1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim maintainers 2020 - 2023 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
14 #ifdef HAVE_SETCLASSRESOURCES
15 #include <login_cap.h>
20 /* Options specific to the pipe transport. They must be in alphabetic
21 order (note that "_" comes before the lower case letters). Those starting
22 with "*" are not settable by the user but are used by the option-reading
23 software for alternative value types. Some options are stored in the transport
24 instance block so as to be publicly visible; these are flagged with opt_public.
26 #define LOFF(field) OPT_OFF(pipe_transport_options_block, field)
28 optionlist pipe_transport_options[] = {
29 { "allow_commands", opt_stringptr, LOFF(allow_commands) },
30 { "batch_id", opt_stringptr | opt_public,
31 OPT_OFF(transport_instance, batch_id) },
32 { "batch_max", opt_int | opt_public,
33 OPT_OFF(transport_instance, batch_max) },
34 { "check_string", opt_stringptr, LOFF(check_string) },
35 { "command", opt_stringptr, LOFF(cmd) },
36 { "environment", opt_stringptr, LOFF(environment) },
37 { "escape_string", opt_stringptr, LOFF(escape_string) },
38 { "force_command", opt_bool, LOFF(force_command) },
39 { "freeze_exec_fail", opt_bool, LOFF(freeze_exec_fail) },
40 { "freeze_signal", opt_bool, LOFF(freeze_signal) },
41 { "ignore_status", opt_bool, LOFF(ignore_status) },
42 { "log_defer_output", opt_bool | opt_public,
43 OPT_OFF(transport_instance, log_defer_output) },
44 { "log_fail_output", opt_bool | opt_public,
45 OPT_OFF(transport_instance, log_fail_output) },
46 { "log_output", opt_bool | opt_public,
47 OPT_OFF(transport_instance, log_output) },
48 { "max_output", opt_mkint, LOFF(max_output) },
49 { "message_prefix", opt_stringptr, LOFF(message_prefix) },
50 { "message_suffix", opt_stringptr, LOFF(message_suffix) },
51 { "path", opt_stringptr, LOFF(path) },
52 { "permit_coredump", opt_bool, LOFF(permit_coredump) },
53 { "pipe_as_creator", opt_bool | opt_public,
54 OPT_OFF(transport_instance, deliver_as_creator) },
55 { "restrict_to_path", opt_bool, LOFF(restrict_to_path) },
56 { "return_fail_output",opt_bool | opt_public,
57 OPT_OFF(transport_instance, return_fail_output) },
58 { "return_output", opt_bool | opt_public,
59 OPT_OFF(transport_instance, return_output) },
60 { "temp_errors", opt_stringptr, LOFF(temp_errors) },
61 { "timeout", opt_time, LOFF(timeout) },
62 { "timeout_defer", opt_bool, LOFF(timeout_defer) },
63 { "umask", opt_octint, LOFF(umask) },
64 { "use_bsmtp", opt_bool, LOFF(use_bsmtp) },
65 #ifdef HAVE_SETCLASSRESOURCES
66 { "use_classresources", opt_bool, LOFF(use_classresources) },
68 { "use_crlf", opt_bool, LOFF(use_crlf) },
69 { "use_shell", opt_bool, LOFF(use_shell) },
72 /* Size of the options list. An extern variable has to be used so that its
73 address can appear in the tables drtables.c. */
75 int pipe_transport_options_count =
76 sizeof(pipe_transport_options)/sizeof(optionlist);
82 pipe_transport_options_block pipe_transport_option_defaults = {0};
83 void pipe_transport_init(transport_instance *tblock) {}
84 BOOL pipe_transport_entry(transport_instance *tblock, address_item *addr) {return FALSE;}
86 #else /*!MACRO_PREDEF*/
89 /* Default private options block for the pipe transport. */
91 pipe_transport_options_block pipe_transport_option_defaults = {
92 .path = US"/bin:/usr/bin",
93 .temp_errors = US mac_expanded_string(EX_TEMPFAIL) ":"
94 mac_expanded_string(EX_CANTCREAT),
98 /* all others null/zero/false */
103 /*************************************************
104 * Setup entry point *
105 *************************************************/
107 /* Called for each delivery in the privileged state, just before the uid/gid
108 are changed and the main entry point is called. In a system that supports the
109 login_cap facilities, this function is used to set the class resource limits
110 for the user. It may also re-enable coredumps.
