[exim.git] / src / src / deliver.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) The Exim Maintainers 2020 - 2024 */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */

/* The main code for delivering a message. */


#include "exim.h"
#include "transports/smtp.h"
#include <sys/uio.h>
#include <assert.h>


/* Data block for keeping track of subprocesses for parallel remote
delivery. */

typedef struct pardata {
  address_item *addrlist;      /* chain of addresses */
  address_item *addr;          /* next address data expected for */
  pid_t pid;                   /* subprocess pid */
  int fd;                      /* pipe fd for getting result from subprocess */
  int transport_count;         /* returned transport count value */
  BOOL done;                   /* no more data needed */
  uschar *msg;                 /* error message */
  const uschar *return_path;   /* return_path for these addresses */
} pardata;

/* Values for the process_recipients variable */

enum { RECIP_ACCEPT, RECIP_IGNORE, RECIP_DEFER,
       RECIP_FAIL, RECIP_FAIL_FILTER, RECIP_FAIL_TIMEOUT,
       RECIP_FAIL_LOOP};

/* Mutually recursive functions for marking addresses done. */

static void child_done(address_item *, const uschar *);
static void address_done(address_item *, const uschar *);

/* Table for turning base-62 numbers into binary */

static uschar tab62[] =
          {0,1,2,3,4,5,6,7,8,9,0,0,0,0,0,0,     /* 0-9 */
           0,10,11,12,13,14,15,16,17,18,19,20,  /* A-K */
          21,22,23,24,25,26,27,28,29,30,31,32,  /* L-W */
          33,34,35, 0, 0, 0, 0, 0,              /* X-Z */
           0,36,37,38,39,40,41,42,43,44,45,46,  /* a-k */
          47,48,49,50,51,52,53,54,55,56,57,58,  /* l-w */
          59,60,61};                            /* x-z */


/*************************************************
*            Local static variables              *
*************************************************/

/* addr_duplicate is global because it needs to be seen from the Envelope-To
writing code. */

static address_item *addr_defer = NULL;
static address_item *addr_failed = NULL;
static address_item *addr_fallback = NULL;
static address_item *addr_local = NULL;
static address_item *addr_new = NULL;
static address_item *addr_remote = NULL;
static address_item *addr_route = NULL;
static address_item *addr_succeed = NULL;

static FILE *message_log = NULL;
static BOOL update_spool;
static BOOL remove_journal;
static int  parcount = 0;
static pardata *parlist = NULL;
static struct pollfd *parpoll;
static int  return_count;
static uschar *frozen_info = US"";
static const uschar * used_return_path = NULL;



/*************************************************
*          read as much as requested             *
*************************************************/

/* The syscall read(2) doesn't always returns as much as we want. For
several reasons it might get less. (Not talking about signals, as syscalls
are restartable). When reading from a network or pipe connection the sender
might send in smaller chunks, with delays between these chunks. The read(2)
may return such a chunk.

The more the writer writes and the smaller the pipe between write and read is,
the more we get the chance of reading leass than requested. (See bug 2130)

This function read(2)s until we got all the data we *requested*.

Note: This function may block. Use it only if you're sure about the
amount of data you will get.

Argument:
  fd          the file descriptor to read from
  buffer      pointer to a buffer of size len
  len         the requested(!) amount of bytes

Returns:      the amount of bytes read
*/
static ssize_t
readn(int fd, void * buffer, size_t len)
{
uschar * next = buffer;
uschar * end = next + len;

while (next < end)
  {
  ssize_t got = read(fd, next, end - next);

  /* I'm not sure if there are signals that can interrupt us,
  for now I assume the worst */
  if (got == -1 && errno == EINTR) continue;
  if (got <= 0) return next - US buffer;
  next += got;
  }

return len;
}


/*************************************************
*             Make a new address item            *
*************************************************/

/* This function gets the store and initializes with default values. The
transport_return value defaults to DEFER, so that any unexpected failure to
deliver does not wipe out the message. The default unique string is set to a
copy of the address, so that its domain can be lowercased.

Argument:
  address     the RFC822 address string
  copy        force a copy of the address

Returns:      a pointer to an initialized address_item
*/

address_item *
deliver_make_addr(const uschar * address, BOOL copy)
{
address_item * addr = store_get(sizeof(address_item), GET_UNTAINTED);
*addr = address_defaults;
if (copy) address = string_copy(address);
addr->address = address;
addr->unique = string_copy(address);
return addr;
}




/*************************************************
*     Set expansion values for an address        *
*************************************************/

/* Certain expansion variables are valid only when handling an address or
address list. This function sets them up or clears the values, according to its
argument.

Arguments:
  addr          the address in question, or NULL to clear values
Returns:        nothing
*/

void
deliver_set_expansions(address_item *addr)
{
if (!addr)
  {
  const uschar ***p = address_expansions;
  while (*p) **p++ = NULL;
  return;
  }

/* Exactly what gets set depends on whether there is one or more addresses, and
what they contain. These first ones are always set, taking their values from
the first address. */

if (!addr->host_list)
  {
  deliver_host = deliver_host_address = US"";
  deliver_host_port = 0;
  }
else
  {
  deliver_host = addr->host_list->name;
  deliver_host_address = addr->host_list->address;
  deliver_host_port = addr->host_list->port;
  }

deliver_recipients = addr;
deliver_address_data = addr->prop.address_data;
deliver_domain_data = addr->prop.domain_data;
deliver_localpart_data = addr->prop.localpart_data;
router_var = addr->prop.variables;

/* These may be unset for multiple addresses */

deliver_domain = addr->domain;
self_hostname = addr->self_hostname;

#ifdef EXPERIMENTAL_BRIGHTMAIL
bmi_deliver = 1;    /* deliver by default */
bmi_alt_location = NULL;
bmi_base64_verdict = NULL;
bmi_base64_tracker_verdict = NULL;
#endif

/* If there's only one address we can set everything. */

if (!addr->next)
  {
  address_item *addr_orig;

  deliver_localpart = addr->local_part;
  deliver_localpart_prefix = addr->prefix;
  deliver_localpart_prefix_v = addr->prefix_v;
  deliver_localpart_suffix = addr->suffix;
  deliver_localpart_suffix_v = addr->suffix_v;

  for (addr_orig = addr; addr_orig->parent; addr_orig = addr_orig->parent) ;
  deliver_domain_orig = addr_orig->domain;

  /* Re-instate any prefix and suffix in the original local part. In all
  normal cases, the address will have a router associated with it, and we can
  choose the caseful or caseless version accordingly. However, when a system
  filter sets up a pipe, file, or autoreply delivery, no router is involved.
  In this case, though, there won't be any prefix or suffix to worry about. */

  deliver_localpart_orig = !addr_orig->router
    ? addr_orig->local_part
    : addr_orig->router->caseful_local_part
    ? addr_orig->cc_local_part
    : addr_orig->lc_local_part;

  /* If there's a parent, make its domain and local part available, and if
  delivering to a pipe or file, or sending an autoreply, get the local
  part from the parent. For pipes and files, put the pipe or file string
  into address_pipe and address_file. */

  if (addr->parent)
    {
    deliver_domain_parent = addr->parent->domain;
    deliver_localpart_parent = !addr->parent->router
      ? addr->parent->local_part
      : addr->parent->router->caseful_local_part
      ? addr->parent->cc_local_part
      : addr->parent->lc_local_part;

    /* File deliveries have their own flag because they need to be picked out
    as special more often. */

    if (testflag(addr, af_pfr))
      {
      if (testflag(addr, af_file))          address_file = addr->local_part;
      else if (deliver_localpart[0] == '|') address_pipe = addr->local_part;
      deliver_localpart = addr->parent->local_part;
      deliver_localpart_prefix = addr->parent->prefix;
      deliver_localpart_prefix_v = addr->parent->prefix_v;
      deliver_localpart_suffix = addr->parent->suffix;
      deliver_localpart_suffix_v = addr->parent->suffix_v;
      }
    }

#ifdef EXPERIMENTAL_BRIGHTMAIL
    /* Set expansion variables related to Brightmail AntiSpam */
    bmi_base64_verdict = bmi_get_base64_verdict(deliver_localpart_orig, deliver_domain_orig);
    bmi_base64_tracker_verdict = bmi_get_base64_tracker_verdict(bmi_base64_verdict);
    /* get message delivery status (0 - don't deliver | 1 - deliver) */
    bmi_deliver = bmi_get_delivery_status(bmi_base64_verdict);
    /* if message is to be delivered, get eventual alternate location */
    if (bmi_deliver == 1)
      bmi_alt_location = bmi_get_alt_location(bmi_base64_verdict);
#endif

  }

/* For multiple addresses, don't set local part, and leave the domain and
self_hostname set only if it is the same for all of them. It is possible to
have multiple pipe and file addresses, but only when all addresses have routed
to the same pipe or file. */

else
  {
  if (testflag(addr, af_pfr))
    {
    if (testflag(addr, af_file))         address_file = addr->local_part;
    else if (addr->local_part[0] == '|') address_pipe = addr->local_part;
    }
  for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
    {
    if (deliver_domain && Ustrcmp(deliver_domain, addr2->domain) != 0)
      deliver_domain = NULL;
    if (  self_hostname
       && (  !addr2->self_hostname
          || Ustrcmp(self_hostname, addr2->self_hostname) != 0
       )  )
      self_hostname = NULL;
    if (!deliver_domain && !self_hostname) break;
    }
  }
}




/*************************************************
*                Open a msglog file              *
*************************************************/

/* This function is used both for normal message logs, and for files in the
msglog directory that are used to catch output from pipes. Try to create the
directory if it does not exist. From release 4.21, normal message logs should
be created when the message is received.

Called from deliver_message(), can be operating as root.

Argument:
  filename  the file name
  mode      the mode required
  error     used for saying what failed

Returns:    a file descriptor, or -1 (with errno set)
*/

static int
open_msglog_file(uschar *filename, int mode, uschar **error)
{
if (Ustrstr(filename, US"/../"))
  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
    "Attempt to open msglog file path with upward-traversal: '%s'\n", filename);

for (int i = 2; i > 0; i--)
  {
  int fd = Uopen(filename,
                EXIM_CLOEXEC | EXIM_NOFOLLOW | O_WRONLY|O_APPEND|O_CREAT, mode);
  if (fd >= 0)
    {
    /* Set the close-on-exec flag and change the owner to the exim uid/gid (this
    function is called as root). Double check the mode, because the group setting
    doesn't always get set automatically. */

#ifndef O_CLOEXEC
    (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
#endif
    if (exim_fchown(fd, exim_uid, exim_gid, filename) < 0)
      {
      *error = US"chown";
      return -1;
      }
    if (fchmod(fd, mode) < 0)
      {
      *error = US"chmod";
      return -1;
      }
    return fd;
    }
  if (errno != ENOENT)
    break;

  (void)directory_make(spool_directory,
                        spool_sname(US"msglog", message_subdir),
                        MSGLOG_DIRECTORY_MODE, TRUE);
  }

*error = US"create or open";
return -1;
}




/*************************************************
*           Write to msglog if required          *
*************************************************/

/* Write to the message log, if configured. This function may also be called
from transports.

Arguments:
  format       a string format

Returns:       nothing
*/

void
deliver_msglog(const char *format, ...)
{
va_list ap;
if (!message_logs) return;
va_start(ap, format);
vfprintf(message_log, format, ap);
fflush(message_log);
va_end(ap);
}




/*************************************************
*            Replicate status for batch          *
*************************************************/

/* When a transport handles a batch of addresses, it may treat them
individually, or it may just put the status in the first one, and return FALSE,
requesting that the status be copied to all the others externally. This is the
replication function. As well as the status, it copies the transport pointer,
which may have changed if appendfile passed the addresses on to a different
transport.

Argument:    pointer to the first address in a chain
Returns:     nothing
*/

static void
replicate_status(address_item *addr)
{
for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
  {
  addr2->transport =        addr->transport;
  addr2->transport_return = addr->transport_return;
  addr2->basic_errno =      addr->basic_errno;
  addr2->more_errno =       addr->more_errno;
  addr2->delivery_time =    addr->delivery_time;
  addr2->special_action =   addr->special_action;
  addr2->message =          addr->message;
  addr2->user_message =     addr->user_message;
  }
}



/*************************************************
*              Compare lists of hosts            *
*************************************************/

/* This function is given two pointers to chains of host items, and it yields
TRUE if the lists refer to the same hosts in the same order, except that

(1) Multiple hosts with the same non-negative MX values are permitted to appear
    in different orders. Round-robinning nameservers can cause this to happen.

(2) Multiple hosts with the same negative MX values less than MX_NONE are also
    permitted to appear in different orders. This is caused by randomizing
    hosts lists.

This enables Exim to use a single SMTP transaction for sending to two entirely
different domains that happen to end up pointing at the same hosts.

We do not try to batch up different A-record host names that refer to the
same IP.

Arguments:
  one       points to the first host list
  two       points to the second host list

Returns:    TRUE if the lists refer to the same host set
*/

static BOOL
same_hosts(host_item *one, host_item *two)
{
while (one && two)
  {
  if (Ustrcmp(one->name, two->name) != 0)
    {
    int mx = one->mx;
    host_item *end_one = one;
    host_item *end_two = two;

    /* Batch up only if there was no MX and the list was not randomized */

    if (mx == MX_NONE) return FALSE;

    /* Find the ends of the shortest sequence of identical MX values */

    while (  end_one->next && end_one->next->mx == mx
          && end_two->next && end_two->next->mx == mx)
      {
      end_one = end_one->next;
      end_two = end_two->next;
      }

    /* If there aren't any duplicates, there's no match. */

    if (end_one == one) return FALSE;

    /* For each host in the 'one' sequence, check that it appears in the 'two'
    sequence, returning FALSE if not. */

    for (;;)
      {
      host_item *hi;
      for (hi = two; hi != end_two->next; hi = hi->next)
        if (Ustrcmp(one->name, hi->name) == 0) break;
      if (hi == end_two->next) return FALSE;
      if (one == end_one) break;
      one = one->next;
      }

    /* All the hosts in the 'one' sequence were found in the 'two' sequence.
    Ensure both are pointing at the last host, and carry on as for equality. */

    two = end_two;
    }

  /* if the names matched but ports do not, mismatch */
  else if (one->port != two->port)
    return FALSE;

#ifdef SUPPORT_DANE
  /* DNSSEC equality */
  if (one->dnssec != two->dnssec) return FALSE;
#endif

  /* Hosts matched */
  one = one->next;
  two = two->next;
  }

/* True if both are NULL */

return (one == two);
}



/*************************************************
*              Compare header lines              *
*************************************************/

/* This function is given two pointers to chains of header items, and it yields
TRUE if they are the same header texts in the same order.

Arguments:
  one       points to the first header list
  two       points to the second header list

Returns:    TRUE if the lists refer to the same header set
*/

static BOOL
same_headers(header_line *one, header_line *two)
{
for (;; one = one->next, two = two->next)
  {
  if (one == two) return TRUE;   /* Includes the case where both NULL */
  if (!one || !two) return FALSE;
  if (Ustrcmp(one->text, two->text) != 0) return FALSE;
  }
}



/*************************************************
*            Compare string settings             *
*************************************************/

/* This function is given two pointers to strings, and it returns
TRUE if they are the same pointer, or if the two strings are the same.

Arguments:
  one       points to the first string
  two       points to the second string

Returns:    TRUE or FALSE
*/

static BOOL
same_strings(const uschar * one, const uschar * two)
{
if (one == two) return TRUE;   /* Includes the case where both NULL */
if (!one || !two) return FALSE;
return (Ustrcmp(one, two) == 0);
}



/*************************************************
*        Compare uid/gid for addresses           *
*************************************************/

/* This function is given a transport and two addresses. It yields TRUE if the
uid/gid/initgroups settings for the two addresses are going to be the same when
they are delivered.

Arguments:
  tp            the transort
  addr1         the first address
  addr2         the second address

Returns:        TRUE or FALSE
*/

static BOOL
same_ugid(transport_instance *tp, address_item *addr1, address_item *addr2)
{
if (  !tp->uid_set && !tp->expand_uid
   && !tp->deliver_as_creator
   && (  testflag(addr1, af_uid_set) != testflag(addr2, af_gid_set)
      || (  testflag(addr1, af_uid_set)
         && (  addr1->uid != addr2->uid
            || testflag(addr1, af_initgroups) != testflag(addr2, af_initgroups)
   )  )  )  )
  return FALSE;

if (  !tp->gid_set && !tp->expand_gid
   && (  testflag(addr1, af_gid_set) != testflag(addr2, af_gid_set)
      || (  testflag(addr1, af_gid_set)
         && addr1->gid != addr2->gid
   )  )  )
  return FALSE;

return TRUE;
}




/*************************************************
*      Record that an address is complete        *
*************************************************/

/* This function records that an address is complete. This is straightforward
for most addresses, where the unique address is just the full address with the
domain lower cased. For homonyms (addresses that are the same as one of their
ancestors) their are complications. Their unique addresses have \x\ prepended
(where x = 0, 1, 2...), so that de-duplication works correctly for siblings and
cousins.

Exim used to record the unique addresses of homonyms as "complete". This,
however, fails when the pattern of redirection varies over time (e.g. if taking
unseen copies at only some times of day) because the prepended numbers may vary
from one delivery run to the next. This problem is solved by never recording
prepended unique addresses as complete. Instead, when a homonymic address has
actually been delivered via a transport, we record its basic unique address
followed by the name of the transport. This is checked in subsequent delivery
runs whenever an address is routed to a transport.

If the completed address is a top-level one (has no parent, which means it
cannot be homonymic) we also add the original address to the non-recipients
tree, so that it gets recorded in the spool file and therefore appears as
"done" in any spool listings. The original address may differ from the unique
address in the case of the domain.

Finally, this function scans the list of duplicates, marks as done any that
match this address, and calls child_done() for their ancestors.

Arguments:
  addr        address item that has been completed
  now         current time as a string

Returns:      nothing
*/

static void
address_done(address_item * addr, const uschar * now)
{
update_spool = TRUE;        /* Ensure spool gets updated */

/* Top-level address */

if (!addr->parent)
  {
  tree_add_nonrecipient(addr->unique);
  tree_add_nonrecipient(addr->address);
  }

/* Homonymous child address */

else if (testflag(addr, af_homonym))
  {
  if (addr->transport)
    tree_add_nonrecipient(
      string_sprintf("%s/%s", addr->unique + 3, addr->transport->name));
  }

/* Non-homonymous child address */

else tree_add_nonrecipient(addr->unique);

/* Check the list of duplicate addresses and ensure they are now marked
done as well. */

for (address_item * dup = addr_duplicate; dup; dup = dup->next)
  if (Ustrcmp(addr->unique, dup->unique) == 0)
    {
    tree_add_nonrecipient(dup->unique);
    child_done(dup, now);
    }
}




/*************************************************
*      Decrease counts in parents and mark done  *
*************************************************/

/* This function is called when an address is complete. If there is a parent
address, its count of children is decremented. If there are still other
children outstanding, the function exits. Otherwise, if the count has become
zero, address_done() is called to mark the parent and its duplicates complete.
Then loop for any earlier ancestors.

Arguments:
  addr      points to the completed address item
  now       the current time as a string, for writing to the message log

Returns:    nothing
*/

static void
child_done(address_item * addr, const uschar * now)
{
while (addr->parent)
  {
  address_item * aa;

  addr = addr->parent;
  if (--addr->child_count > 0) return;   /* Incomplete parent */
  address_done(addr, now);

  /* Log the completion of all descendents only when there is no ancestor with
  the same original address. */

  for (aa = addr->parent; aa; aa = aa->parent)
    if (Ustrcmp(aa->address, addr->address) == 0) break;
  if (aa) continue;

  deliver_msglog("%s %s: children all complete\n", now, addr->address);
  DEBUG(D_deliver) debug_printf("%s: children all complete\n", addr->address);
  }
}



/*************************************************
*      Delivery logging support functions        *
*************************************************/

/* The LOGGING() checks in d_log_interface() are complicated for backwards
compatibility. When outgoing interface logging was originally added, it was
conditional on just incoming_interface (which is off by default). The
outgoing_interface option is on by default to preserve this behaviour, but
you can enable incoming_interface and disable outgoing_interface to get I=
fields on incoming lines only.

Arguments:
  g         The log line
  addr      The address to be logged

Returns:    New value for s
*/

static gstring *
d_log_interface(gstring * g)
{
if (LOGGING(incoming_interface) && LOGGING(outgoing_interface)
    && sending_ip_address)
  {
  g = string_fmt_append(g, " I=[%s]", sending_ip_address);
  if (LOGGING(outgoing_port))
    g = string_fmt_append(g, ":%d", sending_port);
  }
return g;
}



static gstring *
d_hostlog(gstring * g, address_item * addr)
{
host_item * h = addr->host_used;

g = string_append(g, 2, US" H=", h->name);

if (LOGGING(dnssec) && h->dnssec == DS_YES)
  g = string_catn(g, US" DS", 3);

g = string_append(g, 3, US" [", h->address, US"]");

if (LOGGING(outgoing_port))
  g = string_fmt_append(g, ":%d", h->port);

if (testflag(addr, af_cont_conn))
  g = string_catn(g, US"*", 1);

#ifdef SUPPORT_SOCKS
if (LOGGING(proxy) && proxy_local_address)
  {
  g = string_append(g, 3, US" PRX=[", proxy_local_address, US"]");
  if (LOGGING(outgoing_port))
    g = string_fmt_append(g, ":%d", proxy_local_port);
  }
#endif

g = d_log_interface(g);

if (testflag(addr, af_tcp_fastopen))
  g = string_catn(g, US" TFO*", testflag(addr, af_tcp_fastopen_data) ? 5 : 4);

return g;
}





#ifndef DISABLE_TLS
static gstring *
d_tlslog(gstring * g, address_item * addr)
{
if (LOGGING(tls_cipher) && addr->cipher)
  {
  g = string_append(g, 2, US" X=", addr->cipher);
#ifndef DISABLE_TLS_RESUME
  if (LOGGING(tls_resumption) && testflag(addr, af_tls_resume))
    g = string_catn(g, US"*", 1);
#endif
  }
if (LOGGING(tls_certificate_verified) && addr->cipher)
  g = string_append(g, 2, US" CV=",
    testflag(addr, af_cert_verified)
    ?
#ifdef SUPPORT_DANE
      testflag(addr, af_dane_verified)
    ? "dane"
    :
#endif
      "yes"
    : "no");
if (LOGGING(tls_peerdn) && addr->peerdn)
  g = string_append(g, 3, US" DN=\"", string_printing(addr->peerdn), US"\"");
return g;
}
#endif




#ifndef DISABLE_EVENT
/* Distribute a named event to any listeners.

Args:   action  config option specifying listener
        event   name of the event
        ev_data associated data for the event
        errnop  pointer to errno for modification, or null

Return: string expansion from listener, or NULL
*/

uschar *
event_raise(const uschar * action, const uschar * event, const uschar * ev_data,
  int * errnop)
{
const uschar * s;
if (action)
  {
  DEBUG(D_deliver)
    debug_printf("Event(%s): event_action=|%s| delivery_IP=%s\n",
      event,
      action, deliver_host_address);

  event_name = event;
  event_data = ev_data;

  if (!(s = expand_cstring(action)) && *expand_string_message)
    log_write(0, LOG_MAIN|LOG_PANIC,
      "failed to expand event_action %s in %s: %s\n",
      event, transport_name ? transport_name : US"main", expand_string_message);

  event_name = event_data = NULL;

  /* If the expansion returns anything but an empty string, flag for
  the caller to modify his normal processing.  Copy the string to
  de-const it.
  */
  if (s && *s)
    {
    DEBUG(D_deliver)
      debug_printf("Event(%s): event_action returned \"%s\"\n", event, s);
    if (errnop)
      *errnop = ERRNO_EVENT;
    return string_copy(s);
    }
  }
return NULL;
}

void
msg_event_raise(const uschar * event, const address_item * addr)
{
const uschar * save_domain = deliver_domain;
const uschar * save_local =  deliver_localpart;
const uschar * save_host = deliver_host;
const uschar * save_address = deliver_host_address;
const uschar * save_rn = router_name;
uschar * save_tn = transport_name;
const int      save_port =   deliver_host_port;

router_name =    addr->router ? addr->router->drinst.name : NULL;
deliver_domain = addr->domain;
deliver_localpart = addr->local_part;
deliver_host =   addr->host_used ? addr->host_used->name : NULL;

if (!addr->transport)
  {
  if (Ustrcmp(event, "msg:fail:delivery") == 0)
    {
     /* An address failed with no transport involved. This happens when
     a filter was used which triggered a fail command (in such a case
     a transport isn't needed).  Convert it to an internal fail event. */

    (void) event_raise(event_action, US"msg:fail:internal", addr->message, NULL);
    }
  }
else
  {
  transport_name = addr->transport->name;

  (void) event_raise(addr->transport->event_action, event,
            addr->host_used
            || Ustrcmp(addr->transport->driver_name, "smtp") == 0
            || Ustrcmp(addr->transport->driver_name, "lmtp") == 0
            || Ustrcmp(addr->transport->driver_name, "autoreply") == 0
           ? addr->message : NULL,
           NULL);
  }

deliver_host_port =    save_port;
deliver_host_address = save_address;
deliver_host =      save_host;
deliver_localpart = save_local;
deliver_domain =    save_domain;
router_name = save_rn;
transport_name = save_tn;
}
#endif  /*DISABLE_EVENT*/



/******************************************************************************/


/*************************************************
*        Generate local part for logging         *
*************************************************/

static const uschar *
string_get_lpart_sub(const address_item * addr, const uschar * s)
{
#ifdef SUPPORT_I18N
if (testflag(addr, af_utf8_downcvt))
  {
  const uschar * t = string_localpart_utf8_to_alabel(s, NULL);
  return t ? t : s;     /* t is NULL on a failed conversion */
  }
#endif
return s;
}

/* This function is a subroutine for use in string_log_address() below.

Arguments:
  addr        the address being logged
  yield       the current dynamic buffer pointer

Returns:      the new value of the buffer pointer
*/

static gstring *
string_get_localpart(address_item * addr, gstring * yield)
{
const uschar * s;

if (testflag(addr, af_include_affixes) && (s = addr->prefix))
  yield = string_cat(yield, string_get_lpart_sub(addr, s));

yield = string_cat(yield, string_get_lpart_sub(addr, addr->local_part));

if (testflag(addr, af_include_affixes) && (s = addr->suffix))
  yield = string_cat(yield, string_get_lpart_sub(addr, s));

return yield;
}


/*************************************************
*          Generate log address list             *
*************************************************/

/* This function generates a list consisting of an address and its parents, for
use in logging lines. For saved onetime aliased addresses, the onetime parent
field is used. If the address was delivered by a transport with rcpt_include_
affixes set, the af_include_affixes bit will be set in the address. In that
case, we include the affixes here too.

Arguments:
  g             points to growing-string struct
  addr          bottom (ultimate) address
  all_parents   if TRUE, include all parents
  success       TRUE for successful delivery

Returns:        a growable string in dynamic store
*/

static gstring *
string_log_address(gstring * g,
  address_item *addr, BOOL all_parents, BOOL success)
{
BOOL add_topaddr = TRUE;
address_item *topaddr;

/* Find the ultimate parent */

for (topaddr = addr; topaddr->parent; topaddr = topaddr->parent) ;

/* We start with just the local part for pipe, file, and reply deliveries, and
for successful local deliveries from routers that have the log_as_local flag
set. File deliveries from filters can be specified as non-absolute paths in
cases where the transport is going to complete the path. If there is an error
before this happens (expansion failure) the local part will not be updated, and
so won't necessarily look like a path. Add extra text for this case. */

if (  testflag(addr, af_pfr)
   || (  success
      && addr->router && addr->router->log_as_local
      && addr->transport && addr->transport->info->local
   )  )
  {
  if (testflag(addr, af_file) && addr->local_part[0] != '/')
    g = string_catn(g, CUS"save ", 5);
  g = string_get_localpart(addr, g);
  }

/* Other deliveries start with the full address. It we have split it into local
part and domain, use those fields. Some early failures can happen before the
splitting is done; in those cases use the original field. */

else
  {
  uschar * cmp;
  int off = gstring_length(g);  /* start of the "full address" */

  if (addr->local_part)
    {
    const uschar * s;
    g = string_get_localpart(addr, g);
    g = string_catn(g, US"@", 1);
    s = addr->domain;
#ifdef SUPPORT_I18N
    if (testflag(addr, af_utf8_downcvt))
      s = string_localpart_utf8_to_alabel(s, NULL);
#endif
    g = string_cat(g, s);
    }
  else
    g = string_cat(g, addr->address);

  /* If the address we are going to print is the same as the top address,
  and all parents are not being included, don't add on the top address. First
  of all, do a caseless comparison; if this succeeds, do a caseful comparison
  on the local parts. */

  cmp = g->s + off;             /* only now, as rebuffer likely done */
  string_from_gstring(g);       /* ensure nul-terminated */
  if (  strcmpic(cmp, topaddr->address) == 0
     && Ustrncmp(cmp, topaddr->address, Ustrchr(cmp, '@') - cmp) == 0
     && !addr->onetime_parent
     && (!all_parents || !addr->parent || addr->parent == topaddr)
     )
    add_topaddr = FALSE;
  }

/* If all parents are requested, or this is a local pipe/file/reply, and
there is at least one intermediate parent, show it in brackets, and continue
with all of them if all are wanted. */

if (  (all_parents || testflag(addr, af_pfr))
   && addr->parent
   && addr->parent != topaddr)
  {
  uschar *s = US" (";
  for (address_item * addr2 = addr->parent; addr2 != topaddr; addr2 = addr2->parent)
    {
    g = string_catn(g, s, 2);
    g = string_cat (g, addr2->address);
    if (!all_parents) break;
    s = US", ";
    }
  g = string_catn(g, US")", 1);
  }

/* Add the top address if it is required */

if (add_topaddr)
  g = string_append(g, 3,
    US" <",
    addr->onetime_parent ? addr->onetime_parent : topaddr->address,
    US">");

return g;
}



/******************************************************************************/



/* If msg is NULL this is a delivery log and logchar is used. Otherwise
this is a nonstandard call; no two-character delivery flag is written
but sender-host and sender are prefixed and "msg" is inserted in the log line.

Arguments:
  flags         passed to log_write()
*/
void
delivery_log(int flags, address_item * addr, int logchar, uschar * msg)
{
gstring * g; /* Used for a temporary, expanding buffer, for building log lines  */
rmark reset_point;

/* Log the delivery on the main log. We use an extensible string to build up
the log line, and reset the store afterwards. Remote deliveries should always
have a pointer to the host item that succeeded; local deliveries can have a
pointer to a single host item in their host list, for use by the transport. */

#ifndef DISABLE_EVENT
  /* presume no successful remote delivery */
  lookup_dnssec_authenticated = NULL;
#endif

reset_point = store_mark();
g = string_get_tainted(256, GET_TAINTED);       /* addrs will be tainted, so avoid copy */

if (msg)
  g = string_append(g, 2, host_and_ident(TRUE), US" ");
else
  {
  g->s[0] = logchar; g->ptr = 1;
  g = string_catn(g, US"> ", 2);
  }
g = string_log_address(g, addr, LOGGING(all_parents), TRUE);

if (LOGGING(sender_on_delivery) || msg)
  g = string_append(g, 3, US" F=<",
#ifdef SUPPORT_I18N
    testflag(addr, af_utf8_downcvt)
    ? string_address_utf8_to_alabel(sender_address, NULL)
    :
#endif
      sender_address,
  US">");

if (*queue_name)
  g = string_append(g, 2, US" Q=", queue_name);

/* You might think that the return path must always be set for a successful
delivery; indeed, I did for some time, until this statement crashed. The case
when it is not set is for a delivery to /dev/null which is optimised by not
being run at all. */

if (used_return_path && LOGGING(return_path_on_delivery))
  g = string_append(g, 3, US" P=<", used_return_path, US">");

if (msg)
  g = string_append(g, 2, US" ", msg);

/* For a delivery from a system filter, there may not be a router */
if (addr->router)
  g = string_append(g, 2, US" R=", addr->router->drinst.name);

g = string_append(g, 2, US" T=", addr->transport->name);

if (LOGGING(delivery_size))
  g = string_fmt_append(g, " S=%d", transport_count);

/* Local delivery */

if (addr->transport->info->local)
  {
  if (addr->host_list)
    g = string_append(g, 2, US" H=", addr->host_list->name);
  g = d_log_interface(g);
  if (addr->shadow_message)
    g = string_cat(g, addr->shadow_message);
  }

/* Remote delivery */

else
  {
  if (addr->host_used)
    {
    g = d_hostlog(g, addr);

#ifndef DISABLE_EVENT
    deliver_host_address = addr->host_used->address;
    deliver_host_port =    addr->host_used->port;
    deliver_host =         addr->host_used->name;

    /* DNS lookup status */
    lookup_dnssec_authenticated = addr->host_used->dnssec==DS_YES ? US"yes"
                              : addr->host_used->dnssec==DS_NO ? US"no"
                              : NULL;
#endif
    }

#ifndef DISABLE_TLS
  g = d_tlslog(g, addr);
#endif

  if (addr->authenticator)
    {
    g = string_append(g, 2, US" A=", addr->authenticator);
    if (addr->auth_id)
      {
      g = string_append(g, 2, US":", addr->auth_id);
      if (LOGGING(smtp_mailauth) && addr->auth_sndr)
        g = string_append(g, 2, US":", addr->auth_sndr);
      }
    }

  if (LOGGING(pipelining))
    {
    if (testflag(addr, af_pipelining))
      g = string_catn(g, US" L", 2);
#ifndef DISABLE_PIPE_CONNECT
    if (testflag(addr, af_early_pipe))
      g = string_catn(g, US"*", 1);
#endif
    }

#ifndef DISABLE_PRDR
  if (testflag(addr, af_prdr_used))
    g = string_catn(g, US" PRDR", 5);
#endif

  if (testflag(addr, af_chunking_used))
    g = string_catn(g, US" K", 2);
  }

#ifndef DISABLE_DKIM
  if (addr->dkim_used && LOGGING(dkim_verbose))
    {
    g = string_catn(g, US" DKIM=", 6);
    g = string_cat(g, addr->dkim_used);
    }
#endif

/* confirmation message (SMTP (host_used) and LMTP (driver_name)) */

if (  LOGGING(smtp_confirmation)
   && addr->message
   && (addr->host_used || Ustrcmp(addr->transport->driver_name, "lmtp") == 0)
   )
  {
  unsigned lim = big_buffer_size < 1024 ? big_buffer_size : 1024;
  uschar *p = big_buffer;
  uschar *ss = addr->message;
  *p++ = '\"';
  for (int i = 0; i < lim && ss[i] != 0; i++)   /* limit logged amount */
    {
    if (ss[i] == '\"' || ss[i] == '\\') *p++ = '\\'; /* quote \ and " */
    *p++ = ss[i];
    }
  *p++ = '\"';
  *p = 0;
  g = string_append(g, 2, US" C=", big_buffer);
  }

/* Time on queue and actual time taken to deliver */

if (LOGGING(queue_time))
  g = string_append(g, 2, US" QT=", string_timesince(
    LOGGING(queue_time_exclusive) ? &received_time_complete : &received_time));

if (LOGGING(deliver_time))
  g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));

/* string_cat() always leaves room for the terminator. Release the
store we used to build the line after writing it. */

log_write(0, flags, "%Y", g);

#ifndef DISABLE_EVENT
if (!msg) msg_event_raise(US"msg:delivery", addr);
#endif

store_reset(reset_point);
return;
}



static void
deferral_log(address_item * addr, uschar * now,
  int logflags, uschar * driver_name, uschar * driver_kind)
{
rmark reset_point = store_mark();
gstring * g = string_get(256);

/* Build up the line that is used for both the message log and the main
log. */

/* Create the address string for logging. Must not do this earlier, because
an OK result may be changed to FAIL when a pipe returns text. */

g = string_log_address(g, addr, LOGGING(all_parents), FALSE);

if (*queue_name)
  g = string_append(g, 2, US" Q=", queue_name);

/* Either driver_name contains something and driver_kind contains
" router" or " transport" (note the leading space), or driver_name is
a null string and driver_kind contains "routing" without the leading
space, if all routing has been deferred. When a domain has been held,
so nothing has been done at all, both variables contain null strings. */

if (driver_name)
  {
  if (driver_kind[1] == 't' && addr->router)
    g = string_append(g, 2, US" R=", addr->router->drinst.name);
  g = string_fmt_append(g, " %c=%s", toupper(driver_kind[1]), driver_name);
  }
else if (driver_kind)
  g = string_append(g, 2, US" ", driver_kind);

g = string_fmt_append(g, " defer (%d)", addr->basic_errno);

if (addr->basic_errno > 0)
  g = string_append(g, 2, US": ", US strerror(addr->basic_errno));

if (addr->host_used)
  g = d_hostlog(g, addr);

if (LOGGING(deliver_time))
  g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));

if (addr->message)
  g = string_append(g, 2, US": ", addr->message);

/* Log the deferment in the message log, but don't clutter it
up with retry-time defers after the first delivery attempt. */

if (f.deliver_firsttime || addr->basic_errno > ERRNO_RETRY_BASE)
  deliver_msglog("%s %.*s\n", now, g->ptr, g->s);

/* Write the main log and reset the store.
For errors of the type "retry time not reached" (also remotes skipped
on queue run), logging is controlled by L_retry_defer. Note that this kind
of error number is negative, and all the retry ones are less than any
others. */


log_write(addr->basic_errno <= ERRNO_RETRY_BASE ? L_retry_defer : 0, logflags,
  "== %Y", g);

store_reset(reset_point);
return;
}



static void
failure_log(address_item * addr, uschar * driver_kind, uschar * now)
{
rmark reset_point = store_mark();
gstring * g = string_get(256);

#ifndef DISABLE_EVENT
/* Message failures for which we will send a DSN get their event raised
later so avoid doing it here. */

if (  !addr->prop.ignore_error
   && !(addr->dsn_flags & (rf_dsnflags & ~rf_notify_failure))
   )
  msg_event_raise(US"msg:fail:delivery", addr);
#endif

/* Build up the log line for the message and main logs */

/* Create the address string for logging. Must not do this earlier, because
an OK result may be changed to FAIL when a pipe returns text. */

g = string_log_address(g, addr, LOGGING(all_parents), FALSE);

if (LOGGING(sender_on_delivery))
  g = string_append(g, 3, US" F=<", sender_address, US">");

if (*queue_name)
  g = string_append(g, 2, US" Q=", queue_name);

/* Return path may not be set if no delivery actually happened */

if (used_return_path && LOGGING(return_path_on_delivery))
  g = string_append(g, 3, US" P=<", used_return_path, US">");

if (addr->router)
  g = string_append(g, 2, US" R=", addr->router->drinst.name);
if (addr->transport)
  g = string_append(g, 2, US" T=", addr->transport->name);

if (addr->host_used)
  g = d_hostlog(g, addr);

#ifndef DISABLE_TLS
g = d_tlslog(g, addr);
#endif

if (addr->basic_errno > 0)
  g = string_append(g, 2, US": ", US strerror(addr->basic_errno));

if (addr->message)
  g = string_append(g, 2, US": ", addr->message);

if (LOGGING(deliver_time))
  g = string_append(g, 2, US" DT=", string_timediff(&addr->delivery_time));

/* Do the logging. For the message log, "routing failed" for those cases,
just to make it clearer. */

if (driver_kind)
  deliver_msglog("%s %s failed for %.*s\n", now, driver_kind, g->ptr, g->s);
else
  deliver_msglog("%s %.*s\n", now, g->ptr, g->s);

log_write(0, LOG_MAIN, "** %Y", g);

store_reset(reset_point);
return;
}



/*************************************************
*    Actions at the end of handling an address   *
*************************************************/

/* This is a function for processing a single address when all that can be done
with it has been done.

