1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2023 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* Functions concerned with running Exim as a daemon */
16 /* Structure for holding data for each SMTP connection */
18 typedef struct smtp_slot {
19 pid_t pid; /* pid of the spawned reception process */
20 uschar * host_address; /* address of the client host */
23 typedef struct runner_slot {
24 pid_t pid; /* pid of spawned queue-runner process */
25 const uschar *queue_name; /* pointer to the name in the qrunner struct */
28 /* An empty slot for initializing (Standard C does not allow constructor
29 expressions in assignments except as initializers in declarations). */
31 static smtp_slot empty_smtp_slot = { .pid = 0, .host_address = NULL };
33 /*************************************************
34 * Local static variables *
35 *************************************************/
37 static SIGNAL_BOOL sigchld_seen;
38 static SIGNAL_BOOL sighup_seen;
39 static SIGNAL_BOOL sigterm_seen;
41 static int accept_retry_count = 0;
42 static int accept_retry_errno;
43 static BOOL accept_retry_select_failed;
45 static int queue_run_count = 0; /* current runners */
47 static unsigned queue_runner_slot_count = 0;
48 static runner_slot * queue_runner_slots = NULL;
49 static smtp_slot * smtp_slots = NULL;
51 static BOOL write_pid = TRUE;
53 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
54 static uschar * notifier_socket_name;
58 /*************************************************
60 *************************************************/
62 /* All this handler does is to set a flag and re-enable the signal.
64 Argument: the signal number
69 sighup_handler(int sig)
72 signal(SIGHUP, sighup_handler);
77 /*************************************************
78 * SIGCHLD handler for main daemon process *
79 *************************************************/
81 /* Don't re-enable the handler here, since we aren't doing the
82 waiting here. If the signal is re-enabled, there will just be an
83 infinite sequence of calls to this handler. The SIGCHLD signal is
84 used just as a means of waking up the daemon so that it notices
85 terminated subprocesses as soon as possible.
87 Argument: the signal number
92 main_sigchld_handler(int sig)
94 os_non_restarting_signal(SIGCHLD, SIG_DFL);
99 /* SIGTERM handler. Try to get the daemon pid file removed
103 main_sigterm_handler(int sig)
111 /*************************************************
112 * Unexpected errors in SMTP calls *
113 *************************************************/
115 /* This function just saves a bit of repetitious coding.
118 log_msg Text of message to be logged
119 smtp_msg Text of SMTP error message
120 was_errno The failing errno
126 never_error(uschar *log_msg, uschar *smtp_msg, int was_errno)
128 uschar *emsg = was_errno <= 0
129 ? US"" : string_sprintf(": %s", strerror(was_errno));
130 log_write(0, LOG_MAIN|LOG_PANIC, "%s%s", log_msg, emsg);
131 if (smtp_out) smtp_printf("421 %s\r\n", SP_NO_MORE, smtp_msg);
137 /*************************************************
138 *************************************************/
141 unlink_notifier_socket(void)
143 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
144 DEBUG(D_any) debug_printf("unlinking notifier socket %s\n", notifier_socket_name);
145 Uunlink(notifier_socket_name);
151 close_daemon_sockets(int daemon_notifier_fd,
152 struct pollfd * fd_polls, int listen_socket_count)
154 if (daemon_notifier_fd >= 0)
156 (void) close(daemon_notifier_fd);
157 daemon_notifier_fd = -1;
160 for (int i = 0; i < listen_socket_count; i++) (void) close(fd_polls[i].fd);
164 /*************************************************
165 * Handle a connected SMTP call *
166 *************************************************/
168 /* This function is called when an SMTP connection has been accepted.
169 If there are too many, give an error message and close down. Otherwise
170 spin off a sub-process to handle the call. The list of listening sockets
171 is required so that they can be closed in the sub-process. Take care not to
172 leak store in this process - reset the stacking pool at the end.
175 fd_polls sockets which are listening for incoming calls
176 listen_socket_count count of listening sockets
177 accept_socket socket of the current accepted call
178 accepted socket information about the current call
184 handle_smtp_call(struct pollfd * fd_polls, int listen_socket_count,
185 int accept_socket, struct sockaddr *accepted)
188 union sockaddr_46 interface_sockaddr;
189 EXIM_SOCKLEN_T ifsize = sizeof(interface_sockaddr);
190 int dup_accept_socket = -1;
191 int max_for_this_host = 0;
192 int save_log_selector = *log_selector;
195 rmark reset_point = store_mark();
197 /* Make the address available in ASCII representation, and also fish out
200 sender_host_address = host_ntoa(-1, accepted, NULL, &sender_host_port);
201 DEBUG(D_any) debug_printf("Connection request from %s port %d\n",
202 sender_host_address, sender_host_port);
204 /* Set up the output stream, check the socket has duplicated, and set up the
205 input stream. These operations fail only the exceptional circumstances. Note
206 that never_error() won't use smtp_out if it is NULL. */
208 if (!(smtp_out = fdopen(accept_socket, "wb")))
210 never_error(US"daemon: fdopen() for smtp_out failed", US"", errno);
214 if ((dup_accept_socket = dup(accept_socket)) < 0)
216 never_error(US"daemon: couldn't dup socket descriptor",
217 US"Connection setup failed", errno);
221 if (!(smtp_in = fdopen(dup_accept_socket, "rb")))
223 never_error(US"daemon: fdopen() for smtp_in failed",
224 US"Connection setup failed", errno);
228 /* Get the data for the local interface address. Panic for most errors, but
229 "connection reset by peer" just means the connection went away. */
231 if (getsockname(accept_socket, (struct sockaddr *)(&interface_sockaddr),
234 log_write(0, LOG_MAIN | ((errno == ECONNRESET)? 0 : LOG_PANIC),
235 "getsockname() failed: %s", strerror(errno));
236 smtp_printf("421 Local problem: getsockname() failed; please try again later\r\n", SP_NO_MORE);
240 interface_address = host_ntoa(-1, &interface_sockaddr, NULL, &interface_port);
241 DEBUG(D_interface) debug_printf("interface address=%s port=%d\n",
242 interface_address, interface_port);
244 /* Build a string identifying the remote host and, if requested, the port and
245 the local interface data. This is for logging; at the end of this function the
246 memory is reclaimed. */
248 whofrom = string_append(NULL, 3, "[", sender_host_address, "]");
250 if (LOGGING(incoming_port))
251 whofrom = string_fmt_append(whofrom, ":%d", sender_host_port);
253 if (LOGGING(incoming_interface))
254 whofrom = string_fmt_append(whofrom, " I=[%s]:%d",
255 interface_address, interface_port);
257 /* Check maximum number of connections. We do not check for reserved
258 connections or unacceptable hosts here. That is done in the subprocess because
259 it might take some time. */
261 if (smtp_accept_max > 0 && smtp_accept_count >= smtp_accept_max)
263 DEBUG(D_any) debug_printf("rejecting SMTP connection: count=%d max=%d\n",
264 smtp_accept_count, smtp_accept_max);
265 smtp_printf("421 Too many concurrent SMTP connections; "
266 "please try again later.\r\n", SP_NO_MORE);
267 log_write(L_connection_reject,
268 LOG_MAIN, "Connection from %Y refused: too many connections",
273 /* If a load limit above which only reserved hosts are acceptable is defined,
274 get the load average here, and if there are in fact no reserved hosts, do
275 the test right away (saves a fork). If there are hosts, do the check in the
276 subprocess because it might take time. */
278 if (smtp_load_reserve >= 0)
280 load_average = OS_GETLOADAVG();
281 if (!smtp_reserve_hosts && load_average > smtp_load_reserve)
283 DEBUG(D_any) debug_printf("rejecting SMTP connection: load average = %.2f\n",
284 (double)load_average/1000.0);
285 smtp_printf("421 Too much load; please try again later.\r\n", SP_NO_MORE);
286 log_write(L_connection_reject,
287 LOG_MAIN, "Connection from %Y refused: load average = %.2f",
288 whofrom, (double)load_average/1000.0);
293 /* Check that one specific host (strictly, IP address) is not hogging
294 resources. This is done here to prevent a denial of service attack by someone
295 forcing you to fork lots of times before denying service. The value of
296 smtp_accept_max_per_host is a string which is expanded. This makes it possible
297 to provide host-specific limits according to $sender_host address, but because
298 this is in the daemon mainline, only fast expansions (such as inline address
299 checks) should be used. The documentation is full of warnings. */
301 if (smtp_accept_max_per_host)
303 uschar *expanded = expand_string(smtp_accept_max_per_host);
306 if (!f.expand_string_forcedfail)
307 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
308 "failed for %Y: %s", whofrom, expand_string_message);
310 /* For speed, interpret a decimal number inline here */
313 uschar *s = expanded;
315 max_for_this_host = max_for_this_host * 10 + *s++ - '0';
317 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of smtp_accept_max_per_host "
318 "for %Y contains non-digit: %s", whofrom, expanded);
322 /* If we have fewer connections than max_for_this_host, we can skip the tedious
323 per host_address checks. Note that at this stage smtp_accept_count contains the
324 count of *other* connections, not including this one. */
326 if (max_for_this_host > 0 && smtp_accept_count >= max_for_this_host)
328 int host_accept_count = 0;
329 int other_host_count = 0; /* keep a count of non matches to optimise */
331 for (int i = 0; i < smtp_accept_max; ++i)
332 if (smtp_slots[i].host_address)
334 if (Ustrcmp(sender_host_address, smtp_slots[i].host_address) == 0)
339 /* Testing all these strings is expensive - see if we can drop out
340 early, either by hitting the target, or finding there are not enough
341 connections left to make the target. */
343 if ( host_accept_count >= max_for_this_host
344 || smtp_accept_count - other_host_count < max_for_this_host)
348 if (host_accept_count >= max_for_this_host)
350 DEBUG(D_any) debug_printf("rejecting SMTP connection: too many from this "
351 "IP address: count=%d max=%d\n",
352 host_accept_count, max_for_this_host);
353 smtp_printf("421 Too many concurrent SMTP connections "
354 "from this IP address; please try again later.\r\n", SP_NO_MORE);
355 log_write(L_connection_reject,
356 LOG_MAIN, "Connection from %Y refused: too many connections "
357 "from that IP address", whofrom);
363 /* OK, the connection count checks have been passed.
364 Now we can fork the accepting process; do a lookup tidy, just in case any
365 expansion above did a lookup. */
368 pid = exim_fork(US"daemon-accept");
370 /* Handle the child process */
374 int queue_only_reason = 0;
375 int old_pool = store_pool;
376 int save_debug_selector = debug_selector;
377 BOOL local_queue_only;
378 BOOL session_local_queue_only;
380 struct sigaction act;
383 smtp_accept_count++; /* So that it includes this process */
384 connection_id = getpid();
386 /* Log the connection if requested.
387 In order to minimize the cost (because this is going to happen for every
388 connection), do a preliminary selector test here. This saves ploughing through
389 the generalized logging code each time when the selector is false. If the
390 selector is set, check whether the host is on the list for logging. If not,
391 arrange to unset the selector in the subprocess.
