1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-only */
10 /* Functions concerned with running Exim as a daemon */
16 /* Structure for holding data for each SMTP connection */
18 typedef struct smtp_slot {
19 pid_t pid; /* pid of the spawned reception process */
20 uschar *host_address; /* address of the client host */
23 /* An empty slot for initializing (Standard C does not allow constructor
24 expressions in assignments except as initializers in declarations). */
26 static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL };
30 /*************************************************
31 * Local static variables *
32 *************************************************/
34 static SIGNAL_BOOL sigchld_seen;
35 static SIGNAL_BOOL sighup_seen;
36 static SIGNAL_BOOL sigterm_seen;
38 static int accept_retry_count = 0;
39 static int accept_retry_errno;
40 static BOOL accept_retry_select_failed;
42 static int queue_run_count = 0;
43 static pid_t *queue_pid_slots = NULL;
44 static smtp_slot *smtp_slots = NULL;
46 static BOOL write_pid = TRUE;
50 /*************************************************
52 *************************************************/
54 /* All this handler does is to set a flag and re-enable the signal.
56 Argument: the signal number
61 sighup_handler(int sig)
64 signal(SIGHUP, sighup_handler);
69 /*************************************************
70 * SIGCHLD handler for main daemon process *
71 *************************************************/
73 /* Don't re-enable the handler here, since we aren't doing the
74 waiting here. If the signal is re-enabled, there will just be an
75 infinite sequence of calls to this handler. The SIGCHLD signal is
76 used just as a means of waking up the daemon so that it notices
77 terminated subprocesses as soon as possible.
79 Argument: the signal number
84 main_sigchld_handler(int sig)
86 os_non_restarting_signal(SIGCHLD, SIG_DFL);
91 /* SIGTERM handler. Try to get the daemon pid file removed
95 main_sigterm_handler(int sig)
103 /*************************************************
104 * Unexpected errors in SMTP calls *
105 *************************************************/
107 /* This function just saves a bit of repetitious coding.
110 log_msg Text of message to be logged
111 smtp_msg Text of SMTP error message
112 was_errno The failing errno
118 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
120 uschar *emsg = was_errno <= 0
121 ? US"" : string_sprintf(": %s", strerror(was_errno));
122 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
123 if (smtp_out) smtp_printf("421 %s\r\n", FALSE, smtp_msg);
129 /*************************************************
130 *************************************************/
132 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
134 unlink_notifier_socket(void)
136 uschar * s = expand_string(notifier_socket);
137 DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", s);
144 close_daemon_sockets(int daemon_notifier_fd,
145 struct pollfd * fd_polls, int listen_socket_count)
147 if (daemon_notifier_fd >= 0)
149 (void) close(daemon_notifier_fd);
150 daemon_notifier_fd = -1;
151 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
152 unlink_notifier_socket();
156 for (int i = 0; i < listen_socket_count; i++) (void) close(fd_polls[i].fd);
160 /*************************************************
161 * Handle a connected SMTP call *
162 *************************************************/
164 /* This function is called when an SMTP connection has been accepted.
165 If there are too many, give an error message and close down. Otherwise
166 spin off a sub-process to handle the call. The list of listening sockets
167 is required so that they can be closed in the sub-process. Take care not to
168 leak store in this process - reset the stacking pool at the end.
171 fd_polls sockets which are listening for incoming calls
172 listen_socket_count count of listening sockets
173 accept_socket socket of the current accepted call
174 accepted socket information about the current call
180 handle_smtp_call(struct pollfd *fd_polls, int listen_socket_count,
181 int accept_socket, struct sockaddr *accepted)
184 union sockaddr_46 interface_sockaddr;
185 EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
186 int dup_accept_socket = -1;
187 int max_for_this_host = 0;
188 int save_log_selector = *log_selector;
191 rmark reset_point = store_mark();
193 /* Make the address available in ASCII representation, and also fish out
196 sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
197 DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
198 sender_host_address, sender_host_port);
200 /* Set up the output stream, check the socket has duplicated, and set up the
201 input stream. These operations fail only the exceptional circumstances. Note
202 that never_error() won't use smtp_out if it is NULL. */
204 if (!(smtp_out = fdopen(accept_socket, "wb")))
206 never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
210 if ((dup_accept_socket = dup(accept_socket)) < 0)
212 never_error(US"daemon: couldn't dup socket descriptor",
213 US"Connection setup failed", errno);
217 if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
219 never_error(US"daemon: fdopen() for smtp_in failed",
220 US"Connection setup failed", errno);
224 /* Get the data for the local interface address. Panic for most errors, but
225 "connection reset by peer" just means the connection went away. */
227 if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
230 log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
231 "getsockname() failed: %s", strerror(errno));
232 smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n", FALSE);
236 interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
237 DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
238 interface_address, interface_port);
240 /* Build a string identifying the remote host and, if requested, the port and
241 the local interface data. This is for logging; at the end of this function the
242 memory is reclaimed. */
244 whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
246 if (LOGGING(incoming_port))
247 whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
249 if (LOGGING(incoming_interface))
250 whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
251 interface_address, interface_port);
253 (void) string_from_gstring(whofrom); /* Terminate the newly-built string */
255 /* Check maximum number of connections. We do not check for reserved
256 connections or unacceptable hosts here. That is done in the subprocess because
257 it might take some time. */
259 if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
261 DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
262 smtp_accept_count, smtp_accept_max);
263 smtp_printf("421 Too many concurrent SMTP connections; "
264 "please try again later.\r\n", FALSE);
265 log_write(L_connection_reject,
266 LOG_MAIN, "Connection from %s refused: too many connections",
271 /* If a load limit above which only reserved hosts are acceptable is defined,
272 get the load average here, and if there are in fact no reserved hosts, do
273 the test right away (saves a fork). If there are hosts, do the check in the
274 subprocess because it might take time. */
276 if (smtp_load_reserve >= 0)
278 load_average = OS_GETLOADAVG();
279 if (!smtp_reserve_hosts && load_average > smtp_load_reserve)
281 DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
282 (double)load_average/1000.0);
283 smtp_printf("421 Too much load; please try again later.\r\n", FALSE);
284 log_write(L_connection_reject,
285 LOG_MAIN, "Connection from %s refused: load average = %.2f",
286 whofrom->s, (double)load_average/1000.0);
291 /* Check that one specific host (strictly, IP address) is not hogging
292 resources. This is done here to prevent a denial of service attack by someone
293 forcing you to fork lots of times before denying service. The value of
294 smtp_accept_max_per_host is a string which is expanded. This makes it possible
295 to provide host-specific limits according to $sender_host address, but because
296 this is in the daemon mainline, only fast expansions (such as inline address
297 checks) should be used. The documentation is full of warnings. */
299 if (smtp_accept_max_per_host)
301 uschar *expanded = expand_string(smtp_accept_max_per_host);
304 if (!f.expand_string_forcedfail)
305 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
306 "failed for %s: %s", whofrom->s, expand_string_message);
308 /* For speed, interpret a decimal number inline here */
311 uschar *s = expanded;
313 max_for_this_host = max_for_this_host * 10 + *s++ - '0';
315 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
316 "for %s contains non-digit: %s", whofrom->s, expanded);
320 /* If we have fewer connections than max_for_this_host, we can skip the tedious
321 per host_address checks. Note that at this stage smtp_accept_count contains the
322 count of *other* connections, not including this one. */
324 if (max_for_this_host > 0 && smtp_accept_count >= max_for_this_host)
326 int host_accept_count = 0;
327 int other_host_count = 0; /* keep a count of non matches to optimise */
329 for (int i = 0; i < smtp_accept_max; ++i)
330 if (smtp_slots[i].host_address)
332 if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
337 /* Testing all these strings is expensive - see if we can drop out
338 early, either by hitting the target, or finding there are not enough
339 connections left to make the target. */
341 if ( host_accept_count >= max_for_this_host
342 || smtp_accept_count - other_host_count < max_for_this_host)
346 if (host_accept_count >= max_for_this_host)
348 DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
349 "IP address: count=%d max=%d\n",
350 host_accept_count, max_for_this_host);
351 smtp_printf("421 Too many concurrent SMTP connections "
352 "from this IP address; please try again later.\r\n", FALSE);
353 log_write(L_connection_reject,
354 LOG_MAIN, "Connection from %s refused: too many connections "
355 "from that IP address", whofrom->s);
361 /* OK, the connection count checks have been passed. Before we can fork the
362 accepting process, we must first log the connection if requested. This logging
363 used to happen in the subprocess, but doing that means that the value of
364 smtp_accept_count can be out of step by the time it is logged. So we have to do
365 the logging here and accept the performance cost. Note that smtp_accept_count
366 hasn't yet been incremented to take account of this connection.