Arguments:
  addr         points to the address block
  result       the result of the delivery attempt
  logflags     flags for log_write() (LOG_MAIN and/or LOG_PANIC)
  driver_type  indicates which type of driver (transport, or router) was last
                 to process the address
  logchar      '=' or '-' for use when logging deliveries with => or ->

Returns:       nothing
*/

static void
post_process_one(address_item * addr, int result, int logflags, int driver_type,
  int logchar)
{
uschar * now = tod_stamp(tod_log);
uschar * driver_kind = NULL;
uschar * driver_name = NULL;

DEBUG(D_deliver) debug_printf("post-process %s (%d)\n", addr->address, result);

/* Set up driver kind and name for logging. Disable logging if the router or
transport has disabled it. */

if (driver_type == EXIM_DTYPE_TRANSPORT)
  {
  if (addr->transport)
    {
    driver_name = addr->transport->name;
    driver_kind = US" transport";
    f.disable_logging = addr->transport->disable_logging;
    }
  else driver_kind = US"transporting";
  }
else if (driver_type == EXIM_DTYPE_ROUTER)
  {
  if (addr->router)
    {
    driver_name = addr->router->drinst.name;
    driver_kind = US" router";
    f.disable_logging = addr->router->disable_logging;
    }
  else driver_kind = US"routing";
  }

/* If there's an error message set, ensure that it contains only printing
characters - it should, but occasionally things slip in and this at least
stops the log format from getting wrecked. We also scan the message for an LDAP
expansion item that has a password setting, and flatten the password. This is a
fudge, but I don't know a cleaner way of doing this. (If the item is badly
malformed, it won't ever have gone near LDAP.) */

if (addr->message)
  {
  const uschar * s = string_printing(addr->message);

  /* deconst cast ok as string_printing known to have alloc'n'copied */
  addr->message = expand_hide_passwords(US s);
  }

/* If we used a transport that has one of the "return_output" options set, and
if it did in fact generate some output, then for return_output we treat the
message as failed if it was not already set that way, so that the output gets
returned to the sender, provided there is a sender to send it to. For
return_fail_output, do this only if the delivery failed. Otherwise we just
unlink the file, and remove the name so that if the delivery failed, we don't
try to send back an empty or unwanted file. The log_output options operate only
on a non-empty file.

In any case, we close the message file, because we cannot afford to leave a
file-descriptor for one address while processing (maybe very many) others. */

if (addr->return_file >= 0 && addr->return_filename)
  {
  BOOL return_output = FALSE;
  struct stat statbuf;
  (void)EXIMfsync(addr->return_file);

  /* If there is no output, do nothing. */

  if (fstat(addr->return_file, &statbuf) == 0 && statbuf.st_size > 0)
    {
    transport_instance *tb = addr->transport;

    /* Handle logging options */

    if (  tb->log_output
       || result == FAIL  && tb->log_fail_output
       || result == DEFER && tb->log_defer_output
       )
      {
      uschar *s;
      FILE *f = Ufopen(addr->return_filename, "rb");
      if (!f)
        log_write(0, LOG_MAIN|LOG_PANIC, "failed to open %s to log output "
          "from %s transport: %s", addr->return_filename, tb->name,
          strerror(errno));
      else
        if ((s = US Ufgets(big_buffer, big_buffer_size, f)))
          {
          uschar *p = big_buffer + Ustrlen(big_buffer);
          const uschar * sp;
          while (p > big_buffer && isspace(p[-1])) p--;
          *p = 0;
          sp = string_printing(big_buffer);
          log_write(0, LOG_MAIN, "<%s>: %s transport output: %s",
            addr->address, tb->name, sp);
          }
      (void)fclose(f);
      }

    /* Handle returning options, but only if there is an address to return
    the text to. */

    if (sender_address[0] != 0 || addr->prop.errors_address)
      if (tb->return_output)
        {
        addr->transport_return = result = FAIL;
        if (addr->basic_errno == 0 && !addr->message)
          addr->message = US"return message generated";
        return_output = TRUE;
        }
      else
        if (tb->return_fail_output && result == FAIL) return_output = TRUE;
    }

  /* Get rid of the file unless it might be returned, but close it in
  all cases. */

  if (!return_output)
    {
    Uunlink(addr->return_filename);
    addr->return_filename = NULL;
    addr->return_file = -1;
    }

  (void)close(addr->return_file);
  }

/* The success case happens only after delivery by a transport. */

if (result == OK)
  {
  addr->next = addr_succeed;
  addr_succeed = addr;

  /* Call address_done() to ensure that we don't deliver to this address again,
  and write appropriate things to the message log. If it is a child address, we
  call child_done() to scan the ancestors and mark them complete if this is the
  last child to complete. */

  address_done(addr, now);
  DEBUG(D_deliver) debug_printf("%s delivered\n", addr->address);

  if (!addr->parent)
    deliver_msglog("%s %s: %s%s succeeded\n", now, addr->address,
      driver_name, driver_kind);
  else
    {
    deliver_msglog("%s %s <%s>: %s%s succeeded\n", now, addr->address,
      addr->parent->address, driver_name, driver_kind);
    child_done(addr, now);
    }

  /* Certificates for logging (via events) */
#ifndef DISABLE_TLS
  tls_out.ourcert = addr->ourcert;
  addr->ourcert = NULL;
  tls_out.peercert = addr->peercert;
  addr->peercert = NULL;

  tls_out.ver = addr->tlsver;
  tls_out.cipher = addr->cipher;
  tls_out.peerdn = addr->peerdn;
  tls_out.ocsp = addr->ocsp;
# ifdef SUPPORT_DANE
  tls_out.dane_verified = testflag(addr, af_dane_verified);
# endif
#endif

  delivery_log(LOG_MAIN, addr, logchar, NULL);

#ifndef DISABLE_TLS
  tls_free_cert(&tls_out.ourcert);
  tls_free_cert(&tls_out.peercert);
  tls_out.ver = NULL;
  tls_out.cipher = NULL;
  tls_out.peerdn = NULL;
  tls_out.ocsp = OCSP_NOT_REQ;
# ifdef SUPPORT_DANE
  tls_out.dane_verified = FALSE;
# endif
#endif
  }


/* Soft failure, or local delivery process failed; freezing may be
requested. */

else if (result == DEFER || result == PANIC)
  {
  if (result == PANIC) logflags |= LOG_PANIC;

  /* This puts them on the chain in reverse order. Do not change this, because
  the code for handling retries assumes that the one with the retry
  information is last. */

  addr->next = addr_defer;
  addr_defer = addr;

  /* The only currently implemented special action is to freeze the
  message. Logging of this is done later, just before the -H file is
  updated. */

  if (addr->special_action == SPECIAL_FREEZE)
    {
    f.deliver_freeze = TRUE;
    deliver_frozen_at = time(NULL);
    update_spool = TRUE;
    }

  /* If doing a 2-stage queue run, we skip writing to either the message
  log or the main log for SMTP defers. */

  if (!f.queue_2stage || addr->basic_errno != 0)
    deferral_log(addr, now, logflags, driver_name, driver_kind);
  }


/* Hard failure. If there is an address to which an error message can be sent,
put this address on the failed list. If not, put it on the deferred list and
freeze the mail message for human attention. The latter action can also be
explicitly requested by a router or transport. */

else
  {
  /* If this is a delivery error, or a message for which no replies are
  wanted, and the message's age is greater than ignore_bounce_errors_after,
  force the af_ignore_error flag. This will cause the address to be discarded
  later (with a log entry). */

  if (!*sender_address && message_age >= ignore_bounce_errors_after)
    addr->prop.ignore_error = TRUE;

  /* Freeze the message if requested, or if this is a bounce message (or other
  message with null sender) and this address does not have its own errors
  address. However, don't freeze if errors are being ignored. The actual code
  to ignore occurs later, instead of sending a message. Logging of freezing
  occurs later, just before writing the -H file. */

  if (  !addr->prop.ignore_error
     && (  addr->special_action == SPECIAL_FREEZE
        || (sender_address[0] == 0 && !addr->prop.errors_address)
     )  )
    {
    frozen_info = addr->special_action == SPECIAL_FREEZE
      ? US""
      : f.sender_local && !f.local_error_message
      ? US" (message created with -f <>)"
      : US" (delivery error message)";
    f.deliver_freeze = TRUE;
    deliver_frozen_at = time(NULL);
    update_spool = TRUE;

    /* The address is put on the defer rather than the failed queue, because
    the message is being retained. */

    addr->next = addr_defer;
    addr_defer = addr;
    }

  /* Don't put the address on the nonrecipients tree yet; wait until an
  error message has been successfully sent. */

  else
    {
    addr->next = addr_failed;
    addr_failed = addr;
    }

  failure_log(addr, driver_name ? NULL : driver_kind, now);
  }

/* Ensure logging is turned on again in all cases */

f.disable_logging = FALSE;
}




/*************************************************
*            Address-independent error           *
*************************************************/

/* This function is called when there's an error that is not dependent on a
particular address, such as an expansion string failure. It puts the error into
all the addresses in a batch, logs the incident on the main and panic logs, and
clears the expansions. It is mostly called from local_deliver(), but can be
called for a remote delivery via findugid().

Arguments:
  logit        TRUE if (MAIN+PANIC) logging required
  addr         the first of the chain of addresses
  code         the error code
  format       format string for error message, or NULL if already set in addr
  ...          arguments for the format

Returns:       nothing
*/

static void
common_error(BOOL logit, address_item *addr, int code, uschar *format, ...)
{
addr->basic_errno = code;

if (format)
  {
  va_list ap;
  gstring * g;

  va_start(ap, format);
  g = string_vformat(NULL, SVFMT_EXTEND|SVFMT_REBUFFER, CS format, ap);
  va_end(ap);
  addr->message = string_from_gstring(g);
  }

for (address_item * addr2 = addr->next; addr2; addr2 = addr2->next)
  {
  addr2->basic_errno = code;
  addr2->message = addr->message;
  }

if (logit) log_write(0, LOG_MAIN|LOG_PANIC, "%s", addr->message);
deliver_set_expansions(NULL);
}




/*************************************************
*         Check a "never users" list             *
*************************************************/

/* This function is called to check whether a uid is on one of the two "never
users" lists.

Arguments:
  uid         the uid to be checked
  nusers      the list to be scanned; the first item in the list is the count

Returns:      TRUE if the uid is on the list
*/

static BOOL
check_never_users(uid_t uid, uid_t *nusers)
{
if (!nusers) return FALSE;
for (int i = 1; i <= (int)(nusers[0]); i++) if (nusers[i] == uid) return TRUE;
return FALSE;
}



/*************************************************
*          Find uid and gid for a transport      *
*************************************************/

/* This function is called for both local and remote deliveries, to find the
uid/gid under which to run the delivery. The values are taken preferentially
from the transport (either explicit or deliver_as_creator), then from the
address (i.e. the router), and if nothing is set, the exim uid/gid are used. If
the resulting uid is on the "never_users" or the "fixed_never_users" list, a
panic error is logged, and the function fails (which normally leads to delivery
deferral).

Arguments:
  addr         the address (possibly a chain)
  tp           the transport
  uidp         pointer to uid field
  gidp         pointer to gid field
  igfp         pointer to the use_initgroups field

Returns:       FALSE if failed - error has been set in address(es)
*/

static BOOL
findugid(address_item *addr, transport_instance *tp, uid_t *uidp, gid_t *gidp,
  BOOL *igfp)
{
uschar *nuname;
BOOL gid_set = FALSE;

/* Default initgroups flag comes from the transport */

*igfp = tp->initgroups;

/* First see if there's a gid on the transport, either fixed or expandable.
The expanding function always logs failure itself. */

if (tp->gid_set)
  {
  *gidp = tp->gid;
  gid_set = TRUE;
  }
else if (tp->expand_gid)
  {
  GET_OPTION("group");
  if (!route_find_expanded_group(tp->expand_gid, tp->name, US"transport", gidp,
    &addr->message))
    {
    common_error(FALSE, addr, ERRNO_GIDFAIL, NULL);
    return FALSE;
    }
  gid_set = TRUE;
  }

/* If the transport did not set a group, see if the router did. */

if (!gid_set && testflag(addr, af_gid_set))
  {
  *gidp = addr->gid;
  gid_set = TRUE;
  }

/* Pick up a uid from the transport if one is set. */

if (tp->uid_set) *uidp = tp->uid;

/* Otherwise, try for an expandable uid field. If it ends up as a numeric id,
it does not provide a passwd value from which a gid can be taken. */

else if (tp->expand_uid)
  {
  struct passwd *pw;
  GET_OPTION("user");
  if (!route_find_expanded_user(tp->expand_uid, tp->name, US"transport", &pw,
       uidp, &(addr->message)))
    {
    common_error(FALSE, addr, ERRNO_UIDFAIL, NULL);
    return FALSE;
    }
  if (!gid_set && pw)
    {
    *gidp = pw->pw_gid;
    gid_set = TRUE;
    }
  }

/* If the transport doesn't set the uid, test the deliver_as_creator flag. */

else if (tp->deliver_as_creator)
  {
  *uidp = originator_uid;
  if (!gid_set)
    {
    *gidp = originator_gid;
    gid_set = TRUE;
    }
  }

/* Otherwise see if the address specifies the uid and if so, take it and its
initgroups flag. */

else if (testflag(addr, af_uid_set))
  {
  *uidp = addr->uid;
  *igfp = testflag(addr, af_initgroups);
  }

/* Nothing has specified the uid - default to the Exim user, and group if the
gid is not set. */

else
  {
  *uidp = exim_uid;
  if (!gid_set)
    {
    *gidp = exim_gid;
    gid_set = TRUE;
    }
  }

/* If no gid is set, it is a disaster. We default to the Exim gid only if
defaulting to the Exim uid. In other words, if the configuration has specified
a uid, it must also provide a gid. */

if (!gid_set)
  {
  common_error(TRUE, addr, ERRNO_GIDFAIL, US"User set without group for "
    "%s transport", tp->name);
  return FALSE;
  }

/* Check that the uid is not on the lists of banned uids that may not be used
for delivery processes. */

nuname = check_never_users(*uidp, never_users)
  ? US"never_users"
  : check_never_users(*uidp, fixed_never_users)
  ? US"fixed_never_users"
  : NULL;
if (nuname)
  {
  common_error(TRUE, addr, ERRNO_UIDFAIL, US"User %ld set for %s transport "
    "is on the %s list", (long int)(*uidp), tp->name, nuname);
  return FALSE;
  }

/* All is well */

return TRUE;
}




/*************************************************
*   Check the size of a message for a transport  *
*************************************************/

/* Checks that the message isn't too big for the selected transport.
This is called only when it is known that the limit is set.

Arguments:
  tp          the transport
  addr        the (first) address being delivered

Returns:      OK
              DEFER   expansion failed or did not yield an integer
              FAIL    message too big
*/

int
check_message_size(transport_instance *tp, address_item *addr)
{
int rc = OK;
int size_limit;

GET_OPTION("message_size_limit");
deliver_set_expansions(addr);
size_limit = expand_string_integer(tp->message_size_limit, TRUE);
deliver_set_expansions(NULL);

if (expand_string_message)
  {
  rc = DEFER;
  addr->message = size_limit == -1
    ? string_sprintf("failed to expand message_size_limit "
      "in %s transport: %s", tp->name, expand_string_message)
    : string_sprintf("invalid message_size_limit "
      "in %s transport: %s", tp->name, expand_string_message);
  }
else if (size_limit > 0 && message_size > size_limit)
  {
  rc = FAIL;
  addr->message =
    string_sprintf("message is too big (transport limit = %d)",
      size_limit);
  }

return rc;
}



/*************************************************
*  Transport-time check for a previous delivery  *
*************************************************/

/* Check that this base address hasn't previously been delivered to its routed
transport. If it has been delivered, mark it done. The check is necessary at
delivery time in order to handle homonymic addresses correctly in cases where
the pattern of redirection changes between delivery attempts (so the unique
fields change). Non-homonymic previous delivery is detected earlier, at routing
time (which saves unnecessary routing).

Arguments:
  addr      the address item
  testing   TRUE if testing wanted only, without side effects

Returns:    TRUE if previously delivered by the transport
*/

static BOOL
previously_transported(address_item *addr, BOOL testing)
{
uschar * s = string_sprintf("%s/%s",
  addr->unique + (testflag(addr, af_homonym) ? 3:0), addr->transport->name);

if (tree_search(tree_nonrecipients, s) != 0)
  {
  DEBUG(D_deliver|D_route|D_transport)
    debug_printf("%s was previously delivered (%s transport): discarded\n",
    addr->address, addr->transport->name);
  if (!testing) child_done(addr, tod_stamp(tod_log));
  return TRUE;
  }

return FALSE;
}



/******************************************************
*      Check for a given header in a header string    *
******************************************************/

/* This function is used when generating quota warnings. The configuration may
specify any header lines it likes in quota_warn_message. If certain of them are
missing, defaults are inserted, so we need to be able to test for the presence
of a given header.

Arguments:
  hdr         the required header name
  hstring     the header string

Returns:      TRUE  the header is in the string
              FALSE the header is not in the string
*/

static BOOL
contains_header(uschar *hdr, uschar *hstring)
{
int len = Ustrlen(hdr);
uschar *p = hstring;
while (*p != 0)
  {
  if (strncmpic(p, hdr, len) == 0)
    {
    p += len;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == ':') return TRUE;
    }
  while (*p != 0 && *p != '\n') p++;
  if (*p == '\n') p++;
  }
return FALSE;
}




/*************************************************
*           Perform a local delivery             *
*************************************************/

/* Each local delivery is performed in a separate process which sets its
uid and gid as specified. This is a safer way than simply changing and
restoring using seteuid(); there is a body of opinion that seteuid()
cannot be used safely. From release 4, Exim no longer makes any use of
it for delivery. Besides, not all systems have seteuid().

If the uid/gid are specified in the transport_instance, they are used; the
transport initialization must ensure that either both or neither are set.
Otherwise, the values associated with the address are used. If neither are set,
it is a configuration error.

The transport or the address may specify a home directory (transport over-
rides), and if they do, this is set as $home. If neither have set a working
directory, this value is used for that as well. Otherwise $home is left unset
and the cwd is set to "/" - a directory that should be accessible to all users.

Using a separate process makes it more complicated to get error information
back. We use a pipe to pass the return code and also an error code and error
text string back to the parent process.

Arguments:
  addr       points to an address block for this delivery; for "normal" local
             deliveries this is the only address to be delivered, but for
             pseudo-remote deliveries (e.g. by batch SMTP to a file or pipe)
             a number of addresses can be handled simultaneously, and in this
             case addr will point to a chain of addresses with the same
             characteristics.

  shadowing  TRUE if running a shadow transport; this causes output from pipes
             to be ignored.

Returns:     nothing
*/

void
deliver_local(address_item *addr, BOOL shadowing)
{
BOOL use_initgroups;
uid_t uid;
gid_t gid;
int status, len, rc;
int pfd[2];
pid_t pid;
uschar *working_directory;
address_item *addr2;
transport_instance *tp = addr->transport;

/* Set up the return path from the errors or sender address. If the transport
has its own return path setting, expand it and replace the existing value. */

if(addr->prop.errors_address)
  return_path = addr->prop.errors_address;
else
  return_path = sender_address;

GET_OPTION("return_path");
if (tp->return_path)
  {
  uschar * new_return_path = expand_string(tp->return_path);
  if (new_return_path)
    return_path = new_return_path;
  else if (!f.expand_string_forcedfail)
    {
    common_error(TRUE, addr, ERRNO_EXPANDFAIL,
      US"Failed to expand return path \"%s\" in %s transport: %s",
      tp->return_path, tp->name, expand_string_message);
    return;
    }
  }

/* For local deliveries, one at a time, the value used for logging can just be
set directly, once and for all. */

used_return_path = return_path;

/* Sort out the uid, gid, and initgroups flag. If an error occurs, the message
gets put into the address(es), and the expansions are unset, so we can just
return. */

if (!findugid(addr, tp, &uid, &gid, &use_initgroups)) return;

/* See if either the transport or the address specifies a home directory. A
home directory set in the address may already be expanded; a flag is set to
indicate that. In other cases we must expand it. */

GET_OPTION("home_directory");
if (  (deliver_home = tp->home_dir)             /* Set in transport, or */
   || (  (deliver_home = addr->home_dir)        /* Set in address and */
      && !testflag(addr, af_home_expanded)      /*   not expanded */
   )  )
  {
  uschar *rawhome = deliver_home;
  deliver_home = NULL;                      /* in case it contains $home */
  if (!(deliver_home = expand_string(rawhome)))
    {
    common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"home directory \"%s\" failed "
      "to expand for %s transport: %s", rawhome, tp->name,
      expand_string_message);
    return;
    }
  if (*deliver_home != '/')
    {
    common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"home directory path \"%s\" "
      "is not absolute for %s transport", deliver_home, tp->name);
    return;
    }
  }

/* See if either the transport or the address specifies a current directory,
and if so, expand it. If nothing is set, use the home directory, unless it is
also unset in which case use "/", which is assumed to be a directory to which
all users have access. It is necessary to be in a visible directory for some
operating systems when running pipes, as some commands (e.g. "rm" under Solaris
2.5) require this. */

GET_OPTION("current_directory");
working_directory = tp->current_dir ? tp->current_dir : addr->current_dir;
if (working_directory)
  {
  uschar *raw = working_directory;
  if (!(working_directory = expand_string(raw)))
    {
    common_error(TRUE, addr, ERRNO_EXPANDFAIL, US"current directory \"%s\" "
      "failed to expand for %s transport: %s", raw, tp->name,
      expand_string_message);
    return;
    }
  if (*working_directory != '/')
    {
    common_error(TRUE, addr, ERRNO_NOTABSOLUTE, US"current directory path "
      "\"%s\" is not absolute for %s transport", working_directory, tp->name);
    return;
    }
  }
else working_directory = deliver_home ? deliver_home : US"/";

/* If one of the return_output flags is set on the transport, create and open a
file in the message log directory for the transport to write its output onto.
This is mainly used by pipe transports. The file needs to be unique to the
address. This feature is not available for shadow transports. */

if (  !shadowing
   && (  tp->return_output || tp->return_fail_output
      || tp->log_output || tp->log_fail_output || tp->log_defer_output
   )  )
  {
  uschar * error;

  addr->return_filename =
    spool_fname(US"msglog", message_subdir, message_id,
      string_sprintf("-%ld-%d", (long)getpid(), return_count++));

  if ((addr->return_file = open_msglog_file(addr->return_filename, 0400, &error)) < 0)
    {
    common_error(TRUE, addr, errno, US"Unable to %s file for %s transport "
      "to return message: %s", error, tp->name, strerror(errno));
    return;
    }
  }

/* Create the pipe for inter-process communication. */

if (pipe(pfd) != 0)
  {
  common_error(TRUE, addr, ERRNO_PIPEFAIL, US"Creation of pipe failed: %s",
    strerror(errno));
  return;
  }

/* Now fork the process to do the real work in the subprocess, but first
ensure that all cached resources are freed so that the subprocess starts with
a clean slate and doesn't interfere with the parent process. */

search_tidyup();

if ((pid = exim_fork(US"delivery-local")) == 0)
  {
  BOOL replicate = TRUE;

  /* Prevent core dumps, as we don't want them in users' home directories.
  HP-UX doesn't have RLIMIT_CORE; I don't know how to do this in that
  system. Some experimental/developing systems (e.g. GNU/Hurd) may define
  RLIMIT_CORE but not support it in setrlimit(). For such systems, do not
  complain if the error is "not supported".

  There are two scenarios where changing the max limit has an effect.  In one,
  the user is using a .forward and invoking a command of their choice via pipe;
  for these, we do need the max limit to be 0 unless the admin chooses to
  permit an increased limit.  In the other, the command is invoked directly by
  the transport and is under administrator control, thus being able to raise
  the limit aids in debugging.  So there's no general always-right answer.

  Thus we inhibit core-dumps completely but let individual transports, while
  still root, re-raise the limits back up to aid debugging.  We make the
  default be no core-dumps -- few enough people can use core dumps in
  diagnosis that it's reasonable to make them something that has to be explicitly requested.
  */

#ifdef RLIMIT_CORE
  struct rlimit rl;
  rl.rlim_cur = 0;
  rl.rlim_max = 0;
  if (setrlimit(RLIMIT_CORE, &rl) < 0)
    {
# ifdef SETRLIMIT_NOT_SUPPORTED
    if (errno != ENOSYS && errno != ENOTSUP)
# endif
      log_write(0, LOG_MAIN|LOG_PANIC, "setrlimit(RLIMIT_CORE) failed: %s",
        strerror(errno));
    }
#endif

  /* Reset the random number generator, so different processes don't all
  have the same sequence. */

  random_seed = 0;

  /* If the transport has a setup entry, call this first, while still
  privileged. (Appendfile uses this to expand quota, for example, while
  able to read private files.) */

  if (addr->transport->setup)
    switch((addr->transport->setup)(addr->transport, addr, NULL, uid, gid,
           &addr->message))
      {
      case DEFER:
        addr->transport_return = DEFER;
        goto PASS_BACK;

      case FAIL:
        addr->transport_return = PANIC;
        goto PASS_BACK;
      }

  /* Ignore SIGINT and SIGTERM during delivery. Also ignore SIGUSR1, as
  when the process becomes unprivileged, it won't be able to write to the
  process log. SIGHUP is ignored throughout exim, except when it is being
  run as a daemon. */

  signal(SIGINT, SIG_IGN);
  signal(SIGTERM, SIG_IGN);
  signal(SIGUSR1, SIG_IGN);

  /* Close the unwanted half of the pipe, and set close-on-exec for the other
  half - for transports that exec things (e.g. pipe). Then set the required
  gid/uid. */

  (void)close(pfd[pipe_read]);
  (void)fcntl(pfd[pipe_write], F_SETFD, fcntl(pfd[pipe_write], F_GETFD) |
    FD_CLOEXEC);
  exim_setugid(uid, gid, use_initgroups,
    string_sprintf("local delivery to %s <%s> transport=%s", addr->local_part,
      addr->address, addr->transport->name));

  DEBUG(D_deliver)
    {
    debug_printf("  home=%s current=%s\n", deliver_home, working_directory);
    for (address_item * batched = addr->next; batched; batched = batched->next)
      debug_printf("additional batched address: %s\n", batched->address);
    }

  /* Set an appropriate working directory. */

  if (Uchdir(working_directory) < 0)
    {
    addr->transport_return = DEFER;
    addr->basic_errno = errno;
    addr->message = string_sprintf("failed to chdir to %s", working_directory);
    }

  /* If successful, call the transport */

  else
    {
    BOOL ok = TRUE;
    set_process_info("delivering %s to %s using %s", message_id,
     addr->local_part, tp->name);

    /* Setting these globals in the subprocess means we need never clear them */

    transport_name = tp->name;
    if (addr->router) router_name = addr->router->drinst.name;
    driver_srcfile = tp->srcfile;
    driver_srcline = tp->srcline;

    /* If a transport filter has been specified, set up its argument list.
    Any errors will get put into the address, and FALSE yielded. */

    if (tp->filter_command)
      {
      ok = transport_set_up_command(&transport_filter_argv,
        tp->filter_command,
        TSUC_EXPAND_ARGS, PANIC, addr, US"transport filter", NULL);
      transport_filter_timeout = tp->filter_timeout;
      }
    else transport_filter_argv = NULL;

    if (ok)
      {
      debug_print_string(tp->debug_string);
      replicate = !(tp->info->code)(addr->transport, addr);
      }
    }

  /* Pass the results back down the pipe. If necessary, first replicate the
  status in the top address to the others in the batch. The label is the
  subject of a goto when a call to the transport's setup function fails. We
  pass the pointer to the transport back in case it got changed as a result of
  file_format in appendfile. */

  PASS_BACK:

  if (replicate) replicate_status(addr);
  for (addr2 = addr; addr2; addr2 = addr2->next)
    {
    int i;
    int local_part_length = Ustrlen(addr2->local_part);
    uschar *s;
    int ret;

    if(  (i = addr2->transport_return, (ret = write(pfd[pipe_write], &i, sizeof(int))) != sizeof(int))
      || (ret = write(pfd[pipe_write], &transport_count, sizeof(transport_count))) != sizeof(transport_count)
      || (ret = write(pfd[pipe_write], &addr2->flags, sizeof(addr2->flags))) != sizeof(addr2->flags)
      || (ret = write(pfd[pipe_write], &addr2->basic_errno,    sizeof(int))) != sizeof(int)
      || (ret = write(pfd[pipe_write], &addr2->more_errno,     sizeof(int))) != sizeof(int)
      || (ret = write(pfd[pipe_write], &addr2->delivery_time,  sizeof(struct timeval))) != sizeof(struct timeval)
      || (i = addr2->special_action, (ret = write(pfd[pipe_write], &i, sizeof(int))) != sizeof(int))
      || (ret = write(pfd[pipe_write], &addr2->transport,
        sizeof(transport_instance *))) != sizeof(transport_instance *)

    /* For a file delivery, pass back the local part, in case the original
    was only part of the final delivery path. This gives more complete
    logging. */

      || (testflag(addr2, af_file)
          && (  (ret = write(pfd[pipe_write], &local_part_length, sizeof(int))) != sizeof(int)
             || (ret = write(pfd[pipe_write], addr2->local_part, local_part_length)) != local_part_length
             )
         )
      )
      log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
        ret == -1 ? strerror(errno) : "short write");

    /* Now any messages */

    for (i = 0, s = addr2->message; i < 2; i++, s = addr2->user_message)
      {
      int message_length = s ? Ustrlen(s) + 1 : 0;
      if(  (ret = write(pfd[pipe_write], &message_length, sizeof(int))) != sizeof(int)
        || message_length > 0  && (ret = write(pfd[pipe_write], s, message_length)) != message_length
        )
        log_write(0, LOG_MAIN|LOG_PANIC, "Failed writing transport results to pipe: %s",
          ret == -1 ? strerror(errno) : "short write");
      }
    }

  /* OK, this process is now done. Free any cached resources that it opened,
  and close the pipe we were writing down before exiting. */

  (void)close(pfd[pipe_write]);
  exim_exit(EXIT_SUCCESS);
  }

/* Back in the main process: panic if the fork did not succeed. This seems
better than returning an error - if forking is failing it is probably best
not to try other deliveries for this message. */

if (pid < 0)
  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Fork failed for local delivery to %s",
    addr->address);

