1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2023 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Functions concerned with running Exim as a daemon */
16 /* Structure for holding data for each SMTP connection */
18 typedef struct smtp_slot {
19 pid_t pid; /* pid of the spawned reception process */
20 uschar * host_address; /* address of the client host */
23 typedef struct runner_slot {
24 pid_t pid; /* pid of spawned queue-runner process */
25 const uschar *queue_name; /* pointer to the name in the qrunner struct */
28 /* An empty slot for initializing (Standard C does not allow constructor
29 expressions in assignments except as initializers in declarations). */
31 static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL };
33 /*************************************************
34 * Local static variables *
35 *************************************************/
37 static SIGNAL_BOOL sigchld_seen;
38 static SIGNAL_BOOL sighup_seen;
39 static SIGNAL_BOOL sigterm_seen;
41 static int accept_retry_count = 0;
42 static int accept_retry_errno;
43 static BOOL accept_retry_select_failed;
45 static int queue_run_count = 0; /* current runners */
47 static unsigned queue_runner_slot_count = 0;
48 static runner_slot * queue_runner_slots = NULL;
49 static smtp_slot * smtp_slots = NULL;
51 static BOOL write_pid = TRUE;
53 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
54 static uschar * notifier_socket_name;
58 /*************************************************
60 *************************************************/
62 /* All this handler does is to set a flag and re-enable the signal.
64 Argument: the signal number
69 sighup_handler(int sig)
72 signal(SIGHUP, sighup_handler);
77 /*************************************************
78 * SIGCHLD handler for main daemon process *
79 *************************************************/
81 /* Don't re-enable the handler here, since we aren't doing the
82 waiting here. If the signal is re-enabled, there will just be an
83 infinite sequence of calls to this handler. The SIGCHLD signal is
84 used just as a means of waking up the daemon so that it notices
85 terminated subprocesses as soon as possible.
87 Argument: the signal number
92 main_sigchld_handler(int sig)
94 os_non_restarting_signal(SIGCHLD, SIG_DFL);
99 /* SIGTERM handler. Try to get the daemon pid file removed
103 main_sigterm_handler(int sig)
111 /*************************************************
112 * Unexpected errors in SMTP calls *
113 *************************************************/
115 /* This function just saves a bit of repetitious coding.
118 log_msg Text of message to be logged
119 smtp_msg Text of SMTP error message
120 was_errno The failing errno
126 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
128 uschar *emsg = was_errno <= 0
129 ? US"" : string_sprintf(": %s", strerror(was_errno));
130 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
131 if (smtp_out) smtp_printf("421 %s\r\n", SP_NO_MORE, smtp_msg);
137 /*************************************************
138 *************************************************/
141 unlink_notifier_socket(void)
143 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
144 DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", notifier_socket_name);
145 Uunlink(notifier_socket_name);
151 close_daemon_sockets(int daemon_notifier_fd,
152 struct pollfd * fd_polls, int listen_socket_count)
154 if (daemon_notifier_fd >= 0)
156 (void) close(daemon_notifier_fd);
157 daemon_notifier_fd = -1;
160 for (int i = 0; i < listen_socket_count; i++) (void) close(fd_polls[i].fd);
164 /*************************************************
165 * Handle a connected SMTP call *
166 *************************************************/
168 /* This function is called when an SMTP connection has been accepted.
169 If there are too many, give an error message and close down. Otherwise
170 spin off a sub-process to handle the call. The list of listening sockets
171 is required so that they can be closed in the sub-process. Take care not to
172 leak store in this process - reset the stacking pool at the end.
175 fd_polls sockets which are listening for incoming calls
176 listen_socket_count count of listening sockets
177 accept_socket socket of the current accepted call
178 accepted socket information about the current call
184 handle_smtp_call(struct pollfd * fd_polls, int listen_socket_count,
185 int accept_socket, struct sockaddr *accepted)
188 union sockaddr_46 interface_sockaddr;
189 EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
190 int dup_accept_socket = -1;
191 int max_for_this_host = 0;
192 int save_log_selector = *log_selector;
195 rmark reset_point = store_mark();
197 /* Make the address available in ASCII representation, and also fish out
200 sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
201 DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
202 sender_host_address, sender_host_port);
204 /* Set up the output stream, check the socket has duplicated, and set up the
205 input stream. These operations fail only the exceptional circumstances. Note
206 that never_error() won't use smtp_out if it is NULL. */
208 if (!(smtp_out = fdopen(accept_socket, "wb")))
210 never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
214 if ((dup_accept_socket = dup(accept_socket)) < 0)
216 never_error(US"daemon: couldn't dup socket descriptor",
217 US"Connection setup failed", errno);
221 if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
223 never_error(US"daemon: fdopen() for smtp_in failed",
224 US"Connection setup failed", errno);
228 /* Get the data for the local interface address. Panic for most errors, but
229 "connection reset by peer" just means the connection went away. */
231 if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
234 log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
235 "getsockname() failed: %s", strerror(errno));
236 smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n", SP_NO_MORE);
240 interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
241 DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
242 interface_address, interface_port);
244 /* Build a string identifying the remote host and, if requested, the port and
245 the local interface data. This is for logging; at the end of this function the
246 memory is reclaimed. */
248 whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
250 if (LOGGING(incoming_port))
251 whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
253 if (LOGGING(incoming_interface))
254 whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
255 interface_address, interface_port);
257 /* Check maximum number of connections. We do not check for reserved
258 connections or unacceptable hosts here. That is done in the subprocess because
259 it might take some time. */
261 if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
263 DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
264 smtp_accept_count, smtp_accept_max);
265 smtp_printf("421 Too many concurrent SMTP connections; "
266 "please try again later.\r\n", SP_NO_MORE);
267 log_write(L_connection_reject,
268 LOG_MAIN, "Connection from %Y refused: too many connections",
273 /* If a load limit above which only reserved hosts are acceptable is defined,
274 get the load average here, and if there are in fact no reserved hosts, do
275 the test right away (saves a fork). If there are hosts, do the check in the
276 subprocess because it might take time. */
278 if (smtp_load_reserve >= 0)
280 load_average = OS_GETLOADAVG();
281 if (!smtp_reserve_hosts && load_average > smtp_load_reserve)
283 DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
284 (double)load_average/1000.0);
285 smtp_printf("421 Too much load; please try again later.\r\n", SP_NO_MORE);
286 log_write(L_connection_reject,
287 LOG_MAIN, "Connection from %Y refused: load average = %.2f",
288 whofrom, (double)load_average/1000.0);
293 /* Check that one specific host (strictly, IP address) is not hogging
294 resources. This is done here to prevent a denial of service attack by someone
295 forcing you to fork lots of times before denying service. The value of
296 smtp_accept_max_per_host is a string which is expanded. This makes it possible
297 to provide host-specific limits according to $sender_host address, but because
298 this is in the daemon mainline, only fast expansions (such as inline address
299 checks) should be used. The documentation is full of warnings. */
301 if (smtp_accept_max_per_host)
303 uschar *expanded = expand_string(smtp_accept_max_per_host);
306 if (!f.expand_string_forcedfail)
307 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
308 "failed for %Y: %s", whofrom, expand_string_message);
310 /* For speed, interpret a decimal number inline here */
313 uschar *s = expanded;
315 max_for_this_host = max_for_this_host * 10 + *s++ - '0';
317 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
318 "for %Y contains non-digit: %s", whofrom, expanded);
322 /* If we have fewer connections than max_for_this_host, we can skip the tedious
323 per host_address checks. Note that at this stage smtp_accept_count contains the
324 count of *other* connections, not including this one. */
326 if (max_for_this_host > 0 && smtp_accept_count >= max_for_this_host)
328 int host_accept_count = 0;
329 int other_host_count = 0; /* keep a count of non matches to optimise */
331 for (int i = 0; i < smtp_accept_max; ++i)
332 if (smtp_slots[i].host_address)
334 if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
339 /* Testing all these strings is expensive - see if we can drop out
340 early, either by hitting the target, or finding there are not enough
341 connections left to make the target. */
343 if ( host_accept_count >= max_for_this_host
344 || smtp_accept_count - other_host_count < max_for_this_host)
348 if (host_accept_count >= max_for_this_host)
350 DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
351 "IP address: count=%d max=%d\n",
352 host_accept_count, max_for_this_host);
353 smtp_printf("421 Too many concurrent SMTP connections "
354 "from this IP address; please try again later.\r\n", SP_NO_MORE);
355 log_write(L_connection_reject,
356 LOG_MAIN, "Connection from %Y refused: too many connections "
357 "from that IP address", whofrom);
363 /* OK, the connection count checks have been passed.
364 Now we can fork the accepting process; do a lookup tidy, just in case any
365 expansion above did a lookup. */
368 pid = exim_fork(US"daemon-accept");
370 /* Handle the child process */
374 int queue_only_reason = 0;
375 int old_pool = store_pool;
376 int save_debug_selector = debug_selector;
377 BOOL local_queue_only;
378 BOOL session_local_queue_only;
380 struct sigaction act;
383 smtp_accept_count++; /* So that it includes this process */
384 connection_id = getpid();
386 /* Log the connection if requested.
387 In order to minimize the cost (because this is going to happen for every
388 connection), do a preliminary selector test here. This saves ploughing through
389 the generalized logging code each time when the selector is false. If the
390 selector is set, check whether the host is on the list for logging. If not,
391 arrange to unset the selector in the subprocess.
