * at a different point in time from when we open it, so tells us
2063 * nothing; attempts to clean up and delete after ourselves would risk
2064 * deleting a *third* filename.
2066 if ((statbuf2.st_nlink > 1) ||
2067 (lstatbuf.st_nlink > 1) ||
2068 (!S_ISREG(lstatbuf.st_mode)) ||
2069 (lstatbuf.st_dev != statbuf2.st_dev) ||
2070 (lstatbuf.st_ino != statbuf2.st_ino))
2072 addr->basic_errno = ERRNO_LOCKFAILED;
2073 addr->message = string_sprintf("RACE CONDITION detected: "
2074 "mismatch post-initial-checks between \"%s\" and opened "
2075 "fd lead us to abort!", mbx_lockname);
2079 (void)Uchmod(mbx_lockname, ob->lockfile_mode);
2081 if (apply_lock(mbx_lockfd, F_WRLCK, ob->use_fcntl,
2082 ob->lock_fcntl_timeout, ob->use_flock, ob->lock_flock_timeout) >= 0)
2084 struct stat ostatbuf;
2086 /* This tests for a specific race condition. Ensure that we still
2087 have the same file. */
2089 if (Ulstat(mbx_lockname, &statbuf) == 0 &&
2090 fstat(mbx_lockfd, &ostatbuf) == 0 &&
2091 statbuf.st_dev == ostatbuf.st_dev &&
2092 statbuf.st_ino == ostatbuf.st_ino)
2094 DEBUG(D_transport) debug_printf("MBX lockfile %s changed "
2095 "between creation and locking\n", mbx_lockname);
2098 DEBUG(D_transport) debug_printf("failed to lock %s: %s\n", mbx_lockname,
2100 (void)close(mbx_lockfd);
2105 DEBUG(D_transport) debug_printf("failed to fstat or get read lock on %s: %s\n",
2106 filename, strerror(errno));
2109 #endif /* SUPPORT_MBX */
2111 else break; /* No on-file locking required; break the open/lock loop */
2114 debug_printf("fcntl(), flock(), or MBX locking failed - retrying\n");
2118 use_lstat = TRUE; /* Reset to use lstat first */
2121 /* If a blocking call timed out, break the retry loop if the total time
2122 so far is not less than than retries * interval. Use the larger of the
2123 flock() and fcntl() timeouts. */
2126 (i+1) * ((ob->lock_fcntl_timeout > ob->lock_flock_timeout)?
2127 ob->lock_fcntl_timeout : ob->lock_flock_timeout) >=
2128 ob->lock_retries * ob->lock_interval)
2129 i = ob->lock_retries;
2131 /* Wait a bit before retrying, except when it was a blocked fcntl() or
2132 flock() that caused the problem. */
2134 if (i < ob->lock_retries && sleep_before_retry) sleep(ob->lock_interval);
2137 /* Test for exceeding the maximum number of tries. Either the file remains
2138 locked, or, if we haven't got it open, something is terribly wrong... */
2140 if (i >= ob->lock_retries)
2144 addr->basic_errno = ERRNO_EXISTRACE;
2145 addr->message = string_sprintf("mailbox %s: existence unclear", filename);
2146 addr->special_action = SPECIAL_FREEZE;
2150 addr->basic_errno = ERRNO_LOCKFAILED;
2151 addr->message = string_sprintf("failed to lock mailbox %s (fcntl/flock)",
2157 DEBUG(D_transport) debug_printf("mailbox %s is locked\n", filename);
2159 /* Save access time (for subsequent restoration), modification time (for
2160 restoration if updating fails), size of file (for comsat and for re-setting if
2161 delivery fails in the middle - e.g. for quota exceeded). */
2163 if (fstat(fd, &statbuf) < 0)
2165 addr->basic_errno = errno;
2166 addr->message = string_sprintf("while fstatting opened mailbox %s",
2171 times.actime = statbuf.st_atime;
2172 times.modtime = statbuf.st_mtime;
2173 saved_size = statbuf.st_size;
2174 if (mailbox_size < 0) mailbox_size = saved_size;
2175 mailbox_filecount = 0; /* Not actually relevant for single-file mailbox */
2178 /* Prepare for writing to a new file (as opposed to appending to an old one).
