1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) University of Cambridge 1995 - 2018 */
6 /* Copyright (c) The Exim Maintainers 2020 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* Functions for writing log files. The code for maintaining datestamped
10 log files was originally contributed by Tony Sheen. */
15 #define LOG_NAME_SIZE 256
16 #define MAX_SYSLOG_LEN 870
18 #define LOG_MODE_FILE 1
19 #define LOG_MODE_SYSLOG 2
21 enum { lt_main, lt_reject, lt_panic, lt_debug };
23 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
27 /*************************************************
28 * Local static variables *
29 *************************************************/
31 static uschar mainlog_name[LOG_NAME_SIZE];
32 static uschar rejectlog_name[LOG_NAME_SIZE];
33 static uschar debuglog_name[LOG_NAME_SIZE];
35 static uschar *mainlog_datestamp = NULL;
36 static uschar *rejectlog_datestamp = NULL;
38 static int mainlogfd = -1;
39 static int rejectlogfd = -1;
40 static ino_t mainlog_inode = 0;
41 static ino_t rejectlog_inode = 0;
43 static uschar *panic_save_buffer = NULL;
44 static BOOL panic_recurseflag = FALSE;
46 static BOOL syslog_open = FALSE;
47 static BOOL path_inspected = FALSE;
48 static int logging_mode = LOG_MODE_FILE;
49 static uschar *file_path = US"";
51 static size_t pid_position[2];
54 /* These should be kept in-step with the private delivery error
55 number definitions in macros.h */
57 static const uschar * exim_errstrings[] = {
80 US"Exim-imposed quota",
82 US"Delivery filter process failure",
83 US"Delivery add/remove header failure",
84 US"Delivery write incomplete error",
85 US"Some expansion failed",
86 US"Failed to get gid",
87 US"Failed to get uid",
88 US"Unset or non-existent transport",
89 US"MBX length mismatch",
90 US"Lookup failed routing or in smtp tpt",
91 US"Can't match format in appendfile",
92 US"Creation outside home in appendfile",
93 US"Can't check a list; lookup defer",
95 US"Failed to start TLS session",
96 US"Mandatory TLS session not started",
97 US"Failed to chown a file",
98 US"Failed to create a pipe",
100 US"When required by client",
101 US"Used internally in smtp transport",
102 US"RCPT gave 4xx error",
103 US"MAIL gave 4xx error",
104 US"DATA gave 4xx error",
105 US"Negotiation failed for proxy configured host",
106 US"Authenticator 'other' failure",
107 US"target not supporting SMTPUTF8",
110 US"Not time for routing",
111 US"Not time for local delivery",
112 US"Not time for any remote host",
113 US"Local-only delivery",
114 US"Domain in queue_domains",
115 US"Transport concurrency limit",
116 US"Event requests alternate response",
120 /************************************************/
124 return err < 0 ? exim_errstrings[-err] : CUS strerror(err);
127 /*************************************************
129 *************************************************/
131 /* The given string is split into sections according to length, or at embedded
132 newlines, and syslogged as a numbered sequence if it is overlong or if there is
133 more than one line. However, if we are running in the test harness, do not do
134 anything. (The test harness doesn't use syslog - for obvious reasons - but we
135 can get here if there is a failure to open the panic log.)
138 priority syslog priority
139 s the string to be written
145 write_syslog(int priority, const uschar *s)
150 if (!syslog_pid && LOGGING(pid))
151 s = string_sprintf("%.*s%s", (int)pid_position[0], s, s + pid_position[1]);
152 if (!syslog_timestamp)
154 len = log_timezone ? 26 : 20;
155 if (LOGGING(millisec)) len += 4;
162 if (!syslog_open && !f.running_in_test_harness)
164 # ifdef SYSLOG_LOG_PID
165 openlog(CS syslog_processname, LOG_PID|LOG_CONS, syslog_facility);
167 openlog(CS syslog_processname, LOG_CONS, syslog_facility);
173 /* First do a scan through the message in order to determine how many lines
174 it is going to end up as. Then rescan to output it. */
176 for (int pass = 0; pass < 2; pass++)
178 const uschar * ss = s;
179 for (int i = 1, tlen = len; tlen > 0; i++)
182 uschar *nlptr = Ustrchr(ss, '\n');
183 if (nlptr != NULL) plen = nlptr - ss;
184 #ifndef SYSLOG_LONG_LINES
185 if (plen > MAX_SYSLOG_LEN) plen = MAX_SYSLOG_LEN;
188 if (ss[plen] == '\n') tlen--; /* chars left */
192 else if (f.running_in_test_harness)
194 fprintf(stderr, "SYSLOG: '%.*s'\n", plen, ss);
196 fprintf(stderr, "SYSLOG: '[%d%c%d] %.*s'\n", i,
197 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
198 linecount, plen, ss);
201 syslog(priority, "%.*s", plen, ss);
203 syslog(priority, "[%d%c%d] %.*s", i,
204 ss[plen] == '\n' && tlen != 0 ? '\\' : '/',
205 linecount, plen, ss);
208 if (*ss == '\n') ss++;
215 /*************************************************
217 *************************************************/
219 /* This is called when Exim is dying as a result of something going wrong in
220 the logging, or after a log call with LOG_PANIC_DIE set. Optionally write a
221 message to debug_file or a stderr file, if they exist. Then, if in the middle
222 of accepting a message, throw it away tidily by calling receive_bomb_out();
223 this will attempt to send an SMTP response if appropriate. Passing NULL as the
224 first argument stops it trying to run the NOTQUIT ACL (which might try further
225 logging and thus cause problems). Otherwise, try to close down an outstanding
229 s1 Error message to write to debug_file and/or stderr and syslog
230 s2 Error message for any SMTP call that is in progress
231 Returns: The function does not return
235 die(uschar *s1, uschar *s2)
239 write_syslog(LOG_CRIT, s1);
240 if (debug_file) debug_printf("%s\n", s1);
241 if (log_stderr && log_stderr != debug_file)
242 fprintf(log_stderr, "%s\n", s1);
244 if (f.receive_call_bombout) receive_bomb_out(NULL, s2); /* does not return */
245 if (smtp_input) smtp_closedown(s2);
246 exim_exit(EXIT_FAILURE);
251 /*************************************************
252 * Create a log file *
253 *************************************************/
255 /* This function is called to create and open a log file. It may be called in a
256 subprocess when the original process is root.