113 tblock points to the transport instance
114 addrlist addresses about to be delivered (not used)
115 dummy not used (doesn't pass back data)
116 uid the uid that will be set (not used)
117 gid the gid that will be set (not used)
118 errmsg where to put an error message
120 Returns: OK, FAIL, or DEFER
124 pipe_transport_setup(transport_instance *tblock, address_item *addrlist,
125 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
127 pipe_transport_options_block *ob =
128 (pipe_transport_options_block *)(tblock->options_block);
130 #ifdef HAVE_SETCLASSRESOURCES
131 if (ob->use_classresources)
133 struct passwd *pw = getpwuid(uid);
136 login_cap_t *lc = login_getpwclass(pw);
139 setclassresources(lc);
147 if (ob->permit_coredump)
150 rl.rlim_cur = RLIM_INFINITY;
151 rl.rlim_max = RLIM_INFINITY;
152 if (setrlimit(RLIMIT_CORE, &rl) < 0)
154 #ifdef SETRLIMIT_NOT_SUPPORTED
155 if (errno != ENOSYS && errno != ENOTSUP)
157 log_write(0, LOG_MAIN,
158 "delivery setrlimit(RLIMIT_CORE, RLIM_INFINITY) failed: %s",
169 /*************************************************
170 * Initialization entry point *
171 *************************************************/
173 /* Called for each instance, after its options have been read, to
174 enable consistency checks to be done, or anything else that needs
178 pipe_transport_init(transport_instance *tblock)
180 pipe_transport_options_block *ob =
181 (pipe_transport_options_block *)(tblock->options_block);
183 /* Set up the setup entry point, to be called in the privileged state */
185 tblock->setup = pipe_transport_setup;
187 /* If pipe_as_creator is set, then uid/gid should not be set. */
189 if (tblock->deliver_as_creator && (tblock->uid_set || tblock->gid_set ||
190 tblock->expand_uid != NULL || tblock->expand_gid != NULL))
191 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
192 "both pipe_as_creator and an explicit uid/gid are set for the %s "
193 "transport", tblock->name);
195 /* If a fixed uid field is set, then a gid field must also be set. */
197 if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
198 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
199 "user set without group for the %s transport", tblock->name);
201 /* Temp_errors must consist only of digits and colons, but there can be
202 spaces round the colons, so allow them too. */
204 if (ob->temp_errors != NULL && Ustrcmp(ob->temp_errors, "*") != 0)
206 size_t p = Ustrspn(ob->temp_errors, "0123456789: ");
207 if (ob->temp_errors[p] != 0)
208 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
209 "temp_errors must be a list of numbers or an asterisk for the %s "
210 "transport", tblock->name);
213 /* Only one of return_output/return_fail_output or log_output/log_fail_output
216 if (tblock->return_output && tblock->return_fail_output)
217 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
218 "both return_output and return_fail_output set for %s transport",
221 if (tblock->log_output && tblock->log_fail_output)
222 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
223 "both log_output and log_fail_output set for the %s transport",
226 /* If batch SMTP is set, force the check and escape strings, and arrange that
227 headers are also escaped. */
231 ob->check_string = US".";
232 ob->escape_string = US"..";
233 ob->options |= topt_escape_headers;
236 /* If not batch SMTP, and message_prefix or message_suffix are unset, insert
237 default values for them. */
241 if (ob->message_prefix == NULL) ob->message_prefix =
242 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
243 if (ob->message_suffix == NULL) ob->message_suffix = US"\n";
246 /* The restrict_to_path and use_shell options are incompatible */
248 if (ob->restrict_to_path && ob->use_shell)
249 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
250 "both restrict_to_path and use_shell set for %s transport",
253 /* The allow_commands and use_shell options are incompatible */
255 if (ob->allow_commands && ob->use_shell)
256 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
257 "both allow_commands and use_shell set for %s transport",
260 /* Set up the bitwise options for transport_write_message from the various
261 driver options. Only one of body_only and headers_only can be set. */
264 (tblock->body_only ? topt_no_headers : 0)
265 | (tblock->headers_only ? topt_no_body : 0)
266 | (tblock->return_path_add ? topt_add_return_path : 0)
267 | (tblock->delivery_date_add ? topt_add_delivery_date : 0)
268 | (tblock->envelope_to_add ? topt_add_envelope_to : 0)
269 | (ob->use_crlf ? topt_use_crlf : 0);
274 /*************************************************
275 * Set up direct (non-shell) command *
276 *************************************************/
278 /* This function is called when a command line is to be parsed by the transport
279 and executed directly, without the use of /bin/sh.