2179 There are several different formats, but there is preliminary stuff concerned
2180 with quotas that applies to all of them. Finding the current size by directory
2181 scanning is expensive; for maildirs some fudges have been invented:
2183 (1) A regex can be used to extract a file size from its name;
2184 (2) If maildir_use_size is set, a maildirsize file is used to cache the
2190 uschar *check_path; /* Default quota check path */
2191 const pcre2_code * re = NULL; /* Regex for file size from file name */
2193 if (!check_creation(string_sprintf("%s/any", path),
2194 ob->create_file, deliver_dir))
2196 addr->basic_errno = ERRNO_BADCREATE;
2197 addr->message = string_sprintf("tried to create file in %s, but "
2198 "file creation outside the home directory is not permitted", path);
2202 /* If the create_file option is an absolute path and the file was within
2203 it, de-taint. Otherwise check for taint. */
2205 if (is_tainted(path))
2206 if (ob->create_file == create_belowhome)
2208 DEBUG(D_transport) debug_printf("de-tainting path '%s'\n", path);
2209 path = string_copy_taint(path, GET_UNTAINTED);
2212 goto tainted_ret_panic;
2216 #ifdef SUPPORT_MAILDIR
2217 /* For a maildir delivery, ensure that all the relevant directories exist,
2218 and a maildirfolder file if necessary. */
2220 if (mbformat == mbf_maildir && !maildir_ensure_directories(path, addr,
2221 ob->create_directory, ob->dirmode, ob->maildirfolder_create_regex))
2223 #endif /* SUPPORT_MAILDIR */
2225 /* If we are going to do a quota check, of if maildir_use_size_file is set
2226 for a maildir delivery, compile the regular expression if there is one. We
2227 may also need to adjust the path that is used. We need to do this for
2228 maildir_use_size_file even if the quota is unset, because we still want to
2229 create the file. When maildir support is not compiled,
2230 ob->maildir_use_size_file is always FALSE. */
2232 if (ob->quota_value > 0 || THRESHOLD_CHECK || ob->maildir_use_size_file)
2234 /* Compile the regex if there is one. */
2236 if (ob->quota_size_regex)
2238 if (!(re = regex_compile(ob->quota_size_regex,
2239 MCS_NOFLAGS, &addr->message, pcre_gen_cmp_ctx)))
2242 DEBUG(D_transport) debug_printf("using regex for file sizes: %s\n",
2243 ob->quota_size_regex);
2246 /* Use an explicitly configured directory if set */
2248 GET_OPTION("quota_directory");
2249 if (ob->quota_directory)
2251 if (!(check_path = expand_string(ob->quota_directory)))
2253 addr->message = string_sprintf("Expansion of \"%s\" (quota_directory "
2254 "name for %s transport) failed: %s", ob->quota_directory,
2255 tblock->name, expand_string_message);
2259 if (check_path[0] != '/')
2261 addr->message = string_sprintf("appendfile: quota_directory name "
2262 "\"%s\" is not absolute", check_path);
2263 addr->basic_errno = ERRNO_NOTABSOLUTE;
2268 #ifdef SUPPORT_MAILDIR
2269 /* Otherwise, if we are handling a maildir delivery, and the directory
2270 contains a file called maildirfolder, this is a maildir++ feature telling
2271 us that this is a sub-directory of the real inbox. We should therefore do
2272 the quota check on the parent directory. Beware of the special case when
2273 the directory name itself ends in a slash. */
2275 else if (mbformat == mbf_maildir)
2277 struct stat statbuf;
2278 if (Ustat(string_sprintf("%s/maildirfolder", path), &statbuf) >= 0)
2280 uschar *new_check_path = string_copy(check_path);
2281 uschar *slash = Ustrrchr(new_check_path, '/');
2287 slash = Ustrrchr(new_check_path, '/');
2292 check_path = new_check_path;
2293 DEBUG(D_transport) debug_printf("maildirfolder file exists: "
2294 "quota check directory changed to %s\n", check_path);
2299 #endif /* SUPPORT_MAILDIR */
2302 /* If we are using maildirsize files, we need to ensure that such a file
2303 exists and, if necessary, recalculate its contents. As a byproduct of this,
2304 we obtain the current size of the maildir. If no quota is to be enforced
2305 (ob->quota_value == 0), we still need the size if a threshold check will
2308 Another regular expression is used to determine which directories inside the
2309 maildir are going to be counted. */
2311 #ifdef SUPPORT_MAILDIR
2312 if (ob->maildir_use_size_file)
2314 const pcre2_code * dir_regex = NULL;
2316 if (ob->maildir_dir_regex)
2318 int check_path_len = Ustrlen(check_path);
2320 if (!(dir_regex = regex_compile(ob->maildir_dir_regex,
2321 MCS_NOFLAGS, &addr->message, pcre_gen_cmp_ctx)))
2325 debug_printf("using regex for maildir directory selection: %s\n",
2326 ob->maildir_dir_regex);
2328 /* Check to see if we are delivering into an ignored directory, that is,
2329 if the delivery path starts with the quota check path, and the rest
2330 of the deliver path matches the regex; if so, set a flag to disable quota
2331 checking and maildirsize updating. */
2333 if (Ustrncmp(path, check_path, check_path_len) == 0)
2335 uschar *s = path + check_path_len;
2336 while (*s == '/') s++;
