1 /* $Cambridge: exim/src/src/transports/pipe.c,v 1.15 2010/06/05 10:04:44 pdp Exp $ */
3 /*************************************************
4 * Exim - an Internet mail transport agent *
5 *************************************************/
7 /* Copyright (c) University of Cambridge 1995 - 2009 */
8 /* See the file NOTICE for conditions of use and distribution. */
14 #ifdef HAVE_SETCLASSRESOURCES
15 #include <login_cap.h>
20 /* Options specific to the pipe transport. They must be in alphabetic
21 order (note that "_" comes before the lower case letters). Those starting
22 with "*" are not settable by the user but are used by the option-reading
23 software for alternative value types. Some options are stored in the transport
24 instance block so as to be publicly visible; these are flagged with opt_public.
27 optionlist pipe_transport_options[] = {
28 { "allow_commands", opt_stringptr,
29 (void *)offsetof(pipe_transport_options_block, allow_commands) },
30 { "batch_id", opt_stringptr | opt_public,
31 (void *)offsetof(transport_instance, batch_id) },
32 { "batch_max", opt_int | opt_public,
33 (void *)offsetof(transport_instance, batch_max) },
34 { "check_string", opt_stringptr,
35 (void *)offsetof(pipe_transport_options_block, check_string) },
36 { "command", opt_stringptr,
37 (void *)offsetof(pipe_transport_options_block, cmd) },
38 { "environment", opt_stringptr,
39 (void *)offsetof(pipe_transport_options_block, environment) },
40 { "escape_string", opt_stringptr,
41 (void *)offsetof(pipe_transport_options_block, escape_string) },
42 { "freeze_exec_fail", opt_bool,
43 (void *)offsetof(pipe_transport_options_block, freeze_exec_fail) },
44 { "ignore_status", opt_bool,
45 (void *)offsetof(pipe_transport_options_block, ignore_status) },
46 { "log_defer_output", opt_bool | opt_public,
47 (void *)offsetof(transport_instance, log_defer_output) },
48 { "log_fail_output", opt_bool | opt_public,
49 (void *)offsetof(transport_instance, log_fail_output) },
50 { "log_output", opt_bool | opt_public,
51 (void *)offsetof(transport_instance, log_output) },
52 { "max_output", opt_mkint,
53 (void *)offsetof(pipe_transport_options_block, max_output) },
54 { "message_prefix", opt_stringptr,
55 (void *)offsetof(pipe_transport_options_block, message_prefix) },
56 { "message_suffix", opt_stringptr,
57 (void *)offsetof(pipe_transport_options_block, message_suffix) },
58 { "path", opt_stringptr,
59 (void *)offsetof(pipe_transport_options_block, path) },
60 { "permit_coredump", opt_bool,
61 (void *)offsetof(pipe_transport_options_block, permit_coredump) },
62 { "pipe_as_creator", opt_bool | opt_public,
63 (void *)offsetof(transport_instance, deliver_as_creator) },
64 { "restrict_to_path", opt_bool,
65 (void *)offsetof(pipe_transport_options_block, restrict_to_path) },
66 { "return_fail_output",opt_bool | opt_public,
67 (void *)offsetof(transport_instance, return_fail_output) },
68 { "return_output", opt_bool | opt_public,
69 (void *)offsetof(transport_instance, return_output) },
70 { "temp_errors", opt_stringptr,
71 (void *)offsetof(pipe_transport_options_block, temp_errors) },
72 { "timeout", opt_time,
73 (void *)offsetof(pipe_transport_options_block, timeout) },
74 { "timeout_defer", opt_bool,
75 (void *)offsetof(pipe_transport_options_block, timeout_defer) },
76 { "umask", opt_octint,
77 (void *)offsetof(pipe_transport_options_block, umask) },
78 { "use_bsmtp", opt_bool,
79 (void *)offsetof(pipe_transport_options_block, use_bsmtp) },
80 #ifdef HAVE_SETCLASSRESOURCES
81 { "use_classresources", opt_bool,
82 (void *)offsetof(pipe_transport_options_block, use_classresources) },
84 { "use_crlf", opt_bool,
85 (void *)offsetof(pipe_transport_options_block, use_crlf) },
86 { "use_shell", opt_bool,
87 (void *)offsetof(pipe_transport_options_block, use_shell) },
90 /* Size of the options list. An extern variable has to be used so that its
91 address can appear in the tables drtables.c. */
93 int pipe_transport_options_count =
94 sizeof(pipe_transport_options)/sizeof(optionlist);
96 /* Default private options block for the pipe transport. */
98 pipe_transport_options_block pipe_transport_option_defaults = {
100 NULL, /* allow_commands */
101 NULL, /* environment */
102 US"/bin:/usr/bin", /* path */
103 NULL, /* message_prefix (reset in init if not bsmtp) */
104 NULL, /* message_suffix (ditto) */
105 US mac_expanded_string(EX_TEMPFAIL) ":" /* temp_errors */