261 The file name has been build in a working buffer, so it is permissible to
262 overwrite it temporarily if it is necessary to create the directory.
264 Returns: a file descriptor, or < 0 on failure (errno set)
268 log_open_already_exim(uschar * const name)
271 const int flags = O_WRONLY | O_APPEND | O_CREAT | O_NONBLOCK;
273 if (geteuid() != exim_uid)
279 fd = Uopen(name, flags, LOG_MODE);
281 /* If creation failed, attempt to build a log directory in case that is the
284 if (fd < 0 && errno == ENOENT)
287 uschar *lastslash = Ustrrchr(name, '/');
289 created = directory_make(NULL, name, LOG_DIRECTORY_MODE, FALSE);
292 debug_printf("created log directory %s\n", name);
294 debug_printf("failed to create log directory %s: %s\n", name, strerror(errno));
296 if (created) fd = Uopen(name, flags, LOG_MODE);
304 /* Inspired by OpenSSH's mm_send_fd(). Thanks! */
307 log_send_fd(const int sock, const int fd)
312 char buf[CMSG_SPACE(sizeof(int))];
314 struct cmsghdr *cmsg;
319 memset(&msg, 0, sizeof(msg));
320 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
321 msg.msg_control = &cmsgbuf.buf;
322 msg.msg_controllen = sizeof(cmsgbuf.buf);
324 cmsg = CMSG_FIRSTHDR(&msg);
325 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
326 cmsg->cmsg_level = SOL_SOCKET;
327 cmsg->cmsg_type = SCM_RIGHTS;
328 *(int *)CMSG_DATA(cmsg) = fd;
335 while ((n = sendmsg(sock, &msg, 0)) == -1 && errno == EINTR);
336 if (n != 1) return -1;
340 /* Inspired by OpenSSH's mm_receive_fd(). Thanks! */
343 log_recv_fd(const int sock)
348 char buf[CMSG_SPACE(sizeof(int))];
350 struct cmsghdr *cmsg;
356 memset(&msg, 0, sizeof(msg));
362 memset(&cmsgbuf, 0, sizeof(cmsgbuf));
363 msg.msg_control = &cmsgbuf.buf;
364 msg.msg_controllen = sizeof(cmsgbuf.buf);
366 while ((n = recvmsg(sock, &msg, 0)) == -1 && errno == EINTR);
367 if (n != 1 || ch != 'A') return -1;
369 cmsg = CMSG_FIRSTHDR(&msg);
370 if (cmsg == NULL) return -1;
371 if (cmsg->cmsg_type != SCM_RIGHTS) return -1;
372 fd = *(const int *)CMSG_DATA(cmsg);
373 if (fd < 0) return -1;
379 /*************************************************
380 * Create a log file as the exim user *
381 *************************************************/
383 /* This function is called when we are root to spawn an exim:exim subprocess
384 in which we can create a log file. It must be signal-safe since it is called
385 by the usr1_handler().
390 Returns: a file descriptor, or < 0 on failure (errno set)
394 log_open_as_exim(uschar * const name)
397 const uid_t euid = geteuid();
399 if (euid == exim_uid)
400 fd = log_open_already_exim(name);
401 else if (euid == root_uid)
404 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sock) == 0)
406 const pid_t pid = exim_fork(US"logfile-open");
409 (void)close(sock[0]);
410 if (setgroups(1, &exim_gid) != 0) _exit(EXIT_FAILURE);
411 if (setgid(exim_gid) != 0) _exit(EXIT_FAILURE);
412 if (setuid(exim_uid) != 0) _exit(EXIT_FAILURE);
414 if (getuid() != exim_uid || geteuid() != exim_uid) _exit(EXIT_FAILURE);
415 if (getgid() != exim_gid || getegid() != exim_gid) _exit(EXIT_FAILURE);
417 fd = log_open_already_exim(name);
418 if (fd < 0) _exit(EXIT_FAILURE);
419 if (log_send_fd(sock[1], fd) != 0) _exit(EXIT_FAILURE);
420 (void)close(sock[1]);
424 (void)close(sock[1]);
427 fd = log_recv_fd(sock[0]);
428 while (waitpid(pid, NULL, 0) == -1 && errno == EINTR);
430 (void)close(sock[0]);
437 flags = fcntl(fd, F_GETFD);
438 if (flags != -1) (void)fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
439 flags = fcntl(fd, F_GETFL);
440 if (flags != -1) (void)fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
453 /*************************************************
455 *************************************************/
457 /* This function opens one of a number of logs, creating the log directory if
458 it does not exist. This may be called recursively on failure, in order to open
461 The directory is in the static variable file_path. This is static so that it
462 the work of sorting out the path is done just once per Exim process.