368 In order to minimize the cost (because this is going to happen for every
369 connection), do a preliminary selector test here. This saves ploughing through
370 the generalized logging code each time when the selector is false. If the
371 selector is set, check whether the host is on the list for logging. If not,
372 arrange to unset the selector in the subprocess. */
374 if (LOGGING(smtp_connection))
376 uschar *list = hosts_connection_nolog;
377 memset(sender_host_cache, 0, sizeof(sender_host_cache));
378 if (list && verify_check_host(&list) == OK)
379 save_log_selector &= ~L_smtp_connection;
381 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %s "
382 "(TCP/IP connection count = %d)", whofrom->s, smtp_accept_count + 1);
385 /* Now we can fork the accepting process; do a lookup tidy, just in case any
386 expansion above did a lookup. */
389 pid = exim_fork(US"daemon-accept");
391 /* Handle the child process */
395 int queue_only_reason = 0;
396 int old_pool = store_pool;
397 int save_debug_selector = debug_selector;
398 BOOL local_queue_only;
399 BOOL session_local_queue_only;
401 struct sigaction act;
404 smtp_accept_count++; /* So that it includes this process */
406 /* If the listen backlog was over the monitoring level, log it. */
408 if (smtp_listen_backlog > smtp_backlog_monitor)
409 log_write(0, LOG_MAIN, "listen backlog %d I=[%s]:%d",
410 smtp_listen_backlog, interface_address, interface_port);
412 /* May have been modified for the subprocess */
414 *log_selector = save_log_selector;
416 /* Get the local interface address into permanent store */
418 store_pool = POOL_PERM;
419 interface_address = string_copy(interface_address);
420 store_pool = old_pool;
422 /* Check for a tls-on-connect port */
424 if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
426 /* Expand smtp_active_hostname if required. We do not do this any earlier,
427 because it may depend on the local interface address (indeed, that is most
428 likely what it depends on.) */
430 smtp_active_hostname = primary_hostname;
431 if (raw_active_hostname)
433 uschar * nah = expand_string(raw_active_hostname);
436 if (!f.expand_string_forcedfail)
438 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
439 "(smtp_active_hostname): %s", raw_active_hostname,
440 expand_string_message);
441 smtp_printf("421 Local configuration error; "
442 "please try again later.\r\n", FALSE);
445 exim_underbar_exit(EXIT_FAILURE);
448 else if (*nah) smtp_active_hostname = nah;
451 /* Initialize the queueing flags */
454 session_local_queue_only = queue_only;
456 /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
457 We also attempt to set things up so that children are automatically reaped,
458 but just in case this isn't available, there's a paranoid waitpid() in the
459 loop too (except for systems where we are sure it isn't needed). See the more
460 extensive comment before the reception loop in exim.c for a fuller
461 explanation of this logic. */
463 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
465 /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
466 to be able to communicate with them, under any circumstances. */
467 (void)fcntl(accept_socket, F_SETFD,
468 fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
469 (void)fcntl(dup_accept_socket, F_SETFD,
470 fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
473 act.sa_handler = SIG_IGN;
474 sigemptyset(&(act.sa_mask));
475 act.sa_flags = SA_NOCLDWAIT;
476 sigaction(SIGCHLD, &act, NULL);
478 signal(SIGCHLD, SIG_IGN);
480 signal(SIGTERM, SIG_DFL);
481 signal(SIGINT, SIG_DFL);
483 /* Attempt to get an id from the sending machine via the RFC 1413
484 protocol. We do this in the sub-process in order not to hold up the
485 main process if there is any delay. Then set up the fullhost information
486 in case there is no HELO/EHLO.
488 If debugging is enabled only for the daemon, we must turn if off while
489 finding the id, but turn it on again afterwards so that information about the
490 incoming connection is output. */
492 if (f.debug_daemon) debug_selector = 0;
493 verify_get_ident(IDENT_PORT);
494 host_build_sender_fullhost();
495 debug_selector = save_debug_selector;
498 debug_printf("Process %d is handling incoming connection from %s\n",
499 (int)getpid(), sender_fullhost);
501 /* Now disable debugging permanently if it's required only for the daemon
504 if (f.debug_daemon) debug_selector = 0;
506 /* If there are too many child processes for immediate delivery,
507 set the session_local_queue_only flag, which is initialized from the
508 configured value and may therefore already be TRUE. Leave logging
509 till later so it will have a message id attached. Note that there is no
510 possibility of re-calculating this per-message, because the value of
511 smtp_accept_count does not change in this subprocess. */
513 if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
515 session_local_queue_only = TRUE;
516 queue_only_reason = 1;
519 /* Handle the start of the SMTP session, then loop, accepting incoming
520 messages from the SMTP connection. The end will come at the QUIT command,
521 when smtp_setup_msg() returns 0. A break in the connection causes the
522 process to die (see accept.c).
524 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
525 because a log line has already been written for all its failure exists
526 (usually "connection refused: <reason>") and writing another one is
527 unnecessary clutter. */
529 if (!smtp_start_session())
533 exim_underbar_exit(EXIT_SUCCESS);
539 message_id[0] = 0; /* Clear out any previous message_id */
540 reset_point = store_mark(); /* Save current store high water point */
543 debug_printf("Process %d is ready for new message\n", (int)getpid());
545 /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
546 unacceptable host or if an ACL "drop" command was triggered, -1 on
547 connection lost, and +1 on validly reaching DATA. Receive_msg() almost
548 always returns TRUE when smtp_input is true; just retry if no message was
549 accepted (can happen for invalid message parameters). However, it can yield
550 FALSE if the connection was forcibly dropped by the DATA ACL. */
552 if ((rc = smtp_setup_msg()) > 0)
554 BOOL ok = receive_msg(FALSE);
555 search_tidyup(); /* Close cached databases */
556 if (!ok) /* Connection was dropped */
558 cancel_cutthrough_connection(TRUE, US"receive dropped");
560 smtp_log_no_mail(); /* Log no mail if configured */
561 exim_underbar_exit(EXIT_SUCCESS);
563 if (message_id[0] == 0) continue; /* No message was accepted */
565 else /* bad smtp_setup_msg() */
569 int fd = fileno(smtp_in);
573 /* drain socket, for clean TCP FINs */
574 if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
575 for(int i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
577 cancel_cutthrough_connection(TRUE, US"message setup dropped");
579 smtp_log_no_mail(); /* Log no mail if configured */
581 /*XXX should we pause briefly, hoping that the client will be the
582 active TCP closer hence get the TCP_WAIT endpoint? */
583 DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
584 exim_underbar_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
587 /* Show the recipients when debugging */
592 debug_printf("Sender: %s\n", sender_address);
595 debug_printf("Recipients:\n");
596 for (int i = 0; i < recipients_count; i++)
597 debug_printf(" %s\n", recipients_list[i].address);
601 /* A message has been accepted. Clean up any previous delivery processes
602 that have completed and are defunct, on systems where they don't go away
603 by themselves (see comments when setting SIG_IGN above). On such systems
604 (if any) these delivery processes hang around after termination until
605 the next message is received. */
607 #ifndef SIG_IGN_WORKS
608 while (waitpid(-1, NULL, WNOHANG) > 0);
611 /* Reclaim up the store used in accepting this message */
614 int r = receive_messagecount;
615 BOOL q = f.queue_only_policy;
616 smtp_reset(reset_point);
618 f.queue_only_policy = q;
619 receive_messagecount = r;
622 /* If queue_only is set or if there are too many incoming connections in
623 existence, session_local_queue_only will be TRUE. If it is not, check
624 whether we have received too many messages in this session for immediate
627 if (!session_local_queue_only &&
628 smtp_accept_queue_per_connection > 0 &&
629 receive_messagecount > smtp_accept_queue_per_connection)
631 session_local_queue_only = TRUE;
632 queue_only_reason = 2;
635 /* Initialize local_queue_only from session_local_queue_only. If it is not
636 true, and queue_only_load is set, check that the load average is below it.
637 If local_queue_only is set by this means, we also set if for the session if
638 queue_only_load_latch is true (the default). This means that, once set,
639 local_queue_only remains set for any subsequent messages on the same SMTP
640 connection. This is a deliberate choice; even though the load average may
641 fall, it doesn't seem right to deliver later messages on the same call when
642 not delivering earlier ones. However, the are special circumstances such as
643 very long-lived connections from scanning appliances where this is not the
644 best strategy. In such cases, queue_only_load_latch should be set false. */
646 if ( !(local_queue_only = session_local_queue_only)
647 && queue_only_load >= 0
648 && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
651 queue_only_reason = 3;
652 if (queue_only_load_latch) session_local_queue_only = TRUE;
655 /* Log the queueing here, when it will get a message id attached, but
656 not if queue_only is set (case 0). */
658 if (local_queue_only) switch(queue_only_reason)
660 case 1: log_write(L_delay_delivery,
661 LOG_MAIN, "no immediate delivery: too many connections "
662 "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
665 case 2: log_write(L_delay_delivery,
666 LOG_MAIN, "no immediate delivery: more than %d messages "
667 "received in one connection", smtp_accept_queue_per_connection);
670 case 3: log_write(L_delay_delivery,
671 LOG_MAIN, "no immediate delivery: load average %.2f",
672 (double)load_average/1000.0);
676 /* If a delivery attempt is required, spin off a new process to handle it.