106 mac_expanded_string(EX_CANTCREAT),
107 NULL, /* check_string */
108 NULL, /* escape_string */
110 20480, /* max_output */
113 FALSE, /* freeze_exec_fail */
114 FALSE, /* ignore_status */
115 FALSE, /* permit_coredump */
116 FALSE, /* restrict_to_path */
117 FALSE, /* timeout_defer */
118 FALSE, /* use_shell */
119 FALSE, /* use_bsmtp */
120 FALSE, /* use_classresources */
126 /*************************************************
127 * Setup entry point *
128 *************************************************/
130 /* Called for each delivery in the privileged state, just before the uid/gid
131 are changed and the main entry point is called. In a system that supports the
132 login_cap facilities, this function is used to set the class resource limits
133 for the user. It may also re-enable coredumps.
136 tblock points to the transport instance
137 addrlist addresses about to be delivered (not used)
138 dummy not used (doesn't pass back data)
139 uid the uid that will be set (not used)
140 gid the gid that will be set (not used)
141 errmsg where to put an error message
143 Returns: OK, FAIL, or DEFER
147 pipe_transport_setup(transport_instance *tblock, address_item *addrlist,
148 transport_feedback *dummy, uid_t uid, gid_t gid, uschar **errmsg)
150 pipe_transport_options_block *ob =
151 (pipe_transport_options_block *)(tblock->options_block);
153 addrlist = addrlist; /* Keep compiler happy */
160 #ifdef HAVE_SETCLASSRESOURCES
161 if (ob->use_classresources)
163 struct passwd *pw = getpwuid(uid);
166 login_cap_t *lc = login_getpwclass(pw);
169 setclassresources(lc);
177 if (ob->permit_coredump)
180 rl.rlim_cur = RLIM_INFINITY;
181 rl.rlim_max = RLIM_INFINITY;
182 if (setrlimit(RLIMIT_CORE, &rl) < 0)
184 #ifdef SETRLIMIT_NOT_SUPPORTED
185 if (errno != ENOSYS && errno != ENOTSUP)
187 log_write(0, LOG_MAIN,
188 "delivery setrlimit(RLIMIT_CORE, RLIMI_INFINITY) failed: %s",
199 /*************************************************
200 * Initialization entry point *
201 *************************************************/
203 /* Called for each instance, after its options have been read, to
204 enable consistency checks to be done, or anything else that needs
208 pipe_transport_init(transport_instance *tblock)
210 pipe_transport_options_block *ob =
211 (pipe_transport_options_block *)(tblock->options_block);
213 /* Set up the setup entry point, to be called in the privileged state */
215 tblock->setup = pipe_transport_setup;
217 /* If pipe_as_creator is set, then uid/gid should not be set. */
219 if (tblock->deliver_as_creator && (tblock->uid_set || tblock->gid_set ||
220 tblock->expand_uid != NULL || tblock->expand_gid != NULL))
221 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
222 "both pipe_as_creator and an explicit uid/gid are set for the %s "
223 "transport", tblock->name);
225 /* If a fixed uid field is set, then a gid field must also be set. */
227 if (tblock->uid_set && !tblock->gid_set && tblock->expand_gid == NULL)
228 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
229 "user set without group for the %s transport", tblock->name);
231 /* Temp_errors must consist only of digits and colons, but there can be
232 spaces round the colons, so allow them too. */
234 if (ob->temp_errors != NULL && Ustrcmp(ob->temp_errors, "*") != 0)
236 size_t p = Ustrspn(ob->temp_errors, "0123456789: ");
237 if (ob->temp_errors[p] != 0)
238 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
239 "temp_errors must be a list of numbers or an asterisk for the %s "
240 "transport", tblock->name);
243 /* Only one of return_output/return_fail_output or log_output/log_fail_output
246 if (tblock->return_output && tblock->return_fail_output)
247 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
248 "both return_output and return_fail_output set for %s transport",
251 if (tblock->log_output && tblock->log_fail_output)
252 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
253 "both log_output and log_fail_output set for the %s transport",
256 /* If batch SMTP is set, force the check and escape strings, and arrange that
257 headers are also escaped. */
261 ob->check_string = US".";
262 ob->escape_string = US"..";
263 ob->options |= topt_escape_headers;
266 /* If not batch SMTP, and message_prefix or message_suffix are unset, insert
267 default values for them. */
271 if (ob->message_prefix == NULL) ob->message_prefix =
272 US"From ${if def:return_path{$return_path}{MAILER-DAEMON}} ${tod_bsdinbox}\n";