393 jgh 2023/08/08 :- moved this logging in from the parent process, just
394 pre-fork. There was a claim back from 2004 that smtp_accept_count could have
395 become out-of-date by the time the child could log it, and I can't see how
396 that could happen. */
398 if (LOGGING(smtp_connection))
400 uschar * list = hosts_connection_nolog;
401 memset(sender_host_cache, 0, sizeof(sender_host_cache));
402 if (list && verify_check_host(&list) == OK)
403 save_log_selector &= ~L_smtp_connection;
404 else if (LOGGING(connection_id))
405 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %Y "
406 "Ci=%lu (TCP/IP connection count = %d)", whofrom, connection_id, smtp_accept_count);
408 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %Y "
409 "(TCP/IP connection count = %d)", whofrom, smtp_accept_count);
412 /* If the listen backlog was over the monitoring level, log it. */
414 if (smtp_listen_backlog > smtp_backlog_monitor)
415 log_write(0, LOG_MAIN, "listen backlog %d I=[%s]:%d",
416 smtp_listen_backlog, interface_address, interface_port);
418 /* May have been modified for the subprocess */
420 *log_selector = save_log_selector;
422 /* Get the local interface address into permanent store */
424 store_pool = POOL_PERM;
425 interface_address = string_copy(interface_address);
426 store_pool = old_pool;
428 /* Check for a tls-on-connect port */
430 if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
432 /* Expand smtp_active_hostname if required. We do not do this any earlier,
433 because it may depend on the local interface address (indeed, that is most
434 likely what it depends on.) */
436 smtp_active_hostname = primary_hostname;
437 if (raw_active_hostname)
439 uschar * nah = expand_string(raw_active_hostname);
442 if (!f.expand_string_forcedfail)
444 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
445 "(smtp_active_hostname): %s", raw_active_hostname,
446 expand_string_message);
447 smtp_printf("421 Local configuration error; "
448 "please try again later.\r\n", SP_NO_MORE);
451 exim_underbar_exit(EXIT_FAILURE);
454 else if (*nah) smtp_active_hostname = nah;
457 /* Initialize the queueing flags */
460 session_local_queue_only = queue_only;
462 /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
463 We also attempt to set things up so that children are automatically reaped,
464 but just in case this isn't available, there's a paranoid waitpid() in the
465 loop too (except for systems where we are sure it isn't needed). See the more
466 extensive comment before the reception loop in exim.c for a fuller
467 explanation of this logic. */
469 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
471 /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
472 to be able to communicate with them, under any circumstances. */
473 (void)fcntl(accept_socket, F_SETFD,
474 fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
475 (void)fcntl(dup_accept_socket, F_SETFD,
476 fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
479 act.sa_handler = SIG_IGN;
480 sigemptyset(&(act.sa_mask));
481 act.sa_flags = SA_NOCLDWAIT;
482 sigaction(SIGCHLD, &act, NULL);
484 signal(SIGCHLD, SIG_IGN);
486 signal(SIGTERM, SIG_DFL);
487 signal(SIGINT, SIG_DFL);
489 /* Attempt to get an id from the sending machine via the RFC 1413
490 protocol. We do this in the sub-process in order not to hold up the
491 main process if there is any delay. Then set up the fullhost information
492 in case there is no HELO/EHLO.
494 If debugging is enabled only for the daemon, we must turn if off while
495 finding the id, but turn it on again afterwards so that information about the
496 incoming connection is output. */
498 if (f.debug_daemon) debug_selector = 0;
499 verify_get_ident(IDENT_PORT);
500 host_build_sender_fullhost();
501 debug_selector = save_debug_selector;
504 debug_printf("Process %d is handling incoming connection from %s\n",
505 (int)getpid(), sender_fullhost);
507 /* Now disable debugging permanently if it's required only for the daemon
510 if (f.debug_daemon) debug_selector = 0;
512 /* If there are too many child processes for immediate delivery,
513 set the session_local_queue_only flag, which is initialized from the
514 configured value and may therefore already be TRUE. Leave logging
515 till later so it will have a message id attached. Note that there is no
516 possibility of re-calculating this per-message, because the value of
517 smtp_accept_count does not change in this subprocess. */
519 if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
521 session_local_queue_only = TRUE;
522 queue_only_reason = 1;
525 /* Handle the start of the SMTP session, then loop, accepting incoming
526 messages from the SMTP connection. The end will come at the QUIT command,
527 when smtp_setup_msg() returns 0. A break in the connection causes the
528 process to die (see accept.c).
530 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
531 because a log line has already been written for all its failure exists
532 (usually "connection refused: <reason>") and writing another one is
533 unnecessary clutter. */
535 if (!smtp_start_session())
539 exim_underbar_exit(EXIT_SUCCESS);
545 message_id[0] = 0; /* Clear out any previous message_id */
546 reset_point = store_mark(); /* Save current store high water point */
549 debug_printf("Process %d is ready for new message\n", (int)getpid());
551 /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
552 unacceptable host or if an ACL "drop" command was triggered, -1 on
553 connection lost, and +1 on validly reaching DATA. Receive_msg() almost
554 always returns TRUE when smtp_input is true; just retry if no message was
555 accepted (can happen for invalid message parameters). However, it can yield
556 FALSE if the connection was forcibly dropped by the DATA ACL. */
558 if ((rc = smtp_setup_msg()) > 0)
560 BOOL ok = receive_msg(FALSE);
561 search_tidyup(); /* Close cached databases */
562 if (!ok) /* Connection was dropped */
564 cancel_cutthrough_connection(TRUE, US"receive dropped");
566 smtp_log_no_mail(); /* Log no mail if configured */
567 exim_underbar_exit(EXIT_SUCCESS);
569 if (!message_id[0]) continue; /* No message was accepted */
571 else /* bad smtp_setup_msg() */
575 int fd = fileno(smtp_in);
579 /* drain socket, for clean TCP FINs */
580 if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
581 for(int i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
583 cancel_cutthrough_connection(TRUE, US"message setup dropped");
585 smtp_log_no_mail(); /* Log no mail if configured */
587 /*XXX should we pause briefly, hoping that the client will be the
588 active TCP closer hence get the TCP_WAIT endpoint? */
589 DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
590 exim_underbar_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
593 /* Show the recipients when debugging */
598 debug_printf("Sender: %s\n", sender_address);
601 debug_printf("Recipients:\n");
602 for (int i = 0; i < recipients_count; i++)
603 debug_printf(" %s\n", recipients_list[i].address);
607 /* A message has been accepted. Clean up any previous delivery processes
608 that have completed and are defunct, on systems where they don't go away
609 by themselves (see comments when setting SIG_IGN above). On such systems
610 (if any) these delivery processes hang around after termination until
611 the next message is received. */
613 #ifndef SIG_IGN_WORKS
614 while (waitpid(-1, NULL, WNOHANG) > 0);
617 /* Reclaim up the store used in accepting this message */
620 int r = receive_messagecount;
621 BOOL q = f.queue_only_policy;
622 smtp_reset(reset_point);
624 f.queue_only_policy = q;
625 receive_messagecount = r;
628 /* If queue_only is set or if there are too many incoming connections in
629 existence, session_local_queue_only will be TRUE. If it is not, check
630 whether we have received too many messages in this session for immediate
633 if (!session_local_queue_only &&
634 smtp_accept_queue_per_connection > 0 &&
635 receive_messagecount > smtp_accept_queue_per_connection)
637 session_local_queue_only = TRUE;
638 queue_only_reason = 2;
641 /* Initialize local_queue_only from session_local_queue_only. If it is not
642 true, and queue_only_load is set, check that the load average is below it.
643 If local_queue_only is set by this means, we also set if for the session if
644 queue_only_load_latch is true (the default). This means that, once set,
645 local_queue_only remains set for any subsequent messages on the same SMTP
646 connection. This is a deliberate choice; even though the load average may
647 fall, it doesn't seem right to deliver later messages on the same call when
648 not delivering earlier ones. However, the are special circumstances such as
649 very long-lived connections from scanning appliances where this is not the
650 best strategy. In such cases, queue_only_load_latch should be set false. */
652 if ( !(local_queue_only = session_local_queue_only)
653 && queue_only_load >= 0
654 && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
657 queue_only_reason = 3;
658 if (queue_only_load_latch) session_local_queue_only = TRUE;
661 /* Log the queueing here, when it will get a message id attached, but
662 not if queue_only is set (case 0). */
664 if (local_queue_only) switch(queue_only_reason)
666 case 1: log_write(L_delay_delivery,
667 LOG_MAIN, "no immediate delivery: too many connections "
668 "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
671 case 2: log_write(L_delay_delivery,
672 LOG_MAIN, "no immediate delivery: more than %d messages "
673 "received in one connection", smtp_accept_queue_per_connection);
676 case 3: log_write(L_delay_delivery,
677 LOG_MAIN, "no immediate delivery: load average %.2f",
678 (double)load_average/1000.0);
682 /* If a delivery attempt is required, spin off a new process to handle it.
683 If we are not root, we have to re-exec exim unless deliveries are being
684 done unprivileged. */
686 else if ( (!f.queue_only_policy || f.queue_smtp)
687 && !f.deliver_freeze)
691 /* We used to flush smtp_out before forking so that buffered data was not
692 duplicated, but now we want to pipeline the responses for data and quit.