464 Exim is normally configured to avoid running as root wherever possible, the log
465 files must be owned by the non-privileged exim user. To ensure this, first try
466 an open without O_CREAT - most of the time this will succeed. If it fails, try
467 to create the file; if running as root, this must be done in a subprocess to
471 fd where to return the resulting file descriptor
472 type lt_main, lt_reject, lt_panic, or lt_debug
473 tag optional tag to include in the name (only hooked up for debug)
479 open_log(int *fd, int type, uschar *tag)
483 uschar buffer[LOG_NAME_SIZE];
485 /* The names of the log files are controlled by file_path. The panic log is
486 written to the same directory as the main and reject logs, but its name does
487 not have a datestamp. The use of datestamps is indicated by %D/%M in file_path.
488 When opening the panic log, if %D or %M is present, we remove the datestamp
489 from the generated name; if it is at the start, remove a following
490 non-alphanumeric character as well; otherwise, remove a preceding
491 non-alphanumeric character. This is definitely kludgy, but it sort of does what
492 people want, I hope. */
494 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
499 /* Save the name of the mainlog for rollover processing. Without a datestamp,
500 it gets statted to see if it has been cycled. With a datestamp, the datestamp
501 will be compared. The static slot for saving it is the same size as buffer,
502 and the text has been checked above to fit, so this use of strcpy() is OK. */
504 Ustrcpy(mainlog_name, buffer);
505 if (string_datestamp_offset > 0)
506 mainlog_datestamp = mainlog_name + string_datestamp_offset;
510 /* Ditto for the reject log */
512 Ustrcpy(rejectlog_name, buffer);
513 if (string_datestamp_offset > 0)
514 rejectlog_datestamp = rejectlog_name + string_datestamp_offset;
518 /* and deal with the debug log (which keeps the datestamp, but does not
521 Ustrcpy(debuglog_name, buffer);
524 /* this won't change the offset of the datestamp */
525 ok2 = string_format(buffer, sizeof(buffer), "%s%s",
528 Ustrcpy(debuglog_name, buffer);
533 /* Remove any datestamp if this is the panic log. This is rare, so there's no
534 need to optimize getting the datestamp length. We remove one non-alphanumeric
535 char afterwards if at the start, otherwise one before. */
537 if (string_datestamp_offset >= 0)
539 uschar * from = buffer + string_datestamp_offset;
540 uschar * to = from + string_datestamp_length;
542 if (from == buffer || from[-1] == '/')
544 if (!isalnum(*to)) to++;
547 if (!isalnum(from[-1])) from--;
549 /* This copy is ok, because we know that to is a substring of from. But
550 due to overlap we must use memmove() not Ustrcpy(). */
551 memmove(from, to, Ustrlen(to)+1);
556 /* If the file name is too long, it is an unrecoverable disaster */
559 die(US"exim: log file path too long: aborting",
560 US"Logging failure; please try later");
562 /* We now have the file name. After a successful open, return. */
564 *fd = log_open_as_exim(buffer);
571 /* Creation failed. There are some circumstances in which we get here when
572 the effective uid is not root or exim, which is the problem. (For example, a
573 non-setuid binary with log_arguments set, called in certain ways.) Rather than
574 just bombing out, force the log to stderr and carry on if stderr is available.
577 if (euid != root_uid && euid != exim_uid && log_stderr)
579 *fd = fileno(log_stderr);
583 /* Otherwise this is a disaster. This call is deliberately ONLY to the panic
584 log. If possible, save a copy of the original line that was being logged. If we
585 are recursing (can't open the panic log either), the pointer will already be
586 set. Also, when we had to use a subprocess for the create we didn't retrieve
587 errno from it, so get the error from the open attempt above (which is often
588 meaningful enough, so leave it). */
590 if (!panic_save_buffer)
591 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
592 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
594 log_write(0, LOG_PANIC_DIE, "Cannot open %s log file \"%s\": %s: "
595 "euid=%d egid=%d", log_names[type], buffer, strerror(errno), euid, getegid());
603 if (type == lt_debug) unlink(CS debuglog_name);
608 /*************************************************
609 * Add configuration file info to log line *
610 *************************************************/
612 /* This is put in a function because it's needed twice (once for debugging,
616 ptr pointer to the end of the line we are building
619 Returns: updated pointer
623 log_config_info(gstring * g, int flags)
625 g = string_cat(g, US"Exim configuration error");
627 if (flags & (LOG_CONFIG_FOR & ~LOG_CONFIG))
628 return string_cat(g, US" for ");
630 if (flags & (LOG_CONFIG_IN & ~LOG_CONFIG))
631 g = string_fmt_append(g, " in line %d of %s", config_lineno, config_filename);
633 return string_catn(g, US":\n ", 4);
637 /*************************************************
638 * A write() operation failed *
639 *************************************************/
641 /* This function is called when write() fails on anything other than the panic
642 log, which can happen if a disk gets full or a file gets too large or whatever.