282 argvptr pointer to anchor for argv vector
283 cmd points to the command string
284 expand_arguments true if expansion is to occur
285 expand_fail error if expansion fails
286 addr chain of addresses
287 tname the transport name
288 ob the transport options block
290 Returns: TRUE if all went well; otherwise an error will be
291 set in the first address and FALSE returned
295 set_up_direct_command(const uschar *** argvptr, const uschar * cmd,
296 BOOL expand_arguments, int expand_fail, address_item * addr, uschar * tname,
297 pipe_transport_options_block * ob)
299 BOOL permitted = FALSE;
302 /* Set up "transport <name>" to be put in any error messages, and then
303 call the common function for creating an argument list and expanding
304 the items if necessary. If it fails, this function fails (error information
305 is in the addresses). */
307 if (!transport_set_up_command(argvptr, cmd,
308 expand_arguments ? TSUC_EXPAND_ARGS : 0,
309 expand_fail, addr, string_sprintf("%.50s transport", tname), NULL))
312 /* Point to the set-up arguments. */
316 /* If allow_commands is set, see if the command is in the permitted list. */
318 GET_OPTION("allow_commands");
319 if (ob->allow_commands)
325 if (!(s = expand_string(ob->allow_commands)))
327 addr->transport_return = DEFER;
328 addr->message = string_sprintf("failed to expand string \"%s\" "
329 "for %s transport: %s", ob->allow_commands, tname, expand_string_message);
333 while ((p = string_nextinlist(&s, &sep, NULL, 0)))
334 if (Ustrcmp(p, argv[0]) == 0) { permitted = TRUE; break; }
337 /* If permitted is TRUE it means the command was found in the allowed list, and
338 no further checks are done. If permitted = FALSE, it either means
339 allow_commands wasn't set, or that the command didn't match anything in the
340 list. In both cases, if restrict_to_path is set, we fail if the command
341 contains any slashes, but if restrict_to_path is not set, we must fail the
342 command only if allow_commands is set. */
346 if (ob->restrict_to_path)
348 if (Ustrchr(argv[0], '/') != NULL)
350 addr->transport_return = FAIL;
351 addr->message = string_sprintf("\"/\" found in \"%s\" (command for %s "
352 "transport) - failed for security reasons", cmd, tname);
357 else if (ob->allow_commands)
359 addr->transport_return = FAIL;
360 addr->message = string_sprintf("\"%s\" command not permitted by %s "
361 "transport", argv[0], tname);
366 /* If the command is not an absolute path, search the PATH directories
369 if (argv[0][0] != '/')
375 for (const uschar * listptr = expand_string(ob->path);
376 p = string_nextinlist(&listptr, &sep, NULL, 0); )
379 sprintf(CS big_buffer, "%.256s/%.256s", p, argv[0]);
380 if (Ustat(big_buffer, &statbuf) == 0)
382 argv[0] = string_copy(big_buffer);
388 addr->transport_return = FAIL;
389 addr->message = string_sprintf("\"%s\" command not found for %s transport",
399 /*************************************************
400 * Set up shell command *
401 *************************************************/
403 /* This function is called when a command line is to be passed to /bin/sh
404 without parsing inside the transport.