2337 s = *s ? string_sprintf("%s/new", s) : US"new";
2338 if (!regex_match(dir_regex, s, -1, NULL))
2340 disable_quota = TRUE;
2341 DEBUG(D_transport) debug_printf("delivery directory does not match "
2342 "maildir_quota_directory_regex: disabling quota\n");
2347 /* Quota enforcement; create and check the file. There is some discussion
2348 about whether this should happen if the quota is unset. At present, Exim
2349 always creates the file. If we ever want to change this, uncomment
2350 appropriate lines below, possibly doing a check on some option. */
2352 /* if (???? || ob->quota_value > 0) */
2359 if ((maildirsize_fd = maildir_ensure_sizefile(check_path, ob, re, dir_regex,
2360 &size, &filecount)) == -1)
2362 addr->basic_errno = errno;
2363 addr->message = string_sprintf("while opening or reading "
2364 "%s/maildirsize", check_path);
2367 /* can also return -2, which means that the file was removed because of
2368 raciness; but in this case, the size & filecount will still have been
2371 if (mailbox_size < 0) mailbox_size = size;
2372 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2375 /* No quota enforcement; ensure file does *not* exist; calculate size if
2380 * time_t old_latest;
2381 * (void)unlink(CS string_sprintf("%s/maildirsize", check_path));
2382 * if (THRESHOLD_CHECK)
2383 * mailbox_size = maildir_compute_size(check_path, &mailbox_filecount, &old_latest,
2384 * re, dir_regex, FALSE);
2389 #endif /* SUPPORT_MAILDIR */
2391 /* Otherwise if we are going to do a quota check later on, and the mailbox
2392 size is not set, find the current size of the mailbox. Ditto for the file
2393 count. Note that ob->quota_filecount_value cannot be set without
2394 ob->quota_value being set. */
2397 && (ob->quota_value > 0 || THRESHOLD_CHECK)
2398 && ( mailbox_size < 0
2399 || mailbox_filecount < 0 && ob->quota_filecount_value > 0
2405 debug_printf("quota checks on directory %s\n", check_path);
2406 size = check_dir_size(check_path, &filecount, re);
2407 if (mailbox_size < 0) mailbox_size = size;
2408 if (mailbox_filecount < 0) mailbox_filecount = filecount;
2411 /* Handle the case of creating a unique file in a given directory (not in
2412 maildir or mailstore format - this is how smail did it). A temporary name is
2413 used to create the file. Later, when it is written, the name is changed to a
2414 unique one. There is no need to lock the file. An attempt is made to create
2415 the directory if it does not exist. */
2417 if (mbformat == mbf_smail)
2420 debug_printf("delivering to new file in %s\n", path);
2421 filename = dataname =
2422 string_sprintf("%s/temp.%d.%s", path, (int)getpid(), primary_hostname);
2423 fd = Uopen(filename, O_WRONLY|O_CREAT, mode);
2424 if (fd < 0 && /* failed to open, and */
2425 (errno != ENOENT || /* either not non-exist */
2426 !ob->create_directory || /* or not allowed to make */
2427 !directory_make(NULL, path, ob->dirmode, FALSE) || /* or failed to create dir */
2428 (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)) /* or then failed to open */
2430 addr->basic_errno = errno;
2431 addr->message = string_sprintf("while creating file %s", filename);
2436 #ifdef SUPPORT_MAILDIR
2438 /* Handle the case of a unique file in maildir format. The file is written to
2439 the tmp subdirectory, with a prescribed form of name. */
2441 else if (mbformat == mbf_maildir)
2444 debug_printf("delivering in maildir format in %s\n", path);
2446 GET_OPTION("maildir_tag");
2447 nametag = ob->maildir_tag;
2449 /* Check that nametag expands successfully; a hard failure causes a panic
2450 return. The actual expansion for use happens again later, when
2451 $message_size is accurately known. */
2453 if (nametag && !expand_string(nametag) && !f.expand_string_forcedfail)
2455 addr->message = string_sprintf("Expansion of \"%s\" (maildir_tag "
2456 "for %s transport) failed: %s", nametag, tblock->name,
2457 expand_string_message);
2461 /* We ensured the existence of all the relevant directories above. Attempt
2462 to open the temporary file a limited number of times. I think this rather
2463 scary-looking for statement is actually OK. If open succeeds, the loop is
2464 broken; if not, there is a test on the value of i. Get the time again
2465 afresh each time round the loop. Its value goes into a variable that is
2466 checked at the end, to make sure we don't release this process until the
2467 clock has ticked. */
2469 for (int i = 1;; i++)
2473 (void)gettimeofday(&msg_tv, NULL);
2474 basename = string_sprintf(TIME_T_FMT ".M%luP" PID_T_FMT ".%s",
2475 msg_tv.tv_sec, msg_tv.tv_usec, getpid(), primary_hostname);
2477 filename = dataname = string_sprintf("tmp/%s", basename);
2478 newname = string_sprintf("new/%s", basename);
2480 if (Ustat(filename, &statbuf) == 0)
2482 else if (errno == ENOENT)
2484 if ((fd = Uopen(filename, O_WRONLY | O_CREAT | O_EXCL, mode)) >= 0)
2486 DEBUG (D_transport) debug_printf ("open failed for %s: %s\n",
2487 filename, strerror(errno));