/* Read the pipe to get the delivery status codes and error messages. Our copy
of the writing end must be closed first, as otherwise read() won't return zero
on an empty pipe. We check that a status exists for each address before
overwriting the address structure. If data is missing, the default DEFER status
will remain. Afterwards, close the reading end. */

(void)close(pfd[pipe_write]);

for (addr2 = addr; addr2; addr2 = addr2->next)
  {
  if ((len = read(pfd[pipe_read], &status, sizeof(int))) > 0)
    {
    int i;
    uschar **sptr;

    addr2->transport_return = status;
    len = read(pfd[pipe_read], &transport_count,
      sizeof(transport_count));
    len = read(pfd[pipe_read], &addr2->flags, sizeof(addr2->flags));
    len = read(pfd[pipe_read], &addr2->basic_errno,    sizeof(int));
    len = read(pfd[pipe_read], &addr2->more_errno,     sizeof(int));
    len = read(pfd[pipe_read], &addr2->delivery_time,  sizeof(struct timeval));
    len = read(pfd[pipe_read], &i, sizeof(int)); addr2->special_action = i;
    len = read(pfd[pipe_read], &addr2->transport,
      sizeof(transport_instance *));

    if (testflag(addr2, af_file))
      {
      int llen;
      if (  read(pfd[pipe_read], &llen, sizeof(int)) != sizeof(int)
         || llen > 64*4 /* limit from rfc 5821, times I18N factor */
         )
        {
        log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part length read"
          " from delivery subprocess");
        break;
        }
      /* sanity-checked llen so disable the Coverity error */
      /* coverity[tainted_data] */
      if (read(pfd[pipe_read], big_buffer, llen) != llen)
        {
        log_write(0, LOG_MAIN|LOG_PANIC, "bad local_part read"
          " from delivery subprocess");
        break;
        }
      big_buffer[llen] = 0;
      addr2->local_part = string_copy(big_buffer);
      }

    for (i = 0, sptr = &addr2->message; i < 2; i++, sptr = &addr2->user_message)
      {
      int message_length;
      len = read(pfd[pipe_read], &message_length, sizeof(int));
      if (message_length > 0)
        {
        len = read(pfd[pipe_read], big_buffer, message_length);
        big_buffer[big_buffer_size-1] = '\0';           /* guard byte */
        if (len > 0) *sptr = string_copy(big_buffer);
        }
      }
    }

  else
    {
    log_write(0, LOG_MAIN|LOG_PANIC, "failed to read delivery status for %s "
      "from delivery subprocess", addr2->unique);
    break;
    }
  }

(void)close(pfd[pipe_read]);

/* Unless shadowing, write all successful addresses immediately to the journal
file, to ensure they are recorded asap. For homonymic addresses, use the base
address plus the transport name. Failure to write the journal is panic-worthy,
but don't stop, as it may prove possible subsequently to update the spool file
in order to record the delivery. */

if (!shadowing)
  {
  for (addr2 = addr; addr2; addr2 = addr2->next)
    if (addr2->transport_return == OK)
      {
      if (testflag(addr2, af_homonym))
        sprintf(CS big_buffer, "%.500s/%s\n", addr2->unique + 3, tp->name);
      else
        sprintf(CS big_buffer, "%.500s\n", addr2->unique);

      /* In the test harness, wait just a bit to let the subprocess finish off
      any debug output etc first. */

      testharness_pause_ms(300);

      DEBUG(D_deliver) debug_printf("journalling %s", big_buffer);
      len = Ustrlen(big_buffer);
      if (write(journal_fd, big_buffer, len) != len)
        log_write(0, LOG_MAIN|LOG_PANIC, "failed to update journal for %s: %s",
          big_buffer, strerror(errno));
      }

  /* Ensure the journal file is pushed out to disk. */

  if (EXIMfsync(journal_fd) < 0)
    log_write(0, LOG_MAIN|LOG_PANIC, "failed to fsync journal: %s",
      strerror(errno));
  }

/* Wait for the process to finish. If it terminates with a non-zero code,
freeze the message (except for SIGTERM, SIGKILL and SIGQUIT), but leave the
status values of all the addresses as they are. Take care to handle the case
when the subprocess doesn't seem to exist. This has been seen on one system
when Exim was called from an MUA that set SIGCHLD to SIG_IGN. When that
happens, wait() doesn't recognize the termination of child processes. Exim now
resets SIGCHLD to SIG_DFL, but this code should still be robust. */

while ((rc = wait(&status)) != pid)
  if (rc < 0 && errno == ECHILD)      /* Process has vanished */
    {
    log_write(0, LOG_MAIN, "%s transport process vanished unexpectedly",
      addr->transport->driver_name);
    status = 0;
    break;
    }

if ((status & 0xffff) != 0)
  {
  int msb = (status >> 8) & 255;
  int lsb = status & 255;
  int code = (msb == 0)? (lsb & 0x7f) : msb;
  if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
    addr->special_action = SPECIAL_FREEZE;
  log_write(0, LOG_MAIN|LOG_PANIC, "%s transport process returned non-zero "
    "status 0x%04x: %s %d",
    addr->transport->driver_name,
    status,
    msb == 0 ? "terminated by signal" : "exit code",
    code);
  }

/* If SPECIAL_WARN is set in the top address, send a warning message. */

if (addr->special_action == SPECIAL_WARN)
  {
  uschar * warn_message = addr->transport->warn_message;
  GET_OPTION("quota_warn_message");
  if (warn_message)
    {
    int fd;
    pid_t pid;

    DEBUG(D_deliver) debug_printf("Warning message requested by transport\n");

    if (!(warn_message = expand_string(warn_message)))
      log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand \"%s\" (warning "
        "message for %s transport): %s", addr->transport->warn_message,
        addr->transport->name, expand_string_message);

    else if ((pid = child_open_exim(&fd, US"tpt-warning-message")) > 0)
      {
      FILE * f = fdopen(fd, "wb");
      if (errors_reply_to && !contains_header(US"Reply-To", warn_message))
        fprintf(f, "Reply-To: %s\n", errors_reply_to);
      fprintf(f, "Auto-Submitted: auto-replied\n");
      if (!contains_header(US"From", warn_message))
        moan_write_from(f);
      fprintf(f, "%s", CS warn_message);

      /* Close and wait for child process to complete, without a timeout. */

      (void)fclose(f);
      (void)child_close(pid, 0);
      }

    addr->special_action = SPECIAL_NONE;
    }
  }
}




/* Check transport for the given concurrency limit.  Return TRUE if over
the limit (or an expansion failure), else FALSE and if there was a limit,
the key for the hints database used for the concurrency count. */

static BOOL
tpt_parallel_check(transport_instance * tp, address_item * addr, uschar ** key)
{
unsigned max_parallel;

GET_OPTION("max_parallel");
if (!tp->max_parallel) return FALSE;

max_parallel = (unsigned) expand_string_integer(tp->max_parallel, TRUE);
if (expand_string_message)
  {
  log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand max_parallel option "
        "in %s transport (%s): %s", tp->name, addr->address,
        expand_string_message);
  return TRUE;
  }

if (max_parallel > 0)
  {
  uschar * serialize_key = string_sprintf("tpt-serialize-%s", tp->name);
  if (!enq_start(serialize_key, max_parallel))
    {
    address_item * next;
    DEBUG(D_transport)
      debug_printf("skipping tpt %s because concurrency limit %u reached\n",
                  tp->name, max_parallel);
    do
      {
      next = addr->next;
      addr->message = US"concurrency limit reached for transport";
      addr->basic_errno = ERRNO_TRETRY;
      post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
      } while ((addr = next));
    return TRUE;
    }
  *key = serialize_key;
  }
return FALSE;
}



/*************************************************
*              Do local deliveries               *
*************************************************/

/* This function processes the list of addresses in addr_local. True local
deliveries are always done one address at a time. However, local deliveries can
be batched up in some cases. Typically this is when writing batched SMTP output
files for use by some external transport mechanism, or when running local
deliveries over LMTP.

Arguments:   None
Returns:     Nothing
*/

static void
do_local_deliveries(void)
{
open_db dbblock, * dbm_file = NULL;
time_t now = time(NULL);

/* Loop until we have exhausted the supply of local deliveries */

while (addr_local)
  {
  struct timeval delivery_start;
  struct timeval deliver_time;
  address_item *addr2, *addr3, *nextaddr;
  int logflags = LOG_MAIN;
  int logchar = f.dont_deliver? '*' : '=';
  transport_instance *tp;
  uschar * serialize_key = NULL;

  /* Pick the first undelivered address off the chain */

  address_item *addr = addr_local;
  addr_local = addr->next;
  addr->next = NULL;

  DEBUG(D_deliver|D_transport)
    debug_printf("--------> %s <--------\n", addr->address);

  /* An internal disaster if there is no transport. Should not occur! */

  if (!(tp = addr->transport))
    {
    logflags |= LOG_PANIC;
    f.disable_logging = FALSE;  /* Jic */
    addr->message = addr->router
      ? string_sprintf("No transport set by %s router", addr->router->drinst.name)
      : US"No transport set by system filter";
    post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
    continue;
    }

  /* Check that this base address hasn't previously been delivered to this
  transport. The check is necessary at this point to handle homonymic addresses
  correctly in cases where the pattern of redirection changes between delivery
  attempts. Non-homonymic previous delivery is detected earlier, at routing
  time. */

  if (previously_transported(addr, FALSE)) continue;

  /* There are weird cases where logging is disabled */

  f.disable_logging = tp->disable_logging;

  /* Check for batched addresses and possible amalgamation. Skip all the work
  if either batch_max <= 1 or there aren't any other addresses for local
  delivery. */

  if (tp->batch_max > 1 && addr_local)
    {
    int batch_count = 1;
    BOOL uses_dom = readconf_depends((driver_instance *)tp, US"domain");
    BOOL uses_lp = (  testflag(addr, af_pfr)
                   && (testflag(addr, af_file) || addr->local_part[0] == '|')
                   )
                || readconf_depends((driver_instance *)tp, US"local_part");
    uschar *batch_id = NULL;
    address_item **anchor = &addr_local;
    address_item *last = addr;
    address_item *next;

    /* Expand the batch_id string for comparison with other addresses.
    Expansion failure suppresses batching. */

    GET_OPTION("batch_id");
    if (tp->batch_id)
      {
      deliver_set_expansions(addr);
      batch_id = expand_string(tp->batch_id);
      deliver_set_expansions(NULL);
      if (!batch_id)
        {
        log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
          "in %s transport (%s): %s", tp->name, addr->address,
          expand_string_message);
        batch_count = tp->batch_max;
        }
      }

    /* Until we reach the batch_max limit, pick off addresses which have the
    same characteristics. These are:

      same transport
      not previously delivered (see comment about 50 lines above)
      same local part if the transport's configuration contains $local_part
        or if this is a file or pipe delivery from a redirection
      same domain if the transport's configuration contains $domain
      same errors address
      same additional headers
      same headers to be removed
      same uid/gid for running the transport
      same first host if a host list is set
    */

    while ((next = *anchor) && batch_count < tp->batch_max)
      {
      BOOL ok =
           tp == next->transport
        && !previously_transported(next, TRUE)
        && testflag(addr, af_pfr) == testflag(next, af_pfr)
        && testflag(addr, af_file) == testflag(next, af_file)
        && (!uses_lp  || Ustrcmp(next->local_part, addr->local_part) == 0)
        && (!uses_dom || Ustrcmp(next->domain, addr->domain) == 0)
        && same_strings(next->prop.errors_address, addr->prop.errors_address)
        && same_headers(next->prop.extra_headers, addr->prop.extra_headers)
        && same_strings(next->prop.remove_headers, addr->prop.remove_headers)
        && same_ugid(tp, addr, next)
        && (  !addr->host_list && !next->host_list
           ||    addr->host_list
              && next->host_list
              && Ustrcmp(addr->host_list->name, next->host_list->name) == 0
           );

      /* If the transport has a batch_id setting, batch_id will be non-NULL
      from the expansion outside the loop. Expand for this address and compare.
      Expansion failure makes this address ineligible for batching. */

      if (ok && batch_id)
        {
        uschar * bid;
        address_item * save_nextnext = next->next;
        next->next = NULL;            /* Expansion for a single address */
        deliver_set_expansions(next);
        next->next = save_nextnext;
        GET_OPTION("batch_id");
        bid = expand_string(tp->batch_id);
        deliver_set_expansions(NULL);
        if (!bid)
          {
          log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand batch_id option "
            "in %s transport (%s): %s", tp->name, next->address,
            expand_string_message);
          ok = FALSE;
          }
        else ok = (Ustrcmp(batch_id, bid) == 0);
        }

      /* Take address into batch if OK. */

      if (ok)
        {
        *anchor = next->next;           /* Include the address */
        next->next = NULL;
        last->next = next;
        last = next;
        batch_count++;
        }
      else anchor = &next->next;        /* Skip the address */
      }
    }

  /* We now have one or more addresses that can be delivered in a batch. Check
  whether the transport is prepared to accept a message of this size. If not,
  fail them all forthwith. If the expansion fails, or does not yield an
  integer, defer delivery. */

  if (tp->message_size_limit)
    {
    int rc = check_message_size(tp, addr);
    if (rc != OK)
      {
      replicate_status(addr);
      while (addr)
        {
        addr2 = addr->next;
        post_process_one(addr, rc, logflags, EXIM_DTYPE_TRANSPORT, 0);
        addr = addr2;
        }
      continue;    /* With next batch of addresses */
      }
    }

  /* If we are not running the queue, or if forcing, all deliveries will be
  attempted. Otherwise, we must respect the retry times for each address. Even
  when not doing this, we need to set up the retry key string, and determine
  whether a retry record exists, because after a successful delivery, a delete
  retry item must be set up. Keep the retry database open only for the duration
  of these checks, rather than for all local deliveries, because some local
  deliveries (e.g. to pipes) can take a substantial time. */

  if (continue_retry_db && continue_retry_db != (open_db *)-1)
    {
    DEBUG(D_hints_lookup) debug_printf("using cached retry hintsdb handle\n");
    dbm_file = continue_retry_db;
    }
  else if (!(dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE)))
    DEBUG(D_deliver|D_retry|D_hints_lookup)
      debug_printf("no retry data available\n");

  addr2 = addr;
  addr3 = NULL;
  while (addr2)
    {
    BOOL ok = TRUE;   /* to deliver this address */

    if (f.queue_2stage)
      {
      DEBUG(D_deliver)
        debug_printf_indent("no router retry check (ph1 qrun)\n");
      }
    else
      {
      /* Set up the retry key to include the domain or not, and change its
      leading character from "R" to "T". Must make a copy before doing this,
      because the old key may be pointed to from a "delete" retry item after
      a routing delay. */
      uschar * retry_key = string_copy(tp->retry_use_local_part
                        ? addr2->address_retry_key : addr2->domain_retry_key);
      *retry_key = 'T';

      /* Inspect the retry data. If there is no hints file, delivery happens. */

      if (dbm_file)
        {
        dbdata_retry * retry_record = dbfn_read(dbm_file, retry_key);

        /* If there is no retry record, delivery happens. If there is,
        remember it exists so it can be deleted after a successful delivery. */

        if (retry_record)
          {
          setflag(addr2, af_lt_retry_exists);

          /* A retry record exists for this address. If queue running and not
          forcing, inspect its contents. If the record is too old, or if its
          retry time has come, or if it has passed its cutoff time, delivery
          will go ahead. */

          DEBUG(D_retry)
            {
            debug_printf("retry record exists: age=%s ",
              readconf_printtime(now - retry_record->time_stamp));
            debug_printf("(max %s)\n", readconf_printtime(retry_data_expire));
            debug_printf("  time to retry = %s expired = %d\n",
              readconf_printtime(retry_record->next_try - now),
              retry_record->expired);
            }

          if (f.queue_running && !f.deliver_force)
            {
            ok = (now - retry_record->time_stamp > retry_data_expire)
              || (now >= retry_record->next_try)
              || retry_record->expired;

            /* If we haven't reached the retry time, there is one more check
            to do, which is for the ultimate address timeout. */

            if (!ok)
              ok = retry_ultimate_address_timeout(retry_key, addr2->domain,
                  retry_record, now);
            }
          }
        else DEBUG(D_retry) debug_printf("no retry record exists\n");
        }
      }

    /* This address is to be delivered. Leave it on the chain. */

    if (ok)
      {
      addr3 = addr2;
      addr2 = addr2->next;
      }

    /* This address is to be deferred. Take it out of the chain, and
    post-process it as complete. Must take it out of the chain first,
    because post processing puts it on another chain. */

    else
      {
      address_item *this = addr2;
      this->message = US"Retry time not yet reached";
      this->basic_errno = ERRNO_LRETRY;
      addr2 = addr3 ? (addr3->next = addr2->next)
                    : (addr = addr2->next);
      post_process_one(this, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
      }
    }

  if (dbm_file)
    if (dbm_file != continue_retry_db)
      { dbfn_close(dbm_file); dbm_file = NULL; }
    else
      DEBUG(D_hints_lookup) debug_printf("retaining retry hintsdb handle\n");

  /* If there are no addresses left on the chain, they all deferred. Loop
  for the next set of addresses. */

  if (!addr) continue;

  /* If the transport is limited for parallellism, enforce that here.
  We use a hints DB entry, incremented here and decremented after
  the transport (and any shadow transport) completes. */

  if (tpt_parallel_check(tp, addr, &serialize_key))
    {
    if (expand_string_message)
      {
      logflags |= LOG_PANIC;
      do
        {
        addr = addr->next;
        post_process_one(addr, DEFER, logflags, EXIM_DTYPE_TRANSPORT, 0);
        } while ((addr = addr2));
      }
    continue;                   /* Loop for the next set of addresses. */
    }


  /* So, finally, we do have some addresses that can be passed to the
  transport. Before doing so, set up variables that are relevant to a
  single delivery. */

  deliver_set_expansions(addr);

  gettimeofday(&delivery_start, NULL);
  deliver_local(addr, FALSE);
  timesince(&deliver_time, &delivery_start);

  /* If a shadow transport (which must perforce be another local transport), is
  defined, and its condition is met, we must pass the message to the shadow
  too, but only those addresses that succeeded. We do this by making a new
  chain of addresses - also to keep the original chain uncontaminated. We must
  use a chain rather than doing it one by one, because the shadow transport may
  batch.

  NOTE: if the condition fails because of a lookup defer, there is nothing we
  can do! */

  if (  tp->shadow
     && (  !tp->shadow_condition
        || expand_check_condition(tp->shadow_condition, tp->name, US"transport")
     )  )
    {
    transport_instance *stp;
    address_item *shadow_addr = NULL;
    address_item **last = &shadow_addr;

    for (stp = transports; stp; stp = stp->next)
      if (Ustrcmp(stp->name, tp->shadow) == 0) break;

    if (!stp)
      log_write(0, LOG_MAIN|LOG_PANIC, "shadow transport \"%s\" not found ",
        tp->shadow);

    /* Pick off the addresses that have succeeded, and make clones. Put into
    the shadow_message field a pointer to the shadow_message field of the real
    address. */

    else for (addr2 = addr; addr2; addr2 = addr2->next)
      if (addr2->transport_return == OK)
        {
        addr3 = store_get(sizeof(address_item), GET_UNTAINTED);
        *addr3 = *addr2;
        addr3->next = NULL;
        addr3->shadow_message = US &addr2->shadow_message;
        addr3->transport = stp;
        addr3->transport_return = DEFER;
        addr3->return_filename = NULL;
        addr3->return_file = -1;
        *last = addr3;
        last = &addr3->next;
        }

    /* If we found any addresses to shadow, run the delivery, and stick any
    message back into the shadow_message field in the original. */

    if (shadow_addr)
      {
      int save_count = transport_count;

      DEBUG(D_deliver|D_transport)
        debug_printf(">>>>>>>>>>>>>>>> Shadow delivery >>>>>>>>>>>>>>>>\n");
      deliver_local(shadow_addr, TRUE);

      for(; shadow_addr; shadow_addr = shadow_addr->next)
        {
        int sresult = shadow_addr->transport_return;
        *(uschar **)shadow_addr->shadow_message =
          sresult == OK
          ? string_sprintf(" ST=%s", stp->name)
          : string_sprintf(" ST=%s (%s%s%s)", stp->name,
              shadow_addr->basic_errno <= 0
              ? US""
              : US strerror(shadow_addr->basic_errno),
              shadow_addr->basic_errno <= 0 || !shadow_addr->message
              ? US""
              : US": ",
              shadow_addr->message
              ? shadow_addr->message
              : shadow_addr->basic_errno <= 0
              ? US"unknown error"
              : US"");

        DEBUG(D_deliver|D_transport)
          debug_printf("%s shadow transport returned %s for %s\n",
            stp->name, rc_to_string(sresult), shadow_addr->address);
        }

      DEBUG(D_deliver|D_transport)
        debug_printf(">>>>>>>>>>>>>>>> End shadow delivery >>>>>>>>>>>>>>>>\n");

      transport_count = save_count;   /* Restore original transport count */
      }
    }

  /* Cancel the expansions that were set up for the delivery. */

  deliver_set_expansions(NULL);

  /* If the transport was parallelism-limited, decrement the hints DB record. */

  if (serialize_key) enq_end(serialize_key);

  /* Now we can process the results of the real transport. We must take each
  address off the chain first, because post_process_one() puts it on another
  chain. */

  for (addr2 = addr; addr2; addr2 = nextaddr)
    {
    int result = addr2->transport_return;
    nextaddr = addr2->next;

    DEBUG(D_deliver|D_transport)
      debug_printf("%s transport returned %s for %s\n",
        tp->name, rc_to_string(result), addr2->address);

    /* If there is a retry_record, or if delivery is deferred, build a retry
    item for setting a new retry time or deleting the old retry record from
    the database. These items are handled all together after all addresses
    have been handled (so the database is open just for a short time for
    updating). */

    if (result == DEFER || testflag(addr2, af_lt_retry_exists))
      {
      int flags = result == DEFER ? 0 : rf_delete;
      uschar * retry_key = string_copy(tp->retry_use_local_part
        ? addr2->address_retry_key : addr2->domain_retry_key);
      *retry_key = 'T';
      retry_add_item(addr2, retry_key, flags);
      }

    /* Done with this address */

    addr2->delivery_time = deliver_time;
    post_process_one(addr2, result, logflags, EXIM_DTYPE_TRANSPORT, logchar);

    /* If a pipe delivery generated text to be sent back, the result may be
    changed to FAIL, and we must copy this for subsequent addresses in the
    batch. */

    if (addr2->transport_return != result)
      {
      for (addr3 = nextaddr; addr3; addr3 = addr3->next)
        {
        addr3->transport_return = addr2->transport_return;
        addr3->basic_errno = addr2->basic_errno;
        addr3->message = addr2->message;
        }
      result = addr2->transport_return;
      }

    /* Whether or not the result was changed to FAIL, we need to copy the
    return_file value from the first address into all the addresses of the
    batch, so they are all listed in the error message. */

    addr2->return_file = addr->return_file;

    /* Change log character for recording successful deliveries. */

    if (result == OK) logchar = '-';
    }
  }        /* Loop back for next batch of addresses */
}




/*************************************************
*           Sort remote deliveries               *
*************************************************/

/* This function is called if remote_sort_domains is set. It arranges that the
chain of addresses for remote deliveries is ordered according to the strings
specified. Try to make this shuffling reasonably efficient by handling
sequences of addresses rather than just single ones.

Arguments:  None
Returns:    Nothing
*/

static void
sort_remote_deliveries(void)
{
int sep = 0;
address_item **aptr = &addr_remote;
const uschar *listptr = remote_sort_domains;
uschar *pattern;
uschar patbuf[256];

/*XXX The list is used before expansion. Not sure how that ties up with the docs */
while (  *aptr
      && (pattern = string_nextinlist(&listptr, &sep, patbuf, sizeof(patbuf)))
      )
  {
  address_item *moved = NULL;
  address_item **bptr = &moved;

  while (*aptr)
    {
    address_item **next;
    deliver_domain = (*aptr)->domain;   /* set $domain */
    if (match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
          &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) == OK)
      {
      aptr = &(*aptr)->next;
      continue;
      }

    next = &(*aptr)->next;
    while (  *next
          && (deliver_domain = (*next)->domain,  /* Set $domain */
            match_isinlist(deliver_domain, (const uschar **)&pattern, UCHAR_MAX+1,
              &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL)) != OK
          )
      next = &(*next)->next;

    /* If the batch of non-matchers is at the end, add on any that were
    extracted further up the chain, and end this iteration. Otherwise,
    extract them from the chain and hang on the moved chain. */

    if (!*next)
      {
      *next = moved;
      break;
      }

    *bptr = *aptr;
    *aptr = *next;
    *next = NULL;
    bptr = next;
    aptr = &(*aptr)->next;
    }

  /* If the loop ended because the final address matched, *aptr will
  be NULL. Add on to the end any extracted non-matching addresses. If
  *aptr is not NULL, the loop ended via "break" when *next is null, that
  is, there was a string of non-matching addresses at the end. In this
  case the extracted addresses have already been added on the end. */

  if (!*aptr) *aptr = moved;
  }

DEBUG(D_deliver)
  {
  debug_printf("remote addresses after sorting:\n");
  for (address_item * addr = addr_remote; addr; addr = addr->next)
    debug_printf("  %s\n", addr->address);
  }
}



/*************************************************
*  Read from pipe for remote delivery subprocess *
*************************************************/

/* This function is called when the subprocess is complete, but can also be
called before it is complete, in order to empty a pipe that is full (to prevent
deadlock). It must therefore keep track of its progress in the parlist data
block.

We read the pipe to get the delivery status codes and a possible error message
for each address, optionally preceded by unusability data for the hosts and
also by optional retry data.

Read in large chunks into the big buffer and then scan through, interpreting
the data therein. In most cases, only a single read will be necessary. No
individual item will ever be anywhere near 2500 bytes in length, so by ensuring
that we read the next chunk when there is less than 2500 bytes left in the
non-final chunk, we can assume each item is complete in the buffer before
handling it. Each item is written using a single write(), which is atomic for
small items (less than PIPE_BUF, which seems to be at least 512 in any Unix and
often bigger) so even if we are reading while the subprocess is still going, we
should never have only a partial item in the buffer.

hs12: This assumption is not true anymore, since we get quite large items (certificate
information and such).

Argument:
  poffset     the offset of the parlist item
  eop         TRUE if the process has completed

Returns:      TRUE if the terminating 'Z' item has been read,
              or there has been a disaster (i.e. no more data needed);
              FALSE otherwise
*/

static BOOL
par_read_pipe(int poffset, BOOL eop)
{
host_item *h;
pardata *p = parlist + poffset;
address_item *addrlist = p->addrlist;
address_item *addr = p->addr;
pid_t pid = p->pid;
int fd = p->fd;

uschar *msg = p->msg;
BOOL done = p->done;

continue_hostname = NULL;
continue_transport = NULL;

/* Loop through all items, reading from the pipe when necessary. The pipe
used to be non-blocking. But I do not see a reason for using non-blocking I/O
here, as the preceding poll() tells us, if data is available for reading.

A read() on a "selected" handle should never block, but(!) it may return
less data then we expected. (The buffer size we pass to read() shouldn't be
understood as a "request", but as a "limit".)

Each separate item is written to the pipe in a timely manner. But, especially for
larger items, the read(2) may already return partial data from the write(2).

The write is atomic mostly (depending on the amount written), but atomic does
not imply "all or noting", it just is "not intermixed" with other writes on the
same channel (pipe).

*/

DEBUG(D_deliver) debug_printf("reading pipe for subprocess %ld (%s)\n",
  (long)p->pid, eop? "ended" : "not ended yet");

while (!done)
  {
  retry_item *r, **rp;
  uschar pipeheader[PIPE_HEADER_SIZE+1];
  uschar *id = &pipeheader[0];
  uschar *subid = &pipeheader[1];
  uschar *ptr = big_buffer;
  size_t required = PIPE_HEADER_SIZE; /* first the pipehaeder, later the data */
  ssize_t got;

  DEBUG(D_deliver)
    debug_printf("expect %lu bytes (pipeheader) from tpt process %ld\n",
    (u_long)required, (long)pid);

  /* We require(!) all the PIPE_HEADER_SIZE bytes here, as we know,
  they're written in a timely manner, so waiting for the write shouldn't hurt a lot.
  If we get less, we can assume the subprocess do be done and do not expect any further
  information from it. */

  if ((got = readn(fd, pipeheader, required)) != required)
    {
    msg = string_sprintf("got " SSIZE_T_FMT " of %d bytes (pipeheader) "
      "from transport process %ld for transport %s",
      got, PIPE_HEADER_SIZE, (long)pid, addr->transport->driver_name);
    done = TRUE;
    break;
    }

  pipeheader[PIPE_HEADER_SIZE] = '\0';
  DEBUG(D_deliver)
    debug_printf("got %ld bytes (pipeheader) '%c' from transport process %ld\n",
      (long) got, *id, (long)pid);

  {
  /* If we can't decode the pipeheader, the subprocess seems to have a
  problem, we do not expect any furher information from it. */
  char *endc;
  required = Ustrtol(pipeheader+2, &endc, 10);
  if (*endc)
    {
    msg = string_sprintf("failed to read pipe "
      "from transport process %ld for transport %s: error decoding size from header",
      (long)pid, addr ? addr->transport->driver_name : US"?");
    done = TRUE;
    break;
    }
  }

  DEBUG(D_deliver)
    debug_printf("expect %lu bytes (pipedata) from transport process %ld\n",
      (u_long)required, (long)pid);

  /* Same as above, the transport process will write the bytes announced
  in a timely manner, so we can just wait for the bytes, getting less than expected
  is considered a problem of the subprocess, we do not expect anything else from it. */
  if ((got = readn(fd, big_buffer, required)) != required)
    {
    msg = string_sprintf("got only " SSIZE_T_FMT " of " SIZE_T_FMT
      " bytes (pipedata) from transport process %ld for transport %s",
      got, required, (long)pid, addr->transport->driver_name);
    done = TRUE;
    break;
    }

  /* Handle each possible type of item, assuming the complete item is
  available in store. */

  switch (*id)
    {
    /* Host items exist only if any hosts were marked unusable. Match
    up by checking the IP address. */

    case 'H':
      for (h = addrlist->host_list; h; h = h->next)
        {
        if (!h->address || Ustrcmp(h->address, ptr+2) != 0) continue;
        h->status = ptr[0];
        h->why = ptr[1];
        }
      ptr += 2;
      while (*ptr++);
      break;

    /* Retry items are sent in a preceding R item for each address. This is
    kept separate to keep each message short enough to guarantee it won't
    be split in the pipe. Hopefully, in the majority of cases, there won't in
    fact be any retry items at all.