273 if (ob->message_suffix == NULL) ob->message_suffix = US"\n";
276 /* The restrict_to_path and use_shell options are incompatible */
278 if (ob->restrict_to_path && ob->use_shell)
279 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
280 "both restrict_to_path and use_shell set for %s transport",
283 /* The allow_commands and use_shell options are incompatible */
285 if (ob->allow_commands && ob->use_shell)
286 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
287 "both allow_commands and use_shell set for %s transport",
290 /* Set up the bitwise options for transport_write_message from the various
291 driver options. Only one of body_only and headers_only can be set. */
294 (tblock->body_only? topt_no_headers : 0) |
295 (tblock->headers_only? topt_no_body : 0) |
296 (tblock->return_path_add? topt_add_return_path : 0) |
297 (tblock->delivery_date_add? topt_add_delivery_date : 0) |
298 (tblock->envelope_to_add? topt_add_envelope_to : 0) |
299 (ob->use_crlf? topt_use_crlf : 0);
304 /*************************************************
305 * Set up direct (non-shell) command *
306 *************************************************/
308 /* This function is called when a command line is to be parsed by the transport
309 and executed directly, without the use of /bin/sh.
312 argvptr pointer to anchor for argv vector
313 cmd points to the command string
314 expand_arguments true if expansion is to occur
315 expand_fail error if expansion fails
316 addr chain of addresses
317 tname the transport name
318 ob the transport options block
320 Returns: TRUE if all went well; otherwise an error will be
321 set in the first address and FALSE returned
325 set_up_direct_command(uschar ***argvptr, uschar *cmd, BOOL expand_arguments,
326 int expand_fail, address_item *addr, uschar *tname,
327 pipe_transport_options_block *ob)
329 BOOL permitted = FALSE;
333 /* Set up "transport <name>" to be put in any error messages, and then
334 call the common function for creating an argument list and expanding
335 the items if necessary. If it fails, this function fails (error information
336 is in the addresses). */
338 sprintf(CS buffer, "%.50s transport", tname);
339 if (!transport_set_up_command(argvptr, cmd, expand_arguments, expand_fail,
343 /* Point to the set-up arguments. */
347 /* If allow_commands is set, see if the command is in the permitted list. */
349 if (ob->allow_commands != NULL)
355 s = expand_string(ob->allow_commands);
358 addr->transport_return = DEFER;
359 addr->message = string_sprintf("failed to expand string \"%s\" "
360 "for %s transport: %s", ob->allow_commands, tname, expand_string_message);
364 while ((p = string_nextinlist(&s, &sep, buffer, sizeof(buffer))) != NULL)
366 if (Ustrcmp(p, argv[0]) == 0) { permitted = TRUE; break; }
370 /* If permitted is TRUE it means the command was found in the allowed list, and
371 no further checks are done. If permitted = FALSE, it either means
372 allow_commands wasn't set, or that the command didn't match anything in the
373 list. In both cases, if restrict_to_path is set, we fail if the command
374 contains any slashes, but if restrict_to_path is not set, we must fail the
375 command only if allow_commands is set. */
379 if (ob->restrict_to_path)
381 if (Ustrchr(argv[0], '/') != NULL)
383 addr->transport_return = FAIL;
384 addr->message = string_sprintf("\"/\" found in \"%s\" (command for %s "
385 "transport) - failed for security reasons", cmd, tname);
390 else if (ob->allow_commands != NULL)
392 addr->transport_return = FAIL;
393 addr->message = string_sprintf("\"%s\" command not permitted by %s "
394 "transport", argv[0], tname);
399 /* If the command is not an absolute path, search the PATH directories
402 if (argv[0][0] != '/')
406 uschar *listptr = ob->path;
409 while ((p = string_nextinlist(&listptr, &sep, buffer, sizeof(buffer))) != NULL)
412 sprintf(CS big_buffer, "%.256s/%.256s", p, argv[0]);
413 if (Ustat(big_buffer, &statbuf) == 0)
415 argv[0] = string_copy(big_buffer);
421 addr->transport_return = FAIL;
422 addr->message = string_sprintf("\"%s\" command not found for %s transport",
432 /*************************************************
433 * Set up shell command *
434 *************************************************/
436 /* This function is called when a command line is to be passed to /bin/sh
437 without parsing inside the transport.