393 jgh 2023/08/08 :- moved this logging in from the parent process, just
394 pre-fork. There was a claim back from 2004 that smtp_accept_count could have
395 become out-of-date by the time the child could log it, and I can't see how
396 that could happen. */
398 if (LOGGING(smtp_connection))
400 uschar * list = hosts_connection_nolog;
401 memset(sender_host_cache, 0, sizeof(sender_host_cache));
402 if (list && verify_check_host(&list) == OK)
403 save_log_selector &= ~L_smtp_connection;
404 else if (LOGGING(connection_id))
405 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %Y "
406 "Ci=%lu (TCP/IP connection count = %d)", whofrom, connection_id, smtp_accept_count);
408 log_write(L_smtp_connection, LOG_MAIN, "SMTP connection from %Y "
409 "(TCP/IP connection count = %d)", whofrom, smtp_accept_count);
412 /* If the listen backlog was over the monitoring level, log it. */
414 if (smtp_listen_backlog > smtp_backlog_monitor)
415 log_write(0, LOG_MAIN, "listen backlog %d I=[%s]:%d",
416 smtp_listen_backlog, interface_address, interface_port);
418 /* May have been modified for the subprocess */
420 *log_selector = save_log_selector;
422 /* Get the local interface address into permanent store */
424 store_pool = POOL_PERM;
425 interface_address = string_copy(interface_address);
426 store_pool = old_pool;
428 /* Check for a tls-on-connect port */
430 if (host_is_tls_on_connect_port(interface_port)) tls_in.on_connect = TRUE;
432 /* Expand smtp_active_hostname if required. We do not do this any earlier,
433 because it may depend on the local interface address (indeed, that is most
434 likely what it depends on.) */
436 smtp_active_hostname = primary_hostname;
437 if (raw_active_hostname)
439 uschar * nah = expand_string(raw_active_hostname);
442 if (!f.expand_string_forcedfail)
444 log_write(0, LOG_MAIN|LOG_PANIC, "failed to expand \"%s\" "
445 "(smtp_active_hostname): %s", raw_active_hostname,
446 expand_string_message);
447 smtp_printf("421 Local configuration error; "
448 "please try again later.\r\n", SP_NO_MORE);
451 exim_underbar_exit(EXIT_FAILURE);
454 else if (*nah) smtp_active_hostname = nah;
457 /* Initialize the queueing flags */
460 session_local_queue_only = queue_only;
462 /* Close the listening sockets, and set the SIGCHLD handler to SIG_IGN.
463 We also attempt to set things up so that children are automatically reaped,
464 but just in case this isn't available, there's a paranoid waitpid() in the
465 loop too (except for systems where we are sure it isn't needed). See the more
466 extensive comment before the reception loop in exim.c for a fuller
467 explanation of this logic. */
469 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
471 /* Set FD_CLOEXEC on the SMTP socket. We don't want any rogue child processes
472 to be able to communicate with them, under any circumstances. */
473 (void)fcntl(accept_socket, F_SETFD,
474 fcntl(accept_socket, F_GETFD) | FD_CLOEXEC);
475 (void)fcntl(dup_accept_socket, F_SETFD,
476 fcntl(dup_accept_socket, F_GETFD) | FD_CLOEXEC);
479 act.sa_handler = SIG_IGN;
480 sigemptyset(&(act.sa_mask));
481 act.sa_flags = SA_NOCLDWAIT;
482 sigaction(SIGCHLD, &act, NULL);
484 signal(SIGCHLD, SIG_IGN);
486 signal(SIGTERM, SIG_DFL);
487 signal(SIGINT, SIG_DFL);
489 /* Attempt to get an id from the sending machine via the RFC 1413
490 protocol. We do this in the sub-process in order not to hold up the
491 main process if there is any delay. Then set up the fullhost information
492 in case there is no HELO/EHLO.
494 If debugging is enabled only for the daemon, we must turn if off while
495 finding the id, but turn it on again afterwards so that information about the
496 incoming connection is output. */
498 if (f.debug_daemon) debug_selector = 0;
499 verify_get_ident(IDENT_PORT);
500 host_build_sender_fullhost();
501 debug_selector = save_debug_selector;
504 debug_printf("Process %d is handling incoming connection from %s\n",
505 (int)getpid(), sender_fullhost);
507 /* Now disable debugging permanently if it's required only for the daemon
510 if (f.debug_daemon) debug_selector = 0;
512 /* If there are too many child processes for immediate delivery,
513 set the session_local_queue_only flag, which is initialized from the
514 configured value and may therefore already be TRUE. Leave logging
515 till later so it will have a message id attached. Note that there is no
516 possibility of re-calculating this per-message, because the value of
517 smtp_accept_count does not change in this subprocess. */
519 if (smtp_accept_queue > 0 && smtp_accept_count > smtp_accept_queue)
521 session_local_queue_only = TRUE;
522 queue_only_reason = 1;
525 /* Handle the start of the SMTP session, then loop, accepting incoming
526 messages from the SMTP connection. The end will come at the QUIT command,
527 when smtp_setup_msg() returns 0. A break in the connection causes the
528 process to die (see accept.c).
530 NOTE: We do *not* call smtp_log_no_mail() if smtp_start_session() fails,
531 because a log line has already been written for all its failure exists
532 (usually "connection refused: <reason>") and writing another one is
533 unnecessary clutter. */
535 if (!smtp_start_session())
539 exim_underbar_exit(EXIT_SUCCESS);
545 message_id[0] = 0; /* Clear out any previous message_id */
546 reset_point = store_mark(); /* Save current store high water point */
549 debug_printf("Process %d is ready for new message\n", (int)getpid());
551 /* Smtp_setup_msg() returns 0 on QUIT or if the call is from an
552 unacceptable host or if an ACL "drop" command was triggered, -1 on
553 connection lost, and +1 on validly reaching DATA. Receive_msg() almost
554 always returns TRUE when smtp_input is true; just retry if no message was
555 accepted (can happen for invalid message parameters). However, it can yield
556 FALSE if the connection was forcibly dropped by the DATA ACL. */
558 if ((rc = smtp_setup_msg()) > 0)
560 BOOL ok = receive_msg(FALSE);
561 search_tidyup(); /* Close cached databases */
562 if (!ok) /* Connection was dropped */
564 cancel_cutthrough_connection(TRUE, US"receive dropped");
566 smtp_log_no_mail(); /* Log no mail if configured */
567 exim_underbar_exit(EXIT_SUCCESS);
569 if (!message_id[0]) continue; /* No message was accepted */
571 else /* bad smtp_setup_msg() */
575 int fd = fileno(smtp_in);
579 /* drain socket, for clean TCP FINs */
580 if (fcntl(fd, F_SETFL, O_NONBLOCK) == 0)
581 for(int i = 16; read(fd, buf, sizeof(buf)) > 0 && i > 0; ) i--;
583 cancel_cutthrough_connection(TRUE, US"message setup dropped");
585 smtp_log_no_mail(); /* Log no mail if configured */
587 /*XXX should we pause briefly, hoping that the client will be the
588 active TCP closer hence get the TCP_WAIT endpoint? */
589 DEBUG(D_receive) debug_printf("SMTP>>(close on process exit)\n");
590 exim_underbar_exit(rc ? EXIT_FAILURE : EXIT_SUCCESS);
593 /* Show the recipients when debugging */
598 debug_printf("Sender: %s\n", sender_address);
601 debug_printf("Recipients:\n");
602 for (int i = 0; i < recipients_count; i++)
603 debug_printf(" %s\n", recipients_list[i].address);
607 /* A message has been accepted. Clean up any previous delivery processes
608 that have completed and are defunct, on systems where they don't go away
609 by themselves (see comments when setting SIG_IGN above). On such systems
610 (if any) these delivery processes hang around after termination until
611 the next message is received. */
613 #ifndef SIG_IGN_WORKS
614 while (waitpid(-1, NULL, WNOHANG) > 0);
617 /* Reclaim up the store used in accepting this message */
620 int r = receive_messagecount;
621 BOOL q = f.queue_only_policy;
622 smtp_reset(reset_point);
624 f.queue_only_policy = q;
625 receive_messagecount = r;
628 /* If queue_only is set or if there are too many incoming connections in
629 existence, session_local_queue_only will be TRUE. If it is not, check
630 whether we have received too many messages in this session for immediate
633 if (!session_local_queue_only &&
634 smtp_accept_queue_per_connection > 0 &&
635 receive_messagecount > smtp_accept_queue_per_connection)
637 session_local_queue_only = TRUE;
638 queue_only_reason = 2;
641 /* Initialize local_queue_only from session_local_queue_only. If it is not
642 true, and queue_only_load is set, check that the load average is below it.
643 If local_queue_only is set by this means, we also set if for the session if
644 queue_only_load_latch is true (the default). This means that, once set,
645 local_queue_only remains set for any subsequent messages on the same SMTP
646 connection. This is a deliberate choice; even though the load average may
647 fall, it doesn't seem right to deliver later messages on the same call when
648 not delivering earlier ones. However, the are special circumstances such as
649 very long-lived connections from scanning appliances where this is not the
650 best strategy. In such cases, queue_only_load_latch should be set false. */
652 if ( !(local_queue_only = session_local_queue_only)
653 && queue_only_load >= 0
654 && (local_queue_only = (load_average = OS_GETLOADAVG()) > queue_only_load)
657 queue_only_reason = 3;
658 if (queue_only_load_latch) session_local_queue_only = TRUE;
661 /* Log the queueing here, when it will get a message id attached, but
662 not if queue_only is set (case 0). */
664 if (local_queue_only) switch(queue_only_reason)
666 case 1: log_write(L_delay_delivery,
667 LOG_MAIN, "no immediate delivery: too many connections "
668 "(%d, max %d)", smtp_accept_count, smtp_accept_queue);
671 case 2: log_write(L_delay_delivery,
672 LOG_MAIN, "no immediate delivery: more than %d messages "
673 "received in one connection", smtp_accept_queue_per_connection);
676 case 3: log_write(L_delay_delivery,
677 LOG_MAIN, "no immediate delivery: load average %.2f",
678 (double)load_average/1000.0);
682 /* If a delivery attempt is required, spin off a new process to handle it.
683 If we are not root, we have to re-exec exim unless deliveries are being
684 done unprivileged. */
686 else if ( (!f.queue_only_policy || f.queue_smtp)
687 && !f.deliver_freeze)
691 /* We used to flush smtp_out before forking so that buffered data was not
692 duplicated, but now we want to pipeline the responses for data and quit.