643 We try to save the relevant message in the panic_save buffer before crashing
646 The potential invoker should probably not call us for EINTR -1 writes. But
647 otherwise, short writes are bad as we don't do non-blocking writes to fds
648 subject to flow control. (If we do, that's new and the logic of this should
652 name the name of the log being written
653 length the string length being written
654 rc the return value from write()
656 Returns: does not return
660 log_write_failed(uschar *name, int length, int rc)
662 int save_errno = errno;
664 if (!panic_save_buffer)
665 if ((panic_save_buffer = US malloc(LOG_BUFFER_SIZE)))
666 memcpy(panic_save_buffer, log_buffer, LOG_BUFFER_SIZE);
668 log_write(0, LOG_PANIC_DIE, "failed to write to %s: length=%d result=%d "
669 "errno=%d (%s)", name, length, rc, save_errno,
670 (save_errno == 0)? "write incomplete" : strerror(save_errno));
676 /*************************************************
677 * Write to an fd, retrying after signals *
678 *************************************************/
680 /* Basic write to fd for logs, handling EINTR.
683 fd the fd to write to
684 buf the string to write
685 length the string length being written
688 length actually written, persisting an errno from write()
691 write_to_fd_buf(int fd, const uschar *buf, size_t length)
694 size_t total_written = 0;
695 const uschar *p = buf;
696 size_t left = length;
700 wrote = write(fd, p, left);
701 if (wrote == (ssize_t)-1)
703 if (errno == EINTR) continue;
706 total_written += wrote;
715 return total_written;
719 /* Pull the file out of the configured or the compiled-in list.
720 Called for an empty log_file_path element, for debug logging activation
721 when file_path has not previously been set, and from the appenfile transport setup. */
724 set_file_path(BOOL *multiple)
727 int sep = ':'; /* Fixed separator - outside use */
728 const uschar *ss = *log_file_path ? log_file_path : US LOG_FILE_PATH;
731 for (logging_mode = 0;
732 s = string_nextinlist(&ss, &sep, log_buffer, LOG_BUFFER_SIZE); )
734 if (Ustrcmp(s, "syslog") == 0)
735 logging_mode |= LOG_MODE_SYSLOG;
736 else if (!(logging_mode & LOG_MODE_FILE)) /* no file yet */
738 /* If a non-empty path is given, use it */
741 file_path = string_copy(s);
743 /* If handling the config option, and the element is empty, we want to use
744 the first non-empty, non-syslog item in LOG_FILE_PATH, if there is one,
745 since the value of log_file_path may have been set at runtime. If there is
746 no such item, use the ultimate default in the spool directory. */
748 else if (*log_file_path && LOG_FILE_PATH[0])
750 ss = US LOG_FILE_PATH;
754 logging_mode |= LOG_MODE_FILE;
757 if (multiple) *multiple = TRUE;
760 logging_mode = LOG_MODE_FILE;
762 /* Set up the ultimate default if necessary. */
764 if (logging_mode & LOG_MODE_FILE && !*file_path)
765 file_path = string_sprintf("%s/log/%%slog", spool_directory);
772 /* avoid closing it if it is closed already or if we do not see a chance
773 to open the file mainlog later again */
774 if (mainlogfd < 0 /* already closed */
775 || !(geteuid() == 0 || geteuid() == exim_uid))
777 (void)close(mainlogfd);
782 /*************************************************
783 * Write message to log file *
784 *************************************************/
786 /* Exim can be configured to log to local files, or use syslog, or both. This
787 is controlled by the setting of log_file_path. The following cases are
790 log_file_path = "" write files in the spool/log directory
791 log_file_path = "xxx" write files in the xxx directory
792 log_file_path = "syslog" write to syslog
793 log_file_path = "syslog : xxx" write to syslog and to files (any order)
795 The message always gets '\n' added on the end of it, since more than one
796 process may be writing to the log at once and we don't want intermingling to
797 happen in the middle of lines. To be absolutely sure of this we write the data
798 into a private buffer and then put it out in a single write() call.
800 The flags determine which log(s) the message is written to, or for syslogging,
801 which priority to use, and in the case of the panic log, whether the process
802 should die afterwards.
804 The variable really_exim is TRUE only when exim is running in privileged state
805 (i.e. not with a changed configuration or with testing options such as -brw).
806 If it is not, don't try to write to the log because permission will probably be
809 Avoid actually writing to the logs when exim is called with -bv or -bt to
810 test an address, but take other actions, such as panicking.
812 In Exim proper, the buffer for building the message is got at start-up, so that
813 nothing gets done if it can't be got. However, some functions that are also
814 used in utilities occasionally obey log_write calls in error situations, and it
815 is simplest to put a single malloc() here rather than put one in each utility.
816 Malloc is used directly because the store functions may call log_write().
818 If a message_id exists, we include it after the timestamp.
821 selector write to main log or LOG_INFO only if this value is zero, or if
822 its bit is set in log_selector[0]
823 flags each bit indicates some independent action:
824 LOG_SENDER add raw sender to the message
825 LOG_RECIPIENTS add raw recipients list to message
826 LOG_CONFIG add "Exim configuration error"
827 LOG_CONFIG_FOR add " for " instead of ":\n "
828 LOG_CONFIG_IN add " in line x[ of file y]"
829 LOG_MAIN write to main log or syslog LOG_INFO
830 LOG_REJECT write to reject log or syslog LOG_NOTICE
831 LOG_PANIC write to panic log or syslog LOG_ALERT
832 LOG_PANIC_DIE write to panic log or LOG_ALERT and then crash
833 format a printf() format
834 ... arguments for format
840 log_write(unsigned int selector, int flags, const char *format, ...)