    The complete set of retry items might include an item to delete a
    routing retry if there was a previous routing delay. However, routing
    retries are also used when a remote transport identifies an address error.
    In that case, there may also be an "add" item for the same key. Arrange
    that a "delete" item is dropped in favour of an "add" item. */

    case 'R':
      if (!addr) goto ADDR_MISMATCH;

      DEBUG(D_deliver|D_retry)
        debug_printf("reading retry information for %s from subprocess\n",
          ptr+1);

      /* Cut out any "delete" items on the list. */

      for (rp = &addr->retries; (r = *rp); rp = &r->next)
        if (Ustrcmp(r->key, ptr+1) == 0)           /* Found item with same key */
          {
          if (!(r->flags & rf_delete)) break;      /* It was not "delete" */
          *rp = r->next;                           /* Excise a delete item */
          DEBUG(D_deliver|D_retry)
            debug_printf("  existing delete item dropped\n");
          }

      /* We want to add a delete item only if there is no non-delete item;
      however we still have to step ptr through the data. */

      if (!r || !(*ptr & rf_delete))
        {
        r = store_get(sizeof(retry_item), GET_UNTAINTED);
        r->next = addr->retries;
        addr->retries = r;
        r->flags = *ptr++;
        r->key = string_copy(ptr);
        while (*ptr++);
        memcpy(&r->basic_errno, ptr, sizeof(r->basic_errno));
        ptr += sizeof(r->basic_errno);
        memcpy(&r->more_errno, ptr, sizeof(r->more_errno));
        ptr += sizeof(r->more_errno);
        r->message = *ptr ? string_copy(ptr) : NULL;
        DEBUG(D_deliver|D_retry) debug_printf("  added %s item\n",
            r->flags & rf_delete ? "delete" : "retry");
        }

      else
        {
        DEBUG(D_deliver|D_retry)
          debug_printf("  delete item not added: non-delete item exists\n");
        ptr++;
        while(*ptr++);
        ptr += sizeof(r->basic_errno) + sizeof(r->more_errno);
        }

      while(*ptr++);
      break;

    /* Put the amount of data written into the parlist block */

    case 'S':           /* Size */
      memcpy(&(p->transport_count), ptr, sizeof(transport_count));
      ptr += sizeof(transport_count);
      break;

    /* Address items are in the order of items on the address chain. We
    remember the current address value in case this function is called
    several times to empty the pipe in stages. Information about delivery
    over TLS is sent in a preceding X item for each address. We don't put
    it in with the other info, in order to keep each message short enough to
    guarantee it won't be split in the pipe. */

#ifndef DISABLE_TLS
    case 'X':           /* TLS details */
      if (!addr) goto ADDR_MISMATCH;          /* Below, in 'A' handler */
      switch (*subid)
        {
        case '1':
          addr->tlsver = addr->cipher = addr->peerdn = NULL;

          if (*ptr)
            {
            addr->cipher = string_copy(ptr);
            addr->tlsver = string_copyn(ptr, Ustrchr(ptr, ':') - ptr);
            }
          while (*ptr++);
          if (*ptr)
            addr->peerdn = string_copy(ptr);
          break;

        case '2':
          if (*ptr)
            (void) tls_import_cert(ptr, &addr->peercert);
          else
            addr->peercert = NULL;
          break;

        case '3':
          if (*ptr)
            (void) tls_import_cert(ptr, &addr->ourcert);
          else
            addr->ourcert = NULL;
          break;

# ifndef DISABLE_OCSP
        case '4':
          addr->ocsp = *ptr ? *ptr - '0' : OCSP_NOT_REQ;
          break;
# endif
        }
      while (*ptr++);
      break;
#endif  /*DISABLE_TLS*/

    case 'C':   /* client authenticator information */
      switch (*subid)
        {
        case '1': addr->authenticator = *ptr ? string_copy(ptr) : NULL; break;
        case '2': addr->auth_id = *ptr ? string_copy(ptr) : NULL;       break;
        case '3': addr->auth_sndr = *ptr ? string_copy(ptr) : NULL;     break;
        }
      while (*ptr++);
      break;

#ifndef DISABLE_PRDR
    case 'P':
      setflag(addr, af_prdr_used);
      break;
#endif

    case 'L':
      switch (*subid)
        {
#ifndef DISABLE_PIPE_CONNECT
        case 2: setflag(addr, af_early_pipe);   /*FALLTHROUGH*/
#endif
        case 1: setflag(addr, af_pipelining); break;
        }
      break;

    case 'K':
      setflag(addr, af_chunking_used);
      break;

    case 'T':
      setflag(addr, af_tcp_fastopen_conn);
      if (*subid > '0') setflag(addr, af_tcp_fastopen);
      if (*subid > '1') setflag(addr, af_tcp_fastopen_data);
      break;

    case 'D':           /* DSN */
      if (!addr) goto ADDR_MISMATCH;
      memcpy(&(addr->dsn_aware), ptr, sizeof(addr->dsn_aware));
      ptr += sizeof(addr->dsn_aware);
      DEBUG(D_deliver) debug_printf("DSN read: addr->dsn_aware = %d\n", addr->dsn_aware);
      break;

    case 'A':           /* Per-address info */
      if (!addr)
        {
        ADDR_MISMATCH:
        msg = string_sprintf("address count mismatch for data read from pipe "
          "for transport process %ld for transport %s",
            (long)pid, addrlist->transport->driver_name);
        done = TRUE;
        break;
        }

      switch (*subid)
        {
#ifndef DISABLE_DKIM
        case '4':       /* DKIM information */
          addr->dkim_used = string_copy(ptr);
          while(*ptr++);
          break;
#endif

        case '3':       /* explicit notification of continued-connection (non)use;
                        overrides caller's knowlege. */
          if (*ptr & BIT(1))      setflag(addr, af_new_conn);
          else if (*ptr & BIT(2)) setflag(addr, af_cont_conn);
          break;

#ifdef SUPPORT_SOCKS
        case '2':       /* proxy information; must arrive before A0 and applies to that addr XXX oops*/
          proxy_session = TRUE; /*XXX should this be cleared somewhere? */
          if (*ptr == 0)
            ptr++;
          else
            {
            proxy_local_address = string_copy(ptr);
            while(*ptr++);
            memcpy(&proxy_local_port, ptr, sizeof(proxy_local_port));
            ptr += sizeof(proxy_local_port);
            }
          break;
#endif

#ifdef EXPERIMENTAL_DSN_INFO
        case '1':       /* must arrive before A0, and applies to that addr */
                        /* Two strings: smtp_greeting and helo_response */
          addr->smtp_greeting = string_copy(ptr);
          while(*ptr++);
          addr->helo_response = string_copy(ptr);
          while(*ptr++);
          break;
#endif

        case '0':       /* results of trying to send to this address */
          DEBUG(D_deliver) debug_printf("A0 %s tret %d\n", addr->address, *ptr);
          addr->transport_return = *ptr++;
          addr->special_action = *ptr++;
          memcpy(&addr->basic_errno, ptr, sizeof(addr->basic_errno));
          ptr += sizeof(addr->basic_errno);
          memcpy(&addr->more_errno, ptr, sizeof(addr->more_errno));
          ptr += sizeof(addr->more_errno);
          memcpy(&addr->delivery_time, ptr, sizeof(addr->delivery_time));
          ptr += sizeof(addr->delivery_time);
          memcpy(&addr->flags, ptr, sizeof(addr->flags));
          ptr += sizeof(addr->flags);
          addr->message = *ptr ? string_copy(ptr) : NULL;
          while(*ptr++);
          addr->user_message = *ptr ? string_copy(ptr) : NULL;
          while(*ptr++);

          /* Always two strings for host information, followed by the port number and DNSSEC mark */

          if (*ptr)
            {
            h = store_get(sizeof(host_item), GET_UNTAINTED);
            h->name = string_copy(ptr);
            while (*ptr++);
            h->address = string_copy(ptr);
            while(*ptr++);
            memcpy(&h->port, ptr, sizeof(h->port));
            ptr += sizeof(h->port);
            h->dnssec = *ptr == '2' ? DS_YES
                      : *ptr == '1' ? DS_NO
                      : DS_UNK;
            addr->host_used = h;
            }
          ptr++;

          continue_flags = 0;
#ifndef DISABLE_TLS
          if (testflag(addr, af_cert_verified)) continue_flags |= CTF_CV;
# ifdef SUPPORT_DANE
          if (testflag(addr, af_dane_verified)) continue_flags |= CTF_DV;
# endif
# ifndef DISABLE_TLS_RESUME
          if (testflag(addr, af_tls_resume))    continue_flags |= CTF_TR;
# endif
#endif
          /* Finished with this address */

          addr = addr->next;
          break;
        }
      break;

    /* Local interface address/port */
    case 'I':
      if (*ptr) sending_ip_address = string_copy(ptr);
      while (*ptr++) ;
      if (*ptr) sending_port = atoi(CS ptr);
      while (*ptr++) ;
      break;

    /* Z0 marks the logical end of the data. It is followed by '0' if
    continue_transport was NULL at the end of transporting, otherwise '1'.
    Those are now for historical reasons only; we always clear the continued
    channel info, and then set it explicitly if the transport indicates it
    is still open, because it could differ for each transport we are running in
    parallel.

    Z1 is a suggested message_id to handle next, used during a
    continued-transport sequence. */

    case 'Z':
      switch (*subid)
        {
        case '0':                       /* End marker */
          done = TRUE;
          DEBUG(D_deliver) debug_printf("Z0%c item read\n", *ptr);
          break;
        case '1':                       /* Suggested continuation message */
          Ustrncpy(continue_next_id, ptr, MESSAGE_ID_LENGTH);
          continue_sequence = atoi(CS ptr + MESSAGE_ID_LENGTH + 1);
          DEBUG(D_deliver) debug_printf("continue_next_id: %s seq %d\n",
                                        continue_next_id, continue_sequence);
          break;
        case '2':                       /* Continued transport, host & addr */
          {
          int recvd_fd;

          DEBUG(D_any) if (Ustrcmp(process_purpose, "continued-delivery") != 0)
            debug_printf("%s becomes continued-delivery\n", process_purpose);
          process_purpose = US"continued-delivery";
          continue_transport = string_copy(ptr);        while (*ptr++) ;
          continue_hostname = string_copy(ptr);         while (*ptr++) ;
          continue_host_address = string_copy(ptr);     while (*ptr++) ;
          continue_sequence = atoi(CS ptr);

          dup2((recvd_fd = recv_fd_from_sock(fd)), 0);
          close(recvd_fd);

          DEBUG(D_deliver)
            debug_printf("continue: fd %d tpt %s host '%s' addr '%s' seq %d\n",
                          recvd_fd, continue_transport, continue_hostname,
                          continue_host_address, continue_sequence);
          break;
          }
        case '3':                               /* Continued conn info */
          smtp_peer_options = ptr[0];
          f.smtp_authenticated = ptr[1] & 1;
          break;
#ifndef DISABLE_TLS
        case '4':                               /* Continued TLS info */
          continue_proxy_cipher = string_copy(ptr);
          break;
        case '5':                               /* Continued DANE info */
        case '6':                               /* Continued TLS info */
# ifdef SUPPORT_DANE
          continue_proxy_dane = *subid == '5';
# endif
          continue_proxy_sni = *ptr ? string_copy(ptr) : NULL;
          break;
#endif
#ifndef DISABLE_ESMTP_LIMITS
        case '7':                               /* Continued peer limits */
          sscanf(CS ptr, "%u %u %u",
                  &continue_limit_mail, &continue_limit_rcpt,
                  &continue_limit_rcptdom);
          break;
#endif
#ifdef SUPPORT_SOCKS
        case '8':                               /* Continued proxy info */
          proxy_local_address = string_copy(ptr);       while (*ptr++) ;
          proxy_local_port = atoi(CS ptr);              while (*ptr++) ;
          proxy_external_address = string_copy(ptr);    while (*ptr++) ;
          proxy_external_port = atoi(CS ptr);
          break;
#endif
        }
      break;

    /* Anything else is a disaster. */

    default:
      msg = string_sprintf("malformed data (%d) read from pipe for transport "
        "process %ld for transport %s", ptr[-1], (long)pid,
          addr ? addr->transport->driver_name : US"?");
      done = TRUE;
      break;
    }
  }

/* The done flag is inspected externally, to determine whether or not to
call the function again when the process finishes. */

p->done = done;

/* If the process hadn't finished, and we haven't seen the end of the data
or if we suffered a disaster, update the rest of the state, and return FALSE to
indicate "not finished". */

if (!eop && !done)
  {
  p->addr = addr;
  p->msg = msg;
  return FALSE;
  }

/* Close our end of the pipe, to prevent deadlock if the far end is still
pushing stuff into it. */

(void)close(fd);
p->fd = -1;

/* If we have finished without error, but haven't had data for every address,
something is wrong. */

if (!msg && addr)
  msg = string_sprintf("insufficient address data read from pipe "
    "for transport process %ld for transport %s", (long)pid,
      addr->transport->driver_name);

/* If an error message is set, something has gone wrong in getting back
the delivery data. Put the message into each address and freeze it. */

if (msg)
  for (addr = addrlist; addr; addr = addr->next)
    {
    addr->transport_return = DEFER;
    addr->special_action = SPECIAL_FREEZE;
    addr->message = msg;
    log_write(0, LOG_MAIN|LOG_PANIC, "Delivery status for %s: %s\n",
              addr->address, addr->message);
    }

/* Return TRUE to indicate we have got all we need from this process, even
if it hasn't actually finished yet. */

return TRUE;
}



/*************************************************
*   Post-process a set of remote addresses       *
*************************************************/

/* Do what has to be done immediately after a remote delivery for each set of
addresses, then re-write the spool if necessary. Note that post_process_one
puts the address on an appropriate queue; hence we must fish off the next
one first. This function is also called if there is a problem with setting
up a subprocess to do a remote delivery in parallel. In this case, the final
argument contains a message, and the action must be forced to DEFER.

Argument:
   addr      pointer to chain of address items
   logflags  flags for logging
   msg       NULL for normal cases; -> error message for unexpected problems
   fallback  TRUE if processing fallback hosts

Returns:     nothing
*/

static void
remote_post_process(address_item * addr, int logflags, uschar * msg,
  BOOL fallback)
{
/* If any host addresses were found to be unusable, add them to the unusable
tree so that subsequent deliveries don't try them. */

for (host_item * h = addr->host_list; h; h = h->next)
  if (h->address)
    if (h->status >= hstatus_unusable) tree_add_unusable(h);

/* Now handle each address on the chain. The transport has placed '=' or '-'
into the special_action field for each successful delivery. */

while (addr)
  {
  address_item * next = addr->next;

  /* If msg == NULL (normal processing) and the result is DEFER and we are
  processing the main hosts and there are fallback hosts available, put the
  address on the list for fallback delivery. */

  if (  addr->transport_return == DEFER
     && addr->fallback_hosts
     && !fallback
     && !msg
     )
    {
    addr->host_list = addr->fallback_hosts;
    addr->next = addr_fallback;
    addr_fallback = addr;
    DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", addr->address);
    }

  /* If msg is set (=> unexpected problem), set it in the address before
  doing the ordinary post processing. */

  else
    {
    if (msg)
      {
      addr->message = msg;
      addr->transport_return = DEFER;
      }
    (void)post_process_one(addr, addr->transport_return, logflags,
      EXIM_DTYPE_TRANSPORT, addr->special_action);
    }

  /* Next address */

  addr = next;
  }

/* If we have just delivered down a passed SMTP channel, and that was
the last address, the channel will have been closed down. Now that
we have logged that delivery, set continue_sequence to 1 so that
any subsequent deliveries don't get "*" incorrectly logged. */

if (!continue_transport) continue_sequence = 1;
}



/*************************************************
*     Wait for one remote delivery subprocess    *
*************************************************/

/* This function is called while doing remote deliveries when either the
maximum number of processes exist and we need one to complete so that another
can be created, or when waiting for the last ones to complete. It must wait for
the completion of one subprocess, empty the control block slot, and return a
pointer to the address chain.

Arguments:    none
Returns:      pointer to the chain of addresses handled by the process;
              NULL if no subprocess found - this is an unexpected error
*/

static address_item *
par_wait(void)
{
int poffset, status;
address_item * addr, * addrlist;
pid_t pid;

set_process_info("delivering %s: waiting for a remote delivery subprocess "
  "to finish", message_id);

/* Loop until either a subprocess completes, or there are no subprocesses in
existence - in which case give an error return. We cannot proceed just by
waiting for a completion, because a subprocess may have filled up its pipe, and
be waiting for it to be emptied. Therefore, if no processes have finished, we
wait for one of the pipes to acquire some data by calling poll(), with a
timeout just in case.

The simple approach is just to iterate after reading data from a ready pipe.
This leads to non-ideal behaviour when the subprocess has written its final Z
item, closed the pipe, and is in the process of exiting (the common case). A
call to waitpid() yields nothing completed, but poll() shows the pipe ready -
reading it yields EOF, so you end up with busy-waiting until the subprocess has
actually finished.

To avoid this, if all the data that is needed has been read from a subprocess
after poll(), an explicit wait() for it is done. We know that all it is doing
is writing to the pipe and then exiting, so the wait should not be long.

The non-blocking waitpid() is to some extent just insurance; if we could
reliably detect end-of-file on the pipe, we could always know when to do a
blocking wait() for a completed process. However, because some systems use
NDELAY, which doesn't distinguish between EOF and pipe empty, it is easier to
use code that functions without the need to recognize EOF.

There's a double loop here just in case we end up with a process that is not in
the list of remote delivery processes. Something has obviously gone wrong if
this is the case. (For example, a process that is incorrectly left over from
routing or local deliveries might be found.) The damage can be minimized by
looping back and looking for another process. If there aren't any, the error
return will happen. */

for (;;)   /* Normally we do not repeat this loop */
  {
  while ((pid = waitpid(-1, &status, WNOHANG)) <= 0)
    {
    int readycount;

    /* A return value of -1 can mean several things. If errno != ECHILD, it
    either means invalid options (which we discount), or that this process was
    interrupted by a signal. Just loop to try the waitpid() again.

    If errno == ECHILD, waitpid() is telling us that there are no subprocesses
    in existence. This should never happen, and is an unexpected error.
    However, there is a nasty complication when running under Linux. If "strace
    -f" is being used under Linux to trace this process and its children,
    subprocesses are "stolen" from their parents and become the children of the
    tracing process. A general wait such as the one we've just obeyed returns
    as if there are no children while subprocesses are running. Once a
    subprocess completes, it is restored to the parent, and waitpid(-1) finds
    it. Thanks to Joachim Wieland for finding all this out and suggesting a
    palliative.

    This does not happen using "truss" on Solaris, nor (I think) with other
    tracing facilities on other OS. It seems to be specific to Linux.

    What we do to get round this is to use kill() to see if any of our
    subprocesses are still in existence. If kill() gives an OK return, we know
    it must be for one of our processes - it can't be for a re-use of the pid,
    because if our process had finished, waitpid() would have found it. If any
    of our subprocesses are in existence, we proceed to use poll() as if
    waitpid() had returned zero. I think this is safe. */

    if (pid < 0)
      {
      if (errno != ECHILD) continue;   /* Repeats the waitpid() */

      DEBUG(D_deliver)
        debug_printf("waitpid() returned -1/ECHILD: checking explicitly "
          "for process existence\n");

      for (poffset = 0; poffset < remote_max_parallel; poffset++)
        {
        if ((pid = parlist[poffset].pid) != 0 && kill(pid, 0) == 0)
          {
          DEBUG(D_deliver) debug_printf("process %ld still exists: assume "
            "stolen by strace\n", (long)pid);
          break;   /* With poffset set */
          }
        }

      if (poffset >= remote_max_parallel)
        {
        DEBUG(D_deliver) debug_printf("*** no delivery children found\n");
        return NULL;    /* This is the error return */
        }
      }

    /* A pid value greater than 0 breaks the "while" loop. A negative value has
    been handled above. A return value of zero means that there is at least one
    subprocess, but there are no completed subprocesses. See if any pipes are
    ready with any data for reading. */

    DEBUG(D_deliver) debug_printf("polling subprocess pipes\n");

    for (poffset = 0; poffset < remote_max_parallel; poffset++)
      if (parlist[poffset].pid != 0)
        {
        parpoll[poffset].fd = parlist[poffset].fd;
        parpoll[poffset].events = POLLIN;
        }
      else
        parpoll[poffset].fd = -1;

    /* Stick in a 60-second timeout, just in case. */

    readycount = poll(parpoll, remote_max_parallel, 60 * 1000);

    /* Scan through the pipes and read any that are ready; use the count
    returned by poll() to stop when there are no more. Select() can return
    with no processes (e.g. if interrupted). This shouldn't matter.

    If par_read_pipe() returns TRUE, it means that either the terminating Z was
    read, or there was a disaster. In either case, we are finished with this
    process. Do an explicit wait() for the process and break the main loop if
    it succeeds.

    It turns out that we have to deal with the case of an interrupted system
    call, which can happen on some operating systems if the signal handling is
    set up to do that by default. */

    for (poffset = 0;
         readycount > 0 && poffset < remote_max_parallel;
         poffset++)
      {
      if (  (pid = parlist[poffset].pid) != 0
         && parpoll[poffset].revents
         )
        {
        readycount--;
        if (par_read_pipe(poffset, FALSE))    /* Finished with this pipe */
          for (;;)                            /* Loop for signals */
            {
            pid_t endedpid = waitpid(pid, &status, 0);
            if (endedpid == pid) goto PROCESS_DONE;
            if (endedpid != (pid_t)(-1) || errno != EINTR)
              log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Unexpected error return "
                "%d (errno = %d) from waitpid() for process %ld",
                (int)endedpid, errno, (long)pid);
            }
        }
      }

    /* Now go back and look for a completed subprocess again. */
    }

  /* A completed process was detected by the non-blocking waitpid(). Find the
  data block that corresponds to this subprocess. */

  for (poffset = 0; poffset < remote_max_parallel; poffset++)
    if (pid == parlist[poffset].pid) break;

  /* Found the data block; this is a known remote delivery process. We don't
  need to repeat the outer loop. This should be what normally happens. */

  if (poffset < remote_max_parallel) break;

  /* This situation is an error, but it's probably better to carry on looking
  for another process than to give up (as we used to do). */

  log_write(0, LOG_MAIN|LOG_PANIC, "Process %ld finished: not found in remote "
    "transport process list", (long)pid);
  }  /* End of the "for" loop */

/* Come here when all the data was completely read after a poll(), and
the process in pid has been wait()ed for. */

PROCESS_DONE:

DEBUG(D_deliver)
  {
  if (status == 0)
    debug_printf("remote delivery process %ld ended\n", (long)pid);
  else
    debug_printf("remote delivery process %ld ended: status=%04x\n", (long)pid,
      status);
  }

set_process_info("delivering %s", message_id);

/* Get the chain of processed addresses */

addrlist = parlist[poffset].addrlist;

/* If the process did not finish cleanly, record an error and freeze (except
for SIGTERM, SIGKILL and SIGQUIT), and also ensure the journal is not removed,
in case the delivery did actually happen. */

if ((status & 0xffff) != 0)
  {
  uschar *msg;
  int msb = (status >> 8) & 255;
  int lsb = status & 255;
  int code = (msb == 0)? (lsb & 0x7f) : msb;

  msg = string_sprintf("%s transport process returned non-zero status 0x%04x: "
    "%s %d",
    addrlist->transport->driver_name,
    status,
    msb == 0 ? "terminated by signal" : "exit code",
    code);

  if (msb != 0 || (code != SIGTERM && code != SIGKILL && code != SIGQUIT))
    addrlist->special_action = SPECIAL_FREEZE;

  for (addr = addrlist; addr; addr = addr->next)
    {
    addr->transport_return = DEFER;
    addr->message = msg;
    }

  remove_journal = FALSE;
  }

/* Else complete reading the pipe to get the result of the delivery, if all
the data has not yet been obtained. */

else if (!parlist[poffset].done)
  (void) par_read_pipe(poffset, TRUE);

/* Put the data count and return path into globals, mark the data slot unused,
decrement the count of subprocesses, and return the address chain. */

transport_count = parlist[poffset].transport_count;
used_return_path = parlist[poffset].return_path;
parlist[poffset].pid = 0;
parcount--;
return addrlist;
}



/*************************************************
*      Wait for subprocesses and post-process    *
*************************************************/

/* This function waits for subprocesses until the number that are still running
is below a given threshold. For each complete subprocess, the addresses are
post-processed. If we can't find a running process, there is some shambles.
Better not bomb out, as that might lead to multiple copies of the message. Just
log and proceed as if all done.

Arguments:
  max         maximum number of subprocesses to leave running
  fallback    TRUE if processing fallback hosts

Returns:      nothing
*/

static void
par_reduce(int max, BOOL fallback)
{
while (parcount > max)
  {
  address_item * doneaddr = par_wait();
  if (!doneaddr)
    {
    log_write(0, LOG_MAIN|LOG_PANIC,
      "remote delivery process count got out of step");
    parcount = 0;
    }
  else
    {
    transport_instance * tp = doneaddr->transport;
    if (tp->max_parallel)
      enq_end(string_sprintf("tpt-serialize-%s", tp->name));

    remote_post_process(doneaddr, LOG_MAIN, NULL, fallback);
    }
  }
}

static void
rmt_dlv_checked_write(int fd, char id, char subid, void * buf, ssize_t size)
{
uschar pipe_header[PIPE_HEADER_SIZE+1];
size_t total_len = PIPE_HEADER_SIZE + size;

struct iovec iov[2] = {
  { pipe_header, PIPE_HEADER_SIZE },  /* indication about the data to expect */
  { buf, size }                       /* *the* data */
};

ssize_t ret;

/* we assume that size can't get larger then BIG_BUFFER_SIZE which currently is set to 16k */
/* complain to log if someone tries with buffer sizes we can't handle*/

if (size > BIG_BUFFER_SIZE-1)
  {
  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
    "Failed writing transport result to pipe: can't handle buffers > %d bytes. truncating!\n",
      BIG_BUFFER_SIZE-1);
  size = BIG_BUFFER_SIZE;
  }

/* Should we check that we do not write more than PIPE_BUF? What would
that help? */

/* convert size to human readable string prepended by id and subid */
if (PIPE_HEADER_SIZE != snprintf(CS pipe_header, PIPE_HEADER_SIZE+1, "%c%c%05ld",
    id, subid, (long)size))
  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "header snprintf failed\n");

DEBUG(D_deliver) debug_printf("header write id:%c,subid:%c,size:%ld,final:%s\n",
                                 id, subid, (long)size, pipe_header);

if ((ret = writev(fd, iov, 2)) != total_len)
  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
    "Failed writing transport result to pipe (%ld of %ld bytes): %s",
    (long)ret, (long)total_len, ret == -1 ? strerror(errno) : "short write");
}

/*************************************************
*           Do remote deliveries                 *
*************************************************/

/* This function is called to process the addresses in addr_remote. We must
pick off the queue all addresses that have the same transport, remote
destination, and errors address, and hand them to the transport in one go,
subject to some configured limitations. If this is a run to continue delivering
to an existing delivery channel, skip all but those addresses that can go to
that channel. The skipped addresses just get deferred.

If mua_wrapper is set, all addresses must be able to be sent in a single
transaction. If not, this function yields FALSE.

In Exim 4, remote deliveries are always done in separate processes, even
if remote_max_parallel = 1 or if there's only one delivery to do. The reason
is so that the base process can retain privilege. This makes the
implementation of fallback transports feasible (though not initially done.)

We create up to the configured number of subprocesses, each of which passes
back the delivery state via a pipe. (However, when sending down an existing
connection, remote_max_parallel is forced to 1.)

Arguments:
  fallback  TRUE if processing fallback hosts

Returns:    TRUE normally
            FALSE if mua_wrapper is set and the addresses cannot all be sent
              in one transaction
*/

static BOOL
do_remote_deliveries(BOOL fallback)
{
int parmax;
int poffset;

parcount = 0;    /* Number of executing subprocesses */

/* When sending down an existing channel, only do one delivery at a time.
We use a local variable (parmax) to hold the maximum number of processes;
this gets reduced from remote_max_parallel if we can't create enough pipes. */

if (continue_transport) remote_max_parallel = 1;
parmax = remote_max_parallel;

/* If the data for keeping a list of processes hasn't yet been
set up, do so. */

if (!parlist)
  {
  parlist = store_get(remote_max_parallel * sizeof(pardata), GET_UNTAINTED);
  for (poffset = 0; poffset < remote_max_parallel; poffset++)
    parlist[poffset].pid = 0;
  parpoll = store_get(remote_max_parallel * sizeof(struct pollfd), GET_UNTAINTED);
  }

/* Now loop for each remote delivery */

for (int delivery_count = 0; addr_remote; delivery_count++)
  {
  pid_t pid;
  uid_t uid;
  gid_t gid;
  int pfd[2];
  int address_count = 1;
  int address_count_max;
  BOOL multi_domain;
  BOOL use_initgroups;
  BOOL pipe_done = FALSE;
  transport_instance *tp;
  address_item **anchor = &addr_remote;
  address_item *addr = addr_remote;
  address_item *last = addr;
  address_item *next;
  uschar * panicmsg;
  uschar * serialize_key = NULL;

  /* Pull the first address right off the list. */

  addr_remote = addr->next;
  addr->next = NULL;

  DEBUG(D_deliver|D_transport)
    debug_printf("--------> %s <--------\n", addr->address);

  /* If no transport has been set, there has been a big screw-up somewhere. */

  if (!(tp = addr->transport))
    {
    f.disable_logging = FALSE;  /* Jic */
    panicmsg = US"No transport set by router";
    goto panic_continue;
    }

  /* Check that this base address hasn't previously been delivered to this
  transport. The check is necessary at this point to handle homonymic addresses
  correctly in cases where the pattern of redirection changes between delivery
  attempts. Non-homonymic previous delivery is detected earlier, at routing
  time. */

  if (previously_transported(addr, FALSE)) continue;

  /* Force failure if the message is too big. */

  if (tp->message_size_limit)
    {
    int rc = check_message_size(tp, addr);
    if (rc != OK)
      {
      addr->transport_return = rc;
      remote_post_process(addr, LOG_MAIN, NULL, fallback);
      continue;
      }
    }

/*XXX need to defeat this when DANE is used - but we don't know that yet.
So look out for the place it gets used.
*/

  /* Get the flag which specifies whether the transport can handle different
  domains that nevertheless resolve to the same set of hosts. If it needs
  expanding, get variables set: $address_data, $domain_data, $localpart_data,
  $host, $host_address, $host_port. */
  if (tp->expand_multi_domain)
    deliver_set_expansions(addr);

  if (exp_bool(addr, US"transport", tp->name, D_transport,
                US"multi_domain", tp->multi_domain, tp->expand_multi_domain,
                &multi_domain) != OK)
    {
    deliver_set_expansions(NULL);
    panicmsg = addr->message;
    goto panic_continue;
    }

  /* Get the maximum it can handle in one envelope, with zero meaning
  unlimited, which is forced for the MUA wrapper case and if the
  value could vary depending on the messages.
  For those, we only split (below) by (tpt,dest,erraddr,hdrs) and rely on the
  transport splitting further by max_rcp.  So we potentially lose some
  parallellism. */

  GET_OPTION("max_rcpt");
  address_count_max = mua_wrapper || Ustrchr(tp->max_addresses, '$')
    ? UNLIMITED_ADDRS : expand_max_rcpt(tp->max_addresses);


  /************************************************************************/
  /*****    This is slightly experimental code, but should be safe.   *****/

  /* The address_count_max value is the maximum number of addresses that the
  transport can send in one envelope. However, the transport must be capable of
  dealing with any number of addresses. If the number it gets exceeds its
  envelope limitation, it must send multiple copies of the message. This can be
  done over a single connection for SMTP, so uses less resources than making
  multiple connections. On the other hand, if remote_max_parallel is greater
  than one, it is perhaps a good idea to use parallel processing to move the
  message faster, even if that results in multiple simultaneous connections to
  the same host.

  How can we come to some compromise between these two ideals? What we do is to
  limit the number of addresses passed to a single instance of a transport to
  the greater of (a) its address limit (rcpt_max for SMTP) and (b) the total
  number of addresses routed to remote transports divided by
  remote_max_parallel. For example, if the message has 100 remote recipients,
  remote max parallel is 2, and rcpt_max is 10, we'd never send more than 50 at
  once. But if rcpt_max is 100, we could send up to 100.

  Of course, not all the remotely addresses in a message are going to go to the
  same set of hosts (except in smarthost configurations), so this is just a
  heuristic way of dividing up the work.

  Furthermore (1), because this may not be wanted in some cases, and also to
  cope with really pathological cases, there is also a limit to the number of
  messages that are sent over one connection. This is the same limit that is
  used when sending several different messages over the same connection.
  Continue_sequence is set when in this situation, to the number sent so
  far, including this message.

  Furthermore (2), when somebody explicitly sets the maximum value to 1, it
  is probably because they are using VERP, in which case they want to pass only
  one address at a time to the transport, in order to be able to use
  $local_part and $domain in constructing a new return path. We could test for
  the use of these variables, but as it is so likely they will be used when the
  maximum is 1, we don't bother. Just leave the value alone. */

  if (  address_count_max != 1
     && address_count_max < remote_delivery_count/remote_max_parallel
     )
    {
    int new_max = remote_delivery_count/remote_max_parallel, message_max;
    GET_OPTION("connection_max_messages");
    message_max = tp->connection_max_messages;
    if (connection_max_messages >= 0) message_max = connection_max_messages;
    message_max -= continue_sequence - 1;
    if (message_max > 0 && new_max > address_count_max * message_max)
      new_max = address_count_max * message_max;
    address_count_max = new_max;
    }

  /************************************************************************/


/*XXX don't know yet if DANE will be used.  So tpt will have to
check at the point if gets next addr from list, and skip/defer any
nonmatch domains
*/

  /* Pick off all addresses which have the same transport, errors address,
  destination, and extra headers. In some cases they point to the same host
  list, but we also need to check for identical host lists generated from
  entirely different domains. The host list pointers can be NULL in the case
  where the hosts are defined in the transport. There is also a configured
  maximum limit of addresses that can be handled at once (see comments above
  for how it is computed).
  If the transport does not handle multiple domains, enforce that also,
  and if it might need a per-address check for this, re-evaluate it.
  */

  while ((next = *anchor) && address_count < address_count_max)
    {
    BOOL md;
    if (  (multi_domain || Ustrcmp(next->domain, addr->domain) == 0)
       && tp == next->transport
       && same_hosts(next->host_list, addr->host_list)
       && same_strings(next->prop.errors_address, addr->prop.errors_address)
       && same_headers(next->prop.extra_headers, addr->prop.extra_headers)
       && same_ugid(tp, next, addr)
       && (  next->prop.remove_headers == addr->prop.remove_headers
          || (  next->prop.remove_headers
             && addr->prop.remove_headers
             && Ustrcmp(next->prop.remove_headers, addr->prop.remove_headers) == 0
          )  )
       && (  !multi_domain
          || (  (
                (void)(!tp->expand_multi_domain || ((void)deliver_set_expansions(next), 1)),
                exp_bool(addr,
                    US"transport", next->transport->name, D_transport,
                    US"multi_domain", next->transport->multi_domain,
                    next->transport->expand_multi_domain, &md) == OK
                )
             && md
       )  )  )
      {
      *anchor = next->next;
      next->next = NULL;
      next->first = addr;  /* remember top one (for retry processing) */
      last->next = next;
      last = next;
      address_count++;
      }
    else anchor = &(next->next);
    deliver_set_expansions(NULL);
    }

  /* If we are acting as an MUA wrapper, all addresses must go in a single
  transaction. If not, put them back on the chain and yield FALSE. */

  if (mua_wrapper && addr_remote)
    {
    last->next = addr_remote;
    addr_remote = addr;
    return FALSE;
    }

  /* If the transport is limited for parallellism, enforce that here.
  The hints DB entry is decremented in par_reduce(), when we reap the
  transport process. */

  if (tpt_parallel_check(tp, addr, &serialize_key))
    if ((panicmsg = expand_string_message))
      goto panic_continue;
    else
      continue;                 /* Loop for the next set of addresses. */

  /* Set up the expansion variables for this set of addresses */

  deliver_set_expansions(addr);

  /* Ensure any transport-set auth info is fresh */
  addr->authenticator = addr->auth_id = addr->auth_sndr = NULL;

  /* Compute the return path, expanding a new one if required. The old one
  must be set first, as it might be referred to in the expansion. */

  return_path = addr->prop.errors_address
                ? addr->prop.errors_address : sender_address;

  GET_OPTION("return_path");
  if (tp->return_path)
    {
    uschar * new_return_path = expand_string(tp->return_path);
    if (new_return_path)
      return_path = new_return_path;
    else if (!f.expand_string_forcedfail)
      {
      panicmsg = string_sprintf("Failed to expand return path \"%s\": %s",
        tp->return_path, expand_string_message);
      goto enq_continue;
      }
    }

  /* Find the uid, gid, and use_initgroups setting for this transport. Failure
  logs and sets up error messages, so we just post-process and continue with
  the next address. */

  if (!findugid(addr, tp, &uid, &gid, &use_initgroups))
    {
    panicmsg = NULL;
    goto enq_continue;
    }

  /* If this transport has a setup function, call it now so that it gets
  run in this process and not in any subprocess. That way, the results of
  any setup that are retained by the transport can be reusable. One of the
  things the setup does is to set the fallback host lists in the addresses.
  That is why it is called at this point, before the continue delivery
  processing, because that might use the fallback hosts. */

  if (tp->setup)
    (void)((tp->setup)(addr->transport, addr, NULL, uid, gid, NULL));

  /* If we have a connection still open from a verify stage (lazy-close)
  treat it as if it is a continued connection (apart from the counter used
  for the log line mark). */

  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
    {
    DEBUG(D_deliver)
      debug_printf("lazy-callout-close: have conn still open from verification\n");
    continue_transport = cutthrough.transport;
    continue_hostname = string_copy(cutthrough.host.name);
    continue_host_address = string_copy(cutthrough.host.address);
    continue_sequence = 1;
    sending_ip_address = cutthrough.snd_ip;
    sending_port = cutthrough.snd_port;
    smtp_peer_options = cutthrough.peer_options;
    }

  /* If this is a run to continue delivery down an already-established
  channel, check that this set of addresses matches the transport and
  the channel. If it does not, defer the addresses. If a host list exists,
  we must check that the continue host is on the list. Otherwise, the
  host is set in the transport. */

  f.continue_more = FALSE;           /* In case got set for the last lot */
  if (continue_transport)
    {
    BOOL ok = Ustrcmp(continue_transport, tp->name) == 0;
/*XXX do we need to check for a DANEd conn vs. a change of domain? */

    /* If the transport is about to override the host list do not check
    it here but take the cost of running the transport process to discover
    if the continued_hostname connection is suitable.  This is a layering
    violation which is unfortunate as it requires we haul in the smtp
    include file. */

    if (ok)
      {
      smtp_transport_options_block * ob;

      if (  !(  Ustrcmp(tp->info->driver_name, "smtp") == 0
             && (ob = (smtp_transport_options_block *)tp->options_block)
             && ob->hosts_override && ob->hosts
             )
         && addr->host_list
         )
        {
        ok = FALSE;
        for (host_item * h = addr->host_list; h; h = h->next)
          if (Ustrcmp(h->name, continue_hostname) == 0)
  /*XXX should also check port here */
            { ok = TRUE; break; }
        }
      }