677 If we are not root, we have to re-exec exim unless deliveries are being
678 done unprivileged. */
680 else if ( (!f.queue_only_policy || f.queue_smtp)
681 && !f.deliver_freeze)
685 /* We used to flush smtp_out before forking so that buffered data was not
686 duplicated, but now we want to pipeline the responses for data and quit.
687 Instead, hard-close the fd underlying smtp_out right after fork to discard
690 if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0)
692 (void)fclose(smtp_in);
693 (void)close(fileno(smtp_out));
694 (void)fclose(smtp_out);
695 smtp_in = smtp_out = NULL;
697 /* Don't ever molest the parent's SSL connection, but do clean up
698 the data structures if necessary. */
701 tls_close(NULL, TLS_NO_SHUTDOWN);
704 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
706 signal(SIGHUP, SIG_DFL);
707 signal(SIGCHLD, SIG_DFL);
708 signal(SIGTERM, SIG_DFL);
709 signal(SIGINT, SIG_DFL);
711 if (geteuid() != root_uid && !deliver_drop_privilege)
713 signal(SIGALRM, SIG_DFL);
714 delivery_re_exec(CEE_EXEC_PANIC);
715 /* Control does not return here. */
718 /* No need to re-exec; SIGALRM remains set to the default handler */
720 (void) deliver_message(message_id, FALSE, FALSE);
722 exim_underbar_exit(EXIT_SUCCESS);
727 release_cutthrough_connection(US"passed for delivery");
728 DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
732 cancel_cutthrough_connection(TRUE, US"delivery fork failed");
733 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
734 "failed: %s", strerror(errno));
741 /* Carrying on in the parent daemon process... Can't do much if the fork
742 failed. Otherwise, keep count of the number of accepting processes and
743 remember the pid for ticking off when the child completes. */
746 never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
749 for (int i = 0; i < smtp_accept_max; ++i)
750 if (smtp_slots[i].pid <= 0)
752 smtp_slots[i].pid = pid;
753 /* Connection closes come asyncronously, so we cannot stack this store */
754 if (smtp_accept_max_per_host)
755 smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
759 DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
760 smtp_accept_count, smtp_accept_count == 1 ? "" : "es");
763 /* Get here via goto in error cases */
767 /* Close the streams associated with the socket which will also close the
768 socket fds in this process. We can't do anything if fclose() fails, but
769 logging brings it to someone's attention. However, "connection reset by peer"
770 isn't really a problem, so skip that one. On Solaris, a dropped connection can
771 manifest itself as a broken pipe, so drop that one too. If the streams don't
772 exist, something went wrong while setting things up. Make sure the socket
773 descriptors are closed, in order to drop the connection. */
777 if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
778 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
782 else (void)close(accept_socket);
786 if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
787 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
791 else (void)close(dup_accept_socket);
793 /* Release any store used in this process, including the store used for holding
794 the incoming host address and an expanded active_hostname. */
797 interface_address = sender_host_name = sender_host_address = NULL;
798 store_reset(reset_point);
804 /*************************************************
805 * Check wildcard listen special cases *
806 *************************************************/
808 /* This function is used when binding and listening on lists of addresses and
809 ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
810 sockets may interact in different ways in different operating systems. It is
811 passed an error number, the list of listening addresses, and the current
812 address. Two checks are available: for a previous wildcard IPv6 address, or for
813 a following wildcard IPv4 address, in both cases on the same port.
815 In practice, pairs of wildcard addresses should be adjacent in the address list
816 because they are sorted that way below.
820 addresses the list of addresses
821 ipa the current IP address
822 back if TRUE, check for previous wildcard IPv6 address
823 if FALSE, check for a following wildcard IPv4 address
825 Returns: TRUE or FALSE
829 check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
832 ip_address_item *ipa2;
834 /* For the "back" case, if the failure was "address in use" for a wildcard IPv4
835 address, seek a previous IPv6 wildcard address on the same port. As it is
836 previous, it must have been successfully bound and be listening. Flag it as a
837 "6 including 4" listener. */
841 if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
842 for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
844 if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
846 ipa2->v6_include_v4 = TRUE;
852 /* For the "forward" case, if the current address is a wildcard IPv6 address,
853 we seek a following wildcard IPv4 address on the same port. */
857 if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
858 for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
859 if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
868 /*************************************************
869 * Handle terminating subprocesses *
870 *************************************************/
872 /* Handle the termination of child processes. Theoretically, this need be done
873 only when sigchld_seen is TRUE, but rumour has it that some systems lose
874 SIGCHLD signals at busy times, so to be on the safe side, this function is
875 called each time round. It shouldn't be too expensive.
882 handle_ending_processes(void)
887 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
891 debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
893 if (WIFEXITED(status))
894 debug_printf(" normal exit, %d\n", WEXITSTATUS(status));
895 else if (WIFSIGNALED(status))
896 debug_printf(" signal exit, signal %d%s\n", WTERMSIG(status),
897 WCOREDUMP(status) ? " (core dumped)" : "");
901 /* If it's a listening daemon for which we are keeping track of individual
902 subprocesses, deal with an accepting process that has terminated. */
907 for (i = 0; i < smtp_accept_max; i++)
908 if (smtp_slots[i].pid == pid)
910 if (smtp_slots[i].host_address)
911 store_free(smtp_slots[i].host_address);
912 smtp_slots[i] = empty_smtp_slot;
913 if (--smtp_accept_count < 0) smtp_accept_count = 0;
914 DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
915 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
918 if (i < smtp_accept_max) continue; /* Found an accepting process */
921 /* If it wasn't an accepting process, see if it was a queue-runner
922 process that we are tracking. */
926 int max = atoi(CS expand_string(queue_run_max));
927 for (int i = 0; i < max; i++)
928 if (queue_pid_slots[i] == pid)
930 queue_pid_slots[i] = 0;
931 if (--queue_run_count < 0) queue_run_count = 0;
932 DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
933 queue_run_count, (queue_run_count == 1)? "" : "es");
942 set_pid_file_path(void)
944 if (override_pid_file_path)
945 pid_file_path = override_pid_file_path;
948 pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
950 if (pid_file_path[0] != '/')
951 log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
955 enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
957 /* Do various pid file operations as safe as possible. Ideally we'd just
958 drop the privileges for creation of the pid file and not care at all about removal of
960 Returns: true on success, false + errno==EACCES otherwise
964 operate_on_pid_file(const enum pid_op operation, const pid_t pid)
966 char pid_line[sizeof(int) * 3 + 2];
967 const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
968 BOOL lines_match = FALSE;
969 uschar * path, * base, * dir;
971 const int dir_flags = O_RDONLY | O_NONBLOCK;
972 const int base_flags = O_NOFOLLOW | O_NONBLOCK;
973 const mode_t base_mode = 0644;
975 int cwd_fd = -1, dir_fd = -1, base_fd = -1;
976 BOOL success = FALSE;
980 if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
981 if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
983 path = string_copy(pid_file_path);
984 if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */
985 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
987 dir = base != path ? path : US"/";
990 if (!dir || !*dir || *dir != '/') goto cleanup;
991 if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup;
993 cwd_fd = open(".", dir_flags);
994 if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
995 dir_fd = open(CS dir, dir_flags);
996 if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
999 if (fchdir(dir_fd) != 0) goto cleanup;
1000 base_fd = open(CS base, O_RDONLY | base_flags);
1001 if (fchdir(cwd_fd) != 0)
1002 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1006 char line[sizeof(pid_line)];
1009 if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
1010 if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
1011 if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
1013 len = read(base_fd, line, sizeof(line));
1014 if (len != (ssize_t)sb.st_size) goto cleanup;
1017 if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
1018 if (line[len-1] != '\n') goto cleanup;
1019 lines_match = len == pid_len && strcmp(line, pid_line) == 0;
1022 if (operation == PID_WRITE)
1029 /* emulate unlinkat */
1030 if (fchdir(dir_fd) != 0) goto cleanup;
1031 error = unlink(CS base);
1032 if (fchdir(cwd_fd) != 0)
1033 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1034 if (error) goto cleanup;
1035 (void)close(base_fd);
1038 /* emulate openat */
1039 if (fchdir(dir_fd) != 0) goto cleanup;
1040 base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
1041 if (fchdir(cwd_fd) != 0)
1042 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1043 if (base_fd < 0) goto cleanup;
1044 if (fchmod(base_fd, base_mode) != 0) goto cleanup;
1045 if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
1046 DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
1051 if (!lines_match) goto cleanup;
1052 if (operation == PID_DELETE)
1055 /* emulate unlinkat */
1056 if (fchdir(dir_fd) != 0) goto cleanup;
1057 error = unlink(CS base);
1058 if (fchdir(cwd_fd) != 0)
1059 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1060 if (error) goto cleanup;
1068 if (cwd_fd >= 0) (void)close(cwd_fd);
1069 if (dir_fd >= 0) (void)close(dir_fd);
1070 if (base_fd >= 0) (void)close(base_fd);