693 Instead, hard-close the fd underlying smtp_out right after fork to discard
696 if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0)
698 (void)fclose(smtp_in);
699 (void)close(fileno(smtp_out));
700 (void)fclose(smtp_out);
701 smtp_in = smtp_out = NULL;
703 /* Don't ever molest the parent's SSL connection, but do clean up
704 the data structures if necessary. */
707 tls_close(NULL, TLS_NO_SHUTDOWN);
710 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
712 signal(SIGHUP, SIG_DFL);
713 signal(SIGCHLD, SIG_DFL);
714 signal(SIGTERM, SIG_DFL);
715 signal(SIGINT, SIG_DFL);
717 if (geteuid() != root_uid && !deliver_drop_privilege)
719 signal(SIGALRM, SIG_DFL);
720 delivery_re_exec(CEE_EXEC_PANIC);
721 /* Control does not return here. */
724 /* No need to re-exec; SIGALRM remains set to the default handler */
726 (void) deliver_message(message_id, FALSE, FALSE);
728 exim_underbar_exit(EXIT_SUCCESS);
733 release_cutthrough_connection(US"passed for delivery");
734 DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
738 cancel_cutthrough_connection(TRUE, US"delivery fork failed");
739 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
740 "failed: %s", strerror(errno));
747 /* Carrying on in the parent daemon process... Can't do much if the fork
748 failed. Otherwise, keep count of the number of accepting processes and
749 remember the pid for ticking off when the child completes. */
752 never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
755 for (int i = 0; i < smtp_accept_max; ++i)
756 if (smtp_slots[i].pid <= 0)
758 smtp_slots[i].pid = pid;
759 /* Connection closes come asyncronously, so we cannot stack this store */
760 if (smtp_accept_max_per_host)
761 smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
765 DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
766 smtp_accept_count, smtp_accept_count == 1 ? "" : "es");
769 /* Get here via goto in error cases */
773 /* Close the streams associated with the socket which will also close the
774 socket fds in this process. We can't do anything if fclose() fails, but
775 logging brings it to someone's attention. However, "connection reset by peer"
776 isn't really a problem, so skip that one. On Solaris, a dropped connection can
777 manifest itself as a broken pipe, so drop that one too. If the streams don't
778 exist, something went wrong while setting things up. Make sure the socket
779 descriptors are closed, in order to drop the connection. */
783 if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
784 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
788 else (void)close(accept_socket);
792 if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
793 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
797 else (void)close(dup_accept_socket);
799 /* Release any store used in this process, including the store used for holding
800 the incoming host address and an expanded active_hostname. */
803 interface_address = sender_host_name = sender_host_address = NULL;
804 store_reset(reset_point);
810 /*************************************************
811 * Check wildcard listen special cases *
812 *************************************************/
814 /* This function is used when binding and listening on lists of addresses and
815 ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
816 sockets may interact in different ways in different operating systems. It is
817 passed an error number, the list of listening addresses, and the current
818 address. Two checks are available: for a previous wildcard IPv6 address, or for
819 a following wildcard IPv4 address, in both cases on the same port.
821 In practice, pairs of wildcard addresses should be adjacent in the address list
822 because they are sorted that way below.
826 addresses the list of addresses
827 ipa the current IP address
828 back if TRUE, check for previous wildcard IPv6 address
829 if FALSE, check for a following wildcard IPv4 address
831 Returns: TRUE or FALSE
835 check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
838 ip_address_item *ipa2;
840 /* For the "back" case, if the failure was "address in use" for a wildcard IPv4
841 address, seek a previous IPv6 wildcard address on the same port. As it is
842 previous, it must have been successfully bound and be listening. Flag it as a
843 "6 including 4" listener. */
847 if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
848 for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
850 if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
852 ipa2->v6_include_v4 = TRUE;
858 /* For the "forward" case, if the current address is a wildcard IPv6 address,
859 we seek a following wildcard IPv4 address on the same port. */
863 if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
864 for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
865 if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
874 /*************************************************
875 * Handle terminating subprocesses *
876 *************************************************/
878 /* Handle the termination of child processes. Theoretically, this need be done
879 only when sigchld_seen is TRUE, but rumour has it that some systems lose
880 SIGCHLD signals at busy times, so to be on the safe side, this function is
881 called each time round. It shouldn't be too expensive.
888 handle_ending_processes(void)
893 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
897 debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
899 if (WIFEXITED(status))
900 debug_printf(" normal exit, %d\n", WEXITSTATUS(status));
901 else if (WIFSIGNALED(status))
902 debug_printf(" signal exit, signal %d%s\n", WTERMSIG(status),
903 WCOREDUMP(status) ? " (core dumped)" : "");
907 /* If it's a listening daemon for which we are keeping track of individual
908 subprocesses, deal with an accepting process that has terminated. */
913 for (i = 0; i < smtp_accept_max; i++)
914 if (smtp_slots[i].pid == pid)
916 if (smtp_slots[i].host_address)
917 store_free(smtp_slots[i].host_address);
918 smtp_slots[i] = empty_smtp_slot;
919 if (--smtp_accept_count < 0) smtp_accept_count = 0;
920 DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
921 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
924 if (i < smtp_accept_max) continue; /* Found an accepting process */
927 /* If it wasn't an accepting process, see if it was a queue-runner
928 process that we are tracking. */
930 if (queue_runner_slots)
931 for (unsigned i = 0; i < queue_runner_slot_count; i++)
933 runner_slot * r = queue_runner_slots + i;
936 r->pid = 0; /* free up the slot */
938 if (--queue_run_count < 0) queue_run_count = 0;
939 DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
940 queue_run_count, queue_run_count == 1 ? "" : "es");
942 for (qrunner ** p = &qrunners, * q = qrunners; q; p = &q->next, q = *p)
943 if (q->name == r->queue_name)
945 if (q->interval) /* a periodic queue run */
947 else /* a one-time run */
948 *p = q->next; /* drop this qrunner */
959 set_pid_file_path(void)
961 if (override_pid_file_path)
962 pid_file_path = override_pid_file_path;
965 pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
967 if (pid_file_path[0] != '/')
968 log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
972 enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
974 /* Do various pid file operations as safe as possible. Ideally we'd just
975 drop the privileges for creation of the pid file and not care at all about removal of
977 Returns: true on success, false + errno==EACCES otherwise
981 operate_on_pid_file(const enum pid_op operation, const pid_t pid)
983 char pid_line[sizeof(int) * 3 + 2];
984 const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
985 BOOL lines_match = FALSE;
986 uschar * path, * base, * dir;
988 const int dir_flags = O_RDONLY | O_NONBLOCK;
989 const int base_flags = O_NOFOLLOW | O_NONBLOCK;
990 const mode_t base_mode = 0644;
992 int cwd_fd = -1, dir_fd = -1, base_fd = -1;
993 BOOL success = FALSE;
997 if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
998 if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
1000 path = string_copy(pid_file_path);
1001 if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */
1002 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
1004 dir = base != path ? path : US"/";
1007 if (!dir || !*dir || *dir != '/') goto cleanup;
1008 if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup;
1010 cwd_fd = open(".", dir_flags);
1011 if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
1012 dir_fd = open(CS dir, dir_flags);
1013 if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
1015 /* emulate openat */
1016 if (fchdir(dir_fd) != 0) goto cleanup;
1017 base_fd = open(CS base, O_RDONLY | base_flags);
1018 if (fchdir(cwd_fd) != 0)
1019 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1023 char line[sizeof(pid_line)];
1026 if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
1027 if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
1028 if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
1030 len = read(base_fd, line, sizeof(line));
1031 if (len != (ssize_t)sb.st_size) goto cleanup;
1034 if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
1035 if (line[len-1] != '\n') goto cleanup;
1036 lines_match = len == pid_len && strcmp(line, pid_line) == 0;
1039 if (operation == PID_WRITE)
1046 /* emulate unlinkat */
1047 if (fchdir(dir_fd) != 0) goto cleanup;
1048 error = unlink(CS base);
1049 if (fchdir(cwd_fd) != 0)
1050 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1051 if (error) goto cleanup;
1052 (void)close(base_fd);
1055 /* emulate openat */