844 gstring gs = { .size = LOG_BUFFER_SIZE-1, .ptr = 0, .s = log_buffer };
848 /* If panic_recurseflag is set, we have failed to open the panic log. This is
849 the ultimate disaster. First try to write the message to a debug file and/or
850 stderr and also to syslog. If panic_save_buffer is not NULL, it contains the
851 original log line that caused the problem. Afterwards, expire. */
853 if (panic_recurseflag)
855 uschar *extra = panic_save_buffer ? panic_save_buffer : US"";
856 if (debug_file) debug_printf("%s%s", extra, log_buffer);
857 if (log_stderr && log_stderr != debug_file)
858 fprintf(log_stderr, "%s%s", extra, log_buffer);
859 if (*extra) write_syslog(LOG_CRIT, extra);
860 write_syslog(LOG_CRIT, log_buffer);
861 die(US"exim: could not open panic log - aborting: see message(s) above",
862 US"Unexpected log failure, please try later");
865 /* Ensure we have a buffer (see comment above); this should never be obeyed
866 when running Exim proper, only when running utilities. */
869 if (!(log_buffer = US malloc(LOG_BUFFER_SIZE)))
871 fprintf(stderr, "exim: failed to get store for log buffer\n");
872 exim_exit(EXIT_FAILURE);
875 /* If we haven't already done so, inspect the setting of log_file_path to
876 determine whether to log to files and/or to syslog. Bits in logging_mode
877 control this, and for file logging, the path must end up in file_path. This
878 variable must be in permanent store because it may be required again later in
883 BOOL multiple = FALSE;
884 int old_pool = store_pool;
886 store_pool = POOL_PERM;
888 /* If nothing has been set, don't waste effort... the default values for the
889 statics are file_path="" and logging_mode = LOG_MODE_FILE. */
891 if (*log_file_path) set_file_path(&multiple);
893 /* If no modes have been selected, it is a major disaster */
895 if (logging_mode == 0)
896 die(US"Neither syslog nor file logging set in log_file_path",
897 US"Unexpected logging failure");
899 /* Revert to the old store pool, and record that we've sorted out the path. */
901 store_pool = old_pool;
902 path_inspected = TRUE;
904 /* If more than one file path was given, log a complaint. This recursive call
905 should work since we have now set up the routing. */
908 log_write(0, LOG_MAIN|LOG_PANIC,
909 "More than one path given in log_file_path: using %s", file_path);
912 /* If debugging, show all log entries, but don't show headers. Do it all
913 in one go so that it doesn't get split when multi-processing. */
919 g = string_catn(&gs, US"LOG:", 4);
921 /* Show the selector that was passed into the call. */
923 for (i = 0; i < log_options_count; i++)
925 unsigned int bitnum = log_options[i].bit;
926 if (bitnum < BITWORDSIZE && selector == BIT(bitnum))
927 g = string_fmt_append(g, " %s", log_options[i].name);
930 g = string_fmt_append(g, "%s%s%s%s\n ",
931 flags & LOG_MAIN ? " MAIN" : "",
932 flags & LOG_PANIC ? " PANIC" : "",
933 (flags & LOG_PANIC_DIE) == LOG_PANIC_DIE ? " DIE" : "",
934 flags & LOG_REJECT ? " REJECT" : "");
936 if (flags & LOG_CONFIG) g = log_config_info(g, flags);
938 /* We want to be able to log tainted info, but log_buffer is directly
939 malloc'd. So use deliberately taint-nonchecking routines to build into
940 it, trusting that we will never expand the results. */
942 va_start(ap, format);
944 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
947 g = string_cat(g, US"**** log string overflowed log buffer ****");
951 g->size = LOG_BUFFER_SIZE;
952 g = string_catn(g, US"\n", 1);
953 debug_printf("%s", string_from_gstring(g));
955 gs.size = LOG_BUFFER_SIZE-1; /* Having used the buffer for debug output, */
956 gs.ptr = 0; /* reset it for the real use. */
959 /* If no log file is specified, we are in a mess. */
961 if (!(flags & (LOG_MAIN|LOG_PANIC|LOG_REJECT)))
962 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "log_write called with no log "
965 /* There are some weird circumstances in which logging is disabled. */
967 if (f.disable_logging)
969 DEBUG(D_any) debug_printf("log writing disabled\n");
970 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
974 /* Handle disabled reject log */
976 if (!write_rejectlog) flags &= ~LOG_REJECT;
978 /* Create the main message in the log buffer. Do not include the message id
979 when called by a utility. */
981 g = string_fmt_append(&gs, "%s ", tod_stamp(tod_log));
985 if (!syslog_pid) pid_position[0] = g->ptr; /* remember begin … */
986 g = string_fmt_append(g, "[%d] ", (int)getpid());
987 if (!syslog_pid) pid_position[1] = g->ptr; /* … and end+1 of the PID */
990 if (f.really_exim && message_id[0] != 0)
991 g = string_fmt_append(g, "%s ", message_id);
993 if (flags & LOG_CONFIG)
994 g = log_config_info(g, flags);
996 va_start(ap, format);
1000 /* We want to be able to log tainted info, but log_buffer is directly
1001 malloc'd. So use deliberately taint-nonchecking routines to build into
1002 it, trusting that we will never expand the results. */
1004 if (!string_vformat(g, SVFMT_TAINT_NOCHK, format, ap))
1007 g = string_cat(g, US"**** log string overflowed log buffer ****\n");
1012 /* Add the raw, unrewritten, sender to the message if required. This is done
1013 this way because it kind of fits with LOG_RECIPIENTS. */
1015 if ( flags & LOG_SENDER
1016 && g->ptr < LOG_BUFFER_SIZE - 10 - Ustrlen(raw_sender))
1017 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " from <%s>", raw_sender);
1019 /* Add list of recipients to the message if required; the raw list,
1020 before rewriting, was saved in raw_recipients. There may be none, if an ACL
1021 discarded them all. */
1023 if ( flags & LOG_RECIPIENTS
1024 && g->ptr < LOG_BUFFER_SIZE - 6
1025 && raw_recipients_count > 0)
1028 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " for", NULL);
1029 for (i = 0; i < raw_recipients_count; i++)
1031 uschar * s = raw_recipients[i];
1032 if (LOG_BUFFER_SIZE - g->ptr < Ustrlen(s) + 3) break;
1033 g = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " %s", s);
1037 g = string_catn(g, US"\n", 1);
1038 string_from_gstring(g);
1040 /* Handle loggable errors when running a utility, or when address testing.