    /* Addresses not suitable; defer or queue for fallback hosts (which
    might be the continue host) and skip to next address. */

    if (!ok)
      {
      DEBUG(D_deliver) debug_printf("not suitable for continue_transport (%s)\n",
        Ustrcmp(continue_transport, tp->name) != 0
        ? string_sprintf("tpt %s vs %s", continue_transport, tp->name)
        : string_sprintf("no host matching %s", continue_hostname));
      if (serialize_key) enq_end(serialize_key);

      if (addr->fallback_hosts && !fallback)
        {
        for (next = addr; ; next = next->next)
          {
          next->host_list = next->fallback_hosts;
          DEBUG(D_deliver) debug_printf("%s queued for fallback host(s)\n", next->address);
          if (!next->next) break;
          }
        next->next = addr_fallback;
        addr_fallback = addr;
        }

      else
        {
        for (next = addr; ; next = next->next)
          {
          DEBUG(D_deliver) debug_printf(" %s to def list\n", next->address);
          if (!next->next) break;
          }
        next->next = addr_defer;
        addr_defer = addr;
        }

      continue;
      }
    }

    /* Once we hit the max number of parallel transports set a flag indicating
    whether there are further addresses that list the same host. This tells the
    transport to leave the channel open for us. */
/*XXX maybe we should *count* possible further's, and set continue_more if
parmax * tpt-max is exceeded? */

  if (parcount+1 >= remote_max_parallel)
    {
    host_item * h1 = addr->host_list;
    if (h1)
      {
      const uschar * name = continue_hostname ? continue_hostname : h1->name;
      for (next = addr_remote; next && !f.continue_more; next = next->next)
        for (host_item * h = next->host_list; h; h = h->next)
          if (Ustrcmp(h->name, name) == 0)
            { f.continue_more = TRUE; break; }
      }
    }
  else DEBUG(D_deliver)
    debug_printf(
      "not reached parallelism limit (%d/%d) so not setting continue_more\n",
      parcount+1, remote_max_parallel);

  /* The transports set up the process info themselves as they may connect
  to more than one remote machine. They also have to set up the filter
  arguments, if required, so that the host name and address are available
  for expansion. */

  transport_filter_argv = NULL;

  /* Create the pipe for inter-process communication. If pipe creation
  fails, it is probably because the value of remote_max_parallel is so
  large that too many file descriptors for pipes have been created. Arrange
  to wait for a process to finish, and then try again. If we still can't
  create a pipe when all processes have finished, break the retry loop.
  Use socketpair() rather than pipe() so we can pass an fd back from the
  transport process.
  */

  while (!pipe_done)
    {
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pfd) == 0) pipe_done = TRUE;
    else if (parcount > 0) parmax = parcount;
    else break;

    /* We need to make the reading end of the pipe non-blocking. There are
    two different options for this. Exim is cunningly (I hope!) coded so
    that it can use either of them, though it prefers O_NONBLOCK, which
    distinguishes between EOF and no-more-data. */

/* The data appears in a timely manner and we already did a poll on
all pipes, so I do not see a reason to use non-blocking IO here

#ifdef O_NONBLOCK
    (void)fcntl(pfd[pipe_read], F_SETFL, O_NONBLOCK);
#else
    (void)fcntl(pfd[pipe_read], F_SETFL, O_NDELAY);
#endif
*/

    /* If the maximum number of subprocesses already exist, wait for a process
    to finish. If we ran out of file descriptors, parmax will have been reduced
    from its initial value of remote_max_parallel. */

    par_reduce(parmax - 1, fallback);
    }

  /* If we failed to create a pipe and there were no processes to wait
  for, we have to give up on this one. Do this outside the above loop
  so that we can continue the main loop. */

  if (!pipe_done)
    {
    panicmsg = string_sprintf("unable to create pipe: %s", strerror(errno));
    goto enq_continue;
    }

  /* Find a free slot in the pardata list. Must do this after the possible
  waiting for processes to finish, because a terminating process will free
  up a slot. */

  for (poffset = 0; poffset < remote_max_parallel; poffset++)
    if (parlist[poffset].pid == 0)
      break;

  /* If there isn't one, there has been a horrible disaster. */

  if (poffset >= remote_max_parallel)
    {
    (void)close(pfd[pipe_write]);
    (void)close(pfd[pipe_read]);
    panicmsg = US"Unexpectedly no free subprocess slot";
    goto enq_continue;
    }

  /* Now fork a subprocess to do the remote delivery, but before doing so,
  ensure that any cached resources are released so as not to interfere with
  what happens in the subprocess. */

  search_tidyup();

/*
A continued-tpt will, in the tpt parent here, call par_reduce for
the one child. But we are hoping to never do continued-transport...
SO.... we may have called par_reduce for a single child, above when we'd
hit the limit on child-count. Possibly multiple times with different
transports and target hosts.  Does it matter if several return a suggested
next-id, and we lose all but the last?  Hmm.  Less parallel working would
happen. Perhaps still do continued-tpt once one has been set? No, that won't
work for all cases.
BAH.
Could take the initial continued-tpt hit, and then do the next-id thing?

do_remote_deliveries par_reduce par_wait par_read_pipe
*/

  /*XXX what about firsttime? */
  /*XXX also, ph1? Note tp->name would possibly change per message,
  so a check/close/open would be needed. Might was to change that var name
  "continue_wait_db" as we'd be using it for a non-continued-transport
  context. */
  if (continue_transport && !exim_lockfile_needed())
    if (!continue_wait_db)
      {
      continue_wait_db = dbfn_open_multi(
                    string_sprintf("wait-%.200s", continue_transport),
                    O_RDWR,
                    (open_db *) store_get(sizeof(open_db), GET_UNTAINTED));
      continue_next_id[0] = '\0';
      }

  if ((pid = exim_fork(f.queue_2stage ? US"transport ph1":US"transport")) == 0)
    {
    int fd = pfd[pipe_write];
    host_item *h;

    /* Setting these globals in the subprocess means we need never clear them */

    transport_name = tp->name;
    if (addr->router) router_name = addr->router->drinst.name;
    driver_srcfile = tp->srcfile;
    driver_srcline = tp->srcline;

    /* There are weird circumstances in which logging is disabled */
    f.disable_logging = tp->disable_logging;

    /* Show pids on debug output if parallelism possible */

    if (parmax > 1 && (parcount > 0 || addr_remote))
      DEBUG(D_any|D_v) debug_selector |= D_pid;

    /* Reset the random number generator, so different processes don't all
    have the same sequence. In the test harness we want different, but
    predictable settings for each delivery process, so do something explicit
    here rather they rely on the fixed reset in the random number function. */

    random_seed = f.running_in_test_harness ? 42 + 2*delivery_count : 0;

    /* Set close-on-exec on the pipe so that it doesn't get passed on to
    a new process that may be forked to do another delivery down the same
    SMTP connection. */

    (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);

    /* Close open file descriptors for the pipes of other processes
    that are running in parallel. */

    for (poffset = 0; poffset < remote_max_parallel; poffset++)
      if (parlist[poffset].pid != 0) (void)close(parlist[poffset].fd);

    /* This process has inherited a copy of the file descriptor
    for the data file, but its file pointer is shared with all the
    other processes running in parallel. Therefore, we have to re-open
    the file in order to get a new file descriptor with its own
    file pointer. We don't need to lock it, as the lock is held by
    the parent process. There doesn't seem to be any way of doing
    a dup-with-new-file-pointer. */

    (void)close(deliver_datafile);
    {
    uschar * fname = spool_fname(US"input", message_subdir, message_id, US"-D");

    if (  (deliver_datafile = Uopen(fname, EXIM_CLOEXEC | O_RDWR | O_APPEND, 0))
        < 0)
      log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Failed to reopen %s for remote "
        "parallel delivery: %s", fname, strerror(errno));
    }

#ifndef O_CLOEXEC                       /* Set the close-on-exec flag */
    (void)fcntl(deliver_datafile, F_SETFD, fcntl(deliver_datafile, F_GETFD) |
      FD_CLOEXEC);
#endif

    /* Set the uid/gid of this process; bombs out on failure. */

    exim_setugid(uid, gid, use_initgroups,
      string_sprintf("remote delivery to %s with transport=%s",
        addr->address, tp->name));

    /* Close the unwanted half of this process' pipe, set the process state,
    and run the transport. Afterwards, transport_count will contain the number
    of bytes written. */

    (void)close(pfd[pipe_read]);
    set_process_info("delivering %s using %s", message_id, tp->name);
    debug_print_string(tp->debug_string);
    if (!(tp->info->code)(addr->transport, addr)) replicate_status(addr);

    set_process_info("delivering %s (just run %s for %s%s in subprocess)",
      message_id, tp->name, addr->address, addr->next ? ", ..." : "");

    /* Ensure any cached resources that we used are now released */

    search_tidyup();

    /* Pass the result back down the pipe. This is a lot more information
    than is needed for a local delivery. We have to send back the error
    status for each address, the usability status for each host that is
    flagged as unusable, and all the retry items. When TLS is in use, we
    send also the cipher and peerdn information. Each type of information
    is flagged by an identifying byte, and is then in a fixed format (with
    strings terminated by zeros), and there is a final terminator at the
    end. The host information and retry information is all attached to
    the first address, so that gets sent at the start.

    Result item tags:
      A C D H I K L P R S T X Z
    */

    /* Host unusability information: for most success cases this will
    be null. */

    for (h = addr->host_list; h; h = h->next)
      {
      if (!h->address || h->status < hstatus_unusable) continue;
      sprintf(CS big_buffer, "%c%c%s", h->status, h->why, h->address);
      rmt_dlv_checked_write(fd, 'H','0', big_buffer, Ustrlen(big_buffer+2) + 3);
      }

    /* The number of bytes written. This is the same for each address. Even
    if we sent several copies of the message down the same connection, the
    size of each one is the same, and it's that value we have got because
    transport_count gets reset before calling transport_write_message(). */

    memcpy(big_buffer, &transport_count, sizeof(transport_count));
    rmt_dlv_checked_write(fd, 'S', '0', big_buffer, sizeof(transport_count));

    /* Information about what happened to each address. Four item types are
    used: an optional 'X' item first, for TLS information, then an optional "C"
    item for any client-auth info followed by 'R' items for any retry settings,
    and finally an 'A' item for the remaining data. The actual recipient address
    is not sent but is implicit in the address-chain being handled. */

    for(; addr; addr = addr->next)
      {
      uschar * ptr;

#ifndef DISABLE_TLS
      /* The certificate verification status goes into the flags, in A0 */
      if (tls_out.certificate_verified) setflag(addr, af_cert_verified);
# ifdef SUPPORT_DANE
      if (tls_out.dane_verified)        setflag(addr, af_dane_verified);
# endif
# ifndef DISABLE_TLS_RESUME
      if (tls_out.resumption & RESUME_USED) setflag(addr, af_tls_resume);
# endif

      /* Use an X item only if there's something to send */
      if (addr->cipher)
        {
        ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1;
        if (!addr->peerdn)
          *ptr++ = 0;
        else
          ptr += sprintf(CS ptr, "%.512s", addr->peerdn) + 1;

        rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
        }
      else if (continue_proxy_cipher)
        {
        ptr = big_buffer + sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1;
        *ptr++ = 0;
        rmt_dlv_checked_write(fd, 'X', '1', big_buffer, ptr - big_buffer);
        }

      if (addr->peercert)
        {
        ptr = big_buffer;
        if (tls_export_cert(ptr, big_buffer_size-2, addr->peercert))
          while(*ptr++);
        else
          *ptr++ = 0;
        rmt_dlv_checked_write(fd, 'X', '2', big_buffer, ptr - big_buffer);
        }
      if (addr->ourcert)
        {
        ptr = big_buffer;
        if (tls_export_cert(ptr, big_buffer_size-2, addr->ourcert))
          while(*ptr++);
        else
          *ptr++ = 0;
        rmt_dlv_checked_write(fd, 'X', '3', big_buffer, ptr - big_buffer);
        }
# ifndef DISABLE_OCSP
      if (addr->ocsp > OCSP_NOT_REQ)
        {
        ptr = big_buffer + sprintf(CS big_buffer, "%c", addr->ocsp + '0') + 1;
        rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer);
        }
# endif
#endif  /*DISABLE_TLS*/

      if (client_authenticator)
        {
        ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticator) + 1;
        rmt_dlv_checked_write(fd, 'C', '1', big_buffer, ptr - big_buffer);
        }
      if (client_authenticated_id)
        {
        ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_id) + 1;
        rmt_dlv_checked_write(fd, 'C', '2', big_buffer, ptr - big_buffer);
        }
      if (client_authenticated_sender)
        {
        ptr = big_buffer + sprintf(CS big_buffer, "%.64s", client_authenticated_sender) + 1;
        rmt_dlv_checked_write(fd, 'C', '3', big_buffer, ptr - big_buffer);
        }

#ifndef DISABLE_PRDR
      if (testflag(addr, af_prdr_used))
        rmt_dlv_checked_write(fd, 'P', '0', NULL, 0);
#endif

      if (testflag(addr, af_pipelining))
#ifndef DISABLE_PIPE_CONNECT
        if (testflag(addr, af_early_pipe))
          rmt_dlv_checked_write(fd, 'L', '2', NULL, 0);
        else
#endif
          rmt_dlv_checked_write(fd, 'L', '1', NULL, 0);

      if (testflag(addr, af_chunking_used))
        rmt_dlv_checked_write(fd, 'K', '0', NULL, 0);

      if (testflag(addr, af_tcp_fastopen_conn))
        rmt_dlv_checked_write(fd, 'T',
          testflag(addr, af_tcp_fastopen) ? testflag(addr, af_tcp_fastopen_data)
          ? '2' : '1' : '0',
          NULL, 0);

      memcpy(big_buffer, &addr->dsn_aware, sizeof(addr->dsn_aware));
      rmt_dlv_checked_write(fd, 'D', '0', big_buffer, sizeof(addr->dsn_aware));

      /* Retry information: for most success cases this will be null. */

      for (retry_item * r = addr->retries; r; r = r->next)
        {
        sprintf(CS big_buffer, "%c%.500s", r->flags, r->key);
        ptr = big_buffer + Ustrlen(big_buffer+2) + 3;
        memcpy(ptr, &r->basic_errno, sizeof(r->basic_errno));
        ptr += sizeof(r->basic_errno);
        memcpy(ptr, &r->more_errno, sizeof(r->more_errno));
        ptr += sizeof(r->more_errno);
        if (!r->message) *ptr++ = 0; else
          {
          sprintf(CS ptr, "%.512s", r->message);
          while(*ptr++);
          }
        rmt_dlv_checked_write(fd, 'R', '0', big_buffer, ptr - big_buffer);
        }

#ifndef DISABLE_DKIM
      if (addr->dkim_used && LOGGING(dkim_verbose))
        {
        DEBUG(D_deliver) debug_printf("dkim used: %s\n", addr->dkim_used);
        ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->dkim_used) + 1;
        rmt_dlv_checked_write(fd, 'A', '4', big_buffer, ptr - big_buffer);
        }
#endif

      if (testflag(addr, af_new_conn) || testflag(addr, af_cont_conn))
        {
        DEBUG(D_deliver) debug_printf("%scontinued-connection\n",
          testflag(addr, af_new_conn) ? "non-" : "");
        big_buffer[0] = testflag(addr, af_new_conn) ? BIT(1) : BIT(2);
        rmt_dlv_checked_write(fd, 'A', '3', big_buffer, 1);
        }

#ifdef SUPPORT_SOCKS
      if (LOGGING(proxy) && proxy_session)
        {
        ptr = big_buffer;
        if (proxy_local_address)
          {
          DEBUG(D_deliver) debug_printf("proxy_local_address '%s'\n", proxy_local_address);
          ptr = big_buffer + sprintf(CS ptr, "%.128s", proxy_local_address) + 1;
          DEBUG(D_deliver) debug_printf("proxy_local_port %d\n", proxy_local_port);
          memcpy(ptr, &proxy_local_port, sizeof(proxy_local_port));
          ptr += sizeof(proxy_local_port);
          }
        else
          *ptr++ = '\0';
        rmt_dlv_checked_write(fd, 'A', '2', big_buffer, ptr - big_buffer);
        }
#endif

#ifdef EXPERIMENTAL_DSN_INFO
/*um, are they really per-addr?  Other per-conn stuff is not (auth, tls).  But host_used is! */
      if (addr->smtp_greeting)
        {
        DEBUG(D_deliver) debug_printf("smtp_greeting '%s'\n", addr->smtp_greeting);
        ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->smtp_greeting) + 1;
        if (addr->helo_response)
          {
          DEBUG(D_deliver) debug_printf("helo_response '%s'\n", addr->helo_response);
          ptr += sprintf(CS ptr, "%.128s", addr->helo_response) + 1;
          }
        else
          *ptr++ = '\0';
        rmt_dlv_checked_write(fd, 'A', '1', big_buffer, ptr - big_buffer);
        }
#endif

      /* The rest of the information goes in an 'A0' item. */
#ifdef notdef
      DEBUG(D_deliver)
        debug_printf("%s %s for MAIL\n",
          addr->special_action == '=' ? "initial RCPT"
          : addr->special_action == '-' ? "additional RCPT" : "?",
          addr->address);
#endif
      sprintf(CS big_buffer, "%c%c", addr->transport_return, addr->special_action);
      ptr = big_buffer + 2;
      memcpy(ptr, &addr->basic_errno, sizeof(addr->basic_errno));
      ptr += sizeof(addr->basic_errno);
      memcpy(ptr, &addr->more_errno, sizeof(addr->more_errno));
      ptr += sizeof(addr->more_errno);
      memcpy(ptr, &addr->delivery_time, sizeof(addr->delivery_time));
      ptr += sizeof(addr->delivery_time);
      memcpy(ptr, &addr->flags, sizeof(addr->flags));
      ptr += sizeof(addr->flags);

      if (!addr->message) *ptr++ = 0; else
        ptr += sprintf(CS ptr, "%.1024s", addr->message) + 1;

      if (!addr->user_message) *ptr++ = 0; else
        ptr += sprintf(CS ptr, "%.1024s", addr->user_message) + 1;

      if (!addr->host_used) *ptr++ = 0; else
        {
        ptr += sprintf(CS ptr, "%.256s", addr->host_used->name) + 1;
        ptr += sprintf(CS ptr, "%.64s", addr->host_used->address) + 1;
        memcpy(ptr, &addr->host_used->port, sizeof(addr->host_used->port));
        ptr += sizeof(addr->host_used->port);

        /* DNS lookup status */
        *ptr++ = addr->host_used->dnssec==DS_YES ? '2'
               : addr->host_used->dnssec==DS_NO ? '1' : '0';

        }
      rmt_dlv_checked_write(fd, 'A', '0', big_buffer, ptr - big_buffer);
      }

    /* Local interface address/port */
#ifdef EXPERIMENTAL_DSN_INFO
    if (sending_ip_address)
#else
    if (LOGGING(incoming_interface) && sending_ip_address)
#endif
      {
      uschar * ptr = big_buffer
                    + sprintf(CS big_buffer, "%.128s", sending_ip_address) + 1;
      ptr += sprintf(CS ptr, "%d", sending_port) + 1;
      rmt_dlv_checked_write(fd, 'I', '0', big_buffer, ptr - big_buffer);
      }

    /* Continuation message-id, if a continuation is for that reason,
    and the next sequence number (MAIL FROM count) for the connection. */

    if (*continue_next_id)
      rmt_dlv_checked_write(fd, 'Z', '1', big_buffer,
          sprintf(CS big_buffer, "%.*s %u",
              MESSAGE_ID_LENGTH, continue_next_id, continue_sequence+1) + 1);

    /* Connection details, only on the first suggested continuation for
    wait-db ones, but for all continue-more ones (though any after the
    delivery proc has the info are pointless). */

    if (continue_hostname && continue_fd >= 0)
      {
       {
        uschar * ptr = big_buffer;
        ptr += sprintf(CS ptr, "%.128s", continue_transport) + 1;
        ptr += sprintf(CS ptr, "%.128s", continue_hostname) + 1;
        ptr += sprintf(CS ptr, "%.128s", continue_host_address) + 1;
        ptr += sprintf(CS ptr, "%u", continue_sequence+1) + 1;
        rmt_dlv_checked_write(fd, 'Z', '2', big_buffer, ptr - big_buffer);
        send_fd_over_socket(fd, continue_fd);
       }

      big_buffer[0] = smtp_peer_options;
      big_buffer[1] = f.smtp_authenticated ? 1 : 0;
      rmt_dlv_checked_write(fd, 'Z', '3', big_buffer, 2);

      if (tls_out.active.sock >= 0 || continue_proxy_cipher)
        rmt_dlv_checked_write(fd, 'Z', '4', big_buffer,
              sprintf(CS big_buffer, "%.128s", continue_proxy_cipher) + 1);

      if (tls_out.sni)
        rmt_dlv_checked_write(fd, 'Z',
#ifdef SUPPORT_DANE
          tls_out.dane_verified ? '5' : '6',
#else
          '6',
#endif
          tls_out.sni, Ustrlen(tls_out.sni)+1);

#ifndef DISABLE_ESMTP_LIMITS
      if (continue_limit_mail || continue_limit_rcpt || continue_limit_rcptdom)
        rmt_dlv_checked_write(fd, 'Z', '7', big_buffer,
              sprintf(CS big_buffer, "%u %u %u",
                  continue_limit_mail, continue_limit_rcpt,
                  continue_limit_rcptdom) + 1);
#endif

#ifdef SUPPORT_SOCKS
      if (proxy_session)
        {
        uschar * ptr = big_buffer;
        ptr += sprintf(CS ptr, "%.128s", proxy_local_address) + 1;
        ptr += sprintf(CS ptr, "%u", proxy_local_port) + 1;
        ptr += sprintf(CS ptr, "%.128s", proxy_external_address) + 1;
        ptr += sprintf(CS ptr, "%u", proxy_external_port) + 1;
        rmt_dlv_checked_write(fd, 'Z', '8', big_buffer, ptr - big_buffer);
        }
#endif
      }

    /* Add termination flag, close the pipe, and that's it. The character
    after "Z0" indicates whether continue_transport is now NULL or not.
    A change from non-NULL to NULL indicates a problem with a continuing
    connection. */

    big_buffer[0] = continue_transport ? '1' : '0';
    rmt_dlv_checked_write(fd, 'Z', '0', big_buffer, 1);
    (void)close(fd);
    exim_exit(EXIT_SUCCESS);
    }

  /* Back in the mainline: close the unwanted half of the pipe. */

  (void)close(pfd[pipe_write]);

  /* If we have a connection still open from a verify stage (lazy-close)
  release its TLS library context (if any) as responsibility was passed to
  the delivery child process. */

  if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
    {
#ifndef DISABLE_TLS
    if (cutthrough.is_tls)
      tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
#endif
    (void) close(cutthrough.cctx.sock);
    release_cutthrough_connection(US"passed to transport proc");
    }

  /* Fork failed; defer with error message */

  if (pid == -1)
    {
    (void)close(pfd[pipe_read]);
    panicmsg = string_sprintf("fork failed for remote delivery to %s: %s",
        addr->domain, strerror(errno));
    goto enq_continue;
    }

  /* Fork succeeded; increment the count, and remember relevant data for
  when the process finishes. */

  parcount++;
  parlist[poffset].addrlist = parlist[poffset].addr = addr;
  parlist[poffset].pid = pid;
  parlist[poffset].fd = pfd[pipe_read];
  parlist[poffset].done = FALSE;
  parlist[poffset].msg = NULL;
  parlist[poffset].return_path = return_path;

  /* If the process we've just started is sending a message down an existing
  channel, wait for it now. This ensures that only one such process runs at
  once, whatever the value of remote_max parallel. Otherwise, we might try to
  send two or more messages simultaneously down the same channel. This could
  happen if there are different domains that include the same host in otherwise
  different host lists.

  Also, if the transport closes down the channel, this information gets back
  (continue_transport gets set to NULL) before we consider any other addresses
  in this message. */

  if (continue_transport)
    {
    par_reduce(0, fallback);
    if (!*continue_next_id && continue_wait_db)
        { dbfn_close_multi(continue_wait_db); continue_wait_db = NULL; }
    }

  /* Otherwise, if we are running in the test harness, wait a bit, to let the
  newly created process get going before we create another process. This should
  ensure repeatability in the tests. Wait long enough for most cases to complete
  the transport. */

  else
    testharness_pause_ms(600);

  continue;

enq_continue:
  if (serialize_key) enq_end(serialize_key);
panic_continue:
  remote_post_process(addr, LOG_MAIN|LOG_PANIC, panicmsg, fallback);
  continue;
  }

/* Reached the end of the list of addresses. Wait for all the subprocesses that
are still running and post-process their addresses. */

par_reduce(0, fallback);
return TRUE;
}




/*************************************************
*   Split an address into local part and domain  *
*************************************************/

/* This function initializes an address for routing by splitting it up into a
local part and a domain. The local part is set up twice - once in its original
casing, and once in lower case, and it is dequoted. We also do the "percent
hack" for configured domains. This may lead to a DEFER result if a lookup
defers. When a percent-hacking takes place, we insert a copy of the original
address as a new parent of this address, as if we have had a redirection.

Argument:
  addr      points to an addr_item block containing the address

Returns:    OK
            DEFER   - could not determine if domain is %-hackable
*/

int
deliver_split_address(address_item * addr)
{
const uschar * address = addr->address;
uschar * domain;
uschar * t;
int len;

if (!(domain = Ustrrchr(address, '@')))
  return DEFER;         /* should always have a domain, but just in case... */

len = domain - address;
addr->domain = string_copylc(domain+1);    /* Domains are always caseless */

/* The implication in the RFCs (though I can't say I've seen it spelled out
explicitly) is that quoting should be removed from local parts at the point
where they are locally interpreted. [The new draft "821" is more explicit on
this, Jan 1999.] We know the syntax is valid, so this can be done by simply
removing quoting backslashes and any unquoted doublequotes. */

addr->cc_local_part = t = store_get(len+1, address);
while(len-- > 0)
  {
  int c = *address++;
  if (c == '\"') continue;
  if (c == '\\')
    {
    *t++ = *address++;
    len--;
    }
  else *t++ = c;
  }
*t = '\0';

/* We do the percent hack only for those domains that are listed in
percent_hack_domains. A loop is required, to copy with multiple %-hacks. */

if (percent_hack_domains)
  {
  int rc;
  uschar * new_address = NULL;
  const uschar * local_part = addr->cc_local_part;

  deliver_domain = addr->domain;  /* set $domain */

  while (  (rc = match_isinlist(deliver_domain, (const uschar **)&percent_hack_domains, 0,
               &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
             == OK
        && (t = Ustrrchr(local_part, '%')) != NULL
        )
    {
    new_address = string_copy(local_part);
    new_address[t - local_part] = '@';
    deliver_domain = string_copylc(t+1);
    local_part = string_copyn(local_part, t - local_part);
    }

  if (rc == DEFER) return DEFER;   /* lookup deferred */

  /* If hackery happened, set up new parent and alter the current address. */

  if (new_address)
    {
    address_item * new_parent = store_get(sizeof(address_item), GET_UNTAINTED);
    *new_parent = *addr;
    addr->parent = new_parent;
    new_parent->child_count = 1;
    addr->address = new_address;
    addr->unique = string_copy(new_address);
    addr->domain = deliver_domain;
    addr->cc_local_part = local_part;
    DEBUG(D_deliver) debug_printf("%%-hack changed address to: %s\n",
      addr->address);
    }
  }

/* Create the lowercased version of the final local part, and make that the
default one to be used. */

addr->local_part = addr->lc_local_part = string_copylc(addr->cc_local_part);
return OK;
}




/*************************************************
*      Get next error message text               *
*************************************************/

/* If f is not NULL, read the next "paragraph", from a customized error message
text file, terminated by a line containing ****, and expand it.

Arguments:
  f          NULL or a file to read from
  which      string indicating which string (for errors)

Returns:     NULL or an expanded string
*/

static uschar *
next_emf(FILE *f, uschar *which)
{
uschar *yield;
gstring * para;
uschar buffer[256];

if (!f) return NULL;

if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0)
  return NULL;

para = string_get(256);
for (;;)
  {
  para = string_cat(para, buffer);
  if (!Ufgets(buffer, sizeof(buffer), f) || Ustrcmp(buffer, "****\n") == 0)
    break;
  }
if ((yield = expand_string(string_from_gstring(para))))
  return yield;

log_write(0, LOG_MAIN|LOG_PANIC, "Failed to expand string from "
  "bounce_message_file or warn_message_file (%s): %s", which,
  expand_string_message);
return NULL;
}




/*************************************************
*      Close down a passed transport channel     *
*************************************************/

/* This function is called when a passed transport channel cannot be used.
It attempts to close it down tidily. The yield is always DELIVER_NOT_ATTEMPTED
so that the function call can be the argument of a "return" statement.

Arguments:  None
Returns:    DELIVER_NOT_ATTEMPTED
*/

static int
continue_closedown(void)
{
if (continue_transport)
  for (transport_instance * t = transports; t; t = t->next)
    if (Ustrcmp(t->name, continue_transport) == 0)
      {
      if (t->info->closedown) (t->info->closedown)(t);
      continue_transport = NULL;
      break;
      }
return DELIVER_NOT_ATTEMPTED;
}




/*************************************************
*           Print address information            *
*************************************************/

/* This function is called to output an address, or information about an
address, for bounce or defer messages. If the hide_child flag is set, all we
output is the original ancestor address.

Arguments:
  addr         points to the address
  f            the FILE to print to
  si           an initial string
  sc           a continuation string for before "generated"
  se           an end string

Returns:       TRUE if the address is not hidden
*/

static BOOL
print_address_information(address_item * addr, FILE * f, uschar * si,
  uschar * sc, uschar * se)
{
BOOL yield = TRUE;
const uschar * printed = US"";
address_item * ancestor = addr;
while (ancestor->parent) ancestor = ancestor->parent;

fprintf(f, "%s", CS si);

if (addr->parent && testflag(addr, af_hide_child))
  {
  printed = US"an undisclosed address";
  yield = FALSE;
  }
else if (!testflag(addr, af_pfr) || !addr->parent)
  printed = addr->address;

else
  {
  const uschar * s = addr->address;
  const uschar * ss;

  if (addr->address[0] == '>') { ss = US"mail"; s++; }
  else if (addr->address[0] == '|') ss = US"pipe";
  else ss = US"save";

  fprintf(f, "%s to %s%sgenerated by ", ss, s, sc);
  printed = addr->parent->address;
  }

fprintf(f, "%s", CS string_printing(printed));

if (ancestor != addr)
  {
  const uschar * original = ancestor->onetime_parent;
  if (!original) original= ancestor->address;
  if (strcmpic(original, printed) != 0)
    fprintf(f, "%s(%sgenerated from %s)", sc,
      ancestor != addr->parent ? "ultimately " : "",
      string_printing(original));
  }

if (addr->host_used)
  fprintf(f, "\n    host %s [%s]",
          addr->host_used->name, addr->host_used->address);

fprintf(f, "%s", CS se);
return yield;
}





/*************************************************
*         Print error for an address             *
*************************************************/

/* This function is called to print the error information out of an address for
a bounce or a warning message. It tries to format the message reasonably by
introducing newlines. All lines are indented by 4; the initial printing
position must be set before calling.

This function used always to print the error. Nowadays we want to restrict it
to cases such as LMTP/SMTP errors from a remote host, and errors from :fail:
and filter "fail". We no longer pass other information willy-nilly in bounce
and warning messages. Text in user_message is always output; text in message
only if the af_pass_message flag is set.

Arguments:
  addr         the address
  f            the FILE to print on
  t            some leading text

Returns:       nothing
*/

static void
print_address_error(address_item * addr, FILE * f, const uschar * t)
{
int count = Ustrlen(t);
uschar * s = testflag(addr, af_pass_message) ? addr->message : NULL;

if (!s && !(s = addr->user_message))
  return;

fprintf(f, "\n    %s", t);

while (*s)
  if (*s == '\\' && s[1] == 'n')
    {
    fprintf(f, "\n    ");
    s += 2;
    count = 0;
    }
  else
    {
    fputc(*s, f);
    count++;
    if (*s++ == ':' && isspace(*s) && count > 45)
      {
      fprintf(f, "\n   ");  /* sic (because space follows) */
      count = 0;
      }
    else if (count > 254)       /* arbitrary limit */
      {
      fprintf(f, "[truncated]");
      do s++; while (*s && !(*s == '\\' && s[1] == '\n'));
      }
    }
}


/***********************************************************
*         Print Diagnostic-Code for an address             *
************************************************************/

/* This function is called to print the error information out of an address for
a bounce or a warning message. It tries to format the message reasonably as
required by RFC 3461 by adding a space after each newline

it uses the same logic as print_address_error() above. if af_pass_message is true
and addr->message is set it uses the remote host answer. if not addr->user_message
is used instead if available.

Arguments:
  addr         the address
  f            the FILE to print on

Returns:       nothing
*/

static void
print_dsn_diagnostic_code(const address_item *addr, FILE *f)
{
uschar * s = testflag(addr, af_pass_message) ? addr->message : NULL;
unsigned cnt;

/* af_pass_message and addr->message set ? print remote host answer */
if (!s)
  return;

DEBUG(D_deliver)
  debug_printf("DSN Diagnostic-Code: addr->message = %s\n", addr->message);

/* search first ": ". we assume to find the remote-MTA answer there */
if (!(s = Ustrstr(addr->message, ": ")))
  return;                               /* not found, bail out */

s += 2;  /* skip ": " */
cnt = fprintf(f, "Diagnostic-Code: smtp; ");

while (*s)
  {
  if (cnt > 950)        /* RFC line length limit: 998 */
    {
    DEBUG(D_deliver) debug_printf("print_dsn_diagnostic_code() truncated line\n");
    fputs("[truncated]", f);
    break;
    }

  if (*s == '\\' && s[1] == 'n')
    {
    fputs("\n ", f);    /* as defined in RFC 3461 */
    s += 2;
    cnt += 2;
    }
  else
    {
    fputc(*s++, f);
    cnt++;
    }
  }

fputc('\n', f);
}


/*************************************************
*     Check list of addresses for duplication    *
*************************************************/

/* This function was introduced when the test for duplicate addresses that are
not pipes, files, or autoreplies was moved from the middle of routing to when
routing was complete. That was to fix obscure cases when the routing history
affects the subsequent routing of identical addresses. This function is called
after routing, to check that the final routed addresses are not duplicates.

If we detect a duplicate, we remember what it is a duplicate of. Note that
pipe, file, and autoreply de-duplication is handled during routing, so we must
leave such "addresses" alone here, as otherwise they will incorrectly be
discarded.