1056 if (fchdir(dir_fd) != 0) goto cleanup;
1057 base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
1058 if (fchdir(cwd_fd) != 0)
1059 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1060 if (base_fd < 0) goto cleanup;
1061 if (fchmod(base_fd, base_mode) != 0) goto cleanup;
1062 if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
1063 DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
1068 if (!lines_match) goto cleanup;
1069 if (operation == PID_DELETE)
1072 /* emulate unlinkat */
1073 if (fchdir(dir_fd) != 0) goto cleanup;
1074 error = unlink(CS base);
1075 if (fchdir(cwd_fd) != 0)
1076 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1077 if (error) goto cleanup;
1085 if (cwd_fd >= 0) (void)close(cwd_fd);
1086 if (dir_fd >= 0) (void)close(dir_fd);
1087 if (base_fd >= 0) (void)close(base_fd);
1092 /* Remove the daemon's pidfile. Note: runs with root privilege,
1093 as a direct child of the daemon. Does not return. */
1096 delete_pid_file(void)
1098 const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
1101 debug_printf("delete pid file %s %s: %s\n", pid_file_path,
1102 success ? "success" : "failure", strerror(errno));
1104 exim_exit(EXIT_SUCCESS);
1108 /* Called by the daemon; exec a child to get the pid file deleted
1109 since we may require privs for the containing directory */
1116 DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
1117 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
1118 tls_watch_invalidate();
1121 if (daemon_notifier_fd >= 0)
1123 close(daemon_notifier_fd);
1124 daemon_notifier_fd = -1;
1125 unlink_notifier_socket();
1128 if (f.running_in_test_harness || write_pid)
1130 if ((pid = exim_fork(US"daemon-del-pidfile")) == 0)
1132 if (override_pid_file_path)
1133 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3,
1134 "-oP", override_pid_file_path, "-oPX");
1136 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX");
1138 /* Control never returns here. */
1141 child_close(pid, 1);
1143 exim_exit(EXIT_SUCCESS);
1147 /*************************************************
1148 * Listener socket for local work prompts *
1149 *************************************************/
1152 daemon_client_sockname(struct sockaddr_un * sup, uschar ** sname)
1154 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1155 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1156 return offsetof(struct sockaddr_un, sun_path) + 1
1157 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "exim_%d", getpid());
1159 *sname = string_sprintf("%s/p_%d", spool_directory, getpid());
1160 return offsetof(struct sockaddr_un, sun_path)
1161 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s", CS *sname);
1166 daemon_notifier_sockname(struct sockaddr_un * sup)
1168 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1169 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1170 return offsetof(struct sockaddr_un, sun_path) + 1
1171 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "%s",
1172 CS expand_string(notifier_socket));
1174 notifier_socket_name = expand_string(notifier_socket);
1175 return offsetof(struct sockaddr_un, sun_path)
1176 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s",
1177 CS notifier_socket_name);
1183 daemon_notifier_socket(void)
1186 const uschar * where;
1187 struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
1190 if (!f.notifier_socket_en)
1192 DEBUG(D_any) debug_printf("-oY used so not creating notifier socket\n");
1195 if (override_local_interfaces && !override_pid_file_path)
1198 debug_printf("-oX used without -oP so not creating notifier socket\n");
1201 if (!notifier_socket || !*notifier_socket)
1203 DEBUG(D_any) debug_printf("no name for notifier socket\n");
1207 DEBUG(D_any) debug_printf("creating notifier socket\n");
1210 if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0)
1211 { where = US"socket"; goto bad; }
1213 if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
1214 { where = US"socket"; goto bad; }
1215 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
1218 len = daemon_notifier_sockname(&sa_un);
1220 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1221 DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1);
1222 #else /* filesystem-visible and persistent; will neeed removal */
1223 DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path);
1226 if (bind(fd, (const struct sockaddr *)&sa_un, (socklen_t)len) < 0)
1227 { where = US"bind"; goto bad; }
1229 #ifdef SO_PASSCRED /* Linux */
1230 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
1231 { where = US"SO_PASSCRED"; goto bad2; }
1232 #elif defined(LOCAL_CREDS) /* FreeBSD-ish */
1233 if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
1234 { where = US"LOCAL_CREDS"; goto bad2; }
1237 /* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */
1238 daemon_notifier_fd = fd;
1242 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1243 Uunlink(sa_un.sun_path);
1246 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s",
1247 __FUNCTION__, where, strerror(errno));
1253 /* Data for notifier-triggered queue runs */
1255 static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1];
1256 static const uschar * queuerun_msg_qname;
1259 /* The notifier socket has something to read. Pull the message from it, decode
1264 daemon_notification(void)
1266 uschar buf[256], cbuf[256];
1267 struct sockaddr_un sa_un;
1268 struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1};
1269 struct msghdr msg = { .msg_name = &sa_un,
1270 .msg_namelen = sizeof(sa_un),
1273 .msg_control = cbuf,
1274 .msg_controllen = sizeof(cbuf)
1278 buf[sizeof(buf)-1] = 0;
1279 if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return;
1280 if (sz >= sizeof(buf)) return;
1283 debug_printf("addrlen %d\n", msg.msg_namelen);
1286 if (msg.msg_namelen > 0)
1288 BOOL abstract = !*sa_un.sun_path;
1289 char * name = sa_un.sun_path + (abstract ? 1 : 0);
1290 int namelen = (int)msg.msg_namelen - abstract ? 1 : 0;
1292 debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__,
1293 abstract ? "@" : "",
1296 debug_printf("%s (from unknown addr)\n", __FUNCTION__);
1299 debug_printf("%s (from unknown addr)\n", __FUNCTION__);
1301 /* Refuse to handle the item unless the peer has good credentials */
1302 #ifdef SCM_CREDENTIALS
1303 # define EXIM_SCM_CR_TYPE SCM_CREDENTIALS
1304 #elif defined(LOCAL_CREDS) && defined(SCM_CREDS)
1305 # define EXIM_SCM_CR_TYPE SCM_CREDS
1307 /* The OS has no way to get the creds of the caller (for a unix/datagram socket.
1308 Punt; don't try to check. */
1311 #ifdef EXIM_SCM_CR_TYPE
1312 for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg);
1314 cp = CMSG_NXTHDR(&msg, cp))
1315 if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE)
1317 # ifdef SCM_CREDENTIALS /* Linux */
1318 struct ucred * cr = (struct ucred *) CMSG_DATA(cp);
1319 if (cr->uid && cr->uid != exim_uid)
1321 DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n",
1322 __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid);
1324 # elif defined(LOCAL_CREDS) /* BSD-ish */
1325 struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp);
1326 if (cr->sc_uid && cr->sc_uid != exim_uid)
1328 DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n",
1329 __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid);
1339 #ifndef DISABLE_QUEUE_RAMP
1340 case NOTIFY_MSG_QRUN:
1341 /* this should be a message_id */
1343 debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1);
1345 memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1);
1347 for (qrunner * q = qrunners; q; q = q->next)
1349 ? Ustrcmp(q->name, buf+1+MESSAGE_ID_LENGTH+1) == 0
1350 : !buf[1+MESSAGE_ID_LENGTH+1]
1352 { queuerun_msg_qname = q->name; break; }
1356 case NOTIFY_QUEUE_SIZE_REQ:
1359 int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
1362 debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf);
1364 if (sendto(daemon_notifier_fd, buf, len, 0,
1365 (const struct sockaddr *)&sa_un, msg.msg_namelen) < 0)
1366 log_write(0, LOG_MAIN|LOG_PANIC,
1367 "%s: sendto: %s\n", __FUNCTION__, strerror(errno));
1372 regex_at_daemon(buf);
1381 daemon_inetd_wtimeout(time_t last_connection_time)
1383 time_t resignal_interval = inetd_wait_timeout;
1385 if (last_connection_time == (time_t)0)
1388 debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
1392 time_t now = time(NULL);
1393 if (now == (time_t)-1)
1395 DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
1397 else if ((now - last_connection_time) >= inetd_wait_timeout)
1400 debug_printf("inetd wait timeout %d expired, ending daemon\n",
1401 inetd_wait_timeout);
1402 log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
1404 daemon_die(); /* Does not return */
1407 resignal_interval -= (now - last_connection_time);
1410 sigalrm_seen = FALSE;
1411 ALARM(resignal_interval);
1415 /* Re-sort the qrunners list, and return the shortest interval.
1416 That could be negatime.
1417 The next-tick times should have been updated by any runs initiated,
1418 though will not be when the global limit on runners was reached.
1420 Unlikely to have many queues, so insertion-sort.
1424 next_qrunner_interval(void)
1426 qrunner * sorted = NULL;
1427 for (qrunner * q = qrunners, * next; q; q = next)
1433 qrunner ** p = &sorted;
1434 for (qrunner * qq; qq = *p; p = &qq->next)
1435 if ( q->next_tick < qq->next_tick
1436 || q->next_tick == qq->next_tick && q->interval < qq->interval
1450 return qrunners ? qrunners->next_tick - time(NULL) : 0;
1453 /* See if we can do a queue run. If policy limit permit, kick one off.
1454 If both notification and timer events are present, handle the former
1455 and leave the timer outstanding.