407 argvptr pointer to anchor for argv vector
408 cmd points to the command string
409 expand_arguments true if expansion is to occur
410 expand_fail error if expansion fails
411 addr chain of addresses
412 tname the transport name
414 Returns: TRUE if all went well; otherwise an error will be
415 set in the first address and FALSE returned
419 set_up_shell_command(const uschar *** argvptr, const uschar * cmd,
420 BOOL expand_arguments, int expand_fail, address_item * addr, uschar * tname)
424 *argvptr = argv = store_get((4)*sizeof(uschar *), GET_UNTAINTED);
426 argv[0] = US"/bin/sh";
429 /* We have to take special action to handle the special "variable" called
430 $pipe_addresses, which is not recognized by the normal expansion function. */
432 if (expand_arguments)
434 uschar * p = Ustrstr(cmd, "pipe_addresses");
438 debug_printf("shell pipe command before expansion:\n %s\n", cmd);
440 /* Allow $recipients in the expansion iff it comes from a system filter */
442 f.enable_dollar_recipients = addr && addr->parent &&
443 Ustrcmp(addr->parent->address, "system-filter") == 0;
446 (p > cmd && p[-1] == '$') ||
447 (p > cmd + 1 && p[-2] == '$' && p[-1] == '{' && p[14] == '}')))
451 if (p[-1] == '{') { q++; p--; }
453 g = string_get(Ustrlen(cmd) + 64);
454 g = string_catn(g, cmd, p - cmd - 1);
456 for (address_item * ad = addr; ad; ad = ad->next)
458 DEBUG(D_transport) if (is_tainted(ad->address))
459 debug_printf("tainted element '%s' from $pipe_addresses\n", ad->address);
461 /*XXX string_append_listele() ? */
462 if (ad != addr) g = string_catn(g, US" ", 1);
463 g = string_cat(g, ad->address);
466 g = string_cat(g, q);
467 argv[2] = (cmd = string_from_gstring(g)) ? expand_cstring(cmd) : NULL;
470 argv[2] = expand_cstring(cmd);
472 f.enable_dollar_recipients = FALSE;
476 addr->transport_return = f.search_find_defer ? DEFER : expand_fail;
477 addr->message = string_sprintf("Expansion of command \"%s\" "
478 "in %s transport failed: %s",
479 cmd, tname, expand_string_message);
484 debug_printf("shell pipe command after expansion:\n %s\n", argv[2]);
489 debug_printf("shell pipe command (no expansion):\n %s\n", cmd);
500 /*************************************************
502 *************************************************/
504 /* See local README for interface details. This transport always returns FALSE,
505 indicating that the status in the first address is the status for all addresses
509 pipe_transport_entry(
510 transport_instance *tblock, /* data for this instantiation */
511 address_item *addr) /* address(es) we are working on */
514 int fd_in, fd_out, rc;
518 pipe_transport_options_block *ob =
519 (pipe_transport_options_block *)(tblock->options_block);
520 int timeout = ob->timeout;
521 BOOL written_ok = FALSE;
522 BOOL expand_arguments;
523 const uschar ** argv;
525 const uschar * envlist = ob->environment;
528 uschar * eol = ob->use_crlf ? US"\r\n" : US"\n";
529 transport_ctx tctx = {
532 .check_string = ob->check_string,
533 .escape_string = ob->escape_string,
534 ob->options | topt_not_socket /* set at initialization time */
537 DEBUG(D_transport) debug_printf("%s transport entered\n", tblock->name);
539 /* Set up for the good case */
541 addr->transport_return = OK;
542 addr->basic_errno = 0;
544 /* Pipes are not accepted as general addresses, but they can be generated from
545 .forward files or alias files. In those cases, the pfr flag is set, and the
546 command to be obeyed is pointed to by addr->local_part; it starts with the pipe
547 symbol. In other cases, the command is supplied as one of the pipe transport's
550 if (testflag(addr, af_pfr) && addr->local_part[0] == '|')
551 if (ob->force_command)
553 /* Enables expansion of $address_pipe into separate arguments */
554 setflag(addr, af_force_command);
555 GET_OPTION("commsnd");
557 expand_arguments = TRUE;
562 cmd = addr->local_part + 1;
563 while (isspace(*cmd)) cmd++;
564 expand_arguments = testflag(addr, af_expand_pipe);
569 GET_OPTION("commsnd");
571 expand_arguments = TRUE;
575 /* If no command has been supplied, we are in trouble.