Argument:     address of list anchor
Returns:      nothing
*/

static void
do_duplicate_check(address_item ** anchor)
{
address_item * addr;
while ((addr = *anchor))
  {
  tree_node * tnode;
  if (testflag(addr, af_pfr))
    anchor = &addr->next;
  else if ((tnode = tree_search(tree_duplicates, addr->unique)))
    {
    DEBUG(D_deliver|D_route)
      debug_printf("%s is a duplicate address: discarded\n", addr->unique);
    *anchor = addr->next;
    addr->dupof = tnode->data.ptr;
    addr->next = addr_duplicate;
    addr_duplicate = addr;
    }
  else
    {
    tree_add_duplicate(addr->unique, addr);
    anchor = &addr->next;
    }
  }
}




/************************************************/

static void
print_dsn_addr_action(FILE * f, address_item * addr,
  uschar * action, uschar * status)
{
address_item * pa;

if (addr->dsn_orcpt)
  fprintf(f,"Original-Recipient: %s\n", addr->dsn_orcpt);

for (pa = addr; pa->parent; ) pa = pa->parent;
fprintf(f, "Action: %s\n"
    "Final-Recipient: rfc822;%s\n"
    "Status: %s\n",
  action, pa->address, status);
}



/* When running in the test harness, there's an option that allows us to
fudge this time so as to get repeatability of the tests. Take the first
time off the list. In queue runs, the list pointer gets updated in the
calling process. */

int
test_harness_fudged_queue_time(int actual_time)
{
int qt;
if (  f.running_in_test_harness && *fudged_queue_times
   && (qt = readconf_readtime(fudged_queue_times, '/', FALSE)) >= 0)
  {
  DEBUG(D_deliver) debug_printf("fudged queue_times = %s\n",
    fudged_queue_times);
  return qt;
  }
return actual_time;
}

/************************************************/

static FILE *
expand_open(const uschar * filename,
  const uschar * optname, const uschar * reason)
{
const uschar * s = expand_cstring(filename);
FILE * fp = NULL;

if (!s || !*s)
  log_write(0, LOG_MAIN|LOG_PANIC,
    "Failed to expand %s: '%s'\n", optname, filename);
else if (*s != '/' || is_tainted(s))
  log_write(0, LOG_MAIN|LOG_PANIC,
    "%s is not %s after expansion: '%s'\n",
    optname, *s == '/' ? "untainted" : "absolute", s);
else if (!(fp = Ufopen(s, "rb")))
  log_write(0, LOG_MAIN|LOG_PANIC, "Failed to open %s for %s "
    "message texts: %s", s, reason, strerror(errno));
return fp;
}


/* Output the given header and string, converting either
the sequence "\n" or a real newline into newline plus space.
If that still takes us past column 78, look for the last space
and split there too.
Append a newline if string did not have one.
Limit to about 1024 chars total. */

static void
dsn_put_wrapped(FILE * fp, const uschar * header, const uschar * s)
{
gstring * g = string_cat(NULL, header);

g = string_cat(g, s);
gstring_release_unused(g);
fprintf(fp, "%s\n", wrap_header(string_from_gstring(g), 79, 1023, US" ", 1));
}




/*************************************************
*              Send a bounce message             *
*************************************************/

/* Find the error address for the first address, then send a message that
includes all failed addresses that have the same error address. Note the
bounce_recipient is a global so that it can be accessed by $bounce_recipient
while creating a customized error message. */

static void
send_bounce_message(time_t now, const uschar * logtod)
{
pid_t pid;
int fd;

if (!(bounce_recipient = addr_failed->prop.errors_address))
  bounce_recipient = sender_address;

/* Make a subprocess to send a message, using its stdin */

if ((pid = child_open_exim(&fd, US"bounce-message")) < 0)
  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %ld (parent %ld) failed to "
    "create child process to send failure message: %s",
    (long)getpid(), (long)getppid(), strerror(errno));

/* Creation of child succeeded */

else
  {
  int ch, rc, filecount = 0, rcount = 0;
  uschar * bcc, * emf_text;
  FILE * fp = fdopen(fd, "wb"), * emf = NULL;
  BOOL to_sender = strcmpic(sender_address, bounce_recipient) == 0;
  int max = (bounce_return_size_limit/DELIVER_IN_BUFFER_SIZE + 1) *
    DELIVER_IN_BUFFER_SIZE;
  uschar * bound, * dsnlimitmsg, * dsnnotifyhdr;
  int topt;
  address_item ** paddr;
  address_item * msgchain = NULL, ** pmsgchain = &msgchain;
  address_item * handled_addr = NULL;

  DEBUG(D_deliver)
    debug_printf("sending error message to: %s\n", bounce_recipient);

  /* Scan the addresses for all that have the same errors address, removing
  them from the addr_failed chain, and putting them on msgchain. */

  paddr = &addr_failed;
  for (address_item * addr = addr_failed; addr; addr = *paddr)
    if (Ustrcmp(bounce_recipient, addr->prop.errors_address
          ? addr->prop.errors_address : sender_address) == 0)
      {                          /* The same - dechain */
      *paddr = addr->next;
      *pmsgchain = addr;
      addr->next = NULL;
      pmsgchain = &addr->next;
      }
    else
      paddr = &addr->next;        /* Not the same; skip */

  /* Include X-Failed-Recipients: for automatic interpretation, but do
  not let any one header line get too long. We do this by starting a
  new header every 50 recipients. Omit any addresses for which the
  "hide_child" flag is set. */

  for (address_item * addr = msgchain; addr; addr = addr->next)
    {
    if (testflag(addr, af_hide_child)) continue;
    if (rcount >= 50)
      {
      fprintf(fp, "\n");
      rcount = 0;
      }
    fprintf(fp, "%s%s",
      rcount++ == 0
      ? "X-Failed-Recipients: "
      : ",\n  ",
      testflag(addr, af_pfr) && addr->parent
      ? string_printing(addr->parent->address)
      : string_printing(addr->address));
    }
  if (rcount > 0) fprintf(fp, "\n");

  /* Output the standard headers */

  if (errors_reply_to)
    fprintf(fp, "Reply-To: %s\n", errors_reply_to);
  fprintf(fp, "Auto-Submitted: auto-replied\n");
  moan_write_from(fp);
  fprintf(fp, "To: %s\n", bounce_recipient);
  moan_write_references(fp, NULL);

  /* generate boundary string and output MIME-Headers */
  bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());

  fprintf(fp, "Content-Type: multipart/report;"
        " report-type=delivery-status; boundary=%s\n"
      "MIME-Version: 1.0\n",
    bound);

  /* Open a template file if one is provided. Log failure to open, but
  carry on - default texts will be used. */

  GET_OPTION("bounce_message_file");
  if (bounce_message_file)
    emf = expand_open(bounce_message_file,
            US"bounce_message_file", US"error");

  /* Quietly copy to configured additional addresses if required. */

  if ((bcc = moan_check_errorcopy(bounce_recipient)))
    fprintf(fp, "Bcc: %s\n", bcc);

  /* The texts for the message can be read from a template file; if there
  isn't one, or if it is too short, built-in texts are used. The first
  emf text is a Subject: and any other headers. */

  if ((emf_text = next_emf(emf, US"header")))
    fprintf(fp, "%s\n", emf_text);
  else
    fprintf(fp, "Subject: Mail delivery failed%s\n\n",
      to_sender? ": returning message to sender" : "");

  /* output human readable part as text/plain section */
  fprintf(fp, "--%s\n"
      "Content-type: text/plain; charset=us-ascii\n\n",
    bound);

  if ((emf_text = next_emf(emf, US"intro")))
    fprintf(fp, "%s", CS emf_text);
  else
    {
    fprintf(fp,
/* This message has been reworded several times. It seems to be confusing to
somebody, however it is worded. I have retreated to the original, simple
wording. */
"This message was created automatically by mail delivery software.\n");

    if (bounce_message_text)
      fprintf(fp, "%s", CS bounce_message_text);
    if (to_sender)
      fprintf(fp,
"\nA message that you sent could not be delivered to one or more of its\n"
"recipients. This is a permanent error. The following address(es) failed:\n");
    else
      fprintf(fp,
"\nA message sent by\n\n  <%s>\n\n"
"could not be delivered to one or more of its recipients. The following\n"
"address(es) failed:\n", sender_address);
    }
  fputc('\n', fp);

  /* Process the addresses, leaving them on the msgchain if they have a
  file name for a return message. (There has already been a check in
  post_process_one() for the existence of data in the message file.) A TRUE
  return from print_address_information() means that the address is not
  hidden. */

  paddr = &msgchain;
  for (address_item * addr = msgchain; addr; addr = *paddr)
    {
    if (print_address_information(addr, fp, US"  ", US"\n    ", US""))
      print_address_error(addr, fp, US"");

    /* End the final line for the address */

    fputc('\n', fp);

    /* Leave on msgchain if there's a return file. */

    if (addr->return_file >= 0)
      {
      paddr = &addr->next;
      filecount++;
      }

    /* Else save so that we can tick off the recipient when the
    message is sent. */

    else
      {
      *paddr = addr->next;
      addr->next = handled_addr;
      handled_addr = addr;
      }
    }

  fputc('\n', fp);

  /* Get the next text, whether we need it or not, so as to be
  positioned for the one after. */

  emf_text = next_emf(emf, US"generated text");

  /* If there were any file messages passed by the local transports,
  include them in the message. Then put the address on the handled chain.
  In the case of a batch of addresses that were all sent to the same
  transport, the return_file field in all of them will contain the same
  fd, and the return_filename field in the *last* one will be set (to the
  name of the file). */

  if (msgchain)
    {
    address_item * nextaddr;

    if (emf_text)
      fprintf(fp, "%s", CS emf_text);
    else
      fprintf(fp,
        "The following text was generated during the delivery "
        "attempt%s:\n", (filecount > 1)? "s" : "");

    for (address_item * addr = msgchain; addr; addr = nextaddr)
      {
      FILE *fm;
      address_item *topaddr = addr;

      /* List all the addresses that relate to this file */

      fputc('\n', fp);
      while(addr)                   /* Insurance */
        {
        print_address_information(addr, fp, US"------ ",  US"\n       ",
          US" ------\n");
        if (addr->return_filename) break;
        addr = addr->next;
        }
      fputc('\n', fp);

      /* Now copy the file */

      if (!(fm = Ufopen(addr->return_filename, "rb")))
        fprintf(fp, "    +++ Exim error... failed to open text file: %s\n",
          strerror(errno));
      else
        {
        while ((ch = fgetc(fm)) != EOF) fputc(ch, fp);
        (void)fclose(fm);
        }
      Uunlink(addr->return_filename);

      /* Can now add to handled chain, first fishing off the next
      address on the msgchain. */

      nextaddr = addr->next;
      addr->next = handled_addr;
      handled_addr = topaddr;
      }
    fputc('\n', fp);
    }

  /* output machine readable part */
#ifdef SUPPORT_I18N
  if (message_smtputf8)
    fprintf(fp, "--%s\n"
        "Content-type: message/global-delivery-status\n\n"
        "Reporting-MTA: dns; %s\n",
      bound, smtp_active_hostname);
  else
#endif
    fprintf(fp, "--%s\n"
        "Content-type: message/delivery-status\n\n"
        "Reporting-MTA: dns; %s\n",
      bound, smtp_active_hostname);

  if (dsn_envid)
    {
    /* must be decoded from xtext: see RFC 3461:6.3a */
    uschar * xdec_envid;
    if (xtextdecode(dsn_envid, &xdec_envid) > 0)
      fprintf(fp, "Original-Envelope-ID: %s\n", dsn_envid);
    else
      fprintf(fp, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
    }
  fputc('\n', fp);

  for (address_item * addr = handled_addr; addr; addr = addr->next)
    {
    host_item * hu;
#ifdef EXPERIMENTAL_DSN_INFO
    const uschar * s;
#endif

    print_dsn_addr_action(fp, addr, US"failed", US"5.0.0");

    if ((hu = addr->host_used) && hu->name)
      {
      fprintf(fp, "Remote-MTA: dns; %s\n", hu->name);
#ifdef EXPERIMENTAL_DSN_INFO
      if (hu->address)
        {
        uschar * p = hu->port == 25
          ? US"" : string_sprintf(":%d", hu->port);
        fprintf(fp, "Remote-MTA: X-ip; [%s]%s\n", hu->address, p);
        }
      if ((s = addr->smtp_greeting) && *s)
        dsn_put_wrapped(fp, US"X-Remote-MTA-smtp-greeting: X-str; ", s);
      if ((s = addr->helo_response) && *s)
        dsn_put_wrapped(fp, US"X-Remote-MTA-helo-response: X-str; ", s);
      if (testflag(addr, af_pass_message) && (s = addr->message) && *s)
        dsn_put_wrapped(fp, US"X-Exim-Diagnostic: X-str; ", s);
#endif
      print_dsn_diagnostic_code(addr, fp);
      }
#ifdef EXPERIMENTAL_DSN_INFO
      else if (testflag(addr, af_pass_message) && (s = addr->message) && *s)
        dsn_put_wrapped(fp, US"X-Exim-Diagnostic: X-str; ", s);
#endif
    fputc('\n', fp);
    }

  /* Now copy the message, trying to give an intelligible comment if
  it is too long for it all to be copied. The limit isn't strictly
  applied because of the buffering. There is, however, an option
  to suppress copying altogether. */

  emf_text = next_emf(emf, US"copy");

  /* add message body
     we ignore the intro text from template and add
     the text for bounce_return_size_limit at the end.

     bounce_return_message is ignored
     in case RET= is defined we honor these values
     otherwise bounce_return_body is honored.

     bounce_return_size_limit is always honored.
  */

  fprintf(fp, "--%s\n", bound);

  dsnlimitmsg = US"X-Exim-DSN-Information: Due to administrative limits only headers are returned";
  dsnnotifyhdr = NULL;
  topt = topt_add_return_path;

  /* RET=HDRS? top priority */
  if (dsn_ret == dsn_ret_hdrs)
    topt |= topt_no_body;
  else
    {
    struct stat statbuf;

    /* no full body return at all? */
    if (!bounce_return_body)
      {
      topt |= topt_no_body;
      /* add header if we overrule RET=FULL */
      if (dsn_ret == dsn_ret_full)
        dsnnotifyhdr = dsnlimitmsg;
      }
    /* line length limited... return headers only if oversize */
    /* size limited ... return headers only if limit reached */
    else if (  max_received_linelength > bounce_return_linesize_limit
            || (  bounce_return_size_limit > 0
               && fstat(deliver_datafile, &statbuf) == 0
               && statbuf.st_size > max
            )  )
      {
      topt |= topt_no_body;
      dsnnotifyhdr = dsnlimitmsg;
      }
    }

#ifdef SUPPORT_I18N
  if (message_smtputf8)
    fputs(topt & topt_no_body ? "Content-type: message/global-headers\n\n"
                              : "Content-type: message/global\n\n",
          fp);
  else
#endif
    fputs(topt & topt_no_body ? "Content-type: text/rfc822-headers\n\n"
                              : "Content-type: message/rfc822\n\n",
          fp);

  fflush(fp);
  transport_filter_argv = NULL;   /* Just in case */
  return_path = sender_address;   /* In case not previously set */
    {                         /* Dummy transport for headers add */
    transport_ctx tctx = {{0}};
    transport_instance tb = {0};

    tctx.u.fd = fileno(fp);
    tctx.tblock = &tb;
    tctx.options = topt | topt_truncate_headers;
    tb.add_headers = dsnnotifyhdr;

    /*XXX no checking for failure!  buggy! */
    transport_write_message(&tctx, 0);
    }
  fflush(fp);

  /* we never add the final text. close the file */
  if (emf)
    (void)fclose(emf);

  fprintf(fp, "\n--%s--\n", bound);

  /* Close the file, which should send an EOF to the child process
  that is receiving the message. Wait for it to finish. */

  (void)fclose(fp);
  rc = child_close(pid, 0);     /* Waits for child to close, no timeout */

  /* If the process failed, there was some disaster in setting up the
  error message. Unless the message is very old, ensure that addr_defer
  is non-null, which will have the effect of leaving the message on the
  spool. The failed addresses will get tried again next time. However, we
  don't really want this to happen too often, so freeze the message unless
  there are some genuine deferred addresses to try. To do this we have
  to call spool_write_header() here, because with no genuine deferred
  addresses the normal code below doesn't get run. */

  if (rc != 0)
    {
    uschar * s = US"";
    if (now - received_time.tv_sec < retry_maximum_timeout && !addr_defer)
      {
      addr_defer = (address_item *)(+1);
      f.deliver_freeze = TRUE;
      deliver_frozen_at = time(NULL);
      /* Panic-dies on error */
      (void)spool_write_header(message_id, SW_DELIVERING, NULL);
      s = US" (frozen)";
      }
    deliver_msglog("Process failed (%d) when writing error message "
      "to %s%s", rc, bounce_recipient, s);
    log_write(0, LOG_MAIN, "Process failed (%d) when writing error message "
      "to %s%s", rc, bounce_recipient, s);
    }

  /* The message succeeded. Ensure that the recipients that failed are
  now marked finished with on the spool and their parents updated. */

  else
    {
    for (address_item * addr = handled_addr; addr; addr = addr->next)
      {
      address_done(addr, logtod);
      child_done(addr, logtod);
      }
    /* Panic-dies on error */
    (void)spool_write_header(message_id, SW_DELIVERING, NULL);
    }
  }
}

/*************************************************
*              Send a warning message            *
*************************************************/
/* Return: boolean success */

static BOOL
send_warning_message(const uschar * recipients, int queue_time, int show_time)
{
int fd;
pid_t pid = child_open_exim(&fd, US"delay-warning-message");
FILE * wmf = NULL, * f = fdopen(fd, "wb");
uschar * wmf_text, * bound;
transport_ctx tctx = {{0}};


if (pid <= 0) return FALSE;

GET_OPTION("warn_message_file");
if (warn_message_file)
  wmf = expand_open(warn_message_file,
          US"warn_message_file", US"warning");

warnmsg_recipients = recipients;
warnmsg_delay = queue_time < 120*60
  ? string_sprintf("%d minutes", show_time/60)
  : string_sprintf("%d hours", show_time/3600);

if (errors_reply_to)
  fprintf(f, "Reply-To: %s\n", errors_reply_to);
fprintf(f, "Auto-Submitted: auto-replied\n");
moan_write_from(f);
fprintf(f, "To: %s\n", recipients);
moan_write_references(f, NULL);

/* generated boundary string and output MIME-Headers */
bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());

fprintf(f, "Content-Type: multipart/report;"
    " report-type=delivery-status; boundary=%s\n"
    "MIME-Version: 1.0\n",
  bound);

if ((wmf_text = next_emf(wmf, US"header")))
  fprintf(f, "%s\n", wmf_text);
else
  fprintf(f, "Subject: Warning: message %s delayed %s\n\n",
    message_id, warnmsg_delay);

/* output human readable part as text/plain section */
fprintf(f, "--%s\n"
    "Content-type: text/plain; charset=us-ascii\n\n",
  bound);

if ((wmf_text = next_emf(wmf, US"intro")))
  fprintf(f, "%s", CS wmf_text);
else
  {
  fprintf(f,
"This message was created automatically by mail delivery software.\n");

  if (Ustrcmp(recipients, sender_address) == 0)
    fprintf(f,
"A message that you sent has not yet been delivered to one or more of its\n"
"recipients after more than ");

  else
    fprintf(f,
"A message sent by\n\n  <%s>\n\n"
"has not yet been delivered to one or more of its recipients after more than \n",
      sender_address);

  fprintf(f, "%s on the queue on %s.\n\n"
      "The message identifier is:     %s\n",
    warnmsg_delay, primary_hostname, message_id);

  for (header_line * h = header_list; h; h = h->next)
    if (strncmpic(h->text, US"Subject:", 8) == 0)
      fprintf(f, "The subject of the message is: %s", h->text + 9);
    else if (strncmpic(h->text, US"Date:", 5) == 0)
      fprintf(f, "The date of the message is:    %s", h->text + 6);
  fputc('\n', f);

  fprintf(f, "The address%s to which the message has not yet been "
    "delivered %s:\n",
    !addr_defer->next ? "" : "es",
    !addr_defer->next ? "is": "are");
  }

/* List the addresses, with error information if allowed */

fputc('\n', f);
for (address_item * addr = addr_defer; addr; addr = addr->next)
  {
  if (print_address_information(addr, f, US"  ", US"\n    ", US""))
    print_address_error(addr, f, US"Delay reason: ");
  fputc('\n', f);
  }
fputc('\n', f);

/* Final text */

if (wmf)
  {
  if ((wmf_text = next_emf(wmf, US"final")))
    fprintf(f, "%s", CS wmf_text);
  (void)fclose(wmf);
  }
else
  {
  fprintf(f,
"No action is required on your part. Delivery attempts will continue for\n"
"some time, and this warning may be repeated at intervals if the message\n"
"remains undelivered. Eventually the mail delivery software will give up,\n"
"and when that happens, the message will be returned to you.\n");
  }

/* output machine readable part */
fprintf(f, "\n--%s\n"
    "Content-type: message/delivery-status\n\n"
    "Reporting-MTA: dns; %s\n",
  bound,
  smtp_active_hostname);


if (dsn_envid)
  {
  /* must be decoded from xtext: see RFC 3461:6.3a */
  uschar *xdec_envid;
  if (xtextdecode(dsn_envid, &xdec_envid) > 0)
    fprintf(f,"Original-Envelope-ID: %s\n", dsn_envid);
  else
    fprintf(f,"X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
  }
fputc('\n', f);

for (address_item * addr = addr_defer; addr; addr = addr->next)
  {
  host_item * hu;

  print_dsn_addr_action(f, addr, US"delayed", US"4.0.0");

  if ((hu = addr->host_used) && hu->name)
    {
    fprintf(f, "Remote-MTA: dns; %s\n", hu->name);
    print_dsn_diagnostic_code(addr, f);
    }
  fputc('\n', f);
  }

fprintf(f, "--%s\n"
    "Content-type: text/rfc822-headers\n\n",
  bound);

fflush(f);
/* header only as required by RFC. only failure DSN needs to honor RET=FULL */
tctx.u.fd = fileno(f);
tctx.options = topt_add_return_path | topt_truncate_headers | topt_no_body;
transport_filter_argv = NULL;   /* Just in case */
return_path = sender_address;   /* In case not previously set */

/* Write the original email out */
/*XXX no checking for failure!  buggy! */
transport_write_message(&tctx, 0);
fflush(f);

fprintf(f,"\n--%s--\n", bound);

fflush(f);

/* Close and wait for child process to complete, without a timeout.
If there's an error, don't update the count. */

(void)fclose(f);
return child_close(pid, 0) == 0;
}

/*************************************************
*              Send a success-DSN                *
*************************************************/

static void
maybe_send_dsn(const address_item * const addr_succeed)
{
address_item * addr_senddsn = NULL;

for (const address_item * a = addr_succeed; a; a = a->next)
  {
  /* af_ignore_error not honored here. it's not an error */
  DEBUG(D_deliver) debug_printf("DSN: processing router : %s\n"
      "DSN: processing successful delivery address: %s\n"
      "DSN: Sender_address: %s\n"
      "DSN: orcpt: %s  flags: 0x%x\n"
      "DSN: envid: %s  ret: %d\n"
      "DSN: Final recipient: %s\n"
      "DSN: Remote SMTP server supports DSN: %d\n",
      a->router ? a->router->drinst.name : US"(unknown)",
      a->address,
      sender_address,
      a->dsn_orcpt ? a->dsn_orcpt : US"NULL",
      a->dsn_flags,
      dsn_envid ? dsn_envid : US"NULL", dsn_ret,
      a->address,
      a->dsn_aware
      );

  /* send report if next hop not DSN aware or a router flagged "last DSN hop"
  and a report was requested */

  if (  (a->dsn_aware != dsn_support_yes || a->dsn_flags & rf_dsnlasthop)
     && a->dsn_flags & rf_notify_success
     )
    {
    /* copy and relink address_item and send report with all of them at once later */
    address_item * addr_next = addr_senddsn;
    addr_senddsn = store_get(sizeof(address_item), GET_UNTAINTED);
    *addr_senddsn = *a;
    addr_senddsn->next = addr_next;
    }
  else
    DEBUG(D_deliver) debug_printf("DSN: not sending DSN success message\n");
  }

if (addr_senddsn)
  {                             /* create exim process to send message */
  int fd;
  pid_t pid = child_open_exim(&fd, US"DSN");

  DEBUG(D_deliver) debug_printf("DSN: child_open_exim returns: %ld\n", (long)pid);

  if (pid < 0)  /* Creation of child failed */
    {
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Process %ld (parent %ld) failed to "
      "create child process to send success-dsn message: %s",
      (long)getpid(), (long)getppid(), strerror(errno));

    DEBUG(D_deliver) debug_printf("DSN: child_open_exim failed\n");
    }
  else  /* Creation of child succeeded */
    {
    FILE * f = fdopen(fd, "wb");
    /* header only as required by RFC. only failure DSN needs to honor RET=FULL */
    uschar * bound;
    transport_ctx tctx = {{0}};

    DEBUG(D_deliver)
      debug_printf("sending success-dsn to: %s\n", sender_address);

    /* build unique id for MIME boundary */
    bound = string_sprintf(TIME_T_FMT "-eximdsn-%d", time(NULL), rand());
    DEBUG(D_deliver) debug_printf("DSN: MIME boundary: %s\n", bound);

    if (errors_reply_to)
      fprintf(f, "Reply-To: %s\n", errors_reply_to);

    moan_write_from(f);
    fprintf(f, "Auto-Submitted: auto-generated\n"
        "To: %s\n"
        "Subject: Delivery Status Notification\n",
      sender_address);
    moan_write_references(f, NULL);
    fprintf(f, "Content-Type: multipart/report;"
                " report-type=delivery-status; boundary=%s\n"
        "MIME-Version: 1.0\n\n"

        "--%s\n"
        "Content-type: text/plain; charset=us-ascii\n\n"

        "This message was created automatically by mail delivery software.\n"
        " ----- The following addresses had successful delivery notifications -----\n",
      bound, bound);

    for (address_item * a = addr_senddsn; a; a = a->next)
      fprintf(f, "<%s> (relayed %s)\n\n",
        a->address,
        a->dsn_flags & rf_dsnlasthop ? "via non DSN router"
        : a->dsn_aware == dsn_support_no ? "to non-DSN-aware mailer"
        : "via non \"Remote SMTP\" router"
        );

    fprintf(f, "--%s\n"
        "Content-type: message/delivery-status\n\n"
        "Reporting-MTA: dns; %s\n",
      bound, smtp_active_hostname);

    if (dsn_envid)
      {                 /* must be decoded from xtext: see RFC 3461:6.3a */
      uschar * xdec_envid;
      if (xtextdecode(dsn_envid, &xdec_envid) > 0)
        fprintf(f, "Original-Envelope-ID: %s\n", dsn_envid);
      else
        fprintf(f, "X-Original-Envelope-ID: error decoding xtext formatted ENVID\n");
      }
    fputc('\n', f);

    for (address_item * a = addr_senddsn; a; a = a->next)
      {
      host_item * hu;

      print_dsn_addr_action(f, a, US"delivered", US"2.0.0");

      if ((hu = a->host_used) && hu->name)
        fprintf(f, "Remote-MTA: dns; %s\nDiagnostic-Code: smtp; 250 Ok\n\n",
          hu->name);
      else
        fprintf(f, "Diagnostic-Code: X-Exim; relayed via non %s router\n\n",
          a->dsn_flags & rf_dsnlasthop ? "DSN" : "SMTP");
      }

    fprintf(f, "--%s\nContent-type: text/rfc822-headers\n\n", bound);

    fflush(f);
    transport_filter_argv = NULL;   /* Just in case */
    return_path = sender_address;   /* In case not previously set */

    /* Write the original email out */

    tctx.u.fd = fd;
    tctx.options = topt_add_return_path | topt_truncate_headers | topt_no_body;
    /*XXX hmm, FALSE(fail) retval ignored.
    Could error for any number of reasons, and they are not handled. */
    transport_write_message(&tctx, 0);
    fflush(f);

    fprintf(f,"\n--%s--\n", bound);

    fflush(f);
    fclose(f);
    (void) child_close(pid, 0);     /* Waits for child to close, no timeout */
    }
  }
}

/*************************************************
*              Deliver one message               *
*************************************************/

/* This is the function which is called when a message is to be delivered. It
is passed the id of the message. It is possible that the message no longer
exists, if some other process has delivered it, and it is also possible that
the message is being worked on by another process, in which case the data file
will be locked.

If no delivery is attempted for any of the above reasons, the function returns
DELIVER_NOT_ATTEMPTED.

If the give_up flag is set true, do not attempt any deliveries, but instead
fail all outstanding addresses and return the message to the sender (or
whoever).

A delivery operation has a process all to itself; we never deliver more than
one message in the same process. Therefore we needn't worry too much about
store leakage.

Liable to be called as root.

Arguments:
  id          the id of the message to be delivered
  forced      TRUE if delivery was forced by an administrator; this overrides
              retry delays and causes a delivery to be tried regardless
  give_up     TRUE if an administrator has requested that delivery attempts
              be abandoned

Returns:      When the global variable mua_wrapper is FALSE:
                DELIVER_ATTEMPTED_NORMAL   if a delivery attempt was made
                DELIVER_NOT_ATTEMPTED      otherwise (see comment above)
              When the global variable mua_wrapper is TRUE:
                DELIVER_MUA_SUCCEEDED      if delivery succeeded
                DELIVER_MUA_FAILED         if delivery failed
                DELIVER_NOT_ATTEMPTED      if not attempted (should not occur)
*/

int
deliver_message(const uschar * id, BOOL forced, BOOL give_up)
{
int i, rc, final_yield, process_recipients;
time_t now;
address_item * addr_last;
uschar * filter_message, * info;
open_db dbblock, * dbm_file;
extern int acl_where;

CONTINUED_ID:
final_yield = DELIVER_ATTEMPTED_NORMAL;
now = time(NULL);
addr_last = NULL;
filter_message = NULL;
process_recipients = RECIP_ACCEPT;

#ifdef MEASURE_TIMING
report_time_since(&timestamp_startup, US"delivery start");      /* testcase 0022, 2100 */
#endif

info = queue_run_pid == (pid_t)0
  ? string_sprintf("delivering %s", id)
  : string_sprintf("delivering %s (queue run pid %ld)", id, (long)queue_run_pid);

/* If the D_process_info bit is on, set_process_info() will output debugging
information. If not, we want to show this initial information if D_deliver or
D_queue_run is set or in verbose mode. */

set_process_info("%s", info);

if (  !(debug_selector & D_process_info)
   && (debug_selector & (D_deliver|D_queue_run|D_v))
   )
  debug_printf("%s\n", info);

/* Ensure that we catch any subprocesses that are created. Although Exim
sets SIG_DFL as its initial default, some routes through the code end up
here with it set to SIG_IGN - cases where a non-synchronous delivery process
has been forked, but no re-exec has been done. We use sigaction rather than
plain signal() on those OS where SA_NOCLDWAIT exists, because we want to be
sure it is turned off. (There was a problem on AIX with this.) */

#ifdef SA_NOCLDWAIT
  {
  struct sigaction act;
  act.sa_handler = SIG_DFL;
  sigemptyset(&(act.sa_mask));
  act.sa_flags = 0;
  sigaction(SIGCHLD, &act, NULL);
  }
#else
signal(SIGCHLD, SIG_DFL);
#endif

/* Make the forcing flag available for routers and transports, set up the
global message id field, and initialize the count for returned files and the
message size. This use of strcpy() is OK because the length id is checked when
it is obtained from a command line (the -M or -q options), and otherwise it is
known to be a valid message id. */

if (id != message_id)
  Ustrcpy(message_id, id);
f.deliver_force = forced;
return_count = 0;
message_size = 0;

/* Initialize some flags */

update_spool = FALSE;
remove_journal = TRUE;

/* Set a known context for any ACLs we call via expansions */
acl_where = ACL_WHERE_DELIVERY;

/* Reset the random number generator, so that if several delivery processes are
started from a queue runner that has already used random numbers (for sorting),
they don't all get the same sequence. */

random_seed = 0;

/* Open and lock the message's data file. Exim locks on this one because the
header file may get replaced as it is re-written during the delivery process.
Any failures cause messages to be written to the log, except for missing files
while queue running - another process probably completed delivery. As part of
opening the data file, message_subdir gets set. */

if ((deliver_datafile = spool_open_datafile(id)) < 0)
  return continue_closedown();  /* yields DELIVER_NOT_ATTEMPTED */

/* The value of message_size at this point has been set to the data length,
plus one for the blank line that notionally precedes the data. */

/* Now read the contents of the header file, which will set up the headers in
store, and also the list of recipients and the tree of non-recipients and
assorted flags. It updates message_size. If there is a reading or format error,
give up; if the message has been around for sufficiently long, remove it. */

  {
  uschar * spoolname = string_sprintf("%s-H", id);
  if ((rc = spool_read_header(spoolname, TRUE, TRUE)) != spool_read_OK)
    {
    if (errno == ERRNO_SPOOLFORMAT)
      {
      struct stat statbuf;
      if (Ustat(spool_fname(US"input", message_subdir, spoolname, US""),
                &statbuf) == 0)
        log_write(0, LOG_MAIN, "Format error in spool file %s: "
          "size=" OFF_T_FMT, spoolname, statbuf.st_size);
      else
        log_write(0, LOG_MAIN, "Format error in spool file %s", spoolname);
      }
    else
      log_write(0, LOG_MAIN, "Error reading spool file %s: %s", spoolname,
        strerror(errno));

    /* If we managed to read the envelope data, received_time contains the
    time the message was received. Otherwise, we can calculate it from the
    message id. */

    if (rc != spool_read_hdrerror)
      {
      received_time.tv_sec = received_time.tv_usec = 0;
      /*III subsec precision?*/
      for (i = 0; i < MESSAGE_ID_TIME_LEN; i++)
        received_time.tv_sec = received_time.tv_sec * BASE_62 + tab62[id[i] - '0'];
      }

    /* If we've had this malformed message too long, sling it. */

    if (now - received_time.tv_sec > keep_malformed)
      {
      Uunlink(spool_fname(US"msglog", message_subdir, id, US""));
      Uunlink(spool_fname(US"input", message_subdir, id, US"-D"));
      Uunlink(spool_fname(US"input", message_subdir, id, US"-H"));
      Uunlink(spool_fname(US"input", message_subdir, id, US"-J"));
      log_write(0, LOG_MAIN, "Message removed because older than %s",
        readconf_printtime(keep_malformed));
      }

    (void)close(deliver_datafile);
    deliver_datafile = -1;
    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
    }
  }

/* The spool header file has been read. Look to see if there is an existing
journal file for this message. If there is, it means that a previous delivery
attempt crashed (program or host) before it could update the spool header file.
Read the list of delivered addresses from the journal and add them to the
nonrecipients tree. Then update the spool file. We can leave the journal in
existence, as it will get further successful deliveries added to it in this
run, and it will be deleted if this function gets to its end successfully.
Otherwise it might be needed again. */

  {
  uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");
  FILE * jread;

  if (  (journal_fd = Uopen(fname,
              O_RDWR|O_APPEND | EXIM_CLOEXEC | EXIM_NOFOLLOW, SPOOL_MODE)) >= 0
     && lseek(journal_fd, 0, SEEK_SET) == 0
     && (jread = fdopen(journal_fd, "rb"))
     )
    {
    while (Ufgets(big_buffer, big_buffer_size, jread))
      {
      int n = Ustrlen(big_buffer);
      big_buffer[n-1] = 0;
      tree_add_nonrecipient(big_buffer);
      DEBUG(D_deliver) debug_printf("Previously delivered address %s taken from "
        "journal file\n", big_buffer);
      }
    rewind(jread);
    if ((journal_fd = dup(fileno(jread))) < 0)
      journal_fd = fileno(jread);
    else
      (void) fclose(jread);     /* Try to not leak the FILE resource */