1075 /* Remove the daemon's pidfile. Note: runs with root privilege,
1076 as a direct child of the daemon. Does not return. */
1079 delete_pid_file(void)
1081 const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
1084 debug_printf("delete pid file %s %s: %s\n", pid_file_path,
1085 success ? "success" : "failure", strerror(errno));
1087 exim_exit(EXIT_SUCCESS);
1091 /* Called by the daemon; exec a child to get the pid file deleted
1092 since we may require privs for the containing directory */
1099 DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
1100 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
1101 tls_watch_invalidate();
1104 if (daemon_notifier_fd >= 0)
1106 close(daemon_notifier_fd);
1107 daemon_notifier_fd = -1;
1108 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1109 unlink_notifier_socket();
1113 if (f.running_in_test_harness || write_pid)
1115 if ((pid = exim_fork(US"daemon-del-pidfile")) == 0)
1117 if (override_pid_file_path)
1118 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3,
1119 "-oP", override_pid_file_path, "-oPX");
1121 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX");
1123 /* Control never returns here. */
1126 child_close(pid, 1);
1128 exim_exit(EXIT_SUCCESS);
1132 /*************************************************
1133 * Listener socket for local work prompts *
1134 *************************************************/
1137 daemon_client_sockname(struct sockaddr_un * sup, uschar ** sname)
1139 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1140 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1141 return offsetof(struct sockaddr_un, sun_path) + 1
1142 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "exim_%d", getpid());
1144 *sname = string_sprintf("%s/p_%d", spool_directory, getpid());
1145 return offsetof(struct sockaddr_un, sun_path)
1146 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s", sname);
1151 daemon_notifier_sockname(struct sockaddr_un * sup)
1153 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1154 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1155 return offsetof(struct sockaddr_un, sun_path) + 1
1156 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "%s",
1157 expand_string(notifier_socket));
1159 return offsetof(struct sockaddr_un, sun_path)
1160 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s",
1161 expand_string(notifier_socket));
1167 daemon_notifier_socket(void)
1170 const uschar * where;
1171 struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
1174 if (!notifier_socket || !*notifier_socket)
1176 DEBUG(D_any) debug_printf("-oY used so not creating notifier socket\n");
1179 if (override_local_interfaces && !override_pid_file_path)
1182 debug_printf("-oX used without -oP so not creating notifier socket\n");
1186 DEBUG(D_any) debug_printf("creating notifier socket\n");
1189 if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0)
1190 { where = US"socket"; goto bad; }
1192 if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
1193 { where = US"socket"; goto bad; }
1194 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
1197 len = daemon_notifier_sockname(&sa_un);
1199 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1200 DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1);
1201 #else /* filesystem-visible and persistent; will neeed removal */
1202 DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path);
1205 if (bind(fd, (const struct sockaddr *)&sa_un, (socklen_t)len) < 0)
1206 { where = US"bind"; goto bad; }
1208 #ifdef SO_PASSCRED /* Linux */
1209 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
1210 { where = US"SO_PASSCRED"; goto bad2; }
1211 #elif defined(LOCAL_CREDS) /* FreeBSD-ish */
1212 if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
1213 { where = US"LOCAL_CREDS"; goto bad2; }
1216 /* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */
1217 daemon_notifier_fd = fd;
1221 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1222 Uunlink(sa_un.sun_path);
1225 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s",
1226 __FUNCTION__, where, strerror(errno));
1232 static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1];
1234 /* The notifier socket has something to read. Pull the message from it, decode
1237 Return TRUE if a sigalrm should be emulated */
1240 daemon_notification(void)
1242 uschar buf[256], cbuf[256];
1243 struct sockaddr_un sa_un;
1244 struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1};
1245 struct msghdr msg = { .msg_name = &sa_un,
1246 .msg_namelen = sizeof(sa_un),
1249 .msg_control = cbuf,
1250 .msg_controllen = sizeof(cbuf)
1254 buf[sizeof(buf)-1] = 0;
1255 if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return FALSE;
1256 if (sz >= sizeof(buf)) return FALSE;
1259 debug_printf("addrlen %d\n", msg.msg_namelen);
1261 DEBUG(D_queue_run) debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__,
1262 *sa_un.sun_path ? "" : "@",
1263 (int)msg.msg_namelen - (*sa_un.sun_path ? 0 : 1),
1264 sa_un.sun_path + (*sa_un.sun_path ? 0 : 1));
1266 /* Refuse to handle the item unless the peer has good credentials */
1267 #ifdef SCM_CREDENTIALS
1268 # define EXIM_SCM_CR_TYPE SCM_CREDENTIALS
1269 #elif defined(LOCAL_CREDS) && defined(SCM_CREDS)
1270 # define EXIM_SCM_CR_TYPE SCM_CREDS
1272 /* The OS has no way to get the creds of the caller (for a unix/datagram socket.
1273 Punt; don't try to check. */
1276 #ifdef EXIM_SCM_CR_TYPE
1277 for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg);
1279 cp = CMSG_NXTHDR(&msg, cp))
1280 if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE)
1282 # ifdef SCM_CREDENTIALS /* Linux */
1283 struct ucred * cr = (struct ucred *) CMSG_DATA(cp);
1284 if (cr->uid && cr->uid != exim_uid)
1286 DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n",
1287 __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid);
1289 # elif defined(LOCAL_CREDS) /* BSD-ish */
1290 struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp);
1291 if (cr->sc_uid && cr->sc_uid != exim_uid)
1293 DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n",
1294 __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid);
1304 #ifndef DISABLE_QUEUE_RAMP
1305 case NOTIFY_MSG_QRUN:
1306 /* this should be a message_id */
1308 debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1);
1309 memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1);
1313 case NOTIFY_QUEUE_SIZE_REQ:
1316 int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
1319 debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf);
1321 if (sendto(daemon_notifier_fd, buf, len, 0,
1322 (const struct sockaddr *)&sa_un, msg.msg_namelen) < 0)
1323 log_write(0, LOG_MAIN|LOG_PANIC,
1324 "%s: sendto: %s\n", __FUNCTION__, strerror(errno));
1329 regex_at_daemon(buf);
1337 /*************************************************
1338 * Exim Daemon Mainline *
1339 *************************************************/
1341 /* The daemon can do two jobs, either of which is optional:
1343 (1) Listens for incoming SMTP calls and spawns off a sub-process to handle
1344 each one. This is requested by the -bd option, with -oX specifying the SMTP
1345 port on which to listen (for testing).
1347 (2) Spawns a queue-running process every so often. This is controlled by the
1348 -q option with a an interval time. (If no time is given, a single queue run
1349 is done from the main function, and control doesn't get here.)
1351 Root privilege is required in order to attach to port 25. Some systems require
1352 it when calling socket() rather than bind(). To cope with all cases, we run as
1353 root for both socket() and bind(). Some systems also require root in order to
1354 write to the pid file directory. This function must therefore be called as root
1355 if it is to work properly in all circumstances. Once the socket is bound and
1356 the pid file written, root privilege is given up if there is an exim uid.
1358 There are no arguments to this function, and it never returns. */
1364 struct pollfd * fd_polls, * tls_watch_poll = NULL, * dnotify_poll = NULL;
1365 int listen_socket_count = 0, poll_fd_count;
1366 ip_address_item * addresses = NULL;
1367 time_t last_connection_time = (time_t)0;
1368 int local_queue_run_max = atoi(CS expand_string(queue_run_max));
1370 process_purpose = US"daemon";
1372 /* If any debugging options are set, turn on the D_pid bit so that all
1373 debugging lines get the pid added. */
1375 DEBUG(D_any|D_v) debug_selector |= D_pid;
1377 /* Allocate enough pollstructs for inetd mode plus the ancillary sockets;
1378 also used when there are no listen sockets. */
1380 fd_polls = store_get(sizeof(struct pollfd) * 3, GET_UNTAINTED);
1382 if (f.inetd_wait_mode)
1384 listen_socket_count = 1;
1386 if (dup2(0, 3) == -1)
1387 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1388 "failed to dup inetd socket safely away: %s", strerror(errno));
1391 fd_polls[0].events = POLLIN;
1397 if (debug_file == stderr)
1399 /* need a call to log_write before call to open debug_file, so that
1400 log.c:file_path has been initialised. This is unfortunate. */
1401 log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
1405 exim_nullstd(); /* re-open fd2 after we just closed it again */
1406 debug_logging_activate(US"-wait", NULL);
1409 DEBUG(D_any) debug_printf("running in inetd wait mode\n");
1411 /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
1412 our own buffering; we assume though that inetd set the socket REUSEADDR. */
1415 if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
1416 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
1421 if (f.inetd_wait_mode || f.daemon_listen)
1423 /* If any option requiring a load average to be available during the
1424 reception of a message is set, call os_getloadavg() while we are root
1425 for those OS for which this is necessary the first time it is called (in
1426 order to perform an "open" on the kernel memory file). */
1428 #ifdef LOAD_AVG_NEEDS_ROOT
1429 if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
1430 (deliver_queue_load_max >= 0 && deliver_drop_privilege))
1431 (void)os_getloadavg();
1436 /* Do the preparation for setting up a listener on one or more interfaces, and
1437 possible on various ports. This is controlled by the combination of
1438 local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
1439 (which is a list of default ports to use for those items in local_interfaces
1440 that do not specify a port). The -oX command line option can be used to
1441 override one or both of these options.