576 We also check for an empty string since it may be
577 coming from addr->local_part[0] == '|' */
581 addr->transport_return = DEFER;
582 addr->message = string_sprintf("no command specified for %s transport",
588 DEBUG(D_transport) debug_printf("cmd '%s' is tainted\n", cmd);
589 addr->message = string_sprintf("Tainted '%s' (command "
590 "for %s transport) not permitted", cmd, tblock->name);
591 addr->transport_return = PANIC;
595 /* When a pipe is set up by a filter file, there may be values for $thisaddress
596 and numerical the variables in existence. These are passed in
597 addr->pipe_expandn for use here. */
599 if (expand_arguments && addr->pipe_expandn)
601 uschar **ss = addr->pipe_expandn;
603 if (*ss) filter_thisaddress = *ss++;
606 expand_nstring[++expand_nmax] = *ss;
607 expand_nlength[expand_nmax] = Ustrlen(*ss++);
611 /* The default way of processing the command is to split it up into arguments
612 here, and run it directly. This offers some security advantages. However, there
613 are installations that want by default to run commands under /bin/sh always, so
614 there is an option to do that. */
618 if (!set_up_shell_command(&argv, cmd, expand_arguments, expand_fail, addr,
619 tblock->name)) return FALSE;
621 else if (!set_up_direct_command(&argv, cmd, expand_arguments, expand_fail, addr,
622 tblock->name, ob)) return FALSE;
624 expand_nmax = -1; /* Reset */
625 filter_thisaddress = NULL;
627 /* Set up the environment for the command. */
629 envp[envcount++] = string_sprintf("LOCAL_PART=%s", deliver_localpart);
630 envp[envcount++] = string_sprintf("LOGNAME=%s", deliver_localpart);
631 envp[envcount++] = string_sprintf("USER=%s", deliver_localpart);
632 envp[envcount++] = string_sprintf("LOCAL_PART_PREFIX=%#s",
633 deliver_localpart_prefix);
634 envp[envcount++] = string_sprintf("LOCAL_PART_SUFFIX=%#s",
635 deliver_localpart_suffix);
636 envp[envcount++] = string_sprintf("DOMAIN=%s", deliver_domain);
637 envp[envcount++] = string_sprintf("HOME=%#s", deliver_home);
638 envp[envcount++] = string_sprintf("MESSAGE_ID=%s", message_id);
639 envp[envcount++] = string_sprintf("PATH=%s", expand_string(ob->path));
640 envp[envcount++] = string_sprintf("RECIPIENT=%#s%#s%#s@%#s",
641 deliver_localpart_prefix, deliver_localpart, deliver_localpart_suffix,
643 envp[envcount++] = string_sprintf("QUALIFY_DOMAIN=%s", qualify_domain_sender);
644 envp[envcount++] = string_sprintf("SENDER=%s", sender_address);
645 envp[envcount++] = US"SHELL=/bin/sh";
648 envp[envcount++] = string_sprintf("HOST=%s", addr->host_list->name);
650 if (f.timestamps_utc)
651 envp[envcount++] = US"TZ=UTC";
652 else if (timezone_string && timezone_string[0])
653 envp[envcount++] = string_sprintf("TZ=%s", timezone_string);
655 /* Add any requested items */
657 GET_OPTION("environment");
659 if (!(envlist = expand_cstring(envlist)))
661 addr->transport_return = DEFER;
662 addr->message = string_sprintf("failed to expand string \"%s\" "
663 "for %s transport: %s", ob->environment, tblock->name,
664 expand_string_message);
668 while ((ss = string_nextinlist(&envlist, &envsep, NULL, 0)))
670 if (envcount > nelem(envp) - 2)
672 addr->transport_return = DEFER;
673 addr->basic_errno = E2BIG;
674 addr->message = string_sprintf("too many environment settings for "
675 "%s transport", tblock->name);
678 envp[envcount++] = string_copy(ss);
681 envp[envcount] = NULL;
683 /* If the -N option is set, can't do any more. */
688 debug_printf("*** delivery by %s transport bypassed by -N option",
694 /* Handling the output from the pipe is tricky. If a file for catching this
695 output is provided, we could in theory just hand that fd over to the process,
696 but this isn't very safe because it might loop and carry on writing for
697 ever (which is exactly what happened in early versions of Exim). Therefore we
698 use the standard child_open() function, which creates pipes. We can then read
699 our end of the output pipe and count the number of bytes that come through,
700 chopping the sub-process if it exceeds some limit.