1457 Return the number of seconds until the next due runner.
1461 daemon_qrun(int local_queue_run_max, struct pollfd * fd_polls, int listen_socket_count)
1463 DEBUG(D_any) debug_printf("%s received\n",
1464 #ifndef DISABLE_QUEUE_RAMP
1465 *queuerun_msgid ? "qrun notification" :
1469 /* Do a full queue run in a child process, if required, unless we already have
1470 enough queue runners on the go. If we are not running as root, a re-exec is
1471 required. In the calling process, restart the alamr timer for the next run. */
1473 if (is_multiple_qrun()) /* we are managing periodic runs */
1474 if (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max)
1478 #ifndef DISABLE_QUEUE_RAMP
1479 /* If this is a triggered run for a specific message, see if we can start
1480 another runner for this queue. */
1482 if (*queuerun_msgid)
1484 for (qrunner * qq = qrunners; qq; qq = qq->next)
1485 if (qq->name == queuerun_msg_qname)
1487 q = qq->run_count < qq->run_max ? qq : NULL;
1493 /* Normal periodic runL in order of run priority, find the first queue
1494 for which we can start a runner */
1496 for (q = qrunners; q; q = q->next)
1497 if (q->run_count < q->run_max) break;
1499 if (q) /* found a queue to run */
1503 /* Bump this queue's next-tick by it's interval */
1507 time_t now = time(NULL);
1508 do ; while ((q->next_tick += q->interval) <= now);
1511 if ((pid = exim_fork(US"queue-runner")) == 0)
1513 /* Disable debugging if it's required only for the daemon process. We
1514 leave the above message, because it ties up with the "child ended"
1515 debugging messages. */
1517 if (f.debug_daemon) debug_selector = 0;
1519 /* Close any open listening sockets in the child */
1521 close_daemon_sockets(daemon_notifier_fd,
1522 fd_polls, listen_socket_count);
1524 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
1526 signal(SIGHUP, SIG_DFL);
1527 signal(SIGCHLD, SIG_DFL);
1528 signal(SIGTERM, SIG_DFL);
1529 signal(SIGINT, SIG_DFL);
1531 /* Re-exec if privilege has been given up, unless deliver_drop_
1532 privilege is set. Reset SIGALRM before exec(). */
1534 if (geteuid() != root_uid && !deliver_drop_privilege)
1541 signal(SIGALRM, SIG_DFL);
1546 if ( q->queue_2stage
1547 #ifndef DISABLE_QUEUE_RAMP
1551 if (q->queue_run_first_delivery) *p++ = 'i';
1552 if (q->queue_run_force) *p++ = 'f';
1553 if (q->deliver_force_thaw) *p++ = 'f';
1554 if (q->queue_run_local) *p++ = 'l';
1558 ? string_sprintf("%sG%s", opt, q->name) : opt;
1560 #ifndef DISABLE_QUEUE_RAMP
1561 if (*queuerun_msgid)
1563 log_write(0, LOG_MAIN, "notify triggered queue run");
1564 extra[extracount++] = queuerun_msgid; /* Trigger only the */
1565 extra[extracount++] = queuerun_msgid; /* one message */
1569 /* If -R or -S were on the original command line, ensure they get
1572 if (deliver_selectstring)
1574 extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
1575 extra[extracount++] = deliver_selectstring;
1578 if (deliver_selectstring_sender)
1580 extra[extracount++] = f.deliver_selectstring_sender_regex
1582 extra[extracount++] = deliver_selectstring_sender;
1585 /* Overlay this process with a new execution. */
1587 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount,
1588 extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]);
1590 /* Control never returns here. */
1593 /* No need to re-exec; SIGALRM remains set to the default handler */
1595 #ifndef DISABLE_QUEUE_RAMP
1596 if (*queuerun_msgid)
1598 log_write(0, LOG_MAIN, "notify triggered queue run");
1599 f.queue_2stage = FALSE;
1600 queue_run(q, queuerun_msgid, queuerun_msgid, FALSE);
1604 queue_run(q, NULL, NULL, FALSE);
1605 exim_underbar_exit(EXIT_SUCCESS);
1610 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
1611 "process failed: %s", strerror(errno));
1616 for (int i = 0; i < local_queue_run_max; ++i)
1617 if (queue_runner_slots[i].pid <= 0)
1619 queue_runner_slots[i].pid = pid;
1620 queue_runner_slots[i].queue_name = q->name;
1625 DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
1626 queue_run_count, queue_run_count == 1 ? "" : "es");
1631 /* The queue run has been initiated (unless we were already running enough) */
1633 #ifndef DISABLE_QUEUE_RAMP
1634 if (*queuerun_msgid) /* it was a fast-ramp kick; dealt with */
1635 *queuerun_msgid = 0;
1636 else /* periodic or one-time queue run */
1638 /* Set up next timer callback. Impose a minimum 1s tick,
1639 even when a run was outstanding */
1641 int interval = next_qrunner_interval();
1642 if (interval <= 0) interval = 1;
1644 sigalrm_seen = FALSE;
1645 if (qrunners) /* there are still periodic qrunners */
1647 ALARM(interval); /* set up next qrun tick */
1658 describe_queue_runners(void)
1662 if (!is_multiple_qrun()) return US"no queue runs";
1664 for (qrunner * q = qrunners; q; q = q->next)
1666 g = string_catn(g, US"-q", 2);
1667 if (q->name) g = string_append(g, 3, US"G", q->name, US"/");
1668 g = string_cat(g, readconf_printtime(q->interval));
1669 g = string_catn(g, US" ", 1);
1672 gstring_release_unused(g);
1673 return string_from_gstring(g);
1677 /*************************************************
1678 * Exim Daemon Mainline *
1679 *************************************************/
1681 /* The daemon can do two jobs, either of which is optional:
1683 (1) Listens for incoming SMTP calls and spawns off a sub-process to handle
1684 each one. This is requested by the -bd option, with -oX specifying the SMTP
1685 port on which to listen (for testing).
1687 (2) Spawns a queue-running process every so often. This is controlled by the
1688 -q option with a an interval time. (If no time is given, a single queue run
1689 is done from the main function, and control doesn't get here.)
1691 Root privilege is required in order to attach to port 25. Some systems require
1692 it when calling socket() rather than bind(). To cope with all cases, we run as
1693 root for both socket() and bind(). Some systems also require root in order to
1694 write to the pid file directory. This function must therefore be called as root
1695 if it is to work properly in all circumstances. Once the socket is bound and
1696 the pid file written, root privilege is given up if there is an exim uid.
1698 There are no arguments to this function, and it never returns. */
1704 struct pollfd * fd_polls, * tls_watch_poll = NULL, * dnotify_poll = NULL;
1705 int listen_socket_count = 0, poll_fd_count;
1706 ip_address_item * addresses = NULL;
1707 time_t last_connection_time = (time_t)0;
1708 int local_queue_run_max = 0;
1710 if (is_multiple_qrun())
1712 /* Nuber of runner-tracking structs needed: If the option queue_run_max has
1713 no expandable elements then it is the overall maximum; else we assume it
1714 depends on the queue name, and add them up to get the maximum.
1715 Evaluate both that and the individual limits. */
1717 if (Ustrchr(queue_run_max, '$') != NULL)
1719 for (qrunner * q = qrunners; q; q = q->next)
1721 queue_name = q->name;
1722 local_queue_run_max +=
1723 (q->run_max = atoi(CS expand_string(queue_run_max)));
1729 local_queue_run_max = atoi(CS expand_string(queue_run_max));
1730 for (qrunner * q = qrunners; q; q = q->next)
1731 q->run_max = local_queue_run_max;
1734 process_purpose = US"daemon";
1736 /* If any debugging options are set, turn on the D_pid bit so that all
1737 debugging lines get the pid added. */
1739 DEBUG(D_any|D_v) debug_selector |= D_pid;
1741 /* Allocate enough pollstructs for inetd mode plus the ancillary sockets;
1742 also used when there are no listen sockets. */
1744 fd_polls = store_get(sizeof(struct pollfd) * 3, GET_UNTAINTED);
1746 if (f.inetd_wait_mode)
1748 listen_socket_count = 1;
1750 if (dup2(0, 3) == -1)
1751 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1752 "failed to dup inetd socket safely away: %s", strerror(errno));
1755 fd_polls[0].events = POLLIN;
1761 if (debug_file == stderr)
1763 /* need a call to log_write before call to open debug_file, so that
1764 log.c:file_path has been initialised. This is unfortunate. */
1765 log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
1769 exim_nullstd(); /* re-open fd2 after we just closed it again */
1770 debug_logging_activate(US"-wait", NULL);
1773 DEBUG(D_any) debug_printf("running in inetd wait mode\n");
1775 /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
1776 our own buffering; we assume though that inetd set the socket REUSEADDR. */
1779 if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
1780 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
1785 if (f.inetd_wait_mode || f.daemon_listen)
1787 /* If any option requiring a load average to be available during the
1788 reception of a message is set, call os_getloadavg() while we are root
1789 for those OS for which this is necessary the first time it is called (in
1790 order to perform an "open" on the kernel memory file). */
1792 #ifdef LOAD_AVG_NEEDS_ROOT
1793 if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
1794 (deliver_queue_load_max >= 0 && deliver_drop_privilege))
1795 (void)os_getloadavg();
1800 /* Do the preparation for setting up a listener on one or more interfaces, and
1801 possible on various ports. This is controlled by the combination of
1802 local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
1803 (which is a list of default ports to use for those items in local_interfaces
1804 that do not specify a port). The -oX command line option can be used to
1805 override one or both of these options.
1807 If local_interfaces is not set, the default is to listen on all interfaces.
1808 When it is set, it can include "all IPvx interfaces" as an item. This is useful
1809 when different ports are in use.
1811 It turns out that listening on all interfaces is messy in an IPv6 world,
1812 because several different implementation approaches have been taken. This code
1813 is now supposed to work with all of them. The point of difference is whether an
1814 IPv6 socket that is listening on all interfaces will receive incoming IPv4
1815 calls or not. We also have to cope with the case when IPv6 libraries exist, but
1816 there is no IPv6 support in the kernel.
1818 . On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
1819 addresses. However, if an IPv4 socket is also listening on all interfaces,
1820 calls are directed to the appropriate socket.
1822 . On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
1823 give them as mapped addresses, but an attempt also to listen on an IPv4
1824 socket on all interfaces causes an error.
1826 . On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
1827 two sockets if you want to accept both kinds of call.
1829 . FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
1830 can be turned off, to make it behave like the versions of Linux described
1833 . I heard a report that the USAGI IPv6 stack for Linux has implemented
1836 So, what we do when IPv6 is supported is as follows:
1838 (1) After it is set up, the list of interfaces is scanned for wildcard
1839 addresses. If an IPv6 and an IPv4 wildcard are both found for the same
1840 port, the list is re-arranged so that they are together, with the IPv6
1843 (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
1844 carry on if an IPv4 wildcard socket for the same port follows later in the
1845 list. This allows Exim to carry on in the case when the kernel has no IPv6
1848 (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
1849 option is defined. However, if setting fails, carry on regardless (but log
1852 (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
1855 (5) If binding or listening on an IPv4 wildcard socket fails with the error
1856 EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
1857 port (which must have succeeded or we wouldn't have got this far), we
1858 assume we are in the situation where just a single socket is permitted,
1859 and ignore the error.
1863 The preparation code decodes options and sets up the relevant data. We do this
1864 first, so that we can return non-zero if there are any syntax errors, and also
1867 if (f.daemon_listen && !f.inetd_wait_mode)
1869 int *default_smtp_port;
1873 const uschar * list;
1874 uschar *local_iface_source = US"local_interfaces";
1875 ip_address_item *ipa;
1876 ip_address_item **pipa;
1878 /* If -oX was used, disable the writing of a pid file unless -oP was
1879 explicitly used to force it. Then scan the string given to -oX. Any items
1880 that contain neither a dot nor a colon are used to override daemon_smtp_port.