440 argvptr pointer to anchor for argv vector
441 cmd points to the command string
442 expand_arguments true if expansion is to occur
443 expand_fail error if expansion fails
444 addr chain of addresses
445 tname the transport name
447 Returns: TRUE if all went well; otherwise an error will be
448 set in the first address and FALSE returned
452 set_up_shell_command(uschar ***argvptr, uschar *cmd, BOOL expand_arguments,
453 int expand_fail, address_item *addr, uschar *tname)
457 *argvptr = argv = store_get((4)*sizeof(uschar *));
459 argv[0] = US"/bin/sh";
462 /* We have to take special action to handle the special "variable" called
463 $pipe_addresses, which is not recognized by the normal expansion function. */
466 debug_printf("shell pipe command before expansion:\n %s\n", cmd);
468 if (expand_arguments)
471 uschar *p = Ustrstr(cmd, "pipe_addresses");
474 (p > cmd && p[-1] == '$') ||
475 (p > cmd + 1 && p[-2] == '$' && p[-1] == '{' && p[14] == '}')))
479 int size = Ustrlen(cmd) + 64;
482 if (p[-1] == '{') { q++; p--; }
485 offset = p - cmd - 1;
486 Ustrncpy(s, cmd, offset);
488 for (ad = addr; ad != NULL; ad = ad->next)
490 if (ad != addr) string_cat(s, &size, &offset, US" ", 1);
491 string_cat(s, &size, &offset, ad->address, Ustrlen(ad->address));
494 string_cat(s, &size, &offset, q, Ustrlen(q));
498 /* Allow $recipients in the expansion iff it comes from a system filter */
500 enable_dollar_recipients = addr != NULL &&
501 addr->parent != NULL &&
502 Ustrcmp(addr->parent->address, "system-filter") == 0;
503 argv[2] = expand_string(s);
504 enable_dollar_recipients = FALSE;
508 addr->transport_return = search_find_defer? DEFER : expand_fail;
509 addr->message = string_sprintf("Expansion of command \"%s\" "
510 "in %s transport failed: %s",
511 cmd, tname, expand_string_message);
516 debug_printf("shell pipe command after expansion:\n %s\n", argv[2]);
520 argv[3] = (uschar *)0;
527 /*************************************************
529 *************************************************/
531 /* See local README for interface details. This transport always returns FALSE,
532 indicating that the status in the first address is the status for all addresses
536 pipe_transport_entry(
537 transport_instance *tblock, /* data for this instantiation */
538 address_item *addr) /* address(es) we are working on */
541 int fd_in, fd_out, rc;
545 pipe_transport_options_block *ob =
546 (pipe_transport_options_block *)(tblock->options_block);
547 int timeout = ob->timeout;
548 BOOL written_ok = FALSE;
549 BOOL expand_arguments;
552 uschar *envlist = ob->environment;
554 uschar *eol = (ob->use_crlf)? US"\r\n" : US"\n";
556 DEBUG(D_transport) debug_printf("%s transport entered\n", tblock->name);
558 /* Set up for the good case */
560 addr->transport_return = OK;
561 addr->basic_errno = 0;
563 /* Pipes are not accepted as general addresses, but they can be generated from
564 .forward files or alias files. In those cases, the pfr flag is set, and the
565 command to be obeyed is pointed to by addr->local_part; it starts with the pipe
566 symbol. In other cases, the command is supplied as one of the pipe transport's
569 if (testflag(addr, af_pfr) && addr->local_part[0] == '|')
571 cmd = addr->local_part + 1;
572 while (isspace(*cmd)) cmd++;
573 expand_arguments = testflag(addr, af_expand_pipe);
579 expand_arguments = TRUE;
583 /* If no command has been supplied, we are in trouble. */
587 addr->transport_return = DEFER;
588 addr->message = string_sprintf("no command specified for %s transport",
593 /* When a pipe is set up by a filter file, there may be values for $thisaddress