1443 If local_interfaces is not set, the default is to listen on all interfaces.
1444 When it is set, it can include "all IPvx interfaces" as an item. This is useful
1445 when different ports are in use.
1447 It turns out that listening on all interfaces is messy in an IPv6 world,
1448 because several different implementation approaches have been taken. This code
1449 is now supposed to work with all of them. The point of difference is whether an
1450 IPv6 socket that is listening on all interfaces will receive incoming IPv4
1451 calls or not. We also have to cope with the case when IPv6 libraries exist, but
1452 there is no IPv6 support in the kernel.
1454 . On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
1455 addresses. However, if an IPv4 socket is also listening on all interfaces,
1456 calls are directed to the appropriate socket.
1458 . On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
1459 give them as mapped addresses, but an attempt also to listen on an IPv4
1460 socket on all interfaces causes an error.
1462 . On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
1463 two sockets if you want to accept both kinds of call.
1465 . FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
1466 can be turned off, to make it behave like the versions of Linux described
1469 . I heard a report that the USAGI IPv6 stack for Linux has implemented
1472 So, what we do when IPv6 is supported is as follows:
1474 (1) After it is set up, the list of interfaces is scanned for wildcard
1475 addresses. If an IPv6 and an IPv4 wildcard are both found for the same
1476 port, the list is re-arranged so that they are together, with the IPv6
1479 (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
1480 carry on if an IPv4 wildcard socket for the same port follows later in the
1481 list. This allows Exim to carry on in the case when the kernel has no IPv6
1484 (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
1485 option is defined. However, if setting fails, carry on regardless (but log
1488 (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
1491 (5) If binding or listening on an IPv4 wildcard socket fails with the error
1492 EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
1493 port (which must have succeeded or we wouldn't have got this far), we
1494 assume we are in the situation where just a single socket is permitted,
1495 and ignore the error.
1499 The preparation code decodes options and sets up the relevant data. We do this
1500 first, so that we can return non-zero if there are any syntax errors, and also
1503 if (f.daemon_listen && !f.inetd_wait_mode)
1505 int *default_smtp_port;
1509 const uschar * list;
1510 uschar *local_iface_source = US"local_interfaces";
1511 ip_address_item *ipa;
1512 ip_address_item **pipa;
1514 /* If -oX was used, disable the writing of a pid file unless -oP was
1515 explicitly used to force it. Then scan the string given to -oX. Any items
1516 that contain neither a dot nor a colon are used to override daemon_smtp_port.
1517 Any other items are used to override local_interfaces. */
1519 if (override_local_interfaces)
1521 gstring * new_smtp_port = NULL;
1522 gstring * new_local_interfaces = NULL;
1524 if (!override_pid_file_path) write_pid = FALSE;
1526 list = override_local_interfaces;
1528 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1531 gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port;
1537 *gp = string_catn(*gp, US"<", 1);
1540 *gp = string_catn(*gp, joinstr, 2);
1541 *gp = string_cat (*gp, s);
1546 daemon_smtp_port = string_from_gstring(new_smtp_port);
1547 DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n %s\n",
1551 if (new_local_interfaces)
1553 local_interfaces = string_from_gstring(new_local_interfaces);
1554 local_iface_source = US"-oX data";
1555 DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n %s\n",
1560 /* Create a list of default SMTP ports, to be used if local_interfaces
1561 contains entries without explicit ports. First count the number of ports, then
1562 build a translated list in a vector. */
1564 list = daemon_smtp_port;
1566 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1568 default_smtp_port = store_get((pct+1) * sizeof(int), GET_UNTAINTED);
1569 list = daemon_smtp_port;
1572 (s = string_nextinlist(&list, &sep, NULL, 0));
1578 default_smtp_port[pct] = Ustrtol(s, &end, 0);
1579 if (end != s + Ustrlen(s))
1580 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
1584 struct servent *smtp_service = getservbyname(CS s, "tcp");
1586 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1587 default_smtp_port[pct] = ntohs(smtp_service->s_port);
1590 default_smtp_port[pct] = 0;
1592 /* Check the list of TLS-on-connect ports and do name lookups if needed */
1594 list = tls_in.on_connect_ports;
1596 /* the list isn't expanded so cannot be tainted. If it ever is we will trap here */
1597 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1602 list = tls_in.on_connect_ports;
1603 tls_in.on_connect_ports = NULL;
1605 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1609 struct servent * smtp_service = getservbyname(CS s, "tcp");
1611 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1612 s = string_sprintf("%d", (int)ntohs(smtp_service->s_port));
1614 g = string_append_listele(g, ':', s);
1617 tls_in.on_connect_ports = g->s;
1621 /* Create the list of local interfaces, possibly with ports included. This
1622 list may contain references to 0.0.0.0 and ::0 as wildcards. These special
1623 values are converted below. */
1625 addresses = host_build_ifacelist(local_interfaces, local_iface_source);
1627 /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
1628 into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
1629 fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
1630 anyway, but we need to know which are the wildcard addresses, and the shorter
1633 In the same scan, fill in missing port numbers from the default list. When
1634 there is more than one item in the list, extra items are created. */
1636 for (ipa = addresses; ipa; ipa = ipa->next)
1638 if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
1639 ipa->address[0] = 0;
1640 else if (Ustrcmp(ipa->address, "::0") == 0)
1642 ipa->address[0] = ':';
1643 ipa->address[1] = 0;
1646 if (ipa->port > 0) continue;
1648 if (daemon_smtp_port[0] <= 0)
1649 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
1650 "%s and daemon_smtp_port is unset; cannot start daemon",
1651 ipa->address[0] == 0 ? US"\"all IPv4\"" :
1652 ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
1654 ipa->port = default_smtp_port[0];
1655 for (int i = 1; default_smtp_port[i] > 0; i++)
1657 ip_address_item * new = store_get(sizeof(ip_address_item), GET_UNTAINTED);
1659 memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
1660 new->port = default_smtp_port[i];
1661 new->next = ipa->next;
1667 /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
1668 wildcard for the same port, ensure that (a) they are together and (b) the
1669 IPv6 address comes first. This makes handling the messy features easier, and
1670 also simplifies the construction of the "daemon started" log line. */
1673 for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
1675 ip_address_item *ipa2;
1677 /* Handle an IPv4 wildcard */
1679 if (ipa->address[0] == 0)
1680 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1682 ip_address_item *ipa3 = ipa2->next;
1683 if (ipa3->address[0] == ':' &&
1684 ipa3->address[1] == 0 &&
1685 ipa3->port == ipa->port)
1687 ipa2->next = ipa3->next;
1694 /* Handle an IPv6 wildcard. */
1696 else if (ipa->address[0] == ':' && ipa->address[1] == 0)
1697 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
1699 ip_address_item *ipa3 = ipa2->next;
1700 if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
1702 ipa2->next = ipa3->next;
1703 ipa3->next = ipa->next;
1711 /* Get a vector to remember all the sockets in.
1712 Two extra elements for the ancillary sockets */
1714 for (ipa = addresses; ipa; ipa = ipa->next)
1715 listen_socket_count++;
1716 fd_polls = store_get(sizeof(struct pollfd) * (listen_socket_count + 2),
1718 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count + 2;
1720 { p->fd = -1; p->events = POLLIN; }
1722 } /* daemon_listen but not inetd_wait_mode */
1724 if (f.daemon_listen)
1727 /* Do a sanity check on the max connects value just to save us from getting
1728 a huge amount of store. */
1730 if (smtp_accept_max > 4095) smtp_accept_max = 4096;
1732 /* There's no point setting smtp_accept_queue unless it is less than the max
1733 connects limit. The configuration reader ensures that the max is set if the
1734 queue-only option is set. */
1736 if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
1738 /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
1739 track of them for total number and queue/host limits. */
1741 if (smtp_accept_max > 0)
1743 smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot), GET_UNTAINTED);
1744 for (int i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
1748 /* The variable background_daemon is always false when debugging, but
1749 can also be forced false in order to keep a non-debugging daemon in the
1750 foreground. If background_daemon is true, close all open file descriptors that
1751 we know about, but then re-open stdin, stdout, and stderr to /dev/null. Also
1752 do this for inetd_wait mode.