    /* Panic-dies on error */
    (void)spool_write_header(message_id, SW_DELIVERING, NULL);
    }
  else if (errno != ENOENT)
    {
    log_write(0, LOG_MAIN|LOG_PANIC, "attempt to open journal for reading gave: "
      "%s", strerror(errno));
    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
    }

  /* A null recipients list indicates some kind of disaster. */

  if (!recipients_list)
    {
    (void)close(deliver_datafile);
    deliver_datafile = -1;
    log_write(0, LOG_MAIN, "Spool error: no recipients for %s", fname);
    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
    }
  }


/* Handle a message that is frozen. There are a number of different things that
can happen, but in the default situation, unless forced, no delivery is
attempted. */

if (f.deliver_freeze)
  {
#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
  /* Moving to another directory removes the message from Exim's view. Other
  tools must be used to deal with it. Logging of this action happens in
  spool_move_message() and its subfunctions. */

  if (  move_frozen_messages
     && spool_move_message(id, message_subdir, US"", US"F")
     )
    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
#endif

  /* For all frozen messages (bounces or not), timeout_frozen_after sets the
  maximum time to keep messages that are frozen. Thaw if we reach it, with a
  flag causing all recipients to be failed. The time is the age of the
  message, not the time since freezing. */

  if (timeout_frozen_after > 0 && message_age >= timeout_frozen_after)
    {
    log_write(0, LOG_MAIN, "cancelled by timeout_frozen_after");
    process_recipients = RECIP_FAIL_TIMEOUT;
    }

  /* For bounce messages (and others with no sender), thaw if the error message
  ignore timer is exceeded. The message will be discarded if this delivery
  fails. */

  else if (!*sender_address && message_age >= ignore_bounce_errors_after)
    log_write(0, LOG_MAIN, "Unfrozen by errmsg timer");

  /* If this is a bounce message, or there's no auto thaw, or we haven't
  reached the auto thaw time yet, and this delivery is not forced by an admin
  user, do not attempt delivery of this message. Note that forced is set for
  continuing messages down the same channel, in order to skip load checking and
  ignore hold domains, but we don't want unfreezing in that case. */

  else
    {
    if (  (  sender_address[0] == 0
          || auto_thaw <= 0
          || now <= deliver_frozen_at + auto_thaw
          )
       && (  !forced || !f.deliver_force_thaw
          || !f.admin_user || continue_hostname
       )  )
      {
      (void)close(deliver_datafile);
      deliver_datafile = -1;
      log_write(L_skip_delivery, LOG_MAIN, "Message is frozen");
      return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
      }

    /* If delivery was forced (by an admin user), assume a manual thaw.
    Otherwise it's an auto thaw. */

    if (forced)
      {
      f.deliver_manual_thaw = TRUE;
      log_write(0, LOG_MAIN, "Unfrozen by forced delivery");
      }
    else log_write(0, LOG_MAIN, "Unfrozen by auto-thaw");
    }

  /* We get here if any of the rules for unfreezing have triggered. */

  f.deliver_freeze = FALSE;
  update_spool = TRUE;
  }


/* Open the message log file if we are using them. This records details of
deliveries, deferments, and failures for the benefit of the mail administrator.
The log is not used by exim itself to track the progress of a message; that is
done by rewriting the header spool file. */

if (message_logs)
  {
  uschar * fname = spool_fname(US"msglog", message_subdir, id, US"");
  uschar * error;
  int fd;

  if ((fd = open_msglog_file(fname, SPOOL_MODE, &error)) < 0)
    {
    log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't %s message log %s: %s", error,
      fname, strerror(errno));
    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
    }

  /* Make a stdio stream out of it. */

  if (!(message_log = fdopen(fd, "a")))
    {
    log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't fdopen message log %s: %s",
      fname, strerror(errno));
    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
    }
  }


/* If asked to give up on a message, log who did it, and set the action for all
the addresses. */

if (give_up)
  {
  struct passwd *pw = getpwuid(real_uid);
  log_write(0, LOG_MAIN, "cancelled by %s",
      pw ? US pw->pw_name : string_sprintf("uid %ld", (long int)real_uid));
  process_recipients = RECIP_FAIL;
  }

/* Otherwise, if there are too many Received: headers, fail all recipients. */

else if (received_count > received_headers_max)
  process_recipients = RECIP_FAIL_LOOP;

/* Otherwise, if a system-wide, address-independent message filter is
specified, run it now, except in the case when we are failing all recipients as
a result of timeout_frozen_after. If the system filter yields "delivered", then
ignore the true recipients of the message. Failure of the filter file is
logged, and the delivery attempt fails. */

else if (system_filter && process_recipients != RECIP_FAIL_TIMEOUT)
  {
  int rc;
  int filtertype;
  ugid_block ugid;
  redirect_block redirect;

  if (system_filter_uid_set)
    {
    ugid.uid = system_filter_uid;
    ugid.gid = system_filter_gid;
    ugid.uid_set = ugid.gid_set = TRUE;
    }
  else
    ugid.uid_set = ugid.gid_set = FALSE;

  return_path = sender_address;
  f.enable_dollar_recipients = TRUE;   /* Permit $recipients in system filter */
  f.system_filtering = TRUE;

  /* Any error in the filter file causes a delivery to be abandoned. */

  GET_OPTION("system_filter");
  redirect.string = system_filter;
  redirect.isfile = TRUE;
  redirect.check_owner = redirect.check_group = FALSE;
  redirect.owners = NULL;
  redirect.owngroups = NULL;
  redirect.pw = NULL;
  redirect.modemask = 0;

  DEBUG(D_deliver|D_filter) debug_printf("running system filter\n");

  rc = rda_interpret(
    &redirect,              /* Where the data is */
    RDO_DEFER |             /* Turn on all the enabling options */
      RDO_FAIL |            /* Leave off all the disabling options */
      RDO_FILTER |
      RDO_FREEZE |
      RDO_REALLOG |
      RDO_REWRITE,
    NULL,                   /* No :include: restriction (not used in filter) */
    NULL,                   /* No sieve info (not sieve!) */
    &ugid,                  /* uid/gid data */
    &addr_new,              /* Where to hang generated addresses */
    &filter_message,        /* Where to put error message */
    NULL,                   /* Don't skip syntax errors */
    &filtertype,            /* Will always be set to FILTER_EXIM for this call */
    US"system filter");     /* For error messages */

  DEBUG(D_deliver|D_filter) debug_printf("system filter returned %d\n", rc);

  if (rc == FF_ERROR || rc == FF_NONEXIST)
    {
    (void)close(deliver_datafile);
    deliver_datafile = -1;
    log_write(0, LOG_MAIN|LOG_PANIC, "Error in system filter: %s",
      string_printing(filter_message));
    return continue_closedown();   /* yields DELIVER_NOT_ATTEMPTED */
    }

  /* Reset things. If the filter message is an empty string, which can happen
  for a filter "fail" or "freeze" command with no text, reset it to NULL. */

  f.system_filtering = FALSE;
  f.enable_dollar_recipients = FALSE;
  if (filter_message && filter_message[0] == 0) filter_message = NULL;

  /* Save the values of the system filter variables so that user filters
  can use them. */

  memcpy(filter_sn, filter_n, sizeof(filter_sn));

  /* The filter can request that delivery of the original addresses be
  deferred. */

  if (rc == FF_DEFER)
    {
    process_recipients = RECIP_DEFER;
    deliver_msglog("Delivery deferred by system filter\n");
    log_write(0, LOG_MAIN, "Delivery deferred by system filter");
    }

  /* The filter can request that a message be frozen, but this does not
  take place if the message has been manually thawed. In that case, we must
  unset "delivered", which is forced by the "freeze" command to make -bF
  work properly. */

  else if (rc == FF_FREEZE && !f.deliver_manual_thaw)
    {
    f.deliver_freeze = TRUE;
    deliver_frozen_at = time(NULL);
    process_recipients = RECIP_DEFER;
    frozen_info = string_sprintf(" by the system filter%s%s",
      filter_message ? US": " : US"",
      filter_message ? filter_message : US"");
    }

  /* The filter can request that a message be failed. The error message may be
  quite long - it is sent back to the sender in the bounce - but we don't want
  to fill up the log with repetitions of it. If it starts with << then the text
  between << and >> is written to the log, with the rest left for the bounce
  message. */

  else if (rc == FF_FAIL)
    {
    uschar *colon = US"";
    uschar *logmsg = US"";
    int loglen = 0;

    process_recipients = RECIP_FAIL_FILTER;

    if (filter_message)
      {
      uschar *logend;
      colon = US": ";
      if (  filter_message[0] == '<'
         && filter_message[1] == '<'
         && (logend = Ustrstr(filter_message, ">>"))
         )
        {
        logmsg = filter_message + 2;
        loglen = logend - logmsg;
        filter_message = logend + 2;
        if (filter_message[0] == 0) filter_message = NULL;
        }
      else
        {
        logmsg = filter_message;
        loglen = Ustrlen(filter_message);
        }
      }

    log_write(0, LOG_MAIN, "cancelled by system filter%s%.*s", colon, loglen,
      logmsg);
    }

  /* Delivery can be restricted only to those recipients (if any) that the
  filter specified. */

  else if (rc == FF_DELIVERED)
    {
    process_recipients = RECIP_IGNORE;
    if (addr_new)
      log_write(0, LOG_MAIN, "original recipients ignored (system filter)");
    else
      log_write(0, LOG_MAIN, "=> discarded (system filter)");
    }

  /* If any new addresses were created by the filter, fake up a "parent"
  for them. This is necessary for pipes, etc., which are expected to have
  parents, and it also gives some sensible logging for others. Allow
  pipes, files, and autoreplies, and run them as the filter uid if set,
  otherwise as the current uid. */

  if (addr_new)
    {
    int uid = system_filter_uid_set ? system_filter_uid : geteuid();
    int gid = system_filter_gid_set ? system_filter_gid : getegid();

    /* The text "system-filter" is tested in transport_set_up_command() and in
    set_up_shell_command() in the pipe transport, to enable them to permit
    $recipients, so don't change it here without also changing it there. */

    address_item *p = addr_new;
    address_item *parent = deliver_make_addr(US"system-filter", FALSE);

    parent->domain = string_copylc(qualify_domain_recipient);
    parent->local_part = US"system-filter";

    /* As part of this loop, we arrange for addr_last to end up pointing
    at the final address. This is used if we go on to add addresses for the
    original recipients. */

    while (p)
      {
      if (parent->child_count == USHRT_MAX)
        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "system filter generated more "
          "than %d delivery addresses", USHRT_MAX);
      parent->child_count++;
      p->parent = parent;

      if (testflag(p, af_pfr))
        {
        uschar *tpname;
        uschar *type;
        p->uid = uid;
        p->gid = gid;
        setflag(p, af_uid_set);
        setflag(p, af_gid_set);
        setflag(p, af_allow_file);
        setflag(p, af_allow_pipe);
        setflag(p, af_allow_reply);

        /* Find the name of the system filter's appropriate pfr transport */

        if (p->address[0] == '|')
          {
          type = US"pipe";
          GET_OPTION("system_filter_pipe_transport");
          tpname = system_filter_pipe_transport;
          address_pipe = p->address;
          }
        else if (p->address[0] == '>')
          {
          type = US"reply";
          GET_OPTION("system_filter_reply_transport");
          tpname = system_filter_reply_transport;
          }
        else
          {
          if (p->address[Ustrlen(p->address)-1] == '/')
            {
            type = US"directory";
            GET_OPTION("system_filter_directory_transport");
            tpname = system_filter_directory_transport;
            }
          else
            {
            type = US"file";
            GET_OPTION("system_filter_file_transport");
            tpname = system_filter_file_transport;
            }
          address_file = p->address;
          }

        /* Now find the actual transport, first expanding the name. We have
        set address_file or address_pipe above. */

        if (tpname)
          {
          uschar *tmp = expand_string(tpname);
          address_file = address_pipe = NULL;
          if (!tmp)
            p->message = string_sprintf("failed to expand \"%s\" as a "
              "system filter transport name", tpname);
          if (is_tainted(tmp))
            p->message = string_sprintf("attempt to used tainted value '%s' for"
              "transport '%s' as a system filter", tmp, tpname);
          tpname = tmp;
          }
        else
          p->message = string_sprintf("system_filter_%s_transport is unset",
            type);

        if (tpname)
          {
          transport_instance *tp;
          for (tp = transports; tp; tp = tp->next)
            if (Ustrcmp(tp->name, tpname) == 0)
              { p->transport = tp; break; }
          if (!tp)
            p->message = string_sprintf("failed to find \"%s\" transport "
              "for system filter delivery", tpname);
          }

        /* If we couldn't set up a transport, defer the delivery, putting the
        error on the panic log as well as the main log. */

        if (!p->transport)
          {
          address_item * badp = p;
          p = p->next;
          if (!addr_last) addr_new = p; else addr_last->next = p;
          badp->local_part = badp->address;   /* Needed for log line */
          post_process_one(badp, DEFER, LOG_MAIN|LOG_PANIC, EXIM_DTYPE_ROUTER, 0);
          continue;
          }
        }    /* End of pfr handling */

      /* Either a non-pfr delivery, or we found a transport */

      DEBUG(D_deliver|D_filter)
        debug_printf("system filter added %s\n", p->address);

      addr_last = p;
      p = p->next;
      }    /* Loop through all addr_new addresses */
    }
  }


/* Scan the recipients list, and for every one that is not in the non-
recipients tree, add an addr item to the chain of new addresses. If the pno
value is non-negative, we must set the onetime parent from it. This which
points to the relevant entry in the recipients list.

This processing can be altered by the setting of the process_recipients
variable, which is changed if recipients are to be ignored, failed, or
deferred. This can happen as a result of system filter activity, or if the -Mg
option is used to fail all of them.

Duplicate addresses are handled later by a different tree structure; we can't
just extend the non-recipients tree, because that will be re-written to the
spool if the message is deferred, and in any case there are casing
complications for local addresses. */

if (process_recipients != RECIP_IGNORE)
  for (i = 0; i < recipients_count; i++)
    if (!tree_search(tree_nonrecipients, recipients_list[i].address))
      {
      recipient_item * r = recipients_list + i;
      address_item * new = deliver_make_addr(r->address, FALSE);

      new->prop.errors_address = r->errors_to;
#ifdef SUPPORT_I18N
      if ((new->prop.utf8_msg = message_smtputf8))
        {
        new->prop.utf8_downcvt =       message_utf8_downconvert == 1;
        new->prop.utf8_downcvt_maybe = message_utf8_downconvert == -1;
        DEBUG(D_deliver) debug_printf("utf8, downconvert %s\n",
          new->prop.utf8_downcvt ? "yes"
          : new->prop.utf8_downcvt_maybe ? "ifneeded"
          : "no");
        }
#endif

      if (r->pno >= 0)
        new->onetime_parent = recipients_list[r->pno].address;

      /* If DSN support is enabled, set the dsn flags and the original receipt
      to be passed on to other DSN enabled MTAs */

      new->dsn_flags = r->dsn_flags & rf_dsnflags;
      new->dsn_orcpt = r->orcpt;
      DEBUG(D_deliver) debug_printf("DSN: set orcpt: %s  flags: 0x%x\n",
        new->dsn_orcpt ? new->dsn_orcpt : US"", new->dsn_flags);

      switch (process_recipients)
        {
        /* RECIP_DEFER is set when a system filter freezes a message. */

        case RECIP_DEFER:
          new->next = addr_defer;
          addr_defer = new;
          break;


        /* RECIP_FAIL_FILTER is set when a system filter has obeyed a "fail"
        command. */

        case RECIP_FAIL_FILTER:
          new->message =
            filter_message ? filter_message : US"delivery cancelled";
          setflag(new, af_pass_message);
          goto RECIP_QUEUE_FAILED;   /* below */


        /* RECIP_FAIL_TIMEOUT is set when a message is frozen, but is older
        than the value in timeout_frozen_after. Treat non-bounce messages
        similarly to -Mg; for bounce messages we just want to discard, so
        don't put the address on the failed list. The timeout has already
        been logged. */

        case RECIP_FAIL_TIMEOUT:
          new->message  = US"delivery cancelled; message timed out";
          goto RECIP_QUEUE_FAILED;   /* below */


        /* RECIP_FAIL is set when -Mg has been used. */

        case RECIP_FAIL:
          new->message  = US"delivery cancelled by administrator";
          /* not setting af_pass_message here means that will not
          appear in the bounce message */
          /* Fall through */

        /* Common code for the failure cases above. If this is not a bounce
        message, put the address on the failed list so that it is used to
        create a bounce. Otherwise do nothing - this just discards the address.
        The incident has already been logged. */

        RECIP_QUEUE_FAILED:
          if (*sender_address)
            {
            new->next = addr_failed;
            addr_failed = new;
            }
        break;


        /* RECIP_FAIL_LOOP is set when there are too many Received: headers
        in the message. Process each address as a routing failure; if this
        is a bounce message, it will get frozen. */

        case RECIP_FAIL_LOOP:
          new->message = US"Too many \"Received\" headers - suspected mail loop";
          post_process_one(new, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
          break;


        /* Value should be RECIP_ACCEPT; take this as the safe default. */

        default:
          if (!addr_new) addr_new = new; else addr_last->next = new;
          addr_last = new;
          break;
        }

#ifndef DISABLE_EVENT
      if (process_recipients != RECIP_ACCEPT && event_action)
        {
        const uschar * save_local =  deliver_localpart;
        const uschar * save_domain = deliver_domain;
        const uschar * addr = new->address;
        uschar * errmsg = NULL;
        int start, end, dom;

        if (!parse_extract_address(addr, &errmsg, &start, &end, &dom, TRUE))
          log_write(0, LOG_MAIN|LOG_PANIC,
                "failed to parse address '%.100s': %s\n", addr, errmsg);
        else
          {
          deliver_localpart =
            string_copyn(addr+start, dom ? (dom-1) - start : end - start);
          deliver_domain = dom ? CUS string_copyn(addr+dom, end - dom) : CUS"";

          (void) event_raise(event_action, US"msg:fail:internal", new->message, NULL);

          deliver_localpart = save_local;
          deliver_domain = save_domain;
          }
        }
#endif
      }

DEBUG(D_deliver)
  {
  debug_printf("Delivery address list:\n");
  for (address_item * p = addr_new; p; p = p->next)
    debug_printf("  %s %s\n", p->address,
      p->onetime_parent ? p->onetime_parent : US"");
  }

/* Set up the buffers used for copying over the file when delivering. */

deliver_in_buffer = store_malloc(DELIVER_IN_BUFFER_SIZE);
deliver_out_buffer = store_malloc(DELIVER_OUT_BUFFER_SIZE);



/* Until there are no more new addresses, handle each one as follows:

 . If this is a generated address (indicated by the presence of a parent
   pointer) then check to see whether it is a pipe, file, or autoreply, and
   if so, handle it directly here. The router that produced the address will
   have set the allow flags into the address, and also set the uid/gid required.
   Having the routers generate new addresses and then checking them here at
   the outer level is tidier than making each router do the checking, and
   means that routers don't need access to the failed address queue.

 . Break up the address into local part and domain, and make lowercased
   versions of these strings. We also make unquoted versions of the local part.

 . Handle the percent hack for those domains for which it is valid.

 . For child addresses, determine if any of the parents have the same address.
   If so, generate a different string for previous delivery checking. Without
   this code, if the address spqr generates spqr via a forward or alias file,
   delivery of the generated spqr stops further attempts at the top level spqr,
   which is not what is wanted - it may have generated other addresses.

 . Check on the retry database to see if routing was previously deferred, but
   only if in a queue run. Addresses that are to be routed are put on the
   addr_route chain. Addresses that are to be deferred are put on the
   addr_defer chain. We do all the checking first, so as not to keep the
   retry database open any longer than necessary.

 . Now we run the addresses through the routers. A router may put the address
   on either the addr_local or the addr_remote chain for local or remote
   delivery, respectively, or put it on the addr_failed chain if it is
   undeliveable, or it may generate child addresses and put them on the
   addr_new chain, or it may defer an address. All the chain anchors are
   passed as arguments so that the routers can be called for verification
   purposes as well.

 . If new addresses have been generated by the routers, da capo.
*/

f.header_rewritten = FALSE;          /* No headers rewritten yet */
while (addr_new)           /* Loop until all addresses dealt with */
  {
  address_item * addr, * parent;

  /* Failure to open the retry database is treated the same as if it does
  not exist. In both cases, dbm_file is NULL.  For the first stage of a 2-phase
  queue run don't bother checking domain- or address-retry info; they will take
  effect on the second stage. */

  if (f.queue_2stage)
    dbm_file = NULL;
  else
    {
    /* If we have transaction-capable hintsdbs, open the retry db without
    locking, and leave open for the transport process and for subsequent
    deliveries. Use a writeable open as we can keep it open all the way through
    to writing retry records if needed due to message fails.
    If the open fails, tag that explicitly for the transport but retry the open
    next time around, in case it was created in the interim.
    If non-transaction, we are only reading records at this stage and
    we close the db before running the transport.
    Either way we do a non-creating open. */

    if (continue_retry_db == (open_db *)-1)
      continue_retry_db = NULL;

    if (continue_retry_db)
      {
      DEBUG(D_hints_lookup) debug_printf("using cached retry hintsdb handle\n");
      dbm_file = continue_retry_db;
      }
    else if (!exim_lockfile_needed())
      {
      dbm_file = dbfn_open_multi(US"retry", O_RDWR, &dbblock);
      continue_retry_db = dbm_file ? dbm_file : (open_db *)-1;
      }
    else
      dbm_file = dbfn_open(US"retry", O_RDONLY, &dbblock, FALSE, TRUE);

    if (!dbm_file)
      DEBUG(D_deliver|D_retry|D_route|D_hints_lookup)
        debug_printf("no retry data available\n");
    }

  /* Scan the current batch of new addresses, to handle pipes, files and
  autoreplies, and determine which others are ready for routing. */

  while (addr_new)
    {
    int rc;
    tree_node * tnode;
    dbdata_retry * domain_retry_record = NULL, * address_retry_record = NULL;

    addr = addr_new;
    addr_new = addr->next;

    DEBUG(D_deliver|D_retry|D_route)
      {
      debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
      debug_printf("Considering: %s\n", addr->address);
      }

    /* Handle generated address that is a pipe or a file or an autoreply. */

    if (testflag(addr, af_pfr))
      {
      /* If an autoreply in a filter could not generate a syntactically valid
      address, give up forthwith. Set af_ignore_error so that we don't try to
      generate a bounce. */

      if (testflag(addr, af_bad_reply))
        {
        addr->basic_errno = ERRNO_BADADDRESS2;
        addr->local_part = addr->address;
        addr->message =
          US"filter autoreply generated syntactically invalid recipient";
        addr->prop.ignore_error = TRUE;
        (void) post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
        continue;   /* with the next new address */
        }

      /* If two different users specify delivery to the same pipe or file or
      autoreply, there should be two different deliveries, so build a unique
      string that incorporates the original address, and use this for
      duplicate testing and recording delivery, and also for retrying. */

      addr->unique =
        string_sprintf("%s:%s", addr->address, addr->parent->unique +
          (testflag(addr->parent, af_homonym) ? 3:0));

      addr->address_retry_key = addr->domain_retry_key =
        string_sprintf("T:%s", addr->unique);

      /* If a filter file specifies two deliveries to the same pipe or file,
      we want to de-duplicate, but this is probably not wanted for two mail
      commands to the same address, where probably both should be delivered.
      So, we have to invent a different unique string in that case. Just
      keep piling '>' characters on the front. */

      if (addr->address[0] == '>')
        while (tree_search(tree_duplicates, addr->unique))
          addr->unique = string_sprintf(">%s", addr->unique);

      else if ((tnode = tree_search(tree_duplicates, addr->unique)))
        {
        DEBUG(D_deliver|D_route)
          debug_printf("%s is a duplicate address: discarded\n", addr->address);
        addr->dupof = tnode->data.ptr;
        addr->next = addr_duplicate;
        addr_duplicate = addr;
        continue;
        }

      DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);

      /* Check for previous delivery */

      if (tree_search(tree_nonrecipients, addr->unique))
        {
        DEBUG(D_deliver|D_route)
          debug_printf("%s was previously delivered: discarded\n", addr->address);
        child_done(addr, tod_stamp(tod_log));
        continue;
        }

      /* Save for checking future duplicates */

      tree_add_duplicate(addr->unique, addr);

      /* Set local part and domain */

      addr->local_part = addr->address;
      addr->domain = addr->parent->domain;

      /* Ensure that the delivery is permitted. */

      if (testflag(addr, af_file))
        {
        if (!testflag(addr, af_allow_file))
          {
          addr->basic_errno = ERRNO_FORBIDFILE;
          addr->message = US"delivery to file forbidden";
          (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
          continue;   /* with the next new address */
          }
        }
      else if (addr->address[0] == '|')
        {
        if (!testflag(addr, af_allow_pipe))
          {
          addr->basic_errno = ERRNO_FORBIDPIPE;
          addr->message = US"delivery to pipe forbidden";
          (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
          continue;   /* with the next new address */
          }
        }
      else if (!testflag(addr, af_allow_reply))
        {
        addr->basic_errno = ERRNO_FORBIDREPLY;
        addr->message = US"autoreply forbidden";
        (void)post_process_one(addr, FAIL, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
        continue;     /* with the next new address */
        }

      /* If the errno field is already set to BADTRANSPORT, it indicates
      failure to expand a transport string, or find the associated transport,
      or an unset transport when one is required. Leave this test till now so
      that the forbid errors are given in preference. */

      if (addr->basic_errno == ERRNO_BADTRANSPORT)
        {
        (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
        continue;
        }

      /* Treat /dev/null as a special case and abandon the delivery. This
      avoids having to specify a uid on the transport just for this case.
      Arrange for the transport name to be logged as "**bypassed**".
      Copy the transport for this fairly unusual case rather than having
      to make all transports mutable. */

      if (Ustrcmp(addr->address, "/dev/null") == 0)
        {
        transport_instance * save_t = addr->transport;
        transport_instance * t = store_get(sizeof(*t), save_t);
        *t = *save_t;
        t->name = US"**bypassed**";
        addr->transport = t;
        (void)post_process_one(addr, OK, LOG_MAIN, EXIM_DTYPE_TRANSPORT, '=');
        addr->transport= save_t;
        continue;   /* with the next new address */
        }

      /* Pipe, file, or autoreply delivery is to go ahead as a normal local
      delivery. */

      DEBUG(D_deliver|D_route)
        debug_printf("queued for %s transport\n", addr->transport->name);
      addr->next = addr_local;
      addr_local = addr;
      continue;       /* with the next new address */
      }

    /* Handle normal addresses. First, split up into local part and domain,
    handling the %-hack if necessary. There is the possibility of a defer from
    a lookup in percent_hack_domains. */

    if ((rc = deliver_split_address(addr)) == DEFER)
      {
      addr->message = US"cannot check percent_hack_domains";
      addr->basic_errno = ERRNO_LISTDEFER;
      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
      continue;
      }

    /* Check to see if the domain is held. If so, proceed only if the
    delivery was forced by hand. */

    deliver_domain = addr->domain;  /* set $domain */
    if (  !forced && hold_domains
       && (rc = match_isinlist(addr->domain, (const uschar **)&hold_domains, 0,
           &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE,
           NULL)) != FAIL
       )
      {
      if (rc == DEFER)
        {
        addr->message = US"hold_domains lookup deferred";
        addr->basic_errno = ERRNO_LISTDEFER;
        }
      else
        {
        addr->message = US"domain is held";
        addr->basic_errno = ERRNO_HELD;
        }
      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_NONE, 0);
      continue;
      }

    /* Now we can check for duplicates and previously delivered addresses. In
    order to do this, we have to generate a "unique" value for each address,
    because there may be identical actual addresses in a line of descendents.
    The "unique" field is initialized to the same value as the "address" field,
    but gets changed here to cope with identically-named descendents. */

    for (parent = addr->parent; parent; parent = parent->parent)
      if (strcmpic(addr->address, parent->address) == 0) break;

    /* If there's an ancestor with the same name, set the homonym flag. This
    influences how deliveries are recorded. Then add a prefix on the front of
    the unique address. We use \n\ where n starts at 0 and increases each time.
    It is unlikely to pass 9, but if it does, it may look odd but will still
    work. This means that siblings or cousins with the same names are treated
    as duplicates, which is what we want. */

    if (parent)
      {
      setflag(addr, af_homonym);
      if (parent->unique[0] != '\\')
        addr->unique = string_sprintf("\\0\\%s", addr->address);
      else
        addr->unique = string_sprintf("\\%c\\%s", parent->unique[1] + 1,
          addr->address);
      }

    /* Ensure that the domain in the unique field is lower cased, because
    domains are always handled caselessly. */

    for (uschar * p = Ustrrchr(addr->unique, '@'); *p; p++) *p = tolower(*p);

    DEBUG(D_deliver|D_route) debug_printf("unique = %s\n", addr->unique);

    if (tree_search(tree_nonrecipients, addr->unique))
      {
      DEBUG(D_deliver|D_route)
        debug_printf("%s was previously delivered: discarded\n", addr->unique);
      child_done(addr, tod_stamp(tod_log));
      continue;
      }

    if (f.queue_2stage)
      {
      DEBUG(D_deliver)
        debug_printf_indent("no router retry check (ph1 qrun)\n");
      }
    else
      {
      /* Get the routing retry status, saving the two retry keys (with and
      without the local part) for subsequent use. If there is no retry record
      for the standard address routing retry key, we look for the same key with
      the sender attached, because this form is used by the smtp transport after
      a 4xx response to RCPT when address_retry_include_sender is true. */

      DEBUG(D_deliver|D_retry)
        {
        debug_printf_indent("checking router retry status\n");
        acl_level++;
        }
      addr->domain_retry_key = string_sprintf("R:%s", addr->domain);
      addr->address_retry_key = string_sprintf("R:%s@%s", addr->local_part,
        addr->domain);

      if (dbm_file)
        {
        domain_retry_record = dbfn_read(dbm_file, addr->domain_retry_key);
        if (  domain_retry_record
           && now - domain_retry_record->time_stamp > retry_data_expire
           )
          {
          DEBUG(D_deliver|D_retry)
            debug_printf_indent("domain retry record present but expired\n");
          domain_retry_record = NULL;    /* Ignore if too old */
          }

        address_retry_record = dbfn_read(dbm_file, addr->address_retry_key);
        if (  address_retry_record
           && now - address_retry_record->time_stamp > retry_data_expire
           )
          {
          DEBUG(D_deliver|D_retry)
            debug_printf_indent("address retry record present but expired\n");
          address_retry_record = NULL;   /* Ignore if too old */
          }

        if (!address_retry_record)
          {
          uschar *altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
            sender_address);
          address_retry_record = dbfn_read(dbm_file, altkey);
          if (  address_retry_record
             && now - address_retry_record->time_stamp > retry_data_expire)
            {
            DEBUG(D_deliver|D_retry)
              debug_printf_indent("address<sender> retry record present but expired\n");
            address_retry_record = NULL;   /* Ignore if too old */
            }
          }
        }

      DEBUG(D_deliver|D_retry)
        {
        if (!domain_retry_record)
          debug_printf_indent("no   domain  retry record\n");
        else
          debug_printf_indent("have domain  retry record; next_try = now%+d\n",
                        f.running_in_test_harness ? 0 :
                        (int)(domain_retry_record->next_try - now));

        if (!address_retry_record)
          debug_printf_indent("no   address retry record\n");
        else
          debug_printf_indent("have address retry record; next_try = now%+d\n",
                        f.running_in_test_harness ? 0 :
                        (int)(address_retry_record->next_try - now));
        acl_level--;
        }
      }

    /* If we are sending a message down an existing SMTP connection, we must
    assume that the message which created the connection managed to route
    an address to that connection. We do not want to run the risk of taking
    a long time over routing here, because if we do, the server at the other
    end of the connection may time it out. This is especially true for messages
    with lots of addresses. For this kind of delivery, queue_running is not
    set, so we would normally route all addresses. We take a pragmatic approach
    and defer routing any addresses that have any kind of domain retry record.
    That is, we don't even look at their retry times. It doesn't matter if this
    doesn't work occasionally. This is all just an optimization, after all.

    The reason for not doing the same for address retries is that they normally
    arise from 4xx responses, not DNS timeouts. */

    if (continue_hostname && domain_retry_record)
      {
      addr->message = US"reusing SMTP connection skips previous routing defer";
      addr->basic_errno = ERRNO_RRETRY;
      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);

      addr->message = domain_retry_record->text;
      setflag(addr, af_pass_message);
      }

    /* If we are in a queue run, defer routing unless there is no retry data or
    we've passed the next retry time, or this message is forced. In other
    words, ignore retry data when not in a queue run.

    However, if the domain retry time has expired, always allow the routing
    attempt. If it fails again, the address will be failed. This ensures that
    each address is routed at least once, even after long-term routing
    failures.

    If there is an address retry, check that too; just wait for the next
    retry time. This helps with the case when the temporary error on the
    address was really message-specific rather than address specific, since
    it allows other messages through.

    We also wait for the next retry time if this is a message sent down an
    existing SMTP connection (even though that will be forced). Otherwise there
    will be far too many attempts for an address that gets a 4xx error. In
    fact, after such an error, we should not get here because, the host should
    not be remembered as one this message needs. However, there was a bug that
    used to cause this to  happen, so it is best to be on the safe side.