1041 Write to log_stderr unless debugging (when it will already have been written),
1042 or unless there is no log_stderr (expn called from daemon, for example). */
1044 if (!f.really_exim || f.log_testing_mode)
1046 if ( !debug_selector
1048 && (selector == 0 || (selector & log_selector[0]) != 0)
1051 fprintf(log_stderr, "LOG: %s", CS(log_buffer + 20)); /* no timestamp */
1053 fprintf(log_stderr, "%s", CS log_buffer);
1055 if ((flags & LOG_PANIC_DIE) == LOG_PANIC_DIE) exim_exit(EXIT_FAILURE);
1059 /* Handle the main log. We know that either syslog or file logging (or both) is
1060 set up. A real file gets left open during reception or delivery once it has
1061 been opened, but we don't want to keep on writing to it for too long after it
1062 has been renamed. Therefore, do a stat() and see if the inode has changed, and
1065 if ( flags & LOG_MAIN
1066 && (!selector || selector & log_selector[0]))
1068 if ( logging_mode & LOG_MODE_SYSLOG
1069 && (syslog_duplication || !(flags & (LOG_REJECT|LOG_PANIC))))
1070 write_syslog(LOG_INFO, log_buffer);
1072 if (logging_mode & LOG_MODE_FILE)
1074 struct stat statbuf;
1076 /* Check for a change to the mainlog file name when datestamping is in
1077 operation. This happens at midnight, at which point we want to roll over
1078 the file. Closing it has the desired effect. */
1080 if (mainlog_datestamp)
1082 uschar *nowstamp = tod_stamp(string_datestamp_type);
1083 if (Ustrncmp (mainlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1085 (void)close(mainlogfd); /* Close the file */
1086 mainlogfd = -1; /* Clear the file descriptor */
1087 mainlog_inode = 0; /* Unset the inode */
1088 mainlog_datestamp = NULL; /* Clear the datestamp */
1092 /* Otherwise, we want to check whether the file has been renamed by a
1093 cycling script. This could be "if else", but for safety's sake, leave it as
1094 "if" so that renaming the log starts a new file even when datestamping is
1098 if (Ustat(mainlog_name, &statbuf) < 0 || statbuf.st_ino != mainlog_inode)
1101 /* If the log is closed, open it. Then write the line. */
1105 open_log(&mainlogfd, lt_main, NULL); /* No return on error */
1106 if (fstat(mainlogfd, &statbuf) >= 0) mainlog_inode = statbuf.st_ino;
1109 /* Failing to write to the log is disastrous */
1111 written_len = write_to_fd_buf(mainlogfd, g->s, g->ptr);
1112 if (written_len != g->ptr)
1114 log_write_failed(US"main log", g->ptr, written_len);
1115 /* That function does not return */
1120 /* Handle the log for rejected messages. This can be globally disabled, in
1121 which case the flags are altered above. If there are any header lines (i.e. if
1122 the rejection is happening after the DATA phase), log the recipients and the
1125 if (flags & LOG_REJECT)
1127 if (header_list && LOGGING(rejected_header))
1132 if (recipients_count > 0)
1134 /* List the sender */
1136 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1137 "Envelope-from: <%s>\n", sender_address);
1140 /* List up to 5 recipients */
1142 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1143 "Envelope-to: <%s>\n", recipients_list[0].address);
1146 for (i = 1; i < recipients_count && i < 5; i++)
1148 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1149 " <%s>\n", recipients_list[i].address);
1153 if (i < recipients_count)
1155 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK, " ...\n", NULL);
1160 /* A header with a NULL text is an unfilled in Received: header */
1162 for (header_line * h = header_list; h; h = h->next) if (h->text)
1164 g2 = string_fmt_append_f(g, SVFMT_TAINT_NOCHK,
1165 "%c %s", h->type, h->text);
1168 else /* Buffer is full; truncate */
1170 g->ptr -= 100; /* For message and separator */
1171 if (g->s[g->ptr-1] == '\n') g->ptr--;
1172 g = string_cat(g, US"\n*** truncated ***\n");
1178 /* Write to syslog or to a log file */
1180 if ( logging_mode & LOG_MODE_SYSLOG
1181 && (syslog_duplication || !(flags & LOG_PANIC)))
1182 write_syslog(LOG_NOTICE, string_from_gstring(g));
1184 /* Check for a change to the rejectlog file name when datestamping is in
1185 operation. This happens at midnight, at which point we want to roll over
1186 the file. Closing it has the desired effect. */
1188 if (logging_mode & LOG_MODE_FILE)
1190 struct stat statbuf;
1192 if (rejectlog_datestamp)