2490 /* Too many retries - give up */
2492 if (i >= ob->maildir_retries)
2494 addr->message = string_sprintf ("failed to open %s (%d tr%s)",
2495 filename, i, (i == 1) ? "y" : "ies");
2496 addr->basic_errno = errno;
2497 if (errno == errno_quota || errno == ENOSPC)
2498 addr->user_message = US"mailbox is full";
2502 /* Open or stat failed but we haven't tried too many times yet. */
2507 /* Note that we have to ensure the clock has ticked before leaving */
2509 wait_for_tick = TRUE;
2511 /* Why are these here? Put in because they are present in the non-maildir
2512 directory case above. */
2514 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2516 addr->basic_errno = errno;
2517 addr->message = string_sprintf("while setting perms on maildir %s",
2523 #endif /* SUPPORT_MAILDIR */
2525 #ifdef SUPPORT_MAILSTORE
2527 /* Handle the case of a unique file in mailstore format. First write the
2528 envelope to a temporary file, then open the main file. The unique base name
2529 for the files consists of the message id plus the pid of this delivery
2535 mailstore_basename = string_sprintf("%s/%s-%s", path, message_id,
2536 string_base62_64((long int)getpid()));
2539 debug_printf("delivering in mailstore format in %s\n", path);
2541 filename = string_sprintf("%s.tmp", mailstore_basename);
2542 newname = string_sprintf("%s.env", mailstore_basename);
2543 dataname = string_sprintf("%s.msg", mailstore_basename);
2545 fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode);
2546 if ( fd < 0 /* failed to open, and */
2547 && ( errno != ENOENT /* either not non-exist */
2548 || !ob->create_directory /* or not allowed to make */
2549 || !directory_make(NULL, path, ob->dirmode, FALSE) /* or failed to create dir */
2550 || (fd = Uopen(filename, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0 /* or then failed to open */
2553 addr->basic_errno = errno;
2554 addr->message = string_sprintf("while creating file %s", filename);
2558 /* Why are these here? Put in because they are present in the non-maildir
2559 directory case above. */
2561 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2563 addr->basic_errno = errno;
2564 addr->message = string_sprintf("while setting perms on file %s",
2569 /* Built a C stream from the open file descriptor. */
2571 if (!(env_file = fdopen(fd, "wb")))
2573 addr->basic_errno = errno;
2574 addr->message = string_sprintf("fdopen of %s ("
2575 "for %s transport) failed", filename, tblock->name);
2581 /* Write the envelope file, then close it. */
2583 GET_OPTION("mailstore_prefix");
2584 if (ob->mailstore_prefix)
2586 uschar * s = expand_string(ob->mailstore_prefix);
2589 if (!f.expand_string_forcedfail)
2591 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2592 "prefix for %s transport) failed: %s", ob->mailstore_prefix,
2593 tblock->name, expand_string_message);
2594 (void)fclose(env_file);
2602 fprintf(env_file, "%s", CS s);
2603 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2607 fprintf(env_file, "%s\n", sender_address);
2609 for (address_item * taddr = addr; taddr; taddr = taddr->next)
2610 fprintf(env_file, "%s@%s\n", taddr->local_part, taddr->domain);
2612 GET_OPTION("mailstore_suffix");
2613 if (ob->mailstore_suffix)
2615 uschar * s = expand_string(ob->mailstore_suffix);
2618 if (!f.expand_string_forcedfail)
2620 addr->message = string_sprintf("Expansion of \"%s\" (mailstore "
2621 "suffix for %s transport) failed: %s", ob->mailstore_suffix,
2622 tblock->name, expand_string_message);
2623 (void)fclose(env_file);
2631 fprintf(env_file, "%s", CS s);
2632 if (n == 0 || s[n-1] != '\n') fprintf(env_file, "\n");
2636 if (fclose(env_file) != 0)
2638 addr->basic_errno = errno;
2639 addr->message = string_sprintf("while closing %s", filename);
2644 DEBUG(D_transport) debug_printf("Envelope file %s written\n", filename);
2646 /* Now open the data file, and ensure that it has the correct ownership and
2649 if ((fd = Uopen(dataname, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0)
2651 addr->basic_errno = errno;
2652 addr->message = string_sprintf("while creating file %s", dataname);
2656 if (exim_chown(dataname, uid, gid) || Uchmod(dataname, mode))
2658 addr->basic_errno = errno;
2659 addr->message = string_sprintf("while setting perms on file %s",
2665 #endif /* SUPPORT_MAILSTORE */
2668 /* In all cases of writing to a new file, ensure that the file which is
2669 going to be renamed has the correct ownership and mode. */
2671 if (exim_chown(filename, uid, gid) || Uchmod(filename, mode))
2673 addr->basic_errno = errno;
2674 addr->message = string_sprintf("while setting perms on file %s",
2681 /* At last we can write the message to the file, preceded by any configured
2682 prefix line, and followed by any configured suffix line. If there are any
2683 writing errors, we must defer. */
2685 DEBUG(D_transport) debug_printf("writing to file %s\n", dataname);
2690 /* If there is a local quota setting, check that we are not going to exceed it