702 However, this means we want to run a sub-process with both its input and output
703 attached to pipes. We can't handle that easily from a single parent process
704 using straightforward code such as the transport_write_message() function
705 because the subprocess might not be reading its input because it is trying to
706 write to a full output pipe. The complication of redesigning the world to
707 handle this is too great - simpler just to run another process to do the
708 reading of the output pipe. */
711 /* As this is a local transport, we are already running with the required
712 uid/gid and current directory. Request that the new process be a process group
713 leader, so we can kill it and all its children on a timeout. */
715 if ((pid = child_open(USS argv, envp, ob->umask, &fd_in, &fd_out, TRUE,
716 US"pipe-tpt-cmd")) < 0)
718 addr->transport_return = DEFER;
719 addr->message = string_sprintf(
720 "Failed to create child process for %s transport: %s", tblock->name,
726 /* Now fork a process to handle the output that comes down the pipe. */
728 if ((outpid = exim_fork(US"pipe-tpt-output")) < 0)
730 addr->basic_errno = errno;
731 addr->transport_return = DEFER;
732 addr->message = string_sprintf(
733 "Failed to create process for handling output in %s transport",
740 /* This is the code for the output-handling subprocess. Read from the pipe
741 in chunks, and write to the return file if one is provided. Keep track of
742 the number of bytes handled. If the limit is exceeded, try to kill the
743 subprocess group, and in any case close the pipe and exit, which should cause
744 the subprocess to fail. */
750 set_process_info("reading output from |%s", cmd);
751 while ((rc = read(fd_out, big_buffer, big_buffer_size)) > 0)
753 if (addr->return_file >= 0)
754 if(write(addr->return_file, big_buffer, rc) != rc)
755 DEBUG(D_transport) debug_printf("Problem writing to return_file\n");
757 if (count > ob->max_output)
759 DEBUG(D_transport) debug_printf("Too much output from pipe - killed\n");
760 if (addr->return_file >= 0)
762 uschar *message = US"\n\n*** Too much output - remainder discarded ***\n";
763 rc = Ustrlen(message);
764 if(write(addr->return_file, message, rc) != rc)
765 DEBUG(D_transport) debug_printf("Problem writing to return_file\n");
767 killpg(pid, SIGKILL);
775 (void)close(fd_out); /* Not used in this process */
778 /* Carrying on now with the main parent process. Attempt to write the message
779 to it down the pipe. It is a fallacy to think that you can detect write errors
780 when the sub-process fails to read the pipe. The parent process may complete
781 writing and close the pipe before the sub-process completes. We could sleep a
782 bit here to let the sub-process get going, but it may still not complete. So we
783 ignore all writing errors. (When in the test harness, we do do a short sleep so
784 any debugging output is likely to be in the same order.) */
786 testharness_pause_ms(500);
788 DEBUG(D_transport) debug_printf("Writing message to pipe\n");
790 /* Arrange to time out writes if there is a timeout set. */
794 sigalrm_seen = FALSE;
795 transport_write_timeout = timeout;
798 /* Reset the counter of bytes written */
802 /* First write any configured prefix information */
804 GET_OPTION("message_prefix");
805 if (ob->message_prefix)
807 uschar * prefix = expand_string(ob->message_prefix);
810 addr->transport_return = f.search_find_defer? DEFER : PANIC;
811 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
812 "transport) failed: %s", ob->message_prefix, tblock->name,
813 expand_string_message);
816 if (!transport_write_block(&tctx, prefix, Ustrlen(prefix), FALSE))
820 /* If the use_bsmtp option is set, we need to write SMTP prefix information.
821 The various different values for batching are handled outside; if there is more
822 than one address available here, all must be included. Force SMTP dot-handling.
827 if (!transport_write_string(fd_in, "MAIL FROM:<%s>%s", return_path, eol))
830 for (address_item * a = addr; a; a = a->next)
831 if (!transport_write_string(fd_in,
833 transport_rcpt_address(a, tblock->rcpt_include_affixes),
837 if (!transport_write_string(fd_in, "DATA%s", eol)) goto END_WRITE;
840 /* Now the actual message */
842 if (!transport_write_message(&tctx, 0))
845 /* Now any configured suffix */
847 GET_OPTION("message_suffix");
848 if (ob->message_suffix)
850 uschar * suffix = expand_string(ob->message_suffix);
853 addr->transport_return = f.search_find_defer? DEFER : PANIC;
854 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
855 "transport) failed: %s", ob->message_suffix, tblock->name,
856 expand_string_message);
859 if (!transport_write_block(&tctx, suffix, Ustrlen(suffix), FALSE))
863 /* If local_smtp, write the terminating dot. */
865 if (ob->use_bsmtp && !transport_write_string(fd_in, ".%s", eol))
868 /* Flag all writing completed successfully. */
872 /* Come here if there are errors during writing. */
876 /* OK, the writing is now all done. Close the pipe. */
880 /* Handle errors during writing. For timeouts, set the timeout for waiting for
881 the child process to 1 second. If the process at the far end of the pipe died
882 without reading all of it, we expect an EPIPE error, which should be ignored.