1194 uschar *nowstamp = tod_stamp(string_datestamp_type);
1195 if (Ustrncmp (rejectlog_datestamp, nowstamp, Ustrlen(nowstamp)) != 0)
1197 (void)close(rejectlogfd); /* Close the file */
1198 rejectlogfd = -1; /* Clear the file descriptor */
1199 rejectlog_inode = 0; /* Unset the inode */
1200 rejectlog_datestamp = NULL; /* Clear the datestamp */
1204 /* Otherwise, we want to check whether the file has been renamed by a
1205 cycling script. This could be "if else", but for safety's sake, leave it as
1206 "if" so that renaming the log starts a new file even when datestamping is
1209 if (rejectlogfd >= 0)
1210 if (Ustat(rejectlog_name, &statbuf) < 0 ||
1211 statbuf.st_ino != rejectlog_inode)
1213 (void)close(rejectlogfd);
1215 rejectlog_inode = 0;
1218 /* Open the file if necessary, and write the data */
1220 if (rejectlogfd < 0)
1222 open_log(&rejectlogfd, lt_reject, NULL); /* No return on error */
1223 if (fstat(rejectlogfd, &statbuf) >= 0) rejectlog_inode = statbuf.st_ino;
1226 written_len = write_to_fd_buf(rejectlogfd, g->s, g->ptr);
1227 if (written_len != g->ptr)
1229 log_write_failed(US"reject log", g->ptr, written_len);
1230 /* That function does not return */
1236 /* Handle the panic log, which is not kept open like the others. If it fails to
1237 open, there will be a recursive call to log_write(). We detect this above and
1238 attempt to write to the system log as a last-ditch try at telling somebody. In
1239 all cases except mua_wrapper, try to write to log_stderr. */
1241 if (flags & LOG_PANIC)
1243 if (log_stderr && log_stderr != debug_file && !mua_wrapper)
1244 fprintf(log_stderr, "%s", CS string_from_gstring(g));
1246 if (logging_mode & LOG_MODE_SYSLOG)
1247 write_syslog(LOG_ALERT, log_buffer);
1249 /* If this panic logging was caused by a failure to open the main log,
1250 the original log line is in panic_save_buffer. Make an attempt to write it. */
1252 if (logging_mode & LOG_MODE_FILE)
1254 if (!*file_path) set_file_path(NULL);
1255 panic_recurseflag = TRUE;
1256 open_log(&paniclogfd, lt_panic, NULL); /* Won't return on failure */
1257 panic_recurseflag = FALSE;
1259 if (panic_save_buffer)
1261 int i = write(paniclogfd, panic_save_buffer, Ustrlen(panic_save_buffer));
1262 i = i; /* compiler quietening */
1265 written_len = write_to_fd_buf(paniclogfd, g->s, g->ptr);
1266 if (written_len != g->ptr)
1268 int save_errno = errno;
1269 write_syslog(LOG_CRIT, log_buffer);
1270 sprintf(CS log_buffer, "write failed on panic log: length=%d result=%d "
1271 "errno=%d (%s)", g->ptr, (int)written_len, save_errno, strerror(save_errno));
1272 write_syslog(LOG_CRIT, string_from_gstring(g));
1273 flags |= LOG_PANIC_DIE;
1276 (void)close(paniclogfd);
1279 /* Give up if the DIE flag is set */
1281 if ((flags & LOG_PANIC_DIE) != LOG_PANIC)
1282 die(NULL, US"Unexpected failure, please try later");
1288 /*************************************************
1289 * Close any open log files *
1290 *************************************************/
1296 { (void)close(mainlogfd); mainlogfd = -1; }
1297 if (rejectlogfd >= 0)
1298 { (void)close(rejectlogfd); rejectlogfd = -1; }
1300 syslog_open = FALSE;
1305 /*************************************************
1306 * Multi-bit set or clear *
1307 *************************************************/
1309 /* These functions take a list of bit indexes (terminated by -1) and
1310 clear or set the corresponding bits in the selector.
1313 selector address of the bit string
1314 selsize number of words in the bit string
1315 bits list of bits to set
1319 bits_clear(unsigned int *selector, size_t selsize, int *bits)
1321 for(; *bits != -1; ++bits)
1322 BIT_CLEAR(selector, selsize, *bits);
1326 bits_set(unsigned int *selector, size_t selsize, int *bits)
1328 for(; *bits != -1; ++bits)
1329 BIT_SET(selector, selsize, *bits);
1334 /*************************************************
1335 * Decode bit settings for log/debug *
1336 *************************************************/
1338 /* This function decodes a string containing bit settings in the form of +name
1339 and/or -name sequences, and sets/unsets bits in a bit string accordingly. It
1340 also recognizes a numeric setting of the form =<number>, but this is not
1341 intended for user use. It's an easy way for Exim to pass the debug settings
1342 when it is re-exec'ed.