693 Instead, hard-close the fd underlying smtp_out right after fork to discard
696 if ((dpid = exim_fork(US"daemon-accept-delivery")) == 0)
698 (void)fclose(smtp_in);
699 (void)close(fileno(smtp_out));
700 (void)fclose(smtp_out);
701 smtp_in = smtp_out = NULL;
703 /* Don't ever molest the parent's SSL connection, but do clean up
704 the data structures if necessary. */
707 tls_close(NULL, TLS_NO_SHUTDOWN);
710 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
712 signal(SIGHUP, SIG_DFL);
713 signal(SIGCHLD, SIG_DFL);
714 signal(SIGTERM, SIG_DFL);
715 signal(SIGINT, SIG_DFL);
717 if (geteuid() != root_uid && !deliver_drop_privilege)
719 signal(SIGALRM, SIG_DFL);
720 delivery_re_exec(CEE_EXEC_PANIC);
721 /* Control does not return here. */
724 /* No need to re-exec; SIGALRM remains set to the default handler */
726 (void) deliver_message(message_id, FALSE, FALSE);
728 exim_underbar_exit(EXIT_SUCCESS);
733 release_cutthrough_connection(US"passed for delivery");
734 DEBUG(D_any) debug_printf("forked delivery process %d\n", (int)dpid);
738 cancel_cutthrough_connection(TRUE, US"delivery fork failed");
739 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: delivery process fork "
740 "failed: %s", strerror(errno));
747 /* Carrying on in the parent daemon process... Can't do much if the fork
748 failed. Otherwise, keep count of the number of accepting processes and
749 remember the pid for ticking off when the child completes. */
752 never_error(US"daemon: accept process fork failed", US"Fork failed", errno);
755 for (int i = 0; i < smtp_accept_max; ++i)
756 if (smtp_slots[i].pid <= 0)
758 smtp_slots[i].pid = pid;
759 /* Connection closes come asyncronously, so we cannot stack this store */
760 if (smtp_accept_max_per_host)
761 smtp_slots[i].host_address = string_copy_malloc(sender_host_address);
765 DEBUG(D_any) debug_printf("%d SMTP accept process%s running\n",
766 smtp_accept_count, smtp_accept_count == 1 ? "" : "es");
769 /* Get here via goto in error cases */
773 /* Close the streams associated with the socket which will also close the
774 socket fds in this process. We can't do anything if fclose() fails, but
775 logging brings it to someone's attention. However, "connection reset by peer"
776 isn't really a problem, so skip that one. On Solaris, a dropped connection can
777 manifest itself as a broken pipe, so drop that one too. If the streams don't
778 exist, something went wrong while setting things up. Make sure the socket
779 descriptors are closed, in order to drop the connection. */
783 if (fclose(smtp_out) != 0 && errno != ECONNRESET && errno != EPIPE)
784 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_out) failed: %s",
788 else (void)close(accept_socket);
792 if (fclose(smtp_in) != 0 && errno != ECONNRESET && errno != EPIPE)
793 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fclose(smtp_in) failed: %s",
797 else (void)close(dup_accept_socket);
799 /* Release any store used in this process, including the store used for holding
800 the incoming host address and an expanded active_hostname. */
803 interface_address = sender_host_name = sender_host_address = NULL;
804 store_reset(reset_point);
810 /*************************************************
811 * Check wildcard listen special cases *
812 *************************************************/
814 /* This function is used when binding and listening on lists of addresses and
815 ports. It tests for special cases of wildcard listening, when IPv4 and IPv6
816 sockets may interact in different ways in different operating systems. It is
817 passed an error number, the list of listening addresses, and the current
818 address. Two checks are available: for a previous wildcard IPv6 address, or for
819 a following wildcard IPv4 address, in both cases on the same port.
821 In practice, pairs of wildcard addresses should be adjacent in the address list
822 because they are sorted that way below.
826 addresses the list of addresses
827 ipa the current IP address
828 back if TRUE, check for previous wildcard IPv6 address
829 if FALSE, check for a following wildcard IPv4 address
831 Returns: TRUE or FALSE
835 check_special_case(int eno, ip_address_item *addresses, ip_address_item *ipa,
838 ip_address_item *ipa2;
840 /* For the "back" case, if the failure was "address in use" for a wildcard IPv4
841 address, seek a previous IPv6 wildcard address on the same port. As it is
842 previous, it must have been successfully bound and be listening. Flag it as a
843 "6 including 4" listener. */
847 if (eno != EADDRINUSE || ipa->address[0] != 0) return FALSE;
848 for (ipa2 = addresses; ipa2 != ipa; ipa2 = ipa2->next)
850 if (ipa2->address[1] == 0 && ipa2->port == ipa->port)
852 ipa2->v6_include_v4 = TRUE;
858 /* For the "forward" case, if the current address is a wildcard IPv6 address,
859 we seek a following wildcard IPv4 address on the same port. */
863 if (ipa->address[0] != ':' || ipa->address[1] != 0) return FALSE;
864 for (ipa2 = ipa->next; ipa2 != NULL; ipa2 = ipa2->next)
865 if (ipa2->address[0] == 0 && ipa->port == ipa2->port) return TRUE;
874 /*************************************************
875 * Handle terminating subprocesses *
876 *************************************************/
878 /* Handle the termination of child processes. Theoretically, this need be done
879 only when sigchld_seen is TRUE, but rumour has it that some systems lose
880 SIGCHLD signals at busy times, so to be on the safe side, this function is
881 called each time round. It shouldn't be too expensive.
888 handle_ending_processes(void)
893 while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
897 debug_printf("child %d ended: status=0x%x\n", (int)pid, status);
899 if (WIFEXITED(status))
900 debug_printf(" normal exit, %d\n", WEXITSTATUS(status));
901 else if (WIFSIGNALED(status))
902 debug_printf(" signal exit, signal %d%s\n", WTERMSIG(status),
903 WCOREDUMP(status) ? " (core dumped)" : "");
907 /* If it's a listening daemon for which we are keeping track of individual
908 subprocesses, deal with an accepting process that has terminated. */
913 for (i = 0; i < smtp_accept_max; i++)
914 if (smtp_slots[i].pid == pid)
916 if (smtp_slots[i].host_address)
917 store_free(smtp_slots[i].host_address);
918 smtp_slots[i] = empty_smtp_slot;
919 if (--smtp_accept_count < 0) smtp_accept_count = 0;
920 DEBUG(D_any) debug_printf("%d SMTP accept process%s now running\n",
921 smtp_accept_count, (smtp_accept_count == 1)? "" : "es");
924 if (i < smtp_accept_max) continue; /* Found an accepting process */
927 /* If it wasn't an accepting process, see if it was a queue-runner
928 process that we are tracking. */
930 if (queue_runner_slots)
931 for (unsigned i = 0; i < queue_runner_slot_count; i++)
933 runner_slot * r = queue_runner_slots + i;
936 r->pid = 0; /* free up the slot */
938 if (--queue_run_count < 0) queue_run_count = 0;
939 DEBUG(D_any) debug_printf("%d queue-runner process%s now running\n",
940 queue_run_count, queue_run_count == 1 ? "" : "es");
942 for (qrunner ** p = &qrunners, * q = qrunners; q; p = &q->next, q = *p)
943 if (q->name == r->queue_name)
945 if (q->interval) /* a periodic queue run */
947 else /* a one-time run */
948 *p = q->next; /* drop this qrunner */
959 set_pid_file_path(void)
961 if (override_pid_file_path)
962 pid_file_path = override_pid_file_path;
965 pid_file_path = string_sprintf("%s/exim-daemon.pid", spool_directory);
967 if (pid_file_path[0] != '/')
968 log_write(0, LOG_PANIC_DIE, "pid file path %s must be absolute\n", pid_file_path);
972 enum pid_op { PID_WRITE, PID_CHECK, PID_DELETE };
974 /* Do various pid file operations as safe as possible. Ideally we'd just
975 drop the privileges for creation of the pid file and not care at all about removal of
977 Returns: true on success, false + errno==EACCES otherwise
981 operate_on_pid_file(const enum pid_op operation, const pid_t pid)
983 char pid_line[sizeof(int) * 3 + 2];
984 const int pid_len = snprintf(pid_line, sizeof(pid_line), "%d\n", (int)pid);
985 BOOL lines_match = FALSE;
986 uschar * path, * base, * dir;
988 const int dir_flags = O_RDONLY | O_NONBLOCK;
989 const int base_flags = O_NOFOLLOW | O_NONBLOCK;
990 const mode_t base_mode = 0644;
992 int cwd_fd = -1, dir_fd = -1, base_fd = -1;
993 BOOL success = FALSE;
997 if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid) goto cleanup;
998 if (pid_len < 2 || pid_len >= (int)sizeof(pid_line)) goto cleanup;
1000 path = string_copy(pid_file_path);
1001 if ((base = Ustrrchr(path, '/')) == NULL) /* should not happen, but who knows */
1002 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid file path \"%s\" does not contain a '/'", pid_file_path);
1004 dir = base != path ? path : US"/";
1007 if (!dir || !*dir || *dir != '/') goto cleanup;
1008 if (!base || !*base || Ustrchr(base, '/') != NULL) goto cleanup;
1010 cwd_fd = open(".", dir_flags);
1011 if (cwd_fd < 0 || fstat(cwd_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
1012 dir_fd = open(CS dir, dir_flags);
1013 if (dir_fd < 0 || fstat(dir_fd, &sb) != 0 || !S_ISDIR(sb.st_mode)) goto cleanup;
1015 /* emulate openat */
1016 if (fchdir(dir_fd) != 0) goto cleanup;
1017 base_fd = open(CS base, O_RDONLY | base_flags);
1018 if (fchdir(cwd_fd) != 0)
1019 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1023 char line[sizeof(pid_line)];
1026 if (fstat(base_fd, &sb) != 0 || !S_ISREG(sb.st_mode)) goto cleanup;
1027 if ((sb.st_mode & 07777) != base_mode || sb.st_nlink != 1) goto cleanup;
1028 if (sb.st_size < 2 || sb.st_size >= (off_t)sizeof(line)) goto cleanup;
1030 len = read(base_fd, line, sizeof(line));
1031 if (len != (ssize_t)sb.st_size) goto cleanup;
1034 if (strspn(line, "0123456789") != (size_t)len-1) goto cleanup;