883 We used also to ignore WRITEINCOMPLETE but the writing function is now cleverer
884 at handling OS where the death of a pipe doesn't give EPIPE immediately. See
889 if (errno == ETIMEDOUT)
891 addr->message = string_sprintf("%stimeout while writing to pipe",
892 f.transport_filter_timed_out ? "transport filter " : "");
893 addr->transport_return = ob->timeout_defer? DEFER : FAIL;
896 else if (errno == EPIPE)
898 debug_printf("transport error EPIPE ignored\n");
902 addr->transport_return = PANIC;
903 addr->basic_errno = errno;
904 if (errno == ERRNO_CHHEADER_FAIL)
906 string_sprintf("Failed to expand headers_add or headers_remove: %s",
907 expand_string_message);
908 else if (errno == ERRNO_FILTER_FAIL)
909 addr->message = string_sprintf("Transport filter process failed (%d)%s",
911 (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
912 else if (errno == ERRNO_WRITEINCOMPLETE)
913 addr->message = US"Failed repeatedly to write data";
915 addr->message = string_sprintf("Error %d", errno);
920 /* Wait for the child process to complete and take action if the returned
921 status is nonzero. The timeout will be just 1 second if any of the writes
924 if ((rc = child_close(pid, timeout)) != 0)
926 uschar * tmsg = addr->message
927 ? string_sprintf(" (preceded by %s)", addr->message) : US"";
929 /* The process did not complete in time; kill its process group and fail
930 the delivery. It appears to be necessary to kill the output process too, as
931 otherwise it hangs on for some time if the actual pipe process is sleeping.
932 (At least, that's what I observed on Solaris 2.5.1.) Since we are failing
933 the delivery, that shouldn't cause any problem. */
937 killpg(pid, SIGKILL);
938 kill(outpid, SIGKILL);
939 addr->transport_return = ob->timeout_defer? DEFER : FAIL;
940 addr->message = string_sprintf("pipe delivery process timed out%s", tmsg);
947 addr->transport_return = PANIC;
948 addr->message = string_sprintf("Wait() failed for child process of %s "
949 "transport: %s%s", tblock->name, strerror(errno), tmsg);
952 /* Since the transport_filter timed out we assume it has sent the child process
953 a malformed or incomplete data stream. Kill off the child process
954 and prevent checking its exit status as it will has probably exited in error.
955 This prevents the transport_filter timeout message from getting overwritten
956 by the exit error which is not the cause of the problem. */
958 else if (f.transport_filter_timed_out)
960 killpg(pid, SIGKILL);
961 kill(outpid, SIGKILL);
964 /* Either the process completed, but yielded a non-zero (necessarily
965 positive) status, or the process was terminated by a signal (rc will contain
966 the negation of the signal number). Treat killing by signal as failure unless
967 status is being ignored. By default, the message is bounced back, unless
968 freeze_signal is set, in which case it is frozen instead. */
972 if (ob->freeze_signal)
974 addr->transport_return = DEFER;
975 addr->special_action = SPECIAL_FREEZE;
976 addr->message = string_sprintf("Child process of %s transport (running "
977 "command \"%s\") was terminated by signal %d (%s)%s", tblock->name, cmd,
978 -rc, os_strsignal(-rc), tmsg);
980 else if (!ob->ignore_status)
982 addr->transport_return = FAIL;
983 addr->message = string_sprintf("Child process of %s transport (running "
984 "command \"%s\") was terminated by signal %d (%s)%s", tblock->name, cmd,
985 -rc, os_strsignal(-rc), tmsg);
989 /* For positive values (process terminated with non-zero status), we need a
990 status code to request deferral. A number of systems contain the following
993 #define EX_TEMPFAIL 75
997 EX_TEMPFAIL -- temporary failure, indicating something that
998 is not really an error. In sendmail, this means
999 that a mailer (e.g.) could not create a connection,
1000 and the request should be reattempted later.