594 and numerical the variables in existence. These are passed in
595 addr->pipe_expandn for use here. */
597 if (expand_arguments && addr->pipe_expandn != NULL)
599 uschar **ss = addr->pipe_expandn;
601 if (*ss != NULL) filter_thisaddress = *ss++;
604 expand_nstring[++expand_nmax] = *ss;
605 expand_nlength[expand_nmax] = Ustrlen(*ss++);
609 /* The default way of processing the command is to split it up into arguments
610 here, and run it directly. This offers some security advantages. However, there
611 are installations that want by default to run commands under /bin/sh always, so
612 there is an option to do that. */
616 if (!set_up_shell_command(&argv, cmd, expand_arguments, expand_fail, addr,
617 tblock->name)) return FALSE;
619 else if (!set_up_direct_command(&argv, cmd, expand_arguments, expand_fail, addr,
620 tblock->name, ob)) return FALSE;
622 expand_nmax = -1; /* Reset */
623 filter_thisaddress = NULL;
625 /* Set up the environment for the command. */
627 envp[envcount++] = string_sprintf("LOCAL_PART=%s", deliver_localpart);
628 envp[envcount++] = string_sprintf("LOGNAME=%s", deliver_localpart);
629 envp[envcount++] = string_sprintf("USER=%s", deliver_localpart);
630 envp[envcount++] = string_sprintf("LOCAL_PART_PREFIX=%#s",
631 deliver_localpart_prefix);
632 envp[envcount++] = string_sprintf("LOCAL_PART_SUFFIX=%#s",
633 deliver_localpart_suffix);
634 envp[envcount++] = string_sprintf("DOMAIN=%s", deliver_domain);
635 envp[envcount++] = string_sprintf("HOME=%#s", deliver_home);
636 envp[envcount++] = string_sprintf("MESSAGE_ID=%s", message_id);
637 envp[envcount++] = string_sprintf("PATH=%s", ob->path);
638 envp[envcount++] = string_sprintf("RECIPIENT=%#s%#s%#s@%#s",
639 deliver_localpart_prefix, deliver_localpart, deliver_localpart_suffix,
641 envp[envcount++] = string_sprintf("QUALIFY_DOMAIN=%s", qualify_domain_sender);
642 envp[envcount++] = string_sprintf("SENDER=%s", sender_address);
643 envp[envcount++] = US"SHELL=/bin/sh";
645 if (addr->host_list != NULL)
646 envp[envcount++] = string_sprintf("HOST=%s", addr->host_list->name);
648 if (timestamps_utc) envp[envcount++] = US"TZ=UTC";
649 else if (timezone_string != NULL && timezone_string[0] != 0)
650 envp[envcount++] = string_sprintf("TZ=%s", timezone_string);
652 /* Add any requested items */
656 envlist = expand_string(envlist);
659 addr->transport_return = DEFER;
660 addr->message = string_sprintf("failed to expand string \"%s\" "
661 "for %s transport: %s", ob->environment, tblock->name,
662 expand_string_message);
667 while ((ss = string_nextinlist(&envlist, &envsep, big_buffer, big_buffer_size))
670 if (envcount > sizeof(envp)/sizeof(uschar *) - 2)
672 addr->transport_return = DEFER;
673 addr->message = string_sprintf("too many environment settings for "
674 "%s transport", tblock->name);
677 envp[envcount++] = string_copy(ss);
680 envp[envcount] = NULL;
682 /* If the -N option is set, can't do any more. */
687 debug_printf("*** delivery by %s transport bypassed by -N option",
693 /* Handling the output from the pipe is tricky. If a file for catching this
694 output is provided, we could in theory just hand that fd over to the process,
695 but this isn't very safe because it might loop and carry on writing for
696 ever (which is exactly what happened in early versions of Exim). Therefore we
697 use the standard child_open() function, which creates pipes. We can then read
698 our end of the output pipe and count the number of bytes that come through,
699 chopping the sub-process if it exceeds some limit.