1035 if (line[len-1] != '\n') goto cleanup;
1036 lines_match = len == pid_len && strcmp(line, pid_line) == 0;
1039 if (operation == PID_WRITE)
1046 /* emulate unlinkat */
1047 if (fchdir(dir_fd) != 0) goto cleanup;
1048 error = unlink(CS base);
1049 if (fchdir(cwd_fd) != 0)
1050 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1051 if (error) goto cleanup;
1052 (void)close(base_fd);
1055 /* emulate openat */
1056 if (fchdir(dir_fd) != 0) goto cleanup;
1057 base_fd = open(CS base, O_WRONLY | O_CREAT | O_EXCL | base_flags, base_mode);
1058 if (fchdir(cwd_fd) != 0)
1059 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1060 if (base_fd < 0) goto cleanup;
1061 if (fchmod(base_fd, base_mode) != 0) goto cleanup;
1062 if (write(base_fd, pid_line, pid_len) != pid_len) goto cleanup;
1063 DEBUG(D_any) debug_printf("pid written to %s\n", pid_file_path);
1068 if (!lines_match) goto cleanup;
1069 if (operation == PID_DELETE)
1072 /* emulate unlinkat */
1073 if (fchdir(dir_fd) != 0) goto cleanup;
1074 error = unlink(CS base);
1075 if (fchdir(cwd_fd) != 0)
1076 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "can't return to previous working dir: %s", strerror(errno));
1077 if (error) goto cleanup;
1085 if (cwd_fd >= 0) (void)close(cwd_fd);
1086 if (dir_fd >= 0) (void)close(dir_fd);
1087 if (base_fd >= 0) (void)close(base_fd);
1092 /* Remove the daemon's pidfile. Note: runs with root privilege,
1093 as a direct child of the daemon. Does not return. */
1096 delete_pid_file(void)
1098 const BOOL success = operate_on_pid_file(PID_DELETE, getppid());
1101 debug_printf("delete pid file %s %s: %s\n", pid_file_path,
1102 success ? "success" : "failure", strerror(errno));
1104 exim_exit(EXIT_SUCCESS);
1108 /* Called by the daemon; exec a child to get the pid file deleted
1109 since we may require privs for the containing directory */
1116 DEBUG(D_any) debug_printf("SIGTERM/SIGINT seen\n");
1117 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
1118 tls_watch_invalidate();
1121 if (daemon_notifier_fd >= 0)
1123 close(daemon_notifier_fd);
1124 daemon_notifier_fd = -1;
1125 unlink_notifier_socket();
1128 if (f.running_in_test_harness || write_pid)
1130 if ((pid = exim_fork(US"daemon-del-pidfile")) == 0)
1132 if (override_pid_file_path)
1133 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 3,
1134 "-oP", override_pid_file_path, "-oPX");
1136 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, 1, "-oPX");
1138 /* Control never returns here. */
1141 child_close(pid, 1);
1143 exim_exit(EXIT_SUCCESS);
1147 /*************************************************
1148 * Listener socket for local work prompts *
1149 *************************************************/
1152 daemon_client_sockname(struct sockaddr_un * sup, uschar ** sname)
1154 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1155 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1156 return offsetof(struct sockaddr_un, sun_path) + 1
1157 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "exim_%d", getpid());
1159 *sname = string_sprintf("%s/p_%d", spool_directory, getpid());
1160 return offsetof(struct sockaddr_un, sun_path)
1161 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s", CS *sname);
1166 daemon_notifier_sockname(struct sockaddr_un * sup)
1168 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1169 sup->sun_path[0] = 0; /* Abstract local socket addr - Linux-specific? */
1170 return offsetof(struct sockaddr_un, sun_path) + 1
1171 + snprintf(sup->sun_path+1, sizeof(sup->sun_path)-1, "%s",
1172 CS expand_string(notifier_socket));
1174 notifier_socket_name = expand_string(notifier_socket);
1175 return offsetof(struct sockaddr_un, sun_path)
1176 + snprintf(sup->sun_path, sizeof(sup->sun_path), "%s",
1177 CS notifier_socket_name);
1183 daemon_notifier_socket(void)
1186 const uschar * where;
1187 struct sockaddr_un sa_un = {.sun_family = AF_UNIX};
1190 if (!f.notifier_socket_en)
1192 DEBUG(D_any) debug_printf("-oY used so not creating notifier socket\n");
1195 if (override_local_interfaces && !override_pid_file_path)
1198 debug_printf("-oX used without -oP so not creating notifier socket\n");
1201 if (!notifier_socket || !*notifier_socket)
1203 DEBUG(D_any) debug_printf("no name for notifier socket\n");
1207 DEBUG(D_any) debug_printf("creating notifier socket\n");
1210 if ((fd = socket(PF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0)
1211 { where = US"socket"; goto bad; }
1213 if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) < 0)
1214 { where = US"socket"; goto bad; }
1215 (void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
1218 len = daemon_notifier_sockname(&sa_un);
1220 #ifdef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1221 DEBUG(D_any) debug_printf(" @%s\n", sa_un.sun_path+1);
1222 #else /* filesystem-visible and persistent; will neeed removal */
1223 DEBUG(D_any) debug_printf(" %s\n", sa_un.sun_path);
1226 if (bind(fd, (const struct sockaddr *)&sa_un, (socklen_t)len) < 0)
1227 { where = US"bind"; goto bad; }
1229 #ifdef SO_PASSCRED /* Linux */
1230 if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) < 0)
1231 { where = US"SO_PASSCRED"; goto bad2; }
1232 #elif defined(LOCAL_CREDS) /* FreeBSD-ish */
1233 if (setsockopt(fd, 0, LOCAL_CREDS, &on, sizeof(on)) < 0)
1234 { where = US"LOCAL_CREDS"; goto bad2; }
1237 /* debug_printf("%s: fd %d\n", __FUNCTION__, fd); */
1238 daemon_notifier_fd = fd;
1242 #ifndef EXIM_HAVE_ABSTRACT_UNIX_SOCKETS
1243 Uunlink(sa_un.sun_path);
1246 log_write(0, LOG_MAIN|LOG_PANIC, "%s %s: %s",
1247 __FUNCTION__, where, strerror(errno));
1253 /* Data for notifier-triggered queue runs */
1255 static uschar queuerun_msgid[MESSAGE_ID_LENGTH+1];
1256 static const uschar * queuerun_msg_qname;
1259 /* The notifier socket has something to read. Pull the message from it, decode
1262 Return TRUE if a sigalrm should be emulated */
1265 daemon_notification(void)
1267 uschar buf[256], cbuf[256];
1268 struct sockaddr_un sa_un;
1269 struct iovec iov = {.iov_base = buf, .iov_len = sizeof(buf)-1};
1270 struct msghdr msg = { .msg_name = &sa_un,
1271 .msg_namelen = sizeof(sa_un),
1274 .msg_control = cbuf,
1275 .msg_controllen = sizeof(cbuf)
1279 buf[sizeof(buf)-1] = 0;
1280 if ((sz = recvmsg(daemon_notifier_fd, &msg, 0)) <= 0) return FALSE;
1281 if (sz >= sizeof(buf)) return FALSE;
1284 debug_printf("addrlen %d\n", msg.msg_namelen);
1287 if (msg.msg_namelen > 0)
1289 BOOL abstract = !*sa_un.sun_path;
1290 char * name = sa_un.sun_path + (abstract ? 1 : 0);
1291 int namelen = (int)msg.msg_namelen - abstract ? 1 : 0;
1293 debug_printf("%s from addr '%s%.*s'\n", __FUNCTION__,
1294 abstract ? "@" : "",
1297 debug_printf("%s (from unknown addr)\n", __FUNCTION__);
1300 debug_printf("%s (from unknown addr)\n", __FUNCTION__);
1302 /* Refuse to handle the item unless the peer has good credentials */
1303 #ifdef SCM_CREDENTIALS
1304 # define EXIM_SCM_CR_TYPE SCM_CREDENTIALS
1305 #elif defined(LOCAL_CREDS) && defined(SCM_CREDS)
1306 # define EXIM_SCM_CR_TYPE SCM_CREDS
1308 /* The OS has no way to get the creds of the caller (for a unix/datagram socket.
1309 Punt; don't try to check. */
1312 #ifdef EXIM_SCM_CR_TYPE
1313 for (struct cmsghdr * cp = CMSG_FIRSTHDR(&msg);
1315 cp = CMSG_NXTHDR(&msg, cp))
1316 if (cp->cmsg_level == SOL_SOCKET && cp->cmsg_type == EXIM_SCM_CR_TYPE)
1318 # ifdef SCM_CREDENTIALS /* Linux */
1319 struct ucred * cr = (struct ucred *) CMSG_DATA(cp);
1320 if (cr->uid && cr->uid != exim_uid)
1322 DEBUG(D_queue_run) debug_printf("%s: sender creds pid %d uid %d gid %d\n",
1323 __FUNCTION__, (int)cr->pid, (int)cr->uid, (int)cr->gid);
1325 # elif defined(LOCAL_CREDS) /* BSD-ish */
1326 struct sockcred * cr = (struct sockcred *) CMSG_DATA(cp);
1327 if (cr->sc_uid && cr->sc_uid != exim_uid)
1329 DEBUG(D_queue_run) debug_printf("%s: sender creds pid ??? uid %d gid %d\n",
1330 __FUNCTION__, (int)cr->sc_uid, (int)cr->sc_gid);
1340 #ifndef DISABLE_QUEUE_RAMP
1341 case NOTIFY_MSG_QRUN:
1342 /* this should be a message_id */
1344 debug_printf("%s: qrunner trigger: %s\n", __FUNCTION__, buf+1);
1346 memcpy(queuerun_msgid, buf+1, MESSAGE_ID_LENGTH+1);
1348 for (qrunner * q = qrunners; q; q = q->next)
1350 ? Ustrcmp(q->name, buf+1+MESSAGE_ID_LENGTH+1) == 0
1351 : !buf[1+MESSAGE_ID_LENGTH+1]
1353 { queuerun_msg_qname = q->name; break; }
1357 case NOTIFY_QUEUE_SIZE_REQ:
1360 int len = snprintf(CS buf, sizeof(buf), "%u", queue_count_cached());
1363 debug_printf("%s: queue size request: %s\n", __FUNCTION__, buf);
1365 if (sendto(daemon_notifier_fd, buf, len, 0,
1366 (const struct sockaddr *)&sa_un, msg.msg_namelen) < 0)
1367 log_write(0, LOG_MAIN|LOG_PANIC,
1368 "%s: sendto: %s\n", __FUNCTION__, strerror(errno));
1373 regex_at_daemon(buf);
1382 daemon_inetd_wtimeout(time_t last_connection_time)
1384 time_t resignal_interval = inetd_wait_timeout;
1386 if (last_connection_time == (time_t)0)
1389 debug_printf("inetd wait timeout expired, but still not seen first message, ignoring\n");
1393 time_t now = time(NULL);
1394 if (now == (time_t)-1)
1396 DEBUG(D_any) debug_printf("failed to get time: %s\n", strerror(errno));
1398 else if ((now - last_connection_time) >= inetd_wait_timeout)
1401 debug_printf("inetd wait timeout %d expired, ending daemon\n",
1402 inetd_wait_timeout);
1403 log_write(0, LOG_MAIN, "exim %s daemon terminating, inetd wait timeout reached.\n",
1405 daemon_die(); /* Does not return */
1408 resignal_interval -= (now - last_connection_time);
1411 sigalrm_seen = FALSE;
1412 ALARM(resignal_interval);
1416 /* Re-sort the qrunners list, and return the shortest interval.
1417 That could be negatime.
1418 The next-tick times should have been updated by any runs initiated,
1419 though will not be when the global limit on runners was reached.