1002 Based on this, we use exit code EX_TEMPFAIL as a default to mean "defer" when
1003 not ignoring the returned status. However, there is now an option that
1004 contains a list of temporary codes, with TEMPFAIL and CANTCREAT as defaults.
1006 Another case that needs special treatment is if execve() failed (typically
1007 the command that was given is a non-existent path). By default this is
1008 treated as just another failure, but if freeze_exec_fail is set, the reaction
1009 is to freeze the message rather than bounce the address. Exim used to signal
1010 this failure with EX_UNAVAILABLE, which is defined in many systems as
1012 #define EX_UNAVAILABLE 69
1014 with the description
1016 EX_UNAVAILABLE -- A service is unavailable. This can occur
1017 if a support program or file does not exist. This
1018 can also be used as a catchall message when something
1019 you wanted to do doesn't work, but you don't know why.
1021 However, this can be confused with a command that actually returns 69 because
1022 something *it* wanted is unavailable. At release 4.21, Exim was changed to
1023 use return code 127 instead, because this is what the shell returns when it
1024 is unable to exec a command. We define it as EX_EXECFAILED, and use it in
1025 child.c to signal execve() failure and other unexpected failures such as
1026 setuid() not working - though that won't be the case here because we aren't
1031 /* Always handle execve() failure specially if requested to */
1033 if (ob->freeze_exec_fail && rc == EX_EXECFAILED)
1035 addr->transport_return = DEFER;
1036 addr->special_action = SPECIAL_FREEZE;
1037 addr->message = string_sprintf("pipe process failed to exec \"%s\"%s",
1041 /* Otherwise take action only if not ignoring status */
1043 else if (!ob->ignore_status)
1048 /* If temp_errors is "*" all codes are temporary. Initialization checks
1049 that it's either "*" or a list of numbers. If not "*", scan the list of
1050 temporary failure codes; if any match, the result is DEFER. */
1052 if (ob->temp_errors[0] == '*')
1053 addr->transport_return = DEFER;
1057 const uschar *s = ob->temp_errors;
1061 addr->transport_return = FAIL;
1062 while ((p = string_nextinlist(&s,&sep,NULL,0)))
1063 if (rc == Uatoi(p)) { addr->transport_return = DEFER; break; }
1066 /* Ensure the message contains the expanded command and arguments. This
1067 doesn't have to be brilliantly efficient - it is an error situation. */
1069 addr->message = string_sprintf("Child process of %s transport returned "
1070 "%d", tblock->name, rc);
1071 g = string_cat(NULL, addr->message);
1073 /* If the return code is > 128, it often means that a shell command
1074 was terminated by a signal. */
1077 string_sprintf("(could mean shell command ended by signal %d (%s))",
1078 rc-128, os_strsignal(rc-128)) :
1083 g = string_catn(g, US" ", 1);
1084 g = string_cat (g, ss);
1087 /* Now add the command and arguments */
1089 g = string_catn(g, US" from command:", 14);
1091 for (int i = 0; i < sizeof(argv)/sizeof(int *) && argv[i] != NULL; i++)
1094 g = string_catn(g, US" ", 1);
1095 if (Ustrpbrk(argv[i], " \t") != NULL)
1098 g = string_catn(g, US"\"", 1);
1100 g = string_cat(g, argv[i]);
1102 g = string_catn(g, US"\"", 1);
1105 /* Add previous filter timeout message, if present. */
1108 g = string_cat(g, tmsg);
1110 addr->message = string_from_gstring(g);
1115 /* Ensure all subprocesses (in particular, the output handling process)
1116 are complete before we pass this point. */
1118 while (wait(&rc) >= 0);
1120 DEBUG(D_transport) debug_printf("%s transport yielded %d\n", tblock->name,
1121 addr->transport_return);
1123 /* If there has been a problem, the message in addr->message contains details
1124 of the pipe command. We don't want to expose these to the world, so we set up
1125 something bland to return to the sender. */
1127 if (addr->transport_return != OK)
1128 addr->user_message = US"local delivery failed";
1133 #endif /*!MACRO_PREDEF*/
1134 /* End of transport/pipe.c */