2691 with this message if quota_is_inclusive is set; if it is not set, the check
2692 is for the mailbox already being over quota (i.e. the current message is not
2693 included in the check). */
2695 if (!disable_quota && ob->quota_value > 0)
2699 debug_printf("Exim quota = " OFF_T_FMT " old size = " OFF_T_FMT
2700 " this message = %d (%sincluded)\n",
2701 ob->quota_value, mailbox_size, message_size,
2702 ob->quota_is_inclusive ? "" : "not ");
2703 debug_printf(" file count quota = %d count = %d\n",
2704 ob->quota_filecount_value, mailbox_filecount);
2707 if (mailbox_size + (ob->quota_is_inclusive ? message_size:0) > ob->quota_value)
2708 if (!ob->quota_no_check)
2710 DEBUG(D_transport) debug_printf("mailbox quota exceeded\n");
2712 errno = ERRNO_EXIMQUOTA;
2715 DEBUG(D_transport) debug_printf("mailbox quota exceeded but ignored\n");
2717 if (ob->quota_filecount_value > 0
2718 && mailbox_filecount + (ob->quota_is_inclusive ? 1:0) >
2719 ob->quota_filecount_value)
2720 if (!ob->quota_filecount_no_check)
2722 DEBUG(D_transport) debug_printf("mailbox file count quota exceeded\n");
2724 errno = ERRNO_EXIMQUOTA;
2725 filecount_msg = US" filecount";
2727 else DEBUG(D_transport) if (ob->quota_filecount_no_check)
2728 debug_printf("mailbox file count quota exceeded but ignored\n");
2734 addr->basic_errno = errno;
2735 addr->message = US"Over quota";
2736 addr->transport_return = yield;
2738 debug_printf("appendfile (verify) yields %d with errno=%d more_errno=%d\n",
2739 yield, addr->basic_errno, addr->more_errno);
2744 /* If we are writing in MBX format, what we actually do is to write the message
2745 to a temporary file, and then copy it to the real file once we know its size.
2746 This is the most straightforward way of getting the correct length in the
2747 separator line. So, what we do here is to save the real file descriptor, and
2748 replace it with one for a temporary file. The temporary file gets unlinked once
2749 opened, so that it goes away on closure. */
2752 if (yield == OK && ob->mbx_format)
2754 if (!(temp_file = tmpfile()))
2756 addr->basic_errno = errno;
2757 addr->message = US"while setting up temporary file";
2762 fd = fileno(temp_file);
2763 DEBUG(D_transport) debug_printf("writing to temporary file\n");
2765 #endif /* SUPPORT_MBX */
2767 /* Zero the count of bytes written. It is incremented by the transport_xxx()
2770 transport_count = 0;
2771 transport_newlines = 0;
2773 /* Write any configured prefix text first */
2777 uschar * prefix = ob->message_prefix;
2778 GET_OPTION("message_prefix");
2779 if (prefix && *prefix)
2780 if (!(prefix = expand_string(prefix)))
2782 errno = ERRNO_EXPANDFAIL;
2783 addr->transport_return = PANIC;
2784 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
2785 "transport) failed", ob->message_prefix, tblock->name);
2788 else if (!transport_write_string(fd, "%s", prefix))
2792 /* If the use_bsmtp option is on, we need to write SMTP prefix information. The
2793 various different values for batching are handled outside; if there is more
2794 than one address available here, all must be included. If any address is a
2795 file, use its parent in the RCPT TO. */
2797 if (yield == OK && ob->use_bsmtp)
2799 transport_count = 0;
2800 transport_newlines = 0;
2801 if (ob->use_crlf) cr = US"\r";
2802 if (!transport_write_string(fd, "MAIL FROM:<%s>%s\n", return_path, cr))
2806 transport_newlines++;
2807 for (address_item * a = addr; a; a = a->next)
2809 address_item * b = testflag(a, af_pfr) ? a->parent : a;
2810 if (!transport_write_string(fd, "RCPT TO:<%s>%s\n",
2811 transport_rcpt_address(b, tblock->rcpt_include_affixes), cr))
2812 { yield = DEFER; break; }
2813 transport_newlines++;
2815 if (yield == OK && !transport_write_string(fd, "DATA%s\n", cr))
2818 transport_newlines++;
2822 /* Now the message itself. The options for transport_write_message were set up
2823 at initialization time. */
2827 transport_ctx tctx = {
2831 .check_string = ob->check_string,
2832 .escape_string = ob->escape_string,
2833 .options = ob->options | topt_not_socket
2835 if (!transport_write_message(&tctx, 0))
2839 /* Now a configured suffix. */
2843 uschar * suffix = ob->message_suffix;
2844 GET_OPTION("message_suffix");
2845 if (suffix && *suffix)
2846 if (!(suffix = expand_string(suffix)))
2848 errno = ERRNO_EXPANDFAIL;
2849 addr->transport_return = PANIC;
2850 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
2851 "transport) failed", ob->message_suffix, tblock->name);
2854 else if (!transport_write_string(fd, "%s", suffix))
2858 /* If batch smtp, write the terminating dot. */
2860 if (yield == OK && ob->use_bsmtp)
2861 if (!transport_write_string(fd, ".%s\n", cr)) yield = DEFER;
2862 else transport_newlines++;
2864 /* If MBX format is being used, all that writing was to the temporary file.
2865 However, if there was an earlier failure (Exim quota exceeded, for example),
2866 the temporary file won't have got opened - and no writing will have been done.