1344 The option table is a list of names and bit indexes. The index -1
1345 means "set all bits, except for those listed in notall". The notall
1346 list is terminated by -1.
1348 The action taken for bad values varies depending upon why we're here.
1349 For log messages, or if the debugging is triggered from config, then we write
1350 to the log on the way out. For debug setting triggered from the command-line,
1351 we treat it as an unknown option: error message to stderr and die.
1354 selector address of the bit string
1355 selsize number of words in the bit string
1356 notall list of bits to exclude from "all"
1357 string the configured string
1358 options the table of option names
1360 which "log" or "debug"
1361 flags DEBUG_FROM_CONFIG
1363 Returns: nothing on success - bomb out on failure
1367 decode_bits(unsigned int *selector, size_t selsize, int *notall,
1368 uschar *string, bit_table *options, int count, uschar *which, int flags)
1371 if (!string) return;
1375 char *end; /* Not uschar */
1376 memset(selector, 0, sizeof(*selector)*selsize);
1377 *selector = strtoul(CS string+1, &end, 0);
1379 errmsg = string_sprintf("malformed numeric %s_selector setting: %s", which,
1384 /* Handle symbolic setting */
1391 bit_table *start, *end;
1393 Uskip_whitespace(&string);
1394 if (!*string) return;
1396 if (*string != '+' && *string != '-')
1398 errmsg = string_sprintf("malformed %s_selector setting: "
1399 "+ or - expected but found \"%s\"", which, string);
1403 adding = *string++ == '+';
1405 while (isalnum(*string) || *string == '_') string++;
1409 end = options + count;
1413 bit_table *middle = start + (end - start)/2;
1414 int c = Ustrncmp(s, middle->name, len);
1416 if (middle->name[len] != 0) c = -1; else
1418 unsigned int bit = middle->bit;
1424 memset(selector, -1, sizeof(*selector)*selsize);
1425 bits_clear(selector, selsize, notall);
1428 memset(selector, 0, sizeof(*selector)*selsize);
1431 BIT_SET(selector, selsize, bit);
1433 BIT_CLEAR(selector, selsize, bit);
1435 break; /* Out of loop to match selector name */
1437 if (c < 0) end = middle; else start = middle + 1;
1438 } /* Loop to match selector name */
1442 errmsg = string_sprintf("unknown %s_selector setting: %c%.*s", which,
1443 adding? '+' : '-', len, s);
1446 } /* Loop for selector names */
1448 /* Handle disasters */
1451 if (Ustrcmp(which, "debug") == 0)
1453 if (flags & DEBUG_FROM_CONFIG)
1455 log_write(0, LOG_CONFIG|LOG_PANIC, "%s", errmsg);
1458 fprintf(stderr, "exim: %s\n", errmsg);
1461 else log_write(0, LOG_CONFIG|LOG_PANIC_DIE, "%s", errmsg);
1466 /*************************************************
1467 * Activate a debug logfile (late) *
1468 *************************************************/
1470 /* Normally, debugging is activated from the command-line; it may be useful
1471 within the configuration to activate debugging later, based on certain
1472 conditions. If debugging is already in progress, we return early, no action
1473 taken (besides debug-logging that we wanted debug-logging).
1475 Failures in options are not fatal but will result in paniclog entries for the
1478 The first use of this is in ACL logic, "control = debug/tag=foo/opts=+expand"
1479 which can be combined with conditions, etc, to activate extra logging only
1480 for certain sources. The second use is inetd wait mode debug preservation. */
1483 debug_logging_activate(uschar *tag_name, uschar *opts)
1489 debug_printf("DEBUGGING ACTIVATED FROM WITHIN CONFIG.\n"
1490 "DEBUG: Tag=\"%s\" opts=\"%s\"\n", tag_name, opts ? opts : US"");
1494 if (tag_name != NULL && (Ustrchr(tag_name, '/') != NULL))
1496 log_write(0, LOG_MAIN|LOG_PANIC, "debug tag may not contain a '/' in: %s",
1501 debug_selector = D_default;
1503 decode_bits(&debug_selector, 1, debug_notall, opts,
1504 debug_options, debug_options_count, US"debug", DEBUG_FROM_CONFIG);
1506 /* When activating from a transport process we may never have logged at all
1507 resulting in certain setup not having been done. Hack this for now so we
1508 do not segfault; note that nondefault log locations will not work */
1510 if (!*file_path) set_file_path(NULL);
1512 open_log(&fd, lt_debug, tag_name);
1515 debug_file = fdopen(fd, "w");
1517 log_write(0, LOG_MAIN|LOG_PANIC, "unable to open debug log");
1522 debug_logging_stop(void)
1524 if (!debug_file || !debuglog_name[0]) return;
1529 unlink_log(lt_debug);
1532 /* Called from the appendfile transport setup. */
1536 set_file_path(NULL);
1537 if (!(logging_mode & LOG_MODE_FILE)) return;
1538 open_log(&mainlogfd, lt_main, 0);
1539 open_log(&rejectlogfd, lt_reject, 0);