701 However, this means we want to run a sub-process with both its input and output
702 attached to pipes. We can't handle that easily from a single parent process
703 using straightforward code such as the transport_write_message() function
704 because the subprocess might not be reading its input because it is trying to
705 write to a full output pipe. The complication of redesigning the world to
706 handle this is too great - simpler just to run another process to do the
707 reading of the output pipe. */
710 /* As this is a local transport, we are already running with the required
711 uid/gid and current directory. Request that the new process be a process group
712 leader, so we can kill it and all its children on a timeout. */
714 if ((pid = child_open(argv, envp, ob->umask, &fd_in, &fd_out, TRUE)) < 0)
716 addr->transport_return = DEFER;
717 addr->message = string_sprintf(
718 "Failed to create child process for %s transport: %s", tblock->name,
723 /* Now fork a process to handle the output that comes down the pipe. */
725 if ((outpid = fork()) < 0)
727 addr->basic_errno = errno;
728 addr->transport_return = DEFER;
729 addr->message = string_sprintf(
730 "Failed to create process for handling output in %s transport",
737 /* This is the code for the output-handling subprocess. Read from the pipe
738 in chunks, and write to the return file if one is provided. Keep track of
739 the number of bytes handled. If the limit is exceeded, try to kill the
740 subprocess group, and in any case close the pipe and exit, which should cause
741 the subprocess to fail. */
747 set_process_info("reading output from |%s", cmd);
748 while ((rc = read(fd_out, big_buffer, big_buffer_size)) > 0)
750 if (addr->return_file >= 0)
751 write(addr->return_file, big_buffer, rc);
753 if (count > ob->max_output)
755 uschar *message = US"\n\n*** Too much output - remainder discarded ***\n";
756 DEBUG(D_transport) debug_printf("Too much output from pipe - killed\n");
757 if (addr->return_file >= 0)
758 write(addr->return_file, message, Ustrlen(message));
759 killpg(pid, SIGKILL);
767 (void)close(fd_out); /* Not used in this process */
770 /* Carrying on now with the main parent process. Attempt to write the message
771 to it down the pipe. It is a fallacy to think that you can detect write errors
772 when the sub-process fails to read the pipe. The parent process may complete
773 writing and close the pipe before the sub-process completes. We could sleep a
774 bit here to let the sub-process get going, but it may still not complete. So we
775 ignore all writing errors. (When in the test harness, we do do a short sleep so
776 any debugging output is likely to be in the same order.) */
778 if (running_in_test_harness) millisleep(500);
780 DEBUG(D_transport) debug_printf("Writing message to pipe\n");
782 /* Arrange to time out writes if there is a timeout set. */
786 sigalrm_seen = FALSE;
787 transport_write_timeout = timeout;
790 /* Reset the counter of bytes written */
794 /* First write any configured prefix information */
796 if (ob->message_prefix != NULL)
798 uschar *prefix = expand_string(ob->message_prefix);
801 addr->transport_return = search_find_defer? DEFER : PANIC;
802 addr->message = string_sprintf("Expansion of \"%s\" (prefix for %s "
803 "transport) failed: %s", ob->message_prefix, tblock->name,
804 expand_string_message);
807 if (!transport_write_block(fd_in, prefix, Ustrlen(prefix)))
811 /* If the use_bsmtp option is set, we need to write SMTP prefix information.
812 The various different values for batching are handled outside; if there is more
813 than one address available here, all must be included. Force SMTP dot-handling.
820 if (!transport_write_string(fd_in, "MAIL FROM:<%s>%s", return_path, eol))
823 for (a = addr; a != NULL; a = a->next)
825 if (!transport_write_string(fd_in,
827 transport_rcpt_address(a, tblock->rcpt_include_affixes),
832 if (!transport_write_string(fd_in, "DATA%s", eol)) goto END_WRITE;
835 /* Now the actual message - the options were set at initialization time */
837 if (!transport_write_message(addr, fd_in, ob->options, 0, tblock->add_headers,
838 tblock->remove_headers, ob->check_string, ob->escape_string,
839 tblock->rewrite_rules, tblock->rewrite_existflags))
842 /* Now any configured suffix */
844 if (ob->message_suffix != NULL)
846 uschar *suffix = expand_string(ob->message_suffix);
849 addr->transport_return = search_find_defer? DEFER : PANIC;
850 addr->message = string_sprintf("Expansion of \"%s\" (suffix for %s "
851 "transport) failed: %s", ob->message_suffix, tblock->name,
852 expand_string_message);
855 if (!transport_write_block(fd_in, suffix, Ustrlen(suffix)))
859 /* If local_smtp, write the terminating dot. */
861 if (ob->use_bsmtp && !transport_write_string(fd_in, ".%s", eol))
864 /* Flag all writing completed successfully. */
868 /* Come here if there are errors during writing. */
872 /* OK, the writing is now all done. Close the pipe. */
876 /* Handle errors during writing. For timeouts, set the timeout for waiting for
877 the child process to 1 second. If the process at the far end of the pipe died
878 without reading all of it, we expect an EPIPE error, which should be ignored.