1421 Unlikely to have many queues, so insertion-sort.
1425 next_qrunner_interval(void)
1427 qrunner * sorted = NULL;
1428 for (qrunner * q = qrunners, * next; q; q = next)
1434 qrunner ** p = &sorted;
1435 for (qrunner * qq; qq = *p; p = &(qq->next))
1436 if ( q->next_tick < qq->next_tick
1437 || q->next_tick == qq->next_tick && q->interval < qq->interval
1451 return qrunners ? qrunners->next_tick - time(NULL) : 0;
1455 daemon_qrun(int local_queue_run_max, struct pollfd * fd_polls, int listen_socket_count)
1457 DEBUG(D_any) debug_printf("%s received\n",
1458 #ifndef DISABLE_QUEUE_RAMP
1459 *queuerun_msgid ? "qrun notification" :
1463 /* Do a full queue run in a child process, if required, unless we already have
1464 enough queue runners on the go. If we are not running as root, a re-exec is
1465 required. In the calling process, restart the alamr timer for the next run. */
1467 if (is_multiple_qrun())
1468 if (local_queue_run_max <= 0 || queue_run_count < local_queue_run_max)
1472 #ifndef DISABLE_QUEUE_RAMP
1473 if (*queuerun_msgid) /* See if we can start another runner for this queue */
1475 for (qrunner * qq = qrunners; qq; qq = qq->next)
1476 if (qq->name == queuerun_msg_qname)
1478 q = qq->run_count < qq->run_max ? qq : NULL;
1484 /* In order of run priority, find the first queue for which we can start
1487 for (q = qrunners; q; q = q->next)
1488 if (q->run_count < q->run_max) break;
1494 /* Bump this queue's next-tick by it's interval */
1498 time_t now = time(NULL);
1499 do ; while ((q->next_tick += q->interval) <= now);
1502 if ((pid = exim_fork(US"queue-runner")) == 0)
1504 /* Disable debugging if it's required only for the daemon process. We
1505 leave the above message, because it ties up with the "child ended"
1506 debugging messages. */
1508 if (f.debug_daemon) debug_selector = 0;
1510 /* Close any open listening sockets in the child */
1512 close_daemon_sockets(daemon_notifier_fd,
1513 fd_polls, listen_socket_count);
1515 /* Reset SIGHUP and SIGCHLD in the child in both cases. */
1517 signal(SIGHUP, SIG_DFL);
1518 signal(SIGCHLD, SIG_DFL);
1519 signal(SIGTERM, SIG_DFL);
1520 signal(SIGINT, SIG_DFL);
1522 /* Re-exec if privilege has been given up, unless deliver_drop_
1523 privilege is set. Reset SIGALRM before exec(). */
1525 if (geteuid() != root_uid && !deliver_drop_privilege)
1532 signal(SIGALRM, SIG_DFL);
1537 if ( q->queue_2stage
1538 #ifndef DISABLE_QUEUE_RAMP
1542 if (q->queue_run_first_delivery) *p++ = 'i';
1543 if (q->queue_run_force) *p++ = 'f';
1544 if (q->deliver_force_thaw) *p++ = 'f';
1545 if (q->queue_run_local) *p++ = 'l';
1549 ? string_sprintf("%sG%s", opt, q->name) : opt;
1551 #ifndef DISABLE_QUEUE_RAMP
1552 if (*queuerun_msgid)
1554 log_write(0, LOG_MAIN, "notify triggered queue run");
1555 extra[extracount++] = queuerun_msgid; /* Trigger only the */
1556 extra[extracount++] = queuerun_msgid; /* one message */
1560 /* If -R or -S were on the original command line, ensure they get
1563 if (deliver_selectstring)
1565 extra[extracount++] = f.deliver_selectstring_regex ? US"-Rr" : US"-R";
1566 extra[extracount++] = deliver_selectstring;
1569 if (deliver_selectstring_sender)
1571 extra[extracount++] = f.deliver_selectstring_sender_regex
1573 extra[extracount++] = deliver_selectstring_sender;
1576 /* Overlay this process with a new execution. */
1578 (void)child_exec_exim(CEE_EXEC_PANIC, FALSE, NULL, FALSE, extracount,
1579 extra[0], extra[1], extra[2], extra[3], extra[4], extra[5], extra[6]);
1581 /* Control never returns here. */
1584 /* No need to re-exec; SIGALRM remains set to the default handler */
1586 #ifndef DISABLE_QUEUE_RAMP
1587 if (*queuerun_msgid)
1589 log_write(0, LOG_MAIN, "notify triggered queue run");
1590 f.queue_2stage = FALSE;
1591 queue_run(q, queuerun_msgid, queuerun_msgid, FALSE);
1595 queue_run(q, NULL, NULL, FALSE);
1596 exim_underbar_exit(EXIT_SUCCESS);
1601 log_write(0, LOG_MAIN|LOG_PANIC, "daemon: fork of queue-runner "
1602 "process failed: %s", strerror(errno));
1607 for (int i = 0; i < local_queue_run_max; ++i)
1608 if (queue_runner_slots[i].pid <= 0)
1610 queue_runner_slots[i].pid = pid;
1611 queue_runner_slots[i].queue_name = q->name;
1616 DEBUG(D_any) debug_printf("%d queue-runner process%s running\n",
1617 queue_run_count, queue_run_count == 1 ? "" : "es");
1622 sigalrm_seen = FALSE;
1623 #ifndef DISABLE_QUEUE_RAMP
1624 if (*queuerun_msgid) /* it was a fast-ramp kick */
1625 *queuerun_msgid = 0;
1626 else /* periodic or one-time queue run */
1628 { /* Impose a minimum 1s tick, even when a run was outstanding */
1629 int interval = next_qrunner_interval();
1630 if (interval <= 0) interval = 1;
1632 if (qrunners) /* there are still periodic qrunners */
1645 describe_queue_runners(void)
1649 if (!is_multiple_qrun()) return US"no queue runs";
1651 for (qrunner * q = qrunners; q; q = q->next)
1653 g = string_catn(g, US"-q", 2);
1654 if (q->name) g = string_append(g, 3, US"G", q->name, US"/");
1655 g = string_cat(g, readconf_printtime(q->interval));
1656 g = string_catn(g, US" ", 1);
1659 gstring_release_unused(g);
1660 return string_from_gstring(g);
1664 /*************************************************
1665 * Exim Daemon Mainline *
1666 *************************************************/
1668 /* The daemon can do two jobs, either of which is optional:
1670 (1) Listens for incoming SMTP calls and spawns off a sub-process to handle
1671 each one. This is requested by the -bd option, with -oX specifying the SMTP
1672 port on which to listen (for testing).
1674 (2) Spawns a queue-running process every so often. This is controlled by the
1675 -q option with a an interval time. (If no time is given, a single queue run
1676 is done from the main function, and control doesn't get here.)
1678 Root privilege is required in order to attach to port 25. Some systems require
1679 it when calling socket() rather than bind(). To cope with all cases, we run as
1680 root for both socket() and bind(). Some systems also require root in order to
1681 write to the pid file directory. This function must therefore be called as root
1682 if it is to work properly in all circumstances. Once the socket is bound and
1683 the pid file written, root privilege is given up if there is an exim uid.
1685 There are no arguments to this function, and it never returns. */
1691 struct pollfd * fd_polls, * tls_watch_poll = NULL, * dnotify_poll = NULL;
1692 int listen_socket_count = 0, poll_fd_count;
1693 ip_address_item * addresses = NULL;
1694 time_t last_connection_time = (time_t)0;
1695 int local_queue_run_max = 0;
1697 if (is_multiple_qrun())
1699 /* Nuber of runner-tracking structs needed: If the option queue_run_max has
1700 no expandable elements then it is the overall maximum; else we assume it
1701 depends on the queue name, and add them up to get the maximum.
1702 Evaluate both that and the individual limits. */
1704 if (Ustrchr(queue_run_max, '$') != NULL)
1706 for (qrunner * q = qrunners; q; q = q->next)
1708 queue_name = q->name;
1709 local_queue_run_max +=
1710 (q->run_max = atoi(CS expand_string(queue_run_max)));
1716 local_queue_run_max = atoi(CS expand_string(queue_run_max));
1717 for (qrunner * q = qrunners; q; q = q->next)
1718 q->run_max = local_queue_run_max;
1721 process_purpose = US"daemon";
1723 /* If any debugging options are set, turn on the D_pid bit so that all
1724 debugging lines get the pid added. */
1726 DEBUG(D_any|D_v) debug_selector |= D_pid;
1728 /* Allocate enough pollstructs for inetd mode plus the ancillary sockets;
1729 also used when there are no listen sockets. */
1731 fd_polls = store_get(sizeof(struct pollfd) * 3, GET_UNTAINTED);
1733 if (f.inetd_wait_mode)
1735 listen_socket_count = 1;
1737 if (dup2(0, 3) == -1)
1738 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
1739 "failed to dup inetd socket safely away: %s", strerror(errno));
1742 fd_polls[0].events = POLLIN;
1748 if (debug_file == stderr)
1750 /* need a call to log_write before call to open debug_file, so that
1751 log.c:file_path has been initialised. This is unfortunate. */
1752 log_write(0, LOG_MAIN, "debugging Exim in inetd wait mode starting");
1756 exim_nullstd(); /* re-open fd2 after we just closed it again */
1757 debug_logging_activate(US"-wait", NULL);
1760 DEBUG(D_any) debug_printf("running in inetd wait mode\n");
1762 /* As per below, when creating sockets ourselves, we handle tcp_nodelay for
1763 our own buffering; we assume though that inetd set the socket REUSEADDR. */
1766 if (setsockopt(3, IPPROTO_TCP, TCP_NODELAY, US &on, sizeof(on)))
1767 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to set socket NODELAY: %s",
1772 if (f.inetd_wait_mode || f.daemon_listen)
1774 /* If any option requiring a load average to be available during the
1775 reception of a message is set, call os_getloadavg() while we are root
1776 for those OS for which this is necessary the first time it is called (in
1777 order to perform an "open" on the kernel memory file). */
1779 #ifdef LOAD_AVG_NEEDS_ROOT
1780 if (queue_only_load >= 0 || smtp_load_reserve >= 0 ||
1781 (deliver_queue_load_max >= 0 && deliver_drop_privilege))
1782 (void)os_getloadavg();
1787 /* Do the preparation for setting up a listener on one or more interfaces, and
1788 possible on various ports. This is controlled by the combination of
1789 local_interfaces (which can set IP addresses and ports) and daemon_smtp_port
1790 (which is a list of default ports to use for those items in local_interfaces
1791 that do not specify a port). The -oX command line option can be used to
1792 override one or both of these options.
1794 If local_interfaces is not set, the default is to listen on all interfaces.
1795 When it is set, it can include "all IPvx interfaces" as an item. This is useful
1796 when different ports are in use.
1798 It turns out that listening on all interfaces is messy in an IPv6 world,
1799 because several different implementation approaches have been taken. This code
1800 is now supposed to work with all of them. The point of difference is whether an
1801 IPv6 socket that is listening on all interfaces will receive incoming IPv4
1802 calls or not. We also have to cope with the case when IPv6 libraries exist, but
1803 there is no IPv6 support in the kernel.
1805 . On Solaris, an IPv6 socket will accept IPv4 calls, and give them as mapped
1806 addresses. However, if an IPv4 socket is also listening on all interfaces,
1807 calls are directed to the appropriate socket.
1809 . On (some versions of) Linux, an IPv6 socket will accept IPv4 calls, and
1810 give them as mapped addresses, but an attempt also to listen on an IPv4
1811 socket on all interfaces causes an error.
1813 . On OpenBSD, an IPv6 socket will not accept IPv4 calls. You have to set up
1814 two sockets if you want to accept both kinds of call.
1816 . FreeBSD is like OpenBSD, but it has the IPV6_V6ONLY socket option, which
1817 can be turned off, to make it behave like the versions of Linux described
1820 . I heard a report that the USAGI IPv6 stack for Linux has implemented
1823 So, what we do when IPv6 is supported is as follows:
1825 (1) After it is set up, the list of interfaces is scanned for wildcard
1826 addresses. If an IPv6 and an IPv4 wildcard are both found for the same
1827 port, the list is re-arranged so that they are together, with the IPv6
1830 (2) If the creation of a wildcard IPv6 socket fails, we just log the error and
1831 carry on if an IPv4 wildcard socket for the same port follows later in the
1832 list. This allows Exim to carry on in the case when the kernel has no IPv6
1835 (3) Having created an IPv6 wildcard socket, we try to set IPV6_V6ONLY if that
1836 option is defined. However, if setting fails, carry on regardless (but log
1839 (4) If binding or listening on an IPv6 wildcard socket fails, it is a serious
1842 (5) If binding or listening on an IPv4 wildcard socket fails with the error
1843 EADDRINUSE, and a previous interface was an IPv6 wildcard for the same
1844 port (which must have succeeded or we wouldn't have got this far), we
1845 assume we are in the situation where just a single socket is permitted,
1846 and ignore the error.