1881 Any other items are used to override local_interfaces. */
1883 if (override_local_interfaces)
1885 gstring * new_smtp_port = NULL;
1886 gstring * new_local_interfaces = NULL;
1888 if (!override_pid_file_path) write_pid = FALSE;
1890 list = override_local_interfaces;
1892 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1895 gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port;
1901 *gp = string_catn(*gp, US"<", 1);
1904 *gp = string_catn(*gp, joinstr, 2);
1905 *gp = string_cat (*gp, s);
1910 daemon_smtp_port = string_from_gstring(new_smtp_port);
1911 DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n %s\n",
1915 if (new_local_interfaces)
1917 local_interfaces = string_from_gstring(new_local_interfaces);
1918 local_iface_source = US"-oX data";
1919 DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n %s\n",
1924 /* Create a list of default SMTP ports, to be used if local_interfaces
1925 contains entries without explicit ports. First count the number of ports, then
1926 build a translated list in a vector. */
1928 list = daemon_smtp_port;
1930 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1932 default_smtp_port = store_get((pct+1) * sizeof(int), GET_UNTAINTED);
1933 list = daemon_smtp_port;
1936 (s = string_nextinlist(&list, &sep, NULL, 0));
1942 default_smtp_port[pct] = Ustrtol(s, &end, 0);
1943 if (end != s + Ustrlen(s))
1944 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
1948 struct servent *smtp_service = getservbyname(CS s, "tcp");
1950 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1951 default_smtp_port[pct] = ntohs(smtp_service->s_port);
1954 default_smtp_port[pct] = 0;
1956 /* Check the list of TLS-on-connect ports and do name lookups if needed */
1958 list = tls_in.on_connect_ports;
1960 /* the list isn't expanded so cannot be tainted. If it ever is we will trap here */
1961 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1966 list = tls_in.on_connect_ports;
1967 tls_in.on_connect_ports = NULL;
1969 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1973 struct servent * smtp_service = getservbyname(CS s, "tcp");
1975 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1976 s = string_sprintf("%d", (int)ntohs(smtp_service->s_port));
1978 g = string_append_listele(g, ':', s);
1981 tls_in.on_connect_ports = g->s;
1985 /* Create the list of local interfaces, possibly with ports included. This
1986 list may contain references to 0.0.0.0 and ::0 as wildcards. These special
1987 values are converted below. */
1989 addresses = host_build_ifacelist(local_interfaces, local_iface_source);
1991 /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
1992 into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
1993 fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
1994 anyway, but we need to know which are the wildcard addresses, and the shorter
1997 In the same scan, fill in missing port numbers from the default list. When
1998 there is more than one item in the list, extra items are created. */
2000 for (ipa = addresses; ipa; ipa = ipa->next)
2002 if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
2003 ipa->address[0] = 0;
2004 else if (Ustrcmp(ipa->address, "::0") == 0)
2006 ipa->address[0] = ':';
2007 ipa->address[1] = 0;
2010 if (ipa->port > 0) continue;
2012 if (daemon_smtp_port[0] <= 0)
2013 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
2014 "%s and daemon_smtp_port is unset; cannot start daemon",
2015 ipa->address[0] == 0 ? US"\"all IPv4\"" :
2016 ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
2018 ipa->port = default_smtp_port[0];
2019 for (int i = 1; default_smtp_port[i] > 0; i++)
2021 ip_address_item * new = store_get(sizeof(ip_address_item), GET_UNTAINTED);
2023 memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
2024 new->port = default_smtp_port[i];
2025 new->next = ipa->next;
2031 /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
2032 wildcard for the same port, ensure that (a) they are together and (b) the
2033 IPv6 address comes first. This makes handling the messy features easier, and
2034 also simplifies the construction of the "daemon started" log line. */
2037 for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
2039 ip_address_item *ipa2;
2041 /* Handle an IPv4 wildcard */
2043 if (ipa->address[0] == 0)
2044 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
2046 ip_address_item *ipa3 = ipa2->next;
2047 if (ipa3->address[0] == ':' &&
2048 ipa3->address[1] == 0 &&
2049 ipa3->port == ipa->port)
2051 ipa2->next = ipa3->next;
2058 /* Handle an IPv6 wildcard. */
2060 else if (ipa->address[0] == ':' && ipa->address[1] == 0)
2061 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
2063 ip_address_item *ipa3 = ipa2->next;
2064 if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
2066 ipa2->next = ipa3->next;
2067 ipa3->next = ipa->next;
2075 /* Get a vector to remember all the sockets in.
2076 Two extra elements for the ancillary sockets */
2078 for (ipa = addresses; ipa; ipa = ipa->next)
2079 listen_socket_count++;
2080 fd_polls = store_get(sizeof(struct pollfd) * (listen_socket_count + 2),
2082 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count + 2;
2084 { p->fd = -1; p->events = POLLIN; }
2086 } /* daemon_listen but not inetd_wait_mode */
2088 if (f.daemon_listen)
2091 /* Do a sanity check on the max connects value just to save us from getting
2092 a huge amount of store. */
2094 if (smtp_accept_max > 4095) smtp_accept_max = 4096;
2096 /* There's no point setting smtp_accept_queue unless it is less than the max
2097 connects limit. The configuration reader ensures that the max is set if the
2098 queue-only option is set. */
2100 if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
2102 /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
2103 track of them for total number and queue/host limits. */
2105 if (smtp_accept_max > 0)
2107 smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot), GET_UNTAINTED);
2108 for (int i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
2112 /* The variable background_daemon is always false when debugging, but
2113 can also be forced false in order to keep a non-debugging daemon in the
2114 foreground. If background_daemon is true, close all open file descriptors that
2115 we know about, but then re-open stdin, stdout, and stderr to /dev/null. Also
2116 do this for inetd_wait mode.
2118 This is protection against any called functions (in libraries, or in
2119 Perl, or whatever) that think they can write to stderr (or stdout). Before this
2120 was added, it was quite likely that an SMTP connection would use one of these
2121 file descriptors, in which case writing random stuff to it caused chaos.
2123 Then disconnect from the controlling terminal, Most modern Unixes seem to have
2124 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
2125 setsid() can be #defined as a no-op, or as something else. */
2127 if (f.background_daemon || f.inetd_wait_mode)
2129 log_close_all(); /* Just in case anything was logged earlier */
2130 search_tidyup(); /* Just in case any were used in reading the config. */
2131 (void)close(0); /* Get rid of stdin/stdout/stderr */
2134 exim_nullstd(); /* Connect stdin/stdout/stderr to /dev/null */
2135 log_stderr = NULL; /* So no attempt to copy paniclog output */
2138 if (f.background_daemon)
2140 /* If the parent process of this one has pid == 1, we are re-initializing the
2141 daemon as the result of a SIGHUP. In this case, there is no need to do
2142 anything, because the controlling terminal has long gone. Otherwise, fork, in
2143 case current process is a process group leader (see 'man setsid' for an
2144 explanation) before calling setsid().