2867 If writing was OK, we restore the fd, and call a function that copies the
2868 message in MBX format into the real file. Otherwise use the temporary name in
2872 if (temp_file && ob->mbx_format)
2879 transport_count = 0; /* Reset transport count for actual write */
2880 /* No need to reset transport_newlines as we're just using a block copy
2881 * routine so the number won't be affected */
2882 yield = copy_mbx_message(fd, fileno(temp_file), saved_size);
2884 else if (errno >= 0) dataname = US"temporary file";
2886 /* Preserve errno while closing the temporary file. */
2888 mbx_save_errno = errno;
2889 (void)fclose(temp_file);
2890 errno = mbx_save_errno;
2892 #endif /* SUPPORT_MBX */
2894 /* Force out the remaining data to check for any errors; some OS don't allow
2895 fsync() to be called for a FIFO. */
2897 if (yield == OK && !isfifo && EXIMfsync(fd) < 0) yield = DEFER;
2899 /* Update message_size and message_linecount to the accurate count of bytes
2900 written, including added headers. Note; we subtract 1 from message_linecount as
2901 this variable doesn't count the new line between the header and the body of the
2904 message_size = transport_count;
2905 message_linecount = transport_newlines - 1;
2907 /* If using a maildir++ quota file, add this message's size to it, and
2908 close the file descriptor, except when the quota has been disabled because we
2909 are delivering into an uncounted folder. */
2911 #ifdef SUPPORT_MAILDIR
2914 if (yield == OK && maildirsize_fd >= 0)
2915 maildir_record_length(maildirsize_fd, message_size);
2916 maildir_save_errno = errno; /* Preserve errno while closing the file */
2917 if (maildirsize_fd >= 0)
2918 (void)close(maildirsize_fd);
2919 errno = maildir_save_errno;
2921 #endif /* SUPPORT_MAILDIR */
2923 /* If there is a quota warning threshold and we are have crossed it with this
2924 message, set the SPECIAL_WARN flag in the address, to cause a warning message
2927 if (!disable_quota && THRESHOLD_CHECK)
2929 off_t threshold = ob->quota_warn_threshold_value;
2930 if (ob->quota_warn_threshold_is_percent)
2931 threshold = (off_t)(((double)ob->quota_value * threshold) / 100);
2933 debug_printf("quota = " OFF_T_FMT
2934 " threshold = " OFF_T_FMT
2935 " old size = " OFF_T_FMT
2936 " message size = %d\n",
2937 ob->quota_value, threshold, mailbox_size,
2939 if (mailbox_size <= threshold && mailbox_size + message_size > threshold)
2940 addr->special_action = SPECIAL_WARN;
2942 /******* You might think that the test ought to be this:
2944 * if (ob->quota_value > 0 && threshold > 0 && mailbox_size > 0 &&
2945 * mailbox_size <= threshold && mailbox_size + message_size > threshold)
2947 * (indeed, I was sent a patch with that in). However, it is possible to
2948 * have a warning threshold without actually imposing a quota, and I have
2949 * therefore kept Exim backwards compatible.
2954 /* Handle error while writing the file. Control should come here directly after
2955 the error, with the reason in errno. In the case of expansion failure in prefix
2956 or suffix, it will be ERRNO_EXPANDFAIL. */
2960 addr->special_action = SPECIAL_NONE; /* Cancel any quota warning */
2962 /* Save the error number. If positive, it will ultimately cause a strerror()
2963 call to generate some text. */
2965 addr->basic_errno = errno;
2967 /* For system or Exim quota excession, or disk full, set more_errno to the
2968 time since the file was last read. If delivery was into a directory, the
2969 time since last read logic is not relevant, in general. However, for maildir
2970 deliveries we can approximate it by looking at the last modified time of the
2971 "new" subdirectory. Since Exim won't be adding new messages, a change to the
2972 "new" subdirectory implies that an MUA has moved a message from there to the
2975 if (errno == errno_quota || errno == ERRNO_EXIMQUOTA || errno == ENOSPC)
2977 addr->more_errno = 0;
2978 if (!isdirectory) addr->more_errno = (int)(time(NULL) - times.actime);
2980 #ifdef SUPPORT_MAILDIR
2981 else if (mbformat == mbf_maildir)
2983 struct stat statbuf;
2984 if (Ustat("new", &statbuf) < 0)
2986 DEBUG(D_transport) debug_printf("maildir quota exceeded: "
2987 "stat error %d for \"new\": %s\n", errno, strerror(errno));
2989 else /* Want a repeatable time when in test harness */
2990 addr->more_errno = f.running_in_test_harness ? 10 :
2991 (int)time(NULL) - statbuf.st_mtime;
2994 debug_printf("maildir: time since \"new\" directory modified = %s\n",
2995 readconf_printtime(addr->more_errno));
2997 #endif /* SUPPORT_MAILDIR */
3000 /* Handle system quota excession. Add an explanatory phrase for the error
3001 message, since some systems don't have special quota-excession errors,