1850 The preparation code decodes options and sets up the relevant data. We do this
1851 first, so that we can return non-zero if there are any syntax errors, and also
1854 if (f.daemon_listen && !f.inetd_wait_mode)
1856 int *default_smtp_port;
1860 const uschar * list;
1861 uschar *local_iface_source = US"local_interfaces";
1862 ip_address_item *ipa;
1863 ip_address_item **pipa;
1865 /* If -oX was used, disable the writing of a pid file unless -oP was
1866 explicitly used to force it. Then scan the string given to -oX. Any items
1867 that contain neither a dot nor a colon are used to override daemon_smtp_port.
1868 Any other items are used to override local_interfaces. */
1870 if (override_local_interfaces)
1872 gstring * new_smtp_port = NULL;
1873 gstring * new_local_interfaces = NULL;
1875 if (!override_pid_file_path) write_pid = FALSE;
1877 list = override_local_interfaces;
1879 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1882 gstring ** gp = Ustrpbrk(s, ".:") ? &new_local_interfaces : &new_smtp_port;
1888 *gp = string_catn(*gp, US"<", 1);
1891 *gp = string_catn(*gp, joinstr, 2);
1892 *gp = string_cat (*gp, s);
1897 daemon_smtp_port = string_from_gstring(new_smtp_port);
1898 DEBUG(D_any) debug_printf("daemon_smtp_port overridden by -oX:\n %s\n",
1902 if (new_local_interfaces)
1904 local_interfaces = string_from_gstring(new_local_interfaces);
1905 local_iface_source = US"-oX data";
1906 DEBUG(D_any) debug_printf("local_interfaces overridden by -oX:\n %s\n",
1911 /* Create a list of default SMTP ports, to be used if local_interfaces
1912 contains entries without explicit ports. First count the number of ports, then
1913 build a translated list in a vector. */
1915 list = daemon_smtp_port;
1917 while ((s = string_nextinlist(&list, &sep, NULL, 0)))
1919 default_smtp_port = store_get((pct+1) * sizeof(int), GET_UNTAINTED);
1920 list = daemon_smtp_port;
1923 (s = string_nextinlist(&list, &sep, NULL, 0));
1929 default_smtp_port[pct] = Ustrtol(s, &end, 0);
1930 if (end != s + Ustrlen(s))
1931 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "invalid SMTP port: %s", s);
1935 struct servent *smtp_service = getservbyname(CS s, "tcp");
1937 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1938 default_smtp_port[pct] = ntohs(smtp_service->s_port);
1941 default_smtp_port[pct] = 0;
1943 /* Check the list of TLS-on-connect ports and do name lookups if needed */
1945 list = tls_in.on_connect_ports;
1947 /* the list isn't expanded so cannot be tainted. If it ever is we will trap here */
1948 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1953 list = tls_in.on_connect_ports;
1954 tls_in.on_connect_ports = NULL;
1956 while ((s = string_nextinlist(&list, &sep, big_buffer, big_buffer_size)))
1960 struct servent * smtp_service = getservbyname(CS s, "tcp");
1962 log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "TCP port \"%s\" not found", s);
1963 s = string_sprintf("%d", (int)ntohs(smtp_service->s_port));
1965 g = string_append_listele(g, ':', s);
1968 tls_in.on_connect_ports = g->s;
1972 /* Create the list of local interfaces, possibly with ports included. This
1973 list may contain references to 0.0.0.0 and ::0 as wildcards. These special
1974 values are converted below. */
1976 addresses = host_build_ifacelist(local_interfaces, local_iface_source);
1978 /* In the list of IP addresses, convert 0.0.0.0 into an empty string, and ::0
1979 into the string ":". We use these to recognize wildcards in IPv4 and IPv6. In
1980 fact, many IP stacks recognize 0.0.0.0 and ::0 and handle them as wildcards
1981 anyway, but we need to know which are the wildcard addresses, and the shorter
1984 In the same scan, fill in missing port numbers from the default list. When
1985 there is more than one item in the list, extra items are created. */
1987 for (ipa = addresses; ipa; ipa = ipa->next)
1989 if (Ustrcmp(ipa->address, "0.0.0.0") == 0)
1990 ipa->address[0] = 0;
1991 else if (Ustrcmp(ipa->address, "::0") == 0)
1993 ipa->address[0] = ':';
1994 ipa->address[1] = 0;
1997 if (ipa->port > 0) continue;
1999 if (daemon_smtp_port[0] <= 0)
2000 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "no port specified for interface "
2001 "%s and daemon_smtp_port is unset; cannot start daemon",
2002 ipa->address[0] == 0 ? US"\"all IPv4\"" :
2003 ipa->address[1] == 0 ? US"\"all IPv6\"" : ipa->address);
2005 ipa->port = default_smtp_port[0];
2006 for (int i = 1; default_smtp_port[i] > 0; i++)
2008 ip_address_item * new = store_get(sizeof(ip_address_item), GET_UNTAINTED);
2010 memcpy(new->address, ipa->address, Ustrlen(ipa->address) + 1);
2011 new->port = default_smtp_port[i];
2012 new->next = ipa->next;
2018 /* Scan the list of addresses for wildcards. If we find an IPv4 and an IPv6
2019 wildcard for the same port, ensure that (a) they are together and (b) the
2020 IPv6 address comes first. This makes handling the messy features easier, and
2021 also simplifies the construction of the "daemon started" log line. */
2024 for (ipa = addresses; ipa; pipa = &ipa->next, ipa = ipa->next)
2026 ip_address_item *ipa2;
2028 /* Handle an IPv4 wildcard */
2030 if (ipa->address[0] == 0)
2031 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
2033 ip_address_item *ipa3 = ipa2->next;
2034 if (ipa3->address[0] == ':' &&
2035 ipa3->address[1] == 0 &&
2036 ipa3->port == ipa->port)
2038 ipa2->next = ipa3->next;
2045 /* Handle an IPv6 wildcard. */
2047 else if (ipa->address[0] == ':' && ipa->address[1] == 0)
2048 for (ipa2 = ipa; ipa2->next; ipa2 = ipa2->next)
2050 ip_address_item *ipa3 = ipa2->next;
2051 if (ipa3->address[0] == 0 && ipa3->port == ipa->port)
2053 ipa2->next = ipa3->next;
2054 ipa3->next = ipa->next;
2062 /* Get a vector to remember all the sockets in.
2063 Two extra elements for the ancillary sockets */
2065 for (ipa = addresses; ipa; ipa = ipa->next)
2066 listen_socket_count++;
2067 fd_polls = store_get(sizeof(struct pollfd) * (listen_socket_count + 2),
2069 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count + 2;
2071 { p->fd = -1; p->events = POLLIN; }
2073 } /* daemon_listen but not inetd_wait_mode */
2075 if (f.daemon_listen)
2078 /* Do a sanity check on the max connects value just to save us from getting
2079 a huge amount of store. */
2081 if (smtp_accept_max > 4095) smtp_accept_max = 4096;
2083 /* There's no point setting smtp_accept_queue unless it is less than the max
2084 connects limit. The configuration reader ensures that the max is set if the
2085 queue-only option is set. */
2087 if (smtp_accept_queue > smtp_accept_max) smtp_accept_queue = 0;
2089 /* Get somewhere to keep the list of SMTP accepting pids if we are keeping
2090 track of them for total number and queue/host limits. */
2092 if (smtp_accept_max > 0)
2094 smtp_slots = store_get(smtp_accept_max * sizeof(smtp_slot), GET_UNTAINTED);
2095 for (int i = 0; i < smtp_accept_max; i++) smtp_slots[i] = empty_smtp_slot;
2099 /* The variable background_daemon is always false when debugging, but
2100 can also be forced false in order to keep a non-debugging daemon in the
2101 foreground. If background_daemon is true, close all open file descriptors that
2102 we know about, but then re-open stdin, stdout, and stderr to /dev/null. Also
2103 do this for inetd_wait mode.
2105 This is protection against any called functions (in libraries, or in
2106 Perl, or whatever) that think they can write to stderr (or stdout). Before this
2107 was added, it was quite likely that an SMTP connection would use one of these
2108 file descriptors, in which case writing random stuff to it caused chaos.
2110 Then disconnect from the controlling terminal, Most modern Unixes seem to have
2111 setsid() for getting rid of the controlling terminal. For any OS that doesn't,
2112 setsid() can be #defined as a no-op, or as something else. */
2114 if (f.background_daemon || f.inetd_wait_mode)
2116 log_close_all(); /* Just in case anything was logged earlier */
2117 search_tidyup(); /* Just in case any were used in reading the config. */
2118 (void)close(0); /* Get rid of stdin/stdout/stderr */
2121 exim_nullstd(); /* Connect stdin/stdout/stderr to /dev/null */
2122 log_stderr = NULL; /* So no attempt to copy paniclog output */
2125 if (f.background_daemon)
2127 /* If the parent process of this one has pid == 1, we are re-initializing the
2128 daemon as the result of a SIGHUP. In this case, there is no need to do
2129 anything, because the controlling terminal has long gone. Otherwise, fork, in
2130 case current process is a process group leader (see 'man setsid' for an
2131 explanation) before calling setsid().
2132 All other forks want daemon_listen cleared. Rather than blow a register, jsut
2137 BOOL daemon_listen = f.daemon_listen;
2138 pid_t pid = exim_fork(US"daemon");
2139 if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2140 "fork() failed when starting daemon: %s", strerror(errno));
2141 if (pid > 0) exit(EXIT_SUCCESS); /* in parent process, just exit */
2142 (void)setsid(); /* release controlling terminal */
2143 f.daemon_listen = daemon_listen;
2147 /* We are now in the disconnected, daemon process (unless debugging). Set up
2148 the listening sockets if required. */
2150 daemon_notifier_socket();
2152 if (f.daemon_listen && !f.inetd_wait_mode)
2155 ip_address_item *ipa;
2157 /* For each IP address, create a socket, bind it to the appropriate port, and
2158 start listening. See comments above about IPv6 sockets that may or may not
2159 accept IPv4 calls when listening on all interfaces. We also have to cope with
2160 the case of a system with IPv6 libraries, but no IPv6 support in the kernel.