1754 This is protection against any called functions (in libraries, or in
1755 Perl, or whatever) that think they can write to stderr (or stdout). Before this
1756 was added, it was quite likely that an SMTP connection would use one of these
1757 file descriptors, in which case writing random stuff to it caused chaos.
1759 Then disconnect from the controlling terminal, Most modern Unixes seem to have
1760 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
1761 setsid() can be #defined as a no-op, or as something else. */
1763 if (f.background_daemon || f.inetd_wait_mode)
1765 log_close_all(); /* Just in case anything was logged earlier */
1766 search_tidyup(); /* Just in case any were used in reading the config. */
1767 (void)close(0); /* Get rid of stdin/stdout/stderr */
1770 exim_nullstd(); /* Connect stdin/stdout/stderr to /dev/null */
1771 log_stderr = NULL; /* So no attempt to copy paniclog output */
1774 if (f.background_daemon)
1776 /* If the parent process of this one has pid == 1, we are re-initializing the
1777 daemon as the result of a SIGHUP. In this case, there is no need to do
1778 anything, because the controlling terminal has long gone. Otherwise, fork, in
1779 case current process is a process group leader (see 'man setsid' for an
1780 explanation) before calling setsid().
1781 All other forks want daemon_listen cleared. Rather than blow a register, jsut
1786 BOOL daemon_listen = f.daemon_listen;
1787 pid_t pid = exim_fork(US"daemon");
1788 if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1789 "fork() failed when starting daemon: %s", strerror(errno));
1790 if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */
1791 (void)setsid(); /* release controlling terminal */
1792 f.daemon_listen = daemon_listen;
1796 /* We are now in the disconnected, daemon process (unless debugging). Set up
1797 the listening sockets if required. */
1799 daemon_notifier_socket();
1801 if (f.daemon_listen && !f.inetd_wait_mode)
1804 ip_address_item *ipa;
1806 /* For each IP address, create a socket, bind it to the appropriate port, and
1807 start listening. See comments above about IPv6 sockets that may or may not
1808 accept IPv4 calls when listening on all interfaces. We also have to cope with
1809 the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
1810 listening, provided a wildcard IPv4 socket for the same port follows. */
1812 for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
1815 ip_address_item * ipa2;
1818 if (Ustrchr(ipa->address, ':') != NULL)
1821 wildcard = ipa->address[1] == 0;
1826 wildcard = ipa->address[0] == 0;
1829 if ((fd_polls[sk].fd = fd = ip_socket(SOCK_STREAM, af)) < 0)
1831 if (check_special_case(0, addresses, ipa, FALSE))
1833 log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
1834 "listening (%s): will use IPv4", strerror(errno));
1837 log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
1838 af == AF_INET6 ? '6' : '4', strerror(errno));
1841 /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
1842 available. Just log failure (can get protocol not available, just like
1843 socket creation can). */
1846 if (af == AF_INET6 && wildcard &&
1847 setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
1848 log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
1849 "socket failed (%s): carrying on without it", strerror(errno));
1850 #endif /* IPV6_V6ONLY */
1852 /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
1853 is being handled. Without this, a connection will prevent reuse of the
1854 smtp port for listening. */
1856 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
1857 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
1858 "failed when starting daemon: %s", strerror(errno));
1860 /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
1861 disable this because it breaks some broken clients. */
1863 if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
1865 /* Now bind the socket to the required port; if Exim is being restarted
1866 it may not always be possible to bind immediately, even with SO_REUSEADDR
1867 set, so try 10 times, waiting between each try. After 10 failures, we give
1868 up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
1869 we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
1870 address for the same port, ignore the error on the grounds that we must be
1871 in a system where the IPv6 socket accepts both kinds of call. This is
1872 necessary for (some release of) USAGI Linux; other IP stacks fail at the
1873 listen() stage instead. */
1876 f.tcp_fastopen_ok = TRUE;
1881 if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break;
1882 if (check_special_case(errno, addresses, ipa, TRUE))
1884 DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
1885 "listen() success; EADDRINUSE ignored\n");
1889 msg = US strerror(errno);
1895 if (daemon_startup_retries <= 0)
1896 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1897 "socket bind() to port %d for address %s failed: %s: "
1898 "daemon abandoned", ipa->port, addr, msg);
1899 log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
1900 "failed: %s: waiting %s before trying again (%d more %s)",
1901 ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
1902 daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
1903 daemon_startup_retries--;
1904 sleep(daemon_startup_sleep);
1909 debug_printf("listening on all interfaces (IPv%c) port %d\n",
1910 af == AF_INET6 ? '6' : '4', ipa->port);
1912 debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
1914 /* Start listening on the bound socket, establishing the maximum backlog of
1915 connections that is allowed. On success, add to the set of sockets for select
1916 and continue to the next address. */
1918 #if defined(TCP_FASTOPEN) && !defined(__APPLE__)
1919 if ( f.tcp_fastopen_ok
1920 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN,
1921 &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
1923 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1924 f.tcp_fastopen_ok = FALSE;
1927 if (listen(fd, smtp_connect_backlog) >= 0)
1929 #if defined(TCP_FASTOPEN) && defined(__APPLE__)
1930 if ( f.tcp_fastopen_ok
1931 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)))
1933 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
1934 f.tcp_fastopen_ok = FALSE;
1937 fd_polls[sk].fd = fd;
1941 /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
1942 fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
1943 and there was a previous successful IPv6 wildcard listen on the same port,
1944 we want to ignore the error on the grounds that we must be in a system
1945 where the IPv6 socket accepts both kinds of call. */
1947 if (!check_special_case(errno, addresses, ipa, TRUE))
1948 log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
1950 ? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
1953 DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
1954 "listen() success; EADDRINUSE ignored\n");
1957 /* Come here if there has been a problem with the socket which we
1958 are going to ignore. We remove the address from the chain, and back up the
1962 sk--; /* Back up the count */
1963 listen_socket_count--; /* Reduce the total */
1964 if (ipa == addresses) addresses = ipa->next; else
1966 for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
1967 ipa2->next = ipa->next;
1970 } /* End of bind/listen loop for each address */
1971 } /* End of setup for listening */
1974 /* If we are not listening, we want to write a pid file only if -oP was
1975 explicitly given. */
1977 else if (!override_pid_file_path)
1980 /* Write the pid to a known file for assistance in identification, if required.
1981 We do this before giving up root privilege, because on some systems it is
1982 necessary to be root in order to write into the pid file directory. There's
1983 nothing to stop multiple daemons running, as long as no more than one listens
1984 on a given TCP/IP port on the same interface(s). However, in these
1985 circumstances it gets far too complicated to mess with pid file names
1986 automatically. Consequently, Exim 4 writes a pid file only
1988 (a) When running in the test harness, or
1989 (b) When -bd is used and -oX is not used, or
1990 (c) When -oP is used to supply a path.
1992 The variable daemon_write_pid is used to control this. */
1994 if (f.running_in_test_harness || write_pid)
1996 const enum pid_op operation = (f.running_in_test_harness
1997 || real_uid == root_uid
1998 || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
1999 if (!operate_on_pid_file(operation, getpid()))
2000 DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
2003 /* Set up the handler for SIGHUP, which causes a restart of the daemon. */
2005 sighup_seen = FALSE;
2006 signal(SIGHUP, sighup_handler);
2008 /* Give up root privilege at this point (assuming that exim_uid and exim_gid
2009 are not root). The third argument controls the running of initgroups().