879 We used also to ignore WRITEINCOMPLETE but the writing function is now cleverer
880 at handling OS where the death of a pipe doesn't give EPIPE immediately. See
885 if (errno == ETIMEDOUT)
887 addr->message = string_sprintf("%stimeout while writing to pipe",
888 transport_filter_timed_out? "transport filter " : "");
889 addr->transport_return = ob->timeout_defer? DEFER : FAIL;
892 else if (errno == EPIPE)
894 debug_printf("transport error EPIPE ignored\n");
898 addr->transport_return = PANIC;
899 addr->basic_errno = errno;
900 if (errno == ERRNO_CHHEADER_FAIL)
902 string_sprintf("Failed to expand headers_add or headers_remove: %s",
903 expand_string_message);
904 else if (errno == ERRNO_FILTER_FAIL)
905 addr->message = string_sprintf("Transport filter process failed (%d)%s",
907 (addr->more_errno == EX_EXECFAILED)? ": unable to execute command" : "");
908 else if (errno == ERRNO_WRITEINCOMPLETE)
909 addr->message = string_sprintf("Failed repeatedly to write data");
911 addr->message = string_sprintf("Error %d", errno);
916 /* Wait for the child process to complete and take action if the returned
917 status is nonzero. The timeout will be just 1 second if any of the writes
920 if ((rc = child_close(pid, timeout)) != 0)
922 uschar *tmsg = (addr->message == NULL)? US"" :
923 string_sprintf(" (preceded by %s)", addr->message);
925 /* The process did not complete in time; kill its process group and fail
926 the delivery. It appears to be necessary to kill the output process too, as
927 otherwise it hangs on for some time if the actual pipe process is sleeping.
928 (At least, that's what I observed on Solaris 2.5.1.) Since we are failing
929 the delivery, that shouldn't cause any problem. */
933 killpg(pid, SIGKILL);
934 kill(outpid, SIGKILL);
935 addr->transport_return = ob->timeout_defer? DEFER : FAIL;
936 addr->message = string_sprintf("pipe delivery process timed out%s", tmsg);
943 addr->transport_return = PANIC;
944 addr->message = string_sprintf("Wait() failed for child process of %s "
945 "transport: %s%s", tblock->name, strerror(errno), tmsg);
948 /* Since the transport_filter timed out we assume it has sent the child process
949 a malformed or incomplete data stream. Kill off the child process
950 and prevent checking its exit status as it will has probably exited in error.
951 This prevents the transport_filter timeout message from getting overwritten
952 by the exit error which is not the cause of the problem. */
954 else if (transport_filter_timed_out)
956 killpg(pid, SIGKILL);
957 kill(outpid, SIGKILL);
960 /* Either the process completed, but yielded a non-zero (necessarily
961 positive) status, or the process was terminated by a signal (rc will contain
962 the negation of the signal number). Treat killing by signal as failure unless
963 status is being ignored. */
967 if (!ob->ignore_status)
969 addr->transport_return = FAIL;
970 addr->message = string_sprintf("Child process of %s transport (running "
971 "command \"%s\") was terminated by signal %d (%s)%s", tblock->name, cmd,
972 -rc, os_strsignal(-rc), tmsg);
976 /* For positive values (process terminated with non-zero status), we need a
977 status code to request deferral. A number of systems contain the following
980 #define EX_TEMPFAIL 75
984 EX_TEMPFAIL -- temporary failure, indicating something that
985 is not really an error. In sendmail, this means
986 that a mailer (e.g.) could not create a connection,
987 and the request should be reattempted later.