2161 listening, provided a wildcard IPv4 socket for the same port follows. */
2163 for (ipa = addresses, sk = 0; sk < listen_socket_count; ipa = ipa->next, sk++)
2166 ip_address_item * ipa2;
2169 if (Ustrchr(ipa->address, ':') != NULL)
2172 wildcard = ipa->address[1] == 0;
2177 wildcard = ipa->address[0] == 0;
2180 if ((fd_polls[sk].fd = fd = ip_socket(SOCK_STREAM, af)) < 0)
2182 if (check_special_case(0, addresses, ipa, FALSE))
2184 log_write(0, LOG_MAIN, "Failed to create IPv6 socket for wildcard "
2185 "listening (%s): will use IPv4", strerror(errno));
2188 log_write(0, LOG_PANIC_DIE, "IPv%c socket creation failed: %s",
2189 af == AF_INET6 ? '6' : '4', strerror(errno));
2192 /* If this is an IPv6 wildcard socket, set IPV6_V6ONLY if that option is
2193 available. Just log failure (can get protocol not available, just like
2194 socket creation can). */
2197 if (af == AF_INET6 && wildcard &&
2198 setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0)
2199 log_write(0, LOG_MAIN, "Setting IPV6_V6ONLY on daemon's IPv6 wildcard "
2200 "socket failed (%s): carrying on without it", strerror(errno));
2201 #endif /* IPV6_V6ONLY */
2203 /* Set SO_REUSEADDR so that the daemon can be restarted while a connection
2204 is being handled. Without this, a connection will prevent reuse of the
2205 smtp port for listening. */
2207 if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
2208 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "setting SO_REUSEADDR on socket "
2209 "failed when starting daemon: %s", strerror(errno));
2211 /* Set TCP_NODELAY; Exim does its own buffering. There is a switch to
2212 disable this because it breaks some broken clients. */
2214 if (tcp_nodelay) setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on));
2216 /* Now bind the socket to the required port; if Exim is being restarted
2217 it may not always be possible to bind immediately, even with SO_REUSEADDR
2218 set, so try 10 times, waiting between each try. After 10 failures, we give
2219 up. In an IPv6 environment, if bind () fails with the error EADDRINUSE and
2220 we are doing wildcard IPv4 listening and there was a previous IPv6 wildcard
2221 address for the same port, ignore the error on the grounds that we must be
2222 in a system where the IPv6 socket accepts both kinds of call. This is
2223 necessary for (some release of) USAGI Linux; other IP stacks fail at the
2224 listen() stage instead. */
2227 f.tcp_fastopen_ok = TRUE;
2232 if (ip_bind(fd, af, ipa->address, ipa->port) >= 0) break;
2233 if (check_special_case(errno, addresses, ipa, TRUE))
2235 DEBUG(D_any) debug_printf("wildcard IPv4 bind() failed after IPv6 "
2236 "listen() success; EADDRINUSE ignored\n");
2240 msg = US strerror(errno);
2246 if (daemon_startup_retries <= 0)
2247 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
2248 "socket bind() to port %d for address %s failed: %s: "
2249 "daemon abandoned", ipa->port, addr, msg);
2250 log_write(0, LOG_MAIN, "socket bind() to port %d for address %s "
2251 "failed: %s: waiting %s before trying again (%d more %s)",
2252 ipa->port, addr, msg, readconf_printtime(daemon_startup_sleep),
2253 daemon_startup_retries, (daemon_startup_retries > 1)? "tries" : "try");
2254 daemon_startup_retries--;
2255 sleep(daemon_startup_sleep);
2260 debug_printf("listening on all interfaces (IPv%c) port %d\n",
2261 af == AF_INET6 ? '6' : '4', ipa->port);
2263 debug_printf("listening on %s port %d\n", ipa->address, ipa->port);
2265 /* Start listening on the bound socket, establishing the maximum backlog of
2266 connections that is allowed. On success, add to the set of sockets for select
2267 and continue to the next address. */
2269 #if defined(TCP_FASTOPEN) && !defined(__APPLE__)
2270 if ( f.tcp_fastopen_ok
2271 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN,
2272 &smtp_connect_backlog, sizeof(smtp_connect_backlog)))
2274 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
2275 f.tcp_fastopen_ok = FALSE;
2278 if (listen(fd, smtp_connect_backlog) >= 0)
2280 #if defined(TCP_FASTOPEN) && defined(__APPLE__)
2281 if ( f.tcp_fastopen_ok
2282 && setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN, &on, sizeof(on)))
2284 DEBUG(D_any) debug_printf("setsockopt FASTOPEN: %s\n", strerror(errno));
2285 f.tcp_fastopen_ok = FALSE;
2288 fd_polls[sk].fd = fd;
2292 /* Listening has failed. In an IPv6 environment, as for bind(), if listen()
2293 fails with the error EADDRINUSE and we are doing IPv4 wildcard listening
2294 and there was a previous successful IPv6 wildcard listen on the same port,
2295 we want to ignore the error on the grounds that we must be in a system
2296 where the IPv6 socket accepts both kinds of call. */
2298 if (!check_special_case(errno, addresses, ipa, TRUE))
2299 log_write(0, LOG_PANIC_DIE, "listen() failed on interface %s: %s",
2301 ? af == AF_INET6 ? US"(any IPv6)" : US"(any IPv4)" : ipa->address,
2304 DEBUG(D_any) debug_printf("wildcard IPv4 listen() failed after IPv6 "
2305 "listen() success; EADDRINUSE ignored\n");
2308 /* Come here if there has been a problem with the socket which we
2309 are going to ignore. We remove the address from the chain, and back up the
2313 sk--; /* Back up the count */
2314 listen_socket_count--; /* Reduce the total */
2315 if (ipa == addresses) addresses = ipa->next; else
2317 for (ipa2 = addresses; ipa2->next != ipa; ipa2 = ipa2->next);
2318 ipa2->next = ipa->next;
2321 } /* End of bind/listen loop for each address */
2322 } /* End of setup for listening */
2325 /* If we are not listening, we want to write a pid file only if -oP was
2326 explicitly given. */
2328 else if (!override_pid_file_path)
2331 /* Write the pid to a known file for assistance in identification, if required.
2332 We do this before giving up root privilege, because on some systems it is
2333 necessary to be root in order to write into the pid file directory. There's
2334 nothing to stop multiple daemons running, as long as no more than one listens
2335 on a given TCP/IP port on the same interface(s). However, in these
2336 circumstances it gets far too complicated to mess with pid file names
2337 automatically. Consequently, Exim 4 writes a pid file only
2339 (a) When running in the test harness, or
2340 (b) When -bd is used and -oX is not used, or
2341 (c) When -oP is used to supply a path.
2343 The variable daemon_write_pid is used to control this. */
2345 if (f.running_in_test_harness || write_pid)
2347 const enum pid_op operation = (f.running_in_test_harness
2348 || real_uid == root_uid
2349 || (real_uid == exim_uid && !override_pid_file_path)) ? PID_WRITE : PID_CHECK;
2350 if (!operate_on_pid_file(operation, getpid()))
2351 DEBUG(D_any) debug_printf("%s pid file %s: %s\n", (operation == PID_WRITE) ? "write" : "check", pid_file_path, strerror(errno));
2354 /* Set up the handler for SIGHUP, which causes a restart of the daemon. */
2356 sighup_seen = FALSE;
2357 signal(SIGHUP, sighup_handler);
2359 /* Give up root privilege at this point (assuming that exim_uid and exim_gid
2360 are not root). The third argument controls the running of initgroups().
2361 Normally we do this, in order to set up the groups for the Exim user. However,
2362 if we are not root at this time - some odd installations run that way - we
2365 exim_setugid(exim_uid, exim_gid, geteuid()==root_uid, US"running as a daemon");
2367 /* Update the originator_xxx fields so that received messages as listed as
2368 coming from Exim, not whoever started the daemon. */
2370 originator_uid = exim_uid;
2371 originator_gid = exim_gid;
2372 originator_login = (pw = getpwuid(exim_uid))
2373 ? string_copy_perm(US pw->pw_name, FALSE) : US"exim";
2375 /* Get somewhere to keep the list of queue-runner pids if we are keeping track
2376 of them (and also if we are doing queue runs). */
2378 if (is_multiple_qrun() && local_queue_run_max > 0)
2380 queue_runner_slot_count = local_queue_run_max;
2381 queue_runner_slots = store_get(local_queue_run_max * sizeof(runner_slot), GET_UNTAINTED);
2382 memset(queue_runner_slots, 0, local_queue_run_max * sizeof(runner_slot));
2385 /* Set up the handler for termination of child processes, and the one
2386 telling us to die. */
2388 sigchld_seen = FALSE;
2389 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2391 sigterm_seen = FALSE;
2392 os_non_restarting_signal(SIGTERM, main_sigterm_handler);
2393 os_non_restarting_signal(SIGINT, main_sigterm_handler);
2395 /* If we are to run the queue periodically, pretend the alarm has just gone
2396 off. This will cause the first queue-runner to get kicked off straight away.
2397 Get an initial sort of the list of queues, to prioritize the initial q-runs */
2400 if ((sigalrm_seen = is_multiple_qrun()))
2401 (void) next_qrunner_interval();
2403 /* Log the start up of a daemon - at least one of listening or queue running
2406 if (f.inetd_wait_mode)
2408 uschar *p = big_buffer;
2410 if (inetd_wait_timeout >= 0)
2411 sprintf(CS p, "terminating after %d seconds", inetd_wait_timeout);
2413 sprintf(CS p, "with no wait timeout");
2415 log_write(0, LOG_MAIN,
2416 "exim %s daemon started: pid=%d, launched with listening socket, %s",
2417 version_string, getpid(), big_buffer);
2418 set_process_info("daemon(%s): pre-listening socket", version_string);
2420 /* set up the timeout logic */
2421 sigalrm_seen = TRUE;
2424 else if (f.daemon_listen)
2427 int smtps_ports = 0;
2428 ip_address_item * ipa;
2430 const uschar * qinfo = describe_queue_runners();
2432 /* Build a list of listening addresses in big_buffer, but limit it to 10
2433 items. The style is for backwards compatibility.
2435 It is possible to have some ports listening for SMTPS (as opposed to TLS
2436 startted by STARTTLS), and others listening for standard SMTP. Keep their
2437 listings separate. */
2439 for (int j = 0, i; j < 2; j++)
2440 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2442 /* First time round, look for SMTP ports; second time round, look for
2443 SMTPS ports. Build IP+port strings. */
2445 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2452 /* Now the information about the port (and sometimes interface) */
2454 if (ipa->address[0] == ':' && ipa->address[1] == 0)
2456 if (ipa->next && ipa->next->address[0] == 0 &&
2457 ipa->next->port == ipa->port)
2459 ipa->log = string_sprintf(" port %d (IPv6 and IPv4)", ipa->port);
2460 (ipa = ipa->next)->log = NULL;
2462 else if (ipa->v6_include_v4)
2463 ipa->log = string_sprintf(" port %d (IPv6 with IPv4)", ipa->port);
2465 ipa->log = string_sprintf(" port %d (IPv6)", ipa->port);
2467 else if (ipa->address[0] == 0) /* v4 wildcard */
2468 ipa->log = string_sprintf(" port %d (IPv4)", ipa->port);
2469 else /* check for previously-seen IP */
2471 ip_address_item * i2;
2472 for (i2 = addresses; i2 != ipa; i2 = i2->next)
2473 if ( host_is_tls_on_connect_port(i2->port) == (j > 0)
2474 && Ustrcmp(ipa->address, i2->address) == 0
2476 { /* found; append port to list */
2477 for (p = i2->log; *p; ) p++; /* end of existing string { */
2478 if (*--p == '}') *p = '\0'; /* drop EOL */
2479 while (isdigit(*--p)) ; /* char before port */
2481 i2->log = *p == ':' /* no list yet? { */
2482 ? string_sprintf("%.*s{%s,%d}",
2483 (int)(p - i2->log + 1), i2->log, p+1, ipa->port)
2484 : string_sprintf("%s,%d}", i2->log, ipa->port);
2488 if (i2 == ipa) /* first-time IP */
2489 ipa->log = string_sprintf(" [%s]:%d", ipa->address, ipa->port);
2495 for (int j = 0, i; j < 2; j++)
2497 /* First time round, look for SMTP ports; second time round, look for
2498 SMTPS ports. For the first one of each, insert leading text. */
2503 p += sprintf(CS p, "SMTP on");
2506 if (smtps_ports > 0)
2507 p += sprintf(CS p, "%sSMTPS on",
2508 smtp_ports == 0 ? "" : " and for ");
2510 /* Now the information about the port (and sometimes interface) */
2512 for (i = 0, ipa = addresses; i < 10 && ipa; i++, ipa = ipa->next)
2513 if (host_is_tls_on_connect_port(ipa->port) == (j > 0))
2515 p += sprintf(CS p, "%s", ipa->log);
2518 p += sprintf(CS p, " ...");
2521 log_write(0, LOG_MAIN,
2522 "exim %s daemon started: pid=%d, %s, listening for %s",
2523 version_string, getpid(), qinfo, big_buffer);
2524 set_process_info("daemon(%s): %s, listening for %s",
2525 version_string, qinfo, big_buffer);
2528 else /* no listening sockets, only queue-runs */
2530 const uschar * s = describe_queue_runners();
2531 log_write(0, LOG_MAIN,
2532 "exim %s daemon started: pid=%d, %s, not listening for SMTP",
2533 version_string, getpid(), s);
2534 set_process_info("daemon(%s): %s, not listening", version_string, s);
2537 /* Do any work it might be useful to amortize over our children
2538 (eg: compile regex) */
2541 smtp_deliver_init(); /* Used for callouts */
2543 #ifndef DISABLE_DKIM
2545 # ifdef MEASURE_TIMING
2547 gettimeofday(&t0, NULL);
2550 # ifdef MEASURE_TIMING
2551 report_time_since(&t0, US"dkim_exim_init (delta)");
2556 #ifdef WITH_CONTENT_SCAN
2566 /* Add ancillary sockets to the set for select */
2568 poll_fd_count = listen_socket_count;
2570 if (tls_watch_fd >= 0)
2572 tls_watch_poll = &fd_polls[poll_fd_count++];
2573 tls_watch_poll->fd = tls_watch_fd;
2574 tls_watch_poll->events = POLLIN;
2577 if (daemon_notifier_fd >= 0)
2579 dnotify_poll = &fd_polls[poll_fd_count++];
2580 dnotify_poll->fd = daemon_notifier_fd;
2581 dnotify_poll->events = POLLIN;
2584 /* Close the log so it can be renamed and moved. In the few cases below where
2585 this long-running process writes to the log (always exceptional conditions), it
2586 closes the log afterwards, for the same reason. */
2590 DEBUG(D_any) debug_print_ids(US"daemon running with");
2592 /* Any messages accepted via this route are going to be SMTP. */
2596 #ifdef MEASURE_TIMING
2597 report_time_since(×tamp_startup, US"daemon loop start"); /* testcase 0022 */
2600 /* Enter the never-ending loop... */
2604 int nolisten_sleep = 60;
2607 daemon_die(); /* Does not return */
2609 /* This code is placed first in the loop, so that it gets obeyed at the
2610 start, before the first wait, for the queue-runner case, so that the first
2611 one can be started immediately.