3002 and on those that do, "quota" doesn't always mean anything to the user. */
3004 if (errno == errno_quota)
3007 addr->message = string_sprintf("mailbox is full "
3008 "(quota exceeded while writing to file %s)", filename);
3010 addr->message = US"mailbox is full";
3012 addr->user_message = US"mailbox is full";
3013 DEBUG(D_transport) debug_printf("System quota exceeded for %s%s%s\n",
3015 isdirectory ? US"" : US": time since file read = ",
3016 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3019 /* Handle Exim's own quota-imposition */
3021 else if (errno == ERRNO_EXIMQUOTA)
3023 addr->message = string_sprintf("mailbox is full "
3024 "(MTA-imposed%s quota exceeded while writing to %s)", filecount_msg,
3026 addr->user_message = US"mailbox is full";
3027 DEBUG(D_transport) debug_printf("Exim%s quota exceeded for %s%s%s\n",
3028 filecount_msg, dataname,
3029 isdirectory ? US"" : US": time since file read = ",
3030 isdirectory ? US"" : readconf_printtime(addr->more_errno));
3033 /* Handle a process failure while writing via a filter; the return
3034 from child_close() is in more_errno. */
3036 else if (errno == ERRNO_FILTER_FAIL)
3039 addr->message = string_sprintf("transport filter process failed (%d) "
3040 "while writing to %s%s", addr->more_errno, dataname,
3041 (addr->more_errno == EX_EXECFAILED) ? ": unable to execute command" : "");
3044 /* Handle failure to expand header changes */
3046 else if (errno == ERRNO_CHHEADER_FAIL)
3050 string_sprintf("failed to expand headers_add or headers_remove while "
3051 "writing to %s: %s", dataname, expand_string_message);
3054 /* Handle failure to complete writing of a data block */
3056 else if (errno == ERRNO_WRITEINCOMPLETE)
3057 addr->message = string_sprintf("failed to write data block while "
3058 "writing to %s", dataname);
3060 /* Handle length mismatch on MBX copying */
3063 else if (errno == ERRNO_MBXLENGTH)
3064 addr->message = string_sprintf("length mismatch while copying MBX "
3065 "temporary file to %s", dataname);
3066 #endif /* SUPPORT_MBX */
3068 /* For other errors, a general-purpose explanation, if the message is
3071 else if (addr->message == NULL)
3072 addr->message = string_sprintf("error while writing to %s", dataname);
3074 /* For a file, reset the file size to what it was before we started, leaving
3075 the last modification time unchanged, so it will get reset also. All systems
3076 investigated so far have ftruncate(), whereas not all have the F_FREESP
3077 fcntl() call (BSDI & FreeBSD do not). */
3079 if (!isdirectory && ftruncate(fd, saved_size))
3080 DEBUG(D_transport) debug_printf("Error resetting file size\n");
3083 /* Handle successful writing - we want the modification time to be now for
3084 appended files. Remove the default backstop error number. For a directory, now
3085 is the time to rename the file with a unique name. As soon as such a name
3086 appears it may get used by another process, so we close the file first and
3087 check that all is well. */
3091 times.modtime = time(NULL);
3092 addr->basic_errno = 0;
3094 /* Handle the case of writing to a new file in a directory. This applies
3095 to all single-file formats - maildir, mailstore, and "smail format". */
3099 if (fstat(fd, &statbuf) < 0)
3101 addr->basic_errno = errno;
3102 addr->message = string_sprintf("while fstatting opened message file %s",
3107 else if (close(fd) < 0)
3109 addr->basic_errno = errno;
3110 addr->message = string_sprintf("close() error for %s",
3111 (ob->mailstore_format) ? dataname : filename);
3115 /* File is successfully written and closed. Arrange to rename it. For the
3116 different kinds of single-file delivery, some games can be played with the
3117 name. The message size is by this time set to the accurate value so that
3118 its value can be used in expansions. */
3122 uschar *renamename = newname;
3125 DEBUG(D_transport) debug_printf("renaming temporary file\n");
3127 /* If there is no rename name set, we are in a non-maildir, non-mailstore
3128 situation. The name is built by expanding the directory_file option, and
3129 we make the inode number available for use in this. The expansion was
3130 checked for syntactic validity above, before we wrote the file.
3132 We have to be careful here, in case the file name exists. (In the other
3133 cases, the names used are constructed to be unique.) The rename()
3134 function just replaces an existing file - we don't want that! So instead
3135 of calling rename(), we must use link() and unlink().
3137 In this case, if the link fails because of an existing file, we wait
3138 for one second and try the expansion again, to see if it produces a
3139 different value. Do this up to 5 times unless the name stops changing.