2145 All other forks want daemon_listen cleared. Rather than blow a register, jsut
2150 BOOL daemon_listen = f.daemon_listen;
2151 pid_t pid = exim_fork(US"daemon");
2152 if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2153 "fork() failed when starting daemon: %s", strerror(errno));
2154 if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */
2155 (void)setsid(); /* release controlling terminal */
2156 f.daemon_listen = daemon_listen;
2160 /* We are now in the disconnected, daemon process (unless debugging). Set up
2161 the listening sockets if required. */
2163 daemon_notifier_socket();
2165 if (f.daemon_listen && !f.inetd_wait_mode)
2168 ip_address_item *ipa;
2170 /* For each IP address, create a socket, bind it to the appropriate port, and
2171 start listening. See comments above about IPv6 sockets that may or may not
2172 accept IPv4 calls when listening on all interfaces. We also have to cope with
2173 the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
2174 listening, provided a wildcard IPv4 socket for the same port follows. */
2176 for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
2179 ip_address_item * ipa2;
2182 if (Ustrchr(ipa->address, ':') != NULL)
2185 wildcard = ipa->address[1] == 0;
2190 wildcard = ipa->address[0] == 0;
2193 if ((fd_polls[sk].fd = fd = ip_socket(SOCK_STREAM, af)) < 0)
2195 if (check_special_case(0, addresses, ipa, FALSE))
2197 log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
2198 "listening (%s): will use IPv4", strerror(errno));
2201 log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
2202 af == AF_INET6 ? '6' : '4', strerror(errno));
2205 /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
2206 available. Just log failure (can get protocol not available, just like
2207 socket creation can). */
2210 if (af == AF_INET6 && wildcard &&
2211 setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
2212 log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
2213 "socket failed (%s): carrying on without it", strerror(errno));
2214 #endif /* IPV6_V6ONLY */
2216 /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
2217 is being handled. Without this, a connection will prevent reuse of the
2218 smtp port for listening. */
2220 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
2221 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
2222 "failed when starting daemon: %s", strerror(errno));
2224 /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
2225 disable this because it breaks some broken clients. */
2227 if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
2229 /* Now bind the socket to the required port; if Exim is being restarted
2230 it may not always be possible to bind immediately, even with SO_REUSEADDR
2231 set, so try 10 times, waiting between each try. After 10 failures, we give
2232 up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
2233 we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
2234 address for the same port, ignore the error on the grounds that we must be
2235 in a system where the IPv6 socket accepts both kinds of call. This is
2236 necessary for (some release of) USAGI Linux; other IP stacks fail at the
2237 listen() stage instead. */
2240 f.tcp_fastopen_ok = TRUE;
2245 if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break;
2246 if (check_special_case(errno, addresses, ipa, TRUE))
2248 DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
2249 "listen() success; EADDRINUSE ignored\n");
2253 msg = US strerror(errno);
2259 if (daemon_startup_retries <= 0)
2260 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2261 "socket bind() to port %d for address %s failed: %s: "
2262 "daemon abandoned", ipa->port, addr, msg);
2263 log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
2264 "failed: %s: waiting %s before trying again (%d more %s)",
2265 ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
2266 daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
2267 daemon_startup_retries--;
2268 sleep(daemon_startup_sleep);
2273 debug_printf("listening on all interfaces (IPv%c) port %d\n",
2274 af == AF_INET6 ? '6' : '4', ipa->port);
2276 debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
2278 /* Start listening on the bound socket, establishing the maximum backlog of
2279 connections that is allowed. On success, add to the set of sockets for select
2280 and continue to the next address. */
2282 #if defined(TCP_FASTOPEN) && !defined(__APPLE__)
2283 if ( f.tcp_fastopen_ok
2284 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN,
2285 &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
2287 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
2288 f.tcp_fastopen_ok = FALSE;
2291 if (listen(fd, smtp_connect_backlog) >= 0)
2293 #if defined(TCP_FASTOPEN) && defined(__APPLE__)
2294 if ( f.tcp_fastopen_ok
2295 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)))
2297 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
2298 f.tcp_fastopen_ok = FALSE;
2301 fd_polls[sk].fd = fd;
2305 /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
2306 fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
2307 and there was a previous successful IPv6 wildcard listen on the same port,
2308 we want to ignore the error on the grounds that we must be in a system
2309 where the IPv6 socket accepts both kinds of call. */
2311 if (!check_special_case(errno, addresses, ipa, TRUE))
2312 log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
2314 ? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
2317 DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
2318 "listen() success; EADDRINUSE ignored\n");
2321 /* Come here if there has been a problem with the socket which we
2322 are going to ignore. We remove the address from the chain, and back up the
2326 sk--; /* Back up the count */
2327 listen_socket_count--; /* Reduce the total */
2328 if (ipa == addresses) addresses = ipa->next; else
2330 for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
2331 ipa2->next = ipa->next;
2334 } /* End of bind/listen loop for each address */
2335 } /* End of setup for listening */
2338 /* If we are not listening, we want to write a pid file only if -oP was
2339 explicitly given. */
2341 else if (!override_pid_file_path)
2344 /* Write the pid to a known file for assistance in identification, if required.
2345 We do this before giving up root privilege, because on some systems it is
2346 necessary to be root in order to write into the pid file directory. There's
2347 nothing to stop multiple daemons running, as long as no more than one listens
2348 on a given TCP/IP port on the same interface(s). However, in these
2349 circumstances it gets far too complicated to mess with pid file names
2350 automatically. Consequently, Exim 4 writes a pid file only
2352 (a) When running in the test harness, or
2353 (b) When -bd is used and -oX is not used, or
2354 (c) When -oP is used to supply a path.
2356 The variable daemon_write_pid is used to control this. */
2358 if (f.running_in_test_harness || write_pid)
2360 const enum pid_op operation = (f.running_in_test_harness
2361 || real_uid == root_uid
2362 || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
2363 if (!operate_on_pid_file(operation, getpid()))
2364 DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
2367 /* Set up the handler for SIGHUP, which causes a restart of the daemon. */
2369 sighup_seen = FALSE;
2370 signal(SIGHUP, sighup_handler);
2372 /* Give up root privilege at this point (assuming that exim_uid and exim_gid
2373 are not root). The third argument controls the running of initgroups().
2374 Normally we do this, in order to set up the groups for the Exim user. However,
2375 if we are not root at this time - some odd installations run that way - we
2378 exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
2380 /* Update the originator_xxx fields so that received messages as listed as
2381 coming from Exim, not whoever started the daemon. */
2383 originator_uid = exim_uid;
2384 originator_gid = exim_gid;
2385 originator_login = (pw = getpwuid(exim_uid))
2386 ? string_copy_perm(US pw->pw_name, FALSE) : US"exim";
2388 /* Get somewhere to keep the list of queue-runner pids if we are keeping track
2389 of them (and also if we are doing queue runs). */
2391 if (is_multiple_qrun() && local_queue_run_max > 0)
2393 queue_runner_slot_count = local_queue_run_max;
2394 queue_runner_slots = store_get(local_queue_run_max * sizeof(runner_slot), GET_UNTAINTED);
2395 memset(queue_runner_slots, 0, local_queue_run_max * sizeof(runner_slot));
2398 /* Set up the handler for termination of child processes, and the one
2399 telling us to die. */
2401 sigchld_seen = FALSE;
2402 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2404 sigterm_seen = FALSE;
2405 os_non_restarting_signal(SIGTERM, main_sigterm_handler);
2406 os_non_restarting_signal(SIGINT, main_sigterm_handler);
2408 /* If we are to run the queue periodically, pretend the alarm has just gone
2409 off. This will cause the first queue-runner to get kicked off straight away.
2410 Get an initial sort of the list of queues, to prioritize the initial q-runs */
2413 if ((sigalrm_seen = is_multiple_qrun()))
2414 (void) next_qrunner_interval();
2416 /* Log the start up of a daemon - at least one of listening or queue running
2419 if (f.inetd_wait_mode)
2421 uschar *p = big_buffer;
2423 if (inetd_wait_timeout >= 0)
2424 sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
2426 sprintf(CS p, "with no wait timeout");
2428 log_write(0, LOG_MAIN,
2429 "exim %s daemon started: pid=%d, launched with listening socket, %s",
2430 version_string, getpid(), big_buffer);
2431 set_process_info("daemon(%s): pre-listening socket", version_string);
2433 /* set up the timeout logic */
2434 sigalrm_seen = TRUE;
2437 else if (f.daemon_listen)
2440 int smtps_ports = 0;
2441 ip_address_item * ipa;
2443 const uschar * qinfo = describe_queue_runners();
2445 /* Build a list of listening addresses in big_buffer, but limit it to 10
2446 items. The style is for backwards compatibility.
2448 It is possible to have some ports listening for SMTPS (as opposed to TLS
2449 startted by STARTTLS), and others listening for standard SMTP. Keep their
2450 listings separate. */
2452 for (int j = 0, i; j < 2; j++)
2453 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2455 /* First time round, look for SMTP ports; second time round, look for
2456 SMTPS ports. Build IP+port strings. */
2458 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2465 /* Now the information about the port (and sometimes interface) */
2467 if (ipa->address[0] == ':' && ipa->address[1] == 0)
2469 if (ipa->next && ipa->next->address[0] == 0 &&
2470 ipa->next->port == ipa->port)
2472 ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
2473 (ipa = ipa->next)->log = NULL;
2475 else if (ipa->v6_include_v4)
2476 ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
2478 ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
2480 else if (ipa->address[0] == 0) /* v4 wildcard */
2481 ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
2482 else /* check for previously-seen IP */
2484 ip_address_item * i2;
2485 for (i2 = addresses; i2 != ipa; i2 = i2->next)
2486 if ( host_is_tls_on_connect_port(i2->port) == (j > 0)
2487 && Ustrcmp(ipa->address, i2->address) == 0
2489 { /* found; append port to list */
2490 for (p = i2->log; *p; ) p++; /* end of existing string { */
2491 if (*--p == '}') *p = '\0'; /* drop EOL */
2492 while (isdigit(*--p)) ; /* char before port */
2494 i2->log = *p == ':' /* no list yet? { */
2495 ? string_sprintf("%.*s{%s,%d}",
2496 (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
2497 : string_sprintf("%s,%d}", i2->log, ipa->port);
2501 if (i2 == ipa) /* first-time IP */
2502 ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
2508 for (int j = 0, i; j < 2; j++)
2510 /* First time round, look for SMTP ports; second time round, look for
2511 SMTPS ports. For the first one of each, insert leading text. */
2516 p += sprintf(CS p, "SMTP on");
2519 if (smtps_ports > 0)
2520 p += sprintf(CS p, "%sSMTPS on",
2521 smtp_ports == 0 ? "" : " and for ");
2523 /* Now the information about the port (and sometimes interface) */
2525 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2526 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2528 p += sprintf(CS p, "%s", ipa->log);
2531 p += sprintf(CS p, " ...");
2534 log_write(0, LOG_MAIN,
2535 "exim %s daemon started: pid=%d, %s, listening for %s",
2536 version_string, getpid(), qinfo, big_buffer);
2537 set_process_info("daemon(%s): %s, listening for %s",
2538 version_string, qinfo, big_buffer);
2541 else /* no listening sockets, only queue-runs */
2543 const uschar * s = describe_queue_runners();
2544 log_write(0, LOG_MAIN,
2545 "exim %s daemon started: pid=%d, %s, not listening for SMTP",
2546 version_string, getpid(), s);
2547 set_process_info("daemon(%s): %s, not listening", version_string, s);
2550 /* Do any work it might be useful to amortize over our children
2551 (eg: compile regex) */
2554 smtp_deliver_init(); /* Used for callouts */
2556 #ifndef DISABLE_DKIM
2558 # ifdef MEASURE_TIMING
2560 gettimeofday(&t0, NULL);
2563 # ifdef MEASURE_TIMING
2564 report_time_since(&t0, US"dkim_exim_init (delta)");
2569 #ifdef WITH_CONTENT_SCAN
2579 /* Add ancillary sockets to the set for select */
2581 poll_fd_count = listen_socket_count;
2583 if (tls_watch_fd >= 0)
2585 tls_watch_poll = &fd_polls[poll_fd_count++];
2586 tls_watch_poll->fd = tls_watch_fd;
2587 tls_watch_poll->events = POLLIN;
2590 if (daemon_notifier_fd >= 0)
2592 dnotify_poll = &fd_polls[poll_fd_count++];
2593 dnotify_poll->fd = daemon_notifier_fd;
2594 dnotify_poll->events = POLLIN;
2597 /* Close the log so it can be renamed and moved. In the few cases below where
2598 this long-running process writes to the log (always exceptional conditions), it
2599 closes the log afterwards, for the same reason. */
2603 DEBUG(D_any) debug_print_ids(US"daemon running with");
2605 /* Any messages accepted via this route are going to be SMTP. */
2609 #ifdef MEASURE_TIMING
2610 report_time_since(×tamp_startup, US"daemon loop start"); /* testcase 0022 */
2613 /* Enter the never-ending loop... */
2617 int nolisten_sleep = 60;
2620 daemon_die(); /* Does not return */
2622 /* This code is placed first in the loop, so that it gets obeyed at the
2623 start, before the first wait, for the queue-runner case, so that the first
2624 one can be started immediately.