2613 The other option is that we have an inetd wait timeout specified to -bw. */
2616 if (inetd_wait_timeout > 0)
2617 daemon_inetd_wtimeout(last_connection_time); /* Might not return */
2620 daemon_qrun(local_queue_run_max, fd_polls, listen_socket_count);
2623 /* Sleep till a connection happens if listening, and handle the connection if
2624 that is why we woke up. The FreeBSD operating system requires the use of
2625 select() before accept() because the latter function is not interrupted by
2626 a signal, and we want to wake up for SIGCHLD and SIGALRM signals. Some other
2627 OS do notice signals in accept() but it does no harm to have the select()
2628 in for all of them - and it won't then be a lurking problem for ports to
2629 new OS. In fact, the later addition of listening on specific interfaces only
2630 requires this way of working anyway. */
2632 if (f.daemon_listen)
2635 BOOL select_failed = FALSE;
2637 DEBUG(D_any) debug_printf("Listening...\n");
2639 /* In rare cases we may have had a SIGCHLD signal in the time between
2640 setting the handler (below) and getting back here. If so, pretend that the
2641 select() was interrupted so that we reap the child. This might still leave
2642 a small window when a SIGCHLD could get lost. However, since we use SIGCHLD
2643 only to do the reaping more quickly, it shouldn't result in anything other
2644 than a delay until something else causes a wake-up. */
2652 lcount = poll(fd_polls, poll_fd_count, -1);
2656 select_failed = TRUE;
2660 /* Clean up any subprocesses that may have terminated. We need to do this
2661 here so that smtp_accept_max_per_host works when a connection to that host
2662 has completed, and we are about to accept a new one. When this code was
2663 later in the sequence, a new connection could be rejected, even though an
2664 old one had just finished. Preserve the errno from any select() failure for
2665 the use of the common select/accept error processing below. */
2668 int select_errno = errno;
2669 handle_ending_processes();
2674 /* Create or rotate any required keys; handle (delayed) filewatch event */
2676 if ((old_tfd = tls_daemon_tick()) >= 0)
2677 for (struct pollfd * p = &fd_polls[listen_socket_count];
2678 p < fd_polls + poll_fd_count; p++)
2679 if (p->fd == old_tfd) { p->fd = tls_watch_fd ; break; }
2682 errno = select_errno;
2685 /* Loop for all the sockets that are currently ready to go. If select
2686 actually failed, we have set the count to 1 and select_failed=TRUE, so as
2687 to use the common error code for select/accept below. */
2689 while (lcount-- > 0)
2691 int accept_socket = -1;
2693 struct sockaddr_in6 accepted;
2695 struct sockaddr_in accepted;
2700 #if !defined(DISABLE_TLS) && (defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT))
2701 if (tls_watch_poll && tls_watch_poll->revents & POLLIN)
2703 tls_watch_poll->revents = 0;
2704 tls_watch_trigger_time = time(NULL); /* Set up delayed event */
2705 tls_watch_discard_event(tls_watch_fd);
2706 break; /* to top of daemon loop */
2709 if (dnotify_poll && dnotify_poll->revents & POLLIN)
2711 dnotify_poll->revents = 0;
2712 sigalrm_seen = daemon_notification();
2713 break; /* to top of daemon loop */
2715 for (struct pollfd * p = fd_polls; p < fd_polls + listen_socket_count;
2717 if (p->revents & POLLIN)
2719 EXIM_SOCKLEN_T alen = sizeof(accepted);
2720 #if defined(__FreeBSD__) && defined(SO_LISTENQLEN)
2722 socklen_t blen = sizeof(backlog);
2724 if ( smtp_backlog_monitor > 0
2725 && getsockopt(p->fd, SOL_SOCKET, SO_LISTENQLEN, &backlog, &blen) == 0)
2728 debug_printf("listen fd %d queue curr %d\n", p->fd, backlog);
2729 smtp_listen_backlog = backlog;
2732 #elif defined(TCP_INFO) && defined(EXIM_HAVE_TCPI_UNACKED)
2734 socklen_t tlen = sizeof(ti);
2736 /* If monitoring the backlog is wanted, grab for later logging */
2738 smtp_listen_backlog = 0;
2739 if ( smtp_backlog_monitor > 0
2740 && getsockopt(p->fd, IPPROTO_TCP, TCP_INFO, &ti, &tlen) == 0)
2742 DEBUG(D_interface) debug_printf("listen fd %d queue max %u curr %u\n",
2743 p->fd, ti.tcpi_sacked, ti.tcpi_unacked);
2744 smtp_listen_backlog = ti.tcpi_unacked;
2748 accept_socket = accept(p->fd, (struct sockaddr *)&accepted, &alen);
2753 /* If select or accept has failed and this was not caused by an
2754 interruption, log the incident and try again. With asymmetric TCP/IP
2755 routing errors such as "No route to network" have been seen here. Also
2756 "connection reset by peer" has been seen. These cannot be classed as
2757 disastrous errors, but they could fill up a lot of log. The code in smail
2758 crashes the daemon after 10 successive failures of accept, on the grounds
2759 that some OS fail continuously. Exim originally followed suit, but this
2760 appears to have caused problems. Now it just keeps going, but instead of
2761 logging each error, it batches them up when they are continuous. */
2763 if (accept_socket < 0 && errno != EINTR)
2765 if (accept_retry_count == 0)
2767 accept_retry_errno = errno;
2768 accept_retry_select_failed = select_failed;
2770 else if ( errno != accept_retry_errno
2771 || select_failed != accept_retry_select_failed
2772 || accept_retry_count >= 50)
2774 log_write(0, LOG_MAIN | (accept_retry_count >= 50 ? LOG_PANIC : 0),
2775 "%d %s() failure%s: %s",
2777 accept_retry_select_failed ? "select" : "accept",
2778 accept_retry_count == 1 ? "" : "s",
2779 strerror(accept_retry_errno));
2781 accept_retry_count = 0;
2782 accept_retry_errno = errno;
2783 accept_retry_select_failed = select_failed;
2785 accept_retry_count++;
2787 else if (accept_retry_count > 0)
2789 log_write(0, LOG_MAIN, "%d %s() failure%s: %s",
2791 accept_retry_select_failed ? "select" : "accept",
2792 accept_retry_count == 1 ? "" : "s",
2793 strerror(accept_retry_errno));
2795 accept_retry_count = 0;
2798 /* If select/accept succeeded, deal with the connection. */
2800 if (accept_socket >= 0)
2802 #ifdef TCP_QUICKACK /* Avoid pure-ACKs while in tls protocol pingpong phase */
2803 /* Unfortunately we cannot be certain to do this before a TLS-on-connect
2804 Client Hello arrives and is acked. We do it as early as possible. */
2805 (void) setsockopt(accept_socket, IPPROTO_TCP, TCP_QUICKACK, US &off, sizeof(off));
2807 if (inetd_wait_timeout)
2808 last_connection_time = time(NULL);
2809 handle_smtp_call(fd_polls, listen_socket_count, accept_socket,
2810 (struct sockaddr *)&accepted);
2815 /* If not listening, then just sleep for the queue interval. If we woke
2816 up early the last time for some other signal, it won't matter because
2817 the alarm signal will wake at the right time. This code originally used
2818 sleep() but it turns out that on the FreeBSD system, sleep() is not inter-
2819 rupted by signals, so it wasn't waking up for SIGALRM or SIGCHLD. Luckily
2820 select() can be used as an interruptible sleep() on all versions of Unix. */
2825 poll(&p, 0, nolisten_sleep * 1000);
2826 handle_ending_processes();
2829 /* Re-enable the SIGCHLD handler if it has been run. It can't do it
2830 for itself, because it isn't doing the waiting itself. */
2834 sigchld_seen = FALSE;
2835 os_non_restarting_signal(SIGCHLD, main_sigchld_handler);
2838 /* Handle being woken by SIGHUP. We know at this point that the result
2839 of accept() has been dealt with, so we can re-exec exim safely, first
2840 closing the listening sockets so that they can be reused. Cancel any pending
2841 alarm in case it is just about to go off, and set SIGHUP to be ignored so
2842 that another HUP in quick succession doesn't clobber the new daemon before it
2843 gets going. All log files get closed by the close-on-exec flag; however, if
2844 the exec fails, we need to close the logs. */
2848 log_write(0, LOG_MAIN, "pid %d: SIGHUP received: re-exec daemon",
2850 close_daemon_sockets(daemon_notifier_fd, fd_polls, listen_socket_count);
2851 unlink_notifier_socket();
2853 signal(SIGHUP, SIG_IGN);
2854 sighup_argv[0] = exim_path;
2856 execv(CS exim_path, (char *const *)sighup_argv);
2857 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "pid %d: exec of %s failed: %s",
2858 getpid(), exim_path, strerror(errno));
2862 } /* End of main loop */
2864 /* Control never reaches here */
2869 /* End of exim_daemon.c */
git://git.exim.org / exim.git / blob