2010 Normally we do this, in order to set up the groups for the Exim user. However,
2011 if we are not root at this time - some odd installations run that way - we
2014 exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
2016 /* Update the originator_xxx fields so that received messages as listed as
2017 coming from Exim, not whoever started the daemon. */
2019 originator_uid = exim_uid;
2020 originator_gid = exim_gid;
2021 originator_login = (pw = getpwuid(exim_uid))
2022 ? string_copy_perm(US pw->pw_name, FALSE) : US"exim";
2024 /* Get somewhere to keep the list of queue-runner pids if we are keeping track
2025 of them (and also if we are doing queue runs). */
2027 if (queue_interval > 0 && local_queue_run_max > 0)
2029 queue_pid_slots = store_get(local_queue_run_max * sizeof(pid_t), GET_UNTAINTED);
2030 for (int i = 0; i < local_queue_run_max; i++) queue_pid_slots[i] = 0;
2033 /* Set up the handler for termination of child processes, and the one
2034 telling us to die. */
2036 sigchld_seen = FALSE;
2037 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2039 sigterm_seen = FALSE;
2040 os_non_restarting_signal(SIGTERM, main_sigterm_handler);
2041 os_non_restarting_signal(SIGINT, main_sigterm_handler);
2043 /* If we are to run the queue periodically, pretend the alarm has just gone
2044 off. This will cause the first queue-runner to get kicked off straight away. */
2046 sigalrm_seen = (queue_interval > 0);
2048 /* Log the start up of a daemon - at least one of listening or queue running
2051 if (f.inetd_wait_mode)
2053 uschar *p = big_buffer;
2055 if (inetd_wait_timeout >= 0)
2056 sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
2058 sprintf(CS p, "with no wait timeout");
2060 log_write(0, LOG_MAIN,
2061 "exim %s daemon started: pid=%d, launched with listening socket, %s",
2062 version_string, getpid(), big_buffer);
2063 set_process_info("daemon(%s): pre-listening socket", version_string);
2065 /* set up the timeout logic */
2066 sigalrm_seen = TRUE;
2069 else if (f.daemon_listen)
2072 int smtps_ports = 0;
2073 ip_address_item * ipa;
2075 uschar * qinfo = queue_interval > 0
2076 ? string_sprintf("-q%s%s",
2077 f.queue_2stage ? "q" : "", readconf_printtime(queue_interval))
2078 : US"no queue runs";
2080 /* Build a list of listening addresses in big_buffer, but limit it to 10
2081 items. The style is for backwards compatibility.
2083 It is now possible to have some ports listening for SMTPS (the old,
2084 deprecated protocol that starts TLS without using STARTTLS), and others
2085 listening for standard SMTP. Keep their listings separate. */
2087 for (int j = 0, i; j < 2; j++)
2089 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2091 /* First time round, look for SMTP ports; second time round, look for
2092 SMTPS ports. Build IP+port strings. */
2094 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2101 /* Now the information about the port (and sometimes interface) */
2103 if (ipa->address[0] == ':' && ipa->address[1] == 0)
2105 if (ipa->next && ipa->next->address[0] == 0 &&
2106 ipa->next->port == ipa->port)
2108 ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
2109 (ipa = ipa->next)->log = NULL;
2111 else if (ipa->v6_include_v4)
2112 ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
2114 ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
2116 else if (ipa->address[0] == 0) /* v4 wildcard */
2117 ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
2118 else /* check for previously-seen IP */
2120 ip_address_item * i2;
2121 for (i2 = addresses; i2 != ipa; i2 = i2->next)
2122 if ( host_is_tls_on_connect_port(i2->port) == (j > 0)
2123 && Ustrcmp(ipa->address, i2->address) == 0
2125 { /* found; append port to list */
2126 for (p = i2->log; *p; ) p++; /* end of existing string */
2127 if (*--p == '}') *p = '\0'; /* drop EOL */
2128 while (isdigit(*--p)) ; /* char before port */
2130 i2->log = *p == ':' /* no list yet? { */
2131 ? string_sprintf("%.*s{%s,%d}",
2132 (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
2133 : string_sprintf("%s,%d}", i2->log, ipa->port);
2137 if (i2 == ipa) /* first-time IP */
2138 ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
2145 for (int j = 0, i; j < 2; j++)
2147 /* First time round, look for SMTP ports; second time round, look for
2148 SMTPS ports. For the first one of each, insert leading text. */
2153 p += sprintf(CS p, "SMTP on");
2156 if (smtps_ports > 0)
2157 p += sprintf(CS p, "%sSMTPS on",
2158 smtp_ports == 0 ? "" : " and for ");
2160 /* Now the information about the port (and sometimes interface) */
2162 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2163 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2165 p += sprintf(CS p, "%s", ipa->log);
2168 p += sprintf(CS p, " ...");
2171 log_write(0, LOG_MAIN,
2172 "exim %s daemon started: pid=%d, %s, listening for %s",
2173 version_string, getpid(), qinfo, big_buffer);
2174 set_process_info("daemon(%s): %s, listening for %s",
2175 version_string, qinfo, big_buffer);
2180 uschar * s = *queue_name
2181 ? string_sprintf("-qG%s/%s", queue_name, readconf_printtime(queue_interval))
2182 : string_sprintf("-q%s", readconf_printtime(queue_interval));
2183 log_write(0, LOG_MAIN,
2184 "exim %s daemon started: pid=%d, %s, not listening for SMTP",
2185 version_string, getpid(), s);
2186 set_process_info("daemon(%s): %s, not listening", version_string, s);
2189 /* Do any work it might be useful to amortize over our children
2190 (eg: compile regex) */
2193 smtp_deliver_init(); /* Used for callouts */
2195 #ifndef DISABLE_DKIM
2197 # ifdef MEASURE_TIMING
2199 gettimeofday(&t0, NULL);
2202 # ifdef MEASURE_TIMING
2203 report_time_since(&t0, US"dkim_exim_init (delta)");
2208 #ifdef WITH_CONTENT_SCAN
2218 /* Add ancillary sockets to the set for select */
2220 poll_fd_count = listen_socket_count;
2222 if (tls_watch_fd >= 0)
2224 tls_watch_poll = &fd_polls[poll_fd_count++];
2225 tls_watch_poll->fd = tls_watch_fd;
2226 tls_watch_poll->events = POLLIN;
2229 if (daemon_notifier_fd >= 0)
2231 dnotify_poll = &fd_polls[poll_fd_count++];
2232 dnotify_poll->fd = daemon_notifier_fd;
2233 dnotify_poll->events = POLLIN;
2236 /* Close the log so it can be renamed and moved. In the few cases below where
2237 this long-running process writes to the log (always exceptional conditions), it
2238 closes the log afterwards, for the same reason. */
2242 DEBUG(D_any) debug_print_ids(US"daemon running with");
2244 /* Any messages accepted via this route are going to be SMTP. */
2248 #ifdef MEASURE_TIMING
2249 report_time_since(×tamp_startup, US"daemon loop start"); /* testcase 0022 */
2252 /* Enter the never-ending loop... */
2259 daemon_die(); /* Does not return */
2261 /* This code is placed first in the loop, so that it gets obeyed at the
2262 start, before the first wait, for the queue-runner case, so that the first
2263 one can be started immediately.
2265 The other option is that we have an inetd wait timeout specified to -bw. */
2269 if (inetd_wait_timeout > 0)
2271 time_t resignal_interval = inetd_wait_timeout;
2273 if (last_connection_time == (time_t)0)
2276 debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
2280 time_t now = time(NULL);
2281 if (now == (time_t)-1)
2283 DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
2287 if ((now - last_connection_time) >= inetd_wait_timeout)
2290 debug_printf("inetd wait timeout %d expired, ending daemon\n",
2291 inetd_wait_timeout);
2292 log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
2298 resignal_interval -= (now - last_connection_time);
2303 sigalrm_seen = FALSE;
2304 ALARM(resignal_interval);
2309 DEBUG(D_any) debug_printf("%s received\n",
2310 #ifndef DISABLE_QUEUE_RAMP
2311 *queuerun_msgid ? "qrun notification" :
2315 /* Do a full queue run in a child process, if required, unless we already
2316 have enough queue runners on the go. If we are not running as root, a
2317 re-exec is required. */
2319 if ( queue_interval > 0
2320 && (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max))
2322 if ((pid = exim_fork(US"queue-runner")) == 0)
2324 /* Disable debugging if it's required only for the daemon process. We
2325 leave the above message, because it ties up with the "child ended"
2326 debugging messages. */
2328 if (f.debug_daemon) debug_selector = 0;
2330 /* Close any open listening sockets in the child */
2332 close_daemon_sockets(daemon_notifier_fd,
2333 fd_polls, listen_socket_count);
2335 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
2337 signal(SIGHUP, SIG_DFL);
2338 signal(SIGCHLD, SIG_DFL);
2339 signal(SIGTERM, SIG_DFL);
2340 signal(SIGINT, SIG_DFL);
2342 /* Re-exec if privilege has been given up, unless deliver_drop_
2343 privilege is set. Reset SIGALRM before exec(). */
2345 if (geteuid() != root_uid && !deliver_drop_privilege)
2352 signal(SIGALRM, SIG_DFL);
2356 #ifndef DISABLE_QUEUE_RAMP
2360 if (f.queue_run_first_delivery) *p++ = 'i';
2361 if (f.queue_run_force) *p++ = 'f';
2362 if (f.deliver_force_thaw) *p++ = 'f';
2363 if (f.queue_run_local) *p++ = 'l';
2365 extra[0] = *queue_name
2366 ? string_sprintf("%sG%s", opt, queue_name) : opt;
2368 #ifndef DISABLE_QUEUE_RAMP
2369 if (*queuerun_msgid)
2371 log_write(0, LOG_MAIN, "notify triggered queue run");