2626 The other option is that we have an inetd wait timeout specified to -bw. */
2628 if (sigalrm_seen || *queuerun_msgid)
2629 if (inetd_wait_timeout > 0)
2630 daemon_inetd_wtimeout(last_connection_time); /* Might not return */
2633 daemon_qrun(local_queue_run_max, fd_polls, listen_socket_count);
2636 /* Sleep till a connection happens if listening, and handle the connection if
2637 that is why we woke up. The FreeBSD operating system requires the use of
2638 select() before accept() because the latter function is not interrupted by
2639 a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
2640 OS do notice signals in accept() but it does no harm to have the select()
2641 in for all of them - and it won't then be a lurking problem for ports to
2642 new OS. In fact, the later addition of listening on specific interfaces only
2643 requires this way of working anyway. */
2645 if (f.daemon_listen)
2648 BOOL select_failed = FALSE;
2650 DEBUG(D_any) debug_printf("Listening...\n");
2652 /* In rare cases we may have had a SIGCHLD signal in the time between
2653 setting the handler (below) and getting back here. If so, pretend that the
2654 select() was interrupted so that we reap the child. This might still leave
2655 a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
2656 only to do the reaping more quickly, it shouldn't result in anything other
2657 than a delay until something else causes a wake-up.
2658 For the normal case, wait for either a pollable fd (eg. new connection) or
2659 or a SIGALRM (for a periodic queue run) */
2667 lcount = poll(fd_polls, poll_fd_count, -1);
2671 select_failed = TRUE;
2675 /* Clean up any subprocesses that may have terminated. We need to do this
2676 here so that smtp_accept_max_per_host works when a connection to that host
2677 has completed, and we are about to accept a new one. When this code was
2678 later in the sequence, a new connection could be rejected, even though an
2679 old one had just finished. Preserve the errno from any select() failure for
2680 the use of the common select/accept error processing below. */
2683 int select_errno = errno;
2684 handle_ending_processes();
2689 /* Create or rotate any required keys; handle (delayed) filewatch event */
2691 if ((old_tfd = tls_daemon_tick()) >= 0)
2692 for (struct pollfd * p = &fd_polls[listen_socket_count];
2693 p < fd_polls + poll_fd_count; p++)
2694 if (p->fd == old_tfd) { p->fd = tls_watch_fd ; break; }
2697 errno = select_errno;
2700 /* Loop for all the sockets that are currently ready to go. If select
2701 actually failed, we have set the count to 1 and select_failed=TRUE, so as
2702 to use the common error code for select/accept below. */
2704 while (lcount-- > 0)
2706 int accept_socket = -1;
2708 struct sockaddr_in6 accepted;
2710 struct sockaddr_in accepted;
2715 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
2716 if (tls_watch_poll && tls_watch_poll->revents & POLLIN)
2718 tls_watch_poll->revents = 0;
2719 tls_watch_trigger_time = time(NULL); /* Set up delayed event */
2720 tls_watch_discard_event(tls_watch_fd);
2721 break; /* to top of daemon loop */
2724 /* Handle the daemon-notifier socket. If it was a fast-ramp
2725 notification then queuerun_msgid will have a nonzerolength string. */
2727 if (dnotify_poll && dnotify_poll->revents & POLLIN)
2729 dnotify_poll->revents = 0;
2730 daemon_notification();
2731 break; /* to top of daemon loop */
2733 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count;
2735 if (p->revents & POLLIN)
2737 EXIM_SOCKLEN_T alen = sizeof(accepted);
2738 #if defined(__FreeBSD__) && defined(SO_LISTENQLEN)
2740 socklen_t blen = sizeof(backlog);
2742 if ( smtp_backlog_monitor > 0
2743 && getsockopt(p->fd, SOL_SOCKET, SO_LISTENQLEN, &backlog, &blen) == 0)
2746 debug_printf("listen fd %d queue curr %d\n", p->fd, backlog);
2747 smtp_listen_backlog = backlog;
2750 #elif defined(TCP_INFO) && defined(EXIM_HAVE_TCPI_UNACKED)
2752 socklen_t tlen = sizeof(ti);
2754 /* If monitoring the backlog is wanted, grab for later logging */
2756 smtp_listen_backlog = 0;
2757 if ( smtp_backlog_monitor > 0
2758 && getsockopt(p->fd, IPPROTO_TCP, TCP_INFO, &ti, &tlen) == 0)
2760 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2761 p->fd, ti.tcpi_sacked, ti.tcpi_unacked);
2762 smtp_listen_backlog = ti.tcpi_unacked;
2766 accept_socket = accept(p->fd, (struct sockaddr *)&accepted, &alen);
2771 /* If select or accept has failed and this was not caused by an
2772 interruption, log the incident and try again. With asymmetric TCP/IP
2773 routing errors such as "No route to network" have been seen here. Also
2774 "connection reset by peer" has been seen. These cannot be classed as
2775 disastrous errors, but they could fill up a lot of log. The code in smail
2776 crashes the daemon after 10 successive failures of accept, on the grounds
2777 that some OS fail continuously. Exim originally followed suit, but this
2778 appears to have caused problems. Now it just keeps going, but instead of
2779 logging each error, it batches them up when they are continuous. */
2781 if (accept_socket < 0 && errno != EINTR)
2783 if (accept_retry_count == 0)
2785 accept_retry_errno = errno;
2786 accept_retry_select_failed = select_failed;
2788 else if ( errno != accept_retry_errno
2789 || select_failed != accept_retry_select_failed
2790 || accept_retry_count >= 50)
2792 log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
2793 "%d %s() failure%s: %s",
2795 accept_retry_select_failed ? "select" : "accept",
2796 accept_retry_count == 1 ? "" : "s",
2797 strerror(accept_retry_errno));
2799 accept_retry_count = 0;
2800 accept_retry_errno = errno;
2801 accept_retry_select_failed = select_failed;
2803 accept_retry_count++;
2805 else if (accept_retry_count > 0)
2807 log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
2809 accept_retry_select_failed ? "select" : "accept",
2810 accept_retry_count == 1 ? "" : "s",
2811 strerror(accept_retry_errno));
2813 accept_retry_count = 0;
2816 /* If select/accept succeeded, deal with the connection. */
2818 if (accept_socket >= 0)
2820 #ifdef TCP_QUICKACK /* Avoid pure-ACKs while in tls protocol pingpong phase */
2821 /* Unfortunately we cannot be certain to do this before a TLS-on-connect
2822 Client Hello arrives and is acked. We do it as early as possible. */
2823 (void) setsockopt(accept_socket, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
2825 if (inetd_wait_timeout)
2826 last_connection_time = time(NULL);
2827 handle_smtp_call(fd_polls, listen_socket_count, accept_socket,
2828 (struct sockaddr *)&accepted);
2833 /* If not listening, then just sleep for the queue interval. If we woke
2834 up early the last time for some other signal, it won't matter because
2835 the alarm signal will wake at the right time. This code originally used
2836 sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
2837 rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
2838 select() can be used as an interruptible sleep() on all versions of Unix. */
2843 poll(&p, 0, nolisten_sleep * 1000);
2844 handle_ending_processes();
2847 /* Re-enable the SIGCHLD handler if it has been run. It can't do it
2848 for itself, because it isn't doing the waiting itself. */
2852 sigchld_seen = FALSE;
2853 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2856 /* Handle being woken by SIGHUP. We know at this point that the result
2857 of accept() has been dealt with, so we can re-exec exim safely, first
2858 closing the listening sockets so that they can be reused. Cancel any pending
2859 alarm in case it is just about to go off, and set SIGHUP to be ignored so
2860 that another HUP in quick succession doesn't clobber the new daemon before it
2861 gets going. All log files get closed by the close-on-exec flag; however, if
2862 the exec fails, we need to close the logs. */
2866 log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
2868 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
2869 unlink_notifier_socket();
2871 signal(SIGHUP, SIG_IGN);
2872 sighup_argv[0] = exim_path;
2874 execv(CS exim_path, (char *const *)sighup_argv);
2875 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
2876 getpid(), exim_path, strerror(errno));
2880 } /* End of main loop */
2882 /* Control never reaches here */
2887 /* End of exim_daemon.c */
git://git.exim.org / exim.git / blob