989 Based on this, we use exit code EX_TEMPFAIL as a default to mean "defer" when
990 not ignoring the returned status. However, there is now an option that
991 contains a list of temporary codes, with TEMPFAIL and CANTCREAT as defaults.
993 Another case that needs special treatment is if execve() failed (typically
994 the command that was given is a non-existent path). By default this is
995 treated as just another failure, but if freeze_exec_fail is set, the reaction
996 is to freeze the message rather than bounce the address. Exim used to signal
997 this failure with EX_UNAVAILABLE, which is definined in many systems as
999 #define EX_UNAVAILABLE 69
1001 with the description
1003 EX_UNAVAILABLE -- A service is unavailable. This can occur
1004 if a support program or file does not exist. This
1005 can also be used as a catchall message when something
1006 you wanted to do doesn't work, but you don't know why.
1008 However, this can be confused with a command that actually returns 69 because
1009 something *it* wanted is unavailable. At release 4.21, Exim was changed to
1010 use return code 127 instead, because this is what the shell returns when it
1011 is unable to exec a command. We define it as EX_EXECFAILED, and use it in
1012 child.c to signal execve() failure and other unexpected failures such as
1013 setuid() not working - though that won't be the case here because we aren't
1018 /* Always handle execve() failure specially if requested to */
1020 if (ob->freeze_exec_fail && (rc == EX_EXECFAILED))
1022 addr->transport_return = DEFER;
1023 addr->special_action = SPECIAL_FREEZE;
1024 addr->message = string_sprintf("pipe process failed to exec \"%s\"%s",
1028 /* Otherwise take action only if not ignoring status */
1030 else if (!ob->ignore_status)
1035 /* If temp_errors is "*" all codes are temporary. Initializion checks
1036 that it's either "*" or a list of numbers. If not "*", scan the list of
1037 temporary failure codes; if any match, the result is DEFER. */
1039 if (ob->temp_errors[0] == '*')
1040 addr->transport_return = DEFER;
1044 uschar *s = ob->temp_errors;
1049 addr->transport_return = FAIL;
1050 while ((p = string_nextinlist(&s,&sep,buffer,sizeof(buffer))) != NULL)
1052 if (rc == Uatoi(p)) { addr->transport_return = DEFER; break; }
1056 /* Ensure the message contains the expanded command and arguments. This
1057 doesn't have to be brilliantly efficient - it is an error situation. */
1059 addr->message = string_sprintf("Child process of %s transport returned "
1060 "%d", tblock->name, rc);
1062 ptr = Ustrlen(addr->message);
1065 /* If the return code is > 128, it often means that a shell command
1066 was terminated by a signal. */
1069 string_sprintf("(could mean shell command ended by signal %d (%s))",
1070 rc-128, os_strsignal(rc-128)) :
1075 addr->message = string_cat(addr->message, &size, &ptr, US" ", 1);
1076 addr->message = string_cat(addr->message, &size, &ptr,
1080 /* Now add the command and arguments */
1082 addr->message = string_cat(addr->message, &size, &ptr,
1083 US" from command:", 14);
1085 for (i = 0; i < sizeof(argv)/sizeof(int *) && argv[i] != NULL; i++)
1088 addr->message = string_cat(addr->message, &size, &ptr, US" ", 1);
1089 if (Ustrpbrk(argv[i], " \t") != NULL)
1092 addr->message = string_cat(addr->message, &size, &ptr, US"\"", 1);
1094 addr->message = string_cat(addr->message, &size, &ptr, argv[i],
1097 addr->message = string_cat(addr->message, &size, &ptr, US"\"", 1);
1100 /* Add previous filter timeout message, if present. */
1103 addr->message = string_cat(addr->message, &size, &ptr, tmsg,
1106 addr->message[ptr] = 0; /* Ensure concatenated string terminated */
1111 /* Ensure all subprocesses (in particular, the output handling process)
1112 are complete before we pass this point. */
1114 while (wait(&rc) >= 0);
1116 DEBUG(D_transport) debug_printf("%s transport yielded %d\n", tblock->name,
1117 addr->transport_return);
1119 /* If there has been a problem, the message in addr->message contains details
1120 of the pipe command. We don't want to expose these to the world, so we set up
1121 something bland to return to the sender. */
1123 if (addr->transport_return != OK)
1124 addr->user_message = US"local delivery failed";
1129 /* End of transport/pipe.c */
git://git.exim.org / exim.git / blob