    Even if we haven't reached the retry time in the hints, there is one more
    check to do, which is for the ultimate address timeout. We only do this
    check if there is an address retry record and there is not a domain retry
    record; this implies that previous attempts to handle the address had the
    retry_use_local_parts option turned on. We use this as an approximation
    for the destination being like a local delivery, for example delivery over
    LMTP to an IMAP message store. In this situation users are liable to bump
    into their quota and thereby have intermittently successful deliveries,
    which keep the retry record fresh, which can lead to us perpetually
    deferring messages. */

    else if (  (  f.queue_running && !f.deliver_force
               || continue_hostname
               )
            && (  (  domain_retry_record
                  && now < domain_retry_record->next_try
                  && !domain_retry_record->expired
                  )
               || (  address_retry_record
                  && now < address_retry_record->next_try
               )  )
            && (  domain_retry_record
               || !address_retry_record
               || !retry_ultimate_address_timeout(addr->address_retry_key,
                                 addr->domain, address_retry_record, now)
            )  )
      {
      addr->message = US"retry time not reached";
      addr->basic_errno = ERRNO_RRETRY;
      (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);

      /* For remote-retry errors (here and just above) that we've not yet
      hit the retry time, use the error recorded in the retry database
      as info in the warning message.  This lets us send a message even
      when we're not failing on a fresh attempt.  We assume that this
      info is not sensitive. */

      addr->message = domain_retry_record
        ? domain_retry_record->text : address_retry_record->text;
      setflag(addr, af_pass_message);
      }

    /* The domain is OK for routing. Remember if retry data exists so it
    can be cleaned up after a successful delivery. */

    else
      {
      if (domain_retry_record || address_retry_record)
        setflag(addr, af_dr_retry_exists);
      addr->next = addr_route;
      addr_route = addr;
      DEBUG(D_deliver|D_route)
        debug_printf("%s: queued for routing\n", addr->address);
      }
    }

  /* If not transaction-capable, the database is closed while routing is
  actually happening. Requests to update it are put on a chain and all processed
  together at the end. */

  if (dbm_file)
    if (exim_lockfile_needed())
      { dbfn_close(dbm_file); dbm_file = NULL; }
    else
      DEBUG(D_hints_lookup) debug_printf("retaining retry hintsdb handle\n");

  /* If queue_domains is set, we don't even want to try routing addresses in
  those domains. During queue runs, queue_domains is forced to be unset.
  Optimize by skipping this pass through the addresses if nothing is set. */

  if (!f.deliver_force && queue_domains)
    {
    address_item *okaddr = NULL;
    while (addr_route)
      {
      address_item *addr = addr_route;
      addr_route = addr->next;

      deliver_domain = addr->domain;  /* set $domain */
      if ((rc = match_isinlist(addr->domain, CUSS &queue_domains, 0,
            &domainlist_anchor, addr->domain_cache, MCL_DOMAIN, TRUE, NULL))
              != OK)
        if (rc == DEFER)
          {
          addr->basic_errno = ERRNO_LISTDEFER;
          addr->message = US"queue_domains lookup deferred";
          (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
          }
        else
          {
          addr->next = okaddr;
          okaddr = addr;
          }
      else
        {
        addr->basic_errno = ERRNO_QUEUE_DOMAIN;
        addr->message = US"domain is in queue_domains";
        (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
        }
      }

    addr_route = okaddr;
    }

  /* Now route those addresses that are not deferred. */

  while (addr_route)
    {
    int rc;
    address_item *addr = addr_route;
    const uschar *old_domain = addr->domain;
    uschar *old_unique = addr->unique;
    addr_route = addr->next;
    addr->next = NULL;

    /* Just in case some router parameter refers to it. */

    if (!(return_path = addr->prop.errors_address))
      return_path = sender_address;

    /* If a router defers an address, add a retry item. Whether or not to
    use the local part in the key is a property of the router. */

    if ((rc = route_address(addr, &addr_local, &addr_remote, &addr_new,
         &addr_succeed, v_none)) == DEFER)
      retry_add_item(addr,
        addr->router->retry_use_local_part
          ? string_sprintf("R:%s@%s", addr->local_part, addr->domain)
          : string_sprintf("R:%s", addr->domain),
        0);

    /* Otherwise, if there is an existing retry record in the database, add
    retry items to delete both forms. We must also allow for the possibility
    of a routing retry that includes the sender address. Since the domain might
    have been rewritten (expanded to fully qualified) as a result of routing,
    ensure that the rewritten form is also deleted. */

    else if (testflag(addr, af_dr_retry_exists))
      {
      uschar * altkey = string_sprintf("%s:<%s>", addr->address_retry_key,
        sender_address);
      retry_add_item(addr, altkey, rf_delete);
      retry_add_item(addr, addr->address_retry_key, rf_delete);
      retry_add_item(addr, addr->domain_retry_key, rf_delete);
      if (Ustrcmp(addr->domain, old_domain) != 0)
        retry_add_item(addr, string_sprintf("R:%s", old_domain), rf_delete);
      }

    /* DISCARD is given for :blackhole: and "seen finish". The event has been
    logged, but we need to ensure the address (and maybe parents) is marked
    done. */

    if (rc == DISCARD)
      {
      address_done(addr, tod_stamp(tod_log));
      continue;  /* route next address */
      }

    /* The address is finished with (failed or deferred). */

    if (rc != OK)
      {
      (void)post_process_one(addr, rc, LOG_MAIN, EXIM_DTYPE_ROUTER, 0);
      continue;  /* route next address */
      }

    /* The address has been routed. If the router changed the domain, it will
    also have changed the unique address. We have to test whether this address
    has already been delivered, because it's the unique address that finally
    gets recorded. */

    if (  addr->unique != old_unique
       && tree_search(tree_nonrecipients, addr->unique) != 0
       )
      {
      DEBUG(D_deliver|D_route) debug_printf("%s was previously delivered: "
        "discarded\n", addr->address);
      if (addr_remote == addr) addr_remote = addr->next;
      else if (addr_local == addr) addr_local = addr->next;
      }

    /* If the router has same_domain_copy_routing set, we are permitted to copy
    the routing for any other addresses with the same domain. This is an
    optimisation to save repeated DNS lookups for "standard" remote domain
    routing. The option is settable only on routers that generate host lists.
    We play it very safe, and do the optimization only if the address is routed
    to a remote transport, there are no header changes, and the domain was not
    modified by the router. */

    if (  addr_remote == addr
       && addr->router->same_domain_copy_routing
       && !addr->prop.extra_headers
       && !addr->prop.remove_headers
       && old_domain == addr->domain
       )
      {
      address_item **chain = &addr_route;
      while (*chain)
        {
        address_item *addr2 = *chain;
        if (Ustrcmp(addr2->domain, addr->domain) != 0)
          {
          chain = &(addr2->next);
          continue;
          }

        /* Found a suitable address; take it off the routing list and add it to
        the remote delivery list. */

        *chain = addr2->next;
        addr2->next = addr_remote;
        addr_remote = addr2;

        /* Copy the routing data */

        addr2->domain = addr->domain;
        addr2->router = addr->router;
        addr2->transport = addr->transport;
        addr2->host_list = addr->host_list;
        addr2->fallback_hosts = addr->fallback_hosts;
        addr2->prop.errors_address = addr->prop.errors_address;
        copyflag(addr2, addr, af_hide_child);
        copyflag(addr2, addr, af_local_host_removed);

        DEBUG(D_deliver|D_route)
          debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n"
                       "routing %s\n"
                       "Routing for %s copied from %s\n",
            addr2->address, addr2->address, addr->address);
        }
      }
    }  /* Continue with routing the next address. */
  }    /* Loop to process any child addresses that the routers created, and
       any rerouted addresses that got put back on the new chain. */

/* Debugging: show the results of the routing */

DEBUG(D_deliver|D_retry|D_route)
  {
  debug_printf(">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n");
  debug_printf("After routing:\n  Local deliveries:\n");
  for (address_item * p = addr_local; p; p = p->next)
    debug_printf("    %s\n", p->address);

  debug_printf("  Remote deliveries:\n");
  for (address_item * p = addr_remote; p; p = p->next)
    debug_printf("    %s\n", p->address);

  debug_printf("  Failed addresses:\n");
  for (address_item * p = addr_failed; p; p = p->next)
    debug_printf("    %s\n", p->address);

  debug_printf("  Deferred addresses:\n");
  for (address_item * p = addr_defer; p; p = p->next)
    debug_printf("    %s\n", p->address);
  }

/* Free any resources that were cached during routing. */

search_tidyup();
route_tidyup();

/* These two variables are set only during routing, after check_local_user.
Ensure they are not set in transports. */

local_user_gid = (gid_t)(-1);
local_user_uid = (uid_t)(-1);

/* Check for any duplicate addresses. This check is delayed until after
routing, because the flexibility of the routing configuration means that
identical addresses with different parentage may end up being redirected to
different addresses. Checking for duplicates too early (as we previously used
to) makes this kind of thing not work. */

do_duplicate_check(&addr_local);
do_duplicate_check(&addr_remote);

/* When acting as an MUA wrapper, we proceed only if all addresses route to a
remote transport. The check that they all end up in one transaction happens in
the do_remote_deliveries() function. */

if (  mua_wrapper
   && (addr_local || addr_failed || addr_defer)
   )
  {
  address_item *addr;
  uschar *which, *colon, *msg;

  if (addr_local)
    {
    addr = addr_local;
    which = US"local";
    }
  else if (addr_defer)
    {
    addr = addr_defer;
    which = US"deferred";
    }
  else
    {
    addr = addr_failed;
    which = US"failed";
    }

  while (addr->parent) addr = addr->parent;

  if (addr->message)
    {
    colon = US": ";
    msg = addr->message;
    }
  else colon = msg = US"";

  /* We don't need to log here for a forced failure as it will already
  have been logged. Defer will also have been logged, but as a defer, so we do
  need to do the failure logging. */

  if (addr != addr_failed)
    log_write(0, LOG_MAIN, "** %s routing yielded a %s delivery",
      addr->address, which);

  /* Always write an error to the caller */

  fprintf(stderr, "routing %s yielded a %s delivery%s%s\n", addr->address,
    which, colon, msg);

  final_yield = DELIVER_MUA_FAILED;
  addr_failed = addr_defer = NULL;   /* So that we remove the message */
  goto DELIVERY_TIDYUP;
  }


/* If this is a run to continue deliveries to an external channel that is
already set up, defer any local deliveries because we are handling remotes.

To avoid delaying a local when combined with a callout-hold for a remote
delivery, test continue_sequence rather than continue_transport. */

if (continue_sequence > 1 && addr_local)
  {
  DEBUG(D_deliver|D_retry|D_route)
    debug_printf("deferring local deliveries due to continued-transport\n");
  if (addr_defer)
    {
    address_item * addr = addr_defer;
    while (addr->next) addr = addr->next;
    addr->next = addr_local;
    }
  else
    addr_defer = addr_local;
  addr_local = NULL;
  }


/* Because address rewriting can happen in the routers, we should not really do
ANY deliveries until all addresses have been routed, so that all recipients of
the message get the same headers. However, this is in practice not always
possible, since sometimes remote addresses give DNS timeouts for days on end.
The pragmatic approach is to deliver what we can now, saving any rewritten
headers so that at least the next lot of recipients benefit from the rewriting
that has already been done.

If any headers have been rewritten during routing, update the spool file to
remember them for all subsequent deliveries. This can be delayed till later if
there is only address to be delivered - if it succeeds the spool write need not
happen. */

if (  f.header_rewritten
   && (  addr_local && (addr_local->next || addr_remote)
      || addr_remote && addr_remote->next
   )  )
  {
  /* Panic-dies on error */
  (void)spool_write_header(message_id, SW_DELIVERING, NULL);
  f.header_rewritten = FALSE;
  }


/* If there are any deliveries to do and we do not already have the journal
file, create it. This is used to record successful deliveries as soon as
possible after each delivery is known to be complete. A file opened with
O_APPEND is used so that several processes can run simultaneously.

The journal is just insurance against crashes. When the spool file is
ultimately updated at the end of processing, the journal is deleted. If a
journal is found to exist at the start of delivery, the addresses listed
therein are added to the non-recipients. */

if (addr_local || addr_remote)
  {
  if (journal_fd < 0)
    {
    uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");

    if ((journal_fd = Uopen(fname,
              EXIM_CLOEXEC | O_WRONLY|O_APPEND|O_CREAT|O_EXCL, SPOOL_MODE)) < 0)
      {
      log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't open journal file %s: %s",
        fname, strerror(errno));
      return DELIVER_NOT_ATTEMPTED;
      }

    /* Set the close-on-exec flag, make the file owned by Exim, and ensure
    that the mode is correct - the group setting doesn't always seem to get
    set automatically. */

    if(  exim_fchown(journal_fd, exim_uid, exim_gid, fname)
      || fchmod(journal_fd, SPOOL_MODE)
#ifndef O_CLOEXEC
      || fcntl(journal_fd, F_SETFD, fcntl(journal_fd, F_GETFD) | FD_CLOEXEC)
#endif
      )
      {
      int ret = Uunlink(fname);
      log_write(0, LOG_MAIN|LOG_PANIC, "Couldn't set perms on journal file %s: %s",
        fname, strerror(errno));
      if(ret  &&  errno != ENOENT)
        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
          fname, strerror(errno));
      return DELIVER_NOT_ATTEMPTED;
      }
    }
  }
else if (journal_fd >= 0)
  {
  close(journal_fd);
  journal_fd = -1;
  }



/* Now we can get down to the business of actually doing deliveries. Local
deliveries are done first, then remote ones. If ever the problems of how to
handle fallback transports are figured out, this section can be put into a loop
for handling fallbacks, though the uid switching will have to be revised. */

/* Precompile a regex that is used to recognize a parameter in response
to an LHLO command, if is isn't already compiled. This may be used on both
local and remote LMTP deliveries. */

if (!regex_IGNOREQUOTA)
  regex_IGNOREQUOTA =
    regex_must_compile(US"\\n250[\\s\\-]IGNOREQUOTA(\\s|\\n|$)", MCS_NOFLAGS, TRUE);

/* Handle local deliveries */

if (addr_local)
  {
  DEBUG(D_deliver|D_transport)
    debug_printf(">>>>>>>>>>>>>>>> Local deliveries >>>>>>>>>>>>>>>>\n");
  do_local_deliveries();
  f.disable_logging = FALSE;
  }

/* If queue_run_local is set, we do not want to attempt any remote deliveries,
so just queue them all. */

if (f.queue_run_local)
  while (addr_remote)
    {
    address_item *addr = addr_remote;
    addr_remote = addr->next;
    addr->next = NULL;
    addr->basic_errno = ERRNO_LOCAL_ONLY;
    addr->message = US"remote deliveries suppressed";
    (void)post_process_one(addr, DEFER, LOG_MAIN, EXIM_DTYPE_TRANSPORT, 0);
    }

/* Handle remote deliveries */

if (addr_remote)
  {
  DEBUG(D_deliver|D_transport)
    debug_printf(">>>>>>>>>>>>>>>> Remote deliveries >>>>>>>>>>>>>>>>\n");

  /* Precompile some regex that are used to recognize parameters in response
  to an EHLO command, if they aren't already compiled. */

  smtp_deliver_init();

  /* Now sort the addresses if required, and do the deliveries. The yield of
  do_remote_deliveries is FALSE when mua_wrapper is set and all addresses
  cannot be delivered in one transaction. */

  if (remote_sort_domains) sort_remote_deliveries();
  if (!do_remote_deliveries(FALSE))
    {
    log_write(0, LOG_MAIN, "** mua_wrapper is set but recipients cannot all "
      "be delivered in one transaction");
    fprintf(stderr, "delivery to smarthost failed (configuration problem)\n");

    final_yield = DELIVER_MUA_FAILED;
    addr_failed = addr_defer = NULL;   /* So that we remove the message */
    goto DELIVERY_TIDYUP;
    }

  /* See if any of the addresses that failed got put on the queue for delivery
  to their fallback hosts. We do it this way because often the same fallback
  host is used for many domains, so all can be sent in a single transaction
  (if appropriately configured). */

  if (addr_fallback && !mua_wrapper)
    {
    DEBUG(D_deliver) debug_printf("Delivering to fallback hosts\n");
    addr_remote = addr_fallback;
    addr_fallback = NULL;
    if (remote_sort_domains) sort_remote_deliveries();
    do_remote_deliveries(TRUE);
    }
  f.disable_logging = FALSE;
  }


/* All deliveries are now complete. Ignore SIGTERM during this tidying up
phase, to minimize cases of half-done things. */

DEBUG(D_deliver)
  debug_printf(">>>>>>>>>>>>>>>> deliveries are done >>>>>>>>>>>>>>>>\n");
cancel_cutthrough_connection(TRUE, US"deliveries are done");

/* Root privilege is no longer needed */

exim_setugid(exim_uid, exim_gid, FALSE, US"post-delivery tidying");

set_process_info("tidying up after delivering %s", message_id);
signal(SIGTERM, SIG_IGN);

/* When we are acting as an MUA wrapper, the smtp transport will either have
succeeded for all addresses, or failed them all in normal cases. However, there
are some setup situations (e.g. when a named port does not exist) that cause an
immediate exit with deferral of all addresses. Convert those into failures. We
do not ever want to retry, nor do we want to send a bounce message. */

if (mua_wrapper)
  {
  if (addr_defer)
    {
    address_item * nextaddr;
    for (address_item * addr = addr_defer; addr; addr = nextaddr)
      {
      log_write(0, LOG_MAIN, "** %s mua_wrapper forced failure for deferred "
        "delivery", addr->address);
      nextaddr = addr->next;
      addr->next = addr_failed;
      addr_failed = addr;
      }
    addr_defer = NULL;
    }

  /* Now all should either have succeeded or failed. */

  if (!addr_failed)
    final_yield = DELIVER_MUA_SUCCEEDED;
  else
    {
    host_item * host;
    uschar *s = addr_failed->user_message;

    if (!s) s = addr_failed->message;

    fprintf(stderr, "Delivery failed: ");
    if (addr_failed->basic_errno > 0)
      {
      fprintf(stderr, "%s", strerror(addr_failed->basic_errno));
      if (s) fprintf(stderr, ": ");
      }
    if ((host = addr_failed->host_used))
      fprintf(stderr, "H=%s [%s]: ", host->name, host->address);
    if (s)
      fprintf(stderr, "%s", CS s);
    else if (addr_failed->basic_errno <= 0)
      fprintf(stderr, "unknown error");
    fprintf(stderr, "\n");

    final_yield = DELIVER_MUA_FAILED;
    addr_failed = NULL;
    }
  }

/* In a normal configuration, we now update the retry database. This is done in
one fell swoop at the end in order not to keep opening and closing (and
locking) the database (at least, for non-transaction-capable DBs.
The code for handling retries is hived off into a separate module for
convenience. We pass it the addresses of the various chains,
because deferred addresses can get moved onto the failed chain if the
retry cutoff time has expired for all alternative destinations. Bypass the
updating of the database if the -N flag is set, which is a debugging thing that
prevents actual delivery. */

else if (!f.dont_deliver)
  retry_update(&addr_defer, &addr_failed, &addr_succeed);

/* Send DSN for successful messages if requested */

maybe_send_dsn(addr_succeed);

/* If any addresses failed, we must send a message to somebody, unless
af_ignore_error is set, in which case no action is taken. It is possible for
several messages to get sent if there are addresses with different
requirements. */

while (addr_failed)
  {
  const uschar * logtod = tod_stamp(tod_log);
  address_item * addr;

  /* There are weird cases when logging is disabled in the transport. However,
  there may not be a transport (address failed by a router). */

  f.disable_logging = FALSE;
  if (addr_failed->transport)
    f.disable_logging = addr_failed->transport->disable_logging;

  DEBUG(D_deliver)
    debug_printf("processing failed address %s\n", addr_failed->address);

  /* There are only two ways an address in a bounce message can get here:

  (1) When delivery was initially deferred, but has now timed out (in the call
      to retry_update() above). We can detect this by testing for
      af_retry_timedout. If the address does not have its own errors address,
      we arrange to ignore the error.

  (2) If delivery failures for bounce messages are being ignored. We can detect
      this by testing for af_ignore_error. This will also be set if a bounce
      message has been autothawed and the ignore_bounce_errors_after time has
      passed. It might also be set if a router was explicitly configured to
      ignore errors (errors_to = "").

  If neither of these cases obtains, something has gone wrong. Log the
  incident, but then ignore the error. */

  if (sender_address[0] == 0 && !addr_failed->prop.errors_address)
    {
    if (  !testflag(addr_failed, af_retry_timedout)
       && !addr_failed->prop.ignore_error)
      log_write(0, LOG_MAIN|LOG_PANIC, "internal error: bounce message "
        "failure is neither frozen nor ignored (it's been ignored)");

    addr_failed->prop.ignore_error = TRUE;
    }

  /* If the first address on the list has af_ignore_error set, just remove
  it from the list, throw away any saved message file, log it, and
  mark the recipient done. */

  if (  addr_failed->prop.ignore_error
     ||    addr_failed->dsn_flags & rf_dsnflags
        && !(addr_failed->dsn_flags & rf_notify_failure)
     )
    {
    addr = addr_failed;
    addr_failed = addr->next;
    if (addr->return_filename) Uunlink(addr->return_filename);

#ifndef DISABLE_EVENT
    msg_event_raise(US"msg:fail:delivery", addr);
#endif
    log_write(0, LOG_MAIN, "%s%s%s%s: error ignored%s",
      addr->address,
      !addr->parent ? US"" : US" <",
      !addr->parent ? US"" : addr->parent->address,
      !addr->parent ? US"" : US">",
      addr->prop.ignore_error
      ? US"" : US": RFC 3461 DSN, failure notify not requested");

    address_done(addr, logtod);
    child_done(addr, logtod);
    /* Panic-dies on error */
    (void)spool_write_header(message_id, SW_DELIVERING, NULL);
    }

  /* Otherwise, handle the sending of a message. Find the error address for
  the first address, then send a message that includes all failed addresses
  that have the same error address. */

  else
    send_bounce_message(now, logtod);
  }

f.disable_logging = FALSE;  /* In case left set */

/* Come here from the mua_wrapper case if routing goes wrong */

DELIVERY_TIDYUP:

if (dbm_file)           /* Can only be continue_retry_db */
  {
  DEBUG(D_hints_lookup) debug_printf("final close of cached retry db\n");
  dbfn_close_multi(continue_retry_db);
  continue_retry_db = dbm_file = NULL;
  }

/* If there are now no deferred addresses, we are done. Preserve the
message log if so configured, and we are using them. Otherwise, sling it.
Then delete the message itself. */

if (!addr_defer)
  {
  uschar * fname;

  if (message_logs)
    {
    fname = spool_fname(US"msglog", message_subdir, id, US"");
    if (preserve_message_logs)
      {
      int rc;
      uschar * moname = spool_fname(US"msglog.OLD", US"", id, US"");

      if ((rc = Urename(fname, moname)) < 0)
        {
        (void)directory_make(spool_directory,
                              spool_sname(US"msglog.OLD", US""),
                              MSGLOG_DIRECTORY_MODE, TRUE);
        rc = Urename(fname, moname);
        }
      if (rc < 0)
        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to move %s to the "
          "msglog.OLD directory", fname);
      }
    else
      if (Uunlink(fname) < 0)
        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
                  fname, strerror(errno));
    }

  /* Remove the two message files. */

  fname = spool_fname(US"input", message_subdir, id, US"-D");
  if (Uunlink(fname) < 0)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
      fname, strerror(errno));
  fname = spool_fname(US"input", message_subdir, id, US"-H");
  if (Uunlink(fname) < 0)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s",
      fname, strerror(errno));

  /* Log the end of this message, with queue time if requested. */

  if (LOGGING(queue_time_overall))
    log_write(0, LOG_MAIN, "Completed QT=%s", string_timesince(&received_time));
  else
    log_write(0, LOG_MAIN, "Completed");

  /* Unset deliver_freeze so that we won't try to move the spool files further down */
  f.deliver_freeze = FALSE;

#ifndef DISABLE_EVENT
  (void) event_raise(event_action, US"msg:complete", NULL, NULL);
#endif
  }

/* If there are deferred addresses, we are keeping this message because it is
not yet completed. Lose any temporary files that were catching output from
pipes for any of the deferred addresses, handle one-time aliases, and see if
the message has been on the queue for so long that it is time to send a warning
message to the sender, unless it is a mailer-daemon. If all deferred addresses
have the same domain, we can set deliver_domain for the expansion of
delay_warning_ condition - if any of them are pipes, files, or autoreplies, use
the parent's domain.

If all the deferred addresses have an error number that indicates "retry time
not reached", skip sending the warning message, because it won't contain the
reason for the delay. It will get sent at the next real delivery attempt.
  Exception: for retries caused by a remote peer we use the error message
  store in the retry DB as the reason.
However, if at least one address has tried, we'd better include all of them in
the message.

If we can't make a process to send the message, don't worry.

For mailing list expansions we want to send the warning message to the
mailing list manager. We can't do a perfect job here, as some addresses may
have different errors addresses, but if we take the errors address from
each deferred address it will probably be right in most cases.

If addr_defer == +1, it means there was a problem sending an error message
for failed addresses, and there were no "real" deferred addresses. The value
was set just to keep the message on the spool, so there is nothing to do here.
*/

else if (addr_defer != (address_item *)(+1))
  {
  uschar * recipients = US"";
  BOOL want_warning_msg = FALSE;

  deliver_domain = testflag(addr_defer, af_pfr)
    ? addr_defer->parent->domain : addr_defer->domain;

  for (address_item * addr = addr_defer; addr; addr = addr->next)
    {
    address_item * otaddr;

    if (addr->basic_errno > ERRNO_WARN_BASE) want_warning_msg = TRUE;

    if (deliver_domain)
      {
      const uschar *d = testflag(addr, af_pfr)
        ? addr->parent->domain : addr->domain;

      /* The domain may be unset for an address that has never been routed
      because the system filter froze the message. */

      if (!d || Ustrcmp(d, deliver_domain) != 0)
        deliver_domain = NULL;
      }

    if (addr->return_filename) Uunlink(addr->return_filename);

    /* Handle the case of one-time aliases. If any address in the ancestry
    of this one is flagged, ensure it is in the recipients list, suitably
    flagged, and that its parent is marked delivered. */

    for (otaddr = addr; otaddr; otaddr = otaddr->parent)
      if (otaddr->onetime_parent) break;

    if (otaddr)
      {
      int i;
      int t = recipients_count;

      for (i = 0; i < recipients_count; i++)
        {
        const uschar * r = recipients_list[i].address;
        if (Ustrcmp(otaddr->onetime_parent, r) == 0) t = i;
        if (Ustrcmp(otaddr->address, r) == 0) break;
        }

      /* Didn't find the address already in the list, and did find the
      ultimate parent's address in the list, and they really are different
      (i.e. not from an identity-redirect). After adding the recipient,
      update the errors address in the recipients list. */

      if (  i >= recipients_count && t < recipients_count
         && Ustrcmp(otaddr->address, otaddr->parent->address) != 0)
        {
        DEBUG(D_deliver) debug_printf("one_time: adding %s in place of %s\n",
          otaddr->address, otaddr->parent->address);
        receive_add_recipient(otaddr->address, t);
        recipients_list[recipients_count-1].errors_to = otaddr->prop.errors_address;
        tree_add_nonrecipient(otaddr->parent->address);
        update_spool = TRUE;
        }
      }

    /* Except for error messages, ensure that either the errors address for
    this deferred address or, if there is none, the sender address, is on the
    list of recipients for a warning message. */

    if (sender_address[0])
      {
      const uschar * s = addr->prop.errors_address;
      if (!s) s = sender_address;
      if (Ustrstr(recipients, s) == NULL)
        recipients = string_sprintf("%s%s%s", recipients,
          recipients[0] ? "," : "", s);
      }
    }

  /* Send a warning message if the conditions are right. If the condition check
  fails because of a lookup defer, there is nothing we can do. The warning
  is not sent. Another attempt will be made at the next delivery attempt (if
  it also defers). */

  if (  !f.queue_2stage
     && want_warning_msg
     && (  !(addr_defer->dsn_flags & rf_dsnflags)
        || addr_defer->dsn_flags & rf_notify_delay
        )
     && delay_warning[1] > 0
     && sender_address[0] != 0)
    {
    GET_OPTION("delay_warning_condition");
    if ( (  !delay_warning_condition
            || expand_check_condition(delay_warning_condition,
                US"delay_warning", US"option")
          )
       )
      {
      int count;
      int show_time;
      int queue_time = time(NULL) - received_time.tv_sec;

      queue_time = test_harness_fudged_queue_time(queue_time);

      /* See how many warnings we should have sent by now */

      for (count = 0; count < delay_warning[1]; count++)
        if (queue_time < delay_warning[count+2]) break;

      show_time = delay_warning[count+1];

      if (count >= delay_warning[1])
        {
        int extra;
        int last_gap = show_time;
        if (count > 1) last_gap -= delay_warning[count];
        extra = (queue_time - delay_warning[count+1])/last_gap;
        show_time += last_gap * extra;
        count += extra;
        }

      DEBUG(D_deliver)
        {
        debug_printf("time on queue = %s  id %s  addr %s\n",
          readconf_printtime(queue_time), message_id, addr_defer->address);
        debug_printf("warning counts: required %d done %d\n", count,
          warning_count);
        }

      /* We have computed the number of warnings there should have been by now.
      If there haven't been enough, send one, and up the count to what it should
      have been. */

      if (warning_count < count)
        if (send_warning_message(recipients, queue_time, show_time))
          {
          warning_count = count;
          update_spool = TRUE;    /* Ensure spool rewritten */
          }
      }
    }

  /* Clear deliver_domain */

  deliver_domain = NULL;

  /* If this was a first delivery attempt, unset the first time flag, and
  ensure that the spool gets updated. */

  if (f.deliver_firsttime && !f.queue_2stage)
    {
    f.deliver_firsttime = FALSE;
    update_spool = TRUE;
    }

  /* If delivery was frozen and freeze_tell is set, generate an appropriate
  message, unless the message is a local error message (to avoid loops). Then
  log the freezing. If the text in "frozen_info" came from a system filter,
  it has been escaped into printing characters so as not to mess up log lines.
  For the "tell" message, we turn \n back into newline. Also, insert a newline
  near the start instead of the ": " string. */

  if (f.deliver_freeze)
    {
    if (freeze_tell && *freeze_tell && !f.local_error_message)
      {
      uschar * s = string_copy(frozen_info);
      uschar * ss = Ustrstr(s, " by the system filter: ");

      if (ss)
        {
        ss[21] = '.';
        ss[22] = '\n';
        }

      for (ss = s; *ss; )
        if (*ss == '\\' && ss[1] == 'n')
          { *ss++ = ' '; *ss++ = '\n'; }
        else
          ss++;

      moan_tell_someone(freeze_tell, addr_defer, US"Message frozen",
        "Message %s has been frozen%s.\nThe sender is <%s>.\n", message_id,
        s, sender_address);
      }

    /* Log freezing just before we update the -H file, to minimize the chance
    of a race problem. */

    deliver_msglog("*** Frozen%s\n", frozen_info);
    log_write(0, LOG_MAIN, "Frozen%s", frozen_info);
    }

  /* If there have been any updates to the non-recipients list, or other things
  that get written to the spool, we must now update the spool header file so
  that it has the right information for the next delivery attempt. If there
  was more than one address being delivered, the header_change update is done
  earlier, in case one succeeds and then something crashes. */

  DEBUG(D_deliver)
    debug_printf("delivery deferred: update_spool=%d header_rewritten=%d\n",
      update_spool, f.header_rewritten);

  if (update_spool || f.header_rewritten)
    /* Panic-dies on error */
    (void)spool_write_header(message_id, SW_DELIVERING, NULL);
  }

/* Finished with the message log. If the message is complete, it will have
been unlinked or renamed above. */

if (message_logs) (void)fclose(message_log);

/* Now we can close and remove the journal file. Its only purpose is to record
successfully completed deliveries asap so that this information doesn't get
lost if Exim (or the machine) crashes. Forgetting about a failed delivery is
not serious, as trying it again is not harmful. The journal might not be open
if all addresses were deferred at routing or directing. Nevertheless, we must
remove it if it exists (may have been lying around from a crash during the
previous delivery attempt). We don't remove the journal if a delivery
subprocess failed to pass back delivery information; this is controlled by
the remove_journal flag. When the journal is left, we also don't move the
message off the main spool if frozen and the option is set. It should get moved
at the next attempt, after the journal has been inspected. */

if (journal_fd >= 0) (void)close(journal_fd);

if (remove_journal)
  {
  uschar * fname = spool_fname(US"input", message_subdir, id, US"-J");

  if (Uunlink(fname) < 0 && errno != ENOENT)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to unlink %s: %s", fname,
      strerror(errno));

  /* Move the message off the spool if requested */

#ifdef SUPPORT_MOVE_FROZEN_MESSAGES
  if (f.deliver_freeze && move_frozen_messages)
    (void)spool_move_message(id, message_subdir, US"", US"F");
#endif
  }

/* Closing the data file frees the lock; if the file has been unlinked it
will go away. Otherwise the message becomes available for another process
to try delivery. */

(void)close(deliver_datafile);
deliver_datafile = -1;
DEBUG(D_deliver) debug_printf("end delivery of %s\n", id);
#ifdef MEASURE_TIMING
report_time_since(&timestamp_startup, US"delivery end"); /* testcase 0005 */
#endif

/* If the transport suggested another message to deliver, go round again. */

if (final_yield == DELIVER_ATTEMPTED_NORMAL && *continue_next_id)
  {
  addr_defer = addr_failed = addr_succeed = NULL;
  tree_duplicates = NULL;       /* discard dups info from old message */
  id = string_copyn(continue_next_id, MESSAGE_ID_LENGTH);
  continue_next_id[0] = '\0';
  goto CONTINUED_ID;
  }

/* It is unlikely that there will be any cached resources, since they are
released after routing, and in the delivery subprocesses. However, it's
possible for an expansion for something afterwards (for example,
expand_check_condition) to do a lookup. We must therefore be sure everything is
released. */

search_tidyup();
acl_where = ACL_WHERE_UNKNOWN;
return final_yield;
}



void
tcp_init(void)
{
#ifdef EXIM_TFO_PROBE
tfo_probe();
#else
f.tcp_fastopen_ok = TRUE;
#endif
}



/* Called from a commandline, or from the daemon, to do a delivery.
We need to regain privs; do this by exec of the exim binary. */

void
delivery_re_exec(int exec_type)
{
uschar * where;

if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
  {
  int channel_fd = cutthrough.cctx.sock;

  smtp_peer_options = cutthrough.peer_options;
  continue_sequence = 0;

#ifndef DISABLE_TLS
  if (cutthrough.is_tls)
    {
    int pfd[2], pid;

    smtp_peer_options |= OPTION_TLS;
    sending_ip_address = cutthrough.snd_ip;
    sending_port = cutthrough.snd_port;

    where = US"socketpair";
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, pfd) != 0)
      goto fail;

    where = US"fork";
    testharness_pause_ms(150);
    if ((pid = exim_fork(US"tls-proxy-interproc")) < 0)
      goto fail;

    if (pid == 0)       /* child: will fork again to totally disconnect */
      {
      smtp_proxy_tls(cutthrough.cctx.tls_ctx, big_buffer, big_buffer_size,
                      pfd, 5*60, cutthrough.host.name);
      /* does not return */
      }

    close(pfd[0]);
    waitpid(pid, NULL, 0);
    (void) close(channel_fd);   /* release the client socket */
    channel_fd = pfd[1];
    }
#endif

  transport_do_pass_socket(cutthrough.transport, cutthrough.host.name,
    cutthrough.host.address, message_id, channel_fd);
  }
else
  {
  cancel_cutthrough_connection(TRUE, US"non-continued delivery");
  (void) child_exec_exim(exec_type, FALSE, NULL, FALSE, 2, US"-Mc", message_id);
  }
return;         /* compiler quietening; control does not reach here. */

#ifndef DISABLE_TLS
fail:
  log_write(0,
    LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
    "delivery re-exec %s failed: %s", where, strerror(errno));

  /* Get here if exec_type == CEE_EXEC_EXIT.
  Note: this must be _exit(), not exit(). */

  _exit(EX_EXECFAILED);
#endif
}

/* vi: aw ai sw=2
*/
/* End of deliver.c */