2372 extra[extracount++] = queuerun_msgid; /* Trigger only the */
2373 extra[extracount++] = queuerun_msgid; /* one message */
2377 /* If -R or -S were on the original command line, ensure they get
2380 if (deliver_selectstring)
2382 extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
2383 extra[extracount++] = deliver_selectstring;
2386 if (deliver_selectstring_sender)
2388 extra[extracount++] = f.deliver_selectstring_sender_regex
2390 extra[extracount++] = deliver_selectstring_sender;
2393 /* Overlay this process with a new execution. */
2395 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount,
2396 extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]);
2398 /* Control never returns here. */
2401 /* No need to re-exec; SIGALRM remains set to the default handler */
2403 #ifndef DISABLE_QUEUE_RAMP
2404 if (*queuerun_msgid)
2406 log_write(0, LOG_MAIN, "notify triggered queue run");
2407 f.queue_2stage = FALSE;
2408 queue_run(queuerun_msgid, queuerun_msgid, FALSE);
2412 queue_run(NULL, NULL, FALSE);
2413 exim_underbar_exit(EXIT_SUCCESS);
2418 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
2419 "process failed: %s", strerror(errno));
2424 for (int i = 0; i < local_queue_run_max; ++i)
2425 if (queue_pid_slots[i] <= 0)
2427 queue_pid_slots[i] = pid;
2431 DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
2432 queue_run_count, queue_run_count == 1 ? "" : "es");
2436 /* Reset the alarm clock */
2438 sigalrm_seen = FALSE;
2439 #ifndef DISABLE_QUEUE_RAMP
2440 if (*queuerun_msgid)
2441 *queuerun_msgid = 0;
2444 ALARM(queue_interval);
2447 } /* sigalrm_seen */
2450 /* Sleep till a connection happens if listening, and handle the connection if
2451 that is why we woke up. The FreeBSD operating system requires the use of
2452 select() before accept() because the latter function is not interrupted by
2453 a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
2454 OS do notice signals in accept() but it does no harm to have the select()
2455 in for all of them - and it won't then be a lurking problem for ports to
2456 new OS. In fact, the later addition of listening on specific interfaces only
2457 requires this way of working anyway. */
2459 if (f.daemon_listen)
2462 BOOL select_failed = FALSE;
2464 DEBUG(D_any) debug_printf("Listening...\n");
2466 /* In rare cases we may have had a SIGCHLD signal in the time between
2467 setting the handler (below) and getting back here. If so, pretend that the
2468 select() was interrupted so that we reap the child. This might still leave
2469 a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
2470 only to do the reaping more quickly, it shouldn't result in anything other
2471 than a delay until something else causes a wake-up. */
2479 lcount = poll(fd_polls, poll_fd_count, -1);
2483 select_failed = TRUE;
2487 /* Clean up any subprocesses that may have terminated. We need to do this
2488 here so that smtp_accept_max_per_host works when a connection to that host
2489 has completed, and we are about to accept a new one. When this code was
2490 later in the sequence, a new connection could be rejected, even though an
2491 old one had just finished. Preserve the errno from any select() failure for
2492 the use of the common select/accept error processing below. */
2495 int select_errno = errno;
2496 handle_ending_processes();
2501 /* Create or rotate any required keys; handle (delayed) filewatch event */
2503 if ((old_tfd = tls_daemon_tick()) >= 0)
2504 for (struct pollfd * p = &fd_polls[listen_socket_count];
2505 p < fd_polls + poll_fd_count; p++)
2506 if (p->fd == old_tfd) { p->fd = tls_watch_fd ; break; }
2509 errno = select_errno;
2512 /* Loop for all the sockets that are currently ready to go. If select
2513 actually failed, we have set the count to 1 and select_failed=TRUE, so as
2514 to use the common error code for select/accept below. */
2516 while (lcount-- > 0)
2518 int accept_socket = -1;
2520 struct sockaddr_in6 accepted;
2522 struct sockaddr_in accepted;
2527 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
2528 if (tls_watch_poll && tls_watch_poll->revents & POLLIN)
2530 tls_watch_poll->revents = 0;
2531 tls_watch_trigger_time = time(NULL); /* Set up delayed event */
2532 tls_watch_discard_event(tls_watch_fd);
2533 break; /* to top of daemon loop */
2536 if (dnotify_poll && dnotify_poll->revents & POLLIN)
2538 dnotify_poll->revents = 0;
2539 sigalrm_seen = daemon_notification();
2540 break; /* to top of daemon loop */
2542 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count;
2544 if (p->revents & POLLIN)
2546 EXIM_SOCKLEN_T alen = sizeof(accepted);
2549 socklen_t tlen = sizeof(ti);
2551 /* If monitoring the backlog is wanted, grab for later logging */
2553 smtp_listen_backlog = 0;
2554 if ( smtp_backlog_monitor > 0
2555 && getsockopt(p->fd, IPPROTO_TCP, TCP_INFO, &ti, &tlen) == 0)
2557 # ifdef EXIM_HAVE_TCPI_UNACKED
2558 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2559 p->fd, ti.tcpi_sacked, ti.tcpi_unacked);
2560 smtp_listen_backlog = ti.tcpi_unacked;
2561 # elif defined(__FreeBSD__) /* This does not work. Investigate kernel sourcecode. */
2562 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2563 p->fd, ti.__tcpi_sacked, ti.__tcpi_unacked);
2564 smtp_listen_backlog = ti.__tcpi_unacked;
2569 accept_socket = accept(p->fd, (struct sockaddr *)&accepted, &alen);
2574 /* If select or accept has failed and this was not caused by an
2575 interruption, log the incident and try again. With asymmetric TCP/IP
2576 routing errors such as "No route to network" have been seen here. Also
2577 "connection reset by peer" has been seen. These cannot be classed as
2578 disastrous errors, but they could fill up a lot of log. The code in smail
2579 crashes the daemon after 10 successive failures of accept, on the grounds
2580 that some OS fail continuously. Exim originally followed suit, but this
2581 appears to have caused problems. Now it just keeps going, but instead of
2582 logging each error, it batches them up when they are continuous. */
2584 if (accept_socket < 0 && errno != EINTR)
2586 if (accept_retry_count == 0)
2588 accept_retry_errno = errno;
2589 accept_retry_select_failed = select_failed;
2591 else if ( errno != accept_retry_errno
2592 || select_failed != accept_retry_select_failed
2593 || accept_retry_count >= 50)
2595 log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
2596 "%d %s() failure%s: %s",
2598 accept_retry_select_failed ? "select" : "accept",
2599 accept_retry_count == 1 ? "" : "s",
2600 strerror(accept_retry_errno));
2602 accept_retry_count = 0;
2603 accept_retry_errno = errno;
2604 accept_retry_select_failed = select_failed;
2606 accept_retry_count++;
2608 else if (accept_retry_count > 0)
2610 log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
2612 accept_retry_select_failed ? "select" : "accept",
2613 accept_retry_count == 1 ? "" : "s",
2614 strerror(accept_retry_errno));
2616 accept_retry_count = 0;
2619 /* If select/accept succeeded, deal with the connection. */
2621 if (accept_socket >= 0)
2623 #ifdef TCP_QUICKACK /* Avoid pure-ACKs while in tls protocol pingpong phase */
2624 /* Unfortunately we cannot be certain to do this before a TLS-on-connect
2625 Client Hello arrives and is acked. We do it as early as possible. */
2626 (void) setsockopt(accept_socket, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
2628 if (inetd_wait_timeout)
2629 last_connection_time = time(NULL);
2630 handle_smtp_call(fd_polls, listen_socket_count, accept_socket,
2631 (struct sockaddr *)&accepted);
2636 /* If not listening, then just sleep for the queue interval. If we woke
2637 up early the last time for some other signal, it won't matter because
2638 the alarm signal will wake at the right time. This code originally used
2639 sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
2640 rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
2641 select() can be used as an interruptible sleep() on all versions of Unix. */
2646 poll(&p, 0, queue_interval * 1000);
2647 handle_ending_processes();
2650 /* Re-enable the SIGCHLD handler if it has been run. It can't do it
2651 for itself, because it isn't doing the waiting itself. */
2655 sigchld_seen = FALSE;
2656 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2659 /* Handle being woken by SIGHUP. We know at this point that the result
2660 of accept() has been dealt with, so we can re-exec exim safely, first
2661 closing the listening sockets so that they can be reused. Cancel any pending
2662 alarm in case it is just about to go off, and set SIGHUP to be ignored so
2663 that another HUP in quick succession doesn't clobber the new daemon before it
2664 gets going. All log files get closed by the close-on-exec flag; however, if
2665 the exec fails, we need to close the logs. */
2669 log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
2671 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
2673 signal(SIGHUP, SIG_IGN);
2674 sighup_argv[0] = exim_path;
2676 execv(CS exim_path, (char *const *)sighup_argv);
2677 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
2678 getpid(), exim_path, strerror(errno));
2682 } /* End of main loop */
2684 /* Control never reaches here */
2689 /* End of exim_daemon.c */
git://git.exim.org / exim.git / blob