3140 This makes it possible to build values that are based on the time, and
3141 still cope with races from multiple simultaneous deliveries. */
3146 uschar *old_renameleaf = US"";
3148 for (int i = 0; ; sleep(1), i++)
3150 deliver_inode = statbuf.st_ino;
3151 renameleaf = expand_string(ob->dirfilename);
3156 addr->transport_return = PANIC;
3157 addr->message = string_sprintf("Expansion of \"%s\" "
3158 "(directory_file for %s transport) failed: %s",
3159 ob->dirfilename, tblock->name, expand_string_message);
3163 renamename = string_sprintf("%s/%s", path, renameleaf);
3164 if (Ulink(filename, renamename) < 0)
3166 DEBUG(D_transport) debug_printf("link failed: %s\n",
3168 if (errno != EEXIST || i >= 4 ||
3169 Ustrcmp(renameleaf, old_renameleaf) == 0)
3171 addr->basic_errno = errno;
3172 addr->message = string_sprintf("while renaming %s as %s",
3173 filename, renamename);
3177 old_renameleaf = renameleaf;
3178 DEBUG(D_transport) debug_printf("%s exists - trying again\n",
3187 } /* re-expand loop */
3188 } /* not mailstore or maildir */
3190 /* For maildir and mailstore formats, the new name was created earlier,
3191 except that for maildir, there is the possibility of adding a "tag" on
3192 the end of the name by expanding the value of nametag. This usually
3193 includes a reference to the message size. The expansion of nametag was
3194 checked above, before the file was opened. It either succeeded, or
3195 provoked a soft failure. So any failure here can be treated as soft.
3196 Ignore non-printing characters and / and put a colon at the start if the
3197 first character is alphanumeric. */
3203 uschar *iptr = expand_string(nametag);
3206 uschar *etag = store_get(Ustrlen(iptr) + 2, iptr);
3207 uschar *optr = etag;
3208 for ( ; *iptr; iptr++)
3209 if (mac_isgraph(*iptr) && *iptr != '/')
3211 if (optr == etag && isalnum(*iptr)) *optr++ = ':';
3215 renamename = string_sprintf("%s%s", newname, etag);
3219 /* Do the rename. If the name is too long and a tag exists, try again
3222 if (Urename(filename, renamename) < 0 &&
3223 (nametag == NULL || errno != ENAMETOOLONG ||
3224 (renamename = newname, Urename(filename, renamename) < 0)))
3226 addr->basic_errno = errno;
3227 addr->message = string_sprintf("while renaming %s as %s",
3228 filename, renamename);
3232 /* Rename succeeded */
3236 DEBUG(D_transport) debug_printf("renamed %s as %s\n", filename,
3238 filename = dataname = NULL; /* Prevents attempt to unlink at end */
3240 } /* maildir or mailstore */
3241 } /* successful write + close */
3243 } /* write success */
3246 /* For a file, restore the last access time (atime), and set the modification
3247 time as required - changed if write succeeded, unchanged if not. */
3249 if (!isdirectory) utime(CS filename, ×);
3251 /* Notify comsat if configured to do so. It only makes sense if the configured
3252 file is the one that the comsat daemon knows about. */
3254 if (ob->notify_comsat && yield == OK && deliver_localpart)
3255 notify_comsat(deliver_localpart, saved_size);
3257 /* Pass back the final return code in the address structure */
3260 debug_printf("appendfile yields %d with errno=%d more_errno=%d\n",
3261 yield, addr->basic_errno, addr->more_errno);
3263 addr->transport_return = yield;
3265 /* Close the file, which will release the fcntl lock. For a directory write it
3266 is closed above, except in cases of error which goto RETURN, when we also need
3267 to remove the original file(s). For MBX locking, if all has gone well, before
3268 closing the file, see if we can get an exclusive lock on it, in which case we
3269 can unlink the /tmp lock file before closing it. This is always a non-blocking
3270 lock; there's no need to wait if we can't get it. If everything has gone right
3271 but close fails, defer the message. Then unlink the lock file, if present. This
3272 point in the code is jumped to from a number of places when errors are
3273 detected, in order to get the file closed and the lock file tidied away. */
3278 if (mbx_lockfd >= 0)
3280 if (yield == OK && apply_lock(fd, F_WRLCK, ob->use_fcntl, 0,
3281 ob->use_flock, 0) >= 0)
3284 debug_printf("unlinking MBX lock file %s\n", mbx_lockname);
3285 Uunlink(mbx_lockname);
3287 (void)close(mbx_lockfd);
3289 #endif /* SUPPORT_MBX */
3291 if (fd >= 0 && close(fd) < 0 && yield == OK)
3293 addr->basic_errno = errno;
3294 addr->message = string_sprintf("while closing %s", filename);
3295 addr->transport_return = DEFER;
3298 if (hd >= 0) Uunlink(lockname);
3300 /* We get here with isdirectory and filename set only in error situations. */
3302 if (isdirectory && filename)
3305 if (dataname != filename) Uunlink(dataname);
3308 /* If wait_for_tick is TRUE, we have done a delivery where the uniqueness of a
3309 file name relies on time + pid. We must not allow the process to finish until
3310 the clock has move on by at least one microsecond. Usually we expect this
3311 already to be the case, but machines keep getting faster... */
3313 if (wait_for_tick) exim_wait_tick(&msg_tv, 1);
3315 /* A return of FALSE means that if there was an error, a common error was
3316 put in the first address of a batch. */
3321 addr->message = string_sprintf("Tainted '%s' (file or directory "
3322 "name for %s transport) not permitted", path, tblock->name);
3324 addr->transport_return = PANIC;
3328 #endif /*!MACRO_PREDEF*/
3329 /* End of transport/appendfile.c */
git://git.exim.org / exim.git / blob